From 9a3f6b21d25861f5c8e9e8baf99b04e066aa1c22 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Mon, 3 Feb 2025 14:20:35 +0100
Subject: [PATCH 001/212] feat(app/service-details): hide view while loading
 data (#348)

---
 app/docker/views/services/edit/service.html   | 525 +++++++++---------
 .../views/services/edit/serviceController.js  |   4 +
 2 files changed, 270 insertions(+), 259 deletions(-)

diff --git a/app/docker/views/services/edit/service.html b/app/docker/views/services/edit/service.html
index fc49a3e13..406c487ca 100644
--- a/app/docker/views/services/edit/service.html
+++ b/app/docker/views/services/edit/service.html
@@ -1,274 +1,281 @@
 <page-header title="'Service details'" breadcrumbs="[{label:'Services', link:'docker.services'}, service.Name]" reload="true"> </page-header>
 
-<div class="row">
-  <div ng-if="isUpdating" class="col-lg-12 col-md-12 col-xs-12">
-    <div class="alert alert-info" role="alert" id="service-update-alert">
-      <p>This service is being updated. Editing this service is currently disabled.</p>
-      <a ui-sref="docker.services.service({id: service.Id}, {reload: true})">Refresh to see if this service has finished updated.</a>
+<div ng-if="!isLoading">
+  <div class="row">
+    <div ng-if="isUpdating" class="col-lg-12 col-md-12 col-xs-12">
+      <div class="alert alert-info" role="alert" id="service-update-alert">
+        <p>This service is being updated. Editing this service is currently disabled.</p>
+        <a ui-sref="docker.services.service({id: service.Id}, {reload: true})">Refresh to see if this service has finished updated.</a>
+      </div>
     </div>
   </div>
-</div>
-<div class="row">
-  <div class="col-lg-9 col-md-9 col-xs-9">
-    <rd-widget>
-      <rd-widget-header icon="shuffle" title-text="Service details"></rd-widget-header>
-      <rd-widget-body classes="no-padding">
-        <table class="table">
-          <tbody>
-            <tr>
-              <td class="w-1/5">Name</td>
-              <td ng-if="applicationState.endpoint.apiVersion <= 1.24">
-                <input
-                  type="text"
-                  class="form-control"
-                  ng-model="service.Name"
-                  ng-change="updateServiceAttribute(service, 'Name')"
-                  ng-disabled="isUpdating"
-                  data-cy="docker-service-edit-name"
-                />
-              </td>
-              <td ng-if="applicationState.endpoint.apiVersion >= 1.25"> {{ service.Name }} </td>
-            </tr>
-            <tr>
-              <td>ID</td>
-              <td> {{ service.Id }} </td>
-            </tr>
-            <tr ng-if="service.CreatedAt">
-              <td>Created at</td>
-              <td>{{ service.CreatedAt | getisodate }}</td>
-            </tr>
-            <tr ng-if="service.UpdatedAt">
-              <td>Last updated at</td>
-              <td>{{ service.UpdatedAt | getisodate }}</td>
-            </tr>
-            <tr ng-if="service.Version">
-              <td>Version</td>
-              <td>{{ service.Version }}</td>
-            </tr>
-            <tr>
-              <td>Scheduling mode</td>
-              <td>{{ service.Mode }}</td>
-            </tr>
-            <tr ng-if="service.Mode === 'replicated'">
-              <td>Replicas</td>
-              <td>
-                <span ng-if="service.Mode === 'replicated'">
+  <div class="row">
+    <div class="col-lg-9 col-md-9 col-xs-9">
+      <rd-widget>
+        <rd-widget-header icon="shuffle" title-text="Service details"></rd-widget-header>
+        <rd-widget-body classes="no-padding">
+          <table class="table">
+            <tbody>
+              <tr>
+                <td class="w-1/5">Name</td>
+                <td ng-if="applicationState.endpoint.apiVersion <= 1.24">
                   <input
-                    class="input-sm"
-                    type="number"
-                    data-cy="docker-service-edit-replicas-input"
-                    ng-model="service.Replicas"
-                    ng-change="updateServiceAttribute(service, 'Replicas')"
-                    disable-authorization="DockerServiceUpdate"
+                    type="text"
+                    class="form-control"
+                    ng-model="service.Name"
+                    ng-change="updateServiceAttribute(service, 'Name')"
+                    ng-disabled="isUpdating"
+                    data-cy="docker-service-edit-name"
                   />
-                </span>
-              </td>
-            </tr>
-            <tr>
-              <td>Image</td>
-              <td>{{ service.Image }}</td>
-            </tr>
-            <tr ng-if="isAdmin && applicationState.endpoint.type !== 4">
-              <td>
-                <div class="inline-flex items-center">
-                  <div> Service webhook </div>
-                  <portainer-tooltip
-                    message="'Webhook (or callback URI) used to automate the update of this service. Sending a POST request to this callback URI (without requiring any authentication) will pull the most up-to-date version of the associated image and re-deploy this service.'"
-                  >
-                  </portainer-tooltip>
-                </div>
-              </td>
-              <td>
-                <div class="flex flex-wrap items-center">
-                  <por-switch-field label-class="'!mr-0'" checked="WebhookExists" disabled="disabledWebhookButton(WebhookExists)" on-change="(onWebhookChange)"></por-switch-field>
-                  <span ng-if="webhookURL">
-                    <span class="text-muted">{{ webhookURL | truncatelr }}</span>
-                    <button type="button" class="btn btn-sm btn-primary btn-sm space-left" ng-if="webhookURL" ng-click="copyWebhook()">
-                      <pr-icon icon="'copy'" class-name="'mr-1'"></pr-icon>
-                      Copy link
-                    </button>
-                    <span>
-                      <pr-icon id="copyNotification" icon="'check'" mode="'success'" style="display: none"></pr-icon>
-                    </span>
+                </td>
+                <td ng-if="applicationState.endpoint.apiVersion >= 1.25"> {{ service.Name }} </td>
+              </tr>
+              <tr>
+                <td>ID</td>
+                <td> {{ service.Id }} </td>
+              </tr>
+              <tr ng-if="service.CreatedAt">
+                <td>Created at</td>
+                <td>{{ service.CreatedAt | getisodate }}</td>
+              </tr>
+              <tr ng-if="service.UpdatedAt">
+                <td>Last updated at</td>
+                <td>{{ service.UpdatedAt | getisodate }}</td>
+              </tr>
+              <tr ng-if="service.Version">
+                <td>Version</td>
+                <td>{{ service.Version }}</td>
+              </tr>
+              <tr>
+                <td>Scheduling mode</td>
+                <td>{{ service.Mode }}</td>
+              </tr>
+              <tr ng-if="service.Mode === 'replicated'">
+                <td>Replicas</td>
+                <td>
+                  <span ng-if="service.Mode === 'replicated'">
+                    <input
+                      class="input-sm"
+                      type="number"
+                      data-cy="docker-service-edit-replicas-input"
+                      ng-model="service.Replicas"
+                      ng-change="updateServiceAttribute(service, 'Replicas')"
+                      disable-authorization="DockerServiceUpdate"
+                    />
                   </span>
-                </div>
-              </td>
-            </tr>
-            <tr authorization="DockerServiceLogs, DockerServiceUpdate, DockerServiceDelete">
-              <td colspan="2">
-                <p class="small text-muted" authorization="DockerServiceUpdate">
-                  Note: you can only rollback one level of changes. Clicking the rollback button without making a new change will undo your previous rollback </p
-                ><div class="flex flex-wrap gap-x-2 gap-y-1">
-                  <a
-                    authorization="DockerServiceLogs"
-                    ng-if="applicationState.endpoint.apiVersion >= 1.3"
-                    class="btn btn-primary btn-sm"
-                    type="button"
-                    ui-sref="docker.services.service.logs({id: service.Id})"
-                  >
-                    <pr-icon icon="'file-text'"></pr-icon>Service logs</a
-                  >
-                  <button
-                    authorization="DockerServiceUpdate"
-                    type="button"
-                    class="btn btn-primary btn-sm !ml-0"
-                    ng-disabled="state.updateInProgress || isUpdating"
-                    ng-click="forceUpdateService(service)"
-                    button-spinner="state.updateInProgress"
-                    ng-if="applicationState.endpoint.apiVersion >= 1.25"
-                  >
-                    <span ng-hide="state.updateInProgress" class="vertical-center">
-                      <pr-icon icon="'refresh-cw'"></pr-icon>
-                      Update the service</span
+                </td>
+              </tr>
+              <tr>
+                <td>Image</td>
+                <td>{{ service.Image }}</td>
+              </tr>
+              <tr ng-if="isAdmin && applicationState.endpoint.type !== 4">
+                <td>
+                  <div class="inline-flex items-center">
+                    <div> Service webhook </div>
+                    <portainer-tooltip
+                      message="'Webhook (or callback URI) used to automate the update of this service. Sending a POST request to this callback URI (without requiring any authentication) will pull the most up-to-date version of the associated image and re-deploy this service.'"
                     >
-                    <span ng-show="state.updateInProgress">Update in progress...</span>
-                  </button>
-                  <button
-                    authorization="DockerServiceUpdate"
-                    type="button"
-                    class="btn btn-primary btn-sm !ml-0"
-                    ng-disabled="state.rollbackInProgress || isUpdating"
-                    ng-click="rollbackService(service)"
-                    button-spinner="state.rollbackInProgress"
-                    ng-if="applicationState.endpoint.apiVersion >= 1.25"
-                  >
-                    <span ng-hide="state.rollbackInProgress" class="vertical-center">
-                      <pr-icon icon="'rotate-ccw'"></pr-icon>
-                      Rollback the service</span
+                    </portainer-tooltip>
+                  </div>
+                </td>
+                <td>
+                  <div class="flex flex-wrap items-center">
+                    <por-switch-field
+                      label-class="'!mr-0'"
+                      checked="WebhookExists"
+                      disabled="disabledWebhookButton(WebhookExists)"
+                      on-change="(onWebhookChange)"
+                    ></por-switch-field>
+                    <span ng-if="webhookURL">
+                      <span class="text-muted">{{ webhookURL | truncatelr }}</span>
+                      <button type="button" class="btn btn-sm btn-primary btn-sm space-left" ng-if="webhookURL" ng-click="copyWebhook()">
+                        <pr-icon icon="'copy'" class-name="'mr-1'"></pr-icon>
+                        Copy link
+                      </button>
+                      <span>
+                        <pr-icon id="copyNotification" icon="'check'" mode="'success'" style="display: none"></pr-icon>
+                      </span>
+                    </span>
+                  </div>
+                </td>
+              </tr>
+              <tr authorization="DockerServiceLogs, DockerServiceUpdate, DockerServiceDelete">
+                <td colspan="2">
+                  <p class="small text-muted" authorization="DockerServiceUpdate">
+                    Note: you can only rollback one level of changes. Clicking the rollback button without making a new change will undo your previous rollback </p
+                  ><div class="flex flex-wrap gap-x-2 gap-y-1">
+                    <a
+                      authorization="DockerServiceLogs"
+                      ng-if="applicationState.endpoint.apiVersion >= 1.3"
+                      class="btn btn-primary btn-sm"
+                      type="button"
+                      ui-sref="docker.services.service.logs({id: service.Id})"
                     >
-                    <span ng-show="state.rollbackInProgress">Rollback in progress...</span>
-                  </button>
-                  <button
-                    authorization="DockerServiceDelete"
-                    type="button"
-                    class="btn btn-danger btn-sm !ml-0"
-                    ng-disabled="state.deletionInProgress || isUpdating"
-                    ng-click="removeService()"
-                    button-spinner="state.deletionInProgress"
-                  >
-                    <span ng-hide="state.deletionInProgress" class="vertical-center">
-                      <pr-icon icon="'trash-2'"></pr-icon>
-                      Delete the service</span
+                      <pr-icon icon="'file-text'"></pr-icon>Service logs</a
                     >
-                    <span ng-show="state.deletionInProgress">Deletion in progress...</span>
-                  </button>
-                </div>
-              </td>
-            </tr>
-          </tbody>
-        </table>
-      </rd-widget-body>
-      <rd-widget-footer authorization="DockerServiceUpdate">
-        <p class="small text-muted">
-          Do you need help? View the Docker Service documentation <a href="https://docs.docker.com/engine/reference/commandline/service_update/" target="self">here</a>.
-        </p>
-        <div class="btn-toolbar" role="toolbar">
-          <div class="btn-group" role="group">
-            <button type="button" class="btn btn-primary" ng-disabled="!hasChanges(service, ['Mode', 'Replicas', 'Name', 'Webhooks'])" ng-click="updateService(service)"
-              >Apply changes</button
-            >
-            <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
-              <pr-icon icon="'chevron-down'"></pr-icon>
-            </button>
-            <ul class="dropdown-menu">
-              <li><a ng-click="cancelChanges(service, ['Mode', 'Replicas', 'Name'])">Reset changes</a></li>
-              <li><a ng-click="cancelChanges(service)">Reset all changes</a></li>
-            </ul>
+                    <button
+                      authorization="DockerServiceUpdate"
+                      type="button"
+                      class="btn btn-primary btn-sm !ml-0"
+                      ng-disabled="state.updateInProgress || isUpdating"
+                      ng-click="forceUpdateService(service)"
+                      button-spinner="state.updateInProgress"
+                      ng-if="applicationState.endpoint.apiVersion >= 1.25"
+                    >
+                      <span ng-hide="state.updateInProgress" class="vertical-center">
+                        <pr-icon icon="'refresh-cw'"></pr-icon>
+                        Update the service</span
+                      >
+                      <span ng-show="state.updateInProgress">Update in progress...</span>
+                    </button>
+                    <button
+                      authorization="DockerServiceUpdate"
+                      type="button"
+                      class="btn btn-primary btn-sm !ml-0"
+                      ng-disabled="state.rollbackInProgress || isUpdating"
+                      ng-click="rollbackService(service)"
+                      button-spinner="state.rollbackInProgress"
+                      ng-if="applicationState.endpoint.apiVersion >= 1.25"
+                    >
+                      <span ng-hide="state.rollbackInProgress" class="vertical-center">
+                        <pr-icon icon="'rotate-ccw'"></pr-icon>
+                        Rollback the service</span
+                      >
+                      <span ng-show="state.rollbackInProgress">Rollback in progress...</span>
+                    </button>
+                    <button
+                      authorization="DockerServiceDelete"
+                      type="button"
+                      class="btn btn-danger btn-sm !ml-0"
+                      ng-disabled="state.deletionInProgress || isUpdating"
+                      ng-click="removeService()"
+                      button-spinner="state.deletionInProgress"
+                    >
+                      <span ng-hide="state.deletionInProgress" class="vertical-center">
+                        <pr-icon icon="'trash-2'"></pr-icon>
+                        Delete the service</span
+                      >
+                      <span ng-show="state.deletionInProgress">Deletion in progress...</span>
+                    </button>
+                  </div>
+                </td>
+              </tr>
+            </tbody>
+          </table>
+        </rd-widget-body>
+        <rd-widget-footer authorization="DockerServiceUpdate">
+          <p class="small text-muted">
+            Do you need help? View the Docker Service documentation <a href="https://docs.docker.com/engine/reference/commandline/service_update/" target="self">here</a>.
+          </p>
+          <div class="btn-toolbar" role="toolbar">
+            <div class="btn-group" role="group">
+              <button type="button" class="btn btn-primary" ng-disabled="!hasChanges(service, ['Mode', 'Replicas', 'Name', 'Webhooks'])" ng-click="updateService(service)"
+                >Apply changes</button
+              >
+              <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">
+                <pr-icon icon="'chevron-down'"></pr-icon>
+              </button>
+              <ul class="dropdown-menu">
+                <li><a ng-click="cancelChanges(service, ['Mode', 'Replicas', 'Name'])">Reset changes</a></li>
+                <li><a ng-click="cancelChanges(service)">Reset all changes</a></li>
+              </ul>
+            </div>
           </div>
-        </div>
-      </rd-widget-footer>
-    </rd-widget>
+        </rd-widget-footer>
+      </rd-widget>
+    </div>
+
+    <div class="col-lg-3 col-md-3 col-xs-3">
+      <rd-widget>
+        <rd-widget-header icon="menu" title-text="Quick navigation"></rd-widget-header>
+        <rd-widget-body classes="no-padding">
+          <ul class="nav nav-pills nav-stacked">
+            <li><a href ng-click="goToItem('service-env-variables')">Environment variables</a></li>
+            <li><a href ng-click="goToItem('service-container-image')">Container image</a></li>
+            <li><a href ng-click="goToItem('service-container-labels')">Container labels</a></li>
+            <li><a href ng-click="goToItem('service-mounts')">Mounts</a></li>
+            <li><a href ng-click="goToItem('service-network-specs')">Network &amp; published ports</a></li>
+            <li><a href ng-click="goToItem('service-resources')">Resource limits &amp; reservations</a></li>
+            <li><a href ng-click="goToItem('service-placement-constraints')">Placement constraints</a></li>
+            <li ng-if="applicationState.endpoint.apiVersion >= 1.3"><a href ng-click="goToItem('service-placement-preferences')">Placement preferences</a></li>
+            <li><a href ng-click="goToItem('service-restart-policy')">Restart policy</a></li>
+            <li><a href ng-click="goToItem('service-update-config')">Update configuration</a></li>
+            <li><a href ng-click="goToItem('service-logging')">Logging</a></li>
+            <li><a href ng-click="goToItem('service-labels')">Service labels</a></li>
+            <li><a href ng-click="goToItem('service-configs')">Configs</a></li>
+            <li ng-if="applicationState.endpoint.apiVersion >= 1.25"><a href ng-click="goToItem('service-secrets')">Secrets</a></li>
+            <li><a href ng-click="goToItem('service-tasks')">Tasks</a></li>
+          </ul>
+        </rd-widget-body>
+      </rd-widget>
+    </div>
   </div>
 
-  <div class="col-lg-3 col-md-3 col-xs-3">
-    <rd-widget>
-      <rd-widget-header icon="menu" title-text="Quick navigation"></rd-widget-header>
-      <rd-widget-body classes="no-padding">
-        <ul class="nav nav-pills nav-stacked">
-          <li><a href ng-click="goToItem('service-env-variables')">Environment variables</a></li>
-          <li><a href ng-click="goToItem('service-container-image')">Container image</a></li>
-          <li><a href ng-click="goToItem('service-container-labels')">Container labels</a></li>
-          <li><a href ng-click="goToItem('service-mounts')">Mounts</a></li>
-          <li><a href ng-click="goToItem('service-network-specs')">Network &amp; published ports</a></li>
-          <li><a href ng-click="goToItem('service-resources')">Resource limits &amp; reservations</a></li>
-          <li><a href ng-click="goToItem('service-placement-constraints')">Placement constraints</a></li>
-          <li ng-if="applicationState.endpoint.apiVersion >= 1.3"><a href ng-click="goToItem('service-placement-preferences')">Placement preferences</a></li>
-          <li><a href ng-click="goToItem('service-restart-policy')">Restart policy</a></li>
-          <li><a href ng-click="goToItem('service-update-config')">Update configuration</a></li>
-          <li><a href ng-click="goToItem('service-logging')">Logging</a></li>
-          <li><a href ng-click="goToItem('service-labels')">Service labels</a></li>
-          <li><a href ng-click="goToItem('service-configs')">Configs</a></li>
-          <li ng-if="applicationState.endpoint.apiVersion >= 1.25"><a href ng-click="goToItem('service-secrets')">Secrets</a></li>
-          <li><a href ng-click="goToItem('service-tasks')">Tasks</a></li>
-        </ul>
-      </rd-widget-body>
-    </rd-widget>
+  <!-- access-control-panel -->
+  <access-control-panel
+    ng-if="service"
+    resource-id="service.Id"
+    resource-control="service.ResourceControl"
+    resource-type="resourceType"
+    on-update-success="(onUpdateResourceControlSuccess)"
+    environment-id="endpoint.Id"
+  >
+  </access-control-panel>
+  <!-- !access-control-panel -->
+
+  <div class="row">
+    <hr />
+    <div class="col-lg-12 col-md-12 col-xs-12">
+      <h3 id="container-specs">Container specification</h3>
+      <div id="service-container-spec" class="padding-top" ng-include="'app/docker/views/services/edit/includes/container-specs.html'"></div>
+      <div id="service-container-image" class="padding-top" ng-include="'app/docker/views/services/edit/includes/image.html'"></div>
+      <div id="service-env-variables" class="padding-top" ng-include="'app/docker/views/services/edit/includes/environmentvariables.html'"></div>
+      <div id="service-container-labels" class="padding-top" ng-include="'app/docker/views/services/edit/includes/containerlabels.html'"></div>
+      <div id="service-mounts" class="padding-top" ng-include="'app/docker/views/services/edit/includes/mounts.html'"></div>
+    </div>
   </div>
+
+  <div class="row">
+    <hr />
+    <div class="col-lg-12 col-md-12 col-xs-12">
+      <h3 id="service-network-specs">Networks &amp; ports</h3>
+      <div id="service-networks" class="padding-top" ng-include="'app/docker/views/services/edit/includes/networks.html'"></div>
+
+      <docker-service-ports-mapping-field
+        id="service-published-ports"
+        class="block padding-top"
+        values="formValues.ports"
+        on-change="(onChangePorts)"
+        has-changes="hasChanges(service, ['Ports'])"
+        on-reset="(onResetPorts)"
+        on-submit="(onSubmit)"
+      ></docker-service-ports-mapping-field>
+
+      <div id="service-hosts-entries" class="padding-top" ng-include="'app/docker/views/services/edit/includes/hosts.html'"></div>
+    </div>
+  </div>
+
+  <div class="row">
+    <hr />
+    <div class="col-lg-12 col-md-12 col-xs-12">
+      <h3 id="service-specs">Service specification</h3>
+      <div id="service-resources" class="padding-top" ng-include="'app/docker/views/services/edit/includes/resources.html'"></div>
+      <div id="service-placement-constraints" class="padding-top" ng-include="'app/docker/views/services/edit/includes/constraints.html'"></div>
+      <div
+        id="service-placement-preferences"
+        ng-if="applicationState.endpoint.apiVersion >= 1.3"
+        class="padding-top"
+        ng-include="'app/docker/views/services/edit/includes/placementPreferences.html'"
+      ></div>
+      <div id="service-restart-policy" class="padding-top" ng-include="'app/docker/views/services/edit/includes/restart.html'"></div>
+      <div id="service-update-config" class="padding-top" ng-include="'app/docker/views/services/edit/includes/updateconfig.html'"></div>
+      <div id="service-logging" class="padding-top" ng-include="'app/docker/views/services/edit/includes/logging.html'"></div>
+      <div id="service-labels" class="padding-top" ng-include="'app/docker/views/services/edit/includes/servicelabels.html'"></div>
+      <div id="service-configs" class="padding-top" ng-include="'app/docker/views/services/edit/includes/configs.html'"></div>
+      <div id="service-secrets" ng-if="applicationState.endpoint.apiVersion >= 1.25" class="padding-top" ng-include="'app/docker/views/services/edit/includes/secrets.html'"></div>
+    </div>
+  </div>
+
+  <div id="service-tasks" class="padding-top" ng-include="'app/docker/views/services/edit/includes/tasks.html'"></div>
 </div>
-
-<!-- access-control-panel -->
-<access-control-panel
-  ng-if="service"
-  resource-id="service.Id"
-  resource-control="service.ResourceControl"
-  resource-type="resourceType"
-  on-update-success="(onUpdateResourceControlSuccess)"
-  environment-id="endpoint.Id"
->
-</access-control-panel>
-<!-- !access-control-panel -->
-
-<div class="row">
-  <hr />
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <h3 id="container-specs">Container specification</h3>
-    <div id="service-container-spec" class="padding-top" ng-include="'app/docker/views/services/edit/includes/container-specs.html'"></div>
-    <div id="service-container-image" class="padding-top" ng-include="'app/docker/views/services/edit/includes/image.html'"></div>
-    <div id="service-env-variables" class="padding-top" ng-include="'app/docker/views/services/edit/includes/environmentvariables.html'"></div>
-    <div id="service-container-labels" class="padding-top" ng-include="'app/docker/views/services/edit/includes/containerlabels.html'"></div>
-    <div id="service-mounts" class="padding-top" ng-include="'app/docker/views/services/edit/includes/mounts.html'"></div>
-  </div>
-</div>
-
-<div class="row">
-  <hr />
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <h3 id="service-network-specs">Networks &amp; ports</h3>
-    <div id="service-networks" class="padding-top" ng-include="'app/docker/views/services/edit/includes/networks.html'"></div>
-
-    <docker-service-ports-mapping-field
-      id="service-published-ports"
-      class="block padding-top"
-      values="formValues.ports"
-      on-change="(onChangePorts)"
-      has-changes="hasChanges(service, ['Ports'])"
-      on-reset="(onResetPorts)"
-      on-submit="(onSubmit)"
-    ></docker-service-ports-mapping-field>
-
-    <div id="service-hosts-entries" class="padding-top" ng-include="'app/docker/views/services/edit/includes/hosts.html'"></div>
-  </div>
-</div>
-
-<div class="row">
-  <hr />
-  <div class="col-lg-12 col-md-12 col-xs-12">
-    <h3 id="service-specs">Service specification</h3>
-    <div id="service-resources" class="padding-top" ng-include="'app/docker/views/services/edit/includes/resources.html'"></div>
-    <div id="service-placement-constraints" class="padding-top" ng-include="'app/docker/views/services/edit/includes/constraints.html'"></div>
-    <div
-      id="service-placement-preferences"
-      ng-if="applicationState.endpoint.apiVersion >= 1.3"
-      class="padding-top"
-      ng-include="'app/docker/views/services/edit/includes/placementPreferences.html'"
-    ></div>
-    <div id="service-restart-policy" class="padding-top" ng-include="'app/docker/views/services/edit/includes/restart.html'"></div>
-    <div id="service-update-config" class="padding-top" ng-include="'app/docker/views/services/edit/includes/updateconfig.html'"></div>
-    <div id="service-logging" class="padding-top" ng-include="'app/docker/views/services/edit/includes/logging.html'"></div>
-    <div id="service-labels" class="padding-top" ng-include="'app/docker/views/services/edit/includes/servicelabels.html'"></div>
-    <div id="service-configs" class="padding-top" ng-include="'app/docker/views/services/edit/includes/configs.html'"></div>
-    <div id="service-secrets" ng-if="applicationState.endpoint.apiVersion >= 1.25" class="padding-top" ng-include="'app/docker/views/services/edit/includes/secrets.html'"></div>
-  </div>
-</div>
-
-<div id="service-tasks" class="padding-top" ng-include="'app/docker/views/services/edit/includes/tasks.html'"></div>
diff --git a/app/docker/views/services/edit/serviceController.js b/app/docker/views/services/edit/serviceController.js
index 69474b398..3344ef2ab 100644
--- a/app/docker/views/services/edit/serviceController.js
+++ b/app/docker/views/services/edit/serviceController.js
@@ -731,6 +731,7 @@ angular.module('portainer.docker').controller('ServiceController', [
     };
 
     function initView() {
+      $scope.isLoading = true;
       var apiVersion = $scope.applicationState.endpoint.apiVersion;
       var agentProxy = $scope.applicationState.endpoint.mode.agentProxy;
 
@@ -855,6 +856,9 @@ angular.module('portainer.docker').controller('ServiceController', [
           $scope.secrets = [];
           $scope.configs = [];
           Notifications.error('Failure', err, 'Unable to retrieve service details');
+        })
+        .finally(() => {
+          $scope.isLoading = false;
         });
     }
 

From c0d30a455f606409d49d95df0e5c221893c2f233 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Mon, 3 Feb 2025 20:25:25 +0100
Subject: [PATCH 002/212] fix(api/edge): backend panic on edge stack removal
 (#371)

---
 api/http/handler/edgestacks/edgestack_status_update.go       | 4 ++--
 .../edgestacks/edgestack_status_update_coordinator.go        | 5 +++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/api/http/handler/edgestacks/edgestack_status_update.go b/api/http/handler/edgestacks/edgestack_status_update.go
index 4cf912030..fef5a6927 100644
--- a/api/http/handler/edgestacks/edgestack_status_update.go
+++ b/api/http/handler/edgestacks/edgestack_status_update.go
@@ -79,7 +79,7 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 	}
 
 	updateFn := func(stack *portainer.EdgeStack) (*portainer.EdgeStack, error) {
-		return handler.updateEdgeStackStatus(stack, endpoint, r, stack.ID, payload)
+		return handler.updateEdgeStackStatus(stack, stack.ID, payload)
 	}
 
 	stack, err := handler.stackCoordinator.UpdateStatus(r, portainer.EdgeStackID(stackID), updateFn)
@@ -99,7 +99,7 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 	return response.JSON(w, stack)
 }
 
-func (handler *Handler) updateEdgeStackStatus(stack *portainer.EdgeStack, endpoint *portainer.Endpoint, r *http.Request, stackID portainer.EdgeStackID, payload updateStatusPayload) (*portainer.EdgeStack, error) {
+func (handler *Handler) updateEdgeStackStatus(stack *portainer.EdgeStack, stackID portainer.EdgeStackID, payload updateStatusPayload) (*portainer.EdgeStack, error) {
 	if payload.Version > 0 && payload.Version < stack.Version {
 		return stack, nil
 	}
diff --git a/api/http/handler/edgestacks/edgestack_status_update_coordinator.go b/api/http/handler/edgestacks/edgestack_status_update_coordinator.go
index f81e2fc3e..885b4c6da 100644
--- a/api/http/handler/edgestacks/edgestack_status_update_coordinator.go
+++ b/api/http/handler/edgestacks/edgestack_status_update_coordinator.go
@@ -60,6 +60,11 @@ func (c *EdgeStackStatusUpdateCoordinator) loop() {
 			return err
 		}
 
+		// Return early when the agent tries to update the status on a deleted stack
+		if stack == nil {
+			return nil
+		}
+
 		// 2. Mutate the edge stack opportunistically until there are no more pending updates
 		for {
 			stack, err = u.updateFn(stack)

From a50a9c56176eb853f122728529150b1a61faa51c Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Mon, 3 Feb 2025 20:50:24 +0100
Subject: [PATCH 003/212] fix(app/edge): edge stacks webhooks cannot be
 disabled once created (#372)

---
 .../edge-stacks/ItemView/EditEdgeStackForm/NonGitStackForm.tsx  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/NonGitStackForm.tsx b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/NonGitStackForm.tsx
index d0d1e5373..5d7956822 100644
--- a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/NonGitStackForm.tsx
+++ b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/NonGitStackForm.tsx
@@ -143,7 +143,7 @@ export function NonGitStackForm({ edgeStack }: { edgeStack: EdgeStack }) {
         updateVersion,
         webhook: values.webhookEnabled
           ? edgeStack.Webhook || createWebhookId()
-          : undefined,
+          : '',
         envVars: values.envVars,
         rollbackTo: values.rollbackTo,
         staggerConfig: values.staggerConfig,

From 379711951c341af366abed2041bd506fa4134bc9 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Tue, 4 Feb 2025 09:41:24 +1300
Subject: [PATCH 004/212] fix(edgegroup): failed to associate env to static
 edge group [BE-11599] (#368)

---
 api/http/handler/edgegroups/edgegroup_update.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/http/handler/edgegroups/edgegroup_update.go b/api/http/handler/edgegroups/edgegroup_update.go
index 2d04f7cd2..e67607d92 100644
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -167,7 +167,7 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 
 func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
 		return err
 	}
 
@@ -183,6 +183,11 @@ func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoi
 		edgeStackSet[edgeStackID] = true
 	}
 
+	if relation == nil {
+		relation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+		}
+	}
 	relation.EdgeStacks = edgeStackSet
 
 	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)

From 5af0859f67e5cff76399277ee5769411f14f42f3 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Tue, 4 Feb 2025 15:34:33 +1300
Subject: [PATCH 005/212] fix(datatables): "Select all" should select only
 elements of the current page (#376)

---
 .../components/datatables/Datatable.test.tsx  | 44 +++++++++++++++++++
 .../components/datatables/select-column.tsx   | 13 ++++--
 2 files changed, 54 insertions(+), 3 deletions(-)

diff --git a/app/react/components/datatables/Datatable.test.tsx b/app/react/components/datatables/Datatable.test.tsx
index 25e1ed1eb..3b5a1e63f 100644
--- a/app/react/components/datatables/Datatable.test.tsx
+++ b/app/react/components/datatables/Datatable.test.tsx
@@ -155,6 +155,50 @@ describe('Datatable', () => {
 
     expect(screen.getByText('No data available')).toBeInTheDocument();
   });
+
+  it('selects/deselects only page rows when select all is clicked', () => {
+    render(
+      <Datatable
+        dataset={mockData}
+        columns={mockColumns}
+        settingsManager={{ ...mockSettingsManager, pageSize: 2 }}
+        data-cy="test-table"
+      />
+    );
+
+    const selectAllCheckbox = screen.getByLabelText('Select all rows');
+    fireEvent.click(selectAllCheckbox);
+
+    // Check if all rows on the page are selected
+    expect(screen.getByText('2 item(s) selected')).toBeInTheDocument();
+
+    // Deselect
+    fireEvent.click(selectAllCheckbox);
+    const checkboxes: HTMLInputElement[] = screen.queryAllByRole('checkbox');
+    expect(checkboxes.filter((checkbox) => checkbox.checked).length).toBe(0);
+  });
+
+  it('selects/deselects all rows including other pages when select all is clicked with shift key', () => {
+    render(
+      <Datatable
+        dataset={mockData}
+        columns={mockColumns}
+        settingsManager={{ ...mockSettingsManager, pageSize: 2 }}
+        data-cy="test-table"
+      />
+    );
+
+    const selectAllCheckbox = screen.getByLabelText('Select all rows');
+    fireEvent.click(selectAllCheckbox, { shiftKey: true });
+
+    // Check if all rows on the page are selected
+    expect(screen.getByText('3 item(s) selected')).toBeInTheDocument();
+
+    // Deselect
+    fireEvent.click(selectAllCheckbox, { shiftKey: true });
+    const checkboxes: HTMLInputElement[] = screen.queryAllByRole('checkbox');
+    expect(checkboxes.filter((checkbox) => checkbox.checked).length).toBe(0);
+  });
 });
 
 // Test the defaultGlobalFilterFn used in searches
diff --git a/app/react/components/datatables/select-column.tsx b/app/react/components/datatables/select-column.tsx
index 6e5b4a920..f20f4dd0b 100644
--- a/app/react/components/datatables/select-column.tsx
+++ b/app/react/components/datatables/select-column.tsx
@@ -11,15 +11,22 @@ export function createSelectColumn<T>(dataCy: string): ColumnDef<T> {
       <Checkbox
         id="select-all"
         data-cy={`select-all-checkbox-${dataCy}`}
-        checked={table.getIsAllRowsSelected()}
+        checked={table.getIsAllPageRowsSelected()}
         indeterminate={table.getIsSomeRowsSelected()}
-        onChange={table.getToggleAllRowsSelectedHandler()}
+        onChange={(e) => {
+          // Select all rows if shift key is held down, otherwise only page rows
+          if (e.nativeEvent instanceof MouseEvent && e.nativeEvent.shiftKey) {
+            table.getToggleAllRowsSelectedHandler()(e);
+            return;
+          }
+          table.getToggleAllPageRowsSelectedHandler()(e);
+        }}
         disabled={table.getRowModel().rows.every((row) => !row.getCanSelect())}
         onClick={(e) => {
           e.stopPropagation();
         }}
         aria-label="Select all rows"
-        title="Select all rows"
+        title="Select all rows. Hold shift key to select across all pages."
       />
     ),
     cell: ({ row, table }) => (

From bc19d6592fad172faaacdd0b8a42a17c35cc5daf Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Wed, 5 Feb 2025 12:17:51 +1300
Subject: [PATCH 006/212] fix(libstack): cannot open std edge stack log page
 [BE-11603] (#384)

---
 pkg/libstack/compose/composeplugin.go |  6 ++-
 pkg/libstack/compose/logwriter.go     | 58 +++++++++++++++++++++++++++
 2 files changed, 62 insertions(+), 2 deletions(-)
 create mode 100644 pkg/libstack/compose/logwriter.go

diff --git a/pkg/libstack/compose/composeplugin.go b/pkg/libstack/compose/composeplugin.go
index 7b6a639c4..3162c6ab7 100644
--- a/pkg/libstack/compose/composeplugin.go
+++ b/pkg/libstack/compose/composeplugin.go
@@ -31,8 +31,10 @@ const PortainerEdgeStackLabel = "io.portainer.edge_stack_id"
 var mu sync.Mutex
 
 func init() {
-	// Redirect Compose logging to zerolog
-	logrus.SetOutput(log.Logger)
+	logrus.SetOutput(&LogrusToZerologWriter{})
+	logrus.SetFormatter(&logrus.TextFormatter{
+		DisableTimestamp: true,
+	})
 }
 
 func withCli(
diff --git a/pkg/libstack/compose/logwriter.go b/pkg/libstack/compose/logwriter.go
new file mode 100644
index 000000000..477433552
--- /dev/null
+++ b/pkg/libstack/compose/logwriter.go
@@ -0,0 +1,58 @@
+package compose
+
+import (
+	"strings"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+)
+
+// LogrusToZerologWriter is a custom logrus writer that writes logrus logs to zerolog.
+// logrus is the logging library used by Docker Compose.
+type LogrusToZerologWriter struct{}
+
+func (ltzw *LogrusToZerologWriter) Write(p []byte) (n int, err error) {
+	logMessage := string(p)
+	logMessage = strings.TrimSuffix(logMessage, "\n")
+
+	// Parse the log level and message from the logrus log.
+	// This assumes logrus's default text format.
+	var level, message string
+	if strings.HasPrefix(logMessage, "time=") {
+		// Example logrus log: `time="2023-10-01T12:34:56Z" level=info msg="This is a log message" key=value`
+		parts := strings.SplitN(logMessage, " ", 4)
+		if len(parts) >= 3 {
+			level = strings.TrimPrefix(parts[1], "level=")
+			message = strings.TrimPrefix(parts[2], "msg=")
+			message = strings.Trim(message, `"`)
+		}
+	} else {
+		// Fallback for simpler log formats.
+		level = "info"
+		message = logMessage
+	}
+
+	// Map logrus levels to zerolog levels.
+	var zlogLevel zerolog.Level
+	switch level {
+	case "debug":
+		zlogLevel = zerolog.DebugLevel
+	case "info":
+		zlogLevel = zerolog.InfoLevel
+	case "warn", "warning":
+		zlogLevel = zerolog.WarnLevel
+	case "error":
+		zlogLevel = zerolog.ErrorLevel
+	case "fatal":
+		zlogLevel = zerolog.FatalLevel
+	case "panic":
+		zlogLevel = zerolog.PanicLevel
+	default:
+		zlogLevel = zerolog.InfoLevel
+	}
+
+	// Log the message using zerolog.
+	log.WithLevel(zlogLevel).Msg(message)
+
+	return len(p), nil
+}

From 678cd5455332dcac9f9c00eeed0ee36ef448d93c Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Wed, 5 Feb 2025 15:03:39 +1300
Subject: [PATCH 007/212] security: cve-2024-45338 develop (#386)

---
 binary-version.json | 8 ++++----
 go.mod              | 2 +-
 go.sum              | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/binary-version.json b/binary-version.json
index c91bf37a6..914838f53 100644
--- a/binary-version.json
+++ b/binary-version.json
@@ -1,6 +1,6 @@
 {
-  "docker": "v27.1.2",
-  "helm": "v3.16.4",
-  "kubectl": "v1.31.4",
-  "mingit": "2.46.0.1"
+  "docker": "v27.5.1",
+  "helm": "v3.17.0",
+  "kubectl": "v1.32.1",
+  "mingit": "2.47.0.1"
 }
diff --git a/go.mod b/go.mod
index cc34f23f2..0bc355d71 100644
--- a/go.mod
+++ b/go.mod
@@ -242,7 +242,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.25.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/net v0.29.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
diff --git a/go.sum b/go.sum
index 9a98a81e3..e5855879f 100644
--- a/go.sum
+++ b/go.sum
@@ -723,8 +723,8 @@ golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.29.0 h1:5ORfpBpCs4HzDYoodCDBbwHzdR5UrLBZ3sOnUJmFoHo=
-golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

From 7001f8e088dc1acb736c2ab7de08c458b22cbe81 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Wed, 5 Feb 2025 15:20:20 +1300
Subject: [PATCH 008/212] fix(edge): check all endpoint_relation db query logic
 [BE-11602] (#378)

---
 api/http/handler/edgegroups/edgegroup_update.go     |  1 +
 api/http/handler/edgestacks/edgestack_update.go     | 13 +++++++++++--
 .../endpointedge/endpointedge_status_inspect.go     |  3 +++
 api/http/handler/endpointgroups/endpoints.go        | 12 +++++++++++-
 api/http/handler/endpoints/update_edge_relations.go |  1 +
 api/http/handler/tags/tag_delete.go                 | 10 +++++++++-
 api/internal/edge/edgestacks/service.go             | 12 ++++++++++++
 7 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/api/http/handler/edgegroups/edgegroup_update.go b/api/http/handler/edgegroups/edgegroup_update.go
index e67607d92..319a1b03b 100644
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -186,6 +186,7 @@ func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoi
 	if relation == nil {
 		relation = &portainer.EndpointRelation{
 			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
 		}
 	}
 	relation.EdgeStacks = edgeStackSet
diff --git a/api/http/handler/edgestacks/edgestack_update.go b/api/http/handler/edgestacks/edgestack_update.go
index 9b5bb623d..593e403ef 100644
--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -107,7 +107,7 @@ func (handler *Handler) updateEdgeStack(tx dataservices.DataStoreTx, stackID por
 
 	hasWrongType, err := hasWrongEnvironmentType(tx.Endpoint(), relatedEndpointIds, payload.DeploymentType)
 	if err != nil {
-		return nil, httperror.BadRequest("unable to check for existence of non fitting environments: %w", err)
+		return nil, httperror.InternalServerError("unable to check for existence of non fitting environments: %w", err)
 	}
 	if hasWrongType {
 		return nil, httperror.BadRequest("edge stack with config do not match the environment type", nil)
@@ -151,6 +151,9 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 	for endpointID := range endpointsToRemove {
 		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
 		if err != nil {
+			if tx.IsErrObjectNotFound(err) {
+				continue
+			}
 			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
 		}
 
@@ -170,10 +173,16 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 
 	for endpointID := range endpointsToAdd {
 		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
+		if err != nil && !tx.IsErrObjectNotFound(err) {
 			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
 		}
 
+		if relation == nil {
+			relation = &portainer.EndpointRelation{
+				EndpointID: endpointID,
+				EdgeStacks: map[portainer.EdgeStackID]bool{},
+			}
+		}
 		relation.EdgeStacks[edgeStackID] = true
 
 		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
diff --git a/api/http/handler/endpointedge/endpointedge_status_inspect.go b/api/http/handler/endpointedge/endpointedge_status_inspect.go
index 9bd341561..4d6368493 100644
--- a/api/http/handler/endpointedge/endpointedge_status_inspect.go
+++ b/api/http/handler/endpointedge/endpointedge_status_inspect.go
@@ -264,6 +264,9 @@ func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID p
 func (handler *Handler) buildEdgeStacks(tx dataservices.DataStoreTx, endpointID portainer.EndpointID) ([]stackStatusResponse, *httperror.HandlerError) {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
 	if err != nil {
+		if tx.IsErrObjectNotFound(err) {
+			return nil, nil
+		}
 		return nil, httperror.InternalServerError("Unable to retrieve relation object from the database", err)
 	}
 
diff --git a/api/http/handler/endpointgroups/endpoints.go b/api/http/handler/endpointgroups/endpoints.go
index b7c9771bb..b34032d9e 100644
--- a/api/http/handler/endpointgroups/endpoints.go
+++ b/api/http/handler/endpointgroups/endpoints.go
@@ -21,10 +21,17 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end
 	}
 
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !tx.IsErrObjectNotFound(err) {
 		return err
 	}
 
+	if endpointRelation == nil {
+		endpointRelation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
+		}
+	}
+
 	edgeGroups, err := tx.EdgeGroup().ReadAll()
 	if err != nil {
 		return err
@@ -32,6 +39,9 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end
 
 	edgeStacks, err := tx.EdgeStack().EdgeStacks()
 	if err != nil {
+		if tx.IsErrObjectNotFound(err) {
+			return nil
+		}
 		return err
 	}
 
diff --git a/api/http/handler/endpoints/update_edge_relations.go b/api/http/handler/endpoints/update_edge_relations.go
index 8bebadedd..1390c9fd4 100644
--- a/api/http/handler/endpoints/update_edge_relations.go
+++ b/api/http/handler/endpoints/update_edge_relations.go
@@ -23,6 +23,7 @@ func (handler *Handler) updateEdgeRelations(tx dataservices.DataStoreTx, endpoin
 
 		relation = &portainer.EndpointRelation{
 			EndpointID: endpoint.ID,
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
 		}
 		if err := tx.EndpointRelation().Create(relation); err != nil {
 			return errors.WithMessage(err, "Unable to create environment relation inside the database")
diff --git a/api/http/handler/tags/tag_delete.go b/api/http/handler/tags/tag_delete.go
index ad8ef1347..4f8554faf 100644
--- a/api/http/handler/tags/tag_delete.go
+++ b/api/http/handler/tags/tag_delete.go
@@ -133,10 +133,17 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 
 func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil {
+	if err != nil && !tx.IsErrObjectNotFound(err) {
 		return err
 	}
 
+	if endpointRelation == nil {
+		endpointRelation = &portainer.EndpointRelation{
+			EndpointID: endpoint.ID,
+			EdgeStacks: make(map[portainer.EdgeStackID]bool),
+		}
+	}
+
 	endpointGroup, err := tx.EndpointGroup().Read(endpoint.GroupID)
 	if err != nil {
 		return err
@@ -147,6 +154,7 @@ func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.End
 	for _, edgeStackID := range endpointStacks {
 		stacksSet[edgeStackID] = true
 	}
+
 	endpointRelation.EdgeStacks = stacksSet
 
 	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, endpointRelation)
diff --git a/api/internal/edge/edgestacks/service.go b/api/internal/edge/edgestacks/service.go
index 4fc6943af..3a19e8c9d 100644
--- a/api/internal/edge/edgestacks/service.go
+++ b/api/internal/edge/edgestacks/service.go
@@ -11,6 +11,7 @@ import (
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/internal/edge"
 	edgetypes "github.com/portainer/portainer/api/internal/edge/types"
+	"github.com/rs/zerolog/log"
 
 	"github.com/pkg/errors"
 )
@@ -119,6 +120,9 @@ func (service *Service) updateEndpointRelations(tx dataservices.DataStoreTx, edg
 	for _, endpointID := range relatedEndpointIds {
 		relation, err := endpointRelationService.EndpointRelation(endpointID)
 		if err != nil {
+			if tx.IsErrObjectNotFound(err) {
+				continue
+			}
 			return fmt.Errorf("unable to find endpoint relation in database: %w", err)
 		}
 
@@ -147,6 +151,14 @@ func (service *Service) DeleteEdgeStack(tx dataservices.DataStoreTx, edgeStackID
 	for _, endpointID := range relatedEndpointIds {
 		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
 		if err != nil {
+			if tx.IsErrObjectNotFound(err) {
+				log.Warn().
+					Int("endpoint_id", int(endpointID)).
+					Msg("Unable to find endpoint relation in database, skipping")
+
+				continue
+			}
+
 			return errors.WithMessage(err, "Unable to find environment relation in database")
 		}
 

From 5423a2f1b95a1daa118093d7c8408db2ca2af302 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Wed, 5 Feb 2025 15:56:30 +1300
Subject: [PATCH 009/212] security: cve-2025-21613 develop (#390)

---
 go.mod | 12 ++++++------
 go.sum | 55 ++++++++++++++++++-------------------------------------
 2 files changed, 24 insertions(+), 43 deletions(-)

diff --git a/go.mod b/go.mod
index 0bc355d71..053035ec1 100644
--- a/go.mod
+++ b/go.mod
@@ -21,7 +21,7 @@ require (
 	github.com/docker/docker v27.4.0+incompatible
 	github.com/fvbommel/sortorder v1.1.0
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
-	github.com/go-git/go-git/v5 v5.11.0
+	github.com/go-git/go-git/v5 v5.13.0
 	github.com/go-ldap/ldap/v3 v3.4.1
 	github.com/go-playground/validator/v10 v10.12.0
 	github.com/gofrs/uuid v4.2.0+incompatible
@@ -71,7 +71,7 @@ require (
 	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
 	github.com/BurntSushi/toml v1.3.2 // indirect
 	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 // indirect
+	github.com/ProtonMail/go-crypto v1.1.3 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
@@ -105,7 +105,7 @@ require (
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/ocicrypt v1.1.10 // indirect
 	github.com/containers/storage v1.53.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/buildx v0.18.0 // indirect
@@ -125,7 +125,7 @@ require (
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.5.0 // indirect
+	github.com/go-git/go-billy/v5 v5.6.0 // indirect
 	github.com/go-logr/logr v1.4.1 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
@@ -205,10 +205,10 @@ require (
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/segmentio/asm v1.1.3 // indirect
-	github.com/sergi/go-diff v1.3.1 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
-	github.com/skeema/knownhosts v1.2.1 // indirect
+	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
diff --git a/go.sum b/go.sum
index e5855879f..6427b69de 100644
--- a/go.sum
+++ b/go.sum
@@ -28,8 +28,8 @@ github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9b
 github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371 h1:kkhsdkhsCvIsutKu5zLMgWtgh9YxGCNAw8Ad8hjwfYg=
-github.com/ProtonMail/go-crypto v0.0.0-20230828082145-3c4c8a2d2371/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
+github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
+github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
@@ -99,7 +99,6 @@ github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembj
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
-github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cbroglie/mustache v1.4.0 h1:Azg0dVhxTml5me+7PsZ7WPrQq1Gkf3WApcHMjMprYoU=
 github.com/cbroglie/mustache v1.4.0/go.mod h1:SS1FTIghy0sjse4DUVGV1k/40B1qE1XkD9DtDsHo9iM=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -110,7 +109,6 @@ github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
 github.com/cloudflare/cfssl v1.6.4 h1:NMOvfrEjFfC63K3SGXgAnFdsgkmiq4kATme5BfcqrO8=
 github.com/cloudflare/cfssl v1.6.4/go.mod h1:8b3CQMxfWPAeom3zBnGJ6sd+G1NkL5TXqmDXacb+1J0=
-github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI=
@@ -163,8 +161,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
 github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg=
-github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
+github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -205,8 +203,8 @@ github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7/go.mod h1:cyGadeNE
 github.com/dvsekhvalnov/jose2go v0.0.0-20170216131308-f21a8cedbbae/go.mod h1:7BvyPhdbLxMXIYTFPLsyJRFMsKmOZnQmzh6Gb+uquuM=
 github.com/eiannone/keyboard v0.0.0-20220611211555-0d226195f203 h1:XBBHcIb256gUJtLmY22n99HaZTz+r2Z51xUPi01m3wg=
 github.com/eiannone/keyboard v0.0.0-20220611211555-0d226195f203/go.mod h1:E1jcSv8FaEny+OP/5k9UxZVw9YFWGj7eI4KR/iOBqCg=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU=
-github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM=
+github.com/elazarl/goproxy v1.2.1 h1:njjgvO6cRG9rIqN2ebkqy6cQz2Njkx7Fsfv/zIZqgug=
+github.com/elazarl/goproxy v1.2.1/go.mod h1:YfEbZtqP4AetfO6d40vWchF3znWX7C7Vd6ZMfdL8z64=
 github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
@@ -227,18 +225,18 @@ github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQ
 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814 h1:gWvniJ4GbFfkf700kykAImbLiEMU0Q3QN9hQ26Js1pU=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814/go.mod h1:secRm32Ro77eD23BmPVbgLbWN+JWDw7pJszenjxI4bI=
-github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY=
-github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4=
+github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
+github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-asn1-ber/asn1-ber v1.5.1 h1:pDbRAunXzIUXfx4CB2QJFv5IuPiuoW+sWvr/Us009o8=
 github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
-github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
+github.com/go-git/go-billy/v5 v5.6.0 h1:w2hPNtoehvJIxR00Vb4xX94qHQi/ApZfX+nBE2Cjio8=
+github.com/go-git/go-billy/v5 v5.6.0/go.mod h1:sFDq7xD3fn3E0GOwUSZqHo9lrkmx8xJhA0ZrfvjBRGM=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4=
-github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY=
+github.com/go-git/go-git/v5 v5.13.0 h1:vLn5wlGIh/X78El6r3Jr+30W16Blk0CTcxTYcYPWi5E=
+github.com/go-git/go-git/v5 v5.13.0/go.mod h1:Wjo7/JyVKtQgUNdXYXIepzWfJQkUEIGvkvVkiXRR/zw=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap/v3 v3.4.1 h1:fU/0xli6HY02ocbMuozHAYsaHLcnkLjvho2r5a34BUU=
 github.com/go-ldap/ldap/v3 v3.4.1/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
@@ -486,8 +484,8 @@ github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4
 github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
-github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
-github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
+github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
+github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -559,8 +557,8 @@ github.com/segmentio/asm v1.1.3 h1:WM03sfUOENvvKexOLp+pCqgb/WDjsi7EK8gIsICtzhc=
 github.com/segmentio/asm v1.1.3/go.mod h1:Ld3L4ZXGNcSLRg4JBsZ3//1+f/TjYl0Mzen/DQy1EJg=
 github.com/segmentio/encoding v0.3.6 h1:E6lVLyDPseWEulBmCmAKPanDd3jiyGDo5gMcugCRwZQ=
 github.com/segmentio/encoding v0.3.6/go.mod h1:n0JeuIqEQrQoPDGsjo8UNd1iA0U8d8+oHAA4E3G3OxM=
-github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
-github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b h1:h+3JX2VoWTFuyQEo87pStk/a99dzIO1mM9KxIyLPGTU=
 github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b/go.mod h1:/yeG0My1xr/u+HZrFQ1tOQQQQrOawfyMUH13ai5brBc=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
@@ -571,8 +569,8 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/skeema/knownhosts v1.2.1 h1:SHWdIUa82uGZz+F+47k8SY4QhhI291cXCpopT1lK2AQ=
-github.com/skeema/knownhosts v1.2.1/go.mod h1:xYbVRSPxqBZFrdmDyMmsOs+uX1UZC3nTN3ThzgDxUwo=
+github.com/skeema/knownhosts v1.3.0 h1:AM+y0rI04VksttfwjkSTNQorvGqmwATnvnAHpSgc0LY=
+github.com/skeema/knownhosts v1.3.0/go.mod h1:sPINvnADmT/qYH1kfv+ePMmOBTH6Tbl7b5LvTDjFK7M=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EEf9cgbU6AtGPK4CTG3Zf6CKMNqf0MHTggAUA=
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/spdx/tools-golang v0.5.3 h1:ialnHeEYUC4+hkm5vJm4qz2x+oEJbS0mAMFrNXdQraY=
@@ -697,8 +695,6 @@ golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
@@ -706,7 +702,6 @@ golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
 golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -720,9 +715,6 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
-golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
@@ -735,7 +727,6 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
 golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -764,18 +755,11 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
 golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -783,8 +767,6 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
@@ -794,7 +776,6 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE=
 golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

From 371e84d9a559233d3a2edf59b7ebfa6c13d49c2c Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Wed, 5 Feb 2025 20:22:33 +1300
Subject: [PATCH 010/212] fix(podman): create new image from a container in
 podman [r8s-90] (#347)

---
 app/docker/helpers/imageHelper.js              |  8 ++++++--
 .../containers/edit/containerController.js     |  4 ++--
 .../views/images/edit/imageController.js       |  4 +---
 .../images/import/importImageController.js     |  4 +---
 app/react/docker/images/utils.test.ts          | 18 ++++++++++++++++++
 app/react/docker/images/utils.ts               |  9 +++++++++
 6 files changed, 37 insertions(+), 10 deletions(-)

diff --git a/app/docker/helpers/imageHelper.js b/app/docker/helpers/imageHelper.js
index 0bacd6c53..3ce3d4a45 100644
--- a/app/docker/helpers/imageHelper.js
+++ b/app/docker/helpers/imageHelper.js
@@ -1,4 +1,4 @@
-import { buildImageFullURIFromModel, imageContainsURL } from '@/react/docker/images/utils';
+import { buildImageFullURIFromModel, imageContainsURL, fullURIIntoRepoAndTag } from '@/react/docker/images/utils';
 
 angular.module('portainer.docker').factory('ImageHelper', ImageHelperFactory);
 function ImageHelperFactory() {
@@ -18,8 +18,12 @@ function ImageHelperFactory() {
    * @param {PorImageRegistryModel} registry
    */
   function createImageConfigForContainer(imageModel) {
+    const fromImage = buildImageFullURIFromModel(imageModel);
+    const { tag, repo } = fullURIIntoRepoAndTag(fromImage);
     return {
-      fromImage: buildImageFullURIFromModel(imageModel),
+      fromImage,
+      tag,
+      repo,
     };
   }
 
diff --git a/app/docker/views/containers/edit/containerController.js b/app/docker/views/containers/edit/containerController.js
index 085b2d73d..78f153e27 100644
--- a/app/docker/views/containers/edit/containerController.js
+++ b/app/docker/views/containers/edit/containerController.js
@@ -207,9 +207,9 @@ angular.module('portainer.docker').controller('ContainerController', [
     async function commitContainerAsync() {
       $scope.config.commitInProgress = true;
       const registryModel = $scope.config.RegistryModel;
-      const imageConfig = ImageHelper.createImageConfigForContainer(registryModel);
+      const { repo, tag } = ImageHelper.createImageConfigForContainer(registryModel);
       try {
-        await commitContainer(endpoint.Id, { container: $transition$.params().id, repo: imageConfig.fromImage });
+        await commitContainer(endpoint.Id, { container: $transition$.params().id, repo, tag });
         Notifications.success('Image created', $transition$.params().id);
         $state.reload();
       } catch (err) {
diff --git a/app/docker/views/images/edit/imageController.js b/app/docker/views/images/edit/imageController.js
index 78ae6107c..8ed5c9495 100644
--- a/app/docker/views/images/edit/imageController.js
+++ b/app/docker/views/images/edit/imageController.js
@@ -2,7 +2,6 @@ import _ from 'lodash-es';
 import { PorImageRegistryModel } from 'Docker/models/porImageRegistry';
 import { confirmImageExport } from '@/react/docker/images/common/ConfirmExportModal';
 import { confirmDelete } from '@@/modals/confirm';
-import { fullURIIntoRepoAndTag } from '@/react/docker/images/utils';
 
 angular.module('portainer.docker').controller('ImageController', [
   '$async',
@@ -71,8 +70,7 @@ angular.module('portainer.docker').controller('ImageController', [
     $scope.tagImage = function () {
       const registryModel = $scope.formValues.RegistryModel;
 
-      const image = ImageHelper.createImageConfigForContainer(registryModel);
-      const { repo, tag } = fullURIIntoRepoAndTag(image.fromImage);
+      const { repo, tag } = ImageHelper.createImageConfigForContainer(registryModel);
 
       ImageService.tagImage($transition$.params().id, repo, tag)
         .then(function success() {
diff --git a/app/docker/views/images/import/importImageController.js b/app/docker/views/images/import/importImageController.js
index dfdb8ab1a..d5587ecb9 100644
--- a/app/docker/views/images/import/importImageController.js
+++ b/app/docker/views/images/import/importImageController.js
@@ -1,5 +1,4 @@
 import { PorImageRegistryModel } from 'Docker/models/porImageRegistry';
-import { fullURIIntoRepoAndTag } from '@/react/docker/images/utils';
 
 angular.module('portainer.docker').controller('ImportImageController', [
   '$scope',
@@ -34,8 +33,7 @@ angular.module('portainer.docker').controller('ImportImageController', [
     async function tagImage(id) {
       const registryModel = $scope.formValues.RegistryModel;
       if (registryModel.Image) {
-        const image = ImageHelper.createImageConfigForContainer(registryModel);
-        const { repo, tag } = fullURIIntoRepoAndTag(image.fromImage);
+        const { repo, tag } = ImageHelper.createImageConfigForContainer(registryModel);
         try {
           await ImageService.tagImage(id, repo, tag);
         } catch (err) {
diff --git a/app/react/docker/images/utils.test.ts b/app/react/docker/images/utils.test.ts
index 05f0e39ff..70e1cf74c 100644
--- a/app/react/docker/images/utils.test.ts
+++ b/app/react/docker/images/utils.test.ts
@@ -16,6 +16,24 @@ describe('fullURIIntoRepoAndTag', () => {
     expect(result).toEqual({ repo: 'nginx', tag: 'latest' });
   });
 
+  it('splits image-repo:port/image correctly', () => {
+    const result = fullURIIntoRepoAndTag('registry.example.com:5000/my-image');
+    expect(result).toEqual({
+      repo: 'registry.example.com:5000/my-image',
+      tag: 'latest',
+    });
+  });
+
+  it('splits image-repo:port/image:tag correctly', () => {
+    const result = fullURIIntoRepoAndTag(
+      'registry.example.com:5000/my-image:v1'
+    );
+    expect(result).toEqual({
+      repo: 'registry.example.com:5000/my-image',
+      tag: 'v1',
+    });
+  });
+
   it('splits registry:port/image-repo:tag correctly', () => {
     const result = fullURIIntoRepoAndTag(
       'registry.example.com:5000/my-image:v2.1'
diff --git a/app/react/docker/images/utils.ts b/app/react/docker/images/utils.ts
index 10d6ae0e9..e9aeaf661 100644
--- a/app/react/docker/images/utils.ts
+++ b/app/react/docker/images/utils.ts
@@ -121,9 +121,18 @@ export function fullURIIntoRepoAndTag(fullURI: string) {
   // - registry/image-repo:tag
   // - image-repo:tag
   // - registry:port/image-repo:tag
+  // - localhost:5000/nginx
   // buildImageFullURIFromModel always gives a tag (defaulting to 'latest'), so the tag is always present after the last ':'
   const parts = fullURI.split(':');
   const tag = parts.pop() || 'latest';
+
+  // handle the case of a repo with a non standard port
+  if (tag.includes('/')) {
+    return {
+      repo: fullURI,
+      tag: 'latest',
+    };
+  }
   const repo = parts.join(':');
   return {
     repo,

From 9658f757c2c37aa99d88bb047cd0b76400a4fd88 Mon Sep 17 00:00:00 2001
From: viktigpetterr <viktor.pettersson@portainer.io>
Date: Thu, 6 Feb 2025 18:14:43 +0100
Subject: [PATCH 011/212] fix(endpoints): use the post method for batch delete
 API operations [BE-11573] (#394)

---
 api/http/handler/endpoints/endpoint_delete.go | 23 ++++++++++++++++++-
 api/http/handler/endpoints/handler.go         |  5 ++--
 .../ListView/useDeleteEnvironmentsMutation.ts |  6 ++---
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/api/http/handler/endpoints/endpoint_delete.go b/api/http/handler/endpoints/endpoint_delete.go
index 0add2ccdf..4752364ec 100644
--- a/api/http/handler/endpoints/endpoint_delete.go
+++ b/api/http/handler/endpoints/endpoint_delete.go
@@ -91,7 +91,7 @@ func (handler *Handler) endpointDelete(w http.ResponseWriter, r *http.Request) *
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 403 "Unauthorized access or operation not allowed."
 // @failure 500 "Server error occurred while attempting to delete the specified environments."
-// @router /endpoints [delete]
+// @router /endpoints/delete [post]
 func (handler *Handler) endpointDeleteBatch(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var p endpointDeleteBatchPayload
 	if err := request.DecodeAndValidateJSONPayload(r, &p); err != nil {
@@ -127,6 +127,27 @@ func (handler *Handler) endpointDeleteBatch(w http.ResponseWriter, r *http.Reque
 	return response.Empty(w)
 }
 
+// @id EndpointDeleteBatchDeprecated
+// @summary Remove multiple environments
+// @deprecated
+// @description Deprecated: use the `POST` endpoint instead.
+// @description Remove multiple environments and optionally clean-up associated resources.
+// @description **Access policy**: Administrator only.
+// @tags endpoints
+// @security ApiKeyAuth || jwt
+// @accept json
+// @produce json
+// @param body body endpointDeleteBatchPayload true "List of environments to delete, with optional deleteCluster flag to clean-up associated resources (cloud environments only)"
+// @success 204 "Environment(s) successfully deleted."
+// @failure 207 {object} endpointDeleteBatchPartialResponse "Partial success. Some environments were deleted successfully, while others failed."
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 403 "Unauthorized access or operation not allowed."
+// @failure 500 "Server error occurred while attempting to delete the specified environments."
+// @router /endpoints [delete]
+func (handler *Handler) endpointDeleteBatchDeprecated(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	return handler.endpointDeleteBatch(w, r)
+}
+
 func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID portainer.EndpointID, deleteCluster bool) error {
 	endpoint, err := tx.Endpoint().Endpoint(endpointID)
 	if tx.IsErrObjectNotFound(err) {
diff --git a/api/http/handler/endpoints/handler.go b/api/http/handler/endpoints/handler.go
index fa852633c..d1e323e8f 100644
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@@ -68,8 +68,8 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointUpdate))).Methods(http.MethodPut)
 	h.Handle("/endpoints/{id}",
 		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDelete))).Methods(http.MethodDelete)
-	h.Handle("/endpoints",
-		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatch))).Methods(http.MethodDelete)
+	h.Handle("/endpoints/delete",
+		bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatch))).Methods(http.MethodPost)
 	h.Handle("/endpoints/{id}/dockerhub/{registryId}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.endpointDockerhubStatus))).Methods(http.MethodGet)
 	h.Handle("/endpoints/{id}/snapshot",
@@ -85,6 +85,7 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 
 	// DEPRECATED
 	h.Handle("/endpoints/{id}/status", bouncer.PublicAccess(httperror.LoggerHandler(h.endpointStatusInspect))).Methods(http.MethodGet)
+	h.Handle("/endpoints", bouncer.AdminAccess(httperror.LoggerHandler(h.endpointDeleteBatchDeprecated))).Methods(http.MethodDelete)
 
 	return h
 }
diff --git a/app/react/portainer/environments/ListView/useDeleteEnvironmentsMutation.ts b/app/react/portainer/environments/ListView/useDeleteEnvironmentsMutation.ts
index 01a87681f..48f539f11 100644
--- a/app/react/portainer/environments/ListView/useDeleteEnvironmentsMutation.ts
+++ b/app/react/portainer/environments/ListView/useDeleteEnvironmentsMutation.ts
@@ -55,11 +55,11 @@ async function deleteEnvironments(
   environments: { id: EnvironmentId; deleteCluster?: boolean }[]
 ) {
   try {
-    const { data } = await axios.delete<{
+    const { data } = await axios.post<{
       deleted: EnvironmentId[];
       errors: EnvironmentId[];
-    } | null>(buildUrl(), {
-      data: { endpoints: environments },
+    } | null>(buildUrl(undefined, 'delete'), {
+      endpoints: environments,
     });
     return data;
   } catch (e) {

From d4e2b2188ed6c4b72bc28e3a1b821088eae5e07d Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 7 Feb 2025 08:48:19 +1300
Subject: [PATCH 012/212] chore: bump go version to 1.23.5 develop (#392)

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 053035ec1..8f39fe3a9 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/portainer/portainer
 
-go 1.23.2
+go 1.23.5
 
 require (
 	github.com/Masterminds/semver v1.5.0

From 1b2dc6a133ddc4fd300742e46680354a62f8bc8b Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 7 Feb 2025 14:47:49 +1300
Subject: [PATCH 013/212] version: bump version to 2.27.0-rc2 - develop (#402)

---
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/portainer.go                                 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 9fa3e5f09..43d872914 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.27.0-rc1",
+    "KubectlShellImage": "portainer/kubectl-shell:2.27.0-rc2",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.27.0-rc1\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.27.0-rc2\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/portainer.go b/api/portainer.go
index ad0989437..64ac47012 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1636,7 +1636,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.27.0-rc1"
+	APIVersion = "2.27.0-rc2"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "LTS"
 	// Edition is what this edition of Portainer is called

From 935c7dd49650727b0ded15016b59a0829f3269e0 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Mon, 10 Feb 2025 10:45:47 +1300
Subject: [PATCH 014/212] feat: improve diagnostics stability - develop (#355)

---
 pkg/endpoints/utils.go          | 14 ++++++++
 pkg/endpoints/utils_test.go     | 58 +++++++++++++++++++++++++++++++++
 pkg/snapshot/docker_test.go     |  1 -
 pkg/snapshot/kubernetes_test.go | 43 ++++++++++++++++++++++++
 4 files changed, 115 insertions(+), 1 deletion(-)
 delete mode 100644 pkg/snapshot/docker_test.go

diff --git a/pkg/endpoints/utils.go b/pkg/endpoints/utils.go
index e32b56fea..4c704d86f 100644
--- a/pkg/endpoints/utils.go
+++ b/pkg/endpoints/utils.go
@@ -1,6 +1,7 @@
 package endpoints
 
 import (
+	"github.com/hashicorp/go-version"
 	portainer "github.com/portainer/portainer/api"
 )
 
@@ -15,6 +16,11 @@ func IsEdgeEndpoint(endpoint *portainer.Endpoint) bool {
 	return endpoint.Type == portainer.EdgeAgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment
 }
 
+// IsStandardEdgeEndpoint returns true if this is a standard Edge endpoint and not in async mode on either Docker or Kubernetes
+func IsStandardEdgeEndpoint(endpoint *portainer.Endpoint) bool {
+	return (endpoint.Type == portainer.EdgeAgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment) && !endpoint.Edge.AsyncMode
+}
+
 // IsAssociatedEdgeEndpoint returns true if the environment is an Edge environment
 // and has a set EdgeID and UserTrusted is true.
 func IsAssociatedEdgeEndpoint(endpoint *portainer.Endpoint) bool {
@@ -26,3 +32,11 @@ func IsAssociatedEdgeEndpoint(endpoint *portainer.Endpoint) bool {
 func HasDirectConnectivity(endpoint *portainer.Endpoint) bool {
 	return !IsEdgeEndpoint(endpoint) || (IsAssociatedEdgeEndpoint(endpoint) && !endpoint.Edge.AsyncMode)
 }
+
+// IsNewerThan225 returns true if the agent version is newer than 2.25.0
+// this is used to check if the agent is compatible with the new diagnostics feature
+func IsNewerThan225(agentVersion string) bool {
+	v1, _ := version.NewVersion(agentVersion)
+	v2, _ := version.NewVersion("2.25.0")
+	return v1.GreaterThanOrEqual(v2)
+}
diff --git a/pkg/endpoints/utils_test.go b/pkg/endpoints/utils_test.go
index 47ef2db8d..4231cf60a 100644
--- a/pkg/endpoints/utils_test.go
+++ b/pkg/endpoints/utils_test.go
@@ -202,3 +202,61 @@ func TestHasDirectConnectivity(t *testing.T) {
 		})
 	}
 }
+
+func TestIsStandardEdgeEndpoint(t *testing.T) {
+	tests := []struct {
+		name     string
+		endpoint *portainer.Endpoint
+		expected bool
+	}{
+		{
+			name: "StandardEdgeEndpoint",
+			endpoint: &portainer.Endpoint{
+				Type: portainer.EdgeAgentOnDockerEnvironment,
+				Edge: portainer.EnvironmentEdgeSettings{AsyncMode: false},
+			},
+			expected: true,
+		},
+		{
+			name: "AsyncEdgeEndpoint",
+			endpoint: &portainer.Endpoint{
+				Type: portainer.EdgeAgentOnDockerEnvironment,
+				Edge: portainer.EnvironmentEdgeSettings{AsyncMode: true},
+			},
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsStandardEdgeEndpoint(tt.endpoint)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
+
+func TestIsNewerThan225(t *testing.T) {
+	tests := []struct {
+		name     string
+		version  string
+		expected bool
+	}{
+		{
+			name:     "NewerThan225",
+			version:  "2.25.1",
+			expected: true,
+		},
+		{
+			name:     "OlderThan225",
+			version:  "2.24.0",
+			expected: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := IsNewerThan225(tt.version)
+			assert.Equal(t, tt.expected, result)
+		})
+	}
+}
diff --git a/pkg/snapshot/docker_test.go b/pkg/snapshot/docker_test.go
deleted file mode 100644
index 8df14bc39..000000000
--- a/pkg/snapshot/docker_test.go
+++ /dev/null
@@ -1 +0,0 @@
-package snapshot
diff --git a/pkg/snapshot/kubernetes_test.go b/pkg/snapshot/kubernetes_test.go
index 8df14bc39..142241a5c 100644
--- a/pkg/snapshot/kubernetes_test.go
+++ b/pkg/snapshot/kubernetes_test.go
@@ -1 +1,44 @@
 package snapshot
+
+import (
+	"context"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/require"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kfake "k8s.io/client-go/kubernetes/fake"
+)
+
+func TestCreateKubernetesSnapshot(t *testing.T) {
+	cli := kfake.NewSimpleClientset()
+	kubernetesSnapshot := &portainer.KubernetesSnapshot{}
+
+	serverInfo, err := cli.Discovery().ServerVersion()
+	if err != nil {
+		t.Fatalf("error getting the kubernetesserver version: %v", err)
+	}
+
+	kubernetesSnapshot.KubernetesVersion = serverInfo.GitVersion
+	require.Equal(t, kubernetesSnapshot.KubernetesVersion, serverInfo.GitVersion)
+
+	nodeList, err := cli.CoreV1().Nodes().List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		t.Fatalf("error listing kubernetes nodes: %v", err)
+	}
+
+	var totalCPUs, totalMemory int64
+	for _, node := range nodeList.Items {
+		totalCPUs += node.Status.Capacity.Cpu().Value()
+		totalMemory += node.Status.Capacity.Memory().Value()
+	}
+
+	kubernetesSnapshot.TotalCPU = totalCPUs
+	kubernetesSnapshot.TotalMemory = totalMemory
+	kubernetesSnapshot.NodeCount = len(nodeList.Items)
+	require.Equal(t, kubernetesSnapshot.TotalCPU, totalCPUs)
+	require.Equal(t, kubernetesSnapshot.TotalMemory, totalMemory)
+	require.Equal(t, kubernetesSnapshot.NodeCount, len(nodeList.Items))
+
+	t.Logf("Kubernetes snapshot: %+v", kubernetesSnapshot)
+}

From 03575186a7966ab3ca5014e24b5b3e7280d077bc Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Mon, 10 Feb 2025 10:46:36 +1300
Subject: [PATCH 015/212] remove deprecated api endpoints - develop [BE-11510]
 (#399)

---
 .../customtemplates/customtemplate_create.go  |  25 ----
 api/http/handler/customtemplates/handler.go   |   2 -
 api/http/handler/edgejobs/edgejob_create.go   |  23 ----
 api/http/handler/edgejobs/handler.go          |   3 -
 .../handler/edgestacks/edgestack_create.go    |  23 ----
 .../edgestacks/edgestack_status_delete.go     |  87 ------------
 .../edgestack_status_delete_test.go           |  30 -----
 api/http/handler/edgestacks/handler.go        |   4 -
 .../edgetemplates/edgetemplate_list.go        |  71 ----------
 api/http/handler/edgetemplates/handler.go     |  32 -----
 api/http/handler/handler.go                   |   4 -
 api/http/handler/helm/handler.go              |   6 -
 api/http/handler/helm/user_helm_repos.go      | 127 ------------------
 api/http/handler/stacks/handler.go            |   3 -
 api/http/handler/stacks/stack_create.go       |  51 -------
 api/http/handler/system/handler.go            |   4 -
 api/http/handler/system/nodes_count.go        |  20 ---
 api/http/handler/system/version.go            |  18 ---
 api/http/handler/templates/handler.go         |   2 -
 .../handler/templates/template_file_old.go    |  93 -------------
 api/http/server.go                            |   5 -
 app/constants.ts                              |   1 -
 app/ng-constants.ts                           |   2 -
 23 files changed, 636 deletions(-)
 delete mode 100644 api/http/handler/edgestacks/edgestack_status_delete.go
 delete mode 100644 api/http/handler/edgestacks/edgestack_status_delete_test.go
 delete mode 100644 api/http/handler/edgetemplates/edgetemplate_list.go
 delete mode 100644 api/http/handler/edgetemplates/handler.go
 delete mode 100644 api/http/handler/helm/user_helm_repos.go
 delete mode 100644 api/http/handler/templates/template_file_old.go

diff --git a/api/http/handler/customtemplates/customtemplate_create.go b/api/http/handler/customtemplates/customtemplate_create.go
index a5b6ecdee..0f9c8f1a3 100644
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -482,28 +482,3 @@ func (handler *Handler) createCustomTemplateFromFileUpload(r *http.Request) (*po
 
 	return customTemplate, nil
 }
-
-// @id CustomTemplateCreate
-// @summary Create a custom template
-// @description Create a custom template.
-// @description **Access policy**: authenticated
-// @tags custom_templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json,multipart/form-data
-// @produce json
-// @param method query string true "method for creating template" Enums(string, file, repository)
-// @param body body object true "for body documentation see the relevant /custom_templates/{method} endpoint"
-// @success 200 {object} portainer.CustomTemplate
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @deprecated
-// @router /custom_templates [post]
-func deprecatedCustomTemplateCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method", err)
-	}
-
-	return "/custom_templates/create/" + method, nil
-}
diff --git a/api/http/handler/customtemplates/handler.go b/api/http/handler/customtemplates/handler.go
index 1bb148af6..0da63d81f 100644
--- a/api/http/handler/customtemplates/handler.go
+++ b/api/http/handler/customtemplates/handler.go
@@ -7,7 +7,6 @@ import (
 	"github.com/gorilla/mux"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
@@ -33,7 +32,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 
 	h.Handle("/custom_templates/create/{method}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateCreate))).Methods(http.MethodPost)
-	h.Handle("/custom_templates", middlewares.Deprecated(h, deprecatedCustomTemplateCreateUrlParser)).Methods(http.MethodPost) // Deprecated
 	h.Handle("/custom_templates",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.customTemplateList))).Methods(http.MethodGet)
 	h.Handle("/custom_templates/{id}",
diff --git a/api/http/handler/edgejobs/edgejob_create.go b/api/http/handler/edgejobs/edgejob_create.go
index 252770aa2..0f7bff73d 100644
--- a/api/http/handler/edgejobs/edgejob_create.go
+++ b/api/http/handler/edgejobs/edgejob_create.go
@@ -271,26 +271,3 @@ func (handler *Handler) addAndPersistEdgeJob(tx dataservices.DataStoreTx, edgeJo
 
 	return tx.EdgeJob().CreateWithID(edgeJob.ID, edgeJob)
 }
-
-// @id EdgeJobCreate
-// @summary Create an EdgeJob
-// @description **Access policy**: administrator
-// @tags edge_jobs
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param method query string true "Creation Method" Enums(file, string)
-// @param body body object true "for body documentation see the relevant /edge_jobs/create/{method} endpoint"
-// @success 200 {object} portainer.EdgeGroup
-// @failure 503 "Edge compute features are disabled"
-// @failure 500
-// @deprecated
-// @router /edge_jobs [post]
-func deprecatedEdgeJobCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	return "/edge_jobs/create/" + method, nil
-}
diff --git a/api/http/handler/edgejobs/handler.go b/api/http/handler/edgejobs/handler.go
index 93f210bb5..ab3d66b3b 100644
--- a/api/http/handler/edgejobs/handler.go
+++ b/api/http/handler/edgejobs/handler.go
@@ -6,7 +6,6 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -30,8 +29,6 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 
 	h.Handle("/edge_jobs",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobList)))).Methods(http.MethodGet)
-	h.Handle("/edge_jobs",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeJobCreateUrlParser)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeJobCreate)))).Methods(http.MethodPost)
 	h.Handle("/edge_jobs/{id}",
diff --git a/api/http/handler/edgestacks/edgestack_create.go b/api/http/handler/edgestacks/edgestack_create.go
index 12dfe620a..65e77764a 100644
--- a/api/http/handler/edgestacks/edgestack_create.go
+++ b/api/http/handler/edgestacks/edgestack_create.go
@@ -55,26 +55,3 @@ func (handler *Handler) createSwarmStack(tx dataservices.DataStoreTx, method str
 
 	return nil, httperrors.NewInvalidPayloadError("Invalid value for query parameter: method. Value must be one of: string, repository or file")
 }
-
-// @id EdgeStackCreate
-// @summary Create an EdgeStack
-// @description **Access policy**: administrator
-// @tags edge_stacks
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param method query string true "Creation Method" Enums(file,string,repository)
-// @param body body object true "for body documentation see the relevant /edge_stacks/create/{method} endpoint"
-// @success 200 {object} portainer.EdgeStack
-// @failure 500
-// @failure 503 "Edge compute features are disabled"
-// @deprecated
-// @router /edge_stacks [post]
-func deprecatedEdgeStackCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	return "/edge_stacks/create/" + method, nil
-}
diff --git a/api/http/handler/edgestacks/edgestack_status_delete.go b/api/http/handler/edgestacks/edgestack_status_delete.go
deleted file mode 100644
index eb54951b6..000000000
--- a/api/http/handler/edgestacks/edgestack_status_delete.go
+++ /dev/null
@@ -1,87 +0,0 @@
-package edgestacks
-
-import (
-	"errors"
-	"net/http"
-	"time"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-)
-
-// @id EdgeStackStatusDelete
-// @summary Delete an EdgeStack status
-// @description Authorized only if the request is done by an Edge Environment(Endpoint)
-// @tags edge_stacks
-// @produce json
-// @param id path int true "EdgeStack Id"
-// @param environmentId path int true "Environment identifier"
-// @success 200 {object} portainer.EdgeStack
-// @failure 500
-// @failure 400
-// @failure 404
-// @failure 403
-// @deprecated
-// @router /edge_stacks/{id}/status/{environmentId} [delete]
-func (handler *Handler) edgeStackStatusDelete(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	stackID, err := request.RetrieveNumericRouteVariableValue(r, "id")
-	if err != nil {
-		return httperror.BadRequest("Invalid stack identifier route variable", err)
-	}
-
-	endpoint, err := middlewares.FetchEndpoint(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve a valid endpoint from the handler context", err)
-	}
-
-	err = handler.requestBouncer.AuthorizedEdgeEndpointOperation(r, endpoint)
-	if err != nil {
-		return httperror.Forbidden("Permission denied to access environment", err)
-	}
-
-	var stack *portainer.EdgeStack
-	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		stack, err = handler.deleteEdgeStackStatus(tx, portainer.EdgeStackID(stackID), endpoint)
-		return err
-	})
-	if err != nil {
-		var httpErr *httperror.HandlerError
-		if errors.As(err, &httpErr) {
-			return httpErr
-		}
-
-		return httperror.InternalServerError("Unexpected error", err)
-	}
-
-	return response.JSON(w, stack)
-}
-
-func (handler *Handler) deleteEdgeStackStatus(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID, endpoint *portainer.Endpoint) (*portainer.EdgeStack, error) {
-	stack, err := tx.EdgeStack().EdgeStack(stackID)
-	if err != nil {
-		return nil, handlerDBErr(err, "Unable to find a stack with the specified identifier inside the database")
-	}
-
-	environmentStatus, ok := stack.Status[endpoint.ID]
-	if !ok {
-		environmentStatus = portainer.EdgeStackStatus{}
-	}
-
-	environmentStatus.Status = append(environmentStatus.Status, portainer.EdgeStackDeploymentStatus{
-		Time: time.Now().Unix(),
-		Type: portainer.EdgeStackStatusRemoved,
-	})
-
-	stack.Status[endpoint.ID] = environmentStatus
-
-	err = tx.EdgeStack().UpdateEdgeStack(stack.ID, stack)
-	if err != nil {
-		return nil, httperror.InternalServerError("Unable to persist the stack changes inside the database", err)
-	}
-
-	return stack, nil
-}
diff --git a/api/http/handler/edgestacks/edgestack_status_delete_test.go b/api/http/handler/edgestacks/edgestack_status_delete_test.go
deleted file mode 100644
index 7a3db1315..000000000
--- a/api/http/handler/edgestacks/edgestack_status_delete_test.go
+++ /dev/null
@@ -1,30 +0,0 @@
-package edgestacks
-
-import (
-	"fmt"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-func TestDeleteStatus(t *testing.T) {
-	handler, _ := setupHandler(t)
-
-	endpoint := createEndpoint(t, handler.DataStore)
-	edgeStack := createEdgeStack(t, handler.DataStore, endpoint.ID)
-
-	req, err := http.NewRequest(http.MethodDelete, fmt.Sprintf("/edge_stacks/%d/status/%d", edgeStack.ID, endpoint.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
-
-	req.Header.Set(portainer.PortainerAgentEdgeIDHeader, endpoint.EdgeID)
-	rec := httptest.NewRecorder()
-	handler.ServeHTTP(rec, req)
-
-	if rec.Code != http.StatusOK {
-		t.Fatalf("expected a %d response, found: %d", http.StatusOK, rec.Code)
-	}
-}
diff --git a/api/http/handler/edgestacks/handler.go b/api/http/handler/edgestacks/handler.go
index 290524cb0..9fa90776f 100644
--- a/api/http/handler/edgestacks/handler.go
+++ b/api/http/handler/edgestacks/handler.go
@@ -37,8 +37,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 
 	h.Handle("/edge_stacks/create/{method}",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackCreate)))).Methods(http.MethodPost)
-	h.Handle("/edge_stacks",
-		bouncer.AdminAccess(bouncer.EdgeComputeOperation(middlewares.Deprecated(h, deprecatedEdgeStackCreateUrlParser)))).Methods(http.MethodPost) // Deprecated
 	h.Handle("/edge_stacks",
 		bouncer.AdminAccess(bouncer.EdgeComputeOperation(httperror.LoggerHandler(h.edgeStackList)))).Methods(http.MethodGet)
 	h.Handle("/edge_stacks/{id}",
@@ -55,8 +53,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	edgeStackStatusRouter := h.NewRoute().Subrouter()
 	edgeStackStatusRouter.Use(middlewares.WithEndpoint(h.DataStore.Endpoint(), "endpoint_id"))
 
-	edgeStackStatusRouter.PathPrefix("/edge_stacks/{id}/status/{endpoint_id}").Handler(bouncer.PublicAccess(httperror.LoggerHandler(h.edgeStackStatusDelete))).Methods(http.MethodDelete)
-
 	return h
 }
 
diff --git a/api/http/handler/edgetemplates/edgetemplate_list.go b/api/http/handler/edgetemplates/edgetemplate_list.go
deleted file mode 100644
index 5b2c7254d..000000000
--- a/api/http/handler/edgetemplates/edgetemplate_list.go
+++ /dev/null
@@ -1,71 +0,0 @@
-package edgetemplates
-
-import (
-	"net/http"
-	"slices"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/client"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/segmentio/encoding/json"
-)
-
-type templateFileFormat struct {
-	Version   string               `json:"version"`
-	Templates []portainer.Template `json:"templates"`
-}
-
-// @id EdgeTemplateList
-// @deprecated
-// @summary Fetches the list of Edge Templates
-// @description **Access policy**: administrator
-// @tags edge_templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @success 200 {array} portainer.Template
-// @failure 500
-// @router /edge_templates [get]
-func (handler *Handler) edgeTemplateList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
-	}
-
-	url := portainer.DefaultTemplatesURL
-	if settings.TemplatesURL != "" {
-		url = settings.TemplatesURL
-	}
-
-	var templateData []byte
-	templateData, err = client.Get(url, 10)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve external templates", err)
-	}
-
-	var templateFile templateFileFormat
-
-	err = json.Unmarshal(templateData, &templateFile)
-	if err != nil {
-		return httperror.InternalServerError("Unable to parse template file", err)
-	}
-
-	// We only support version 3 of the template format
-	// this is only a temporary fix until we have custom edge templates
-	if templateFile.Version != "3" {
-		return httperror.InternalServerError("Unsupported template version", nil)
-	}
-
-	filteredTemplates := make([]portainer.Template, 0)
-
-	for _, template := range templateFile.Templates {
-		if slices.Contains(template.Categories, "edge") && slices.Contains([]portainer.TemplateType{portainer.ComposeStackTemplate, portainer.SwarmStackTemplate}, template.Type) {
-			filteredTemplates = append(filteredTemplates, template)
-		}
-	}
-
-	return response.JSON(w, filteredTemplates)
-}
diff --git a/api/http/handler/edgetemplates/handler.go b/api/http/handler/edgetemplates/handler.go
deleted file mode 100644
index d6c98553f..000000000
--- a/api/http/handler/edgetemplates/handler.go
+++ /dev/null
@@ -1,32 +0,0 @@
-package edgetemplates
-
-import (
-	"net/http"
-
-	"github.com/portainer/portainer/api/dataservices"
-	"github.com/portainer/portainer/api/http/middlewares"
-	"github.com/portainer/portainer/api/http/security"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-
-	"github.com/gorilla/mux"
-)
-
-// Handler is the HTTP handler used to handle edge environment(endpoint) operations.
-type Handler struct {
-	*mux.Router
-	requestBouncer security.BouncerService
-	DataStore      dataservices.DataStore
-}
-
-// NewHandler creates a handler to manage environment(endpoint) operations.
-func NewHandler(bouncer security.BouncerService) *Handler {
-	h := &Handler{
-		Router:         mux.NewRouter(),
-		requestBouncer: bouncer,
-	}
-
-	h.Handle("/edge_templates",
-		bouncer.AdminAccess(middlewares.Deprecated(httperror.LoggerHandler(h.edgeTemplateList), func(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) { return "", nil }))).Methods(http.MethodGet)
-
-	return h
-}
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 4d7973170..4325d9f91 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -11,7 +11,6 @@ import (
 	"github.com/portainer/portainer/api/http/handler/edgegroups"
 	"github.com/portainer/portainer/api/http/handler/edgejobs"
 	"github.com/portainer/portainer/api/http/handler/edgestacks"
-	"github.com/portainer/portainer/api/http/handler/edgetemplates"
 	"github.com/portainer/portainer/api/http/handler/endpointedge"
 	"github.com/portainer/portainer/api/http/handler/endpointgroups"
 	"github.com/portainer/portainer/api/http/handler/endpointproxy"
@@ -50,7 +49,6 @@ type Handler struct {
 	EdgeGroupsHandler      *edgegroups.Handler
 	EdgeJobsHandler        *edgejobs.Handler
 	EdgeStacksHandler      *edgestacks.Handler
-	EdgeTemplatesHandler   *edgetemplates.Handler
 	EndpointEdgeHandler    *endpointedge.Handler
 	EndpointGroupHandler   *endpointgroups.Handler
 	EndpointHandler        *endpoints.Handler
@@ -190,8 +188,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		http.StripPrefix("/api", h.EdgeGroupsHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/edge_jobs"):
 		http.StripPrefix("/api", h.EdgeJobsHandler).ServeHTTP(w, r)
-	case strings.HasPrefix(r.URL.Path, "/api/edge_templates"):
-		http.StripPrefix("/api", h.EdgeTemplatesHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/endpoint_groups"):
 		http.StripPrefix("/api", h.EndpointGroupHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/kubernetes"):
diff --git a/api/http/handler/helm/handler.go b/api/http/handler/helm/handler.go
index 0108f7ef1..fb941940b 100644
--- a/api/http/handler/helm/handler.go
+++ b/api/http/handler/helm/handler.go
@@ -53,12 +53,6 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	h.Handle("/{id}/kubernetes/helm",
 		httperror.LoggerHandler(h.helmInstall)).Methods(http.MethodPost)
 
-	// Deprecated
-	h.Handle("/{id}/kubernetes/helm/repositories",
-		httperror.LoggerHandler(h.userGetHelmRepos)).Methods(http.MethodGet)
-	h.Handle("/{id}/kubernetes/helm/repositories",
-		httperror.LoggerHandler(h.userCreateHelmRepo)).Methods(http.MethodPost)
-
 	return h
 }
 
diff --git a/api/http/handler/helm/user_helm_repos.go b/api/http/handler/helm/user_helm_repos.go
deleted file mode 100644
index 5197f88f9..000000000
--- a/api/http/handler/helm/user_helm_repos.go
+++ /dev/null
@@ -1,127 +0,0 @@
-package helm
-
-import (
-	"net/http"
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/pkg/libhelm"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/pkg/errors"
-)
-
-type helmUserRepositoryResponse struct {
-	GlobalRepository string                         `json:"GlobalRepository"`
-	UserRepositories []portainer.HelmUserRepository `json:"UserRepositories"`
-}
-
-type addHelmRepoUrlPayload struct {
-	URL string `json:"url"`
-}
-
-func (p *addHelmRepoUrlPayload) Validate(_ *http.Request) error {
-	return libhelm.ValidateHelmRepositoryURL(p.URL, nil)
-}
-
-// @id HelmUserRepositoryCreateDeprecated
-// @summary Create a user helm repository
-// @description Create a user helm repository.
-// @description **Access policy**: authenticated
-// @tags helm
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @param id path int true "Environment(Endpoint) identifier"
-// @param payload body addHelmRepoUrlPayload true "Helm Repository"
-// @success 200 {object} portainer.HelmUserRepository "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 500 "Server error"
-// @deprecated
-// @router /endpoints/{id}/kubernetes/helm/repositories [post]
-func (handler *Handler) userCreateHelmRepo(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
-	}
-	userID := tokenData.ID
-
-	p := new(addHelmRepoUrlPayload)
-	err = request.DecodeAndValidateJSONPayload(r, p)
-	if err != nil {
-		return httperror.BadRequest("Invalid Helm repository URL", err)
-	}
-
-	// lowercase, remove trailing slash
-	p.URL = strings.TrimSuffix(strings.ToLower(p.URL), "/")
-
-	records, err := handler.dataStore.HelmUserRepository().HelmUserRepositoryByUserID(userID)
-	if err != nil {
-		return httperror.InternalServerError("Unable to access the DataStore", err)
-	}
-
-	// check if repo already exists - by doing case insensitive comparison
-	for _, record := range records {
-		if strings.EqualFold(record.URL, p.URL) {
-			errMsg := "Helm repo already registered for user"
-			return httperror.BadRequest(errMsg, errors.New(errMsg))
-		}
-	}
-
-	record := portainer.HelmUserRepository{
-		UserID: userID,
-		URL:    p.URL,
-	}
-
-	err = handler.dataStore.HelmUserRepository().Create(&record)
-	if err != nil {
-		return httperror.InternalServerError("Unable to save a user Helm repository URL", err)
-	}
-
-	return response.JSON(w, record)
-}
-
-// @id HelmUserRepositoriesListDeprecated
-// @summary List a users helm repositories
-// @description Inspect a user helm repositories.
-// @description **Access policy**: authenticated
-// @tags helm
-// @security ApiKeyAuth
-// @security jwt
-// @produce json
-// @param id path int true "User identifier"
-// @success 200 {object} helmUserRepositoryResponse "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied"
-// @failure 500 "Server error"
-// @deprecated
-// @router /endpoints/{id}/kubernetes/helm/repositories [get]
-func (handler *Handler) userGetHelmRepos(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	tokenData, err := security.RetrieveTokenData(r)
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
-	}
-	userID := tokenData.ID
-
-	settings, err := handler.dataStore.Settings().Settings()
-	if err != nil {
-		return httperror.InternalServerError("Unable to retrieve settings from the database", err)
-	}
-
-	userRepos, err := handler.dataStore.HelmUserRepository().HelmUserRepositoryByUserID(userID)
-	if err != nil {
-		return httperror.InternalServerError("Unable to get user Helm repositories", err)
-	}
-
-	resp := helmUserRepositoryResponse{
-		GlobalRepository: settings.HelmRepositoryURL,
-		UserRepositories: userRepos,
-	}
-
-	return response.JSON(w, resp)
-}
diff --git a/api/http/handler/stacks/handler.go b/api/http/handler/stacks/handler.go
index 7e5cce040..2ad40a182 100644
--- a/api/http/handler/stacks/handler.go
+++ b/api/http/handler/stacks/handler.go
@@ -11,7 +11,6 @@ import (
 	"github.com/portainer/portainer/api/dataservices"
 	dockerclient "github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/docker/consts"
-	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@@ -62,8 +61,6 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 
 	h.Handle("/stacks/create/{type}/{method}",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackCreate))).Methods(http.MethodPost)
-	h.Handle("/stacks",
-		bouncer.AuthenticatedAccess(middlewares.Deprecated(h, deprecatedStackCreateUrlParser))).Methods(http.MethodPost) // Deprecated
 	h.Handle("/stacks",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.stackList))).Methods(http.MethodGet)
 	h.Handle("/stacks/{id}",
diff --git a/api/http/handler/stacks/stack_create.go b/api/http/handler/stacks/stack_create.go
index f45592d09..cb297f9d7 100644
--- a/api/http/handler/stacks/stack_create.go
+++ b/api/http/handler/stacks/stack_create.go
@@ -1,7 +1,6 @@
 package stacks
 
 import (
-	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
@@ -141,53 +140,3 @@ func (handler *Handler) decorateStackResponse(w http.ResponseWriter, stack *port
 
 	return response.JSON(w, stack)
 }
-
-func getStackTypeFromQueryParameter(r *http.Request) (string, error) {
-	stackType, err := request.RetrieveNumericQueryParameter(r, "type", false)
-	if err != nil {
-		return "", err
-	}
-
-	switch stackType {
-	case 1:
-		return "swarm", nil
-	case 2:
-		return "standalone", nil
-	case 3:
-		return "kubernetes", nil
-	}
-
-	return "", errors.New(request.ErrInvalidQueryParameter)
-}
-
-// @id StackCreate
-// @summary Deploy a new stack
-// @description Deploy a new stack into a Docker environment(endpoint) specified via the environment(endpoint) identifier.
-// @description **Access policy**: authenticated
-// @tags stacks
-// @security ApiKeyAuth
-// @security jwt
-// @accept json,multipart/form-data
-// @produce json
-// @param type query int true "Stack deployment type. Possible values: 1 (Swarm stack), 2 (Compose stack) or 3 (Kubernetes stack)." Enums(1,2,3)
-// @param method query string true "Stack deployment method. Possible values: file, string, repository or url." Enums(string, file, repository, url)
-// @param endpointId query int true "Identifier of the environment(endpoint) that will be used to deploy the stack"
-// @param body body object true "for body documentation see the relevant /stacks/create/{type}/{method} endpoint"
-// @success 200 {object} portainer.Stack
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @deprecated
-// @router /stacks [post]
-func deprecatedStackCreateUrlParser(w http.ResponseWriter, r *http.Request) (string, *httperror.HandlerError) {
-	method, err := request.RetrieveQueryParameter(r, "method", false)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: method. Valid values are: file or string", err)
-	}
-
-	stackType, err := getStackTypeFromQueryParameter(r)
-	if err != nil {
-		return "", httperror.BadRequest("Invalid query parameter: type", err)
-	}
-
-	return fmt.Sprintf("/stacks/create/%s/%s", stackType, method), nil
-}
diff --git a/api/http/handler/system/handler.go b/api/http/handler/system/handler.go
index d2e3f5485..4cab43332 100644
--- a/api/http/handler/system/handler.go
+++ b/api/http/handler/system/handler.go
@@ -59,10 +59,6 @@ func NewHandler(bouncer security.BouncerService,
 	// Deprecated /status endpoint, will be removed in the future.
 	h.Handle("/status",
 		bouncer.PublicAccess(httperror.LoggerHandler(h.statusInspectDeprecated))).Methods(http.MethodGet)
-	h.Handle("/status/version",
-		bouncer.AuthenticatedAccess(http.HandlerFunc(h.versionDeprecated))).Methods(http.MethodGet)
-	h.Handle("/status/nodes",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.statusNodesCountDeprecated))).Methods(http.MethodGet)
 
 	return h
 }
diff --git a/api/http/handler/system/nodes_count.go b/api/http/handler/system/nodes_count.go
index 0b9971619..94ab320fa 100644
--- a/api/http/handler/system/nodes_count.go
+++ b/api/http/handler/system/nodes_count.go
@@ -8,8 +8,6 @@ import (
 	"github.com/portainer/portainer/api/internal/snapshot"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/rs/zerolog/log"
 )
 
 type nodesCountResponse struct {
@@ -44,21 +42,3 @@ func (handler *Handler) systemNodesCount(w http.ResponseWriter, r *http.Request)
 
 	return response.JSON(w, &nodesCountResponse{Nodes: nodes})
 }
-
-// @id statusNodesCount
-// @summary Retrieve the count of nodes
-// @deprecated
-// @description Deprecated: use the `/system/nodes` endpoint instead.
-// @description **Access policy**: authenticated
-// @security ApiKeyAuth
-// @security jwt
-// @tags status
-// @produce json
-// @success 200 {object} nodesCountResponse "Success"
-// @failure 500 "Server error"
-// @router /status/nodes [get]
-func (handler *Handler) statusNodesCountDeprecated(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	log.Warn().Msg("The /status/nodes endpoint is deprecated, please use the /system/nodes endpoint instead")
-
-	return handler.systemNodesCount(w, r)
-}
diff --git a/api/http/handler/system/version.go b/api/http/handler/system/version.go
index 50ad2f6af..9d80b88a9 100644
--- a/api/http/handler/system/version.go
+++ b/api/http/handler/system/version.go
@@ -106,21 +106,3 @@ func HasNewerVersion(currentVersion, latestVersion string) bool {
 
 	return currentVersionSemver.LessThan(*latestVersionSemver)
 }
-
-// @id Version
-// @summary Check for portainer updates
-// @deprecated
-// @description Deprecated: use the `/system/version` endpoint instead.
-// @description Check if portainer has an update available
-// @description **Access policy**: authenticated
-// @security ApiKeyAuth
-// @security jwt
-// @tags status
-// @produce json
-// @success 200 {object} versionResponse "Success"
-// @router /status/version [get]
-func (handler *Handler) versionDeprecated(w http.ResponseWriter, r *http.Request) {
-	log.Warn().Msg("The /status/version endpoint is deprecated, please use the /system/version endpoint instead")
-
-	handler.version(w, r)
-}
diff --git a/api/http/handler/templates/handler.go b/api/http/handler/templates/handler.go
index e604e8abe..1e7b7f05d 100644
--- a/api/http/handler/templates/handler.go
+++ b/api/http/handler/templates/handler.go
@@ -29,7 +29,5 @@ func NewHandler(bouncer security.BouncerService) *Handler {
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateList))).Methods(http.MethodGet)
 	h.Handle("/templates/{id}/file",
 		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateFile))).Methods(http.MethodPost)
-	h.Handle("/templates/file",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.templateFileOld))).Methods(http.MethodPost)
 	return h
 }
diff --git a/api/http/handler/templates/template_file_old.go b/api/http/handler/templates/template_file_old.go
deleted file mode 100644
index 91ac038c5..000000000
--- a/api/http/handler/templates/template_file_old.go
+++ /dev/null
@@ -1,93 +0,0 @@
-package templates
-
-import (
-	"errors"
-	"net/http"
-
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
-	"github.com/portainer/portainer/pkg/libhttp/response"
-	"github.com/rs/zerolog/log"
-)
-
-type filePayload struct {
-	// URL of a git repository where the file is stored
-	RepositoryURL string `example:"https://github.com/portainer/portainer-compose" validate:"required"`
-	// Path to the file inside the git repository
-	ComposeFilePathInRepository string `example:"./subfolder/docker-compose.yml" validate:"required"`
-}
-
-func (payload *filePayload) Validate(r *http.Request) error {
-	if len(payload.RepositoryURL) == 0 {
-		return errors.New("Invalid repository url")
-	}
-
-	if len(payload.ComposeFilePathInRepository) == 0 {
-		return errors.New("Invalid file path")
-	}
-
-	return nil
-}
-
-func (handler *Handler) ifRequestedTemplateExists(payload *filePayload) *httperror.HandlerError {
-	response, httpErr := handler.fetchTemplates()
-	if httpErr != nil {
-		return httpErr
-	}
-
-	for _, t := range response.Templates {
-		if t.Repository.URL == payload.RepositoryURL && t.Repository.StackFile == payload.ComposeFilePathInRepository {
-			return nil
-		}
-	}
-	return httperror.InternalServerError("Invalid template", errors.New("requested template does not exist"))
-}
-
-// @id TemplateFileOld
-// @summary Get a template's file
-// @deprecated
-// @description Get a template's file
-// @description **Access policy**: authenticated
-// @tags templates
-// @security ApiKeyAuth
-// @security jwt
-// @accept json
-// @produce json
-// @param body body filePayload true "File details"
-// @success 200 {object} fileResponse "Success"
-// @failure 400 "Invalid request"
-// @failure 500 "Server error"
-// @router /templates/file [post]
-func (handler *Handler) templateFileOld(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	log.Warn().Msg("This api is deprecated. Please use /templates/{id}/file instead")
-
-	var payload filePayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
-		return httperror.BadRequest("Invalid request payload", err)
-	}
-
-	if err := handler.ifRequestedTemplateExists(&payload); err != nil {
-		return err
-	}
-
-	projectPath, err := handler.FileService.GetTemporaryPath()
-	if err != nil {
-		return httperror.InternalServerError("Unable to create temporary folder", err)
-	}
-
-	defer handler.cleanUp(projectPath)
-
-	err = handler.GitService.CloneRepository(projectPath, payload.RepositoryURL, "", "", "", false)
-	if err != nil {
-		return httperror.InternalServerError("Unable to clone git repository", err)
-	}
-
-	fileContent, err := handler.FileService.GetFileContent(projectPath, payload.ComposeFilePathInRepository)
-	if err != nil {
-		return httperror.InternalServerError("Failed loading file content", err)
-	}
-
-	return response.JSON(w, fileResponse{FileContent: string(fileContent)})
-
-}
diff --git a/api/http/server.go b/api/http/server.go
index ec86e6220..c5bb0d40f 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -24,7 +24,6 @@ import (
 	"github.com/portainer/portainer/api/http/handler/edgegroups"
 	"github.com/portainer/portainer/api/http/handler/edgejobs"
 	"github.com/portainer/portainer/api/http/handler/edgestacks"
-	"github.com/portainer/portainer/api/http/handler/edgetemplates"
 	"github.com/portainer/portainer/api/http/handler/endpointedge"
 	"github.com/portainer/portainer/api/http/handler/endpointgroups"
 	"github.com/portainer/portainer/api/http/handler/endpointproxy"
@@ -169,9 +168,6 @@ func (server *Server) Start() error {
 	edgeStacksHandler.GitService = server.GitService
 	edgeStacksHandler.KubernetesDeployer = server.KubernetesDeployer
 
-	var edgeTemplatesHandler = edgetemplates.NewHandler(requestBouncer)
-	edgeTemplatesHandler.DataStore = server.DataStore
-
 	var endpointHandler = endpoints.NewHandler(requestBouncer)
 	endpointHandler.DataStore = server.DataStore
 	endpointHandler.FileService = server.FileService
@@ -306,7 +302,6 @@ func (server *Server) Start() error {
 		EdgeGroupsHandler:      edgeGroupsHandler,
 		EdgeJobsHandler:        edgeJobsHandler,
 		EdgeStacksHandler:      edgeStacksHandler,
-		EdgeTemplatesHandler:   edgeTemplatesHandler,
 		EndpointGroupHandler:   endpointGroupHandler,
 		EndpointHandler:        endpointHandler,
 		EndpointHelmHandler:    endpointHelmHandler,
diff --git a/app/constants.ts b/app/constants.ts
index 8a8e687d2..e61172d27 100644
--- a/app/constants.ts
+++ b/app/constants.ts
@@ -5,7 +5,6 @@ export const API_ENDPOINT_CUSTOM_TEMPLATES = 'api/custom_templates';
 export const API_ENDPOINT_EDGE_GROUPS = 'api/edge_groups';
 export const API_ENDPOINT_EDGE_JOBS = 'api/edge_jobs';
 export const API_ENDPOINT_EDGE_STACKS = 'api/edge_stacks';
-export const API_ENDPOINT_EDGE_TEMPLATES = 'api/edge_templates';
 export const API_ENDPOINT_ENDPOINTS = 'api/endpoints';
 export const API_ENDPOINT_ENDPOINT_GROUPS = 'api/endpoint_groups';
 export const API_ENDPOINT_KUBERNETES = 'api/kubernetes';
diff --git a/app/ng-constants.ts b/app/ng-constants.ts
index 527d42132..87fa45b97 100644
--- a/app/ng-constants.ts
+++ b/app/ng-constants.ts
@@ -7,7 +7,6 @@ import {
   API_ENDPOINT_EDGE_GROUPS,
   API_ENDPOINT_EDGE_JOBS,
   API_ENDPOINT_EDGE_STACKS,
-  API_ENDPOINT_EDGE_TEMPLATES,
   API_ENDPOINT_ENDPOINTS,
   API_ENDPOINT_ENDPOINT_GROUPS,
   API_ENDPOINT_KUBERNETES,
@@ -42,7 +41,6 @@ export const constantsModule = angular
   .constant('API_ENDPOINT_EDGE_GROUPS', API_ENDPOINT_EDGE_GROUPS)
   .constant('API_ENDPOINT_EDGE_JOBS', API_ENDPOINT_EDGE_JOBS)
   .constant('API_ENDPOINT_EDGE_STACKS', API_ENDPOINT_EDGE_STACKS)
-  .constant('API_ENDPOINT_EDGE_TEMPLATES', API_ENDPOINT_EDGE_TEMPLATES)
   .constant('API_ENDPOINT_ENDPOINTS', API_ENDPOINT_ENDPOINTS)
   .constant('API_ENDPOINT_ENDPOINT_GROUPS', API_ENDPOINT_ENDPOINT_GROUPS)
   .constant('API_ENDPOINT_KUBERNETES', API_ENDPOINT_KUBERNETES)

From 4bb80d3e3afde96e257025e92cea33754c4b05c5 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Mon, 10 Feb 2025 21:05:15 +1300
Subject: [PATCH 016/212] fix(setting): failed to persist edge computer setting
 [BE-11403] (#395)

---
 api/cmd/portainer/main.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index edc9cb897..88e21f17b 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -238,10 +238,10 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}
 
-	settings.SnapshotInterval = *cmp.Or(flags.SnapshotInterval, &settings.SnapshotInterval)
-	settings.LogoURL = *cmp.Or(flags.Logo, &settings.LogoURL)
-	settings.EnableEdgeComputeFeatures = *cmp.Or(flags.EnableEdgeComputeFeatures, &settings.EnableEdgeComputeFeatures)
-	settings.TemplatesURL = *cmp.Or(flags.Templates, &settings.TemplatesURL)
+	settings.SnapshotInterval = cmp.Or(*flags.SnapshotInterval, settings.SnapshotInterval)
+	settings.LogoURL = cmp.Or(*flags.Logo, settings.LogoURL)
+	settings.EnableEdgeComputeFeatures = cmp.Or(*flags.EnableEdgeComputeFeatures, settings.EnableEdgeComputeFeatures)
+	settings.TemplatesURL = cmp.Or(*flags.Templates, settings.TemplatesURL)
 
 	if *flags.Labels != nil {
 		settings.BlackListedLabels = *flags.Labels

From b25bf1e341e2f500d873c5ca23824b6789cd4d2d Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Mon, 10 Feb 2025 21:08:27 +1300
Subject: [PATCH 017/212] fix(podman): missing filter in homepage [BE-11502]
 (#404)

---
 .../EnvironmentList/EnvironmentList.tsx       |  1 +
 .../EnvironmentListFilters.tsx                | 15 ++++++++--
 .../environments/environment.service/index.ts |  2 ++
 .../queries/useEnvironmentList.ts             | 29 ++++++++++++++++++-
 4 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx b/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx
index 4805ce6e6..9884048b3 100644
--- a/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx
+++ b/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx
@@ -109,6 +109,7 @@ export function EnvironmentList({ onClickBrowse, onRefresh }: Props) {
     agentVersions,
     updateInformation: isBE,
     edgeAsync: getEdgeAsyncValue(connectionTypes),
+    platformTypes,
   };
 
   const queryWithSort = {
diff --git a/app/react/portainer/HomeView/EnvironmentList/EnvironmentListFilters.tsx b/app/react/portainer/HomeView/EnvironmentList/EnvironmentListFilters.tsx
index 3c4d993e4..06d1c5108 100644
--- a/app/react/portainer/HomeView/EnvironmentList/EnvironmentListFilters.tsx
+++ b/app/react/portainer/HomeView/EnvironmentList/EnvironmentListFilters.tsx
@@ -209,6 +209,7 @@ function getPlatformTypeOptions(connectionTypes: ConnectionType[]) {
     { value: PlatformType.Docker, label: 'Docker' },
     { value: PlatformType.Azure, label: 'Azure' },
     { value: PlatformType.Kubernetes, label: 'Kubernetes' },
+    { value: PlatformType.Podman, label: 'Podman' },
   ];
 
   if (connectionTypes.length === 0) {
@@ -216,15 +217,25 @@ function getPlatformTypeOptions(connectionTypes: ConnectionType[]) {
   }
 
   const connectionTypePlatformType = {
-    [ConnectionType.API]: [PlatformType.Docker, PlatformType.Azure],
-    [ConnectionType.Agent]: [PlatformType.Docker, PlatformType.Kubernetes],
+    [ConnectionType.API]: [
+      PlatformType.Docker,
+      PlatformType.Azure,
+      PlatformType.Podman,
+    ],
+    [ConnectionType.Agent]: [
+      PlatformType.Docker,
+      PlatformType.Kubernetes,
+      PlatformType.Podman,
+    ],
     [ConnectionType.EdgeAgentStandard]: [
       PlatformType.Kubernetes,
       PlatformType.Docker,
+      PlatformType.Podman,
     ],
     [ConnectionType.EdgeAgentAsync]: [
       PlatformType.Docker,
       PlatformType.Kubernetes,
+      PlatformType.Podman,
     ],
   };
 
diff --git a/app/react/portainer/environments/environment.service/index.ts b/app/react/portainer/environments/environment.service/index.ts
index 09844e6ce..8971a4af0 100644
--- a/app/react/portainer/environments/environment.service/index.ts
+++ b/app/react/portainer/environments/environment.service/index.ts
@@ -6,6 +6,7 @@ import {
   EnvironmentSecuritySettings,
   EnvironmentStatus,
   EnvironmentGroupId,
+  PlatformType,
 } from '@/react/portainer/environments/types';
 import { type TagId } from '@/portainer/tags/types';
 import { UserId } from '@/portainer/users/types';
@@ -45,6 +46,7 @@ export interface BaseEnvironmentsQueryParams {
   agentVersions?: string[];
   updateInformation?: boolean;
   edgeCheckInPassedSeconds?: number;
+  platformTypes?: PlatformType[];
 }
 
 export type EnvironmentsQueryParams = BaseEnvironmentsQueryParams &
diff --git a/app/react/portainer/environments/queries/useEnvironmentList.ts b/app/react/portainer/environments/queries/useEnvironmentList.ts
index ef545b06f..850fc7cfd 100644
--- a/app/react/portainer/environments/queries/useEnvironmentList.ts
+++ b/app/react/portainer/environments/queries/useEnvironmentList.ts
@@ -1,8 +1,11 @@
 import { useQuery } from '@tanstack/react-query';
 
 import { withError } from '@/react-tools/react-query';
+import {
+  PlatformType,
+  EnvironmentStatus,
+} from '@/react/portainer/environments/types';
 
-import { EnvironmentStatus } from '../types';
 import {
   EnvironmentsQueryParams,
   getEnvironments,
@@ -98,6 +101,30 @@ export function useEnvironmentList(
     }
   );
 
+  if (data?.value && query && query.platformTypes) {
+    const platforms = Array.from(query.platformTypes);
+
+    if (
+      platforms.includes(PlatformType.Podman) !==
+      platforms.includes(PlatformType.Docker)
+    ) {
+      const isPodmanSelected = platforms.includes(PlatformType.Podman);
+      const containerEngineToExclude = isPodmanSelected ? 'docker' : 'podman';
+
+      const filteredList = data?.value.filter(
+        (env) => env.ContainerEngine !== containerEngineToExclude
+      );
+
+      return {
+        isLoading,
+        environments: filteredList,
+        totalCount: data ? data.totalCount : 0,
+        totalAvailable: data ? data.totalAvailable : 0,
+        updateAvailable: data ? data.updateAvailable : false,
+      };
+    }
+  }
+
   return {
     isLoading,
     environments: data ? data.value : [],

From 2d3e5c3499812d359476b8440bdc5ffb5255a4ae Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Tue, 11 Feb 2025 15:36:29 +1300
Subject: [PATCH 018/212] workaround: leave the globally set helm repo to empty
 and add disclaimer - develop (#409)

---
 api/database/boltdb/json_test.go              |  2 +-
 .../test_data/output_24_to_latest.json        |  2 +-
 api/http/handler/helm/helm_install_test.go    |  2 +-
 .../handler/helm/helm_repo_search_test.go     |  2 +-
 api/http/handler/helm/helm_show_test.go       |  2 +-
 api/http/handler/settings/settings_update.go  |  2 +-
 api/portainer.go                              | 10 ++---
 .../helm-templates-list.html                  | 38 +++++++++++++++++--
 .../KubeSettingsPanel/HelmSection.tsx         | 24 +++++++++++-
 pkg/libhelm/binary/install_test.go            | 12 +++---
 pkg/libhelm/binary/search_repo_test.go        |  2 +-
 pkg/libhelm/validate_repo_test.go             |  2 +-
 12 files changed, 76 insertions(+), 24 deletions(-)

diff --git a/api/database/boltdb/json_test.go b/api/database/boltdb/json_test.go
index 577aa2cfd..ba0863efd 100644
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://kubernetes.github.io/ingress-nginx","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )
 
diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 43d872914..d9b9bf036 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -605,7 +605,7 @@
     "GlobalDeploymentOptions": {
       "hideStacksFunctionality": false
     },
-    "HelmRepositoryURL": "https://charts.bitnami.com/bitnami",
+    "HelmRepositoryURL": "",
     "InternalAuthSettings": {
       "RequiredPasswordLength": 12
     },
diff --git a/api/http/handler/helm/helm_install_test.go b/api/http/handler/helm/helm_install_test.go
index 869b80554..0b87d3a23 100644
--- a/api/http/handler/helm/helm_install_test.go
+++ b/api/http/handler/helm/helm_install_test.go
@@ -45,7 +45,7 @@ func Test_helmInstall(t *testing.T) {
 	is.NotNil(h, "Handler should not fail")
 
 	// Install a single chart.  We expect to get these values back
-	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default", Repo: "https://charts.bitnami.com/bitnami"}
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default", Repo: "https://kubernetes.github.io/ingress-nginx"}
 	optdata, err := json.Marshal(options)
 	is.NoError(err)
 
diff --git a/api/http/handler/helm/helm_repo_search_test.go b/api/http/handler/helm/helm_repo_search_test.go
index 5fde5e642..a556908b9 100644
--- a/api/http/handler/helm/helm_repo_search_test.go
+++ b/api/http/handler/helm/helm_repo_search_test.go
@@ -20,7 +20,7 @@ func Test_helmRepoSearch(t *testing.T) {
 
 	assert.NotNil(t, h, "Handler should not fail")
 
-	repos := []string{"https://charts.bitnami.com/bitnami", "https://portainer.github.io/k8s"}
+	repos := []string{"https://kubernetes.github.io/ingress-nginx", "https://portainer.github.io/k8s"}
 
 	for _, repo := range repos {
 		t.Run(repo, func(t *testing.T) {
diff --git a/api/http/handler/helm/helm_show_test.go b/api/http/handler/helm/helm_show_test.go
index dd3957c99..fed59388d 100644
--- a/api/http/handler/helm/helm_show_test.go
+++ b/api/http/handler/helm/helm_show_test.go
@@ -31,7 +31,7 @@ func Test_helmShow(t *testing.T) {
 		t.Run(cmd, func(t *testing.T) {
 			is.NotNil(h, "Handler should not fail")
 
-			repoUrlEncoded := url.QueryEscape("https://charts.bitnami.com/bitnami")
+			repoUrlEncoded := url.QueryEscape("https://kubernetes.github.io/ingress-nginx")
 			chart := "nginx"
 			req := httptest.NewRequest("GET", fmt.Sprintf("/templates/helm/%s?repo=%s&chart=%s", cmd, repoUrlEncoded, chart), nil)
 			rr := httptest.NewRecorder()
diff --git a/api/http/handler/settings/settings_update.go b/api/http/handler/settings/settings_update.go
index 0b36dbc62..895da489c 100644
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -46,7 +46,7 @@ type settingsUpdatePayload struct {
 	// Whether telemetry is enabled
 	EnableTelemetry *bool `example:"false"`
 	// Helm repository URL
-	HelmRepositoryURL *string `example:"https://charts.bitnami.com/bitnami"`
+	HelmRepositoryURL *string `example:"https://kubernetes.github.io/ingress-nginx"`
 	// Kubectl Shell Image
 	KubectlShellImage *string `example:"portainer/kubectl-shell:latest"`
 	// TrustOnFirstConnect makes Portainer accepting edge agent connection by default
diff --git a/api/portainer.go b/api/portainer.go
index 64ac47012..9a6d719e8 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -588,7 +588,7 @@ type (
 		// User identifier
 		UserID UserID `json:"UserId" example:"1"`
 		// Helm repository URL
-		URL string `json:"URL" example:"https://charts.bitnami.com/bitnami"`
+		URL string `json:"URL" example:"https://kubernetes.github.io/ingress-nginx"`
 	}
 
 	// QuayRegistryData represents data required for Quay registry to work
@@ -984,8 +984,8 @@ type (
 		KubeconfigExpiry string `json:"KubeconfigExpiry" example:"24h"`
 		// Whether telemetry is enabled
 		EnableTelemetry bool `json:"EnableTelemetry" example:"false"`
-		// Helm repository URL, defaults to "https://charts.bitnami.com/bitnami"
-		HelmRepositoryURL string `json:"HelmRepositoryURL" example:"https://charts.bitnami.com/bitnami"`
+		// Helm repository URL, defaults to ""
+		HelmRepositoryURL string `json:"HelmRepositoryURL"`
 		// KubectlImage, defaults to portainer/kubectl-shell
 		KubectlShellImage string `json:"KubectlShellImage" example:"portainer/kubectl-shell"`
 		// TrustOnFirstConnect makes Portainer accepting edge agent connection by default
@@ -1672,8 +1672,8 @@ const (
 	DefaultEdgeAgentCheckinIntervalInSeconds = 5
 	// DefaultTemplatesURL represents the URL to the official templates supported by Portainer
 	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/v3/templates.json"
-	// DefaultHelmrepositoryURL represents the URL to the official templates supported by Bitnami
-	DefaultHelmRepositoryURL = "https://charts.bitnami.com/bitnami"
+	// DefaultHelmrepositoryURL set to empty string until oci support is added
+	DefaultHelmRepositoryURL = ""
 	// DefaultUserSessionTimeout represents the default timeout after which the user session is cleared
 	DefaultUserSessionTimeout = "8h"
 	// DefaultUserSessionTimeout represents the default timeout after which the user session is cleared
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
index 8f3f2fb4a..504c53af3 100644
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
+++ b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
@@ -31,10 +31,40 @@
       >Select the Helm chart to use. Bring further Helm charts into your selection list via
       <a ui-sref="portainer.account({'#': 'helm-repositories'})">User settings - Helm repositories</a>.</div
     >
-    <beta-alert
-      is-html="true"
-      message="'Beta feature - so far, this functionality has been tested in limited scenarios. For more information, see this <a href=\'https://www.portainer.io/blog/portainer-now-with-helm-support\' target=\'_blank\' class=\'hyperlink\'>blog post on Portainer Helm support</a>.'"
-    ></beta-alert>
+    <div class="w-full">
+      <div class="small text-muted mb-2"
+        >Select the Helm chart to use. Bring further Helm charts into your selection list via
+        <a ui-sref="portainer.account({'#': 'helm-repositories'})">User settings - Helm repositories</a>.</div
+      >
+      <div class="relative flex w-fit gap-1 rounded-lg bg-gray-modern-3 p-4 text-sm th-highcontrast:bg-legacy-grey-3 th-dark:bg-legacy-grey-3 mt-2">
+        <div class="mt-0.5 shrink-0">
+          <svg
+            xmlns="http://www.w3.org/2000/svg"
+            width="24"
+            height="24"
+            viewBox="0 0 24 24"
+            fill="none"
+            stroke="currentColor"
+            stroke-width="2"
+            stroke-linecap="round"
+            stroke-linejoin="round"
+            class="lucide lucide-lightbulb h-4 text-warning-7 th-highcontrast:text-warning-6 th-dark:text-warning-6"
+          >
+            <path d="M15 14c.2-1 .7-1.7 1.5-2.5 1-.9 1.5-2.2 1.5-3.5A6 6 0 0 0 6 8c0 1 .2 2.2 1.5 3.5.7.7 1.3 1.5 1.5 2.5"></path>
+            <path d="M9 18h6"></path>
+            <path d="M10 22h4"></path>
+          </svg>
+        </div>
+        <div>
+          <p class="align-middle text-[0.9em] font-medium pr-10 mb-2">Disclaimer</p>
+          <div class="small">
+            At present Portainer does not support OCI format Helm charts. Support for OCI charts will be available in a future release.<br />
+            If you would like to provide feedback on OCI support or get access to early releases to test this functionality,
+            <a href="https://bit.ly/3WVkayl" target="_blank" rel="noopener noreferrer">please get in touch</a>.
+          </div>
+        </div>
+      </div>
+    </div>
   </div>
 
   <div class="blocklist !px-0" role="list">
diff --git a/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx b/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx
index 22790e781..e5d519174 100644
--- a/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx
+++ b/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx
@@ -4,6 +4,7 @@ import { TextTip } from '@@/Tip/TextTip';
 import { FormControl } from '@@/form-components/FormControl';
 import { FormSection } from '@@/form-components/FormSection';
 import { Input } from '@@/form-components/Input';
+import { InsightsBox } from '@@/InsightsBox';
 
 export function HelmSection() {
   const [{ name }, { error }] = useField<string>('helmRepositoryUrl');
@@ -24,13 +25,34 @@ export function HelmSection() {
         </TextTip>
       </div>
 
+      <InsightsBox
+        header="Disclaimer"
+        content={
+          <>
+            At present Portainer does not support OCI format Helm charts.
+            Support for OCI charts will be available in a future release. If you
+            would like to provide feedback on OCI support or get access to early
+            releases to test this functionality,{' '}
+            <a
+              href="https://bit.ly/3WVkayl"
+              target="_blank"
+              rel="noopener noreferrer"
+            >
+              please get in touch
+            </a>
+            .
+          </>
+        }
+        className="block w-fit mt-2 mb-1"
+      />
+
       <FormControl label="URL" errors={error} inputId="helm-repo-url">
         <Field
           as={Input}
           id="helm-repo-url"
           data-cy="helm-repo-url-input"
           name={name}
-          placeholder="https://charts.bitnami.com/bitnami"
+          placeholder="https://kubernetes.github.io/ingress-nginx"
         />
       </FormControl>
     </FormSection>
diff --git a/pkg/libhelm/binary/install_test.go b/pkg/libhelm/binary/install_test.go
index e3252e1f2..3d6c74707 100644
--- a/pkg/libhelm/binary/install_test.go
+++ b/pkg/libhelm/binary/install_test.go
@@ -53,11 +53,11 @@ func Test_Install(t *testing.T) {
 	hbpm := NewHelmBinaryPackageManager(path)
 
 	t.Run("successfully installs nginx chart with name test-nginx", func(t *testing.T) {
-		// helm install test-nginx --repo https://charts.bitnami.com/bitnami nginx
+		// helm install test-nginx --repo https://kubernetes.github.io/ingress-nginx nginx
 		installOpts := options.InstallOptions{
 			Name:  "test-nginx",
 			Chart: "nginx",
-			Repo:  "https://charts.bitnami.com/bitnami",
+			Repo:  "https://kubernetes.github.io/ingress-nginx",
 		}
 
 		release, err := hbpm.Install(installOpts)
@@ -67,10 +67,10 @@ func Test_Install(t *testing.T) {
 	})
 
 	t.Run("successfully installs nginx chart with generated name", func(t *testing.T) {
-		// helm install --generate-name --repo https://charts.bitnami.com/bitnami nginx
+		// helm install --generate-name --repo https://kubernetes.github.io/ingress-nginx nginx
 		installOpts := options.InstallOptions{
 			Chart: "nginx",
-			Repo:  "https://charts.bitnami.com/bitnami",
+			Repo:  "https://kubernetes.github.io/ingress-nginx",
 		}
 		release, err := hbpm.Install(installOpts)
 		defer hbpm.run("uninstall", []string{release.Name}, nil)
@@ -79,7 +79,7 @@ func Test_Install(t *testing.T) {
 	})
 
 	t.Run("successfully installs nginx with values", func(t *testing.T) {
-		// helm install test-nginx-2 --repo https://charts.bitnami.com/bitnami nginx --values /tmp/helm-values3161785816
+		// helm install test-nginx-2 --repo https://kubernetes.github.io/ingress-nginx nginx --values /tmp/helm-values3161785816
 		values, err := createValuesFile("service:\n  port:  8081")
 		is.NoError(err, "should create a values file")
 
@@ -88,7 +88,7 @@ func Test_Install(t *testing.T) {
 		installOpts := options.InstallOptions{
 			Name:       "test-nginx-2",
 			Chart:      "nginx",
-			Repo:       "https://charts.bitnami.com/bitnami",
+			Repo:       "https://kubernetes.github.io/ingress-nginx",
 			ValuesFile: values,
 		}
 		release, err := hbpm.Install(installOpts)
diff --git a/pkg/libhelm/binary/search_repo_test.go b/pkg/libhelm/binary/search_repo_test.go
index 4d5dd4d82..48786a0d7 100644
--- a/pkg/libhelm/binary/search_repo_test.go
+++ b/pkg/libhelm/binary/search_repo_test.go
@@ -22,7 +22,7 @@ func Test_SearchRepo(t *testing.T) {
 
 	tests := []testCase{
 		{"not a helm repo", "https://portainer.io", true},
-		{"bitnami helm repo", "https://charts.bitnami.com/bitnami", false},
+		{"ingress helm repo", "https://kubernetes.github.io/ingress-nginx", false},
 		{"portainer helm repo", "https://portainer.github.io/k8s/", false},
 		{"gitlap helm repo with trailing slash", "https://charts.gitlab.io/", false},
 		{"elastic helm repo with trailing slash", "https://helm.elastic.co/", false},
diff --git a/pkg/libhelm/validate_repo_test.go b/pkg/libhelm/validate_repo_test.go
index 7f81311ba..dce1257d0 100644
--- a/pkg/libhelm/validate_repo_test.go
+++ b/pkg/libhelm/validate_repo_test.go
@@ -26,7 +26,7 @@ func Test_ValidateHelmRepositoryURL(t *testing.T) {
 		{"not helm repo", "http://google.com", true},
 		{"not valid repo with trailing slash", "http://google.com/", true},
 		{"not valid repo with trailing slashes", "http://google.com////", true},
-		{"bitnami helm repo", "https://charts.bitnami.com/bitnami/", false},
+		{"ingress helm repo", "https://kubernetes.github.io/ingress-nginx/", false},
 		{"gitlap helm repo", "https://charts.gitlab.io/", false},
 		{"portainer helm repo", "https://portainer.github.io/k8s/", false},
 		{"elastic helm repo", "https://helm.elastic.co/", false},

From e45b852c0948c0d24656224f1667c0d3108cdaa4 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Wed, 12 Feb 2025 09:23:52 +1300
Subject: [PATCH 019/212] fix(platform): remove error log when local env is not
 found [BE-11353] (#364)

---
 api/http/handler/system/system_info.go    |  8 +++++++-
 api/http/handler/system/system_upgrade.go |  7 +++++--
 api/platform/service.go                   | 10 +++++++---
 3 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/api/http/handler/system/system_info.go b/api/http/handler/system/system_info.go
index ad5f944ef..64a915313 100644
--- a/api/http/handler/system/system_info.go
+++ b/api/http/handler/system/system_info.go
@@ -3,6 +3,7 @@ package system
 import (
 	"net/http"
 
+	"github.com/pkg/errors"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	plf "github.com/portainer/portainer/api/platform"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -46,7 +47,12 @@ func (handler *Handler) systemInfo(w http.ResponseWriter, r *http.Request) *http
 
 	platform, err := handler.platformService.GetPlatform()
 	if err != nil {
-		return httperror.InternalServerError("Failed to get platform", err)
+		if !errors.Is(err, plf.ErrNoLocalEnvironment) {
+			return httperror.InternalServerError("Failed to get platform", err)
+		}
+		// If no local environment is detected, we assume the platform is Docker
+		// UI will stop showing the upgrade banner
+		platform = plf.PlatformDocker
 	}
 
 	return response.JSON(w, &systemInfoResponse{
diff --git a/api/http/handler/system/system_upgrade.go b/api/http/handler/system/system_upgrade.go
index f881b6233..8eb41413f 100644
--- a/api/http/handler/system/system_upgrade.go
+++ b/api/http/handler/system/system_upgrade.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"regexp"
 
+	ceplf "github.com/portainer/portainer/api/platform"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -45,6 +46,9 @@ func (handler *Handler) systemUpgrade(w http.ResponseWriter, r *http.Request) *h
 
 	environment, err := handler.platformService.GetLocalEnvironment()
 	if err != nil {
+		if errors.Is(err, ceplf.ErrNoLocalEnvironment) {
+			return httperror.NotFound("The system upgrade feature is disabled because no local environment was detected.", err)
+		}
 		return httperror.InternalServerError("Failed to get local environment", err)
 	}
 
@@ -53,8 +57,7 @@ func (handler *Handler) systemUpgrade(w http.ResponseWriter, r *http.Request) *h
 		return httperror.InternalServerError("Failed to get platform", err)
 	}
 
-	err = handler.upgradeService.Upgrade(platform, environment, payload.License)
-	if err != nil {
+	if err := handler.upgradeService.Upgrade(platform, environment, payload.License); err != nil {
 		return httperror.InternalServerError("Failed to upgrade Portainer", err)
 	}
 
diff --git a/api/platform/service.go b/api/platform/service.go
index 628e1cf9b..e74855fb7 100644
--- a/api/platform/service.go
+++ b/api/platform/service.go
@@ -14,6 +14,10 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
+var (
+	ErrNoLocalEnvironment = errors.New("No local environment was detected")
+)
+
 type Service interface {
 	GetLocalEnvironment() (*portainer.Endpoint, error)
 	GetPlatform() (ContainerPlatform, error)
@@ -35,7 +39,7 @@ func (service *service) loadEnvAndPlatform() error {
 		return nil
 	}
 
-	environment, platform, err := guessLocalEnvironment(service.dataStore)
+	environment, platform, err := detectLocalEnvironment(service.dataStore)
 	if err != nil {
 		return err
 	}
@@ -73,7 +77,7 @@ var platformToEndpointType = map[ContainerPlatform][]portainer.EndpointType{
 	PlatformKubernetes: {portainer.KubernetesLocalEnvironment},
 }
 
-func guessLocalEnvironment(dataStore dataservices.DataStore) (*portainer.Endpoint, ContainerPlatform, error) {
+func detectLocalEnvironment(dataStore dataservices.DataStore) (*portainer.Endpoint, ContainerPlatform, error) {
 	platform := DetermineContainerPlatform()
 
 	if !slices.Contains([]ContainerPlatform{PlatformDocker, PlatformKubernetes}, platform) {
@@ -113,7 +117,7 @@ func guessLocalEnvironment(dataStore dataservices.DataStore) (*portainer.Endpoin
 		}
 	}
 
-	return nil, "", errors.New("failed to find local environment")
+	return nil, "", ErrNoLocalEnvironment
 }
 
 func checkDockerEnvTypeForUpgrade(environment *portainer.Endpoint) ContainerPlatform {

From 96b1869a0cc74310ef49de148aa6c3c1a9b7a759 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Tue, 11 Feb 2025 20:47:45 -0300
Subject: [PATCH 020/212] fix(swarm): fix the Host field when listing images
 BE-10827 (#352)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
Co-authored-by: LP B <xAt0mZ@users.noreply.github.com>
---
 api/docker/client/client.go                   | 18 +++++++-------
 api/http/handler/docker/images/images_list.go | 24 +++++++++++--------
 2 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/api/docker/client/client.go b/api/docker/client/client.go
index 065a40382..1161c4995 100644
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -3,8 +3,8 @@ package client
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
-	"maps"
 	"net/http"
 	"strings"
 	"time"
@@ -141,7 +141,6 @@ func createAgentClient(endpoint *portainer.Endpoint, endpointURL string, signatu
 
 type NodeNameTransport struct {
 	*http.Transport
-	nodeNames map[string]string
 }
 
 func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -176,18 +175,19 @@ func (t *NodeNameTransport) RoundTrip(req *http.Request) (*http.Response, error)
 		return resp, nil
 	}
 
-	t.nodeNames = make(map[string]string)
-	for _, r := range rs {
-		t.nodeNames[r.ID] = r.Portainer.Agent.NodeName
+	nodeNames, ok := req.Context().Value("nodeNames").(map[string]string)
+	if ok {
+		for idx, r := range rs {
+			// as there is no way to differentiate the same image available in multiple nodes only by their ID
+			// we append the index of the image in the payload response to match the node name later
+			// from the image.Summary[] list returned by docker's client.ImageList()
+			nodeNames[fmt.Sprintf("%s-%d", r.ID, idx)] = r.Portainer.Agent.NodeName
+		}
 	}
 
 	return resp, err
 }
 
-func (t *NodeNameTransport) NodeNames() map[string]string {
-	return maps.Clone(t.nodeNames)
-}
-
 func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Client, error) {
 	transport := &NodeNameTransport{
 		Transport: &http.Transport{},
diff --git a/api/http/handler/docker/images/images_list.go b/api/http/handler/docker/images/images_list.go
index ac7e980a0..eca99d993 100644
--- a/api/http/handler/docker/images/images_list.go
+++ b/api/http/handler/docker/images/images_list.go
@@ -1,10 +1,11 @@
 package images
 
 import (
+	"context"
+	"fmt"
 	"net/http"
 	"strings"
 
-	"github.com/portainer/portainer/api/docker/client"
 	"github.com/portainer/portainer/api/http/handler/docker/utils"
 	"github.com/portainer/portainer/api/set"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -46,17 +47,16 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 		return httpErr
 	}
 
-	images, err := cli.ImageList(r.Context(), image.ListOptions{})
+	nodeNames := make(map[string]string)
+
+	// Pass the node names map to the context so the custom NodeNameTransport can use it
+	ctx := context.WithValue(r.Context(), "nodeNames", nodeNames)
+
+	images, err := cli.ImageList(ctx, image.ListOptions{})
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve Docker images", err)
 	}
 
-	// Extract the node name from the custom transport
-	nodeNames := make(map[string]string)
-	if t, ok := cli.HTTPClient().Transport.(*client.NodeNameTransport); ok {
-		nodeNames = t.NodeNames()
-	}
-
 	withUsage, err := request.RetrieveBooleanQueryParameter(r, "withUsage", true)
 	if err != nil {
 		return httperror.BadRequest("Invalid query parameter: withUsage", err)
@@ -85,8 +85,12 @@ func (handler *Handler) imagesList(w http.ResponseWriter, r *http.Request) *http
 		}
 
 		imagesList[i] = ImageResponse{
-			Created:  image.Created,
-			NodeName: nodeNames[image.ID],
+			Created: image.Created,
+			// Only works if the order of `images` is not changed between unmarshaling the agent's response
+			// in NodeNameTransport.RoundTrip()  (api/docker/client/client.go)
+			// and docker's cli.ImageList()
+			// As both functions unmarshal the same response body, the resulting array will be ordered the same way.
+			NodeName: nodeNames[fmt.Sprintf("%s-%d", image.ID, i)],
 			ID:       image.ID,
 			Size:     image.Size,
 			Tags:     image.RepoTags,

From df8673ba405ce4147574f31e0fcb45c68bf94cb7 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 14 Feb 2025 08:39:02 +1300
Subject: [PATCH 021/212]  version: bump version to 2.27.0-rc3 - develop (#426)

---
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/portainer.go                                 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index d9b9bf036..d1c264094 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.27.0-rc2",
+    "KubectlShellImage": "portainer/kubectl-shell:2.27.0-rc3",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.27.0-rc2\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.27.0-rc3\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/portainer.go b/api/portainer.go
index 9a6d719e8..dd48936ed 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1636,7 +1636,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.27.0-rc2"
+	APIVersion = "2.27.0-rc3"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "LTS"
 	// Edition is what this edition of Portainer is called

From 41c1d8861571fb686e1672eac7aba8d9a91562b7 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Wed, 19 Feb 2025 02:46:39 +0100
Subject: [PATCH 022/212] fix(edge): configure persisted mTLS certificates on
 start-up [BE-11622] (#437)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
Co-authored-by: oscarzhou <oscar.zhou@portainer.io>
Co-authored-by: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
---
 api/filesystem/filesystem.go | 45 +++++++++++++++++++++++++-----------
 api/portainer.go             |  3 ++-
 2 files changed, 34 insertions(+), 14 deletions(-)

diff --git a/api/filesystem/filesystem.go b/api/filesystem/filesystem.go
index df49a2706..43e38b4e7 100644
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -841,11 +841,11 @@ func (service *Service) GetDefaultSSLCertsPath() (string, string) {
 }
 
 func defaultMTLSCertPathUnderFileStore() (string, string, string) {
-	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	caCertPath := JoinPaths(SSLCertPath, MTLSCACertFilename)
+	certPath := JoinPaths(SSLCertPath, MTLSCertFilename)
 	keyPath := JoinPaths(SSLCertPath, MTLSKeyFilename)
 
-	return certPath, caCertPath, keyPath
+	return caCertPath, certPath, keyPath
 }
 
 // GetDefaultChiselPrivateKeyPath returns the chisle private key path
@@ -1014,26 +1014,45 @@ func CreateFile(path string, r io.Reader) error {
 	return err
 }
 
-func (service *Service) StoreMTLSCertificates(cert, caCert, key []byte) (string, string, string, error) {
-	certPath, caCertPath, keyPath := defaultMTLSCertPathUnderFileStore()
+func (service *Service) StoreMTLSCertificates(caCert, cert, key []byte) (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
 
-	r := bytes.NewReader(cert)
-	err := service.createFileInStore(certPath, r)
-	if err != nil {
+	r := bytes.NewReader(caCert)
+	if err := service.createFileInStore(caCertPath, r); err != nil {
 		return "", "", "", err
 	}
 
-	r = bytes.NewReader(caCert)
-	err = service.createFileInStore(caCertPath, r)
-	if err != nil {
+	r = bytes.NewReader(cert)
+	if err := service.createFileInStore(certPath, r); err != nil {
 		return "", "", "", err
 	}
 
 	r = bytes.NewReader(key)
-	err = service.createFileInStore(keyPath, r)
-	if err != nil {
+	if err := service.createFileInStore(keyPath, r); err != nil {
 		return "", "", "", err
 	}
 
-	return service.wrapFileStore(certPath), service.wrapFileStore(caCertPath), service.wrapFileStore(keyPath), nil
+	return service.wrapFileStore(caCertPath), service.wrapFileStore(certPath), service.wrapFileStore(keyPath), nil
+}
+
+func (service *Service) GetMTLSCertificates() (string, string, string, error) {
+	caCertPath, certPath, keyPath := defaultMTLSCertPathUnderFileStore()
+
+	caCertPath = service.wrapFileStore(caCertPath)
+	certPath = service.wrapFileStore(certPath)
+	keyPath = service.wrapFileStore(keyPath)
+
+	paths := [...]string{caCertPath, certPath, keyPath}
+	for _, path := range paths {
+		exists, err := service.FileExists(path)
+		if err != nil {
+			return "", "", "", err
+		}
+
+		if !exists {
+			return "", "", "", fmt.Errorf("file %s does not exist", path)
+		}
+	}
+
+	return caCertPath, certPath, keyPath, nil
 }
diff --git a/api/portainer.go b/api/portainer.go
index dd48936ed..2f9af995f 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1491,7 +1491,8 @@ type (
 		StoreSSLCertPair(cert, key []byte) (string, string, error)
 		CopySSLCertPair(certPath, keyPath string) (string, string, error)
 		CopySSLCACert(caCertPath string) (string, error)
-		StoreMTLSCertificates(cert, caCert, key []byte) (string, string, string, error)
+		StoreMTLSCertificates(caCert, cert, key []byte) (string, string, string, error)
+		GetMTLSCertificates() (string, string, string, error)
 		GetDefaultChiselPrivateKeyPath() string
 		StoreChiselPrivateKey(privateKey []byte) error
 	}

From cf95d91db39045adc83f566b7fe5c0a01632e314 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Wed, 19 Feb 2025 19:25:28 +0100
Subject: [PATCH 023/212] fix(swarm): keep swarm stack stop command attached
 (#444)

---
 api/exec/swarm_stack.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/exec/swarm_stack.go b/api/exec/swarm_stack.go
index 634194d67..b5e13dcc6 100644
--- a/api/exec/swarm_stack.go
+++ b/api/exec/swarm_stack.go
@@ -127,7 +127,7 @@ func (manager *SwarmStackManager) Remove(stack *portainer.Stack, endpoint *porta
 		return err
 	}
 
-	args = append(args, "stack", "rm", stack.Name)
+	args = append(args, "stack", "rm", "--detach=false", stack.Name)
 
 	return runCommandAndCaptureStdErr(command, args, nil, "")
 }

From 1b83542d41eb8f8acbc9c27aea355a31f64c9451 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Thu, 20 Feb 2025 09:42:52 +1300
Subject: [PATCH 024/212] chore: bump version to 2.27.0 - develop (#445)

---
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/http/handler/handler.go                      | 2 +-
 api/portainer.go                                 | 2 +-
 package.json                                     | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index d1c264094..a9ebeffb5 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.27.0-rc3",
+    "KubectlShellImage": "portainer/kubectl-shell:2.27.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.27.0-rc3\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.27.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 4325d9f91..4877e76c7 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.26.0
+// @version 2.27.0
 // @description.markdown api-description.md
 // @termsOfService
 
diff --git a/api/portainer.go b/api/portainer.go
index 2f9af995f..1195737d8 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1637,7 +1637,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.27.0-rc3"
+	APIVersion = "2.27.0"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "LTS"
 	// Edition is what this edition of Portainer is called
diff --git a/package.json b/package.json
index d9a9dcd6d..41d07244e 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.26.0",
+  "version": "2.27.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"

From 5d568a3f3290f3e1b945fc0d9ff103238c14e45a Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Thu, 20 Feb 2025 12:09:26 +1300
Subject: [PATCH 025/212] fix(edge): edge stack pending when yaml file is under
 same root folder of edge configs [BE-11620] (#447)

---
 api/filesystem/serialize_per_dev_configs.go   | 32 ++++---------------
 .../serialize_per_dev_configs_test.go         | 21 ++++++++++++
 2 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/api/filesystem/serialize_per_dev_configs.go b/api/filesystem/serialize_per_dev_configs.go
index c9d02ad0d..55881885a 100644
--- a/api/filesystem/serialize_per_dev_configs.go
+++ b/api/filesystem/serialize_per_dev_configs.go
@@ -44,11 +44,10 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 
 // FilterDirForPerDevConfigs filers the given dirEntries, returns entries for the given device
 // For given configPath A/B/C, return entries:
-//  1. all entries outside of dir A
-//  2. dir entries A, A/B, A/B/C
-//  3. For filterType file:
+//  1. all entries outside of dir A/B/C
+//  2. For filterType file:
 //     file entries: A/B/C/<deviceName> and A/B/C/<deviceName>.*
-//  4. For filterType dir:
+//  3. For filterType dir:
 //     dir entry:   A/B/C/<deviceName>
 //     all entries: A/B/C/<deviceName>/*
 func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) []DirEntry {
@@ -66,12 +65,7 @@ func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath str
 func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
 
 	// Include all entries outside of dir A
-	if !isInConfigRootDir(dirEntry, configPath) {
-		return true
-	}
-
-	// Include dir entries A, A/B, A/B/C
-	if isParentDir(dirEntry, configPath) {
+	if !isInConfigDir(dirEntry, configPath) {
 		return true
 	}
 
@@ -90,21 +84,9 @@ func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filter
 	return false
 }
 
-func isInConfigRootDir(dirEntry DirEntry, configPath string) bool {
-	// get the first element of the configPath
-	rootDir := strings.Split(configPath, string(os.PathSeparator))[0]
-
-	// return true if entry name starts with "A/"
-	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(rootDir))
-}
-
-func isParentDir(dirEntry DirEntry, configPath string) bool {
-	if dirEntry.IsFile {
-		return false
-	}
-
-	// return true for dir entries A, A/B, A/B/C
-	return strings.HasPrefix(appendTailSeparator(configPath), appendTailSeparator(dirEntry.Name))
+func isInConfigDir(dirEntry DirEntry, configPath string) bool {
+	// return true if entry name starts with "A/B"
+	return strings.HasPrefix(dirEntry.Name, appendTailSeparator(configPath))
 }
 
 func shouldIncludeFile(dirEntry DirEntry, deviceName, configPath string) bool {
diff --git a/api/filesystem/serialize_per_dev_configs_test.go b/api/filesystem/serialize_per_dev_configs_test.go
index 6a2a5f33b..55a1a4643 100644
--- a/api/filesystem/serialize_per_dev_configs_test.go
+++ b/api/filesystem/serialize_per_dev_configs_test.go
@@ -90,3 +90,24 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 		})
 	}
 }
+
+func TestIsInConfigDir(t *testing.T) {
+	f := func(dirEntry DirEntry, configPath string, expect bool) {
+		t.Helper()
+
+		actual := isInConfigDir(dirEntry, configPath)
+		assert.Equal(t, expect, actual)
+	}
+
+	f(DirEntry{Name: "edge-configs"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs_backup"}, "edge-configs", false)
+	f(DirEntry{Name: "edge-configs/standalone-edge-agent-standard"}, "edge-configs", true)
+	f(DirEntry{Name: "parent/edge-configs/"}, "edge-configs", false)
+	f(DirEntry{Name: "edgestacktest"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/file1.conf"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgeconfigs-test.yaml"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs"}, "edgestacktest/edge-configs", false)
+	f(DirEntry{Name: "edgestacktest/edge-configs/standalone-edge-agent-async"}, "edgestacktest/edge-configs", true)
+	f(DirEntry{Name: "edgestacktest/edge-configs/abc.txt"}, "edgestacktest/edge-configs", true)
+}

From 9c243cc8dd4427c9158c76414f35b93685a5be96 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 20 Feb 2025 13:38:26 +1300
Subject: [PATCH 026/212] Update bug report template for 2.27.0 (#450)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index e1ab32632..e2eef4f66 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -95,6 +95,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.27.0'
         - '2.26.1'
         - '2.26.0'
         - '2.25.1'
@@ -119,10 +120,6 @@ body:
         - '2.19.2'
         - '2.19.1'
         - '2.19.0'
-        - '2.18.4'
-        - '2.18.3'
-        - '2.18.2'
-        - '2.18.1'
     validations:
       required: true
 

From cc73b7831f13b48fdfbbcd80be11add8a5324bc6 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Tue, 25 Feb 2025 12:55:44 +1300
Subject: [PATCH 027/212] fix: cve-2024-50338 - develop (#461)

---
 binary-version.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/binary-version.json b/binary-version.json
index 914838f53..ff017d023 100644
--- a/binary-version.json
+++ b/binary-version.json
@@ -2,5 +2,5 @@
   "docker": "v27.5.1",
   "helm": "v3.17.0",
   "kubectl": "v1.32.1",
-  "mingit": "2.47.0.1"
+  "mingit": "2.48.1.1"
 }

From dd98097897fc2dbe437aee24642d8f3a77c12194 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Wed, 26 Feb 2025 13:00:25 +1300
Subject: [PATCH 028/212] fix(libstack): miss to read default .env file
 [BE-11638] (#458)

---
 pkg/libstack/compose/composeplugin.go | 22 +++++++++++++++++++---
 1 file changed, 19 insertions(+), 3 deletions(-)

diff --git a/pkg/libstack/compose/composeplugin.go b/pkg/libstack/compose/composeplugin.go
index 3162c6ab7..c83685351 100644
--- a/pkg/libstack/compose/composeplugin.go
+++ b/pkg/libstack/compose/composeplugin.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"maps"
+	"os"
 	"path/filepath"
 	"slices"
 	"strconv"
@@ -87,7 +88,7 @@ func withComposeService(
 			return composeFn(composeService, nil)
 		}
 
-		env, err := parseEnvironment(options)
+		env, err := parseEnvironment(options, filePaths)
 		if err != nil {
 			return err
 		}
@@ -326,7 +327,7 @@ func addServiceLabels(project *types.Project, oneOff bool, edgeStackID portainer
 	}
 }
 
-func parseEnvironment(options libstack.Options) (map[string]string, error) {
+func parseEnvironment(options libstack.Options, filePaths []string) (map[string]string, error) {
 	env := make(map[string]string)
 
 	for _, envLine := range options.Env {
@@ -339,7 +340,22 @@ func parseEnvironment(options libstack.Options) (map[string]string, error) {
 	}
 
 	if options.EnvFilePath == "" {
-		return env, nil
+		if len(filePaths) == 0 {
+			return env, nil
+		}
+
+		defaultDotEnv := filepath.Join(filepath.Dir(filePaths[0]), ".env")
+		s, err := os.Stat(defaultDotEnv)
+		if os.IsNotExist(err) {
+			return env, nil
+		}
+		if err != nil {
+			return env, err
+		}
+		if s.IsDir() {
+			return env, nil
+		}
+		options.EnvFilePath = defaultDotEnv
 	}
 
 	e, err := dotenv.GetEnvFromFile(make(map[string]string), []string{options.EnvFilePath})

From 7759d762abf92ead75994dd7d0d14ce658e43fee Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Wed, 26 Feb 2025 14:13:50 +1300
Subject: [PATCH 029/212] chore(react): Convert cluster details to react CE
 (#466)

---
 app/kubernetes/react/views/index.ts           |   5 +
 app/kubernetes/views/cluster/cluster.html     |  33 ---
 app/kubernetes/views/cluster/cluster.js       |   8 -
 .../views/cluster/clusterController.js        | 139 ------------
 app/react-tools/test-mocks.ts                 |  36 +++
 .../FormControl/FormControl.tsx               |  20 +-
 .../ClusterResourceReservation.test.tsx       | 214 ++++++++++++++++++
 .../ClusterResourceReservation.tsx            |  39 ++++
 .../cluster/ClusterView/ClusterView.tsx       |  33 +++
 .../kubernetes/cluster/ClusterView/index.ts   |   1 +
 .../cluster/ClusterView/queries/index.ts      |   3 +
 .../queries/useClusterResourceLimitsQuery.ts  |  49 ++++
 .../useClusterResourceReservationQuery.ts     |  25 ++
 .../queries/useClusterResourceUsageQuery.ts   |  46 ++++
 .../useClusterResourceReservationData.tsx     |  72 ++++++
 .../cluster/HomeView/nodes.service.ts         |   2 +-
 .../components/ResourceReservation.tsx        | 129 +++++++++++
 .../components/ResourceUsageItem.tsx          |  13 +-
 app/react/kubernetes/metrics/types.ts         |   8 +-
 .../NamespaceResourceReservation.tsx          |  45 ++++
 .../ResourceQuotaFormSection.tsx              |   4 +-
 .../ResourceReservationUsage.tsx              | 150 ------------
 .../useNamespaceResourceReservationData.ts    |  65 ++++++
 app/react/kubernetes/utils.ts                 |  35 +++
 24 files changed, 829 insertions(+), 345 deletions(-)
 delete mode 100644 app/kubernetes/views/cluster/cluster.html
 delete mode 100644 app/kubernetes/views/cluster/cluster.js
 delete mode 100644 app/kubernetes/views/cluster/clusterController.js
 create mode 100644 app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx
 create mode 100644 app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.tsx
 create mode 100644 app/react/kubernetes/cluster/ClusterView/ClusterView.tsx
 create mode 100644 app/react/kubernetes/cluster/ClusterView/index.ts
 create mode 100644 app/react/kubernetes/cluster/ClusterView/queries/index.ts
 create mode 100644 app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceLimitsQuery.ts
 create mode 100644 app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts
 create mode 100644 app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceUsageQuery.ts
 create mode 100644 app/react/kubernetes/cluster/ClusterView/useClusterResourceReservationData.tsx
 create mode 100644 app/react/kubernetes/components/ResourceReservation.tsx
 rename app/react/kubernetes/{namespaces => }/components/ResourceUsageItem.tsx (75%)
 create mode 100644 app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/NamespaceResourceReservation.tsx
 delete mode 100644 app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceReservationUsage.tsx
 create mode 100644 app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/useNamespaceResourceReservationData.ts

diff --git a/app/kubernetes/react/views/index.ts b/app/kubernetes/react/views/index.ts
index a6c440de3..7913f7641 100644
--- a/app/kubernetes/react/views/index.ts
+++ b/app/kubernetes/react/views/index.ts
@@ -22,6 +22,7 @@ import { VolumesView } from '@/react/kubernetes/volumes/ListView/VolumesView';
 import { NamespaceView } from '@/react/kubernetes/namespaces/ItemView/NamespaceView';
 import { AccessView } from '@/react/kubernetes/namespaces/AccessView/AccessView';
 import { JobsView } from '@/react/kubernetes/more-resources/JobsView/JobsView';
+import { ClusterView } from '@/react/kubernetes/cluster/ClusterView';
 
 export const viewsModule = angular
   .module('portainer.kubernetes.react.views', [])
@@ -78,6 +79,10 @@ export const viewsModule = angular
       []
     )
   )
+  .component(
+    'kubernetesClusterView',
+    r2a(withUIRouter(withReactQuery(withCurrentUser(ClusterView))), [])
+  )
   .component(
     'kubernetesConfigureView',
     r2a(withUIRouter(withReactQuery(withCurrentUser(ConfigureView))), [])
diff --git a/app/kubernetes/views/cluster/cluster.html b/app/kubernetes/views/cluster/cluster.html
deleted file mode 100644
index 46acbf931..000000000
--- a/app/kubernetes/views/cluster/cluster.html
+++ /dev/null
@@ -1,33 +0,0 @@
-<page-header ng-if="ctrl.state.viewReady" title="'Cluster'" breadcrumbs="['Cluster information']" reload="true"></page-header>
-
-<kubernetes-view-loading view-ready="ctrl.state.viewReady"></kubernetes-view-loading>
-
-<div ng-if="ctrl.state.viewReady">
-  <div class="row" ng-if="ctrl.isAdmin">
-    <div class="col-sm-12">
-      <rd-widget>
-        <rd-widget-body>
-          <!-- resource-reservation -->
-          <form class="form-horizontal" ng-if="ctrl.resourceReservation">
-            <kubernetes-resource-reservation
-              description="Resource reservation represents the total amount of resource assigned to all the applications inside the cluster."
-              cpu-reservation="ctrl.resourceReservation.CPU"
-              cpu-limit="ctrl.CPULimit"
-              memory-reservation="ctrl.resourceReservation.Memory"
-              memory-limit="ctrl.MemoryLimit"
-              display-usage="ctrl.hasResourceUsageAccess()"
-              cpu-usage="ctrl.resourceUsage.CPU"
-              memory-usage="ctrl.resourceUsage.Memory"
-            >
-            </kubernetes-resource-reservation>
-          </form>
-          <!-- !resource-reservation -->
-        </rd-widget-body>
-      </rd-widget>
-    </div>
-  </div>
-
-  <div class="row">
-    <kube-nodes-datatable></kube-nodes-datatable>
-  </div>
-</div>
diff --git a/app/kubernetes/views/cluster/cluster.js b/app/kubernetes/views/cluster/cluster.js
deleted file mode 100644
index 708076037..000000000
--- a/app/kubernetes/views/cluster/cluster.js
+++ /dev/null
@@ -1,8 +0,0 @@
-angular.module('portainer.kubernetes').component('kubernetesClusterView', {
-  templateUrl: './cluster.html',
-  controller: 'KubernetesClusterController',
-  controllerAs: 'ctrl',
-  bindings: {
-    endpoint: '<',
-  },
-});
diff --git a/app/kubernetes/views/cluster/clusterController.js b/app/kubernetes/views/cluster/clusterController.js
deleted file mode 100644
index b8f6df290..000000000
--- a/app/kubernetes/views/cluster/clusterController.js
+++ /dev/null
@@ -1,139 +0,0 @@
-import angular from 'angular';
-import _ from 'lodash-es';
-import filesizeParser from 'filesize-parser';
-import KubernetesResourceReservationHelper from 'Kubernetes/helpers/resourceReservationHelper';
-import { KubernetesResourceReservation } from 'Kubernetes/models/resource-reservation/models';
-import { getMetricsForAllNodes, getTotalResourcesForAllApplications } from '@/react/kubernetes/metrics/metrics.ts';
-
-class KubernetesClusterController {
-  /* @ngInject */
-  constructor($async, $state, Notifications, LocalStorage, Authentication, KubernetesNodeService, KubernetesApplicationService, KubernetesEndpointService, EndpointService) {
-    this.$async = $async;
-    this.$state = $state;
-    this.Authentication = Authentication;
-    this.Notifications = Notifications;
-    this.LocalStorage = LocalStorage;
-    this.KubernetesNodeService = KubernetesNodeService;
-    this.KubernetesApplicationService = KubernetesApplicationService;
-    this.KubernetesEndpointService = KubernetesEndpointService;
-    this.EndpointService = EndpointService;
-
-    this.onInit = this.onInit.bind(this);
-    this.getNodes = this.getNodes.bind(this);
-    this.getNodesAsync = this.getNodesAsync.bind(this);
-    this.getApplicationsAsync = this.getApplicationsAsync.bind(this);
-    this.getEndpointsAsync = this.getEndpointsAsync.bind(this);
-    this.hasResourceUsageAccess = this.hasResourceUsageAccess.bind(this);
-  }
-
-  async getEndpointsAsync() {
-    try {
-      const endpoints = await this.KubernetesEndpointService.get();
-      const systemEndpoints = _.filter(endpoints, { Namespace: 'kube-system' });
-      this.systemEndpoints = _.filter(systemEndpoints, (ep) => ep.HolderIdentity);
-
-      const kubernetesEndpoint = _.find(endpoints, { Name: 'kubernetes' });
-      if (kubernetesEndpoint && kubernetesEndpoint.Subsets) {
-        const ips = _.flatten(_.map(kubernetesEndpoint.Subsets, 'Ips'));
-        _.forEach(this.nodes, (node) => {
-          node.Api = _.includes(ips, node.IPAddress);
-        });
-      }
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve environments');
-    }
-  }
-
-  getEndpoints() {
-    return this.$async(this.getEndpointsAsync);
-  }
-
-  async getNodesAsync() {
-    try {
-      const nodes = await this.KubernetesNodeService.get();
-      _.forEach(nodes, (node) => (node.Memory = filesizeParser(node.Memory)));
-      this.nodes = nodes;
-      this.CPULimit = _.reduce(this.nodes, (acc, node) => node.CPU + acc, 0);
-      this.CPULimit = Math.round(this.CPULimit * 10000) / 10000;
-      this.MemoryLimit = _.reduce(this.nodes, (acc, node) => KubernetesResourceReservationHelper.megaBytesValue(node.Memory) + acc, 0);
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve nodes');
-    }
-  }
-
-  getNodes() {
-    return this.$async(this.getNodesAsync);
-  }
-
-  async getApplicationsAsync() {
-    try {
-      this.state.applicationsLoading = true;
-
-      const applicationsResources = await getTotalResourcesForAllApplications(this.endpoint.Id);
-      this.resourceReservation = new KubernetesResourceReservation();
-      this.resourceReservation.CPU = Math.round(applicationsResources.CpuRequest / 1000);
-      this.resourceReservation.Memory = KubernetesResourceReservationHelper.megaBytesValue(applicationsResources.MemoryRequest);
-
-      if (this.hasResourceUsageAccess()) {
-        await this.getResourceUsage(this.endpoint.Id);
-      }
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve applications');
-    } finally {
-      this.state.applicationsLoading = false;
-    }
-  }
-
-  getApplications() {
-    return this.$async(this.getApplicationsAsync);
-  }
-
-  async getResourceUsage(endpointId) {
-    try {
-      const nodeMetrics = await getMetricsForAllNodes(endpointId);
-      const resourceUsageList = nodeMetrics.items.map((i) => i.usage);
-      const clusterResourceUsage = resourceUsageList.reduce((total, u) => {
-        total.CPU += KubernetesResourceReservationHelper.parseCPU(u.cpu);
-        total.Memory += KubernetesResourceReservationHelper.megaBytesValue(u.memory);
-        return total;
-      }, new KubernetesResourceReservation());
-      this.resourceUsage = clusterResourceUsage;
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve cluster resource usage');
-    }
-  }
-
-  /**
-   * Check if resource usage stats can be displayed
-   * @returns {boolean}
-   */
-  hasResourceUsageAccess() {
-    return this.isAdmin && this.state.useServerMetrics;
-  }
-
-  async onInit() {
-    this.endpoint = await this.EndpointService.endpoint(this.endpoint.Id);
-    this.isAdmin = this.Authentication.isAdmin();
-    const useServerMetrics = this.endpoint.Kubernetes.Configuration.UseServerMetrics;
-
-    this.state = {
-      applicationsLoading: true,
-      viewReady: false,
-      useServerMetrics,
-    };
-
-    await this.getNodes();
-    if (this.isAdmin) {
-      await Promise.allSettled([this.getEndpoints(), this.getApplicationsAsync()]);
-    }
-
-    this.state.viewReady = true;
-  }
-
-  $onInit() {
-    return this.$async(this.onInit);
-  }
-}
-
-export default KubernetesClusterController;
-angular.module('portainer.kubernetes').controller('KubernetesClusterController', KubernetesClusterController);
diff --git a/app/react-tools/test-mocks.ts b/app/react-tools/test-mocks.ts
index 556d7e4c2..20fe7dee3 100644
--- a/app/react-tools/test-mocks.ts
+++ b/app/react-tools/test-mocks.ts
@@ -1,4 +1,5 @@
 import _ from 'lodash';
+import { QueryObserverResult } from '@tanstack/react-query';
 
 import { Team } from '@/react/portainer/users/teams/types';
 import { Role, User, UserId } from '@/portainer/users/types';
@@ -134,3 +135,38 @@ export function createMockEnvironment(): Environment {
     },
   };
 }
+
+export function createMockQueryResult<TData, TError = unknown>(
+  data: TData,
+  overrides?: Partial<QueryObserverResult<TData, TError>>
+) {
+  const defaultResult = {
+    data,
+    dataUpdatedAt: 0,
+    error: null,
+    errorUpdatedAt: 0,
+    failureCount: 0,
+    errorUpdateCount: 0,
+    failureReason: null,
+    isError: false,
+    isFetched: true,
+    isFetchedAfterMount: true,
+    isFetching: false,
+    isInitialLoading: false,
+    isLoading: false,
+    isLoadingError: false,
+    isPaused: false,
+    isPlaceholderData: false,
+    isPreviousData: false,
+    isRefetchError: false,
+    isRefetching: false,
+    isStale: false,
+    isSuccess: true,
+    refetch: async () => defaultResult,
+    remove: () => {},
+    status: 'success',
+    fetchStatus: 'idle',
+  };
+
+  return { ...defaultResult, ...overrides };
+}
diff --git a/app/react/components/form-components/FormControl/FormControl.tsx b/app/react/components/form-components/FormControl/FormControl.tsx
index 5f4c8727a..7c7151dd6 100644
--- a/app/react/components/form-components/FormControl/FormControl.tsx
+++ b/app/react/components/form-components/FormControl/FormControl.tsx
@@ -1,4 +1,4 @@
-import { ComponentProps, PropsWithChildren, ReactNode } from 'react';
+import { PropsWithChildren, ReactNode } from 'react';
 import clsx from 'clsx';
 
 import { Tooltip } from '@@/Tip/Tooltip';
@@ -10,10 +10,11 @@ export type Size = 'xsmall' | 'small' | 'medium' | 'large' | 'vertical';
 
 export interface Props {
   inputId?: string;
+  dataCy?: string;
   label: ReactNode;
   size?: Size;
-  tooltip?: ComponentProps<typeof Tooltip>['message'];
-  setTooltipHtmlMessage?: ComponentProps<typeof Tooltip>['setHtmlMessage'];
+  tooltip?: ReactNode;
+  setTooltipHtmlMessage?: boolean;
   children: ReactNode;
   errors?: ReactNode;
   required?: boolean;
@@ -24,6 +25,7 @@ export interface Props {
 
 export function FormControl({
   inputId,
+  dataCy,
   label,
   size = 'small',
   tooltip = '',
@@ -42,6 +44,7 @@ export function FormControl({
         'form-group',
         'after:clear-both after:table after:content-[""]' // to fix issues with float
       )}
+      data-cy={dataCy}
     >
       <label
         htmlFor={inputId}
@@ -56,10 +59,15 @@ export function FormControl({
         )}
       </label>
 
-      <div className={sizeClassChildren(size)}>
-        {isLoading && <InlineLoader>{loadingText}</InlineLoader>}
+      <div className={clsx('flex flex-col', sizeClassChildren(size))}>
+        {isLoading && (
+          // 34px height to reduce layout shift when loading is complete
+          <div className="h-[34px] flex items-center">
+            <InlineLoader>{loadingText}</InlineLoader>
+          </div>
+        )}
         {!isLoading && children}
-        {errors && <FormError>{errors}</FormError>}
+        {!!errors && !isLoading && <FormError>{errors}</FormError>}
       </div>
     </div>
   );
diff --git a/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx b/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx
new file mode 100644
index 000000000..ebeecc6c4
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx
@@ -0,0 +1,214 @@
+import { render, screen, within } from '@testing-library/react';
+import { HttpResponse } from 'msw';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { server, http } from '@/setup-tests/server';
+import {
+  createMockEnvironment,
+  createMockQueryResult,
+} from '@/react-tools/test-mocks';
+
+import { ClusterResourceReservation } from './ClusterResourceReservation';
+
+const mockUseAuthorizations = vi.fn();
+const mockUseEnvironmentId = vi.fn(() => 3);
+const mockUseCurrentEnvironment = vi.fn();
+
+// Set up mock implementations for hooks
+vi.mock('@/react/hooks/useUser', () => ({
+  useAuthorizations: () => mockUseAuthorizations(),
+}));
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => mockUseEnvironmentId(),
+}));
+
+vi.mock('@/react/hooks/useCurrentEnvironment', () => ({
+  useCurrentEnvironment: () => mockUseCurrentEnvironment(),
+}));
+
+function renderComponent() {
+  const Wrapped = withTestQueryProvider(ClusterResourceReservation);
+  return render(<Wrapped />);
+}
+
+describe('ClusterResourceReservation', () => {
+  beforeEach(() => {
+    // Set the return values for the hooks
+    mockUseAuthorizations.mockReturnValue({
+      authorized: true,
+      isLoading: false,
+    });
+
+    mockUseEnvironmentId.mockReturnValue(3);
+
+    const mockEnvironment = createMockEnvironment();
+    mockEnvironment.Kubernetes.Configuration.UseServerMetrics = true;
+    mockUseCurrentEnvironment.mockReturnValue(
+      createMockQueryResult(mockEnvironment)
+    );
+
+    // Setup default mock responses
+    server.use(
+      http.get('/api/endpoints/3/kubernetes/api/v1/nodes', () =>
+        HttpResponse.json({
+          items: [
+            {
+              status: {
+                allocatable: {
+                  cpu: '4',
+                  memory: '8Gi',
+                },
+              },
+            },
+          ],
+        })
+      ),
+      http.get('/api/kubernetes/3/metrics/nodes', () =>
+        HttpResponse.json({
+          items: [
+            {
+              usage: {
+                cpu: '2',
+                memory: '4Gi',
+              },
+            },
+          ],
+        })
+      ),
+      http.get('/api/kubernetes/3/metrics/applications_resources', () =>
+        HttpResponse.json({
+          CpuRequest: 1000,
+          MemoryRequest: '2Gi',
+        })
+      )
+    );
+  });
+
+  it('should display resource limits, reservations and usage when all APIs respond successfully', async () => {
+    renderComponent();
+
+    expect(
+      await within(await screen.findByTestId('memory-reservation')).findByText(
+        '2147 / 8589 MB - 25%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('memory-usage')).findByText(
+        '4294 / 8589 MB - 50%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('cpu-reservation')).findByText(
+        '1 / 4 - 25%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('cpu-usage')).findByText(
+        '2 / 4 - 50%'
+      )
+    ).toBeVisible();
+  });
+
+  it('should not display resource usage if user does not have K8sClusterNodeR authorization', async () => {
+    mockUseAuthorizations.mockReturnValue({
+      authorized: false,
+      isLoading: false,
+    });
+
+    renderComponent();
+
+    // Should only show reservation bars
+    expect(
+      await within(await screen.findByTestId('memory-reservation')).findByText(
+        '2147 / 8589 MB - 25%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('cpu-reservation')).findByText(
+        '1 / 4 - 25%'
+      )
+    ).toBeVisible();
+
+    // Usage bars should not be present
+    expect(screen.queryByTestId('memory-usage')).not.toBeInTheDocument();
+    expect(screen.queryByTestId('cpu-usage')).not.toBeInTheDocument();
+  });
+
+  it('should not display resource usage if metrics server is not enabled', async () => {
+    const disabledMetricsEnvironment = createMockEnvironment();
+    disabledMetricsEnvironment.Kubernetes.Configuration.UseServerMetrics =
+      false;
+    mockUseCurrentEnvironment.mockReturnValue(
+      createMockQueryResult(disabledMetricsEnvironment)
+    );
+
+    renderComponent();
+
+    // Should only show reservation bars
+    expect(
+      await within(await screen.findByTestId('memory-reservation')).findByText(
+        '2147 / 8589 MB - 25%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('cpu-reservation')).findByText(
+        '1 / 4 - 25%'
+      )
+    ).toBeVisible();
+
+    // Usage bars should not be present
+    expect(screen.queryByTestId('memory-usage')).not.toBeInTheDocument();
+    expect(screen.queryByTestId('cpu-usage')).not.toBeInTheDocument();
+  });
+
+  it('should display warning if metrics server is enabled but usage query fails', async () => {
+    server.use(
+      http.get('/api/kubernetes/3/metrics/nodes', () => HttpResponse.error())
+    );
+
+    // Mock console.error so test logs are not polluted
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+
+    renderComponent();
+
+    expect(
+      await within(await screen.findByTestId('memory-reservation')).findByText(
+        '2147 / 8589 MB - 25%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('memory-usage')).findByText(
+        '0 / 8589 MB - 0%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('cpu-reservation')).findByText(
+        '1 / 4 - 25%'
+      )
+    ).toBeVisible();
+
+    expect(
+      await within(await screen.findByTestId('cpu-usage')).findByText(
+        '0 / 4 - 0%'
+      )
+    ).toBeVisible();
+
+    // Should show the warning message
+    expect(
+      await screen.findByText(
+        /Resource usage is not currently available as Metrics Server is not responding/
+      )
+    ).toBeVisible();
+
+    // Restore console.error
+    vi.spyOn(console, 'error').mockRestore();
+  });
+});
diff --git a/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.tsx b/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.tsx
new file mode 100644
index 000000000..689ca8154
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.tsx
@@ -0,0 +1,39 @@
+import { Widget, WidgetBody } from '@/react/components/Widget';
+import { ResourceReservation } from '@/react/kubernetes/components/ResourceReservation';
+
+import { useClusterResourceReservationData } from './useClusterResourceReservationData';
+
+export function ClusterResourceReservation() {
+  // Load all data required for this component
+  const {
+    cpuLimit,
+    memoryLimit,
+    isLoading,
+    displayResourceUsage,
+    resourceUsage,
+    resourceReservation,
+    displayWarning,
+  } = useClusterResourceReservationData();
+
+  return (
+    <div className="row">
+      <div className="col-sm-12">
+        <Widget>
+          <WidgetBody>
+            <ResourceReservation
+              isLoading={isLoading}
+              displayResourceUsage={displayResourceUsage}
+              resourceReservation={resourceReservation}
+              resourceUsage={resourceUsage}
+              cpuLimit={cpuLimit}
+              memoryLimit={memoryLimit}
+              description="Resource reservation represents the total amount of resource assigned to all the applications inside the cluster."
+              displayWarning={displayWarning}
+              warningMessage="Resource usage is not currently available as Metrics Server is not responding. If you've recently upgraded, Metrics Server may take a while to restart, so please check back shortly."
+            />
+          </WidgetBody>
+        </Widget>
+      </div>
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/cluster/ClusterView/ClusterView.tsx b/app/react/kubernetes/cluster/ClusterView/ClusterView.tsx
new file mode 100644
index 000000000..57cd3ca4f
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/ClusterView.tsx
@@ -0,0 +1,33 @@
+import { useCurrentEnvironment } from '@/react/hooks/useCurrentEnvironment';
+import { PageHeader } from '@/react/components/PageHeader';
+import { NodesDatatable } from '@/react/kubernetes/cluster/HomeView/NodesDatatable';
+
+import { ClusterResourceReservation } from './ClusterResourceReservation';
+
+export function ClusterView() {
+  const { data: environment } = useCurrentEnvironment();
+
+  return (
+    <>
+      <PageHeader
+        title="Cluster"
+        breadcrumbs={[
+          { label: 'Environments', link: 'portainer.endpoints' },
+          {
+            label: environment?.Name || '',
+            link: 'portainer.endpoints.endpoint',
+            linkParams: { id: environment?.Id },
+          },
+          'Cluster information',
+        ]}
+        reload
+      />
+
+      <ClusterResourceReservation />
+
+      <div className="row">
+        <NodesDatatable />
+      </div>
+    </>
+  );
+}
diff --git a/app/react/kubernetes/cluster/ClusterView/index.ts b/app/react/kubernetes/cluster/ClusterView/index.ts
new file mode 100644
index 000000000..d9b624cc4
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/index.ts
@@ -0,0 +1 @@
+export { ClusterView } from './ClusterView';
diff --git a/app/react/kubernetes/cluster/ClusterView/queries/index.ts b/app/react/kubernetes/cluster/ClusterView/queries/index.ts
new file mode 100644
index 000000000..f4d86933b
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/queries/index.ts
@@ -0,0 +1,3 @@
+export * from './useClusterResourceLimitsQuery';
+export * from './useClusterResourceReservationQuery';
+export * from './useClusterResourceUsageQuery';
diff --git a/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceLimitsQuery.ts b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceLimitsQuery.ts
new file mode 100644
index 000000000..795ab595e
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceLimitsQuery.ts
@@ -0,0 +1,49 @@
+import { round, reduce } from 'lodash';
+import filesizeParser from 'filesize-parser';
+import { useQuery } from '@tanstack/react-query';
+import { Node } from 'kubernetes-types/core/v1';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { withGlobalError } from '@/react-tools/react-query';
+import KubernetesResourceReservationHelper from '@/kubernetes/helpers/resourceReservationHelper';
+import { parseCpu } from '@/react/kubernetes/utils';
+import { getNodes } from '@/react/kubernetes/cluster/HomeView/nodes.service';
+
+export function useClusterResourceLimitsQuery(environmentId: EnvironmentId) {
+  return useQuery(
+    [environmentId, 'clusterResourceLimits'],
+    async () => getNodes(environmentId),
+    {
+      ...withGlobalError('Unable to retrieve resource limit data', 'Failure'),
+      enabled: !!environmentId,
+      select: aggregateResourceLimits,
+    }
+  );
+}
+
+/**
+ * Processes node data to calculate total CPU and memory limits for the cluster
+ * and sets the state for memory limit in MB and CPU limit rounded to 3 decimal places.
+ */
+function aggregateResourceLimits(nodes: Node[]) {
+  const processedNodes = nodes.map((node) => ({
+    ...node,
+    memory: filesizeParser(node.status?.allocatable?.memory ?? ''),
+    cpu: parseCpu(node.status?.allocatable?.cpu ?? ''),
+  }));
+
+  return {
+    nodes: processedNodes,
+    memoryLimit: reduce(
+      processedNodes,
+      (acc, node) =>
+        KubernetesResourceReservationHelper.megaBytesValue(node.memory || 0) +
+        acc,
+      0
+    ),
+    cpuLimit: round(
+      reduce(processedNodes, (acc, node) => (node.cpu || 0) + acc, 0),
+      3
+    ),
+  };
+}
diff --git a/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts
new file mode 100644
index 000000000..50c68fd7d
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts
@@ -0,0 +1,25 @@
+import { useQuery } from '@tanstack/react-query';
+import { Node } from 'kubernetes-types/core/v1';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { getTotalResourcesForAllApplications } from '@/react/kubernetes/metrics/metrics';
+import KubernetesResourceReservationHelper from '@/kubernetes/helpers/resourceReservationHelper';
+
+export function useClusterResourceReservationQuery(
+  environmentId: EnvironmentId,
+  nodes: Node[]
+) {
+  return useQuery(
+    [environmentId, 'clusterResourceReservation'],
+    () => getTotalResourcesForAllApplications(environmentId),
+    {
+      enabled: !!environmentId && nodes.length > 0,
+      select: (data) => ({
+        cpu: data.CpuRequest / 1000,
+        memory: KubernetesResourceReservationHelper.megaBytesValue(
+          data.MemoryRequest
+        ),
+      }),
+    }
+  );
+}
diff --git a/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceUsageQuery.ts b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceUsageQuery.ts
new file mode 100644
index 000000000..a1e65b065
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceUsageQuery.ts
@@ -0,0 +1,46 @@
+import { useQuery } from '@tanstack/react-query';
+import { Node } from 'kubernetes-types/core/v1';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { getMetricsForAllNodes } from '@/react/kubernetes/metrics/metrics';
+import KubernetesResourceReservationHelper from '@/kubernetes/helpers/resourceReservationHelper';
+import { withGlobalError } from '@/react-tools/react-query';
+import { NodeMetrics } from '@/react/kubernetes/metrics/types';
+
+export function useClusterResourceUsageQuery(
+  environmentId: EnvironmentId,
+  serverMetricsEnabled: boolean,
+  authorized: boolean,
+  nodes: Node[]
+) {
+  return useQuery(
+    [environmentId, 'clusterResourceUsage'],
+    () => getMetricsForAllNodes(environmentId),
+    {
+      enabled:
+        authorized &&
+        serverMetricsEnabled &&
+        !!environmentId &&
+        nodes.length > 0,
+      select: aggregateResourceUsage,
+      ...withGlobalError('Unable to retrieve resource usage data.', 'Failure'),
+    }
+  );
+}
+
+function aggregateResourceUsage(data: NodeMetrics) {
+  return data.items.reduce(
+    (total, item) => ({
+      cpu:
+        total.cpu +
+        KubernetesResourceReservationHelper.parseCPU(item.usage.cpu),
+      memory:
+        total.memory +
+        KubernetesResourceReservationHelper.megaBytesValue(item.usage.memory),
+    }),
+    {
+      cpu: 0,
+      memory: 0,
+    }
+  );
+}
diff --git a/app/react/kubernetes/cluster/ClusterView/useClusterResourceReservationData.tsx b/app/react/kubernetes/cluster/ClusterView/useClusterResourceReservationData.tsx
new file mode 100644
index 000000000..276c7ff8a
--- /dev/null
+++ b/app/react/kubernetes/cluster/ClusterView/useClusterResourceReservationData.tsx
@@ -0,0 +1,72 @@
+import { useAuthorizations } from '@/react/hooks/useUser';
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+import { getSafeValue } from '@/react/kubernetes/utils';
+import { useCurrentEnvironment } from '@/react/hooks/useCurrentEnvironment';
+
+import {
+  useClusterResourceLimitsQuery,
+  useClusterResourceReservationQuery,
+  useClusterResourceUsageQuery,
+} from './queries';
+
+export function useClusterResourceReservationData() {
+  const { data: environment } = useCurrentEnvironment();
+  const environmentId = useEnvironmentId();
+
+  // Check if server metrics is enabled
+  const serverMetricsEnabled =
+    environment?.Kubernetes?.Configuration?.UseServerMetrics || false;
+
+  // User needs to have K8sClusterNodeR authorization to view resource usage data
+  const { authorized: hasK8sClusterNodeR } = useAuthorizations(
+    ['K8sClusterNodeR'],
+    undefined,
+    true
+  );
+
+  // Get resource limits for the cluster
+  const { data: resourceLimits, isLoading: isResourceLimitLoading } =
+    useClusterResourceLimitsQuery(environmentId);
+
+  // Get resource reservation info for the cluster
+  const {
+    data: resourceReservation,
+    isFetching: isResourceReservationLoading,
+  } = useClusterResourceReservationQuery(
+    environmentId,
+    resourceLimits?.nodes || []
+  );
+
+  // Get resource usage info for the cluster
+  const {
+    data: resourceUsage,
+    isFetching: isResourceUsageLoading,
+    isError: isResourceUsageError,
+  } = useClusterResourceUsageQuery(
+    environmentId,
+    serverMetricsEnabled,
+    hasK8sClusterNodeR,
+    resourceLimits?.nodes || []
+  );
+
+  return {
+    memoryLimit: getSafeValue(resourceLimits?.memoryLimit || 0),
+    cpuLimit: getSafeValue(resourceLimits?.cpuLimit || 0),
+    displayResourceUsage: hasK8sClusterNodeR && serverMetricsEnabled,
+    resourceUsage: {
+      cpu: getSafeValue(resourceUsage?.cpu || 0),
+      memory: getSafeValue(resourceUsage?.memory || 0),
+    },
+    resourceReservation: {
+      cpu: getSafeValue(resourceReservation?.cpu || 0),
+      memory: getSafeValue(resourceReservation?.memory || 0),
+    },
+    isLoading:
+      isResourceLimitLoading ||
+      isResourceReservationLoading ||
+      isResourceUsageLoading,
+    // Display warning if server metrics isn't responding but should be
+    displayWarning:
+      hasK8sClusterNodeR && serverMetricsEnabled && isResourceUsageError,
+  };
+}
diff --git a/app/react/kubernetes/cluster/HomeView/nodes.service.ts b/app/react/kubernetes/cluster/HomeView/nodes.service.ts
index fdbd670c4..9afc5ed7f 100644
--- a/app/react/kubernetes/cluster/HomeView/nodes.service.ts
+++ b/app/react/kubernetes/cluster/HomeView/nodes.service.ts
@@ -45,7 +45,7 @@ export function useNodeQuery(environmentId: EnvironmentId, nodeName: string) {
 }
 
 // getNodes is used to get a list of nodes using the kubernetes API
-async function getNodes(environmentId: EnvironmentId) {
+export async function getNodes(environmentId: EnvironmentId) {
   try {
     const { data: nodeList } = await axios.get<NodeList>(
       `/endpoints/${environmentId}/kubernetes/api/v1/nodes`
diff --git a/app/react/kubernetes/components/ResourceReservation.tsx b/app/react/kubernetes/components/ResourceReservation.tsx
new file mode 100644
index 000000000..016eb3ea2
--- /dev/null
+++ b/app/react/kubernetes/components/ResourceReservation.tsx
@@ -0,0 +1,129 @@
+import { round } from 'lodash';
+import { AlertTriangle } from 'lucide-react';
+
+import { FormSectionTitle } from '@/react/components/form-components/FormSectionTitle';
+import { TextTip } from '@/react/components/Tip/TextTip';
+import { ResourceUsageItem } from '@/react/kubernetes/components/ResourceUsageItem';
+import { getPercentageString, getSafeValue } from '@/react/kubernetes/utils';
+
+import { Icon } from '@@/Icon';
+
+interface ResourceMetrics {
+  cpu: number;
+  memory: number;
+}
+
+interface Props {
+  displayResourceUsage: boolean;
+  resourceReservation: ResourceMetrics;
+  resourceUsage: ResourceMetrics;
+  cpuLimit: number;
+  memoryLimit: number;
+  description: string;
+  isLoading?: boolean;
+  title?: string;
+  displayWarning?: boolean;
+  warningMessage?: string;
+}
+
+export function ResourceReservation({
+  displayResourceUsage,
+  resourceReservation,
+  resourceUsage,
+  cpuLimit,
+  memoryLimit,
+  description,
+  title = 'Resource reservation',
+  isLoading = false,
+  displayWarning = false,
+  warningMessage = '',
+}: Props) {
+  const memoryReservationAnnotation = `${getSafeValue(
+    resourceReservation.memory
+  )} / ${memoryLimit} MB ${getPercentageString(
+    resourceReservation.memory,
+    memoryLimit
+  )}`;
+
+  const memoryUsageAnnotation = `${getSafeValue(
+    resourceUsage.memory
+  )} / ${memoryLimit} MB ${getPercentageString(
+    resourceUsage.memory,
+    memoryLimit
+  )}`;
+
+  const cpuReservationAnnotation = `${round(
+    getSafeValue(resourceReservation.cpu),
+    2
+  )} / ${round(getSafeValue(cpuLimit), 2)} ${getPercentageString(
+    resourceReservation.cpu,
+    cpuLimit
+  )}`;
+
+  const cpuUsageAnnotation = `${round(
+    getSafeValue(resourceUsage.cpu),
+    2
+  )} / ${round(getSafeValue(cpuLimit), 2)} ${getPercentageString(
+    resourceUsage.cpu,
+    cpuLimit
+  )}`;
+
+  return (
+    <>
+      <FormSectionTitle>{title}</FormSectionTitle>
+      <TextTip color="blue" className="mb-2">
+        {description}
+      </TextTip>
+      <div className="form-horizontal">
+        {memoryLimit > 0 && (
+          <ResourceUsageItem
+            value={resourceReservation.memory}
+            total={memoryLimit}
+            label="Memory reservation"
+            annotation={memoryReservationAnnotation}
+            isLoading={isLoading}
+            dataCy="memory-reservation"
+          />
+        )}
+        {displayResourceUsage && memoryLimit > 0 && (
+          <ResourceUsageItem
+            value={resourceUsage.memory}
+            total={memoryLimit}
+            label="Memory usage"
+            annotation={memoryUsageAnnotation}
+            isLoading={isLoading}
+            dataCy="memory-usage"
+          />
+        )}
+        {cpuLimit > 0 && (
+          <ResourceUsageItem
+            value={resourceReservation.cpu}
+            total={cpuLimit}
+            label="CPU reservation"
+            annotation={cpuReservationAnnotation}
+            isLoading={isLoading}
+            dataCy="cpu-reservation"
+          />
+        )}
+        {displayResourceUsage && cpuLimit > 0 && (
+          <ResourceUsageItem
+            value={resourceUsage.cpu}
+            total={cpuLimit}
+            label="CPU usage"
+            annotation={cpuUsageAnnotation}
+            isLoading={isLoading}
+            dataCy="cpu-usage"
+          />
+        )}
+        {displayWarning && (
+          <div className="form-group">
+            <span className="col-sm-12 text-warning small vertical-center">
+              <Icon icon={AlertTriangle} mode="warning" />
+              {warningMessage}
+            </span>
+          </div>
+        )}
+      </div>
+    </>
+  );
+}
diff --git a/app/react/kubernetes/namespaces/components/ResourceUsageItem.tsx b/app/react/kubernetes/components/ResourceUsageItem.tsx
similarity index 75%
rename from app/react/kubernetes/namespaces/components/ResourceUsageItem.tsx
rename to app/react/kubernetes/components/ResourceUsageItem.tsx
index 647464ba9..5dcea701d 100644
--- a/app/react/kubernetes/namespaces/components/ResourceUsageItem.tsx
+++ b/app/react/kubernetes/components/ResourceUsageItem.tsx
@@ -1,11 +1,13 @@
-import { ProgressBar } from '@@/ProgressBar';
 import { FormControl } from '@@/form-components/FormControl';
+import { ProgressBar } from '@@/ProgressBar';
 
 interface ResourceUsageItemProps {
   value: number;
   total: number;
   annotation?: React.ReactNode;
   label: string;
+  isLoading?: boolean;
+  dataCy?: string;
 }
 
 export function ResourceUsageItem({
@@ -13,9 +15,16 @@ export function ResourceUsageItem({
   total,
   annotation,
   label,
+  isLoading = false,
+  dataCy,
 }: ResourceUsageItemProps) {
   return (
-    <FormControl label={label}>
+    <FormControl
+      label={label}
+      isLoading={isLoading}
+      className={isLoading ? 'mb-1.5' : ''}
+      dataCy={dataCy}
+    >
       <div className="flex items-center gap-2 mt-1">
         <ProgressBar
           steps={[
diff --git a/app/react/kubernetes/metrics/types.ts b/app/react/kubernetes/metrics/types.ts
index fa7118b8c..601944b87 100644
--- a/app/react/kubernetes/metrics/types.ts
+++ b/app/react/kubernetes/metrics/types.ts
@@ -37,8 +37,8 @@ export type Usage = {
 };
 
 export type ApplicationResource = {
-  cpuRequest: number;
-  cpuLimit: number;
-  memoryRequest: number;
-  memoryLimit: number;
+  CpuRequest: number;
+  CpuLimit: number;
+  MemoryRequest: number;
+  MemoryLimit: number;
 };
diff --git a/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/NamespaceResourceReservation.tsx b/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/NamespaceResourceReservation.tsx
new file mode 100644
index 000000000..d4e97f06e
--- /dev/null
+++ b/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/NamespaceResourceReservation.tsx
@@ -0,0 +1,45 @@
+import { ResourceReservation } from '@/react/kubernetes/components/ResourceReservation';
+
+import { ResourceQuotaFormValues } from './types';
+import { useNamespaceResourceReservationData } from './useNamespaceResourceReservationData';
+
+interface Props {
+  namespaceName: string;
+  environmentId: number;
+  resourceQuotaValues: ResourceQuotaFormValues;
+}
+
+export function NamespaceResourceReservation({
+  environmentId,
+  namespaceName,
+  resourceQuotaValues,
+}: Props) {
+  const {
+    cpuLimit,
+    memoryLimit,
+    displayResourceUsage,
+    resourceUsage,
+    resourceReservation,
+    isLoading,
+  } = useNamespaceResourceReservationData(
+    environmentId,
+    namespaceName,
+    resourceQuotaValues
+  );
+
+  if (!resourceQuotaValues.enabled) {
+    return null;
+  }
+
+  return (
+    <ResourceReservation
+      displayResourceUsage={displayResourceUsage}
+      resourceReservation={resourceReservation}
+      resourceUsage={resourceUsage}
+      cpuLimit={cpuLimit}
+      memoryLimit={memoryLimit}
+      description="Resource reservation represents the total amount of resource assigned to all the applications deployed inside this namespace."
+      isLoading={isLoading}
+    />
+  );
+}
diff --git a/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceQuotaFormSection.tsx b/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceQuotaFormSection.tsx
index f3412aaba..eceb5a062 100644
--- a/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceQuotaFormSection.tsx
+++ b/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceQuotaFormSection.tsx
@@ -13,8 +13,8 @@ import { SliderWithInput } from '@@/form-components/Slider/SliderWithInput';
 
 import { useClusterResourceLimitsQuery } from '../../../queries/useResourceLimitsQuery';
 
-import { ResourceReservationUsage } from './ResourceReservationUsage';
 import { ResourceQuotaFormValues } from './types';
+import { NamespaceResourceReservation } from './NamespaceResourceReservation';
 
 interface Props {
   values: ResourceQuotaFormValues;
@@ -128,7 +128,7 @@ export function ResourceQuotaFormSection({
         </div>
       )}
       {namespaceName && isEdit && (
-        <ResourceReservationUsage
+        <NamespaceResourceReservation
           namespaceName={namespaceName}
           environmentId={environmentId}
           resourceQuotaValues={values}
diff --git a/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceReservationUsage.tsx b/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceReservationUsage.tsx
deleted file mode 100644
index adbe920d6..000000000
--- a/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/ResourceReservationUsage.tsx
+++ /dev/null
@@ -1,150 +0,0 @@
-import { round } from 'lodash';
-
-import { EnvironmentId } from '@/react/portainer/environments/types';
-import { useMetricsForNamespace } from '@/react/kubernetes/metrics/queries/useMetricsForNamespace';
-import { PodMetrics } from '@/react/kubernetes/metrics/types';
-
-import { TextTip } from '@@/Tip/TextTip';
-import { FormSectionTitle } from '@@/form-components/FormSectionTitle';
-
-import { megaBytesValue, parseCPU } from '../../../resourceQuotaUtils';
-import { ResourceUsageItem } from '../../ResourceUsageItem';
-
-import { useResourceQuotaUsed } from './useResourceQuotaUsed';
-import { ResourceQuotaFormValues } from './types';
-
-export function ResourceReservationUsage({
-  namespaceName,
-  environmentId,
-  resourceQuotaValues,
-}: {
-  namespaceName: string;
-  environmentId: EnvironmentId;
-  resourceQuotaValues: ResourceQuotaFormValues;
-}) {
-  const namespaceMetricsQuery = useMetricsForNamespace(
-    environmentId,
-    namespaceName,
-    {
-      select: aggregatePodUsage,
-    }
-  );
-  const usedResourceQuotaQuery = useResourceQuotaUsed(
-    environmentId,
-    namespaceName
-  );
-  const { data: namespaceMetrics } = namespaceMetricsQuery;
-  const { data: usedResourceQuota } = usedResourceQuotaQuery;
-
-  const memoryQuota = Number(resourceQuotaValues.memory) ?? 0;
-  const cpuQuota = Number(resourceQuotaValues.cpu) ?? 0;
-
-  if (!resourceQuotaValues.enabled) {
-    return null;
-  }
-  return (
-    <>
-      <FormSectionTitle>Resource reservation</FormSectionTitle>
-      <TextTip color="blue" className="mb-2">
-        Resource reservation represents the total amount of resource assigned to
-        all the applications deployed inside this namespace.
-      </TextTip>
-      {!!usedResourceQuota && memoryQuota > 0 && (
-        <ResourceUsageItem
-          value={usedResourceQuota.memory}
-          total={getSafeValue(memoryQuota)}
-          label="Memory reservation"
-          annotation={`${usedResourceQuota.memory} / ${getSafeValue(
-            memoryQuota
-          )} MB ${getPercentageString(usedResourceQuota.memory, memoryQuota)}`}
-        />
-      )}
-      {!!namespaceMetrics && memoryQuota > 0 && (
-        <ResourceUsageItem
-          value={namespaceMetrics.memory}
-          total={getSafeValue(memoryQuota)}
-          label="Memory used"
-          annotation={`${namespaceMetrics.memory} / ${getSafeValue(
-            memoryQuota
-          )} MB ${getPercentageString(namespaceMetrics.memory, memoryQuota)}`}
-        />
-      )}
-      {!!usedResourceQuota && cpuQuota > 0 && (
-        <ResourceUsageItem
-          value={usedResourceQuota.cpu}
-          total={cpuQuota}
-          label="CPU reservation"
-          annotation={`${
-            usedResourceQuota.cpu
-          } / ${cpuQuota} ${getPercentageString(
-            usedResourceQuota.cpu,
-            cpuQuota
-          )}`}
-        />
-      )}
-      {!!namespaceMetrics && cpuQuota > 0 && (
-        <ResourceUsageItem
-          value={namespaceMetrics.cpu}
-          total={cpuQuota}
-          label="CPU used"
-          annotation={`${
-            namespaceMetrics.cpu
-          } / ${cpuQuota} ${getPercentageString(
-            namespaceMetrics.cpu,
-            cpuQuota
-          )}`}
-        />
-      )}
-    </>
-  );
-}
-
-function getSafeValue(value: number | string) {
-  const valueNumber = Number(value);
-  if (Number.isNaN(valueNumber)) {
-    return 0;
-  }
-  return valueNumber;
-}
-
-/**
- * Returns the percentage of the value over the total.
- * @param value - The value to calculate the percentage for.
- * @param total - The total value to compare the percentage to.
- * @returns The percentage of the value over the total, with the '- ' string prefixed, for example '- 50%'.
- */
-function getPercentageString(value: number, total?: number | string) {
-  const totalNumber = Number(total);
-  if (
-    totalNumber === 0 ||
-    total === undefined ||
-    total === '' ||
-    Number.isNaN(totalNumber)
-  ) {
-    return '';
-  }
-  if (value > totalNumber) {
-    return '- Exceeded';
-  }
-  return `- ${Math.round((value / totalNumber) * 100)}%`;
-}
-
-/**
- * Aggregates the resource usage of all the containers in the namespace.
- * @param podMetricsList - List of pod metrics
- * @returns Aggregated resource usage. CPU cores are rounded to 3 decimal places. Memory is in MB.
- */
-function aggregatePodUsage(podMetricsList: PodMetrics) {
-  const containerResourceUsageList = podMetricsList.items.flatMap((i) =>
-    i.containers.map((c) => c.usage)
-  );
-  const namespaceResourceUsage = containerResourceUsageList.reduce(
-    (total, usage) => ({
-      cpu: total.cpu + parseCPU(usage.cpu),
-      memory: total.memory + megaBytesValue(usage.memory),
-    }),
-    { cpu: 0, memory: 0 }
-  );
-  namespaceResourceUsage.cpu = round(namespaceResourceUsage.cpu, 3);
-  return namespaceResourceUsage;
-}
diff --git a/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/useNamespaceResourceReservationData.ts b/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/useNamespaceResourceReservationData.ts
new file mode 100644
index 000000000..cdf269d49
--- /dev/null
+++ b/app/react/kubernetes/namespaces/components/NamespaceForm/ResourceQuotaFormSection/useNamespaceResourceReservationData.ts
@@ -0,0 +1,65 @@
+import { round } from 'lodash';
+
+import { getSafeValue } from '@/react/kubernetes/utils';
+import { PodMetrics } from '@/react/kubernetes/metrics/types';
+import { useMetricsForNamespace } from '@/react/kubernetes/metrics/queries/useMetricsForNamespace';
+import {
+  megaBytesValue,
+  parseCPU,
+} from '@/react/kubernetes/namespaces/resourceQuotaUtils';
+
+import { useResourceQuotaUsed } from './useResourceQuotaUsed';
+import { ResourceQuotaFormValues } from './types';
+
+export function useNamespaceResourceReservationData(
+  environmentId: number,
+  namespaceName: string,
+  resourceQuotaValues: ResourceQuotaFormValues
+) {
+  const { data: quota, isLoading: isQuotaLoading } = useResourceQuotaUsed(
+    environmentId,
+    namespaceName
+  );
+  const { data: metrics, isLoading: isMetricsLoading } = useMetricsForNamespace(
+    environmentId,
+    namespaceName,
+    {
+      select: aggregatePodUsage,
+    }
+  );
+
+  return {
+    cpuLimit: Number(resourceQuotaValues.cpu) || 0,
+    memoryLimit: Number(resourceQuotaValues.memory) || 0,
+    displayResourceUsage: !!metrics,
+    resourceReservation: {
+      cpu: getSafeValue(quota?.cpu || 0),
+      memory: getSafeValue(quota?.memory || 0),
+    },
+    resourceUsage: {
+      cpu: getSafeValue(metrics?.cpu || 0),
+      memory: getSafeValue(metrics?.memory || 0),
+    },
+    isLoading: isQuotaLoading || isMetricsLoading,
+  };
+}
+
+/**
+ * Aggregates the resource usage of all the containers in the namespace.
+ * @param podMetricsList - List of pod metrics
+ * @returns Aggregated resource usage. CPU cores are rounded to 3 decimal places. Memory is in MB.
+ */
+function aggregatePodUsage(podMetricsList: PodMetrics) {
+  const containerResourceUsageList = podMetricsList.items.flatMap((i) =>
+    i.containers.map((c) => c.usage)
+  );
+  const namespaceResourceUsage = containerResourceUsageList.reduce(
+    (total, usage) => ({
+      cpu: total.cpu + parseCPU(usage.cpu),
+      memory: total.memory + megaBytesValue(usage.memory),
+    }),
+    { cpu: 0, memory: 0 }
+  );
+  namespaceResourceUsage.cpu = round(namespaceResourceUsage.cpu, 3);
+  return namespaceResourceUsage;
+}
diff --git a/app/react/kubernetes/utils.ts b/app/react/kubernetes/utils.ts
index 644debad0..e8dc7c9a6 100644
--- a/app/react/kubernetes/utils.ts
+++ b/app/react/kubernetes/utils.ts
@@ -20,3 +20,38 @@ export function prepareAnnotations(annotations?: Annotation[]) {
   );
   return result;
 }
+
+/**
+ * Returns the safe value of the given number or string.
+ * @param value - The value to get the safe value for.
+ * @returns The safe value of the given number or string.
+ */
+export function getSafeValue(value: number | string) {
+  const valueNumber = Number(value);
+  if (Number.isNaN(valueNumber)) {
+    return 0;
+  }
+  return valueNumber;
+}
+
+/**
+ * Returns the percentage of the value over the total.
+ * @param value - The value to calculate the percentage for.
+ * @param total - The total value to compare the percentage to.
+ * @returns The percentage of the value over the total, with the '- ' string prefixed, for example '- 50%'.
+ */
+export function getPercentageString(value: number, total?: number | string) {
+  const totalNumber = Number(total);
+  if (
+    totalNumber === 0 ||
+    total === undefined ||
+    total === '' ||
+    Number.isNaN(totalNumber)
+  ) {
+    return '';
+  }
+  if (value > totalNumber) {
+    return '- Exceeded';
+  }
+  return `- ${Math.round((value / totalNumber) * 100)}%`;
+}

From a554a8c49f1a9acfff0219a4e523103dc68f19c5 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <anthony.lapenna@portainer.io>
Date: Wed, 26 Feb 2025 16:10:02 +1300
Subject: [PATCH 030/212] api: remove server-ce swagger.json (#467)

---
 api/swagger.yaml | 6114 ----------------------------------------------
 1 file changed, 6114 deletions(-)
 delete mode 100644 api/swagger.yaml

diff --git a/api/swagger.yaml b/api/swagger.yaml
deleted file mode 100644
index e5d6eabea..000000000
--- a/api/swagger.yaml
+++ /dev/null
@@ -1,6114 +0,0 @@
-basePath: /api
-definitions:
-  auth.authenticatePayload:
-    properties:
-      password:
-        description: Password
-        example: mypassword
-        type: string
-      username:
-        description: Username
-        example: admin
-        type: string
-    required:
-      - password
-      - username
-    type: object
-  auth.authenticateResponse:
-    properties:
-      jwt:
-        description: JWT token used to authenticate against the API
-        example: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzAB
-        type: string
-    type: object
-  auth.oauthPayload:
-    properties:
-      code:
-        description: OAuth code returned from OAuth Provided
-        type: string
-    type: object
-  customtemplates.customTemplateFromFileContentPayload:
-    properties:
-      description:
-        description: Description of the template
-        example: High performance web server
-        type: string
-      fileContent:
-        description: Content of stack file
-        type: string
-      logo:
-        description: URL of the template's logo
-        example: https://cloudinovasi.id/assets/img/logos/nginx.png
-        type: string
-      note:
-        description: A note that will be displayed in the UI. Supports HTML content
-        example: This is my <b>custom</b> template
-        type: string
-      platform:
-        description: |-
-          Platform associated to the template.
-          Valid values are: 1 - 'linux', 2 - 'windows'
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-      title:
-        description: Title of the template
-        example: Nginx
-        type: string
-      type:
-        description: Type of created stack (1 - swarm, 2 - compose)
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-    required:
-      - description
-      - fileContent
-      - platform
-      - title
-      - type
-    type: object
-  customtemplates.customTemplateFromGitRepositoryPayload:
-    properties:
-      composeFilePathInRepository:
-        default: docker-compose.yml
-        description: Path to the Stack file inside the Git repository
-        example: docker-compose.yml
-        type: string
-      description:
-        description: Description of the template
-        example: High performance web server
-        type: string
-      logo:
-        description: URL of the template's logo
-        example: https://cloudinovasi.id/assets/img/logos/nginx.png
-        type: string
-      note:
-        description: A note that will be displayed in the UI. Supports HTML content
-        example: This is my <b>custom</b> template
-        type: string
-      platform:
-        description: |-
-          Platform associated to the template.
-          Valid values are: 1 - 'linux', 2 - 'windows'
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-      repositoryAuthentication:
-        description: Use basic authentication to clone the Git repository
-        example: true
-        type: boolean
-      repositoryPassword:
-        description: Password used in basic authentication. Required when RepositoryAuthentication
-          is true.
-        example: myGitPassword
-        type: string
-      repositoryReferenceName:
-        description: Reference name of a Git repository hosting the Stack file
-        example: refs/heads/master
-        type: string
-      repositoryURL:
-        description: URL of a Git repository hosting the Stack file
-        example: https://github.com/openfaas/faas
-        type: string
-      repositoryUsername:
-        description: Username used in basic authentication. Required when RepositoryAuthentication
-          is true.
-        example: myGitUsername
-        type: string
-      title:
-        description: Title of the template
-        example: Nginx
-        type: string
-      type:
-        description: Type of created stack (1 - swarm, 2 - compose)
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-    required:
-      - description
-      - platform
-      - repositoryURL
-      - title
-      - type
-    type: object
-  customtemplates.customTemplateUpdatePayload:
-    properties:
-      description:
-        description: Description of the template
-        example: High performance web server
-        type: string
-      fileContent:
-        description: Content of stack file
-        type: string
-      logo:
-        description: URL of the template's logo
-        example: https://cloudinovasi.id/assets/img/logos/nginx.png
-        type: string
-      note:
-        description: A note that will be displayed in the UI. Supports HTML content
-        example: This is my <b>custom</b> template
-        type: string
-      platform:
-        description: |-
-          Platform associated to the template.
-          Valid values are: 1 - 'linux', 2 - 'windows'
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-      title:
-        description: Title of the template
-        example: Nginx
-        type: string
-      type:
-        description: Type of created stack (1 - swarm, 2 - compose)
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-    required:
-      - description
-      - fileContent
-      - platform
-      - title
-      - type
-    type: object
-  customtemplates.fileResponse:
-    properties:
-      fileContent:
-        type: string
-    type: object
-  dockerhub.dockerhubUpdatePayload:
-    properties:
-      authentication:
-        description: Enable authentication against DockerHub
-        example: false
-        type: boolean
-      password:
-        description: Password used to authenticate against the DockerHub
-        example: hub_password
-        type: string
-      username:
-        description: Username used to authenticate against the DockerHub
-        example: hub_user
-        type: string
-    required:
-      - authentication
-      - password
-      - username
-    type: object
-  edgegroups.edgeGroupCreatePayload:
-    properties:
-      dynamic:
-        type: boolean
-      endpoints:
-        items:
-          type: integer
-        type: array
-      name:
-        type: string
-      partialMatch:
-        type: boolean
-      tagIDs:
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-    type: object
-  edgegroups.edgeGroupUpdatePayload:
-    properties:
-      dynamic:
-        type: boolean
-      endpoints:
-        items:
-          type: integer
-        type: array
-      name:
-        type: string
-      partialMatch:
-        type: boolean
-      tagIDs:
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-    type: object
-  edgejobs.edgeJobCreateFromFileContentPayload:
-    properties:
-      cronExpression:
-        type: string
-      endpoints:
-        items:
-          type: integer
-        type: array
-      fileContent:
-        type: string
-      name:
-        type: string
-      recurring:
-        type: boolean
-    type: object
-  edgejobs.edgeJobCreateFromFilePayload:
-    properties:
-      cronExpression:
-        type: string
-      endpoints:
-        items:
-          type: integer
-        type: array
-      file:
-        items:
-          type: integer
-        type: array
-      name:
-        type: string
-      recurring:
-        type: boolean
-    type: object
-  edgejobs.edgeJobFileResponse:
-    properties:
-      FileContent:
-        type: string
-    type: object
-  edgejobs.edgeJobUpdatePayload:
-    properties:
-      cronExpression:
-        type: string
-      endpoints:
-        items:
-          type: integer
-        type: array
-      fileContent:
-        type: string
-      name:
-        type: string
-      recurring:
-        type: boolean
-    type: object
-  edgejobs.fileResponse:
-    properties:
-      FileContent:
-        type: string
-    type: object
-  edgejobs.taskContainer:
-    properties:
-      EndpointId:
-        type: integer
-      Id:
-        type: string
-      LogsStatus:
-        type: integer
-    type: object
-  edgestacks.stackFileResponse:
-    properties:
-      StackFileContent:
-        type: string
-    type: object
-  edgestacks.swarmStackFromFileContentPayload:
-    properties:
-      edgeGroups:
-        items:
-          description: EdgeGroup Identifier
-          example: 1
-          type: integer
-        type: array
-      name:
-        type: string
-      stackFileContent:
-        type: string
-    type: object
-  edgestacks.swarmStackFromFileUploadPayload:
-    properties:
-      edgeGroups:
-        items:
-          description: EdgeGroup Identifier
-          example: 1
-          type: integer
-        type: array
-      name:
-        type: string
-      stackFileContent:
-        items:
-          type: integer
-        type: array
-    type: object
-  edgestacks.swarmStackFromGitRepositoryPayload:
-    properties:
-      composeFilePathInRepository:
-        type: string
-      edgeGroups:
-        items:
-          description: EdgeGroup Identifier
-          example: 1
-          type: integer
-        type: array
-      name:
-        type: string
-      repositoryAuthentication:
-        type: boolean
-      repositoryPassword:
-        type: string
-      repositoryReferenceName:
-        type: string
-      repositoryURL:
-        type: string
-      repositoryUsername:
-        type: string
-    type: object
-  edgestacks.updateEdgeStackPayload:
-    properties:
-      edgeGroups:
-        items:
-          description: EdgeGroup Identifier
-          example: 1
-          type: integer
-        type: array
-      prune:
-        type: boolean
-      stackFileContent:
-        type: string
-      version:
-        type: integer
-    type: object
-  endpointedge.configResponse:
-    properties:
-      name:
-        type: string
-      prune:
-        type: boolean
-      stackFileContent:
-        type: string
-    type: object
-  endpointgroups.endpointGroupCreatePayload:
-    properties:
-      associatedEndpoints:
-        description: List of endpoint identifiers that will be part of this group
-        example:
-          - 1
-          - 3
-        items:
-          type: integer
-        type: array
-      description:
-        description: Endpoint group description
-        example: description
-        type: string
-      name:
-        description: Endpoint group name
-        example: my-endpoint-group
-        type: string
-      tagIDs:
-        description: List of tag identifiers to which this endpoint group is associated
-        example:
-          - 1
-          - 2
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-    required:
-      - name
-    type: object
-  endpointgroups.endpointGroupUpdatePayload:
-    properties:
-      description:
-        description: Endpoint group description
-        example: description
-        type: string
-      name:
-        description: Endpoint group name
-        example: my-endpoint-group
-        type: string
-      tagIDs:
-        description: List of tag identifiers associated to the endpoint group
-        example:
-          - 3
-          - 4
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-      teamAccessPolicies:
-        $ref: '#/definitions/portainer.TeamAccessPolicies'
-      userAccessPolicies:
-        $ref: '#/definitions/portainer.UserAccessPolicies'
-    type: object
-  endpoints.edgeJobResponse:
-    properties:
-      CollectLogs:
-        description: Whether to collect logs
-        example: true
-        type: boolean
-      CronExpression:
-        description: A cron expression to schedule this job
-        example: '* * * * *'
-        type: string
-      Id:
-        description: EdgeJob Identifier
-        example: 2
-        type: integer
-      Script:
-        description: Script to run
-        example: echo hello
-        type: string
-      Version:
-        description: Version of this EdgeJob
-        example: 2
-        type: integer
-    type: object
-  endpoints.endpointEdgeStatusInspectResponse:
-    properties:
-      checkin:
-        description: The current value of CheckinInterval
-        example: 5
-        type: integer
-      credentials:
-        type: string
-      port:
-        description: The tunnel port
-        example: 8732
-        type: integer
-      schedules:
-        description: List of requests for jobs to run on the endpoint
-        items:
-          $ref: '#/definitions/endpoints.edgeJobResponse'
-        type: array
-      stacks:
-        description: List of stacks to be deployed on the endpoints
-        items:
-          $ref: '#/definitions/endpoints.stackStatusResponse'
-        type: array
-      status:
-        description: Status represents the endpoint status
-        example: REQUIRED
-        type: string
-    type: object
-  endpoints.endpointUpdatePayload:
-    properties:
-      azureApplicationID:
-        description: Azure application ID
-        example: eag7cdo9-o09l-9i83-9dO9-f0b23oe78db4
-        type: string
-      azureAuthenticationKey:
-        description: Azure authentication key
-        example: cOrXoK/1D35w8YQ8nH1/8ZGwzz45JIYD5jxHKXEQknk=
-        type: string
-      azureTenantID:
-        description: Azure tenant ID
-        example: 34ddc78d-4fel-2358-8cc1-df84c8o839f5
-        type: string
-      edgeCheckinInterval:
-        description: The check in interval for edge agent (in seconds)
-        example: 5
-        type: integer
-      groupID:
-        description: Group identifier
-        example: 1
-        type: integer
-      kubernetes:
-        $ref: '#/definitions/portainer.KubernetesData'
-        description: Associated Kubernetes data
-      name:
-        description: Name that will be used to identify this endpoint
-        example: my-endpoint
-        type: string
-      publicURL:
-        description: |-
-          URL or IP address where exposed containers will be reachable.\
-          Defaults to URL if not specified
-        example: docker.mydomain.tld:2375
-        type: string
-      status:
-        description: The status of the endpoint (1 - up, 2 - down)
-        example: 1
-        type: integer
-      tagIDs:
-        description: List of tag identifiers to which this endpoint is associated
-        example:
-          - 1
-          - 2
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-      teamAccessPolicies:
-        $ref: '#/definitions/portainer.TeamAccessPolicies'
-      tls:
-        description: Require TLS to connect against this endpoint
-        example: true
-        type: boolean
-      tlsskipClientVerify:
-        description: Skip client verification when using TLS
-        example: false
-        type: boolean
-      tlsskipVerify:
-        description: Skip server verification when using TLS
-        example: false
-        type: boolean
-      url:
-        description: URL or IP address of a Docker host
-        example: docker.mydomain.tld:2375
-        type: string
-      userAccessPolicies:
-        $ref: '#/definitions/portainer.UserAccessPolicies'
-    type: object
-  endpoints.stackStatusResponse:
-    properties:
-      id:
-        description: EdgeStack Identifier
-        example: 1
-        type: integer
-      version:
-        description: Version of this stack
-        example: 3
-        type: integer
-    type: object
-  motd.motdResponse:
-    properties:
-      ContentLayout:
-        additionalProperties:
-          type: string
-        type: object
-      Hash:
-        items:
-          type: integer
-        type: array
-      Message:
-        type: string
-      Style:
-        type: string
-      Title:
-        type: string
-    type: object
-  portainer.AccessPolicy:
-    properties:
-      RoleId:
-        description: Role identifier. Reference the role that will be associated to
-          this access policy
-        example: 1
-        type: integer
-    type: object
-  portainer.Authorizations:
-    additionalProperties:
-      type: boolean
-    type: object
-  portainer.AzureCredentials:
-    properties:
-      ApplicationID:
-        description: Azure application ID
-        example: eag7cdo9-o09l-9i83-9dO9-f0b23oe78db4
-        type: string
-      AuthenticationKey:
-        description: Azure authentication key
-        example: cOrXoK/1D35w8YQ8nH1/8ZGwzz45JIYD5jxHKXEQknk=
-        type: string
-      TenantID:
-        description: Azure tenant ID
-        example: 34ddc78d-4fel-2358-8cc1-df84c8o839f5
-        type: string
-    type: object
-  portainer.CustomTemplate:
-    properties:
-      CreatedByUserId:
-        description: User identifier who created this template
-        example: 3
-        type: integer
-      Description:
-        description: Description of the template
-        example: High performance web server
-        type: string
-      EntryPoint:
-        description: Path to the Stack file
-        example: docker-compose.yml
-        type: string
-      Id:
-        description: CustomTemplate Identifier
-        example: 1
-        type: integer
-      Logo:
-        description: URL of the template's logo
-        example: https://cloudinovasi.id/assets/img/logos/nginx.png
-        type: string
-      Note:
-        description: A note that will be displayed in the UI. Supports HTML content
-        example: This is my <b>custom</b> template
-        type: string
-      Platform:
-        description: |-
-          Platform associated to the template.
-          Valid values are: 1 - 'linux', 2 - 'windows'
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-      ProjectPath:
-        description: Path on disk to the repository hosting the Stack file
-        example: /data/custom_template/3
-        type: string
-      ResourceControl:
-        $ref: '#/definitions/portainer.ResourceControl'
-      Title:
-        description: Title of the template
-        example: Nginx
-        type: string
-      Type:
-        description: Type of created stack (1 - swarm, 2 - compose)
-        example: 1
-        type: integer
-    type: object
-  portainer.DockerHub:
-    properties:
-      Authentication:
-        description: Is authentication against DockerHub enabled
-        example: true
-        type: boolean
-      Password:
-        description: Password used to authenticate against the DockerHub
-        example: passwd
-        type: string
-      Username:
-        description: Username used to authenticate against the DockerHub
-        example: user
-        type: string
-    type: object
-  portainer.DockerSnapshot:
-    properties:
-      DockerSnapshotRaw:
-        $ref: '#/definitions/portainer.DockerSnapshotRaw'
-      DockerVersion:
-        type: string
-      GpuUseAll:
-        type: boolean
-      GpuUseList:
-        items:
-          type: string
-        type: array
-      HealthyContainerCount:
-        type: integer
-      ImageCount:
-        type: integer
-      RunningContainerCount:
-        type: integer
-      ServiceCount:
-        type: integer
-      StackCount:
-        type: integer
-      StoppedContainerCount:
-        type: integer
-      Swarm:
-        type: boolean
-      Time:
-        type: integer
-      TotalCPU:
-        type: integer
-      TotalMemory:
-        type: integer
-      UnhealthyContainerCount:
-        type: integer
-      VolumeCount:
-        type: integer
-    type: object
-  portainer.DockerSnapshotRaw:
-    properties:
-      Containers:
-        type: object
-      Images:
-        type: object
-      Info:
-        type: object
-      Networks:
-        type: object
-      Version:
-        type: object
-      Volumes:
-        type: object
-    type: object
-  portainer.EdgeGroup:
-    properties:
-      Dynamic:
-        type: boolean
-      Endpoints:
-        items:
-          type: integer
-        type: array
-      Id:
-        description: EdgeGroup Identifier
-        example: 1
-        type: integer
-      Name:
-        type: string
-      PartialMatch:
-        type: boolean
-      TagIds:
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-    type: object
-  portainer.EdgeJob:
-    properties:
-      Created:
-        type: integer
-      CronExpression:
-        type: string
-      Endpoints:
-        additionalProperties:
-          $ref: '#/definitions/portainer.EdgeJobEndpointMeta'
-        type: object
-      Id:
-        description: EdgeJob Identifier
-        example: 1
-        type: integer
-      Name:
-        type: string
-      Recurring:
-        type: boolean
-      ScriptPath:
-        type: string
-      Version:
-        type: integer
-    type: object
-  portainer.EdgeJobEndpointMeta:
-    properties:
-      collectLogs:
-        type: boolean
-      logsStatus:
-        type: integer
-    type: object
-  portainer.EdgeStack:
-    properties:
-      CreationDate:
-        type: integer
-      EdgeGroups:
-        items:
-          description: EdgeGroup Identifier
-          example: 1
-          type: integer
-        type: array
-      EntryPoint:
-        type: string
-      Id:
-        description: EdgeStack Identifier
-        example: 1
-        type: integer
-      Name:
-        type: string
-      ProjectPath:
-        type: string
-      Prune:
-        type: boolean
-      Status:
-        additionalProperties:
-          $ref: '#/definitions/portainer.EdgeStackStatus'
-        type: object
-      Version:
-        type: integer
-    type: object
-  portainer.EdgeStackStatus:
-    properties:
-      EndpointID:
-        type: integer
-      Error:
-        type: string
-      Type:
-        type: integer
-    type: object
-  portainer.Endpoint:
-    properties:
-      AuthorizedTeams:
-        items:
-          type: integer
-        type: array
-      AuthorizedUsers:
-        description: Deprecated in DBVersion == 18
-        items:
-          description: User identifier who created this template
-          example: 3
-          type: integer
-        type: array
-      AzureCredentials:
-        $ref: '#/definitions/portainer.AzureCredentials'
-      EdgeCheckinInterval:
-        description: The check in interval for edge agent (in seconds)
-        example: 5
-        type: integer
-      EdgeID:
-        description: The identifier of the edge agent associated with this endpoint
-        type: string
-      EdgeKey:
-        description: The key which is used to map the agent to Portainer
-        type: string
-      Gpus:
-        description: Endpoint Gpus information
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      GroupId:
-        description: Endpoint group identifier
-        example: 1
-        type: integer
-      Id:
-        description: Endpoint Identifier
-        example: 1
-        type: integer
-      Kubernetes:
-        $ref: '#/definitions/portainer.KubernetesData'
-        description: Associated Kubernetes data
-      Name:
-        description: Endpoint name
-        example: my-endpoint
-        type: string
-      PublicURL:
-        description: URL or IP address where exposed containers will be reachable
-        example: docker.mydomain.tld:2375
-        type: string
-      Snapshots:
-        description: List of snapshots
-        items:
-          $ref: '#/definitions/portainer.DockerSnapshot'
-        type: array
-      Status:
-        description: The status of the endpoint (1 - up, 2 - down)
-        example: 1
-        type: integer
-      TLS:
-        description: |-
-          Deprecated fields
-          Deprecated in DBVersion == 4
-        type: boolean
-      TLSCACert:
-        type: string
-      TLSCert:
-        type: string
-      TLSConfig:
-        $ref: '#/definitions/portainer.TLSConfiguration'
-      TLSKey:
-        type: string
-      TagIds:
-        description: List of tag identifiers to which this endpoint is associated
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-      Tags:
-        description: Deprecated in DBVersion == 22
-        items:
-          type: string
-        type: array
-      TeamAccessPolicies:
-        $ref: '#/definitions/portainer.TeamAccessPolicies'
-        description: List of team identifiers authorized to connect to this endpoint
-      Type:
-        description: Endpoint environment type. 1 for a Docker environment, 2 for
-          an agent on Docker environment or 3 for an Azure environment.
-        example: 1
-        type: integer
-      URL:
-        description: URL or IP address of the Docker host associated to this endpoint
-        example: docker.mydomain.tld:2375
-        type: string
-      UserAccessPolicies:
-        $ref: '#/definitions/portainer.UserAccessPolicies'
-        description: List of user identifiers authorized to connect to this endpoint
-    type: object
-  portainer.EndpointAuthorizations:
-    additionalProperties:
-      $ref: '#/definitions/portainer.Authorizations'
-    type: object
-  portainer.EndpointGroup:
-    properties:
-      AuthorizedTeams:
-        items:
-          type: integer
-        type: array
-      AuthorizedUsers:
-        description: Deprecated in DBVersion == 18
-        items:
-          description: User identifier who created this template
-          example: 3
-          type: integer
-        type: array
-      Description:
-        description: Description associated to the endpoint group
-        example: Endpoint group description
-        type: string
-      Id:
-        description: Endpoint group Identifier
-        example: 1
-        type: integer
-      Labels:
-        description: Deprecated fields
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      Name:
-        description: Endpoint group name
-        example: my-endpoint-group
-        type: string
-      TagIds:
-        description: List of tags associated to this endpoint group
-        items:
-          description: Tag identifier
-          example: 1
-          type: integer
-        type: array
-      Tags:
-        description: Deprecated in DBVersion == 22
-        items:
-          type: string
-        type: array
-      TeamAccessPolicies:
-        $ref: '#/definitions/portainer.TeamAccessPolicies'
-      UserAccessPolicies:
-        $ref: '#/definitions/portainer.UserAccessPolicies'
-    type: object
-  portainer.GitlabRegistryData:
-    properties:
-      InstanceURL:
-        type: string
-      ProjectId:
-        type: integer
-      ProjectPath:
-        type: string
-    type: object
-  portainer.KubernetesConfiguration:
-    properties:
-      IngressClasses:
-        items:
-          $ref: '#/definitions/portainer.KubernetesIngressClassConfig'
-        type: array
-      StorageClasses:
-        items:
-          $ref: '#/definitions/portainer.KubernetesStorageClassConfig'
-        type: array
-      UseLoadBalancer:
-        type: boolean
-      UseServerMetrics:
-        type: boolean
-      RestrictDefaultNamespace:
-        type: boolean
-    type: object
-  portainer.KubernetesData:
-    properties:
-      Configuration:
-        $ref: '#/definitions/portainer.KubernetesConfiguration'
-      Snapshots:
-        items:
-          $ref: '#/definitions/portainer.KubernetesSnapshot'
-        type: array
-    type: object
-  portainer.KubernetesIngressClassConfig:
-    properties:
-      Name:
-        type: string
-      Type:
-        type: string
-    type: object
-  portainer.KubernetesSnapshot:
-    properties:
-      KubernetesVersion:
-        type: string
-      NodeCount:
-        type: integer
-      Time:
-        type: integer
-      TotalCPU:
-        type: integer
-      TotalMemory:
-        type: integer
-    type: object
-  portainer.KubernetesStorageClassConfig:
-    properties:
-      AccessModes:
-        items:
-          type: string
-        type: array
-      AllowVolumeExpansion:
-        type: boolean
-      Name:
-        type: string
-      Provisioner:
-        type: string
-    type: object
-  portainer.InternalAuthSettings:
-    properties:
-      RequiredPasswordLength:
-        description: The minimum character length a user can set their password
-        example: 12
-        type: integer
-  portainer.LDAPGroupSearchSettings:
-    properties:
-      GroupAttribute:
-        description: LDAP attribute which denotes the group membership
-        example: member
-        type: string
-      GroupBaseDN:
-        description: The distinguished name of the element from which the LDAP server
-          will search for groups
-        example: dc=ldap,dc=domain,dc=tld
-        type: string
-      GroupFilter:
-        description: The LDAP search filter used to select group elements, optional
-        example: (objectClass=account
-        type: string
-    type: object
-  portainer.LDAPSearchSettings:
-    properties:
-      BaseDN:
-        description: The distinguished name of the element from which the LDAP server
-          will search for users
-        example: dc=ldap,dc=domain,dc=tld
-        type: string
-      Filter:
-        description: Optional LDAP search filter used to select user elements
-        example: (objectClass=account)
-        type: string
-      UserNameAttribute:
-        description: LDAP attribute which denotes the username
-        example: uid
-        type: string
-    type: object
-  portainer.LDAPSettings:
-    properties:
-      AnonymousMode:
-        description: Enable this option if the server is configured for Anonymous
-          access. When enabled, ReaderDN and Password will not be used
-        example: true
-        type: boolean
-      AutoCreateUsers:
-        description: Automatically provision users and assign them to matching LDAP
-          group names
-        example: true
-        type: boolean
-      GroupSearchSettings:
-        items:
-          $ref: '#/definitions/portainer.LDAPGroupSearchSettings'
-        type: array
-      Password:
-        description: Password of the account that will be used to search users
-        example: readonly-password
-        type: string
-      ReaderDN:
-        description: Account that will be used to search for users
-        example: cn=readonly-account,dc=ldap,dc=domain,dc=tld
-        type: string
-      SearchSettings:
-        items:
-          $ref: '#/definitions/portainer.LDAPSearchSettings'
-        type: array
-      StartTLS:
-        description: Whether LDAP connection should use StartTLS
-        example: true
-        type: boolean
-      TLSConfig:
-        $ref: '#/definitions/portainer.TLSConfiguration'
-      URL:
-        description: URL or IP address of the LDAP server
-        example: myldap.domain.tld:389
-        type: string
-    type: object
-  portainer.OAuthSettings:
-    properties:
-      AccessTokenURI:
-        type: string
-      AuthorizationURI:
-        type: string
-      ClientID:
-        type: string
-      ClientSecret:
-        type: string
-      DefaultTeamID:
-        type: integer
-      OAuthAutoCreateUsers:
-        type: boolean
-      RedirectURI:
-        type: string
-      ResourceURI:
-        type: string
-      Scopes:
-        type: string
-      UserIdentifier:
-        type: string
-    type: object
-  portainer.Pair:
-    properties:
-      name:
-        example: name
-        type: string
-      value:
-        example: value
-        type: string
-    type: object
-  portainer.Registry:
-    properties:
-      Authentication:
-        description: Is authentication against this registry enabled
-        example: true
-        type: boolean
-      AuthorizedTeams:
-        items:
-          type: integer
-        type: array
-      AuthorizedUsers:
-        description: |-
-          Deprecated fields
-          Deprecated in DBVersion == 18
-        items:
-          description: User identifier who created this template
-          example: 3
-          type: integer
-        type: array
-      Gitlab:
-        $ref: '#/definitions/portainer.GitlabRegistryData'
-      Id:
-        description: Registry Identifier
-        example: 1
-        type: integer
-      ManagementConfiguration:
-        $ref: '#/definitions/portainer.RegistryManagementConfiguration'
-      Name:
-        description: Registry Name
-        example: my-registry
-        type: string
-      Password:
-        description: Password used to authenticate against this registry
-        example: registry_password
-        type: string
-      TeamAccessPolicies:
-        $ref: '#/definitions/portainer.TeamAccessPolicies'
-      Type:
-        description: Registry Type (1 - Quay, 2 - Azure, 3 - Custom, 4 - Gitlab, 5 - ProGet)
-        enum:
-          - 1
-          - 2
-          - 3
-          - 4
-          - 5
-        type: integer
-      URL:
-        description: URL or IP address of the Docker registry
-        example: registry.mydomain.tld:2375
-        type: string
-      BaseURL:
-        description: Base URL or IP address of the ProGet registry
-        example: registry.mydomain.tld:2375
-        type: string
-      UserAccessPolicies:
-        $ref: '#/definitions/portainer.UserAccessPolicies'
-      Username:
-        description: Username used to authenticate against this registry
-        example: registry user
-        type: string
-    type: object
-  portainer.RegistryManagementConfiguration:
-    properties:
-      Authentication:
-        type: boolean
-      Password:
-        type: string
-      TLSConfig:
-        $ref: '#/definitions/portainer.TLSConfiguration'
-      Type:
-        type: integer
-      Username:
-        type: string
-    type: object
-  portainer.ResourceControl:
-    properties:
-      AccessLevel:
-        type: integer
-      AdministratorsOnly:
-        description: Permit access to resource only to admins
-        example: true
-        type: boolean
-      Id:
-        description: ResourceControl Identifier
-        example: 1
-        type: integer
-      OwnerId:
-        description: |-
-          Deprecated fields
-          Deprecated in DBVersion == 2
-        type: integer
-      Public:
-        description: Permit access to the associated resource to any user
-        example: true
-        type: boolean
-      ResourceId:
-        description: |-
-          Docker resource identifier on which access control will be applied.\
-          In the case of a resource control applied to a stack, use the stack name as identifier
-        example: 617c5f22bb9b023d6daab7cba43a57576f83492867bc767d1c59416b065e5f08
-        type: string
-      SubResourceIds:
-        description: List of Docker resources that will inherit this access control
-        example:
-          - 617c5f22bb9b023d6daab7cba43a57576f83492867bc767d1c59416b065e5f08
-        items:
-          type: string
-        type: array
-      System:
-        type: boolean
-      TeamAccesses:
-        items:
-          $ref: '#/definitions/portainer.TeamResourceAccess'
-        type: array
-      Type:
-        description: |-
-          Type of Docker resource. Valid values are: 1- container, 2 -service
-          3 - volume, 4 - secret, 5 - stack, 6 - config or 7 - custom template
-        example: 1
-        type: integer
-      UserAccesses:
-        items:
-          $ref: '#/definitions/portainer.UserResourceAccess'
-        type: array
-    type: object
-  portainer.Role:
-    properties:
-      Authorizations:
-        $ref: '#/definitions/portainer.Authorizations'
-        description: Authorizations associated to a role
-      Description:
-        description: Role description
-        example: Read-only access of all resources in an endpoint
-        type: string
-      Id:
-        description: Role Identifier
-        example: 1
-        type: integer
-      Name:
-        description: Role name
-        example: HelpDesk
-        type: string
-      Priority:
-        type: integer
-    type: object
-  portainer.Settings:
-    properties:
-      AllowBindMountsForRegularUsers:
-        description: Whether non-administrator should be able to use bind mounts when
-          creating containers
-        example: false
-        type: boolean
-      AllowContainerCapabilitiesForRegularUsers:
-        description: Whether non-administrator should be able to use container capabilities
-        type: boolean
-      AllowDeviceMappingForRegularUsers:
-        description: Whether non-administrator should be able to use device mapping
-        type: boolean
-      AllowHostNamespaceForRegularUsers:
-        description: Whether non-administrator should be able to use the host pid
-        type: boolean
-      AllowPrivilegedModeForRegularUsers:
-        description: Whether non-administrator should be able to use privileged mode
-          when creating containers
-        example: false
-        type: boolean
-      AllowStackManagementForRegularUsers:
-        description: Whether non-administrator should be able to manage stacks
-        type: boolean
-      AllowVolumeBrowserForRegularUsers:
-        description: Whether non-administrator should be able to browse volumes
-        type: boolean
-      AuthenticationMethod:
-        description: 'Active authentication method for the Portainer instance. Valid
-          values are: 1 for internal, 2 for LDAP, or 3 for oauth'
-        example: 1
-        type: integer
-      BlackListedLabels:
-        description: A list of label name & value that will be used to hide containers
-          when querying containers
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      EdgeAgentCheckinInterval:
-        description: The default check in interval for edge agent (in seconds)
-        example: 5
-        type: integer
-      EnableEdgeComputeFeatures:
-        description: Whether edge compute features are enabled
-        type: boolean
-      EnableHostManagementFeatures:
-        description: Whether host management features are enabled
-        type: boolean
-      EnableTelemetry:
-        description: Whether telemetry is enabled
-        example: false
-        type: boolean
-      InternalAuthSettings:
-        $ref: '#/definitions/portainer.InternalAuthSettings'
-      LDAPSettings:
-        $ref: '#/definitions/portainer.LDAPSettings'
-      LogoURL:
-        description: URL to a logo that will be displayed on the login page as well
-          as on top of the sidebar. Will use default Portainer logo when value is
-          empty string
-        example: https://mycompany.mydomain.tld/logo.png
-        type: string
-      OAuthSettings:
-        $ref: '#/definitions/portainer.OAuthSettings'
-      SnapshotInterval:
-        description: The interval in which endpoint snapshots are created
-        example: 5m
-        type: string
-      TemplatesURL:
-        description: URL to the templates that will be displayed in the UI when navigating
-          to App Templates
-        example: https://raw.githubusercontent.com/portainer/templates/master/templates.json
-        type: string
-      UserSessionTimeout:
-        description: The duration of a user session
-        example: 5m
-        type: string
-      displayDonationHeader:
-        description: Deprecated fields
-        type: boolean
-      displayExternalContributors:
-        type: boolean
-    type: object
-  portainer.Stack:
-    properties:
-      EndpointId:
-        description: Endpoint identifier. Reference the endpoint that will be used
-          for deployment
-        example: 1
-        type: integer
-      EntryPoint:
-        description: Path to the Stack file
-        example: docker-compose.yml
-        type: string
-      Env:
-        description: A list of environment variables used during stack deployment
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      Id:
-        description: Stack Identifier
-        example: 1
-        type: integer
-      Name:
-        description: Stack name
-        example: myStack
-        type: string
-      ResourceControl:
-        $ref: '#/definitions/portainer.ResourceControl'
-      Status:
-        description: Stack status (1 - active, 2 - inactive)
-        example: 1
-        type: integer
-      SwarmId:
-        description: Cluster identifier of the Swarm cluster where the stack is deployed
-        example: jpofkc0i9uo9wtx1zesuk649w
-        type: string
-      Type:
-        description: Stack type. 1 for a Swarm stack, 2 for a Compose stack
-        example: 2
-        type: integer
-      createdBy:
-        description: The username which created this stack
-        example: admin
-        type: string
-      creationDate:
-        description: The date in unix time when stack was created
-        example: 1587399600
-        type: integer
-      projectPath:
-        description: Path on disk to the repository hosting the Stack file
-        example: /data/compose/myStack_jpofkc0i9uo9wtx1zesuk649w
-        type: string
-      updateDate:
-        description: The date in unix time when stack was last updated
-        example: 1587399600
-        type: integer
-      updatedBy:
-        description: The username which last updated this stack
-        example: bob
-        type: string
-    type: object
-  portainer.Status:
-    properties:
-      Version:
-        description: Portainer API version
-        example: 2.0.0
-        type: string
-    type: object
-  portainer.TLSConfiguration:
-    properties:
-      TLS:
-        description: Use TLS
-        example: true
-        type: boolean
-      TLSCACert:
-        description: Path to the TLS CA certificate file
-        example: /data/tls/ca.pem
-        type: string
-      TLSCert:
-        description: Path to the TLS client certificate file
-        example: /data/tls/cert.pem
-        type: string
-      TLSKey:
-        description: Path to the TLS client key file
-        example: /data/tls/key.pem
-        type: string
-      TLSSkipVerify:
-        description: Skip the verification of the server TLS certificate
-        example: false
-        type: boolean
-    type: object
-  portainer.Tag:
-    properties:
-      EndpointGroups:
-        additionalProperties:
-          type: boolean
-        description: A set of endpoint group ids that have this tag
-        type: object
-      Endpoints:
-        additionalProperties:
-          type: boolean
-        description: A set of endpoint ids that have this tag
-        type: object
-      Name:
-        description: Tag name
-        example: org/acme
-        type: string
-      id:
-        description: Tag identifier
-        example: 1
-        type: integer
-    type: object
-  portainer.Team:
-    properties:
-      Id:
-        description: Team Identifier
-        example: 1
-        type: integer
-      Name:
-        description: Team name
-        example: developers
-        type: string
-    type: object
-  portainer.TeamAccessPolicies:
-    additionalProperties:
-      $ref: '#/definitions/portainer.AccessPolicy'
-    type: object
-  portainer.TeamMembership:
-    properties:
-      Id:
-        description: Membership Identifier
-        example: 1
-        type: integer
-      Role:
-        description: Team role (1 for team leader and 2 for team member)
-        example: 1
-        type: integer
-      TeamID:
-        description: Team identifier
-        example: 1
-        type: integer
-      UserID:
-        description: User identifier
-        example: 1
-        type: integer
-    type: object
-  portainer.TeamResourceAccess:
-    properties:
-      AccessLevel:
-        type: integer
-      TeamId:
-        type: integer
-    type: object
-  portainer.Template:
-    properties:
-      Id:
-        description: |-
-          Mandatory container/stack fields
-          Template Identifier
-        example: 1
-        type: integer
-      administrator_only:
-        description: Whether the template should be available to administrators only
-        example: true
-        type: boolean
-      categories:
-        description: A list of categories associated to the template
-        example:
-          - database
-        items:
-          type: string
-        type: array
-      command:
-        description: The command that will be executed in a container template
-        example: ls -lah
-        type: string
-      description:
-        description: Description of the template
-        example: High performance web server
-        type: string
-      env:
-        description: A list of environment variables used during the template deployment
-        items:
-          $ref: '#/definitions/portainer.TemplateEnv'
-        type: array
-      hostname:
-        description: Container hostname
-        example: mycontainer
-        type: string
-      image:
-        description: |-
-          Mandatory container fields
-          Image associated to a container template. Mandatory for a container template
-        example: nginx:latest
-        type: string
-      interactive:
-        description: |-
-          Whether the container should be started in
-          interactive mode (-i -t equivalent on the CLI)
-        example: true
-        type: boolean
-      labels:
-        description: Container labels
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      logo:
-        description: URL of the template's logo
-        example: https://cloudinovasi.id/assets/img/logos/nginx.png
-        type: string
-      name:
-        description: |-
-          Optional stack/container fields
-          Default name for the stack/container to be used on deployment
-        example: mystackname
-        type: string
-      network:
-        description: Name of a network that will be used on container deployment if
-          it exists inside the environment
-        example: mynet
-        type: string
-      note:
-        description: A note that will be displayed in the UI. Supports HTML content
-        example: This is my <b>custom</b> template
-        type: string
-      platform:
-        description: |-
-          Platform associated to the template.
-          Valid values are: 'linux', 'windows' or leave empty for multi-platform
-        example: linux
-        type: string
-      ports:
-        description: A list of ports exposed by the container
-        example:
-          - 8080:80/tcp
-        items:
-          type: string
-        type: array
-      privileged:
-        description: Whether the container should be started in privileged mode
-        example: true
-        type: boolean
-      registry:
-        description: |-
-          Optional container fields
-          The URL of a registry associated to the image for a container template
-        example: quay.io
-        type: string
-      repository:
-        $ref: '#/definitions/portainer.TemplateRepository'
-        description: Mandatory stack fields
-      restart_policy:
-        description: Container restart policy
-        example: on-failure
-        type: string
-      stackFile:
-        description: |-
-          Mandatory Edge stack fields
-          Stack file used for this template
-        type: string
-      title:
-        description: Title of the template
-        example: Nginx
-        type: string
-      type:
-        description: 'Template type. Valid values are: 1 (container), 2 (Swarm stack)
-          or 3 (Compose stack)'
-        example: 1
-        type: integer
-      volumes:
-        description: A list of volumes used during the container template deployment
-        items:
-          $ref: '#/definitions/portainer.TemplateVolume'
-        type: array
-    type: object
-  portainer.TemplateEnv:
-    properties:
-      default:
-        description: Default value that will be set for the variable
-        example: default_value
-        type: string
-      description:
-        description: Content of the tooltip that will be generated in the UI
-        example: MySQL root account password
-        type: string
-      label:
-        description: Text for the label that will be generated in the UI
-        example: Root password
-        type: string
-      name:
-        description: name of the environment variable
-        example: MYSQL_ROOT_PASSWORD
-        type: string
-      preset:
-        description: If set to true, will not generate any input for this variable
-          in the UI
-        example: false
-        type: boolean
-      select:
-        description: A list of name/value that will be used to generate a dropdown
-          in the UI
-        items:
-          $ref: '#/definitions/portainer.TemplateEnvSelect'
-        type: array
-    type: object
-  portainer.TemplateEnvSelect:
-    properties:
-      default:
-        description: Will set this choice as the default choice
-        example: false
-        type: boolean
-      text:
-        description: Some text that will displayed as a choice
-        example: text value
-        type: string
-      value:
-        description: A value that will be associated to the choice
-        example: value
-        type: string
-    type: object
-  portainer.TemplateRepository:
-    properties:
-      stackfile:
-        description: Path to the stack file inside the git repository
-        example: ./subfolder/docker-compose.yml
-        type: string
-      url:
-        description: URL of a git repository used to deploy a stack template. Mandatory
-          for a Swarm/Compose stack template
-        example: https://github.com/portainer/portainer-compose
-        type: string
-    type: object
-  portainer.TemplateVolume:
-    properties:
-      bind:
-        description: Path on the host
-        example: /tmp
-        type: string
-      container:
-        description: Path inside the container
-        example: /data
-        type: string
-      readonly:
-        description: Whether the volume used should be readonly
-        example: true
-        type: boolean
-    type: object
-  portainer.User:
-    properties:
-      EndpointAuthorizations:
-        $ref: '#/definitions/portainer.EndpointAuthorizations'
-      Id:
-        description: User Identifier
-        example: 1
-        type: integer
-      Password:
-        example: passwd
-        type: string
-      PortainerAuthorizations:
-        $ref: '#/definitions/portainer.Authorizations'
-        description: |-
-          Deprecated fields
-          Deprecated in DBVersion == 25
-      Role:
-        description: User role (1 for administrator account and 2 for regular account)
-        example: 1
-        type: integer
-      Username:
-        example: bob
-        type: string
-    type: object
-  portainer.UserAccessPolicies:
-    additionalProperties:
-      $ref: '#/definitions/portainer.AccessPolicy'
-    type: object
-  portainer.UserResourceAccess:
-    properties:
-      AccessLevel:
-        type: integer
-      UserId:
-        type: integer
-    type: object
-  portainer.Webhook:
-    properties:
-      EndpointId:
-        type: integer
-      Id:
-        description: Webhook Identifier
-        example: 1
-        type: integer
-      ResourceId:
-        type: string
-      Token:
-        type: string
-      Type:
-        type: integer
-    type: object
-  registries.registryConfigurePayload:
-    properties:
-      authentication:
-        description: Is authentication against this registry enabled
-        example: false
-        type: boolean
-      password:
-        description: Password used to authenticate against this registry. required
-          when Authentication is true
-        example: registry_password
-        type: string
-      tls:
-        description: Use TLS
-        example: true
-        type: boolean
-      tlscacertFile:
-        description: The TLS CA certificate file
-        items:
-          type: integer
-        type: array
-      tlscertFile:
-        description: The TLS client certificate file
-        items:
-          type: integer
-        type: array
-      tlskeyFile:
-        description: The TLS client key file
-        items:
-          type: integer
-        type: array
-      tlsskipVerify:
-        description: Skip the verification of the server TLS certificate
-        example: false
-        type: boolean
-      username:
-        description: Username used to authenticate against this registry. Required
-          when Authentication is true
-        example: registry_user
-        type: string
-    required:
-      - authentication
-    type: object
-  registries.registryCreatePayload:
-    properties:
-      authentication:
-        description: Is authentication against this registry enabled
-        example: false
-        type: boolean
-      gitlab:
-        $ref: '#/definitions/portainer.GitlabRegistryData'
-        description: Gitlab specific details, required when type = 4
-      name:
-        description: Name that will be used to identify this registry
-        example: my-registry
-        type: string
-      password:
-        description: Password used to authenticate against this registry. required
-          when Authentication is true
-        example: registry_password
-        type: string
-      type:
-        description: 'Registry Type. Valid values are: 1 (Quay.io), 2 (Azure container
-          registry), 3 (custom registry), 4 (Gitlab registry) or 5 (ProGet registry)'
-        enum:
-          - 1
-          - 2
-          - 3
-          - 4
-          - 5
-        example: 1
-        type: integer
-      url:
-        description: URL or IP address of the Docker registry
-        example: registry.mydomain.tld:2375
-        type: string
-      baseUrl:
-        description: Base URL or IP address of the ProGet registry
-        example: registry.mydomain.tld:2375
-        type: string
-      username:
-        description: Username used to authenticate against this registry. Required
-          when Authentication is true
-        example: registry_user
-        type: string
-    required:
-      - authentication
-      - name
-      - type
-      - url
-    type: object
-  registries.registryUpdatePayload:
-    properties:
-      authentication:
-        description: Is authentication against this registry enabled
-        example: false
-        type: boolean
-      name:
-        description: Name that will be used to identify this registry
-        example: my-registry
-        type: string
-      password:
-        description: Password used to authenticate against this registry. required
-          when Authentication is true
-        example: registry_password
-        type: string
-      teamAccessPolicies:
-        $ref: '#/definitions/portainer.TeamAccessPolicies'
-      url:
-        description: URL or IP address of the Docker registry
-        example: registry.mydomain.tld:2375
-        type: string
-      baseUrl:
-        description: Base URL or IP address of the ProGet registry
-        example: registry.mydomain.tld:2375
-        type: string
-      userAccessPolicies:
-        $ref: '#/definitions/portainer.UserAccessPolicies'
-      username:
-        description: Username used to authenticate against this registry. Required
-          when Authentication is true
-        example: registry_user
-        type: string
-    required:
-      - authentication
-      - name
-      - url
-    type: object
-  resourcecontrols.resourceControlCreatePayload:
-    properties:
-      administratorsOnly:
-        description: Permit access to resource only to admins
-        example: true
-        type: boolean
-      public:
-        description: Permit access to the associated resource to any user
-        example: true
-        type: boolean
-      resourceID:
-        example: 617c5f22bb9b023d6daab7cba43a57576f83492867bc767d1c59416b065e5f08
-        type: string
-      subResourceIDs:
-        description: List of Docker resources that will inherit this access control
-        example:
-          - 617c5f22bb9b023d6daab7cba43a57576f83492867bc767d1c59416b065e5f08
-        items:
-          type: string
-        type: array
-      teams:
-        description: List of team identifiers with access to the associated resource
-        example:
-          - 56
-          - 7
-        items:
-          type: integer
-        type: array
-      type:
-        description: |-
-          Type of Docker resource. Valid values are: container, volume\
-          service, secret, config or stack
-        example: container
-        type: string
-      users:
-        description: List of user identifiers with access to the associated resource
-        example:
-          - 1
-          - 4
-        items:
-          type: integer
-        type: array
-    required:
-      - resourceID
-      - type
-    type: object
-  resourcecontrols.resourceControlUpdatePayload:
-    properties:
-      administratorsOnly:
-        description: Permit access to resource only to admins
-        example: true
-        type: boolean
-      public:
-        description: Permit access to the associated resource to any user
-        example: true
-        type: boolean
-      teams:
-        description: List of team identifiers with access to the associated resource
-        example:
-          - 7
-        items:
-          type: integer
-        type: array
-      users:
-        description: List of user identifiers with access to the associated resource
-        example:
-          - 4
-        items:
-          type: integer
-        type: array
-    type: object
-  settings.publicSettingsResponse:
-    properties:
-      AllowBindMountsForRegularUsers:
-        description: Whether non-administrator should be able to use bind mounts when
-          creating containers
-        example: true
-        type: boolean
-      AllowContainerCapabilitiesForRegularUsers:
-        description: Whether non-administrator should be able to use container capabilities
-        example: true
-        type: boolean
-      AllowDeviceMappingForRegularUsers:
-        description: Whether non-administrator should be able to use device mapping
-        example: true
-        type: boolean
-      AllowHostNamespaceForRegularUsers:
-        description: Whether non-administrator should be able to use the host pid
-        example: true
-        type: boolean
-      AllowPrivilegedModeForRegularUsers:
-        description: Whether non-administrator should be able to use privileged mode
-          when creating containers
-        example: true
-        type: boolean
-      AllowStackManagementForRegularUsers:
-        description: Whether non-administrator should be able to manage stacks
-        example: true
-        type: boolean
-      AllowVolumeBrowserForRegularUsers:
-        description: Whether non-administrator should be able to browse volumes
-        example: true
-        type: boolean
-      AuthenticationMethod:
-        description: 'Active authentication method for the Portainer instance. Valid
-          values are: 1 for internal, 2 for LDAP, or 3 for oauth'
-        example: 1
-        type: integer
-      EnableEdgeComputeFeatures:
-        description: Whether edge compute features are enabled
-        example: true
-        type: boolean
-      EnableHostManagementFeatures:
-        description: Whether host management features are enabled
-        example: true
-        type: boolean
-      EnableTelemetry:
-        description: Whether telemetry is enabled
-        example: true
-        type: boolean
-      LogoURL:
-        description: URL to a logo that will be displayed on the login page as well
-          as on top of the sidebar. Will use default Portainer logo when value is
-          empty string
-        example: https://mycompany.mydomain.tld/logo.png
-        type: string
-      OAuthLoginURI:
-        description: The URL used for oauth login
-        example: https://gitlab.com/oauth
-        type: string
-    type: object
-  settings.settingsLDAPCheckPayload:
-    properties:
-      ldapsettings:
-        $ref: '#/definitions/portainer.LDAPSettings'
-    type: object
-  settings.settingsUpdatePayload:
-    properties:
-      allowBindMountsForRegularUsers:
-        description: Whether non-administrator should be able to use bind mounts when
-          creating containers
-        example: false
-        type: boolean
-      allowContainerCapabilitiesForRegularUsers:
-        description: Whether non-administrator should be able to use container capabilities
-        example: true
-        type: boolean
-      allowDeviceMappingForRegularUsers:
-        description: Whether non-administrator should be able to use device mapping
-        example: true
-        type: boolean
-      allowHostNamespaceForRegularUsers:
-        description: Whether non-administrator should be able to use the host pid
-        example: true
-        type: boolean
-      allowPrivilegedModeForRegularUsers:
-        description: Whether non-administrator should be able to use privileged mode
-          when creating containers
-        example: false
-        type: boolean
-      allowStackManagementForRegularUsers:
-        description: Whether non-administrator should be able to manage stacks
-        example: true
-        type: boolean
-      allowVolumeBrowserForRegularUsers:
-        description: Whether non-administrator should be able to browse volumes
-        example: true
-        type: boolean
-      authenticationMethod:
-        description: 'Active authentication method for the Portainer instance. Valid
-          values are: 1 for internal, 2 for LDAP, or 3 for oauth'
-        example: 1
-        type: integer
-      blackListedLabels:
-        description: A list of label name & value that will be used to hide containers
-          when querying containers
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      edgeAgentCheckinInterval:
-        description: The default check in interval for edge agent (in seconds)
-        example: 5
-        type: integer
-      enableEdgeComputeFeatures:
-        description: Whether edge compute features are enabled
-        example: true
-        type: boolean
-      enableHostManagementFeatures:
-        description: Whether host management features are enabled
-        example: true
-        type: boolean
-      enableTelemetry:
-        description: Whether telemetry is enabled
-        example: false
-        type: boolean
-      internalAuthSettings:
-        $ref: '#/definitions/portainer.InternalAuthSettings'
-      ldapsettings:
-        $ref: '#/definitions/portainer.LDAPSettings'
-      logoURL:
-        description: URL to a logo that will be displayed on the login page as well
-          as on top of the sidebar. Will use default Portainer logo when value is
-          empty string
-        example: https://mycompany.mydomain.tld/logo.png
-        type: string
-      oauthSettings:
-        $ref: '#/definitions/portainer.OAuthSettings'
-      snapshotInterval:
-        description: The interval in which endpoint snapshots are created
-        example: 5m
-        type: string
-      templatesURL:
-        description: URL to the templates that will be displayed in the UI when navigating
-          to App Templates
-        example: https://raw.githubusercontent.com/portainer/templates/master/templates.json
-        type: string
-      userSessionTimeout:
-        description: The duration of a user session
-        example: 5m
-        type: string
-    type: object
-  stacks.composeStackFromFileContentPayload:
-    properties:
-      env:
-        description: A list of environment variables used during stack deployment
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      name:
-        description: Name of the stack
-        example: myStack
-        type: string
-      stackFileContent:
-        description: Content of the Stack file
-        example: |-
-          version: 3
-           services:
-           web:
-           image:nginx
-        type: string
-    required:
-      - name
-      - stackFileContent
-    type: object
-  stacks.composeStackFromGitRepositoryPayload:
-    properties:
-      composeFilePathInRepository:
-        default: docker-compose.yml
-        description: Path to the Stack file inside the Git repository
-        example: docker-compose.yml
-        type: string
-      env:
-        description: A list of environment variables used during stack deployment
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      name:
-        description: Name of the stack
-        example: myStack
-        type: string
-      repositoryAuthentication:
-        description: Use basic authentication to clone the Git repository
-        example: true
-        type: boolean
-      repositoryPassword:
-        description: Password used in basic authentication. Required when RepositoryAuthentication
-          is true.
-        example: myGitPassword
-        type: string
-      repositoryReferenceName:
-        description: Reference name of a Git repository hosting the Stack file
-        example: refs/heads/master
-        type: string
-      repositoryURL:
-        description: URL of a Git repository hosting the Stack file
-        example: https://github.com/openfaas/faas
-        type: string
-      repositoryUsername:
-        description: Username used in basic authentication. Required when RepositoryAuthentication
-          is true.
-        example: myGitUsername
-        type: string
-    required:
-      - name
-      - repositoryURL
-    type: object
-  stacks.stackFileResponse:
-    properties:
-      StackFileContent:
-        description: Content of the Stack file
-        example: |-
-          version: 3
-           services:
-           web:
-           image:nginx
-        type: string
-    type: object
-  stacks.stackMigratePayload:
-    properties:
-      endpointID:
-        description: Endpoint identifier of the target endpoint where the stack will
-          be relocated
-        example: 2
-        type: integer
-      name:
-        description: If provided will rename the migrated stack
-        example: new-stack
-        type: string
-      swarmID:
-        description: Swarm cluster identifier, must match the identifier of the cluster
-          where the stack will be relocated
-        example: jpofkc0i9uo9wtx1zesuk649w
-        type: string
-    required:
-      - endpointID
-    type: object
-  stacks.swarmStackFromFileContentPayload:
-    properties:
-      env:
-        description: A list of environment variables used during stack deployment
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      name:
-        description: Name of the stack
-        example: myStack
-        type: string
-      stackFileContent:
-        description: Content of the Stack file
-        example: |-
-          version: 3
-           services:
-           web:
-           image:nginx
-        type: string
-      swarmID:
-        description: Swarm cluster identifier
-        example: jpofkc0i9uo9wtx1zesuk649w
-        type: string
-    required:
-      - name
-      - stackFileContent
-      - swarmID
-    type: object
-  stacks.swarmStackFromGitRepositoryPayload:
-    properties:
-      composeFilePathInRepository:
-        default: docker-compose.yml
-        description: Path to the Stack file inside the Git repository
-        example: docker-compose.yml
-        type: string
-      env:
-        description: A list of environment variables used during stack deployment
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      name:
-        description: Name of the stack
-        example: myStack
-        type: string
-      repositoryAuthentication:
-        description: Use basic authentication to clone the Git repository
-        example: true
-        type: boolean
-      repositoryPassword:
-        description: Password used in basic authentication. Required when RepositoryAuthentication
-          is true.
-        example: myGitPassword
-        type: string
-      repositoryReferenceName:
-        description: Reference name of a Git repository hosting the Stack file
-        example: refs/heads/master
-        type: string
-      repositoryURL:
-        description: URL of a Git repository hosting the Stack file
-        example: https://github.com/openfaas/faas
-        type: string
-      repositoryUsername:
-        description: Username used in basic authentication. Required when RepositoryAuthentication
-          is true.
-        example: myGitUsername
-        type: string
-      swarmID:
-        description: Swarm cluster identifier
-        example: jpofkc0i9uo9wtx1zesuk649w
-        type: string
-    required:
-      - name
-      - repositoryURL
-      - swarmID
-    type: object
-  stacks.updateSwarmStackPayload:
-    properties:
-      env:
-        description: A list of environment variables used during stack deployment
-        items:
-          $ref: '#/definitions/portainer.Pair'
-        type: array
-      prune:
-        description: Prune services that are no longer referenced (only available
-          for Swarm stacks)
-        example: true
-        type: boolean
-      stackFileContent:
-        description: New content of the Stack file
-        example: |-
-          version: 3
-           services:
-           web:
-           image:nginx
-        type: string
-    type: object
-  status.inspectVersionResponse:
-    properties:
-      LatestVersion:
-        description: The latest version available
-        example: 2.0.0
-        type: string
-      UpdateAvailable:
-        description: Whether portainer has an update available
-        example: false
-        type: boolean
-    type: object
-  tags.tagCreatePayload:
-    properties:
-      name:
-        description: Name
-        example: org/acme
-        type: string
-    required:
-      - name
-    type: object
-  teammemberships.teamMembershipCreatePayload:
-    properties:
-      role:
-        description: Role for the user inside the team (1 for leader and 2 for regular
-          member)
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-      teamID:
-        description: Team identifier
-        example: 1
-        type: integer
-      userID:
-        description: User identifier
-        example: 1
-        type: integer
-    required:
-      - role
-      - teamID
-      - userID
-    type: object
-  teammemberships.teamMembershipUpdatePayload:
-    properties:
-      role:
-        description: Role for the user inside the team (1 for leader and 2 for regular
-          member)
-        enum:
-          - 1
-          - 2
-        example: 1
-        type: integer
-      teamID:
-        description: Team identifier
-        example: 1
-        type: integer
-      userID:
-        description: User identifier
-        example: 1
-        type: integer
-    required:
-      - role
-      - teamID
-      - userID
-    type: object
-  teams.teamCreatePayload:
-    properties:
-      name:
-        description: Name
-        example: developers
-        type: string
-    required:
-      - name
-    type: object
-  teams.teamUpdatePayload:
-    properties:
-      name:
-        description: Name
-        example: developers
-        type: string
-    type: object
-  templates.filePayload:
-    properties:
-      composeFilePathInRepository:
-        description: Path to the file inside the git repository
-        example: ./subfolder/docker-compose.yml
-        type: string
-      repositoryURL:
-        description: URL of a git repository where the file is stored
-        example: https://github.com/portainer/portainer-compose
-        type: string
-    required:
-      - composeFilePathInRepository
-      - repositoryURL
-    type: object
-  templates.fileResponse:
-    properties:
-      fileContent:
-        description: The requested file content
-        type: string
-    type: object
-  templates.listResponse:
-    properties:
-      templates:
-        items:
-          $ref: '#/definitions/portainer.Template'
-        type: array
-      version:
-        type: string
-    type: object
-  users.adminInitPayload:
-    properties:
-      password:
-        description: Password for the admin user
-        example: admin-password
-        type: string
-      username:
-        description: Username for the admin user
-        example: admin
-        type: string
-    required:
-      - password
-      - username
-    type: object
-  users.userCreatePayload:
-    properties:
-      password:
-        example: cg9Wgky3
-        type: string
-      role:
-        description: User role (1 for administrator account and 2 for regular account)
-        enum:
-          - 1
-          - 2
-        example: 2
-        type: integer
-      username:
-        example: bob
-        type: string
-    required:
-      - password
-      - role
-      - username
-    type: object
-  users.userUpdatePasswordPayload:
-    properties:
-      newPassword:
-        description: New Password
-        example: new_passwd
-        type: string
-      password:
-        description: Current Password
-        example: passwd
-        type: string
-    required:
-      - newPassword
-      - password
-    type: object
-  users.userUpdatePayload:
-    properties:
-      password:
-        example: cg9Wgky3
-        type: string
-      role:
-        description: User role (1 for administrator account and 2 for regular account)
-        enum:
-          - 1
-          - 2
-        example: 2
-        type: integer
-      username:
-        example: bob
-        type: string
-    required:
-      - password
-      - role
-      - username
-    type: object
-  webhooks.webhookCreatePayload:
-    properties:
-      endpointID:
-        type: integer
-      resourceID:
-        type: string
-      webhookType:
-        type: integer
-    type: object
-info:
-  contact:
-    email: info@portainer.io
-  description: |
-    Portainer API is an HTTP API served by Portainer. It is used by the Portainer UI and everything you can do with the UI can be done using the HTTP API.
-    Examples are available at https://documentation.portainer.io/api/api-examples/
-    You can find out more about Portainer at [http://portainer.io](http://portainer.io) and get some support on [Slack](http://portainer.io/slack/).
-
-    # Authentication
-
-    Most of the API endpoints require to be authenticated as well as some level of authorization to be used.
-    Portainer API uses JSON Web Token to manage authentication and thus requires you to provide a token in the **Authorization** header of each request
-    with the **Bearer** authentication mechanism.
-
-    Example:
-
-    ```
-    Bearer abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890abcdefghijklmnopqrstuvwxyzAB
-    ```
-
-    # Security
-
-    Each API endpoint has an associated access policy, it is documented in the description of each endpoint.
-
-    Different access policies are available:
-
-    - Public access
-    - Authenticated access
-    - Restricted access
-    - Administrator access
-
-    ### Public access
-
-    No authentication is required to access the endpoints with this access policy.
-
-    ### Authenticated access
-
-    Authentication is required to access the endpoints with this access policy.
-
-    ### Restricted access
-
-    Authentication is required to access the endpoints with this access policy.
-    Extra-checks might be added to ensure access to the resource is granted. Returned data might also be filtered.
-
-    ### Administrator access
-
-    Authentication as well as an administrator role are required to access the endpoints with this access policy.
-
-    # Execute Docker requests
-
-    Portainer **DO NOT** expose specific endpoints to manage your Docker resources (create a container, remove a volume, etc...).
-
-    Instead, it acts as a reverse-proxy to the Docker HTTP API. This means that you can execute Docker requests **via** the Portainer HTTP API.
-
-    To do so, you can use the `/endpoints/{id}/docker` Portainer API endpoint (which is not documented below due to Swagger limitations). This endpoint has a restricted access policy so you still need to be authenticated to be able to query this endpoint. Any query on this endpoint will be proxied to the Docker API of the associated endpoint (requests and responses objects are the same as documented in the Docker API).
-
-    **NOTE**: You can find more information on how to query the Docker API in the [Docker official documentation](https://docs.docker.com/engine/api/v1.30/) as well as in [this Portainer example](https://documentation.portainer.io/api/api-examples/).
-  license: {}
-  title: PortainerCE API
-  version: 2.0.0
-paths:
-  /auth:
-    post:
-      consumes:
-        - application/json
-      description: Use this endpoint to authenticate against Portainer using a username
-        and password.
-      operationId: AuthenticateUser
-      parameters:
-        - description: Credentials used for authentication
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/auth.authenticatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/auth.authenticateResponse'
-        '400':
-          description: Invalid request
-        '422':
-          description: Invalid Credentials
-        '500':
-          description: Server error
-      summary: Authenticate
-      tags:
-        - auth
-  /auth/logout:
-    post:
-      consumes:
-        - application/json
-      operationId: logout
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: ''
-      security:
-        - jwt: []
-      summary: Logout
-      tags:
-        - auth
-  /auth/oauth/validate:
-    post:
-      consumes:
-        - application/json
-      operationId: authenticate_oauth
-      parameters:
-        - description: OAuth Credentials used for authentication
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/auth.oauthPayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/auth.authenticateResponse'
-        '400':
-          description: Invalid request
-        '422':
-          description: Invalid Credentials
-        '500':
-          description: Server error
-      summary: Authenticate with OAuth
-      tags:
-        - auth
-  /custom_templates:
-    get:
-      description: |-
-        List available custom templates.
-        **Access policy**: authenticated
-      operationId: CustomTemplateList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.CustomTemplate'
-            type: array
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List available custom templates
-      tags:
-        - custom_templates
-    post:
-      consumes:
-        - application/json
-        - ' multipart/form-data'
-      description: |-
-        Create a custom template.
-        **Access policy**: authenticated
-      operationId: CustomTemplateCreate
-      parameters:
-        - description: method for creating template
-          enum:
-            - string
-            - file
-            - repository
-          in: query
-          name: method
-          required: true
-          type: string
-        - description: Required when using method=string
-          in: body
-          name: body_string
-          schema:
-            $ref: '#/definitions/customtemplates.customTemplateFromFileContentPayload'
-        - description: Required when using method=repository
-          in: body
-          name: body_repository
-          schema:
-            $ref: '#/definitions/customtemplates.customTemplateFromGitRepositoryPayload'
-        - description: Title of the template. required when method is file
-          in: formData
-          name: Title
-          type: string
-        - description: Description of the template. required when method is file
-          in: formData
-          name: Description
-          type: string
-        - description: A note that will be displayed in the UI. Supports HTML content
-          in: formData
-          name: Note
-          type: string
-        - description: Platform associated to the template (1 - 'linux', 2 - 'windows').
-            required when method is file
-          enum:
-            - 1
-            - 2
-          in: formData
-          name: Platform
-          type: integer
-        - description: Type of created stack (1 - swarm, 2 - compose), required when
-            method is file
-          enum:
-            - 1
-            - 2
-          in: formData
-          name: Type
-          type: integer
-        - description: required when method is file
-          in: formData
-          name: file
-          type: file
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.CustomTemplate'
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a custom template
-      tags:
-        - custom_templates
-  /custom_templates/{id}:
-    delete:
-      description: |-
-        Remove a template.
-        **Access policy**: authorized
-      operationId: CustomTemplateDelete
-      parameters:
-        - description: Template identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Access denied to resource
-        '404':
-          description: Template not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a template
-      tags:
-        - custom_templates
-    get:
-      consumes:
-        - application/json
-      description: |-
-        Retrieve details about a template.
-        **Access policy**: authenticated
-      operationId: CustomTemplateInspect
-      parameters:
-        - description: Template identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.CustomTemplate'
-        '400':
-          description: Invalid request
-        '404':
-          description: Template not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect a custom template
-      tags:
-        - custom_templates
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update a template.
-        **Access policy**: authenticated
-      operationId: CustomTemplateUpdate
-      parameters:
-        - description: Template identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Template details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/customtemplates.customTemplateUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.CustomTemplate'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied to access template
-        '404':
-          description: Template not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update a template
-      tags:
-        - custom_templates
-  /custom_templates/{id}/file:
-    get:
-      description: |-
-        Retrieve the content of the Stack file for the specified custom template
-        **Access policy**: authorized
-      operationId: CustomTemplateFile
-      parameters:
-        - description: Template identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/customtemplates.fileResponse'
-        '400':
-          description: Invalid request
-        '404':
-          description: Custom template not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Get Template stack file content.
-      tags:
-        - custom_templates
-  /dockerhub:
-    get:
-      description: |-
-        Use this endpoint to retrieve the information used to connect to the DockerHub
-        **Access policy**: authenticated
-      operationId: DockerHubInspect
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.DockerHub'
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Retrieve DockerHub information
-      tags:
-        - dockerhub
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Use this endpoint to update the information used to connect to the DockerHub
-        **Access policy**: administrator
-      operationId: DockerHubUpdate
-      parameters:
-        - description: DockerHub information
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/dockerhub.dockerhubUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update DockerHub information
-      tags:
-        - dockerhub
-  /edge_groups:
-    get:
-      consumes:
-        - application/json
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: EdgeGroups
-          schema:
-            items:
-              allOf:
-                - $ref: '#/definitions/portainer.EdgeGroup'
-                - properties:
-                    HasEdgeStack:
-                      type: boolean
-                  type: object
-            type: array
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: list EdgeGroups
-      tags:
-        - edge_groups
-    post:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeGroup data
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/edgegroups.edgeGroupCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeGroup'
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Create an EdgeGroup
-      tags:
-        - edge_groups
-  /edge_groups/{id}:
-    delete:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeGroup Id
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Deletes an EdgeGroup
-      tags:
-        - edge_groups
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeGroup Id
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeGroup'
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Inspects an EdgeGroup
-      tags:
-        - edge_groups
-    put:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeGroup Id
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: EdgeGroup data
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/edgegroups.edgeGroupUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeGroup'
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Updates an EdgeGroup
-      tags:
-        - edge_groups
-  /edge_jobs:
-    get:
-      consumes:
-        - application/json
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/portainer.EdgeJob'
-            type: array
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Fetch EdgeJobs list
-      tags:
-        - edge_jobs
-    post:
-      consumes:
-        - application/json
-      parameters:
-        - description: Creation Method
-          enum:
-            - file
-            - string
-          in: query
-          name: method
-          required: true
-          type: string
-        - description: EdgeGroup data when method is string
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/edgejobs.edgeJobCreateFromFileContentPayload'
-        - description: EdgeGroup data when method is file
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/edgejobs.edgeJobCreateFromFilePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeGroup'
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Create an EdgeJob
-      tags:
-        - edge_jobs
-  /edge_jobs/{id}:
-    delete:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: ''
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Delete an EdgeJob
-      tags:
-        - edge_jobs
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeJob'
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Inspect an EdgeJob
-      tags:
-        - edge_jobs
-    post:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-        - description: EdgeGroup data
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/edgejobs.edgeJobUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeJob'
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Update an EdgeJob
-      tags:
-        - edge_jobs
-  /edge_jobs/{id}/file:
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/edgejobs.edgeJobFileResponse'
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Fetch a file of an EdgeJob
-      tags:
-        - edge_jobs
-  /edge_jobs/{id}/tasks:
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/edgejobs.taskContainer'
-            type: array
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Fetch the list of tasks on an EdgeJob
-      tags:
-        - edge_jobs
-  /edge_jobs/{id}/tasks/{taskID}/logs:
-    delete:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-        - description: Task Id
-          in: path
-          name: taskID
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: ''
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Clear the log for a specifc task on an EdgeJob
-      tags:
-        - edge_jobs
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-        - description: Task Id
-          in: path
-          name: taskID
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/edgejobs.fileResponse'
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Fetch the log for a specifc task on an EdgeJob
-      tags:
-        - edge_jobs
-    post:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeJob Id
-          in: path
-          name: id
-          required: true
-          type: string
-        - description: Task Id
-          in: path
-          name: taskID
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: ''
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Collect the log for a specifc task on an EdgeJob
-      tags:
-        - edge_jobs
-  /edge_stacks:
-    get:
-      consumes:
-        - application/json
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/portainer.EdgeStack'
-            type: array
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Fetches the list of EdgeStacks
-      tags:
-        - edge_stacks
-    post:
-      consumes:
-        - application/json
-      parameters:
-        - description: Creation Method
-          enum:
-            - file
-            - string
-            - repository
-          in: query
-          name: method
-          required: true
-          type: string
-        - description: Required when using method=string
-          in: body
-          name: body_string
-          required: true
-          schema:
-            $ref: '#/definitions/edgestacks.swarmStackFromFileContentPayload'
-        - description: Required when using method=file
-          in: body
-          name: body_file
-          required: true
-          schema:
-            $ref: '#/definitions/edgestacks.swarmStackFromFileUploadPayload'
-        - description: Required when using method=repository
-          in: body
-          name: body_repository
-          required: true
-          schema:
-            $ref: '#/definitions/edgestacks.swarmStackFromGitRepositoryPayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeStack'
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Create an EdgeStack
-      tags:
-        - edge_stacks
-  /edge_stacks/{id}:
-    delete:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeStack Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: ''
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Delete an EdgeStack
-      tags:
-        - edge_stacks
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeStack Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeStack'
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Inspect an EdgeStack
-      tags:
-        - edge_stacks
-    put:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeStack Id
-          in: path
-          name: id
-          required: true
-          type: string
-        - description: EdgeStack data
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/edgestacks.updateEdgeStackPayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeStack'
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Update an EdgeStack
-      tags:
-        - edge_stacks
-  /edge_stacks/{id}/file:
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: EdgeStack Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/edgestacks.stackFileResponse'
-        '400':
-          description: ''
-        '500':
-          description: ''
-        '503':
-          description: Service Unavailable
-          schema:
-            type: Edge
-      security:
-        - jwt: []
-      summary: Fetches the stack file for an EdgeStack
-      tags:
-        - edge_stacks
-  /edge_stacks/{id}/status:
-    put:
-      consumes:
-        - application/json
-      description: Authorized only if the request is done by an Edge Endpoint
-      parameters:
-        - description: EdgeStack Id
-          in: path
-          name: id
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.EdgeStack'
-        '400':
-          description: ''
-        '403':
-          description: ''
-        '404':
-          description: ''
-        '500':
-          description: ''
-      summary: Update an EdgeStack status
-      tags:
-        - edge_stacks
-  /edge_templates:
-    get:
-      consumes:
-        - application/json
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Template'
-            type: array
-        '500':
-          description: ''
-      security:
-        - jwt: []
-      summary: Fetches the list of Edge Templates
-      tags:
-        - edge_templates
-  /endpoint_groups:
-    get:
-      description: |-
-        List all endpoint groups based on the current user authorizations. Will
-        return all endpoint groups if using an administrator account otherwise it will
-        only return authorized endpoint groups.
-        **Access policy**: restricted
-      operationId: EndpointGroupList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Endpoint group
-          schema:
-            items:
-              $ref: '#/definitions/portainer.EndpointGroup'
-            type: array
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List Endpoint groups
-      tags:
-        - endpoint_groups
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Create a new endpoint group.
-        **Access policy**: administrator
-      parameters:
-        - description: Endpoint Group details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/endpointgroups.endpointGroupCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.EndpointGroup'
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create an Endpoint Group
-      tags:
-        - endpoint_groups
-  /endpoint_groups/:id:
-    get:
-      consumes:
-        - application/json
-      description: |-
-        Retrieve details abont an endpoint group.
-        **Access policy**: administrator
-      parameters:
-        - description: Endpoint group identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.EndpointGroup'
-        '400':
-          description: Invalid request
-        '404':
-          description: EndpointGroup not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect an Endpoint group
-      tags:
-        - endpoint_groups
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update an endpoint group.
-        **Access policy**: administrator
-      operationId: EndpointGroupUpdate
-      parameters:
-        - description: EndpointGroup identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: EndpointGroup details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/endpointgroups.endpointGroupUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.EndpointGroup'
-        '400':
-          description: Invalid request
-        '404':
-          description: EndpointGroup not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update an endpoint group
-      tags:
-        - endpoint_groups
-  /endpoint_groups/{id}:
-    delete:
-      consumes:
-        - application/json
-      description: |-
-        Remove an endpoint group.
-        **Access policy**: administrator
-      operationId: EndpointGroupDelete
-      parameters:
-        - description: EndpointGroup identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '404':
-          description: EndpointGroup not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove an endpoint group
-      tags:
-        - endpoint_groups
-  /endpoint_groups/{id}/endpoints/{endpointId}:
-    delete:
-      description: '**Access policy**: administrator'
-      operationId: EndpointGroupDeleteEndpoint
-      parameters:
-        - description: EndpointGroup identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Endpoint identifier
-          in: path
-          name: endpointId
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '404':
-          description: EndpointGroup not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Removes endpoint from an endpoint group
-      tags:
-        - endpoint_groups
-    put:
-      description: |-
-        Add an endpoint to an endpoint group
-        **Access policy**: administrator
-      operationId: EndpointGroupAddEndpoint
-      parameters:
-        - description: EndpointGroup identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Endpoint identifier
-          in: path
-          name: endpointId
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '404':
-          description: EndpointGroup not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Add an endpoint to an endpoint group
-      tags:
-        - endpoint_groups
-  /endpoints:
-    get:
-      description: |-
-        List all endpoints based on the current user authorizations. Will
-        return all endpoints if using an administrator account otherwise it will
-        only return authorized endpoints.
-        **Access policy**: restricted
-      operationId: EndpointList
-      parameters:
-        - description: Start searching from
-          in: query
-          name: start
-          type: integer
-        - description: Search query
-          in: query
-          name: search
-          type: string
-        - description: List endpoints of this group
-          in: query
-          name: groupId
-          type: integer
-        - description: Limit results to this value
-          in: query
-          name: limit
-          type: integer
-        - description: List endpoints of this type
-          in: query
-          name: type
-          type: integer
-        - description: search endpoints with these tags (depends on tagsPartialMatch)
-          in: query
-          items:
-            type: integer
-          name: tagIds
-          type: array
-        - description: If true, will return endpoint which has one of tagIds, if false
-            (or missing) will return only endpoints that has all the tags
-          in: query
-          name: tagsPartialMatch
-          type: boolean
-        - description: will return only these endpoints
-          in: query
-          items:
-            type: integer
-          name: endpointIds
-          type: array
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Endpoints
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Endpoint'
-            type: array
-        '500':
-          description: Internal Server Error
-          schema:
-            type: Server
-      security:
-        - jwt: []
-      summary: List endpoints
-      tags:
-        - endpoints
-    post:
-      consumes:
-        - multipart/form-data
-      description: |-
-        Create a new endpoint that will be used to manage an environment.
-        **Access policy**: administrator
-      operationId: EndpointCreate
-      parameters:
-        - description: 'Name that will be used to identify this endpoint (example: my-endpoint)'
-          in: formData
-          name: Name
-          required: true
-          type: string
-        - description: 'Environment type. Value must be one of: 1 (Local Docker environment),
-            2 (Agent environment), 3 (Azure environment), 4 (Edge agent environment)
-            or 5 (Local Kubernetes Environment'
-          in: formData
-          name: EndpointType
-          required: true
-          type: integer
-        - description: 'URL or IP address of a Docker host (example: docker.mydomain.tld:2375).
-            Defaults to local if not specified (Linux: /var/run/docker.sock, Windows:
-            //./pipe/docker_engine)'
-          in: formData
-          name: URL
-          type: string
-        - description: 'URL or IP address where exposed containers will be reachable.
-            Defaults to URL if not specified (example: docker.mydomain.tld:2375)'
-          in: formData
-          name: PublicURL
-          type: string
-        - description: Endpoint group identifier. If not specified will default to 1
-            (unassigned).
-          in: formData
-          name: GroupID
-          type: integer
-        - description: Require TLS to connect against this endpoint
-          in: formData
-          name: TLS
-          type: boolean
-        - description: Skip server verification when using TLS
-          in: formData
-          name: TLSSkipVerify
-          type: boolean
-        - description: Skip client verification when using TLS
-          in: formData
-          name: TLSSkipClientVerify
-          type: boolean
-        - description: TLS CA certificate file
-          in: formData
-          name: TLSCACertFile
-          type: file
-        - description: TLS client certificate file
-          in: formData
-          name: TLSCertFile
-          type: file
-        - description: TLS client key file
-          in: formData
-          name: TLSKeyFile
-          type: file
-        - description: Azure application ID. Required if endpoint type is set to 3
-          in: formData
-          name: AzureApplicationID
-          type: string
-        - description: Azure tenant ID. Required if endpoint type is set to 3
-          in: formData
-          name: AzureTenantID
-          type: string
-        - description: Azure authentication key. Required if endpoint type is set to
-            3
-          in: formData
-          name: AzureAuthenticationKey
-          type: string
-        - description: List of tag identifiers to which this endpoint is associated
-          in: formData
-          items:
-            type: integer
-          name: TagIDs
-          type: array
-        - description: The check in interval for edge agent (in seconds)
-          in: formData
-          name: EdgeCheckinInterval
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Endpoint'
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a new endpoint
-      tags:
-        - endpoints
-  /endpoints/{id}:
-    delete:
-      description: |-
-        Remove an endpoint.
-        **Access policy**: administrator
-      operationId: EndpointDelete
-      parameters:
-        - description: Endpoint identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '404':
-          description: Endpoint not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove an endpoint
-      tags:
-        - endpoints
-    get:
-      description: |-
-        Retrieve details about an endpoint.
-        **Access policy**: restricted
-      operationId: EndpointInspect
-      parameters:
-        - description: Endpoint identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Endpoint'
-        '400':
-          description: Invalid request
-        '404':
-          description: Endpoint not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect an endpoint
-      tags:
-        - endpoints
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update an endpoint.
-        **Access policy**: administrator
-      operationId: EndpointUpdate
-      parameters:
-        - description: Endpoint identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Endpoint details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/endpoints.endpointUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Endpoint'
-        '400':
-          description: Invalid request
-        '404':
-          description: Endpoint not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update an endpoint
-      tags:
-        - endpoints
-  /endpoints/{id}/edge/jobs/{jobID}/logs:
-    post:
-      consumes:
-        - application/json
-      parameters:
-        - description: Endpoint Id
-          in: path
-          name: id
-          required: true
-          type: string
-        - description: Job Id
-          in: path
-          name: jobID
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: ''
-        '400':
-          description: ''
-        '500':
-          description: ''
-      summary: Inspect an EdgeJob Log
-      tags:
-        - edge
-        - endpoints
-  /endpoints/{id}/edge/stacks/{stackId}:
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: Endpoint Id
-          in: path
-          name: id
-          required: true
-          type: string
-        - description: EdgeStack Id
-          in: path
-          name: stackID
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/endpointedge.configResponse'
-        '400':
-          description: ''
-        '404':
-          description: ''
-        '500':
-          description: ''
-      summary: Inspect an Edge Stack for an Endpoint
-      tags:
-        - edge
-        - endpoints
-        - edge_stacks
-  /endpoints/{id}/snapshot:
-    post:
-      description: |-
-        Snapshots an endpoint
-        **Access policy**: restricted
-      operationId: EndpointSnapshot
-      parameters:
-        - description: Endpoint identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '404':
-          description: Endpoint not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Snapshots an endpoint
-      tags:
-        - endpoints
-  /endpoints/{id}/edge/status:
-    get:
-      description: |-
-        Endpoint for edge agent to check status of environment
-        **Access policy**: restricted only to Edge endpoints
-      operationId: EndpointEdgeStatusInspect
-      parameters:
-        - description: Endpoint identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/endpoints.endpointEdgeStatusInspectResponse'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied to access endpoint
-        '404':
-          description: Endpoint not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Get endpoint status
-      tags:
-        - endpoints
-  /endpoints/snapshot:
-    post:
-      description: |-
-        Snapshot all endpoints
-        **Access policy**: administrator
-      operationId: EndpointSnapshots
-      responses:
-        '204':
-          description: Success
-        '500':
-          description: Server Error
-      security:
-        - jwt: []
-      summary: Snapshot all endpoints
-      tags:
-        - endpoints
-  /motd:
-    get:
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/motd.motdResponse'
-      security:
-        - jwt: []
-      summary: fetches the message of the day
-      tags:
-        - motd
-  /registries:
-    get:
-      description: |-
-        List all registries based on the current user authorizations.
-        Will return all registries if using an administrator account otherwise it
-        will only return authorized registries.
-        **Access policy**: restricted
-      operationId: RegistryList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Registry'
-            type: array
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List Registries
-      tags:
-        - registries
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Create a new registry.
-        **Access policy**: administrator
-      operationId: RegistryCreate
-      parameters:
-        - description: Registry details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/registries.registryCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Registry'
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a new registry
-      tags:
-        - registries
-  /registries/{id}:
-    delete:
-      description: |-
-        Remove a registry
-        **Access policy**: administrator
-      operationId: RegistryDelete
-      parameters:
-        - description: Registry identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '404':
-          description: Registry not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a registry
-      tags:
-        - registries
-    get:
-      description: |-
-        Retrieve details about a registry.
-        **Access policy**: administrator
-      operationId: RegistryInspect
-      parameters:
-        - description: Registry identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Registry'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied to access registry
-        '404':
-          description: Registry not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect a registry
-      tags:
-        - registries
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update a registry
-        **Access policy**: administrator
-      operationId: RegistryUpdate
-      parameters:
-        - description: Registry identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Registry details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/registries.registryUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Registry'
-        '400':
-          description: Invalid request
-        '404':
-          description: Registry not found
-        '409':
-          description: Another registry with the same URL already exists
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update a registry
-      tags:
-        - registries
-  /registries/{id}/configure:
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Configures a registry.
-        **Access policy**: admin
-      operationId: RegistryConfigure
-      parameters:
-        - description: Registry identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Registry configuration
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/registries.registryConfigurePayload'
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Registry not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Configures a registry
-      tags:
-        - registries
-  /resource_controls:
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Create a new resource control to restrict access to a Docker resource.
-        **Access policy**: administrator
-      operationId: ResourceControlCreate
-      parameters:
-        - description: Resource control details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/resourcecontrols.resourceControlCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.ResourceControl'
-        '400':
-          description: Invalid request
-        '409':
-          description: Resource control already exists
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a new resource control
-      tags:
-        - resource_controls
-  /resource_controls/{id}:
-    delete:
-      description: |-
-        Remove a resource control.
-        **Access policy**: administrator
-      parameters:
-        - description: Resource control identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '404':
-          description: Resource control not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a resource control
-      tags:
-        - resource_controls
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update a resource control
-        **Access policy**: restricted
-      operationId: ResourceControlUpdate
-      parameters:
-        - description: Resource control identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Resource control details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/resourcecontrols.resourceControlUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.ResourceControl'
-        '400':
-          description: Invalid request
-        '403':
-          description: Unauthorized
-        '404':
-          description: Resource control not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update a resource control
-      tags:
-        - resource_controls
-  /roles:
-    get:
-      description: |-
-        List all roles available for use
-        **Access policy**: administrator
-      operationId: RoleList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Role'
-            type: array
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List roles
-      tags:
-        - roles
-  /settings:
-    get:
-      description: |-
-        Retrieve Portainer settings.
-        **Access policy**: administrator
-      operationId: SettingsInspect
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Settings'
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Retrieve Portainer settings
-      tags:
-        - settings
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update Portainer settings.
-        **Access policy**: administrator
-      operationId: SettingsUpdate
-      parameters:
-        - description: New settings
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/settings.settingsUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Settings'
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update Portainer settings
-      tags:
-        - settings
-  /settings/ldap/check:
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Test LDAP connectivity using LDAP details
-        **Access policy**: administrator
-      operationId: SettingsLDAPCheck
-      parameters:
-        - description: details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/settings.settingsLDAPCheckPayload'
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Test LDAP connectivity
-      tags:
-        - settings
-  /settings/public:
-    get:
-      description: |-
-        Retrieve public settings. Returns a small set of settings that are not reserved to administrators only.
-        **Access policy**: public
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/settings.publicSettingsResponse'
-        '500':
-          description: Server error
-      summary: Retrieve Portainer public settings
-      tags:
-        - settings
-  /stacks:
-    get:
-      description: |-
-        List all stacks based on the current user authorizations.
-        Will return all stacks if using an administrator account otherwise it
-        will only return the list of stacks the user have access to.
-        **Access policy**: restricted
-      operationId: StackList
-      parameters:
-        - description: Filters to process on the stack list. Encoded as JSON (a map[string]string).
-            For example, {
-          in: query
-          name: filters
-          type: string
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Stack'
-            type: array
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List stacks
-      tags:
-        - stacks
-    post:
-      consumes:
-        - application/json
-        - ' multipart/form-data'
-      description: |-
-        Deploy a new stack into a Docker environment specified via the endpoint identifier.
-        **Access policy**: restricted
-      operationId: StackCreate
-      parameters:
-        - description: 'Stack deployment type. Possible values: 1 (Swarm stack) or 2
-            (Compose stack).'
-          enum:
-            - 1
-            - 2
-          in: query
-          name: type
-          required: true
-          type: integer
-        - description: 'Stack deployment method. Possible values: file, string or repository.'
-          enum:
-            - string
-            - file
-            - repository
-          in: query
-          name: method
-          required: true
-          type: string
-        - description: Identifier of the endpoint that will be used to deploy the stack
-          in: query
-          name: endpointId
-          required: true
-          type: integer
-        - description: Required when using method=string and type=1
-          in: body
-          name: body_swarm_string
-          schema:
-            $ref: '#/definitions/stacks.swarmStackFromFileContentPayload'
-        - description: Required when using method=repository and type=1
-          in: body
-          name: body_swarm_repository
-          schema:
-            $ref: '#/definitions/stacks.swarmStackFromGitRepositoryPayload'
-        - description: Required when using method=string and type=2
-          in: body
-          name: body_compose_string
-          schema:
-            $ref: '#/definitions/stacks.composeStackFromFileContentPayload'
-        - description: Required when using method=repository and type=2
-          in: body
-          name: body_compose_repository
-          schema:
-            $ref: '#/definitions/stacks.composeStackFromGitRepositoryPayload'
-        - description: Name of the stack. required when method is file
-          in: formData
-          name: Name
-          type: string
-        - description: Swarm cluster identifier. Required when method equals file and
-            type equals 1. required when method is file
-          in: formData
-          name: SwarmID
-          type: string
-        - description: "Environment variables passed during deployment, represented
-            as a JSON array [{'name': 'name', 'value': 'value'}]. Optional,
-            used when method equals file and type equals 1."
-          in: formData
-          name: Env
-          type: string
-        - description: Stack file. required when method is file
-          in: formData
-          name: file
-          type: file
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.CustomTemplate'
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Deploy a new stack
-      tags:
-        - stacks
-  /stacks/{id}:
-    delete:
-      description: |-
-        Remove a stack.
-        **Access policy**: restricted
-      operationId: StackDelete
-      parameters:
-        - description: Stack identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Set to true to delete an external stack. Only external Swarm
-            stacks are supported
-          in: query
-          name: external
-          type: boolean
-        - description: Endpoint identifier used to remove an external stack (required
-            when external is set to true)
-          in: query
-          name: endpointId
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: ' not found'
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a stack
-      tags:
-        - stacks
-    get:
-      description: |-
-        Retrieve details about a stack.
-        **Access policy**: restricted
-      operationId: StackInspect
-      parameters:
-        - description: Stack identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Stack'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Stack not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect a stack
-      tags:
-        - stacks
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update a stack.
-        **Access policy**: restricted
-      operationId: StackUpdate
-      parameters:
-        - description: Stack identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Stacks created before version 1.18.0 might not have an associated
-            endpoint identifier. Use this optional parameter to set the endpoint identifier
-            used by the stack.
-          in: query
-          name: endpointId
-          type: integer
-        - description: Stack details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/stacks.updateSwarmStackPayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Stack'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: ' not found'
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update a stack
-      tags:
-        - stacks
-  /stacks/{id}/file:
-    get:
-      description: |-
-        Get Stack file content.
-        **Access policy**: restricted
-      operationId: StackFileInspect
-      parameters:
-        - description: Stack identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/stacks.stackFileResponse'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Stack not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Retrieve the content of the Stack file for the specified stack
-      tags:
-        - stacks
-  /stacks/{id}/migrate:
-    post:
-      description: |-
-        Migrate a stack from an endpoint to another endpoint. It will re-create the stack inside the target endpoint before removing the original stack.
-        **Access policy**: restricted
-      operationId: StackMigrate
-      parameters:
-        - description: Stack identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Stacks created before version 1.18.0 might not have an associated
-            endpoint identifier. Use this optional parameter to set the endpoint identifier
-            used by the stack.
-          in: query
-          name: endpointId
-          type: integer
-        - description: Stack migration details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/stacks.stackMigratePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Stack'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Stack not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Migrate a stack to another endpoint
-      tags:
-        - stacks
-  /stacks/{id}/start:
-    post:
-      description: |-
-        Starts a stopped Stack.
-        **Access policy**: restricted
-      operationId: StackStart
-      parameters:
-        - description: Stack identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Stack'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: ' not found'
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Starts a stopped Stack
-      tags:
-        - stacks
-  /stacks/{id}/stop:
-    post:
-      description: |-
-        Stops a stopped Stack.
-        **Access policy**: restricted
-      operationId: StackStop
-      parameters:
-        - description: Stack identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Stack'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: ' not found'
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Stops a stopped Stack
-      tags:
-        - stacks
-  /status:
-    get:
-      description: |-
-        Retrieve Portainer status
-        **Access policy**: public
-      operationId: StatusInspect
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Status'
-      summary: Check Portainer status
-      tags:
-        - status
-  /status/version:
-    get:
-      description: |-
-        Check if portainer has an update available
-        **Access policy**: authenticated
-      operationId: StatusInspectVersion
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/status.inspectVersionResponse'
-      security:
-        - jwt: []
-      summary: Check for portainer updates
-      tags:
-        - status
-  /tags:
-    get:
-      description: |-
-        List tags.
-        **Access policy**: administrator
-      operationId: TagList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Tag'
-            type: array
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List tags
-      tags:
-        - tags
-    post:
-      description: |-
-        Create a new tag.
-        **Access policy**: administrator
-      operationId: TagCreate
-      parameters:
-        - description: Tag details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/tags.tagCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Tag'
-        '409':
-          description: Tag name exists
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a new tag
-      tags:
-        - tags
-  /tags/{id}:
-    delete:
-      consumes:
-        - application/json
-      description: |-
-        Remove a tag.
-        **Access policy**: administrator
-      operationId: TagDelete
-      parameters:
-        - description: Tag identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Tag not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a tag
-      tags:
-        - tags
-  /team:
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Create a new team.
-        **Access policy**: administrator
-      operationId: TeamCreate
-      parameters:
-        - description: details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/teams.teamCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Team'
-        '400':
-          description: Invalid request
-        '409':
-          description: Team already exists
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a new team
-      tags:
-        - teams
-  /team/{id}:
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update a team.
-        **Access policy**: administrator
-      operationId: TeamUpdate
-      parameters:
-        - description: Team identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Team details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/teams.teamUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Team'
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Team not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update a team
-      tags:
-        - ''
-  /team_memberships:
-    get:
-      description: |-
-        List team memberships. Access is only available to administrators and team leaders.
-        **Access policy**: admin
-      operationId: TeamMembershipList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.TeamMembership'
-            type: array
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List team memberships
-      tags:
-        - team_memberships
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Create a new team memberships. Access is only available to administrators leaders of the associated team.
-        **Access policy**: admin
-      operationId: TeamMembershipCreate
-      parameters:
-        - description: Team membership details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/teammemberships.teamMembershipCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.TeamMembership'
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied to manage memberships
-        '409':
-          description: Team membership already registered
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a new team membership
-      tags:
-        - team_memberships
-  /team_memberships/{id}:
-    delete:
-      description: |-
-        Remove a team membership. Access is only available to administrators leaders of the associated team.
-        **Access policy**: restricted
-      operationId: TeamMembershipDelete
-      parameters:
-        - description: TeamMembership identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: TeamMembership not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a team membership
-      tags:
-        - team_memberships
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update a team membership. Access is only available to administrators leaders of the associated team.
-        **Access policy**: restricted
-      operationId: TeamMembershipUpdate
-      parameters:
-        - description: Team membership identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: Team membership details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/teammemberships.teamMembershipUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.TeamMembership'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: TeamMembership not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update a team membership
-      tags:
-        - team_memberships
-  /teams:
-    get:
-      description: |-
-        List teams. For non-administrator users, will only list the teams they are member of.
-        **Access policy**: restricted
-      operationId: TeamList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Team'
-            type: array
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List teams
-      tags:
-        - teams
-  /teams/{id}:
-    delete:
-      description: |-
-        Remove a team.
-        **Access policy**: administrator
-      operationId: TeamDelete
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Team not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a team
-      tags:
-        - teams
-    get:
-      description: |-
-        Retrieve details about a team. Access is only available for administrator and leaders of that team.
-        **Access policy**: restricted
-      operationId: TeamInspect
-      parameters:
-        - description: Team identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.Team'
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: Team not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect a team
-      tags:
-        - teams
-  /teams/{id}/memberships:
-    get:
-      description: |-
-        List team memberships. Access is only available to administrators and team leaders.
-        **Access policy**: restricted
-      operationId: TeamMemberships
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.TeamMembership'
-            type: array
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List team memberships
-      tags:
-        - team_memberships
-  /templates:
-    get:
-      description: |-
-        List available templates.
-        **Access policy**: restricted
-      operationId: TemplateList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/templates.listResponse'
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List available templates
-      tags:
-        - templates
-  /templates/file:
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Get a template's file
-        **Access policy**: restricted
-      operationId: TemplateFile
-      parameters:
-        - description: File details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/templates.filePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/templates.fileResponse'
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Get a template's file
-      tags:
-        - templates
-  /upload/tls/{certificate}:
-    post:
-      consumes:
-        - multipart/form-data
-      description: |-
-        Use this endpoint to upload TLS files.
-        **Access policy**: administrator
-      operationId: UploadTLS
-      parameters:
-        - description: TLS file type. Valid values are 'ca', 'cert' or 'key'.
-          enum:
-            - ca
-            - cert
-            - key
-          in: path
-          name: certificate
-          required: true
-          type: string
-        - description: Folder where the TLS file will be stored. Will be created if
-            not existing
-          in: formData
-          name: folder
-          required: true
-          type: string
-        - description: The file to upload
-          in: formData
-          name: file
-          required: true
-          type: file
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Upload TLS files
-      tags:
-        - upload
-  /users:
-    get:
-      description: |-
-        List Portainer users.
-        Non-administrator users will only be able to list other non-administrator user accounts.
-        **Access policy**: restricted
-      operationId: UserList
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            items:
-              $ref: '#/definitions/portainer.User'
-            type: array
-        '400':
-          description: Invalid request
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: List users
-      tags:
-        - users
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Create a new Portainer user.
-        Only team leaders and administrators can create users.
-        Only administrators can create an administrator user account.
-        **Access policy**: restricted
-      operationId: UserCreate
-      parameters:
-        - description: User details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/users.userCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.User'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '409':
-          description: User already exists
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Create a new user
-      tags:
-        - users
-  /users/{id}:
-    delete:
-      consumes:
-        - application/json
-      description: |-
-        Remove a user.
-        **Access policy**: administrator
-      operationId: UserDelete
-      parameters:
-        - description: User identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: User not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Remove a user
-      tags:
-        - users
-    get:
-      description: |-
-        Retrieve details about a user.
-        **Access policy**: administrator
-      operationId: UserInspect
-      parameters:
-        - description: User identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.User'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: User not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect a user
-      tags:
-        - users
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update user details. A regular user account can only update his details.
-        **Access policy**: authenticated
-      operationId: UserUpdate
-      parameters:
-        - description: User identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: User details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/users.userUpdatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.User'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: User not found
-        '409':
-          description: Username already exist
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update a user
-      tags:
-        - users
-  /users/{id}/memberships:
-    get:
-      description: |-
-        Inspect a user memberships.
-        **Access policy**: authenticated
-      operationId: UserMembershipsInspect
-      parameters:
-        - description: User identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.TeamMembership'
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Inspect a user memberships
-      tags:
-        - users
-  /users/{id}/passwd:
-    put:
-      consumes:
-        - application/json
-      description: |-
-        Update password for the specified user.
-        **Access policy**: authenticated
-      operationId: UserUpdatePassword
-      parameters:
-        - description: identifier
-          in: path
-          name: id
-          required: true
-          type: integer
-        - description: details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/users.userUpdatePasswordPayload'
-      produces:
-        - application/json
-      responses:
-        '204':
-          description: Success
-        '400':
-          description: Invalid request
-        '403':
-          description: Permission denied
-        '404':
-          description: User not found
-        '500':
-          description: Server error
-      security:
-        - jwt: []
-      summary: Update password for a user
-      tags:
-        - users
-  /users/admin/check:
-    get:
-      description: |-
-        Check if an administrator account exists in the database.
-        **Access policy**: public
-      operationId: UserAdminCheck
-      responses:
-        '204':
-          description: Success
-        '404':
-          description: User not found
-      summary: Check administrator account existence
-      tags:
-        - users
-  /users/admin/init:
-    post:
-      consumes:
-        - application/json
-      description: |-
-        Initialize the 'admin' user account.
-        **Access policy**: public
-      operationId: UserAdminInit
-      parameters:
-        - description: User details
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/users.adminInitPayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: Success
-          schema:
-            $ref: '#/definitions/portainer.User'
-        '400':
-          description: Invalid request
-        '409':
-          description: Admin user already initialized
-        '500':
-          description: Server error
-      summary: Initialize administrator account
-      tags:
-        - ''
-  /webhooks:
-    get:
-      consumes:
-        - application/json
-      parameters:
-        - description: Webhook data
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/webhooks.webhookCreatePayload'
-        - in: query
-          name: EndpointID
-          type: integer
-        - in: query
-          name: ResourceID
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            items:
-              $ref: '#/definitions/portainer.Webhook'
-            type: array
-        '400':
-          description: ''
-        '500':
-          description: ''
-      security:
-        - jwt: []
-      summary: List webhooks
-      tags:
-        - webhooks
-    post:
-      consumes:
-        - application/json
-      parameters:
-        - description: Webhook data
-          in: body
-          name: body
-          required: true
-          schema:
-            $ref: '#/definitions/webhooks.webhookCreatePayload'
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: OK
-          schema:
-            $ref: '#/definitions/portainer.Webhook'
-        '400':
-          description: ''
-        '409':
-          description: ''
-        '500':
-          description: ''
-      security:
-        - jwt: []
-      summary: Create a webhook
-      tags:
-        - webhooks
-  /webhooks/{id}:
-    delete:
-      consumes:
-        - application/json
-      parameters:
-        - description: Webhook id
-          in: path
-          name: id
-          required: true
-          type: integer
-      produces:
-        - application/json
-      responses:
-        '202':
-          description: Webhook deleted
-        '400':
-          description: ''
-        '500':
-          description: ''
-      security:
-        - jwt: []
-      summary: Delete a webhook
-      tags:
-        - webhooks
-  /webhooks/{token}:
-    post:
-      consumes:
-        - application/json
-      description: Acts on a passed in token UUID to restart the docker service
-      parameters:
-        - description: Webhook token
-          in: path
-          name: token
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '202':
-          description: Webhook executed
-        '400':
-          description: ''
-        '500':
-          description: ''
-      summary: Execute a webhook
-      tags:
-        - webhooks
-  /websocket/attach:
-    get:
-      consumes:
-        - application/json
-      description: |-
-        If the nodeName query parameter is present, the request will be proxied to the underlying agent endpoint.
-        If the nodeName query parameter is not specified, the request will be upgraded to the websocket protocol and
-        an AttachStart operation HTTP request will be created and hijacked.
-        Authentication and access is controlled via the mandatory token query parameter.
-      parameters:
-        - description: endpoint ID of the endpoint where the resource is located
-          in: query
-          name: endpointId
-          required: true
-          type: integer
-        - description: node name
-          in: query
-          name: nodeName
-          type: string
-        - description: JWT token used for authentication against this endpoint
-          in: query
-          name: token
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: ''
-        '400':
-          description: ''
-        '403':
-          description: ''
-        '404':
-          description: ''
-        '500':
-          description: ''
-      security:
-        - jwt: []
-      summary: Attach a websocket
-      tags:
-        - websocket
-  /websocket/exec:
-    get:
-      consumes:
-        - application/json
-      description: |-
-        If the nodeName query parameter is present, the request will be proxied to the underlying agent endpoint.
-        If the nodeName query parameter is not specified, the request will be upgraded to the websocket protocol and
-        an ExecStart operation HTTP request will be created and hijacked.
-        Authentication and access is controlled via the mandatory token query parameter.
-      parameters:
-        - description: endpoint ID of the endpoint where the resource is located
-          in: query
-          name: endpointId
-          required: true
-          type: integer
-        - description: node name
-          in: query
-          name: nodeName
-          type: string
-        - description: JWT token used for authentication against this endpoint
-          in: query
-          name: token
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: ''
-        '400':
-          description: ''
-        '409':
-          description: ''
-        '500':
-          description: ''
-      security:
-        - jwt: []
-      summary: Execute a websocket
-      tags:
-        - websocket
-  /websocket/pod:
-    get:
-      consumes:
-        - application/json
-      description: |-
-        The request will be upgraded to the websocket protocol.
-        Authentication and access is controlled via the mandatory token query parameter.
-      parameters:
-        - description: endpoint ID of the endpoint where the resource is located
-          in: query
-          name: endpointId
-          required: true
-          type: integer
-        - description: namespace where the container is located
-          in: query
-          name: namespace
-          required: true
-          type: string
-        - description: name of the pod containing the container
-          in: query
-          name: podName
-          required: true
-          type: string
-        - description: name of the container
-          in: query
-          name: containerName
-          required: true
-          type: string
-        - description: command to execute in the container
-          in: query
-          name: command
-          required: true
-          type: string
-        - description: JWT token used for authentication against this endpoint
-          in: query
-          name: token
-          required: true
-          type: string
-      produces:
-        - application/json
-      responses:
-        '200':
-          description: ''
-        '400':
-          description: ''
-        '403':
-          description: ''
-        '404':
-          description: ''
-        '500':
-          description: ''
-      security:
-        - jwt: []
-      summary: Execute a websocket on pod
-      tags:
-        - websocket
-schemes:
-  - http
-  - https
-securityDefinitions:
-  jwt:
-    in: header
-    name: Authorization
-    type: apiKey
-swagger: '2.0'
-tags:
-  - description: Authenticate against Portainer HTTP API
-    name: auth
-  - description: Manage Custom Templates
-    name: custom_templates
-  - description: Manage how Portainer connects to the DockerHub
-    name: dockerhub
-  - description: Manage Edge Groups
-    name: edge_groups
-  - description: Manage Edge Jobs
-    name: edge_jobs
-  - description: Manage Edge Stacks
-    name: edge_stacks
-  - description: Manage Edge Templates
-    name: edge_templates
-  - description: Manage Edge related endpoint settings
-    name: edge
-  - description: Manage Docker environments
-    name: endpoints
-  - description: Manage endpoint groups
-    name: endpoint_groups
-  - description: Fetch the message of the day
-    name: motd
-  - description: Manage Docker registries
-    name: registries
-  - description: Manage access control on Docker resources
-    name: resource_controls
-  - description: Manage roles
-    name: roles
-  - description: Manage Portainer settings
-    name: settings
-  - description: Information about the Portainer instance
-    name: status
-  - description: Manage Docker stacks
-    name: stacks
-  - description: Manage users
-    name: users
-  - description: Manage tags
-    name: tags
-  - description: Manage teams
-    name: teams
-  - description: Manage team memberships
-    name: team_memberships
-  - description: Manage App Templates
-    name: templates
-  - description: Manage stacks
-    name: stacks
-  - description: Upload files
-    name: upload
-  - description: Manage webhooks
-    name: webhooks
-  - description: Create exec sessions using websockets
-    name: websocket

From 5526fd8296c0e576975e7336f7ff644d792c2dae Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Thu, 27 Feb 2025 11:02:25 +1300
Subject: [PATCH 031/212] chore: bump 2.27.1 - develop (#468)

---
 .github/ISSUE_TEMPLATE/bug_report.yml            | 1 +
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/http/handler/handler.go                      | 2 +-
 api/portainer.go                                 | 2 +-
 package.json                                     | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index e2eef4f66..99d319aaf 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -95,6 +95,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.27.1'
         - '2.27.0'
         - '2.26.1'
         - '2.26.0'
diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index a9ebeffb5..8c5dc01e7 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.27.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.27.1",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.27.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.27.1\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 4877e76c7..7603e345b 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.27.0
+// @version 2.27.1
 // @description.markdown api-description.md
 // @termsOfService
 
diff --git a/api/portainer.go b/api/portainer.go
index 1195737d8..990747813 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1637,7 +1637,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.27.0"
+	APIVersion = "2.27.1"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "LTS"
 	// Edition is what this edition of Portainer is called
diff --git a/package.json b/package.json
index 41d07244e..2068b5454 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.27.0",
+  "version": "2.27.1",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"

From 8e6d0e7d42a15595fd2954aacbf411e9d3477924 Mon Sep 17 00:00:00 2001
From: Malcolm Lockyer <segfault88@users.noreply.github.com>
Date: Fri, 28 Feb 2025 14:41:54 +1300
Subject: [PATCH 032/212] perf(endpointrelation): Part 2 of fixing
 endpointrelation perf [be-11616] (#471)

---
 .../endpointrelation/endpointrelation.go      | 14 +++++
 api/dataservices/endpointrelation/tx.go       | 54 +++++++++++++++++
 api/dataservices/interface.go                 |  2 +
 .../handler/edgestacks/edgestack_update.go    | 58 ++++---------------
 api/internal/edge/edgestacks/service.go       | 27 ++-------
 api/internal/testhelpers/datastore.go         | 26 +++++++++
 6 files changed, 112 insertions(+), 69 deletions(-)

diff --git a/api/dataservices/endpointrelation/endpointrelation.go b/api/dataservices/endpointrelation/endpointrelation.go
index 4b7ff6b82..a81c258b9 100644
--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -22,6 +22,8 @@ type Service struct {
 	mu                     sync.Mutex
 }
 
+var _ dataservices.EndpointRelationService = &Service{}
+
 func (service *Service) BucketName() string {
 	return BucketName
 }
@@ -109,6 +111,18 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	return nil
 }
 
+func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
+func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).RemoveEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
+	})
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
diff --git a/api/dataservices/endpointrelation/tx.go b/api/dataservices/endpointrelation/tx.go
index 097748767..2b2d90280 100644
--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -13,6 +13,8 @@ type ServiceTx struct {
 	tx      portainer.Transaction
 }
 
+var _ dataservices.EndpointRelationService = &ServiceTx{}
+
 func (service ServiceTx) BucketName() string {
 	return BucketName
 }
@@ -74,6 +76,58 @@ func (service ServiceTx) UpdateEndpointRelation(endpointID portainer.EndpointID,
 	return nil
 }
 
+func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		rel.EdgeStacks[edgeStackID] = true
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments += len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
+func (service ServiceTx) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		rel, err := service.EndpointRelation(endpointID)
+		if err != nil {
+			return err
+		}
+
+		delete(rel.EdgeStacks, edgeStackID)
+
+		identifier := service.service.connection.ConvertToKey(int(endpointID))
+		err = service.tx.UpdateObject(BucketName, identifier, rel)
+		cache.Del(endpointID)
+		if err != nil {
+			return err
+		}
+	}
+
+	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.NumDeployments -= len(endpointIDs)
+	}); err != nil {
+		log.Error().Err(err).Msg("could not update the number of deployments")
+	}
+
+	return nil
+}
+
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service ServiceTx) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
 	deletedRelation, _ := service.EndpointRelation(endpointID)
diff --git a/api/dataservices/interface.go b/api/dataservices/interface.go
index 1efef4f70..2bc2df7f3 100644
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -115,6 +115,8 @@ type (
 		EndpointRelation(EndpointID portainer.EndpointID) (*portainer.EndpointRelation, error)
 		Create(endpointRelation *portainer.EndpointRelation) error
 		UpdateEndpointRelation(EndpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error
+		AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
+		RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error
 		DeleteEndpointRelation(EndpointID portainer.EndpointID) error
 		BucketName() string
 	}
diff --git a/api/http/handler/edgestacks/edgestack_update.go b/api/http/handler/edgestacks/edgestack_update.go
index 593e403ef..27a279fb3 100644
--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -138,57 +138,19 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 		return nil, nil, errors.WithMessage(err, "Unable to retrieve edge stack related environments from database")
 	}
 
-	oldRelatedSet := set.ToSet(oldRelatedEnvironmentIDs)
-	newRelatedSet := set.ToSet(newRelatedEnvironmentIDs)
+	oldRelatedEnvironmentsSet := set.ToSet(oldRelatedEnvironmentIDs)
+	newRelatedEnvironmentsSet := set.ToSet(newRelatedEnvironmentIDs)
 
-	endpointsToRemove := set.Set[portainer.EndpointID]{}
-	for endpointID := range oldRelatedSet {
-		if !newRelatedSet[endpointID] {
-			endpointsToRemove[endpointID] = true
-		}
+	relatedEnvironmentsToAdd := newRelatedEnvironmentsSet.Difference(oldRelatedEnvironmentsSet)
+	relatedEnvironmentsToRemove := oldRelatedEnvironmentsSet.Difference(newRelatedEnvironmentsSet)
+
+	if len(relatedEnvironmentsToRemove) > 0 {
+		tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEnvironmentsToRemove.Keys(), edgeStackID)
 	}
 
-	for endpointID := range endpointsToRemove {
-		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			if tx.IsErrObjectNotFound(err) {
-				continue
-			}
-			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
-		}
-
-		delete(relation.EdgeStacks, edgeStackID)
-
-		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to persist environment relation in database")
-		}
+	if len(relatedEnvironmentsToAdd) > 0 {
+		tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEnvironmentsToAdd.Keys(), edgeStackID)
 	}
 
-	endpointsToAdd := set.Set[portainer.EndpointID]{}
-	for endpointID := range newRelatedSet {
-		if !oldRelatedSet[endpointID] {
-			endpointsToAdd[endpointID] = true
-		}
-	}
-
-	for endpointID := range endpointsToAdd {
-		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil && !tx.IsErrObjectNotFound(err) {
-			return nil, nil, errors.WithMessage(err, "Unable to find environment relation in database")
-		}
-
-		if relation == nil {
-			relation = &portainer.EndpointRelation{
-				EndpointID: endpointID,
-				EdgeStacks: map[portainer.EdgeStackID]bool{},
-			}
-		}
-		relation.EdgeStacks[edgeStackID] = true
-
-		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
-			return nil, nil, errors.WithMessage(err, "Unable to persist environment relation in database")
-		}
-	}
-
-	return newRelatedEnvironmentIDs, endpointsToAdd, nil
+	return newRelatedEnvironmentIDs, relatedEnvironmentsToAdd, nil
 }
diff --git a/api/internal/edge/edgestacks/service.go b/api/internal/edge/edgestacks/service.go
index 3a19e8c9d..6986a6917 100644
--- a/api/internal/edge/edgestacks/service.go
+++ b/api/internal/edge/edgestacks/service.go
@@ -11,7 +11,6 @@ import (
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/internal/edge"
 	edgetypes "github.com/portainer/portainer/api/internal/edge/types"
-	"github.com/rs/zerolog/log"
 
 	"github.com/pkg/errors"
 )
@@ -100,12 +99,15 @@ func (service *Service) PersistEdgeStack(
 	stack.ManifestPath = manifestPath
 	stack.ProjectPath = projectPath
 	stack.EntryPoint = composePath
-	stack.NumDeployments = len(relatedEndpointIds)
 
 	if err := tx.EdgeStack().Create(stack.ID, stack); err != nil {
 		return nil, err
 	}
 
+	if err := tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEndpointIds, stack.ID); err != nil {
+		return nil, fmt.Errorf("unable to add endpoint relations: %w", err)
+	}
+
 	if err := service.updateEndpointRelations(tx, stack.ID, relatedEndpointIds); err != nil {
 		return nil, fmt.Errorf("unable to update endpoint relations: %w", err)
 	}
@@ -148,25 +150,8 @@ func (service *Service) DeleteEdgeStack(tx dataservices.DataStoreTx, edgeStackID
 		return errors.WithMessage(err, "Unable to retrieve edge stack related environments from database")
 	}
 
-	for _, endpointID := range relatedEndpointIds {
-		relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
-		if err != nil {
-			if tx.IsErrObjectNotFound(err) {
-				log.Warn().
-					Int("endpoint_id", int(endpointID)).
-					Msg("Unable to find endpoint relation in database, skipping")
-
-				continue
-			}
-
-			return errors.WithMessage(err, "Unable to find environment relation in database")
-		}
-
-		delete(relation.EdgeStacks, edgeStackID)
-
-		if err := tx.EndpointRelation().UpdateEndpointRelation(endpointID, relation); err != nil {
-			return errors.WithMessage(err, "Unable to persist environment relation in database")
-		}
+	if err := tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEndpointIds, edgeStackID); err != nil {
+		return errors.WithMessage(err, "unable to remove environment relation in database")
 	}
 
 	if err := tx.EdgeStack().DeleteEdgeStack(edgeStackID); err != nil {
diff --git a/api/internal/testhelpers/datastore.go b/api/internal/testhelpers/datastore.go
index f0bba23fd..19d4df762 100644
--- a/api/internal/testhelpers/datastore.go
+++ b/api/internal/testhelpers/datastore.go
@@ -9,6 +9,8 @@ import (
 	"github.com/portainer/portainer/api/dataservices/errors"
 )
 
+var _ dataservices.DataStore = &testDatastore{}
+
 type testDatastore struct {
 	customTemplate          dataservices.CustomTemplateService
 	edgeGroup               dataservices.EdgeGroupService
@@ -227,6 +229,30 @@ func (s *stubEndpointRelationService) UpdateEndpointRelation(ID portainer.Endpoi
 	return nil
 }
 
+func (s *stubEndpointRelationService) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		for i, r := range s.relations {
+			if r.EndpointID == endpointID {
+				s.relations[i].EdgeStacks[edgeStackID] = true
+			}
+		}
+	}
+
+	return nil
+}
+
+func (s *stubEndpointRelationService) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
+	for _, endpointID := range endpointIDs {
+		for i, r := range s.relations {
+			if r.EndpointID == endpointID {
+				delete(s.relations[i].EdgeStacks, edgeStackID)
+			}
+		}
+	}
+
+	return nil
+}
+
 func (s *stubEndpointRelationService) DeleteEndpointRelation(ID portainer.EndpointID) error {
 	return nil
 }

From 52bb06eb7b973c786886696eb05cc43d5f565b64 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Mon, 3 Mar 2025 11:29:58 +1300
Subject: [PATCH 033/212] chore(helm): Convert helm details view to react
 (#476)

---
 app/kubernetes/react/views/index.ts           |   5 +
 .../applications/helm/helm.controller.js      |  52 --------
 .../views/applications/helm/helm.css          |   5 -
 .../views/applications/helm/helm.html         |  50 --------
 .../views/applications/helm/index.js          |  11 --
 .../HelmApplicationView.test.tsx              | 119 ++++++++++++++++++
 .../HelmApplicationView.tsx                   |  79 ++++++++++++
 .../helm/HelmApplicationView/index.ts         |   1 +
 .../queries/useHelmRelease.ts                 |  83 ++++++++++++
 9 files changed, 287 insertions(+), 118 deletions(-)
 delete mode 100644 app/kubernetes/views/applications/helm/helm.controller.js
 delete mode 100644 app/kubernetes/views/applications/helm/helm.css
 delete mode 100644 app/kubernetes/views/applications/helm/helm.html
 delete mode 100644 app/kubernetes/views/applications/helm/index.js
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/index.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts

diff --git a/app/kubernetes/react/views/index.ts b/app/kubernetes/react/views/index.ts
index 7913f7641..e4043985f 100644
--- a/app/kubernetes/react/views/index.ts
+++ b/app/kubernetes/react/views/index.ts
@@ -23,6 +23,7 @@ import { NamespaceView } from '@/react/kubernetes/namespaces/ItemView/NamespaceV
 import { AccessView } from '@/react/kubernetes/namespaces/AccessView/AccessView';
 import { JobsView } from '@/react/kubernetes/more-resources/JobsView/JobsView';
 import { ClusterView } from '@/react/kubernetes/cluster/ClusterView';
+import { HelmApplicationView } from '@/react/kubernetes/helm/HelmApplicationView';
 
 export const viewsModule = angular
   .module('portainer.kubernetes.react.views', [])
@@ -79,6 +80,10 @@ export const viewsModule = angular
       []
     )
   )
+  .component(
+    'kubernetesHelmApplicationView',
+    r2a(withUIRouter(withReactQuery(withCurrentUser(HelmApplicationView))), [])
+  )
   .component(
     'kubernetesClusterView',
     r2a(withUIRouter(withReactQuery(withCurrentUser(ClusterView))), [])
diff --git a/app/kubernetes/views/applications/helm/helm.controller.js b/app/kubernetes/views/applications/helm/helm.controller.js
deleted file mode 100644
index 0b027c2ef..000000000
--- a/app/kubernetes/views/applications/helm/helm.controller.js
+++ /dev/null
@@ -1,52 +0,0 @@
-import PortainerError from 'Portainer/error';
-
-export default class KubernetesHelmApplicationController {
-  /* @ngInject */
-  constructor($async, $state, Authentication, Notifications, HelmService) {
-    this.$async = $async;
-    this.$state = $state;
-    this.Authentication = Authentication;
-    this.Notifications = Notifications;
-    this.HelmService = HelmService;
-  }
-
-  /**
-   * APPLICATION
-   */
-  async getHelmApplication() {
-    try {
-      this.state.dataLoading = true;
-      const releases = await this.HelmService.listReleases(this.endpoint.Id, { filter: `^${this.state.params.name}$`, namespace: this.state.params.namespace });
-      if (releases.length > 0) {
-        this.state.release = releases[0];
-      } else {
-        throw new PortainerError(`Release ${this.state.params.name} not found`);
-      }
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm application details');
-    } finally {
-      this.state.dataLoading = false;
-    }
-  }
-
-  $onInit() {
-    return this.$async(async () => {
-      this.state = {
-        dataLoading: true,
-        viewReady: false,
-        params: {
-          name: this.$state.params.name,
-          namespace: this.$state.params.namespace,
-        },
-        release: {
-          name: undefined,
-          chart: undefined,
-          app_version: undefined,
-        },
-      };
-
-      await this.getHelmApplication();
-      this.state.viewReady = true;
-    });
-  }
-}
diff --git a/app/kubernetes/views/applications/helm/helm.css b/app/kubernetes/views/applications/helm/helm.css
deleted file mode 100644
index 784f878fd..000000000
--- a/app/kubernetes/views/applications/helm/helm.css
+++ /dev/null
@@ -1,5 +0,0 @@
-.release-table tr {
-  display: grid;
-  grid-auto-flow: column;
-  grid-template-columns: 1fr 4fr;
-}
diff --git a/app/kubernetes/views/applications/helm/helm.html b/app/kubernetes/views/applications/helm/helm.html
deleted file mode 100644
index a815e8a9d..000000000
--- a/app/kubernetes/views/applications/helm/helm.html
+++ /dev/null
@@ -1,50 +0,0 @@
-<page-header
-  ng-if="$ctrl.state.viewReady"
-  title="'Helm details'"
-  breadcrumbs="[{label:'Applications', link:'kubernetes.applications'}, $ctrl.state.params.name]"
-  reload="true"
-></page-header>
-
-<kubernetes-view-loading view-ready="$ctrl.state.viewReady"></kubernetes-view-loading>
-
-<div ng-if="$ctrl.state.viewReady">
-  <div class="row">
-    <div class="col-sm-12">
-      <rd-widget>
-        <div class="toolBar vertical-center w-full flex-wrap !gap-x-5 !gap-y-1 p-5">
-          <div class="toolBarTitle vertical-center">
-            <div class="widget-icon space-right">
-              <pr-icon icon="'svg-helm'"></pr-icon>
-            </div>
-
-            Release
-          </div>
-        </div>
-        <rd-widget-body>
-          <table class="table">
-            <tbody class="release-table">
-              <tr>
-                <td class="vertical-center">Name</td>
-                <td class="vertical-center !p-2" data-cy="k8sAppDetail-appName">
-                  {{ $ctrl.state.release.name }}
-                </td>
-              </tr>
-              <tr>
-                <td class="vertical-center">Chart</td>
-                <td class="vertical-center !p-2">
-                  {{ $ctrl.state.release.chart }}
-                </td>
-              </tr>
-              <tr>
-                <td class="vertical-center">App version</td>
-                <td class="vertical-center !p-2">
-                  {{ $ctrl.state.release.app_version }}
-                </td>
-              </tr>
-            </tbody>
-          </table>
-        </rd-widget-body>
-      </rd-widget>
-    </div>
-  </div>
-</div>
diff --git a/app/kubernetes/views/applications/helm/index.js b/app/kubernetes/views/applications/helm/index.js
deleted file mode 100644
index b99f41d4b..000000000
--- a/app/kubernetes/views/applications/helm/index.js
+++ /dev/null
@@ -1,11 +0,0 @@
-import angular from 'angular';
-import controller from './helm.controller';
-import './helm.css';
-
-angular.module('portainer.kubernetes').component('kubernetesHelmApplicationView', {
-  templateUrl: './helm.html',
-  controller,
-  bindings: {
-    endpoint: '<',
-  },
-});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
new file mode 100644
index 000000000..296b17ff5
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
@@ -0,0 +1,119 @@
+import { render, screen } from '@testing-library/react';
+import { HttpResponse } from 'msw';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { server, http } from '@/setup-tests/server';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+
+import { HelmApplicationView } from './HelmApplicationView';
+
+// Mock the necessary hooks and dependencies
+const mockUseCurrentStateAndParams = vi.fn();
+const mockUseEnvironmentId = vi.fn();
+
+vi.mock('@uirouter/react', async (importOriginal: () => Promise<object>) => ({
+  ...(await importOriginal()),
+  useCurrentStateAndParams: () => mockUseCurrentStateAndParams(),
+}));
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => mockUseEnvironmentId(),
+}));
+
+function renderComponent() {
+  const user = new UserViewModel({ Username: 'user' });
+  const Wrapped = withTestQueryProvider(
+    withUserProvider(withTestRouter(HelmApplicationView), user)
+  );
+  return render(<Wrapped />);
+}
+
+describe('HelmApplicationView', () => {
+  beforeEach(() => {
+    // Set up default mock values
+    mockUseEnvironmentId.mockReturnValue(3);
+    mockUseCurrentStateAndParams.mockReturnValue({
+      params: {
+        name: 'test-release',
+        namespace: 'default',
+      },
+    });
+
+    // Set up default mock API responses
+    server.use(
+      http.get('/api/endpoints/3/kubernetes/helm', () =>
+        HttpResponse.json([
+          {
+            name: 'test-release',
+            chart: 'test-chart-1.0.0',
+            app_version: '1.0.0',
+          },
+        ])
+      )
+    );
+  });
+
+  it('should display helm release details when data is loaded', async () => {
+    renderComponent();
+
+    // Check for the page header
+    expect(await screen.findByText('Helm details')).toBeInTheDocument();
+
+    // Check for the release details
+    expect(screen.getByText('Release')).toBeInTheDocument();
+
+    // Check for the table content
+    expect(screen.getByText('Name')).toBeInTheDocument();
+    expect(screen.getByText('Chart')).toBeInTheDocument();
+    expect(screen.getByText('App version')).toBeInTheDocument();
+
+    // Check for the actual values
+    expect(screen.getByTestId('k8sAppDetail-appName')).toHaveTextContent(
+      'test-release'
+    );
+    expect(screen.getByText('test-chart-1.0.0')).toBeInTheDocument();
+    expect(screen.getByText('1.0.0')).toBeInTheDocument();
+  });
+
+  it('should display error message when API request fails', async () => {
+    // Mock API failure
+    server.use(
+      http.get('/api/endpoints/3/kubernetes/helm', () => HttpResponse.error())
+    );
+
+    // Mock console.error to prevent test output pollution
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+
+    renderComponent();
+
+    // Wait for the error message to appear
+    expect(
+      await screen.findByText('Failed to load Helm application details')
+    ).toBeInTheDocument();
+
+    // Restore console.error
+    vi.spyOn(console, 'error').mockRestore();
+  });
+
+  it('should display error message when release is not found', async () => {
+    // Mock empty response (no releases found)
+    server.use(
+      http.get('/api/endpoints/3/kubernetes/helm', () => HttpResponse.json([]))
+    );
+
+    // Mock console.error to prevent test output pollution
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+
+    renderComponent();
+
+    // Wait for the error message to appear
+    expect(
+      await screen.findByText('Failed to load Helm application details')
+    ).toBeInTheDocument();
+
+    // Restore console.error
+    vi.spyOn(console, 'error').mockRestore();
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
new file mode 100644
index 000000000..f50b59154
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -0,0 +1,79 @@
+import { useCurrentStateAndParams } from '@uirouter/react';
+
+import { PageHeader } from '@/react/components/PageHeader';
+import { Widget, WidgetBody, WidgetTitle } from '@/react/components/Widget';
+import helm from '@/assets/ico/vendor/helm.svg?c';
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+
+import { ViewLoading } from '@@/ViewLoading';
+import { Alert } from '@@/Alert';
+
+import { useHelmRelease } from './queries/useHelmRelease';
+
+export function HelmApplicationView() {
+  const { params } = useCurrentStateAndParams();
+  const environmentId = useEnvironmentId();
+
+  const name = params.name as string;
+  const namespace = params.namespace as string;
+
+  const {
+    data: release,
+    isLoading,
+    error,
+  } = useHelmRelease(environmentId, name, namespace);
+
+  if (isLoading) {
+    return <ViewLoading />;
+  }
+
+  if (error || !release) {
+    return (
+      <Alert color="error" title="Failed to load Helm application details" />
+    );
+  }
+
+  return (
+    <>
+      <PageHeader
+        title="Helm details"
+        breadcrumbs={[
+          { label: 'Applications', link: 'kubernetes.applications' },
+          name,
+        ]}
+        reload
+      />
+
+      <div className="row">
+        <div className="col-sm-12">
+          <Widget>
+            <WidgetTitle icon={helm} title="Release" />
+            <WidgetBody>
+              <table className="table">
+                <tbody>
+                  <tr>
+                    <td className="!border-none w-40">Name</td>
+                    <td
+                      className="!border-none min-w-[140px]"
+                      data-cy="k8sAppDetail-appName"
+                    >
+                      {release.name}
+                    </td>
+                  </tr>
+                  <tr>
+                    <td className="!border-t">Chart</td>
+                    <td className="!border-t">{release.chart}</td>
+                  </tr>
+                  <tr>
+                    <td>App version</td>
+                    <td>{release.app_version}</td>
+                  </tr>
+                </tbody>
+              </table>
+            </WidgetBody>
+          </Widget>
+        </div>
+      </div>
+    </>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/index.ts b/app/react/kubernetes/helm/HelmApplicationView/index.ts
new file mode 100644
index 000000000..e3adc8d92
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/index.ts
@@ -0,0 +1 @@
+export { HelmApplicationView } from './HelmApplicationView';
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
new file mode 100644
index 000000000..b7cfcb91c
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
@@ -0,0 +1,83 @@
+import { useQuery } from '@tanstack/react-query';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { withGlobalError } from '@/react-tools/react-query';
+import PortainerError from 'Portainer/error';
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+
+interface HelmRelease {
+  name: string;
+  chart: string;
+  app_version: string;
+}
+/**
+ * List all helm releases based on passed in options
+ * @param environmentId - Environment ID
+ * @param options - Options for filtering releases
+ * @returns List of helm releases
+ */
+export async function listReleases(
+  environmentId: EnvironmentId,
+  options: {
+    namespace?: string;
+    filter?: string;
+    selector?: string;
+    output?: string;
+  } = {}
+): Promise<HelmRelease[]> {
+  try {
+    const { namespace, filter, selector, output } = options;
+    const url = `endpoints/${environmentId}/kubernetes/helm`;
+    const { data } = await axios.get<HelmRelease[]>(url, {
+      params: { namespace, filter, selector, output },
+    });
+    return data;
+  } catch (e) {
+    throw parseAxiosError(e as Error, 'Unable to retrieve release list');
+  }
+}
+
+/**
+ * React hook to fetch a specific Helm release
+ */
+export function useHelmRelease(
+  environmentId: EnvironmentId,
+  name: string,
+  namespace: string
+) {
+  return useQuery(
+    [environmentId, 'helm', namespace, name],
+    () => getHelmRelease(environmentId, name, namespace),
+    {
+      enabled: !!environmentId,
+      ...withGlobalError('Unable to retrieve helm application details'),
+    }
+  );
+}
+
+/**
+ * Get a specific Helm release
+ */
+async function getHelmRelease(
+  environmentId: EnvironmentId,
+  name: string,
+  namespace: string
+): Promise<HelmRelease> {
+  try {
+    const releases = await listReleases(environmentId, {
+      filter: `^${name}$`,
+      namespace,
+    });
+
+    if (releases.length > 0) {
+      return releases[0];
+    }
+
+    throw new PortainerError(`Release ${name} not found`);
+  } catch (err) {
+    throw new PortainerError(
+      'Unable to retrieve helm application details',
+      err as Error
+    );
+  }
+}

From 2bccb3589e37ae3e44f278ad8fe3ffc137848f39 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Wed, 5 Mar 2025 16:04:16 +0100
Subject: [PATCH 034/212] fix(app/images): nodeName on images list links (#484)

---
 .../ListView/ImagesDatatable/columns/id.tsx   | 30 +++++++++----------
 1 file changed, 14 insertions(+), 16 deletions(-)

diff --git a/app/react/docker/images/ListView/ImagesDatatable/columns/id.tsx b/app/react/docker/images/ListView/ImagesDatatable/columns/id.tsx
index 00081aa7e..d0de59dfe 100644
--- a/app/react/docker/images/ListView/ImagesDatatable/columns/id.tsx
+++ b/app/react/docker/images/ListView/ImagesDatatable/columns/id.tsx
@@ -1,5 +1,4 @@
 import { CellContext, Column } from '@tanstack/react-table';
-import { useSref } from '@uirouter/react';
 
 import { truncate } from '@/portainer/filters/filters';
 import { getValueAsArrayOfStrings } from '@/portainer/helpers/array';
@@ -7,6 +6,7 @@ import { ImagesListResponse } from '@/react/docker/images/queries/useImages';
 
 import { MultipleSelectionFilter } from '@@/datatables/Filter';
 import { UnusedBadge } from '@@/Badge/UnusedBadge';
+import { Link } from '@@/Link';
 
 import { columnHelper } from './helper';
 
@@ -62,22 +62,20 @@ function FilterByUsage<TData extends { Used: boolean }>({
 }
 
 function Cell({
-  getValue,
-  row: { original: image },
+  row: { original: item },
 }: CellContext<ImagesListResponse, string>) {
-  const name = getValue();
-
-  const linkProps = useSref('.image', {
-    id: image.id,
-    imageId: image.id,
-  });
-
   return (
-    <div className="flex gap-1">
-      <a href={linkProps.href} onClick={linkProps.onClick} title={name}>
-        {truncate(name, 40)}
-      </a>
-      {!image.used && <UnusedBadge />}
-    </div>
+    <>
+      <Link
+        to=".image"
+        params={{ id: item.id, nodeName: item.nodeName }}
+        title={item.id}
+        data-cy={`image-link-${item.id}`}
+        className="mr-2"
+      >
+        {truncate(item.id, 40)}
+      </Link>
+      {!item.used && <UnusedBadge />}
+    </>
   );
 }

From 438b1f981535606ff4fc6b6d450e7ef828742a02 Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Thu, 6 Mar 2025 09:35:31 +1300
Subject: [PATCH 035/212] fix(helm): Remove duplicate helm instructions in CE
 [BE-11670] (#482)

---
 .../helm-templates-list.html                  | 58 +++++++++----------
 1 file changed, 26 insertions(+), 32 deletions(-)

diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
index 504c53af3..cd2c1131d 100644
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
+++ b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
@@ -31,37 +31,31 @@
       >Select the Helm chart to use. Bring further Helm charts into your selection list via
       <a ui-sref="portainer.account({'#': 'helm-repositories'})">User settings - Helm repositories</a>.</div
     >
-    <div class="w-full">
-      <div class="small text-muted mb-2"
-        >Select the Helm chart to use. Bring further Helm charts into your selection list via
-        <a ui-sref="portainer.account({'#': 'helm-repositories'})">User settings - Helm repositories</a>.</div
-      >
-      <div class="relative flex w-fit gap-1 rounded-lg bg-gray-modern-3 p-4 text-sm th-highcontrast:bg-legacy-grey-3 th-dark:bg-legacy-grey-3 mt-2">
-        <div class="mt-0.5 shrink-0">
-          <svg
-            xmlns="http://www.w3.org/2000/svg"
-            width="24"
-            height="24"
-            viewBox="0 0 24 24"
-            fill="none"
-            stroke="currentColor"
-            stroke-width="2"
-            stroke-linecap="round"
-            stroke-linejoin="round"
-            class="lucide lucide-lightbulb h-4 text-warning-7 th-highcontrast:text-warning-6 th-dark:text-warning-6"
-          >
-            <path d="M15 14c.2-1 .7-1.7 1.5-2.5 1-.9 1.5-2.2 1.5-3.5A6 6 0 0 0 6 8c0 1 .2 2.2 1.5 3.5.7.7 1.3 1.5 1.5 2.5"></path>
-            <path d="M9 18h6"></path>
-            <path d="M10 22h4"></path>
-          </svg>
-        </div>
-        <div>
-          <p class="align-middle text-[0.9em] font-medium pr-10 mb-2">Disclaimer</p>
-          <div class="small">
-            At present Portainer does not support OCI format Helm charts. Support for OCI charts will be available in a future release.<br />
-            If you would like to provide feedback on OCI support or get access to early releases to test this functionality,
-            <a href="https://bit.ly/3WVkayl" target="_blank" rel="noopener noreferrer">please get in touch</a>.
-          </div>
+    <div class="relative flex w-fit gap-1 rounded-lg bg-gray-modern-3 p-4 text-sm th-highcontrast:bg-legacy-grey-3 th-dark:bg-legacy-grey-3 mt-2">
+      <div class="mt-0.5 shrink-0">
+        <svg
+          xmlns="http://www.w3.org/2000/svg"
+          width="24"
+          height="24"
+          viewBox="0 0 24 24"
+          fill="none"
+          stroke="currentColor"
+          stroke-width="2"
+          stroke-linecap="round"
+          stroke-linejoin="round"
+          class="lucide lucide-lightbulb h-4 text-warning-7 th-highcontrast:text-warning-6 th-dark:text-warning-6"
+        >
+          <path d="M15 14c.2-1 .7-1.7 1.5-2.5 1-.9 1.5-2.2 1.5-3.5A6 6 0 0 0 6 8c0 1 .2 2.2 1.5 3.5.7.7 1.3 1.5 1.5 2.5"></path>
+          <path d="M9 18h6"></path>
+          <path d="M10 22h4"></path>
+        </svg>
+      </div>
+      <div>
+        <p class="align-middle text-[0.9em] font-medium pr-10 mb-2">Disclaimer</p>
+        <div class="small">
+          At present Portainer does not support OCI format Helm charts. Support for OCI charts will be available in a future release.<br />
+          If you would like to provide feedback on OCI support or get access to early releases to test this functionality,
+          <a href="https://bit.ly/3WVkayl" target="_blank" rel="noopener noreferrer">please get in touch</a>.
         </div>
       </div>
     </div>
@@ -75,7 +69,7 @@
       on-select="($ctrl.selectAction)"
     >
     </helm-templates-list-item>
-    <div ng-if="!allCharts.length" class="text-muted small mt-4"> No Helm charts found </div>
+    <div ng-if="!$ctrl.loading && !allCharts.length && $ctrl.charts.length !== 0" class="text-muted small mt-4"> No Helm charts found </div>
     <div ng-if="$ctrl.loading" class="text-muted text-center">
       Loading...
       <div class="text-muted text-center"> Initial download of Helm charts can take a few minutes </div>

From b57855f20d9520018be97936268284adb36c3aae Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Mon, 10 Mar 2025 09:21:20 +1300
Subject: [PATCH 036/212] fix(app): datatable global checkbox doesn't reflect
 the selected state (#470)

---
 app/portainer/helpers/strings.ts              | 14 ++++----
 app/react/common/string-utils.ts              | 27 ++++++++++++++
 .../components/datatables/Datatable.test.tsx  | 36 +++++++++++++++++--
 app/react/components/datatables/Datatable.tsx |  9 +++++
 .../components/datatables/DatatableFooter.tsx |  4 ++-
 .../datatables/SelectedRowsCount.tsx          | 10 ++++--
 .../components/datatables/select-column.tsx   | 22 +++++++++---
 .../components/form-components/Checkbox.tsx   |  4 ++-
 .../app-templates/AppTemplatesList.tsx        |  1 +
 .../ListView/CustomTemplatesList.tsx          |  1 +
 10 files changed, 110 insertions(+), 18 deletions(-)
 create mode 100644 app/react/common/string-utils.ts

diff --git a/app/portainer/helpers/strings.ts b/app/portainer/helpers/strings.ts
index dc130b0e5..fb8d69bc6 100644
--- a/app/portainer/helpers/strings.ts
+++ b/app/portainer/helpers/strings.ts
@@ -1,7 +1,7 @@
-export function pluralize(val: number, word: string, plural = `${word}s`) {
-  return [1, -1].includes(Number(val)) ? word : plural;
-}
-
-export function addPlural(value: number, word: string, plural = `${word}s`) {
-  return `${value} ${pluralize(value, word, plural)}`;
-}
+// Re-exporting so we don't have to update one meeeeellion files that are already importing these
+// functions from here.
+export {
+  pluralize,
+  addPlural,
+  grammaticallyJoin,
+} from '@/react/common/string-utils';
diff --git a/app/react/common/string-utils.ts b/app/react/common/string-utils.ts
new file mode 100644
index 000000000..591d6de90
--- /dev/null
+++ b/app/react/common/string-utils.ts
@@ -0,0 +1,27 @@
+export function capitalize(s: string) {
+  return s.slice(0, 1).toUpperCase() + s.slice(1);
+}
+
+export function pluralize(val: number, word: string, plural = `${word}s`) {
+  return [1, -1].includes(Number(val)) ? word : plural;
+}
+
+export function addPlural(value: number, word: string, plural = `${word}s`) {
+  return `${value} ${pluralize(value, word, plural)}`;
+}
+
+/**
+ * Joins an array of strings into a grammatically correct sentence.
+ */
+export function grammaticallyJoin(
+  values: string[],
+  separator = ', ',
+  lastSeparator = ' and '
+) {
+  if (values.length === 0) return '';
+  if (values.length === 1) return values[0];
+
+  const allButLast = values.slice(0, -1);
+  const last = values[values.length - 1];
+  return `${allButLast.join(separator)}${lastSeparator}${last}`;
+}
diff --git a/app/react/components/datatables/Datatable.test.tsx b/app/react/components/datatables/Datatable.test.tsx
index 3b5a1e63f..5664a3ed6 100644
--- a/app/react/components/datatables/Datatable.test.tsx
+++ b/app/react/components/datatables/Datatable.test.tsx
@@ -1,4 +1,5 @@
 import { render, screen, fireEvent } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
 import { describe, it, expect } from 'vitest';
 import {
   createColumnHelper,
@@ -170,7 +171,7 @@ describe('Datatable', () => {
     fireEvent.click(selectAllCheckbox);
 
     // Check if all rows on the page are selected
-    expect(screen.getByText('2 item(s) selected')).toBeInTheDocument();
+    expect(screen.getByText('2 items selected')).toBeInTheDocument();
 
     // Deselect
     fireEvent.click(selectAllCheckbox);
@@ -192,13 +193,44 @@ describe('Datatable', () => {
     fireEvent.click(selectAllCheckbox, { shiftKey: true });
 
     // Check if all rows on the page are selected
-    expect(screen.getByText('3 item(s) selected')).toBeInTheDocument();
+    expect(screen.getByText('3 items selected')).toBeInTheDocument();
 
     // Deselect
     fireEvent.click(selectAllCheckbox, { shiftKey: true });
     const checkboxes: HTMLInputElement[] = screen.queryAllByRole('checkbox');
     expect(checkboxes.filter((checkbox) => checkbox.checked).length).toBe(0);
   });
+
+  it('shows indeterminate state and correct footer text when hidden rows are selected', async () => {
+    const user = userEvent.setup();
+    render(
+      <DatatableWithStore
+        dataset={mockData}
+        columns={mockColumns}
+        data-cy="test-table"
+        title="Test table with search"
+      />
+    );
+
+    // Select Jane
+    const checkboxes = screen.getAllByRole('checkbox');
+    await user.click(checkboxes[2]); // Select the second row
+
+    // Search for John (will hide selected Jane)
+    const searchInput = screen.getByPlaceholderText('Search...');
+    await user.type(searchInput, 'John');
+
+    // Check if the footer text is correct
+    expect(
+      await screen.findByText('1 item selected (1 hidden by filters)')
+    ).toBeInTheDocument();
+
+    // Check if the checkbox is indeterminate
+    const selectAllCheckbox: HTMLInputElement =
+      screen.getByLabelText('Select all rows');
+    expect(selectAllCheckbox.indeterminate).toBe(true);
+    expect(selectAllCheckbox.checked).toBe(false);
+  });
 });
 
 // Test the defaultGlobalFilterFn used in searches
diff --git a/app/react/components/datatables/Datatable.tsx b/app/react/components/datatables/Datatable.tsx
index f845e221d..4ca608aa3 100644
--- a/app/react/components/datatables/Datatable.tsx
+++ b/app/react/components/datatables/Datatable.tsx
@@ -171,6 +171,14 @@ export function Datatable<D extends DefaultType>({
 
   const selectedRowModel = tableInstance.getSelectedRowModel();
   const selectedItems = selectedRowModel.rows.map((row) => row.original);
+  const filteredItems = tableInstance
+    .getFilteredRowModel()
+    .rows.map((row) => row.original);
+
+  const hiddenSelectedItems = useMemo(
+    () => _.difference(selectedItems, filteredItems),
+    [selectedItems, filteredItems]
+  );
 
   return (
     <Table.Container noWidget={noWidget} aria-label={title}>
@@ -203,6 +211,7 @@ export function Datatable<D extends DefaultType>({
         pageSize={tableState.pagination.pageSize}
         pageCount={tableInstance.getPageCount()}
         totalSelected={selectedItems.length}
+        totalHiddenSelected={hiddenSelectedItems.length}
       />
     </Table.Container>
   );
diff --git a/app/react/components/datatables/DatatableFooter.tsx b/app/react/components/datatables/DatatableFooter.tsx
index 61e7b4dbf..0907ae260 100644
--- a/app/react/components/datatables/DatatableFooter.tsx
+++ b/app/react/components/datatables/DatatableFooter.tsx
@@ -5,6 +5,7 @@ import { SelectedRowsCount } from './SelectedRowsCount';
 
 interface Props {
   totalSelected: number;
+  totalHiddenSelected: number;
   pageSize: number;
   page: number;
   onPageChange(page: number): void;
@@ -14,6 +15,7 @@ interface Props {
 
 export function DatatableFooter({
   totalSelected,
+  totalHiddenSelected,
   pageSize,
   page,
   onPageChange,
@@ -22,7 +24,7 @@ export function DatatableFooter({
 }: Props) {
   return (
     <Table.Footer>
-      <SelectedRowsCount value={totalSelected} />
+      <SelectedRowsCount value={totalSelected} hidden={totalHiddenSelected} />
       <PaginationControls
         showAll
         pageLimit={pageSize}
diff --git a/app/react/components/datatables/SelectedRowsCount.tsx b/app/react/components/datatables/SelectedRowsCount.tsx
index 50c983270..502869148 100644
--- a/app/react/components/datatables/SelectedRowsCount.tsx
+++ b/app/react/components/datatables/SelectedRowsCount.tsx
@@ -1,9 +1,15 @@
+import { addPlural } from '@/react/common/string-utils';
+
 interface SelectedRowsCountProps {
   value: number;
+  hidden: number;
 }
 
-export function SelectedRowsCount({ value }: SelectedRowsCountProps) {
+export function SelectedRowsCount({ value, hidden }: SelectedRowsCountProps) {
   return value !== 0 ? (
-    <div className="infoBar">{value} item(s) selected</div>
+    <div className="infoBar">
+      {addPlural(value, 'item')} selected
+      {hidden !== 0 && ` (${hidden} hidden by filters)`}
+    </div>
   ) : null;
 }
diff --git a/app/react/components/datatables/select-column.tsx b/app/react/components/datatables/select-column.tsx
index f20f4dd0b..46329588a 100644
--- a/app/react/components/datatables/select-column.tsx
+++ b/app/react/components/datatables/select-column.tsx
@@ -1,7 +1,19 @@
-import { ColumnDef, Row } from '@tanstack/react-table';
+import { ColumnDef, Row, Table } from '@tanstack/react-table';
 
 import { Checkbox } from '@@/form-components/Checkbox';
 
+function allRowsSelected<T>(table: Table<T>) {
+  return table.getCoreRowModel().rows.every((row) => row.getIsSelected());
+}
+
+function someRowsSelected<T>(table: Table<T>) {
+  return table.getCoreRowModel().rows.some((row) => row.getIsSelected());
+}
+
+function somePageRowsSelected<T>(table: Table<T>) {
+  return table.getRowModel().rows.some((row) => row.getIsSelected());
+}
+
 export function createSelectColumn<T>(dataCy: string): ColumnDef<T> {
   let lastSelectedId = '';
 
@@ -11,15 +23,15 @@ export function createSelectColumn<T>(dataCy: string): ColumnDef<T> {
       <Checkbox
         id="select-all"
         data-cy={`select-all-checkbox-${dataCy}`}
-        checked={table.getIsAllPageRowsSelected()}
-        indeterminate={table.getIsSomeRowsSelected()}
+        checked={allRowsSelected(table)}
+        indeterminate={!allRowsSelected(table) && someRowsSelected(table)}
         onChange={(e) => {
           // Select all rows if shift key is held down, otherwise only page rows
           if (e.nativeEvent instanceof MouseEvent && e.nativeEvent.shiftKey) {
-            table.getToggleAllRowsSelectedHandler()(e);
+            table.toggleAllRowsSelected();
             return;
           }
-          table.getToggleAllPageRowsSelectedHandler()(e);
+          table.toggleAllPageRowsSelected(!somePageRowsSelected(table));
         }}
         disabled={table.getRowModel().rows.every((row) => !row.getCanSelect())}
         onClick={(e) => {
diff --git a/app/react/components/form-components/Checkbox.tsx b/app/react/components/form-components/Checkbox.tsx
index 3e01222b8..03f199de1 100644
--- a/app/react/components/form-components/Checkbox.tsx
+++ b/app/react/components/form-components/Checkbox.tsx
@@ -42,6 +42,8 @@ export const Checkbox = forwardRef<HTMLInputElement, Props>(
       resolvedRef = defaultRef;
     }
 
+    // Need to check this on every render as the browser will always set the element's
+    // indeterminate state to false when the checkbox is clicked, even if the indeterminate prop hasn't changed
     useEffect(() => {
       if (resolvedRef === null || resolvedRef.current === null) {
         return;
@@ -50,7 +52,7 @@ export const Checkbox = forwardRef<HTMLInputElement, Props>(
       if (typeof indeterminate !== 'undefined') {
         resolvedRef.current.indeterminate = indeterminate;
       }
-    }, [resolvedRef, indeterminate]);
+    });
 
     return (
       <div className="md-checkbox flex items-center" title={title || label}>
diff --git a/app/react/portainer/templates/app-templates/AppTemplatesList.tsx b/app/react/portainer/templates/app-templates/AppTemplatesList.tsx
index 00e4e54c5..35e446e8a 100644
--- a/app/react/portainer/templates/app-templates/AppTemplatesList.tsx
+++ b/app/react/portainer/templates/app-templates/AppTemplatesList.tsx
@@ -110,6 +110,7 @@ export function AppTemplatesList({
         pageSize={listState.pageSize}
         pageCount={Math.ceil(filteredTemplates.length / listState.pageSize)}
         totalSelected={0}
+        totalHiddenSelected={0}
       />
     </Table.Container>
   );
diff --git a/app/react/portainer/templates/custom-templates/ListView/CustomTemplatesList.tsx b/app/react/portainer/templates/custom-templates/ListView/CustomTemplatesList.tsx
index a0bb23720..18b1bdaa9 100644
--- a/app/react/portainer/templates/custom-templates/ListView/CustomTemplatesList.tsx
+++ b/app/react/portainer/templates/custom-templates/ListView/CustomTemplatesList.tsx
@@ -86,6 +86,7 @@ export function CustomTemplatesList({
         pageSize={listState.pageSize}
         pageCount={Math.ceil(filteredTemplates.length / listState.pageSize)}
         totalSelected={0}
+        totalHiddenSelected={0}
       />
     </Table.Container>
   );

From 28b222fffacf4a030aedadd3496d5ef91a431505 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Wed, 12 Mar 2025 10:34:07 +1300
Subject: [PATCH 037/212] fix(app): Make sure empty tables don't have select
 all rows checkbox checked (#489)

---
 app/react/components/datatables/Datatable.test.tsx | 3 +++
 app/react/components/datatables/select-column.tsx  | 3 ++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/react/components/datatables/Datatable.test.tsx b/app/react/components/datatables/Datatable.test.tsx
index 5664a3ed6..67ff85f70 100644
--- a/app/react/components/datatables/Datatable.test.tsx
+++ b/app/react/components/datatables/Datatable.test.tsx
@@ -155,6 +155,9 @@ describe('Datatable', () => {
     );
 
     expect(screen.getByText('No data available')).toBeInTheDocument();
+    const selectAllCheckbox: HTMLInputElement =
+      screen.getByLabelText('Select all rows');
+    expect(selectAllCheckbox.checked).toBe(false);
   });
 
   it('selects/deselects only page rows when select all is clicked', () => {
diff --git a/app/react/components/datatables/select-column.tsx b/app/react/components/datatables/select-column.tsx
index 46329588a..2e4a04272 100644
--- a/app/react/components/datatables/select-column.tsx
+++ b/app/react/components/datatables/select-column.tsx
@@ -3,7 +3,8 @@ import { ColumnDef, Row, Table } from '@tanstack/react-table';
 import { Checkbox } from '@@/form-components/Checkbox';
 
 function allRowsSelected<T>(table: Table<T>) {
-  return table.getCoreRowModel().rows.every((row) => row.getIsSelected());
+  const { rows } = table.getCoreRowModel();
+  return rows.length > 0 && rows.every((row) => row.getIsSelected());
 }
 
 function someRowsSelected<T>(table: Table<T>) {

From 798fa2396a892cb95737cdab62edea51f0ae206a Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Wed, 12 Mar 2025 22:34:00 +1300
Subject: [PATCH 038/212] feat: kubernets service - display external hostname
 (#486)

---
 api/http/models/kubernetes/services.go        |  4 +-
 api/kubernetes/cli/service.go                 |  6 +--
 .../columns/externalHost.tsx                  | 38 +++++++++++++++++++
 .../ServicesDatatable/columns/index.tsx       |  2 +
 4 files changed, 45 insertions(+), 5 deletions(-)
 create mode 100644 app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/externalHost.tsx

diff --git a/api/http/models/kubernetes/services.go b/api/http/models/kubernetes/services.go
index 04ac27bf3..bcbddf3ae 100644
--- a/api/http/models/kubernetes/services.go
+++ b/api/http/models/kubernetes/services.go
@@ -35,8 +35,8 @@ type (
 	}
 
 	K8sServiceIngress struct {
-		IP   string `json:"IP"`
-		Host string `json:"Host"`
+		IP       string `json:"IP"`
+		Hostname string `json:"Hostname"`
 	}
 
 	// K8sServiceDeleteRequests is a mapping of namespace names to a slice of
diff --git a/api/kubernetes/cli/service.go b/api/kubernetes/cli/service.go
index 8a7ef03ab..a70c5ca3e 100644
--- a/api/kubernetes/cli/service.go
+++ b/api/kubernetes/cli/service.go
@@ -81,8 +81,8 @@ func parseService(service corev1.Service) models.K8sServiceInfo {
 	ingressStatus := make([]models.K8sServiceIngress, 0)
 	for _, status := range service.Status.LoadBalancer.Ingress {
 		ingressStatus = append(ingressStatus, models.K8sServiceIngress{
-			IP:   status.IP,
-			Host: status.Hostname,
+			IP:       status.IP,
+			Hostname: status.Hostname,
 		})
 	}
 
@@ -130,7 +130,7 @@ func (kcl *KubeClient) convertToK8sService(info models.K8sServiceInfo) corev1.Se
 	for _, i := range info.IngressStatus {
 		service.Status.LoadBalancer.Ingress = append(
 			service.Status.LoadBalancer.Ingress,
-			corev1.LoadBalancerIngress{IP: i.IP, Hostname: i.Host},
+			corev1.LoadBalancerIngress{IP: i.IP, Hostname: i.Hostname},
 		)
 	}
 
diff --git a/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/externalHost.tsx b/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/externalHost.tsx
new file mode 100644
index 000000000..7a0e8c386
--- /dev/null
+++ b/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/externalHost.tsx
@@ -0,0 +1,38 @@
+import { CellContext } from '@tanstack/react-table';
+
+import { ServiceRowData } from '../types';
+
+import { columnHelper } from './helper';
+
+export const externalHost = columnHelper.accessor(
+  (row) => {
+    if (row.Type === 'ExternalName') {
+      return row.ExternalName || '-';
+    }
+
+    return (
+      row.IngressStatus?.map((status) => status.Hostname)
+        .filter(Boolean)
+        .join(' ,') || '-'
+    );
+  },
+  {
+    header: 'External Host',
+    id: 'externalHost',
+    cell: Cell,
+  }
+);
+
+function Cell({ row }: CellContext<ServiceRowData, string>) {
+  if (row.original.Type === 'ExternalName') {
+    return <div>{row.original.ExternalName || '-'}</div>;
+  }
+
+  return (
+    <div>
+      {row.original.IngressStatus?.map((status) => status.Hostname)
+        .filter(Boolean)
+        .join(' ,') || '-'}
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/index.tsx b/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/index.tsx
index e061b3e70..1cc66e106 100644
--- a/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/index.tsx
+++ b/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/index.tsx
@@ -3,6 +3,7 @@ import { type } from './type';
 import { namespace } from './namespace';
 import { ports } from './ports';
 import { clusterIP } from './clusterIP';
+import { externalHost } from './externalHost';
 import { externalIP } from './externalIP';
 import { targetPorts } from './targetPorts';
 import { application } from './application';
@@ -16,6 +17,7 @@ export const columns = [
   ports,
   targetPorts,
   clusterIP,
+  externalHost,
   externalIP,
   created,
 ];

From 0d25f3f43084038893eac9ad4deffa2e91c481f4 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Wed, 12 Mar 2025 14:00:31 +0100
Subject: [PATCH 039/212] fix(app): restore gitops update options (#419)

---
 app/portainer/components/forms/git-form/index.ts            | 2 +-
 app/portainer/react/components/git-form.ts                  | 1 +
 app/react/edge/edge-stacks/CreateView/DockerComposeForm.tsx | 1 +
 app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx  | 2 ++
 app/react/portainer/gitops/GitForm.tsx                      | 5 +++--
 go.mod                                                      | 2 +-
 6 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/portainer/components/forms/git-form/index.ts b/app/portainer/components/forms/git-form/index.ts
index e478b62ca..26793f584 100644
--- a/app/portainer/components/forms/git-form/index.ts
+++ b/app/portainer/components/forms/git-form/index.ts
@@ -7,7 +7,7 @@ import { gitFormRefField } from './git-form-ref-field';
 
 export const gitFormModule = angular
   .module('portainer.app.components.git-form', [])
-  .component('gitForm', gitForm)
+  .component('gitForm', gitForm) // kube deploy + docker stack create
   .component('gitFormAuthFieldset', gitFormAuthFieldset)
   .component('gitFormAutoUpdateFieldset', gitFormAutoUpdate)
   .component('gitFormRefField', gitFormRefField).name;
diff --git a/app/portainer/react/components/git-form.ts b/app/portainer/react/components/git-form.ts
index bc74e3715..af0c7d460 100644
--- a/app/portainer/react/components/git-form.ts
+++ b/app/portainer/react/components/git-form.ts
@@ -29,6 +29,7 @@ export const gitFormModule = angular
       'webhookId',
       'webhooksDocs',
       'createdFromCustomTemplateId',
+      'isAutoUpdateVisible',
     ])
   )
   .component(
diff --git a/app/react/edge/edge-stacks/CreateView/DockerComposeForm.tsx b/app/react/edge/edge-stacks/CreateView/DockerComposeForm.tsx
index 2f4c29f83..608e97500 100644
--- a/app/react/edge/edge-stacks/CreateView/DockerComposeForm.tsx
+++ b/app/react/edge/edge-stacks/CreateView/DockerComposeForm.tsx
@@ -139,6 +139,7 @@ export function DockerComposeForm({ webhookId, onChangeTemplate }: Props) {
             }
             baseWebhookUrl={baseEdgeStackWebhookUrl()}
             webhookId={webhookId}
+            isAutoUpdateVisible={isBE}
           />
 
           {isBE && (
diff --git a/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx b/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx
index 0428f5859..1c516d86e 100644
--- a/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx
+++ b/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx
@@ -4,6 +4,7 @@ import { FormikErrors } from 'formik';
 import { GitForm } from '@/react/portainer/gitops/GitForm';
 import { GitFormModel } from '@/react/portainer/gitops/types';
 import { baseEdgeStackWebhookUrl } from '@/portainer/helpers/webhookHelper';
+import { isBE } from '@/react/portainer/feature-flags/feature-flags.service';
 
 import { BoxSelector } from '@@/BoxSelector';
 import { WebEditorForm } from '@@/WebEditorForm';
@@ -109,6 +110,7 @@ export function KubeManifestForm({
           }
           baseWebhookUrl={baseEdgeStackWebhookUrl()}
           webhookId={webhookId}
+          isAutoUpdateVisible={isBE}
         />
       )}
     </>
diff --git a/app/react/portainer/gitops/GitForm.tsx b/app/react/portainer/gitops/GitForm.tsx
index 834de6e82..89cb062bf 100644
--- a/app/react/portainer/gitops/GitForm.tsx
+++ b/app/react/portainer/gitops/GitForm.tsx
@@ -7,7 +7,6 @@ import { RefField } from '@/react/portainer/gitops/RefField';
 import { GitFormUrlField } from '@/react/portainer/gitops/GitFormUrlField';
 import { DeployMethod, GitFormModel } from '@/react/portainer/gitops/types';
 import { TimeWindowDisplay } from '@/react/portainer/gitops/TimeWindowDisplay';
-import { isBE } from '@/react/portainer/feature-flags/feature-flags.service';
 
 import { FormSection } from '@@/form-components/FormSection';
 import { validateForm } from '@@/form-components/validate-form';
@@ -35,6 +34,7 @@ interface Props {
   webhookId?: string;
   webhooksDocs?: string;
   createdFromCustomTemplateId?: number;
+  isAutoUpdateVisible?: boolean;
 }
 
 export function GitForm({
@@ -51,6 +51,7 @@ export function GitForm({
   webhookId,
   webhooksDocs,
   createdFromCustomTemplateId,
+  isAutoUpdateVisible = true,
 }: Props) {
   const [value, setValue] = useState(initialValue); // TODO: remove this state when form is not inside angularjs
 
@@ -117,7 +118,7 @@ export function GitForm({
         />
       )}
 
-      {isBE && value.AutoUpdate && (
+      {isAutoUpdateVisible && value.AutoUpdate && (
         <AutoUpdateFieldset
           environmentType={environmentType}
           webhookId={webhookId || ''}
diff --git a/go.mod b/go.mod
index 8f39fe3a9..1749b8c20 100644
--- a/go.mod
+++ b/go.mod
@@ -30,6 +30,7 @@ require (
 	github.com/gorilla/csrf v1.7.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.0
+	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/joho/godotenv v1.4.0
 	github.com/jpillora/chisel v1.10.0
@@ -147,7 +148,6 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect

From b5961d79f8a76fe60283281fc0610e6bcf39a3d9 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Thu, 13 Mar 2025 12:20:16 +1300
Subject: [PATCH 040/212] refactor(helm): helm binary to sdk refactor [r8s-229]
 (#463)

Co-authored-by: stevensbkang <skan070@gmail.com>
---
 api/cmd/portainer/main.go                     |   7 +-
 api/database/boltdb/json_test.go              |   2 +-
 .../test_data/output_24_to_latest.json        |   2 +-
 api/http/handler/helm/handler.go              |  14 +-
 api/http/handler/helm/helm_delete_test.go     |   4 +-
 api/http/handler/helm/helm_install.go         |  14 +-
 api/http/handler/helm/helm_install_test.go    |   6 +-
 api/http/handler/helm/helm_list_test.go       |   4 +-
 .../handler/helm/helm_repo_search_test.go     |   6 +-
 api/http/handler/helm/helm_show_test.go       |   6 +-
 api/http/handler/settings/settings_update.go  |   2 +-
 api/http/server.go                            |   4 +-
 api/portainer.go                              |  10 +-
 .../HelmApplicationView.test.tsx              |  14 +-
 .../HelmApplicationView.tsx                   |  55 +--
 .../HelmApplicationView/HelmDetailsWidget.tsx |  67 ++++
 build/build_binary.sh                         |   2 -
 build/download_binaries.sh                    |  10 -
 build/download_helm_binary.sh                 |  21 --
 build/linux/Dockerfile                        |   1 -
 build/linux/alpine.Dockerfile                 |   1 -
 build/windows/Dockerfile                      |   1 -
 go.mod                                        | 114 ++++--
 go.sum                                        | 297 ++++++++++-----
 pkg/build/info.go                             |   4 -
 pkg/libhelm/binary/get.go                     |  29 --
 pkg/libhelm/binary/helm_package.go            |  62 ----
 pkg/libhelm/binary/install.go                 |  48 ---
 pkg/libhelm/binary/install_test.go            | 118 ------
 pkg/libhelm/binary/list.go                    |  38 --
 pkg/libhelm/binary/search_repo.go             | 118 ------
 pkg/libhelm/binary/search_repo_test.go        |  50 ---
 pkg/libhelm/binary/show.go                    |  29 --
 pkg/libhelm/binary/uninstall.go               |  29 --
 pkg/libhelm/manager.go                        |  19 +-
 pkg/libhelm/options/cluster_access.go         |   3 +
 pkg/libhelm/sdk/client.go                     | 165 ++++++++
 pkg/libhelm/sdk/client_test.go                | 156 ++++++++
 pkg/libhelm/sdk/install.go                    | 210 +++++++++++
 pkg/libhelm/sdk/install_test.go               | 190 ++++++++++
 pkg/libhelm/sdk/list.go                       | 108 ++++++
 pkg/libhelm/sdk/list_test.go                  |  72 ++++
 pkg/libhelm/sdk/manager.go                    |  23 ++
 pkg/libhelm/sdk/manager_test.go               |  29 ++
 pkg/libhelm/sdk/search_repo.go                | 351 ++++++++++++++++++
 pkg/libhelm/sdk/search_repo_test.go           |  84 +++++
 pkg/libhelm/sdk/show.go                       | 131 +++++++
 pkg/libhelm/sdk/show_test.go                  | 102 +++++
 pkg/libhelm/sdk/uninstall.go                  |  70 ++++
 pkg/libhelm/sdk/uninstall_test.go             |  65 ++++
 pkg/libhelm/sdk/values.go                     |  42 +++
 .../{libhelmtest => test}/integration.go      |   2 +-
 pkg/libhelm/{binary => }/test/mock.go         |   6 +-
 pkg/libhelm/{helm.go => types/types.go}       |  14 +-
 pkg/libhelm/validate_repo.go                  |   4 +
 pkg/libhelm/validate_repo_test.go             |   6 +-
 56 files changed, 2222 insertions(+), 819 deletions(-)
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx
 delete mode 100755 build/download_helm_binary.sh
 delete mode 100644 pkg/libhelm/binary/get.go
 delete mode 100644 pkg/libhelm/binary/helm_package.go
 delete mode 100644 pkg/libhelm/binary/install.go
 delete mode 100644 pkg/libhelm/binary/install_test.go
 delete mode 100644 pkg/libhelm/binary/list.go
 delete mode 100644 pkg/libhelm/binary/search_repo.go
 delete mode 100644 pkg/libhelm/binary/search_repo_test.go
 delete mode 100644 pkg/libhelm/binary/show.go
 delete mode 100644 pkg/libhelm/binary/uninstall.go
 create mode 100644 pkg/libhelm/sdk/client.go
 create mode 100644 pkg/libhelm/sdk/client_test.go
 create mode 100644 pkg/libhelm/sdk/install.go
 create mode 100644 pkg/libhelm/sdk/install_test.go
 create mode 100644 pkg/libhelm/sdk/list.go
 create mode 100644 pkg/libhelm/sdk/list_test.go
 create mode 100644 pkg/libhelm/sdk/manager.go
 create mode 100644 pkg/libhelm/sdk/manager_test.go
 create mode 100644 pkg/libhelm/sdk/search_repo.go
 create mode 100644 pkg/libhelm/sdk/search_repo_test.go
 create mode 100644 pkg/libhelm/sdk/show.go
 create mode 100644 pkg/libhelm/sdk/show_test.go
 create mode 100644 pkg/libhelm/sdk/uninstall.go
 create mode 100644 pkg/libhelm/sdk/uninstall_test.go
 create mode 100644 pkg/libhelm/sdk/values.go
 rename pkg/libhelm/{libhelmtest => test}/integration.go (93%)
 rename pkg/libhelm/{binary => }/test/mock.go (95%)
 rename pkg/libhelm/{helm.go => types/types.go} (72%)

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 88e21f17b..068f31565 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -49,6 +49,7 @@ import (
 	"github.com/portainer/portainer/pkg/build"
 	"github.com/portainer/portainer/pkg/featureflags"
 	"github.com/portainer/portainer/pkg/libhelm"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"
 
 	"github.com/gofrs/uuid"
@@ -169,8 +170,8 @@ func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheMan
 	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
 }
 
-func initHelmPackageManager(assetsPath string) (libhelm.HelmPackageManager, error) {
-	return libhelm.NewHelmPackageManager(libhelm.HelmConfig{BinaryPath: assetsPath})
+func initHelmPackageManager() (libhelmtypes.HelmPackageManager, error) {
+	return libhelm.NewHelmPackageManager()
 }
 
 func initAPIKeyService(datastore dataservices.DataStore) apikey.APIKeyService {
@@ -437,7 +438,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
 
-	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
+	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed initializing helm package manager")
 	}
diff --git a/api/database/boltdb/json_test.go b/api/database/boltdb/json_test.go
index ba0863efd..577aa2cfd 100644
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -10,7 +10,7 @@ import (
 )
 
 const (
-	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://kubernetes.github.io/ingress-nginx","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"InternalAuthSettings": {"RequiredPasswordLength": 12}"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
 	passphrase = "my secret key"
 )
 
diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 8c5dc01e7..89d781169 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -605,7 +605,7 @@
     "GlobalDeploymentOptions": {
       "hideStacksFunctionality": false
     },
-    "HelmRepositoryURL": "",
+    "HelmRepositoryURL": "https://charts.bitnami.com/bitnami",
     "InternalAuthSettings": {
       "RequiredPasswordLength": 12
     },
diff --git a/api/http/handler/helm/handler.go b/api/http/handler/helm/handler.go
index fb941940b..b776fe168 100644
--- a/api/http/handler/helm/handler.go
+++ b/api/http/handler/helm/handler.go
@@ -1,6 +1,7 @@
 package helm
 
 import (
+	"fmt"
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
@@ -8,8 +9,8 @@ import (
 	"github.com/portainer/portainer/api/http/middlewares"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
@@ -23,11 +24,11 @@ type Handler struct {
 	jwtService               portainer.JWTService
 	kubeClusterAccessService kubernetes.KubeClusterAccessService
 	kubernetesDeployer       portainer.KubernetesDeployer
-	helmPackageManager       libhelm.HelmPackageManager
+	helmPackageManager       libhelmtypes.HelmPackageManager
 }
 
 // NewHandler creates a handler to manage endpoint group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelm.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, jwtService portainer.JWTService, kubernetesDeployer portainer.KubernetesDeployer, helmPackageManager libhelmtypes.HelmPackageManager, kubeClusterAccessService kubernetes.KubeClusterAccessService) *Handler {
 	h := &Handler{
 		Router:                   mux.NewRouter(),
 		requestBouncer:           bouncer,
@@ -57,7 +58,7 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 }
 
 // NewTemplateHandler creates a template handler to manage environment(endpoint) group operations.
-func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelm.HelmPackageManager) *Handler {
+func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libhelmtypes.HelmPackageManager) *Handler {
 	h := &Handler{
 		Router:             mux.NewRouter(),
 		helmPackageManager: helmPackageManager,
@@ -78,7 +79,7 @@ func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libh
 
 // getHelmClusterAccess obtains the core k8s cluster access details from request.
 // The cluster access includes the cluster server url, the user's bearer token and the tls certificate.
-// The cluster access is passed in as kube config CLI params to helm binary.
+// The cluster access is passed in as kube config CLI params to helm.
 func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.KubernetesClusterAccess, *httperror.HandlerError) {
 	endpoint, err := middlewares.FetchEndpoint(r)
 	if err != nil {
@@ -107,6 +108,9 @@ func (handler *Handler) getHelmClusterAccess(r *http.Request) (*options.Kubernet
 
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
 	return &options.KubernetesClusterAccess{
+		ClusterName:              fmt.Sprintf("%s-%s", "portainer-cluster", endpoint.Name),
+		ContextName:              fmt.Sprintf("%s-%s", "portainer-ctx", endpoint.Name),
+		UserName:                 fmt.Sprintf("%s-%s", "portainer-sa-user", tokenData.Username),
 		ClusterServerURL:         kubeConfigInternal.ClusterServerURL,
 		CertificateAuthorityFile: kubeConfigInternal.CertificateAuthorityFile,
 		AuthToken:                bearerToken,
diff --git a/api/http/handler/helm/helm_delete_test.go b/api/http/handler/helm/helm_delete_test.go
index 7d676fab9..ed77abdd2 100644
--- a/api/http/handler/helm/helm_delete_test.go
+++ b/api/http/handler/helm/helm_delete_test.go
@@ -13,8 +13,8 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -34,7 +34,7 @@ func Test_helmDelete(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
diff --git a/api/http/handler/helm/helm_install.go b/api/http/handler/helm/helm_install.go
index dd1365f82..fffdf21bb 100644
--- a/api/http/handler/helm/helm_install.go
+++ b/api/http/handler/helm/helm_install.go
@@ -99,15 +99,11 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 	}
 
 	installOpts := options.InstallOptions{
-		Name:      p.Name,
-		Chart:     p.Chart,
-		Namespace: p.Namespace,
-		Repo:      p.Repo,
-		KubernetesClusterAccess: &options.KubernetesClusterAccess{
-			ClusterServerURL:         clusterAccess.ClusterServerURL,
-			CertificateAuthorityFile: clusterAccess.CertificateAuthorityFile,
-			AuthToken:                clusterAccess.AuthToken,
-		},
+		Name:                    p.Name,
+		Chart:                   p.Chart,
+		Namespace:               p.Namespace,
+		Repo:                    p.Repo,
+		KubernetesClusterAccess: clusterAccess,
 	}
 
 	if p.Values != "" {
diff --git a/api/http/handler/helm/helm_install_test.go b/api/http/handler/helm/helm_install_test.go
index 0b87d3a23..ab2da85e6 100644
--- a/api/http/handler/helm/helm_install_test.go
+++ b/api/http/handler/helm/helm_install_test.go
@@ -15,9 +15,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -38,14 +38,14 @@ func Test_helmInstall(t *testing.T) {
 	is.NoError(err, "Error initiating jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
 	is.NotNil(h, "Handler should not fail")
 
 	// Install a single chart.  We expect to get these values back
-	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default", Repo: "https://kubernetes.github.io/ingress-nginx"}
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default", Repo: "https://charts.bitnami.com/bitnami"}
 	optdata, err := json.Marshal(options)
 	is.NoError(err)
 
diff --git a/api/http/handler/helm/helm_list_test.go b/api/http/handler/helm/helm_list_test.go
index 8ef51b324..b8dd40354 100644
--- a/api/http/handler/helm/helm_list_test.go
+++ b/api/http/handler/helm/helm_list_test.go
@@ -14,9 +14,9 @@ import (
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
 	"github.com/portainer/portainer/api/kubernetes"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -37,7 +37,7 @@ func Test_helmList(t *testing.T) {
 	is.NoError(err, "Error initialising jwt service")
 
 	kubernetesDeployer := exectest.NewKubernetesDeployer()
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
 	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
 
diff --git a/api/http/handler/helm/helm_repo_search_test.go b/api/http/handler/helm/helm_repo_search_test.go
index a556908b9..63dac43b5 100644
--- a/api/http/handler/helm/helm_repo_search_test.go
+++ b/api/http/handler/helm/helm_repo_search_test.go
@@ -8,19 +8,19 @@ import (
 	"testing"
 
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )
 
 func Test_helmRepoSearch(t *testing.T) {
 	is := assert.New(t)
 
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)
 
 	assert.NotNil(t, h, "Handler should not fail")
 
-	repos := []string{"https://kubernetes.github.io/ingress-nginx", "https://portainer.github.io/k8s"}
+	repos := []string{"https://charts.bitnami.com/bitnami", "https://portainer.github.io/k8s"}
 
 	for _, repo := range repos {
 		t.Run(repo, func(t *testing.T) {
diff --git a/api/http/handler/helm/helm_show_test.go b/api/http/handler/helm/helm_show_test.go
index fed59388d..385843b65 100644
--- a/api/http/handler/helm/helm_show_test.go
+++ b/api/http/handler/helm/helm_show_test.go
@@ -9,14 +9,14 @@ import (
 	"testing"
 
 	helper "github.com/portainer/portainer/api/internal/testhelpers"
-	"github.com/portainer/portainer/pkg/libhelm/binary/test"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )
 
 func Test_helmShow(t *testing.T) {
 	is := assert.New(t)
 
-	helmPackageManager := test.NewMockHelmBinaryPackageManager("")
+	helmPackageManager := test.NewMockHelmPackageManager()
 	h := NewTemplateHandler(helper.NewTestRequestBouncer(), helmPackageManager)
 
 	is.NotNil(h, "Handler should not fail")
@@ -31,7 +31,7 @@ func Test_helmShow(t *testing.T) {
 		t.Run(cmd, func(t *testing.T) {
 			is.NotNil(h, "Handler should not fail")
 
-			repoUrlEncoded := url.QueryEscape("https://kubernetes.github.io/ingress-nginx")
+			repoUrlEncoded := url.QueryEscape("https://charts.bitnami.com/bitnami")
 			chart := "nginx"
 			req := httptest.NewRequest("GET", fmt.Sprintf("/templates/helm/%s?repo=%s&chart=%s", cmd, repoUrlEncoded, chart), nil)
 			rr := httptest.NewRecorder()
diff --git a/api/http/handler/settings/settings_update.go b/api/http/handler/settings/settings_update.go
index 895da489c..0b36dbc62 100644
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -46,7 +46,7 @@ type settingsUpdatePayload struct {
 	// Whether telemetry is enabled
 	EnableTelemetry *bool `example:"false"`
 	// Helm repository URL
-	HelmRepositoryURL *string `example:"https://kubernetes.github.io/ingress-nginx"`
+	HelmRepositoryURL *string `example:"https://charts.bitnami.com/bitnami"`
 	// Kubectl Shell Image
 	KubectlShellImage *string `example:"portainer/kubectl-shell:latest"`
 	// TrustOnFirstConnect makes Portainer accepting edge agent connection by default
diff --git a/api/http/server.go b/api/http/server.go
index c5bb0d40f..3dcc84d2d 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -67,7 +67,7 @@ import (
 	"github.com/portainer/portainer/api/platform"
 	"github.com/portainer/portainer/api/scheduler"
 	"github.com/portainer/portainer/api/stacks/deployments"
-	"github.com/portainer/portainer/pkg/libhelm"
+	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 
 	"github.com/rs/zerolog/log"
 )
@@ -103,7 +103,7 @@ type Server struct {
 	DockerClientFactory         *dockerclient.ClientFactory
 	KubernetesClientFactory     *cli.ClientFactory
 	KubernetesDeployer          portainer.KubernetesDeployer
-	HelmPackageManager          libhelm.HelmPackageManager
+	HelmPackageManager          libhelmtypes.HelmPackageManager
 	Scheduler                   *scheduler.Scheduler
 	ShutdownCtx                 context.Context
 	ShutdownTrigger             context.CancelFunc
diff --git a/api/portainer.go b/api/portainer.go
index 990747813..9e1451633 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -588,7 +588,7 @@ type (
 		// User identifier
 		UserID UserID `json:"UserId" example:"1"`
 		// Helm repository URL
-		URL string `json:"URL" example:"https://kubernetes.github.io/ingress-nginx"`
+		URL string `json:"URL" example:"https://charts.bitnami.com/bitnami"`
 	}
 
 	// QuayRegistryData represents data required for Quay registry to work
@@ -984,8 +984,8 @@ type (
 		KubeconfigExpiry string `json:"KubeconfigExpiry" example:"24h"`
 		// Whether telemetry is enabled
 		EnableTelemetry bool `json:"EnableTelemetry" example:"false"`
-		// Helm repository URL, defaults to ""
-		HelmRepositoryURL string `json:"HelmRepositoryURL"`
+		// Helm repository URL, defaults to "https://charts.bitnami.com/bitnami"
+		HelmRepositoryURL string `json:"HelmRepositoryURL" example:"https://charts.bitnami.com/bitnami"`
 		// KubectlImage, defaults to portainer/kubectl-shell
 		KubectlShellImage string `json:"KubectlShellImage" example:"portainer/kubectl-shell"`
 		// TrustOnFirstConnect makes Portainer accepting edge agent connection by default
@@ -1673,8 +1673,8 @@ const (
 	DefaultEdgeAgentCheckinIntervalInSeconds = 5
 	// DefaultTemplatesURL represents the URL to the official templates supported by Portainer
 	DefaultTemplatesURL = "https://raw.githubusercontent.com/portainer/templates/v3/templates.json"
-	// DefaultHelmrepositoryURL set to empty string until oci support is added
-	DefaultHelmRepositoryURL = ""
+	// DefaultHelmrepositoryURL represents the URL to the official templates supported by Bitnami
+	DefaultHelmRepositoryURL = "https://charts.bitnami.com/bitnami"
 	// DefaultUserSessionTimeout represents the default timeout after which the user session is cleared
 	DefaultUserSessionTimeout = "8h"
 	// DefaultUserSessionTimeout represents the default timeout after which the user session is cleared
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
index 296b17ff5..63b0468eb 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
@@ -62,19 +62,19 @@ describe('HelmApplicationView', () => {
     expect(await screen.findByText('Helm details')).toBeInTheDocument();
 
     // Check for the release details
-    expect(screen.getByText('Release')).toBeInTheDocument();
+    expect(await screen.findByText('Release')).toBeInTheDocument();
 
     // Check for the table content
-    expect(screen.getByText('Name')).toBeInTheDocument();
-    expect(screen.getByText('Chart')).toBeInTheDocument();
-    expect(screen.getByText('App version')).toBeInTheDocument();
+    expect(await screen.findByText('Name')).toBeInTheDocument();
+    expect(await screen.findByText('Chart')).toBeInTheDocument();
+    expect(await screen.findByText('App version')).toBeInTheDocument();
 
     // Check for the actual values
-    expect(screen.getByTestId('k8sAppDetail-appName')).toHaveTextContent(
+    expect(await screen.findByTestId('k8sAppDetail-appName')).toHaveTextContent(
       'test-release'
     );
-    expect(screen.getByText('test-chart-1.0.0')).toBeInTheDocument();
-    expect(screen.getByText('1.0.0')).toBeInTheDocument();
+    expect(await screen.findByText('test-chart-1.0.0')).toBeInTheDocument();
+    expect(await screen.findByText('1.0.0')).toBeInTheDocument();
   });
 
   it('should display error message when API request fails', async () => {
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
index f50b59154..fa02574cc 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -1,37 +1,13 @@
 import { useCurrentStateAndParams } from '@uirouter/react';
 
 import { PageHeader } from '@/react/components/PageHeader';
-import { Widget, WidgetBody, WidgetTitle } from '@/react/components/Widget';
-import helm from '@/assets/ico/vendor/helm.svg?c';
-import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
 
-import { ViewLoading } from '@@/ViewLoading';
-import { Alert } from '@@/Alert';
-
-import { useHelmRelease } from './queries/useHelmRelease';
+import { HelmDetailsWidget } from './HelmDetailsWidget';
 
 export function HelmApplicationView() {
   const { params } = useCurrentStateAndParams();
-  const environmentId = useEnvironmentId();
 
-  const name = params.name as string;
-  const namespace = params.namespace as string;
-
-  const {
-    data: release,
-    isLoading,
-    error,
-  } = useHelmRelease(environmentId, name, namespace);
-
-  if (isLoading) {
-    return <ViewLoading />;
-  }
-
-  if (error || !release) {
-    return (
-      <Alert color="error" title="Failed to load Helm application details" />
-    );
-  }
+  const { name, namespace } = params;
 
   return (
     <>
@@ -46,32 +22,7 @@ export function HelmApplicationView() {
 
       <div className="row">
         <div className="col-sm-12">
-          <Widget>
-            <WidgetTitle icon={helm} title="Release" />
-            <WidgetBody>
-              <table className="table">
-                <tbody>
-                  <tr>
-                    <td className="!border-none w-40">Name</td>
-                    <td
-                      className="!border-none min-w-[140px]"
-                      data-cy="k8sAppDetail-appName"
-                    >
-                      {release.name}
-                    </td>
-                  </tr>
-                  <tr>
-                    <td className="!border-t">Chart</td>
-                    <td className="!border-t">{release.chart}</td>
-                  </tr>
-                  <tr>
-                    <td>App version</td>
-                    <td>{release.app_version}</td>
-                  </tr>
-                </tbody>
-              </table>
-            </WidgetBody>
-          </Widget>
+          <HelmDetailsWidget name={name} namespace={namespace} />
         </div>
       </div>
     </>
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx
new file mode 100644
index 000000000..97703e0ff
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx
@@ -0,0 +1,67 @@
+import {
+  Loading,
+  Widget,
+  WidgetBody,
+  WidgetTitle,
+} from '@/react/components/Widget';
+import helm from '@/assets/ico/vendor/helm.svg?c';
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+
+import { Alert } from '@@/Alert';
+
+import { useHelmRelease } from './queries/useHelmRelease';
+
+interface HelmDetailsWidgetProps {
+  name: string;
+  namespace: string;
+}
+
+export function HelmDetailsWidget({ name, namespace }: HelmDetailsWidgetProps) {
+  const environmentId = useEnvironmentId();
+
+  const {
+    data: release,
+    isInitialLoading,
+    isError,
+  } = useHelmRelease(environmentId, name, namespace);
+
+  return (
+    <Widget>
+      <WidgetTitle icon={helm} title="Release" />
+      <WidgetBody>
+        {isInitialLoading && <Loading />}
+
+        {isError && (
+          <Alert
+            color="error"
+            title="Failed to load Helm application details"
+          />
+        )}
+
+        {!isInitialLoading && !isError && release && (
+          <table className="table">
+            <tbody>
+              <tr>
+                <td className="!border-none w-40">Name</td>
+                <td
+                  className="!border-none min-w-[140px]"
+                  data-cy="k8sAppDetail-appName"
+                >
+                  {release.name}
+                </td>
+              </tr>
+              <tr>
+                <td className="!border-t">Chart</td>
+                <td className="!border-t">{release.chart}</td>
+              </tr>
+              <tr>
+                <td>App version</td>
+                <td>{release.app_version}</td>
+              </tr>
+            </tbody>
+          </table>
+        )}
+      </WidgetBody>
+    </Widget>
+  );
+}
diff --git a/build/build_binary.sh b/build/build_binary.sh
index 6f87cd939..9051c76d2 100755
--- a/build/build_binary.sh
+++ b/build/build_binary.sh
@@ -23,7 +23,6 @@ GIT_COMMIT_HASH=${GIT_COMMIT_HASH:-$(git rev-parse --short HEAD)}
 
 # populate dependencies versions
 DOCKER_VERSION=$(jq -r '.docker' < "${BINARY_VERSION_FILE}")
-HELM_VERSION=$(jq -r '.helm' < "${BINARY_VERSION_FILE}")
 KUBECTL_VERSION=$(jq -r '.kubectl' < "${BINARY_VERSION_FILE}")
 COMPOSE_VERSION=$(go list -m -f '{{.Version}}' github.com/docker/compose/v2)
 
@@ -52,7 +51,6 @@ ldflags="-s -X 'github.com/portainer/liblicense.LicenseServerBaseURL=https://api
 -X 'github.com/portainer/portainer/pkg/build.GoVersion=${GO_VERSION}' \
 -X 'github.com/portainer/portainer/pkg/build.DepComposeVersion=${COMPOSE_VERSION}' \
 -X 'github.com/portainer/portainer/pkg/build.DepDockerVersion=${DOCKER_VERSION}' \
--X 'github.com/portainer/portainer/pkg/build.DepHelmVersion=${HELM_VERSION}' \
 -X 'github.com/portainer/portainer/pkg/build.DepKubectlVersion=${KUBECTL_VERSION}'"
 
 echo "$ldflags"
diff --git a/build/download_binaries.sh b/build/download_binaries.sh
index 75e571a20..05c2c780b 100755
--- a/build/download_binaries.sh
+++ b/build/download_binaries.sh
@@ -17,12 +17,10 @@ echo "Checking and downloading binaries for docker ${dockerVersion}, helm ${helm
 
 # Determine the binary file names based on the platform
 dockerBinary="dist/docker"
-helmBinary="dist/helm"
 kubectlBinary="dist/kubectl"
 
 if [ "$PLATFORM" == "windows" ]; then
     dockerBinary="dist/docker.exe"
-    helmBinary="dist/helm.exe"
     kubectlBinary="dist/kubectl.exe"
 fi
 
@@ -34,14 +32,6 @@ else
     echo "Docker binary already exists, skipping download."
 fi
 
-# Check and download helm binary
-if [ ! -f "$helmBinary" ]; then
-    echo "Downloading helm binary..."
-    /usr/bin/env bash ./build/download_helm_binary.sh "$PLATFORM" "$ARCH" "$helmVersion"
-else
-    echo "Helm binary already exists, skipping download."
-fi
-
 # Check and download kubectl binary
 if [ ! -f "$kubectlBinary" ]; then
     echo "Downloading kubectl binary..."
diff --git a/build/download_helm_binary.sh b/build/download_helm_binary.sh
deleted file mode 100755
index ae3de93e7..000000000
--- a/build/download_helm_binary.sh
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-if [[ $# -ne 3 ]]; then
-    echo "Illegal number of parameters" >&2
-    exit 1
-fi
-
-PLATFORM=$1
-ARCH=$2
-HELM_VERSION=$3
-HELM_DIST="helm-$HELM_VERSION-$PLATFORM-$ARCH"
-
-
-if [[ ${PLATFORM} == "windows" ]]; then
-  wget --tries=3 --waitretry=30 --quiet  -O tmp.zip "https://get.helm.sh/${HELM_DIST}.zip" && unzip -o -j tmp.zip "${PLATFORM}-${ARCH}/helm.exe" -d dist && rm -f tmp.zip
-else
-  wget -qO- "https://get.helm.sh/${HELM_DIST}.tar.gz" | tar -x -z --strip-components 1 "${PLATFORM}-${ARCH}/helm"
-  mv "helm" "dist/helm"
-  chmod +x "dist/helm"
-fi
diff --git a/build/linux/Dockerfile b/build/linux/Dockerfile
index f7a921220..eeded41c1 100644
--- a/build/linux/Dockerfile
+++ b/build/linux/Dockerfile
@@ -11,7 +11,6 @@ LABEL org.opencontainers.image.title="Portainer" \
   com.docker.extension.additional-urls="[{\"title\":\"Website\",\"url\":\"https://www.portainer.io?utm_campaign=DockerCon&utm_source=DockerDesktop\"},{\"title\":\"Documentation\",\"url\":\"https://docs.portainer.io\"},{\"title\":\"Support\",\"url\":\"https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA\"}]"
 
 COPY dist/docker /
-COPY dist/helm /
 COPY dist/kubectl /
 COPY dist/mustache-templates /mustache-templates/
 COPY dist/portainer /
diff --git a/build/linux/alpine.Dockerfile b/build/linux/alpine.Dockerfile
index 0f7b29145..e2ced7d3e 100644
--- a/build/linux/alpine.Dockerfile
+++ b/build/linux/alpine.Dockerfile
@@ -11,7 +11,6 @@ LABEL org.opencontainers.image.title="Portainer" \
     com.docker.extension.additional-urls="[{\"title\":\"Website\",\"url\":\"https://www.portainer.io?utm_campaign=DockerCon&utm_source=DockerDesktop\"},{\"title\":\"Documentation\",\"url\":\"https://docs.portainer.io\"},{\"title\":\"Support\",\"url\":\"https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA\"}]"
 
 COPY dist/docker /
-COPY dist/helm /
 COPY dist/kubectl /
 COPY dist/mustache-templates /mustache-templates/
 COPY dist/portainer /
diff --git a/build/windows/Dockerfile b/build/windows/Dockerfile
index bf9f0f41b..324e68f04 100644
--- a/build/windows/Dockerfile
+++ b/build/windows/Dockerfile
@@ -10,7 +10,6 @@ USER ContainerAdministrator
 
 COPY dist/mingit/ mingit/
 COPY dist/docker.exe /
-COPY dist/helm.exe /
 COPY dist/kubectl.exe /
 COPY dist/mustache-templates /mustache-templates/
 COPY dist/portainer.exe /
diff --git a/go.mod b/go.mod
index 1749b8c20..78f3a8adb 100644
--- a/go.mod
+++ b/go.mod
@@ -55,10 +55,11 @@ require (
 	golang.org/x/sync v0.10.0
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/yaml.v3 v3.0.1
-	k8s.io/api v0.29.2
-	k8s.io/apimachinery v0.29.2
-	k8s.io/client-go v0.29.2
-	k8s.io/metrics v0.27.4
+	helm.sh/helm/v3 v3.17.1
+	k8s.io/api v0.32.1
+	k8s.io/apimachinery v0.32.1
+	k8s.io/client-go v0.32.1
+	k8s.io/metrics v0.32.1
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
 
@@ -70,8 +71,12 @@ require (
 	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
-	github.com/BurntSushi/toml v1.3.2 // indirect
-	github.com/Masterminds/semver/v3 v3.2.1 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/MakeNowJust/heredoc v1.0.0 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
+	github.com/Masterminds/semver/v3 v3.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/ProtonMail/go-crypto v1.1.3 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
@@ -89,9 +94,11 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/chai2010/gettext-go v1.0.2 // indirect
 	github.com/cloudflare/cfssl v1.6.4 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/console v1.0.4 // indirect
@@ -106,8 +113,8 @@ require (
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/ocicrypt v1.1.10 // indirect
 	github.com/containers/storage v1.53.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.2.5 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/buildx v0.18.0 // indirect
 	github.com/docker/cli-docs-tool v0.8.0 // indirect
@@ -120,39 +127,49 @@ require (
 	github.com/eiannone/keyboard v0.0.0-20220611211555-0d226195f203 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/fatih/color v1.15.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsevents v0.2.0 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
+	github.com/go-errors/errors v1.4.2 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.0 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/go-gorp/gorp/v3 v3.1.0 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
-	github.com/go-openapi/swag v0.22.10 // indirect
+	github.com/go-openapi/swag v0.23.0 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/btree v1.0.1 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 // indirect
+	github.com/gosuri/uitable v0.0.4 // indirect
+	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/imdario/mergo v0.3.16 // indirect
+	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jmoiron/sqlx v1.4.0 // indirect
 	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/ansi v1.0.3 // indirect
@@ -162,22 +179,28 @@ require (
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
 	github.com/klauspost/pgzip v1.2.6 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/leodido/go-urn v1.2.2 // indirect
+	github.com/lib/pq v1.10.9 // indirect
+	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
+	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/buildkit v0.17.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
-	github.com/moby/spdystream v0.2.0 // indirect
+	github.com/moby/spdystream v0.5.0 // indirect
 	github.com/moby/sys/capability v0.4.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
@@ -188,28 +211,34 @@ require (
 	github.com/moby/term v0.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opencontainers/runtime-spec v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_golang v1.17.0 // indirect
-	github.com/prometheus/client_model v0.5.0 // indirect
-	github.com/prometheus/common v0.44.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/r3labs/sse v0.0.0-20210224172625-26fe804710bc // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
+	github.com/rubenv/sql-migrate v1.7.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/segmentio/asm v1.1.3 // indirect
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
@@ -223,44 +252,55 @@ require (
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
 	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
+	github.com/xlab/treeprint v1.2.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 // indirect
-	go.opentelemetry.io/otel v1.25.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
+	go.opentelemetry.io/otel v1.28.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0 // indirect
-	go.opentelemetry.io/otel/metric v1.25.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.25.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.21.0 // indirect
-	go.opentelemetry.io/otel/trace v1.25.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.1.0 // indirect
+	go.opentelemetry.io/otel/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.28.0 // indirect
+	go.opentelemetry.io/otel/trace v1.28.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/time v0.7.0 // indirect
 	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
 	google.golang.org/grpc v1.68.0 // indirect
 	google.golang.org/protobuf v1.35.1 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
+	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
-	k8s.io/klog/v2 v2.110.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
-	k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
-	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
+	k8s.io/apiextensions-apiserver v0.32.1 // indirect
+	k8s.io/apiserver v0.32.1 // indirect
+	k8s.io/cli-runtime v0.32.1 // indirect
+	k8s.io/component-base v0.32.1 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+	k8s.io/kubectl v0.32.1 // indirect
+	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
+	oras.land/oras-go v1.2.5 // indirect
+	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
+	sigs.k8s.io/kustomize/api v0.18.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/yaml v1.4.0 // indirect
 	tags.cncf.io/container-device-interface v0.8.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 6427b69de..278c4cdd3 100644
--- a/go.sum
+++ b/go.sum
@@ -1,9 +1,7 @@
-cloud.google.com/go v0.112.0 h1:tpFCD7hpHFlQ8yPwT3x+QeXqc2T6+n6T+hmABHfDUSM=
-cloud.google.com/go/compute v1.24.0 h1:phWcR2eWzRJaL/kOiJwfFsPs4BaKq1j6vnpZrc1YlVg=
-cloud.google.com/go/compute/metadata v0.5.0 h1:Zr0eK8JbFv6+Wi4ilXAR8FJ3wyNdpxHKJNPos6LTZOY=
-cloud.google.com/go/compute/metadata v0.5.0/go.mod h1:aHnloV2TPI38yx4s9+wAZhHykWvVCfu7hQbF+9CWoiY=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
 github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
@@ -15,12 +13,22 @@ github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg6
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
-github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
+github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
+github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
+github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver v1.5.0 h1:H65muMkzWKEuNDnfl9d70GUjFniHKHRbFPGBuZ3QEww=
 github.com/Masterminds/semver v1.5.0/go.mod h1:MB6lktGJrhw8PrUyiEoblNEGEQ+RzHPF078ddwwvV3Y=
-github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
-github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
+github.com/Masterminds/semver/v3 v3.3.0 h1:B8LGeaivUe71a5qox1ICM/JLl0NqZSW5CHyL+hmvYS0=
+github.com/Masterminds/semver/v3 v3.3.0/go.mod h1:4V+yj/TJE1HU9XfppCwVMZq3I84lprf4nC11bSS5beM=
+github.com/Masterminds/sprig/v3 v3.3.0 h1:mQh0Yrg1XPo6vjYXgtf5OtijNAKJRNcTdOOGZe3tPhs=
+github.com/Masterminds/sprig/v3 v3.3.0/go.mod h1:Zy1iXRYNqNLUolqCpL4uhk6SHUMAOSCzdgBfDb35Lz0=
+github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
+github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
@@ -90,7 +98,11 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bitly/go-hostpool v0.1.0/go.mod h1:4gOCgp6+NZnVqlKyZ/iBZFTAJKembaVENUpMkpg42fw=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
+github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
+github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70=
+github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
 github.com/buger/goterm v1.0.4 h1:Z9YvGmOih81P0FbVtEYTFF6YsSgxSUKEhf/f9bTMXbY=
 github.com/buger/goterm v1.0.4/go.mod h1:HiFWV3xnkolgrBV3mY8m0X0Pumt4zg4QhbdOzQtB8tE=
 github.com/bugsnag/bugsnag-go v1.0.5-0.20150529004307-13fd6b8acda0 h1:s7+5BfS4WFJoVF9pnB8kBk03S7pZXRdKamnV0FOl5Sc=
@@ -106,13 +118,13 @@ github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyY
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/chai2010/gettext-go v1.0.2 h1:1Lwwip6Q2QGsAdl/ZKPCwTe9fe0CjlUbqj5bFNSjIRk=
+github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHeQQ+5AjwawxA=
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
 github.com/cloudflare/cfssl v1.6.4 h1:NMOvfrEjFfC63K3SGXgAnFdsgkmiq4kATme5BfcqrO8=
 github.com/cloudflare/cfssl v1.6.4/go.mod h1:8b3CQMxfWPAeom3zBnGJ6sd+G1NkL5TXqmDXacb+1J0=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 h1:QVw89YDxXxEe+l8gU8ETbOasdwEV+avkR75ZzsVV9WI=
-github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
 github.com/compose-spec/compose-go/v2 v2.4.5 h1:p4ih4Jb6VgGPLPxh3fSFVKAjFHtZd+7HVLCSFzcFx9Y=
@@ -161,14 +173,17 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
 github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/cyphar/filepath-securejoin v0.2.5 h1:6iR5tXJ/e6tJZzzdMc1km3Sa7RRIVBKAK32O2s7AYfo=
-github.com/cyphar/filepath-securejoin v0.2.5/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
+github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
+github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5 h1:RAV05c0xOkJ3dZGS0JFybxFKZ2WMLabgx3uXnd7rpGs=
 github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
 github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
+github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc=
+github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/buildx v0.18.0 h1:rSauXHeJt90NvtXrLK5J992Eb0UPJZs2vV3u1zTf1nE=
@@ -209,13 +224,19 @@ github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxER
 github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
-github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM=
-github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
-github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
-github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
+github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
+github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
+github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
+github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/foxcpp/go-mockdns v1.1.0 h1:jI0rD8M0wuYAxL7r/ynTrCQQq0BVqfB99Vgk7DlmewI=
+github.com/foxcpp/go-mockdns v1.1.0/go.mod h1:IhLeSFGed3mJIAXPH2aiRQB+kqz7oqu8ld2qVbOu7Wk=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsevents v0.2.0 h1:BRlvlqjvNTfogHfeBOFvSC9N0Ddy+wzQCQukyoD7o/c=
 github.com/fsnotify/fsevents v0.2.0/go.mod h1:B3eEk39i4hz8y1zaWS/wPrAP4O6wkIl7HQwKBr1qH/w=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
@@ -223,12 +244,16 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
 github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
 github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQmYw=
 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
+github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
+github.com/fxamacker/cbor/v2 v2.7.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814 h1:gWvniJ4GbFfkf700kykAImbLiEMU0Q3QN9hQ26Js1pU=
 github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814/go.mod h1:secRm32Ro77eD23BmPVbgLbWN+JWDw7pJszenjxI4bI=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-asn1-ber/asn1-ber v1.5.1 h1:pDbRAunXzIUXfx4CB2QJFv5IuPiuoW+sWvr/Us009o8=
 github.com/go-asn1-ber/asn1-ber v1.5.1/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
+github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=
+github.com/go-errors/errors v1.4.2/go.mod h1:sIVyrIiJhuEF+Pj9Ebtd6P/rEYROXFi3BopGUQ5a5Og=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
 github.com/go-git/go-billy/v5 v5.6.0 h1:w2hPNtoehvJIxR00Vb4xX94qHQi/ApZfX+nBE2Cjio8=
@@ -237,24 +262,26 @@ github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMj
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
 github.com/go-git/go-git/v5 v5.13.0 h1:vLn5wlGIh/X78El6r3Jr+30W16Blk0CTcxTYcYPWi5E=
 github.com/go-git/go-git/v5 v5.13.0/go.mod h1:Wjo7/JyVKtQgUNdXYXIepzWfJQkUEIGvkvVkiXRR/zw=
+github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
+github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-ldap/ldap/v3 v3.4.1 h1:fU/0xli6HY02ocbMuozHAYsaHLcnkLjvho2r5a34BUU=
 github.com/go-ldap/ldap/v3 v3.4.1/go.mod h1:iYS1MdmrmceOJ1QOTnRXrIs7i3kloqtmGQjRvjKpyMg=
 github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9GBnD5lWE=
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonpointer v0.21.0 h1:YgdVicSA9vH5RiHs9TZW5oyafXZFc6+2Vc1rr/O9oNQ=
+github.com/go-openapi/jsonpointer v0.21.0/go.mod h1:IUyH9l/+uyhIYQ/PXVA41Rexl+kOkAPDdXEYns6fzUY=
 github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
 github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
-github.com/go-openapi/swag v0.22.10 h1:4y86NVn7Z2yYd6pfS4Z+Nyh3aAUL3Nul+LMbhFKy0gA=
-github.com/go-openapi/swag v0.22.10/go.mod h1:Cnn8BYtRlx6BNE3DPN86f/xkapGIcLWzh3CLEb4C1jI=
+github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
+github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
@@ -264,13 +291,15 @@ github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91
 github.com/go-playground/validator/v10 v10.12.0 h1:E4gtWgxWxp8YSxExrQFv5BpCahla0PVF2oTTEYaWQGI=
 github.com/go-playground/validator/v10 v10.12.0/go.mod h1:hCAPuzYvKdP33pxWa+2+6AIKXEKqjIUyqsNCtbsSJrA=
 github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
-github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
-github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
+github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
+github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
 github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
 github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
+github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
 github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
@@ -293,6 +322,10 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k=
+github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
+github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
+github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
 github.com/google/certificate-transparency-go v1.0.10-0.20180222191210-5ab67e519c93/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.4 h1:hCyXHDbtqlr/lMXU0D4WgbalXL0Zk4dSWWMbPV8VrqY=
 github.com/google/certificate-transparency-go v1.1.4/go.mod h1:D6lvbfwckhNrbM9WVl1EVeMOyzC19mpIjMOI4nxBHtQ=
@@ -305,24 +338,29 @@ github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
-github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db h1:097atOisP2aRj7vFgYQBbFN4U4JNXUNYpxael3UzMyo=
+github.com/google/pprof v0.0.0-20241029153458-d1b30febd7db/go.mod h1:vavhavw2zAxS5dIdcRluK6cSGGPlZynqzFM8NdvU144=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
 github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
+github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
-github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0 h1:Wqo399gCIufwto+VfwCSvsnfGpF/w5E9CNxSwbpD6No=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0/go.mod h1:qmOFXW2epJhM0qSnUUYpldc7gVz2KMQwJ/QYCDIa7XU=
+github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
+github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
+github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -339,8 +377,8 @@ github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uG
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4=
-github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
+github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/in-toto/in-toto-golang v0.9.0 h1:tHny7ac4KgtsfrG6ybU8gVOZux2H8jN05AXJ9EBM1XU=
 github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3lUTQd+eF9HdeMo=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
@@ -357,8 +395,8 @@ github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9Y
 github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
 github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/jmoiron/sqlx v1.3.3 h1:j82X0bf7oQ27XeqxicSZsTU5suPwKElg3oyxNn43iTk=
-github.com/jmoiron/sqlx v1.3.3/go.mod h1:2BljVx/86SuTyjE+aPYlHCTNvZrnJXghYGpNiXLBMCQ=
+github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
+github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
 github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
@@ -402,9 +440,17 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
 github.com/leodido/go-urn v1.2.2 h1:7z68G0FCGvDk646jz1AelTYNYWrTNm0bEcFAo147wt4=
 github.com/leodido/go-urn v1.2.2/go.mod h1:kUaIbLZWttglzwNuG0pgsh5vuV6u2YcGBYz1hIPjtOQ=
 github.com/lib/pq v0.0.0-20150723085316-0dad96c0b94f/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
+github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
+github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/magiconair/properties v1.5.3 h1:C8fxWnhYyME3n0klPOhVM7PtYUB3eV1W3DeFmN3j53Y=
 github.com/magiconair/properties v1.5.3/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
@@ -423,19 +469,27 @@ github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
+github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
-github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b h1:j7+1HpAFS1zy5+Q4qx1fWh90gTKwiN4QCGoY9TWyyO4=
 github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
+github.com/miekg/dns v1.1.57 h1:Jzi7ApEIzwEPLHWRcafCN9LZSBbqQpxjt/wpgvg7wcM=
+github.com/miekg/dns v1.1.57/go.mod h1:uqRjCRUuEAA6qsOiJvDd+CFo/vW+y5WR6SNmHE55hZk=
 github.com/miekg/pkcs11 v1.0.2/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
 github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
+github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
+github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/mapstructure v0.0.0-20150613213606-2caf8efc9366/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
+github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/buildkit v0.17.2 h1:/jgk/MuXbA7jeXMkknOpHYB+Ct4aNvQHkBB7SxD3D4U=
 github.com/moby/buildkit v0.17.2/go.mod h1:vr5vltV8wt4F2jThbNOChfbAklJ0DOW11w36v210hOg=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
@@ -444,8 +498,8 @@ github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
-github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8=
-github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c=
+github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
+github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
 github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk=
 github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
@@ -469,6 +523,8 @@ github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lN
 github.com/modern-go/reflect2 v1.0.1/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
 github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/2gBQ3RWajuToeY6ZtZTIKv2v7ThUy5KKusIT0yc0=
+github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -480,12 +536,12 @@ github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLA
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.12.0 h1:Iw5WCbBcaAAd0fpRb1c9r5YCylv4XDoCSigm1zLevwU=
 github.com/onsi/ginkgo v1.12.0/go.mod h1:oUhWkIvk5aDxtKvDDuw8gItl8pKl42LzjC9KZE0HfGg=
-github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
-github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
+github.com/onsi/ginkgo/v2 v2.21.0 h1:7rg/4f3rB88pb5obDgNZrNHrQ4e6WpjonchcpuBRnZM=
+github.com/onsi/ginkgo/v2 v2.21.0/go.mod h1:7Du3c42kxCUegi0IImZ1wUQzMBVecgIHjR1C+NkhLQo=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
-github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
-github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
+github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
+github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -505,6 +561,10 @@ github.com/patrickmn/go-cache v2.1.0+incompatible h1:HRMgzkcYKYpi3C8ajMPV8OFXaaR
 github.com/patrickmn/go-cache v2.1.0+incompatible/go.mod h1:3Qf8kWWT7OJRJbdiICTKqZju1ZixQ/KpMGzzAfe6+WQ=
 github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8=
 github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c=
+github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI=
+github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI=
+github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE=
 github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4=
 github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI=
 github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
@@ -513,24 +573,27 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
 github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
+github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg=
 github.com/prometheus/client_golang v0.9.0-pre1.0.20180209125602-c332b6f63c06/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
-github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
+github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
+github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
 github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
-github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
+github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
+github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
 github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
+github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
@@ -544,11 +607,14 @@ github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
+github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
 github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
+github.com/rubenv/sql-migrate v1.7.1 h1:f/o0WgfO/GqNuVg+6801K/KW3WdDSupzSjDYODmiUq4=
+github.com/rubenv/sql-migrate v1.7.1/go.mod h1:Ob2Psprc0/3ggbM6wCzyYVFFuc6FyZrb2AS+ezLDFb4=
+github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/rwtodd/Go.Sed v0.0.0-20210816025313-55464686f9ef/go.mod h1:8AEUvGVi2uQ5b24BIhcr0GCcpd/RNAFWaN2CJFrWIIQ=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
@@ -563,6 +629,8 @@ github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b h1:h+3JX2VoWTFuyQ
 github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b/go.mod h1:/yeG0My1xr/u+HZrFQ1tOQQQQrOawfyMUH13ai5brBc=
 github.com/shibumi/go-pathspec v1.3.0 h1:QUyMZhFo0Md5B8zV8x2tesohbb5kfbpTi9rBnKh5dkI=
 github.com/shibumi/go-pathspec v1.3.0/go.mod h1:Xutfslp817l2I1cZvgcfeMQJG5QnU2lh5tVaaMCl3jE=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
@@ -575,8 +643,9 @@ github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 h1:JIAuq3EE
 github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966/go.mod h1:sUM3LWHvSMaG192sy56D9F7CNvL7jUJVXoqM1QKLnog=
 github.com/spdx/tools-golang v0.5.3 h1:ialnHeEYUC4+hkm5vJm4qz2x+oEJbS0mAMFrNXdQraY=
 github.com/spdx/tools-golang v0.5.3/go.mod h1:/ETOahiAo96Ob0/RAIBmFZw6XN0yTnyr/uFZm2NTMhI=
-github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94 h1:JmfC365KywYwHB946TTiQWEb8kqPY+pybPLoGE9GgVk=
 github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
@@ -592,6 +661,8 @@ github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoHMkEqE=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
@@ -632,6 +703,8 @@ github.com/viney-shih/go-lock v1.1.1 h1:SwzDPPAiHpcwGCr5k8xD15d2gQSo8d4roRYd7TDV
 github.com/viney-shih/go-lock v1.1.1/go.mod h1:Yijm78Ljteb3kRiJrbLAxVntkUukGu5uzSxq/xV7OO8=
 github.com/weppos/publicsuffix-go v0.15.1-0.20210511084619-b1f36a2d6c0b h1:FsyNrX12e5BkplJq7wKOLk0+C6LZ+KGXvuEcKUYm5ss=
 github.com/weppos/publicsuffix-go v0.15.1-0.20210511084619-b1f36a2d6c0b/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
+github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
+github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
 github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
@@ -641,9 +714,17 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
+github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI=
+github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
+github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE=
+github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
+github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
+github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
 github.com/zmap/zcrypto v0.0.0-20210511125630-18f1e0152cfc h1:zkGwegkOW709y0oiAraH/3D8njopUR/pARHv4tZZ6pw=
 github.com/zmap/zcrypto v0.0.0-20210511125630-18f1e0152cfc/go.mod h1:FM4U1E3NzlNMRnSUTU3P1UdukWhYGifqEsjk9fn7BCk=
 github.com/zmap/zlint/v3 v3.1.0 h1:WjVytZo79m/L1+/Mlphl09WBob6YTGljN5IGWZFpAv0=
@@ -652,34 +733,34 @@ go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
 go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 h1:SpGay3w+nEwMpfVnbqOLH5gY52/foP8RE8UzTZ1pdSE=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 h1:gbhw/u49SS3gkPWiYweQNJGm/uJN5GkI/FrosxSHT7A=
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1/go.mod h1:GnOaBaFQ2we3b9AGWJpsBa7v1S5RlQzlC3O7dRMxZhM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0 h1:cEPbyTSEHlQR89XVlyo78gqluF8Y3oMeBkXGWzQsfXY=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.50.0/go.mod h1:DKdbWcT4GH1D0Y3Sqt/PFXt2naRKDWtU+eE6oLdFNA8=
-go.opentelemetry.io/otel v1.25.0 h1:gldB5FfhRl7OJQbUHt/8s0a7cE8fbsPAtdpRaApKy4k=
-go.opentelemetry.io/otel v1.25.0/go.mod h1:Wa2ds5NOXEMkCmUou1WA7ZBfLTHWIsp034OVD7AO+Vg=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
+go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
+go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0 h1:jd0+5t/YynESZqsSyPz+7PAFdEop0dlN0+PkyHYo8oI=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0/go.mod h1:U707O40ee1FpQGyhvqnzmCJm1Wh6OX6GGBVn0E6Uyyk=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0 h1:bflGWrfYyuulcdxf14V6n9+CoQcu5SAAdHmDPAJnlps=
 go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0/go.mod h1:qcTO4xHAxZLaLxPd60TdE88rxtItPHgHWqOhOGRr0as=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0 h1:dT33yIHtmsqpixFsSQPwNeY5drM9wTcoL8h0FWF4oGM=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.25.0/go.mod h1:h95q0LBGh7hlAC08X2DhSeyIG02YQ0UyioTCVAqRPmc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0 h1:Mbi5PKN7u322woPa85d7ebZ+SOvEoPvoiBu+ryHWgfA=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0/go.mod h1:e7ciERRhZaOZXVjx5MiL8TK5+Xv7G5Gv5PA2ZDEJdL8=
-go.opentelemetry.io/otel/metric v1.25.0 h1:LUKbS7ArpFL/I2jJHdJcqMGxkRdxpPHE0VU/D4NuEwA=
-go.opentelemetry.io/otel/metric v1.25.0/go.mod h1:rkDLUSd2lC5lq2dFNrX9LGAbINP5B7WBkC78RXCpH5s=
-go.opentelemetry.io/otel/sdk v1.25.0 h1:PDryEJPC8YJZQSyLY5eqLeafHtG+X7FWnf3aXMtxbqo=
-go.opentelemetry.io/otel/sdk v1.25.0/go.mod h1:oFgzCM2zdsxKzz6zwpTZYLLQsFwc+K0daArPdIhuxkw=
-go.opentelemetry.io/otel/sdk/metric v1.21.0 h1:smhI5oD714d6jHE6Tie36fPx4WDFIg+Y6RfAY4ICcR0=
-go.opentelemetry.io/otel/sdk/metric v1.21.0/go.mod h1:FJ8RAsoPGv/wYMgBdUJXOm+6pzFY3YdljnXtv1SBE8Q=
-go.opentelemetry.io/otel/trace v1.25.0 h1:tqukZGLwQYRIFtSQM2u2+yfMVTgGVeqRLPUYx1Dq6RM=
-go.opentelemetry.io/otel/trace v1.25.0/go.mod h1:hCCs70XM/ljO+BeQkyFnbK28SBIJ/Emuha+ccrCRT7I=
-go.opentelemetry.io/proto/otlp v1.1.0 h1:2Di21piLrCqJ3U3eXGCTPHE9R8Nh+0uglSnOyxikMeI=
-go.opentelemetry.io/proto/otlp v1.1.0/go.mod h1:GpBHCBWiqvVLDqmHZsoMM3C5ySeKTC7ej/RNTae6MdY=
+go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
+go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
+go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
+go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
+go.opentelemetry.io/otel/sdk/metric v1.28.0 h1:OkuaKgKrgAbYrrY0t92c+cC+2F6hsFNnCQArXCKlg08=
+go.opentelemetry.io/otel/sdk/metric v1.28.0/go.mod h1:cWPjykihLAPvXKi4iZc1dpER3Jdq2Z0YLse3moQUCpg=
+go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
+go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
+go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
+go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
@@ -769,15 +850,15 @@ golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
 golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
+golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.25.0 h1:oFU9pkj/iJgs+0DT+VMHrx+oBKs/LJMV+Uvg78sl+fE=
-golang.org/x/tools v0.25.0/go.mod h1:/vtpO8WL1N9cQC3FN5zPqb//fRXskFHbLKk4OW1Q7rg=
+golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
+golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -805,6 +886,8 @@ gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
+gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
@@ -826,26 +909,44 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A=
-k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0=
-k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8=
-k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU=
-k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg=
-k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA=
-k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
-k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
-k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
-k8s.io/metrics v0.27.4 h1:2s04bods7rA507iouGbxD55YrKNlFjLYzm30noOl9Sk=
-k8s.io/metrics v0.27.4/go.mod h1:kRvfhFC7wCQEFvu6H92uiV7v05z3Ty/vtluYT5D2Xpk=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI=
-k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
-sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+helm.sh/helm/v3 v3.17.1 h1:gzVoAD+qVuoJU6KDMSAeo0xRJ6N1znRxz3wyuXRmJDk=
+helm.sh/helm/v3 v3.17.1/go.mod h1:nvreuhuR+j78NkQcLC3TYoprCKStLyw5P4T7E5itv2w=
+k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
+k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
+k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
+k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
+k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
+k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/apiserver v0.32.1 h1:oo0OozRos66WFq87Zc5tclUX2r0mymoVHRq8JmR7Aak=
+k8s.io/apiserver v0.32.1/go.mod h1:UcB9tWjBY7aryeI5zAgzVJB/6k7E97bkr1RgqDz0jPw=
+k8s.io/cli-runtime v0.32.1 h1:19nwZPlYGJPUDbhAxDIS2/oydCikvKMHsxroKNGA2mM=
+k8s.io/cli-runtime v0.32.1/go.mod h1:NJPbeadVFnV2E7B7vF+FvU09mpwYlZCu8PqjzfuOnkY=
+k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
+k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
+k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk=
+k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
+k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
+k8s.io/kubectl v0.32.1 h1:/btLtXLQUU1rWx8AEvX9jrb9LaI6yeezt3sFALhB8M8=
+k8s.io/kubectl v0.32.1/go.mod h1:sezNuyWi1STk4ZNPVRIFfgjqMI6XMf+oCVLjZen/pFQ=
+k8s.io/metrics v0.32.1 h1:Ou4nrEtZS2vFf7OJCf9z3+2kr0A00kQzfoSwxg0gXps=
+k8s.io/metrics v0.32.1/go.mod h1:cLnai9XKYby1tNMX+xe8p9VLzTqrxYPcmqfCBoWObcM=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
+k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
+oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
+sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
+sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo=
+sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U=
+sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E=
+sigs.k8s.io/kustomize/kyaml v0.18.1/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
+sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78/go.mod h1:B7Wf0Ya4DHF9Yw+qfZuJijQYkWicqDa+79Ytmmq3Kjg=
 tags.cncf.io/container-device-interface v0.8.0 h1:8bCFo/g9WODjWx3m6EYl3GfUG31eKJbaggyBDxEldRc=
diff --git a/pkg/build/info.go b/pkg/build/info.go
index fac320b4f..026a317ef 100644
--- a/pkg/build/info.go
+++ b/pkg/build/info.go
@@ -42,9 +42,6 @@ var (
 	// DepDockerVersion is the version of the Docker binary shipped with the application.
 	DepDockerVersion string
 
-	// DepHelmVersion is the version of the Helm binary shipped with the application.
-	DepHelmVersion string
-
 	// DepKubectlVersion is the version of the Kubectl binary shipped with the application.
 	DepKubectlVersion string
 )
@@ -92,7 +89,6 @@ func GetBuildInfo() BuildInfo {
 func GetDependenciesInfo() DependenciesInfo {
 	return DependenciesInfo{
 		DockerVersion:  DepDockerVersion,
-		HelmVersion:    DepHelmVersion,
 		KubectlVersion: DepKubectlVersion,
 		ComposeVersion: DepComposeVersion,
 	}
diff --git a/pkg/libhelm/binary/get.go b/pkg/libhelm/binary/get.go
deleted file mode 100644
index 0df41bbc8..000000000
--- a/pkg/libhelm/binary/get.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package binary
-
-import (
-	"github.com/pkg/errors"
-	"github.com/portainer/portainer/pkg/libhelm/options"
-)
-
-// Get runs `helm get` with specified get options.
-// The get options translate to CLI arguments which are passed in to the helm binary when executing install.
-func (hbpm *helmBinaryPackageManager) Get(getOpts options.GetOptions) ([]byte, error) {
-	if getOpts.Name == "" || getOpts.ReleaseResource == "" {
-		return nil, errors.New("release name and release resource are required")
-	}
-
-	args := []string{
-		string(getOpts.ReleaseResource),
-		getOpts.Name,
-	}
-	if getOpts.Namespace != "" {
-		args = append(args, "--namespace", getOpts.Namespace)
-	}
-
-	result, err := hbpm.runWithKubeConfig("get", args, getOpts.KubernetesClusterAccess, getOpts.Env)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to run helm get on specified args")
-	}
-
-	return result, nil
-}
diff --git a/pkg/libhelm/binary/helm_package.go b/pkg/libhelm/binary/helm_package.go
deleted file mode 100644
index 2e64a8a2b..000000000
--- a/pkg/libhelm/binary/helm_package.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package binary
-
-import (
-	"bytes"
-	"os"
-	"os/exec"
-	"path"
-	"runtime"
-
-	"github.com/pkg/errors"
-	"github.com/portainer/portainer/pkg/libhelm/options"
-)
-
-// helmBinaryPackageManager is a wrapper for the helm binary which implements HelmPackageManager
-type helmBinaryPackageManager struct {
-	binaryPath string
-}
-
-// NewHelmBinaryPackageManager initializes a new HelmPackageManager service.
-func NewHelmBinaryPackageManager(binaryPath string) *helmBinaryPackageManager {
-	return &helmBinaryPackageManager{binaryPath: binaryPath}
-}
-
-// runWithKubeConfig will execute run against the provided Kubernetes cluster with kubeconfig as cli arguments.
-func (hbpm *helmBinaryPackageManager) runWithKubeConfig(command string, args []string, kca *options.KubernetesClusterAccess, env []string) ([]byte, error) {
-	cmdArgs := make([]string, 0)
-	if kca != nil {
-		cmdArgs = append(cmdArgs, "--kube-apiserver", kca.ClusterServerURL)
-		cmdArgs = append(cmdArgs, "--kube-token", kca.AuthToken)
-		cmdArgs = append(cmdArgs, "--kube-ca-file", kca.CertificateAuthorityFile)
-	}
-	cmdArgs = append(cmdArgs, args...)
-	return hbpm.run(command, cmdArgs, env)
-}
-
-// run will execute helm command against the provided Kubernetes cluster.
-// The endpointId and authToken are dynamic params (based on the user) that allow helm to execute commands
-// in the context of the current user against specified k8s cluster.
-func (hbpm *helmBinaryPackageManager) run(command string, args []string, env []string) ([]byte, error) {
-	cmdArgs := make([]string, 0)
-	cmdArgs = append(cmdArgs, command)
-	cmdArgs = append(cmdArgs, args...)
-
-	helmPath := path.Join(hbpm.binaryPath, "helm")
-	if runtime.GOOS == "windows" {
-		helmPath = path.Join(hbpm.binaryPath, "helm.exe")
-	}
-
-	var stderr bytes.Buffer
-	cmd := exec.Command(helmPath, cmdArgs...)
-	cmd.Stderr = &stderr
-
-	cmd.Env = os.Environ()
-	cmd.Env = append(cmd.Env, env...)
-
-	output, err := cmd.Output()
-	if err != nil {
-		return nil, errors.Wrap(err, stderr.String())
-	}
-
-	return output, nil
-}
diff --git a/pkg/libhelm/binary/install.go b/pkg/libhelm/binary/install.go
deleted file mode 100644
index 937df1500..000000000
--- a/pkg/libhelm/binary/install.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package binary
-
-import (
-	"github.com/portainer/portainer/pkg/libhelm/options"
-	"github.com/portainer/portainer/pkg/libhelm/release"
-
-	"github.com/pkg/errors"
-	"github.com/segmentio/encoding/json"
-)
-
-// Install runs `helm install` with specified install options.
-// The install options translate to CLI arguments which are passed in to the helm binary when executing install.
-func (hbpm *helmBinaryPackageManager) Install(installOpts options.InstallOptions) (*release.Release, error) {
-	if installOpts.Name == "" {
-		installOpts.Name = "--generate-name"
-	}
-	args := []string{
-		installOpts.Name,
-		installOpts.Chart,
-		"--repo", installOpts.Repo,
-		"--output", "json",
-	}
-	if installOpts.Namespace != "" {
-		args = append(args, "--namespace", installOpts.Namespace)
-	}
-	if installOpts.ValuesFile != "" {
-		args = append(args, "--values", installOpts.ValuesFile)
-	}
-	if installOpts.Wait {
-		args = append(args, "--wait")
-	}
-	if installOpts.PostRenderer != "" {
-		args = append(args, "--post-renderer", installOpts.PostRenderer)
-	}
-
-	result, err := hbpm.runWithKubeConfig("install", args, installOpts.KubernetesClusterAccess, installOpts.Env)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to run helm install on specified args")
-	}
-
-	response := &release.Release{}
-	err = json.Unmarshal(result, &response)
-	if err != nil {
-		return nil, errors.Wrap(err, "failed to unmarshal helm install response to Release struct")
-	}
-
-	return response, nil
-}
diff --git a/pkg/libhelm/binary/install_test.go b/pkg/libhelm/binary/install_test.go
deleted file mode 100644
index 3d6c74707..000000000
--- a/pkg/libhelm/binary/install_test.go
+++ /dev/null
@@ -1,118 +0,0 @@
-package binary
-
-import (
-	"os"
-	"os/exec"
-	"path/filepath"
-	"testing"
-
-	"github.com/portainer/portainer/pkg/libhelm/options"
-	"github.com/stretchr/testify/assert"
-)
-
-func createValuesFile(values string) (string, error) {
-	file, err := os.CreateTemp("", "helm-values")
-	if err != nil {
-		return "", err
-	}
-
-	_, err = file.WriteString(values)
-	if err != nil {
-		file.Close()
-		return "", err
-	}
-
-	err = file.Close()
-	if err != nil {
-		return "", err
-	}
-
-	return file.Name(), nil
-}
-
-// getHelmBinaryPath is helper function to get local helm binary path (if helm is in path)
-func getHelmBinaryPath() (string, error) {
-	path, err := exec.LookPath("helm")
-	if err != nil {
-		return "", err
-	}
-	dir, err := filepath.Abs(filepath.Dir(path))
-	if err != nil {
-		return "", err
-	}
-	return dir, nil
-}
-
-func Test_Install(t *testing.T) {
-	ensureIntegrationTest(t)
-	is := assert.New(t)
-
-	path, err := getHelmBinaryPath()
-	is.NoError(err, "helm binary must exist in path to run tests")
-
-	hbpm := NewHelmBinaryPackageManager(path)
-
-	t.Run("successfully installs nginx chart with name test-nginx", func(t *testing.T) {
-		// helm install test-nginx --repo https://kubernetes.github.io/ingress-nginx nginx
-		installOpts := options.InstallOptions{
-			Name:  "test-nginx",
-			Chart: "nginx",
-			Repo:  "https://kubernetes.github.io/ingress-nginx",
-		}
-
-		release, err := hbpm.Install(installOpts)
-		defer hbpm.run("uninstall", []string{"test-nginx"}, nil)
-
-		is.NoError(err, "should successfully install release", release)
-	})
-
-	t.Run("successfully installs nginx chart with generated name", func(t *testing.T) {
-		// helm install --generate-name --repo https://kubernetes.github.io/ingress-nginx nginx
-		installOpts := options.InstallOptions{
-			Chart: "nginx",
-			Repo:  "https://kubernetes.github.io/ingress-nginx",
-		}
-		release, err := hbpm.Install(installOpts)
-		defer hbpm.run("uninstall", []string{release.Name}, nil)
-
-		is.NoError(err, "should successfully install release", release)
-	})
-
-	t.Run("successfully installs nginx with values", func(t *testing.T) {
-		// helm install test-nginx-2 --repo https://kubernetes.github.io/ingress-nginx nginx --values /tmp/helm-values3161785816
-		values, err := createValuesFile("service:\n  port:  8081")
-		is.NoError(err, "should create a values file")
-
-		defer os.Remove(values)
-
-		installOpts := options.InstallOptions{
-			Name:       "test-nginx-2",
-			Chart:      "nginx",
-			Repo:       "https://kubernetes.github.io/ingress-nginx",
-			ValuesFile: values,
-		}
-		release, err := hbpm.Install(installOpts)
-		defer hbpm.run("uninstall", []string{"test-nginx-2"}, nil)
-
-		is.NoError(err, "should successfully install release", release)
-	})
-
-	t.Run("successfully installs portainer chart with name portainer-test", func(t *testing.T) {
-		// helm install portainer-test portainer --repo https://portainer.github.io/k8s/
-		installOpts := options.InstallOptions{
-			Name:  "portainer-test",
-			Chart: "portainer",
-			Repo:  "https://portainer.github.io/k8s/",
-		}
-		release, err := hbpm.Install(installOpts)
-		defer hbpm.run("uninstall", []string{installOpts.Name}, nil)
-
-		is.NoError(err, "should successfully install release", release)
-	})
-}
-
-func ensureIntegrationTest(t *testing.T) {
-	if _, ok := os.LookupEnv("INTEGRATION_TEST"); !ok {
-		t.Skip("skip an integration test")
-	}
-}
diff --git a/pkg/libhelm/binary/list.go b/pkg/libhelm/binary/list.go
deleted file mode 100644
index 886d4c5ea..000000000
--- a/pkg/libhelm/binary/list.go
+++ /dev/null
@@ -1,38 +0,0 @@
-package binary
-
-import (
-	"github.com/portainer/portainer/pkg/libhelm/options"
-	"github.com/portainer/portainer/pkg/libhelm/release"
-
-	"github.com/pkg/errors"
-	"github.com/segmentio/encoding/json"
-)
-
-// List runs `helm list --output json --filter <filter> --selector <selector> --namespace <namespace>` with specified list options.
-// The list options translate to CLI args the helm binary
-func (hbpm *helmBinaryPackageManager) List(listOpts options.ListOptions) ([]release.ReleaseElement, error) {
-	args := []string{"--output", "json"}
-
-	if listOpts.Filter != "" {
-		args = append(args, "--filter", listOpts.Filter)
-	}
-	if listOpts.Selector != "" {
-		args = append(args, "--selector", listOpts.Selector)
-	}
-	if listOpts.Namespace != "" {
-		args = append(args, "--namespace", listOpts.Namespace)
-	}
-
-	result, err := hbpm.runWithKubeConfig("list", args, listOpts.KubernetesClusterAccess, listOpts.Env)
-	if err != nil {
-		return []release.ReleaseElement{}, errors.Wrap(err, "failed to run helm list on specified args")
-	}
-
-	response := []release.ReleaseElement{}
-	err = json.Unmarshal(result, &response)
-	if err != nil {
-		return []release.ReleaseElement{}, errors.Wrap(err, "failed to unmarshal helm list response to releastElement list")
-	}
-
-	return response, nil
-}
diff --git a/pkg/libhelm/binary/search_repo.go b/pkg/libhelm/binary/search_repo.go
deleted file mode 100644
index f875589cb..000000000
--- a/pkg/libhelm/binary/search_repo.go
+++ /dev/null
@@ -1,118 +0,0 @@
-package binary
-
-// Package common implements common functionality for the helm.
-// The functionality does not rely on the implementation of `HelmPackageManager`
-
-import (
-	"net/http"
-	"net/url"
-	"path"
-	"time"
-
-	"github.com/portainer/portainer/pkg/libhelm/options"
-
-	"github.com/pkg/errors"
-	"github.com/segmentio/encoding/json"
-	"gopkg.in/yaml.v3"
-)
-
-var errRequiredSearchOptions = errors.New("repo is required")
-var errInvalidRepoURL = errors.New("the request failed since either the Helm repository was not found or the index.yaml is not valid")
-
-type File struct {
-	APIVersion string             `yaml:"apiVersion" json:"apiVersion"`
-	Entries    map[string][]Entry `yaml:"entries" json:"entries"`
-	Generated  string             `yaml:"generated" json:"generated"`
-}
-
-type Annotations struct {
-	Category string `yaml:"category" json:"category"`
-}
-
-type Entry struct {
-	Annotations *Annotations `yaml:"annotations" json:"annotations,omitempty"`
-	Created     string       `yaml:"created" json:"created"`
-	Deprecated  bool         `yaml:"deprecated" json:"deprecated"`
-	Description string       `yaml:"description" json:"description"`
-	Digest      string       `yaml:"digest" json:"digest"`
-	Home        string       `yaml:"home" json:"home"`
-	Name        string       `yaml:"name" json:"name"`
-	Sources     []string     `yaml:"sources" json:"sources"`
-	Urls        []string     `yaml:"urls" json:"urls"`
-	Version     string       `yaml:"version" json:"version"`
-	Icon        string       `yaml:"icon" json:"icon,omitempty"`
-}
-
-// SearchRepo downloads the `index.yaml` file for specified repo, parses it and returns JSON to caller.
-// The functionality is similar to that of what `helm search repo [chart] --repo <repo>` CLI runs;
-// this approach is used instead since the `helm search repo` requires a repo to be added to the global helm cache
-func (hbpm *helmBinaryPackageManager) SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error) {
-	if searchRepoOpts.Repo == "" {
-		return nil, errRequiredSearchOptions
-	}
-
-	client := searchRepoOpts.Client
-
-	if client == nil {
-		// The current index.yaml is ~9MB on bitnami.
-		// At a slow @2mbit download = 40s. @100bit = ~1s.
-		// I'm seeing 3 - 4s over wifi.
-		// Give ample time but timeout for now.  Can be improved in the future
-		client = &http.Client{
-			Timeout:   300 * time.Second,
-			Transport: http.DefaultTransport,
-		}
-	}
-
-	// Allow redirect behavior to be overridden if specified.
-	if client.CheckRedirect == nil {
-		client.CheckRedirect = defaultCheckRedirect
-	}
-
-	url, err := url.ParseRequestURI(searchRepoOpts.Repo)
-	if err != nil {
-		return nil, errors.Wrap(err, "invalid helm chart URL: "+searchRepoOpts.Repo)
-	}
-
-	url.Path = path.Join(url.Path, "index.yaml")
-	resp, err := client.Get(url.String())
-	if err != nil {
-		return nil, errInvalidRepoURL
-	}
-	defer resp.Body.Close()
-
-	var file File
-	err = yaml.NewDecoder(resp.Body).Decode(&file)
-	if err != nil {
-		return nil, errInvalidRepoURL
-	}
-
-	// Validate index.yaml
-	if file.APIVersion == "" || file.Entries == nil {
-		return nil, errInvalidRepoURL
-	}
-
-	result, err := json.Marshal(file)
-	if err != nil {
-		return nil, errInvalidRepoURL
-	}
-
-	return result, nil
-}
-
-// defaultCheckRedirect is a default CheckRedirect for helm
-// We don't allow redirects to URLs not ending in index.yaml
-// After that we follow the go http client behavior which is to stop
-// after a maximum of 10 redirects
-func defaultCheckRedirect(req *http.Request, via []*http.Request) error {
-	// The request url must end in index.yaml
-	if path.Base(req.URL.Path) != "index.yaml" {
-		return errors.New("the request URL must end in index.yaml")
-	}
-
-	// default behavior below
-	if len(via) >= 10 {
-		return errors.New("stopped after 10 redirects")
-	}
-	return nil
-}
diff --git a/pkg/libhelm/binary/search_repo_test.go b/pkg/libhelm/binary/search_repo_test.go
deleted file mode 100644
index 48786a0d7..000000000
--- a/pkg/libhelm/binary/search_repo_test.go
+++ /dev/null
@@ -1,50 +0,0 @@
-package binary
-
-import (
-	"testing"
-
-	"github.com/portainer/portainer/pkg/libhelm/libhelmtest"
-	"github.com/portainer/portainer/pkg/libhelm/options"
-	"github.com/stretchr/testify/assert"
-)
-
-func Test_SearchRepo(t *testing.T) {
-	libhelmtest.EnsureIntegrationTest(t)
-	is := assert.New(t)
-
-	hpm := NewHelmBinaryPackageManager("")
-
-	type testCase struct {
-		name    string
-		url     string
-		invalid bool
-	}
-
-	tests := []testCase{
-		{"not a helm repo", "https://portainer.io", true},
-		{"ingress helm repo", "https://kubernetes.github.io/ingress-nginx", false},
-		{"portainer helm repo", "https://portainer.github.io/k8s/", false},
-		{"gitlap helm repo with trailing slash", "https://charts.gitlab.io/", false},
-		{"elastic helm repo with trailing slash", "https://helm.elastic.co/", false},
-		{"fabric8.io helm repo with trailing slash", "https://fabric8.io/helm/", false},
-		{"lensesio helm repo without trailing slash", "https://lensesio.github.io/kafka-helm-charts", false},
-	}
-
-	for _, test := range tests {
-		func(tc testCase) {
-			t.Run(tc.name, func(t *testing.T) {
-				t.Parallel()
-				response, err := hpm.SearchRepo(options.SearchRepoOptions{Repo: tc.url})
-				if tc.invalid {
-					is.Errorf(err, "error expected: %s", tc.url)
-				} else {
-					is.NoError(err, "no error expected: %s", tc.url)
-				}
-
-				if err == nil {
-					is.NotEmpty(response, "response expected")
-				}
-			})
-		}(test)
-	}
-}
diff --git a/pkg/libhelm/binary/show.go b/pkg/libhelm/binary/show.go
deleted file mode 100644
index 848e8ab26..000000000
--- a/pkg/libhelm/binary/show.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package binary
-
-import (
-	"github.com/pkg/errors"
-	"github.com/portainer/portainer/pkg/libhelm/options"
-)
-
-var errRequiredShowOptions = errors.New("chart, repo and output format are required")
-
-// Show runs `helm show <command> <chart> --repo <repo>` with specified show options.
-// The show options translate to CLI arguments which are passed in to the helm binary when executing install.
-func (hbpm *helmBinaryPackageManager) Show(showOpts options.ShowOptions) ([]byte, error) {
-	if showOpts.Chart == "" || showOpts.Repo == "" || showOpts.OutputFormat == "" {
-		return nil, errRequiredShowOptions
-	}
-
-	args := []string{
-		string(showOpts.OutputFormat),
-		showOpts.Chart,
-		"--repo", showOpts.Repo,
-	}
-
-	result, err := hbpm.run("show", args, showOpts.Env)
-	if err != nil {
-		return nil, errors.New("the request failed since either the Helm repository was not found or the chart does not exist")
-	}
-
-	return result, nil
-}
diff --git a/pkg/libhelm/binary/uninstall.go b/pkg/libhelm/binary/uninstall.go
deleted file mode 100644
index b926e8ee5..000000000
--- a/pkg/libhelm/binary/uninstall.go
+++ /dev/null
@@ -1,29 +0,0 @@
-package binary
-
-import (
-	"github.com/pkg/errors"
-	"github.com/portainer/portainer/pkg/libhelm/options"
-)
-
-var errRequiredUninstallOptions = errors.New("release name is required")
-
-// Uninstall runs `helm uninstall <name> --namespace <namespace>` with specified uninstall options.
-// The uninstall options translate to CLI arguments which are passed in to the helm binary when executing uninstall.
-func (hbpm *helmBinaryPackageManager) Uninstall(uninstallOpts options.UninstallOptions) error {
-	if uninstallOpts.Name == "" {
-		return errRequiredUninstallOptions
-	}
-
-	args := []string{uninstallOpts.Name}
-
-	if uninstallOpts.Namespace != "" {
-		args = append(args, "--namespace", uninstallOpts.Namespace)
-	}
-
-	_, err := hbpm.runWithKubeConfig("uninstall", args, uninstallOpts.KubernetesClusterAccess, uninstallOpts.Env)
-	if err != nil {
-		return errors.Wrap(err, "failed to run helm uninstall on specified args")
-	}
-
-	return nil
-}
diff --git a/pkg/libhelm/manager.go b/pkg/libhelm/manager.go
index f378b2e55..1396195bd 100644
--- a/pkg/libhelm/manager.go
+++ b/pkg/libhelm/manager.go
@@ -1,22 +1,11 @@
 package libhelm
 
 import (
-	"errors"
-
-	"github.com/portainer/portainer/pkg/libhelm/binary"
+	"github.com/portainer/portainer/pkg/libhelm/sdk"
+	"github.com/portainer/portainer/pkg/libhelm/types"
 )
 
-// HelmConfig is a struct that holds the configuration for the Helm package manager
-type HelmConfig struct {
-	BinaryPath string `example:"/portainer/dist"`
-}
-
-var errBinaryPathNotSpecified = errors.New("binary path not specified")
-
 // NewHelmPackageManager returns a new instance of HelmPackageManager based on HelmConfig
-func NewHelmPackageManager(config HelmConfig) (HelmPackageManager, error) {
-	if config.BinaryPath != "" {
-		return binary.NewHelmBinaryPackageManager(config.BinaryPath), nil
-	}
-	return nil, errBinaryPathNotSpecified
+func NewHelmPackageManager() (types.HelmPackageManager, error) {
+	return sdk.NewHelmSDKPackageManager(), nil
 }
diff --git a/pkg/libhelm/options/cluster_access.go b/pkg/libhelm/options/cluster_access.go
index a66acdc5c..1fe079c12 100644
--- a/pkg/libhelm/options/cluster_access.go
+++ b/pkg/libhelm/options/cluster_access.go
@@ -2,6 +2,9 @@ package options
 
 // KubernetesClusterAccess represents core details which can be used to generate KubeConfig file/data
 type KubernetesClusterAccess struct {
+	ClusterName              string `example:"portainer-cluster-endpoint-1"`
+	ContextName              string `example:"portainer-ctx-endpoint-1"`
+	UserName                 string `example:"portainer-user-endpoint-1"`
 	ClusterServerURL         string `example:"https://mycompany.k8s.com"`
 	CertificateAuthorityFile string `example:"/data/tls/localhost.crt"`
 	AuthToken                string `example:"ey..."`
diff --git a/pkg/libhelm/sdk/client.go b/pkg/libhelm/sdk/client.go
new file mode 100644
index 000000000..7989e4558
--- /dev/null
+++ b/pkg/libhelm/sdk/client.go
@@ -0,0 +1,165 @@
+package sdk
+
+import (
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/chartutil"
+	"helm.sh/helm/v3/pkg/cli"
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/client-go/discovery"
+	"k8s.io/client-go/discovery/cached/memory"
+	"k8s.io/client-go/rest"
+	"k8s.io/client-go/restmapper"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/tools/clientcmd/api"
+)
+
+// newRESTClientGetter creates a custom RESTClientGetter using the provided client config
+type clientConfigGetter struct {
+	clientConfig clientcmd.ClientConfig
+	namespace    string
+}
+
+// initActionConfig initializes the action configuration with kubernetes config
+func (hspm *HelmSDKPackageManager) initActionConfig(actionConfig *action.Configuration, namespace string, k8sAccess *options.KubernetesClusterAccess) error {
+	// If namespace is not provided, use the default namespace
+	if namespace == "" {
+		namespace = "default"
+	}
+
+	if k8sAccess == nil {
+		// Use default kubeconfig
+		settings := cli.New()
+		clientGetter := settings.RESTClientGetter()
+		return actionConfig.Init(clientGetter, namespace, "secret", hspm.logf)
+	}
+
+	// Create client config
+	configAPI := generateConfigAPI(namespace, k8sAccess)
+	clientConfig := clientcmd.NewDefaultClientConfig(*configAPI, &clientcmd.ConfigOverrides{})
+
+	// Create a custom RESTClientGetter that uses our in-memory config
+	clientGetter, err := newRESTClientGetter(clientConfig, namespace)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("cluster_name", k8sAccess.ClusterName).
+			Str("cluster_url", k8sAccess.ClusterServerURL).
+			Str("user_name", k8sAccess.UserName).
+			Err(err).
+			Msg("failed to create client getter")
+		return err
+	}
+
+	return actionConfig.Init(clientGetter, namespace, "secret", hspm.logf)
+}
+
+// generateConfigAPI generates a new kubeconfig configuration
+func generateConfigAPI(namespace string, k8sAccess *options.KubernetesClusterAccess) *api.Config {
+	// Create in-memory kubeconfig configuration
+	configAPI := api.NewConfig()
+
+	// Create cluster
+	cluster := api.NewCluster()
+	cluster.Server = k8sAccess.ClusterServerURL
+
+	if k8sAccess.CertificateAuthorityFile != "" {
+		// If we have a CA file, use it
+		cluster.CertificateAuthority = k8sAccess.CertificateAuthorityFile
+	} else {
+		// Otherwise skip TLS verification
+		cluster.InsecureSkipTLSVerify = true
+	}
+
+	// Create auth info with token
+	authInfo := api.NewAuthInfo()
+	authInfo.Token = k8sAccess.AuthToken
+
+	// Create context
+	context := api.NewContext()
+	context.Cluster = k8sAccess.ClusterName
+	context.AuthInfo = k8sAccess.UserName
+	context.Namespace = namespace
+
+	// Add to config
+	configAPI.Clusters[k8sAccess.ClusterName] = cluster
+	configAPI.AuthInfos[k8sAccess.UserName] = authInfo
+	configAPI.Contexts[k8sAccess.ContextName] = context
+	configAPI.CurrentContext = k8sAccess.ContextName
+
+	return configAPI
+}
+
+func newRESTClientGetter(clientConfig clientcmd.ClientConfig, namespace string) (*clientConfigGetter, error) {
+	if clientConfig == nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Msg("client config is nil")
+
+		return nil, errors.New("client config provided during the helm client initialization was nil. Check the kubernetes cluster access configuration")
+	}
+
+	return &clientConfigGetter{
+		clientConfig: clientConfig,
+		namespace:    namespace,
+	}, nil
+}
+
+func (c *clientConfigGetter) ToRESTConfig() (*rest.Config, error) {
+	if c.clientConfig == nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Msg("client config is nil")
+
+		return nil, errors.New("client config provided during the helm client initialization was nil. Check the kubernetes cluster access configuration")
+	}
+
+	return c.clientConfig.ClientConfig()
+}
+
+func (c *clientConfigGetter) ToDiscoveryClient() (discovery.CachedDiscoveryInterface, error) {
+	config, err := c.ToRESTConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	// Create the discovery client
+	discoveryClient, err := discovery.NewDiscoveryClientForConfig(config)
+	if err != nil {
+		return nil, err
+	}
+
+	// Wrap the discovery client with a cached discovery client
+	return memory.NewMemCacheClient(discoveryClient), nil
+}
+
+func (c *clientConfigGetter) ToRESTMapper() (meta.RESTMapper, error) {
+	discoveryClient, err := c.ToDiscoveryClient()
+	if err != nil {
+		return nil, err
+	}
+
+	// Create a REST mapper from the discovery client
+	return restmapper.NewDeferredDiscoveryRESTMapper(discoveryClient), nil
+}
+
+func (c *clientConfigGetter) ToRawKubeConfigLoader() clientcmd.ClientConfig {
+	return c.clientConfig
+}
+
+// parseValues parses YAML values data into a map
+func (hspm *HelmSDKPackageManager) parseValues(data []byte) (map[string]any, error) {
+	// Use Helm's built-in chartutil.ReadValues which properly handles the conversion
+	// from map[interface{}]interface{} to map[string]interface{}
+	return chartutil.ReadValues(data)
+}
+
+// logf is a log helper function for Helm
+func (hspm *HelmSDKPackageManager) logf(format string, v ...any) {
+	// Use zerolog for structured logging
+	log.Debug().
+		Str("context", "HelmClient").
+		Msgf(format, v...)
+}
diff --git a/pkg/libhelm/sdk/client_test.go b/pkg/libhelm/sdk/client_test.go
new file mode 100644
index 000000000..9dd7afffe
--- /dev/null
+++ b/pkg/libhelm/sdk/client_test.go
@@ -0,0 +1,156 @@
+package sdk
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/stretchr/testify/assert"
+	"helm.sh/helm/v3/pkg/action"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/client-go/tools/clientcmd/api"
+)
+
+func Test_InitActionConfig(t *testing.T) {
+	is := assert.New(t)
+	hspm := NewHelmSDKPackageManager()
+
+	t.Run("with nil k8sAccess should use default kubeconfig", func(t *testing.T) {
+		actionConfig := new(action.Configuration)
+		err := hspm.(*HelmSDKPackageManager).initActionConfig(actionConfig, "default", nil)
+
+		// The function should not fail by design, even when not running in a k8s environment
+		is.NoError(err, "should not return error when not in k8s environment")
+	})
+
+	t.Run("with k8sAccess should create in-memory config", func(t *testing.T) {
+		actionConfig := new(action.Configuration)
+		k8sAccess := &options.KubernetesClusterAccess{
+			ClusterServerURL: "https://kubernetes.default.svc",
+			AuthToken:        "test-token",
+		}
+
+		// The function should not fail by design
+		err := hspm.(*HelmSDKPackageManager).initActionConfig(actionConfig, "default", k8sAccess)
+		is.NoError(err, "should not return error when using in-memory config")
+	})
+
+	t.Run("with k8sAccess and CA file should create config with CA", func(t *testing.T) {
+		actionConfig := new(action.Configuration)
+		k8sAccess := &options.KubernetesClusterAccess{
+			ClusterServerURL:         "https://kubernetes.default.svc",
+			AuthToken:                "test-token",
+			CertificateAuthorityFile: "/path/to/ca.crt",
+		}
+
+		// The function should not fail by design
+		err := hspm.(*HelmSDKPackageManager).initActionConfig(actionConfig, "default", k8sAccess)
+		is.NoError(err, "should not return error when using in-memory config with CA")
+	})
+}
+
+func Test_ClientConfigGetter(t *testing.T) {
+	is := assert.New(t)
+
+	// Create a mock client config
+	configAPI := api.NewConfig()
+
+	// Create cluster
+	cluster := api.NewCluster()
+	cluster.Server = "https://kubernetes.default.svc"
+	cluster.InsecureSkipTLSVerify = true
+
+	// Create auth info
+	authInfo := api.NewAuthInfo()
+	authInfo.Token = "test-token"
+
+	// Create context
+	context := api.NewContext()
+	context.Cluster = "test-cluster"
+	context.AuthInfo = "test-user"
+	context.Namespace = "default"
+
+	// Add to config
+	configAPI.Clusters["test-cluster"] = cluster
+	configAPI.AuthInfos["test-user"] = authInfo
+	configAPI.Contexts["test-context"] = context
+	configAPI.CurrentContext = "test-context"
+
+	clientConfig := clientcmd.NewDefaultClientConfig(*configAPI, &clientcmd.ConfigOverrides{})
+
+	// Create client config getter
+	clientGetter, err := newRESTClientGetter(clientConfig, "default")
+	is.NoError(err, "should not return error when creating client getter")
+
+	// Test ToRESTConfig
+	restConfig, err := clientGetter.ToRESTConfig()
+	is.NoError(err, "should not return error when creating REST config")
+	is.NotNil(restConfig, "should return non-nil REST config")
+	is.Equal("https://kubernetes.default.svc", restConfig.Host, "host should be https://kubernetes.default.svc")
+	is.Equal("test-token", restConfig.BearerToken, "bearer token should be test-token")
+
+	// Test ToDiscoveryClient
+	discoveryClient, err := clientGetter.ToDiscoveryClient()
+	is.NoError(err, "should not return error when creating discovery client")
+	is.NotNil(discoveryClient, "should return non-nil discovery client")
+
+	// Test ToRESTMapper
+	restMapper, err := clientGetter.ToRESTMapper()
+	is.NoError(err, "should not return error when creating REST mapper")
+	is.NotNil(restMapper, "should return non-nil REST mapper")
+
+	// Test ToRawKubeConfigLoader
+	config := clientGetter.ToRawKubeConfigLoader()
+	is.NotNil(config, "should return non-nil config loader")
+}
+
+func Test_ParseValues(t *testing.T) {
+	is := assert.New(t)
+	hspm := NewHelmSDKPackageManager()
+
+	t.Run("should parse valid YAML values", func(t *testing.T) {
+		yamlData := []byte(`
+service:
+  type: ClusterIP
+  port: 80
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+`)
+		values, err := hspm.(*HelmSDKPackageManager).parseValues(yamlData)
+		is.NoError(err, "should parse valid YAML without error")
+		is.NotNil(values, "should return non-nil values")
+
+		// Verify structure
+		service, ok := values["service"].(map[string]interface{})
+		is.True(ok, "service should be a map")
+		is.Equal("ClusterIP", service["type"], "service type should be ClusterIP")
+		is.Equal(float64(80), service["port"], "service port should be 80")
+
+		resources, ok := values["resources"].(map[string]interface{})
+		is.True(ok, "resources should be a map")
+		limits, ok := resources["limits"].(map[string]interface{})
+		is.True(ok, "limits should be a map")
+		is.Equal("100m", limits["cpu"], "cpu limit should be 100m")
+		is.Equal("128Mi", limits["memory"], "memory limit should be 128Mi")
+	})
+
+	t.Run("should handle invalid YAML", func(t *testing.T) {
+		yamlData := []byte(`
+service:
+  type: ClusterIP
+  port: 80
+  invalid yaml
+`)
+		_, err := hspm.(*HelmSDKPackageManager).parseValues(yamlData)
+		is.Error(err, "should return error for invalid YAML")
+	})
+
+	t.Run("should handle empty YAML", func(t *testing.T) {
+		yamlData := []byte(``)
+		values, err := hspm.(*HelmSDKPackageManager).parseValues(yamlData)
+		is.NoError(err, "should not return error for empty YAML")
+		is.NotNil(values, "should return non-nil values for empty YAML")
+		is.Len(values, 0, "should return empty map for empty YAML")
+	})
+}
diff --git a/pkg/libhelm/sdk/install.go b/pkg/libhelm/sdk/install.go
new file mode 100644
index 000000000..26b50927b
--- /dev/null
+++ b/pkg/libhelm/sdk/install.go
@@ -0,0 +1,210 @@
+package sdk
+
+import (
+	"os"
+
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/downloader"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/postrender"
+)
+
+// Install implements the HelmPackageManager interface by using the Helm SDK to install a chart.
+func (hspm *HelmSDKPackageManager) Install(installOpts options.InstallOptions) (*release.Release, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("chart", installOpts.Chart).
+		Str("name", installOpts.Name).
+		Str("namespace", installOpts.Namespace).
+		Str("repo", installOpts.Repo).
+		Bool("wait", installOpts.Wait).
+		Msg("Installing Helm chart")
+
+	if installOpts.Name == "" {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", installOpts.Chart).
+			Str("name", installOpts.Name).
+			Str("namespace", installOpts.Namespace).
+			Str("repo", installOpts.Repo).
+			Bool("wait", installOpts.Wait).
+			Msg("Name is required for helm release installation")
+		return nil, errors.New("name is required for helm release installation")
+	}
+
+	// Initialize action configuration with kubernetes config
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, installOpts.Namespace, installOpts.KubernetesClusterAccess)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", installOpts.Chart).
+			Str("namespace", installOpts.Namespace).
+			Err(err).
+			Msg("Failed to initialize helm configuration for helm release installation")
+		return nil, errors.Wrap(err, "failed to initialize helm configuration for helm release installation")
+	}
+
+	installClient, err := initInstallClient(actionConfig, installOpts)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to initialize helm install client for helm release installation")
+		return nil, errors.Wrap(err, "failed to initialize helm install client for helm release installation")
+	}
+
+	values, err := hspm.GetHelmValuesFromFile(installOpts.ValuesFile)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to get Helm values from file for helm release installation")
+		return nil, errors.Wrap(err, "failed to get Helm values from file for helm release installation")
+	}
+
+	chart, err := hspm.loadAndValidateChart(installClient, installOpts)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to load and validate chart for helm release installation")
+		return nil, errors.Wrap(err, "failed to load and validate chart for helm release installation")
+	}
+
+	// Run the installation
+	log.Info().
+		Str("context", "HelmClient").
+		Str("chart", installOpts.Chart).
+		Str("name", installOpts.Name).
+		Str("namespace", installOpts.Namespace).
+		Msg("Running chart installation for helm release")
+
+	helmRelease, err := installClient.Run(chart, values)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", installOpts.Chart).
+			Str("name", installOpts.Name).
+			Str("namespace", installOpts.Namespace).
+			Err(err).
+			Msg("Failed to install helm chart for helm release installation")
+		return nil, errors.Wrap(err, "helm was not able to install the chart for helm release installation")
+	}
+
+	return &release.Release{
+		Name:      helmRelease.Name,
+		Namespace: helmRelease.Namespace,
+		Chart: release.Chart{
+			Metadata: &release.Metadata{
+				Name:       helmRelease.Chart.Metadata.Name,
+				Version:    helmRelease.Chart.Metadata.Version,
+				AppVersion: helmRelease.Chart.Metadata.AppVersion,
+			},
+		},
+		Labels:   helmRelease.Labels,
+		Version:  helmRelease.Version,
+		Manifest: helmRelease.Manifest,
+	}, nil
+}
+
+// loadAndValidateChart locates and loads the chart, and validates it.
+// it also checks for chart dependencies and updates them if necessary.
+// it returns the chart information.
+func (hspm *HelmSDKPackageManager) loadAndValidateChart(installClient *action.Install, installOpts options.InstallOptions) (*chart.Chart, error) {
+	// Locate and load the chart
+	chartPath, err := installClient.ChartPathOptions.LocateChart(installOpts.Chart, hspm.settings)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", installOpts.Chart).
+			Err(err).
+			Msg("Failed to locate chart for helm release installation")
+		return nil, errors.Wrapf(err, "failed to find the helm chart at the path: %s/%s", installOpts.Repo, installOpts.Chart)
+	}
+
+	chartReq, err := loader.Load(chartPath)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart_path", chartPath).
+			Err(err).
+			Msg("Failed to load chart for helm release installation")
+		return nil, errors.Wrap(err, "failed to load chart for helm release installation")
+	}
+
+	// Check chart dependencies to make sure all are present in /charts
+	if chartDependencies := chartReq.Metadata.Dependencies; chartDependencies != nil {
+		if err := action.CheckDependencies(chartReq, chartDependencies); err != nil {
+			err = errors.Wrap(err, "failed to check chart dependencies for helm release installation")
+			if !installClient.DependencyUpdate {
+				return nil, err
+			}
+
+			log.Debug().
+				Str("context", "HelmClient").
+				Str("chart", installOpts.Chart).
+				Msg("Updating chart dependencies for helm release installation")
+
+			providers := getter.All(hspm.settings)
+			manager := &downloader.Manager{
+				Out:              os.Stdout,
+				ChartPath:        chartPath,
+				Keyring:          installClient.ChartPathOptions.Keyring,
+				SkipUpdate:       false,
+				Getters:          providers,
+				RepositoryConfig: hspm.settings.RepositoryConfig,
+				RepositoryCache:  hspm.settings.RepositoryCache,
+				Debug:            hspm.settings.Debug,
+			}
+			if err := manager.Update(); err != nil {
+				log.Error().
+					Str("context", "HelmClient").
+					Str("chart", installOpts.Chart).
+					Err(err).
+					Msg("Failed to update chart dependencies for helm release installation")
+				return nil, errors.Wrap(err, "failed to update chart dependencies for helm release installation")
+			}
+
+			// Reload the chart with the updated Chart.lock file.
+			if chartReq, err = loader.Load(chartPath); err != nil {
+				log.Error().
+					Str("context", "HelmClient").
+					Str("chart_path", chartPath).
+					Err(err).
+					Msg("Failed to reload chart after dependency update for helm release installation")
+				return nil, errors.Wrap(err, "failed to reload chart after dependency update for helm release installation")
+			}
+		}
+	}
+
+	return chartReq, nil
+}
+
+// initInstallClient initializes the install client with the given options
+// and return the install client.
+func initInstallClient(actionConfig *action.Configuration, installOpts options.InstallOptions) (*action.Install, error) {
+	installClient := action.NewInstall(actionConfig)
+	installClient.CreateNamespace = true
+	installClient.DependencyUpdate = true
+
+	installClient.ReleaseName = installOpts.Name
+	installClient.Namespace = installOpts.Namespace
+	installClient.ChartPathOptions.RepoURL = installOpts.Repo
+	installClient.Wait = installOpts.Wait
+	if installOpts.PostRenderer != "" {
+		postRenderer, err := postrender.NewExec(installOpts.PostRenderer)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to create post renderer")
+		}
+		installClient.PostRenderer = postRenderer
+	}
+
+	return installClient, nil
+}
diff --git a/pkg/libhelm/sdk/install_test.go b/pkg/libhelm/sdk/install_test.go
new file mode 100644
index 000000000..9bd0d04f3
--- /dev/null
+++ b/pkg/libhelm/sdk/install_test.go
@@ -0,0 +1,190 @@
+package sdk
+
+import (
+	"os"
+	"testing"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func createValuesFile(values string) (string, error) {
+	file, err := os.CreateTemp("", "helm-values")
+	if err != nil {
+		return "", err
+	}
+
+	_, err = file.WriteString(values)
+	if err != nil {
+		file.Close()
+		return "", err
+	}
+
+	err = file.Close()
+	if err != nil {
+		return "", err
+	}
+
+	return file.Name(), nil
+}
+
+func Test_Install(t *testing.T) {
+	test.EnsureIntegrationTest(t)
+	is := assert.New(t)
+
+	// Create a new SDK package manager
+	hspm := NewHelmSDKPackageManager()
+
+	t.Run("successfully installs nginx chart with name test-nginx", func(t *testing.T) {
+		// SDK equivalent of: helm install test-nginx --repo https://kubernetes.github.io/ingress-nginx nginx
+		installOpts := options.InstallOptions{
+			Name:  "test-nginx",
+			Chart: "ingress-nginx",
+			Repo:  "https://kubernetes.github.io/ingress-nginx",
+		}
+
+		release, err := hspm.Install(installOpts)
+		if release != nil {
+			defer hspm.Uninstall(options.UninstallOptions{
+				Name: "test-nginx",
+			})
+		}
+
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+		is.Equal("test-nginx", release.Name, "release name should match")
+		is.Equal(1, release.Version, "release version should be 1")
+		is.NotEmpty(release.Manifest, "release manifest should not be empty")
+	})
+
+	t.Run("successfully installs nginx with values", func(t *testing.T) {
+		// SDK equivalent of: helm install test-nginx-2 --repo https://kubernetes.github.io/ingress-nginx nginx --values /tmp/helm-values3161785816
+		values, err := createValuesFile("service:\n  port:  8081")
+		is.NoError(err, "should create a values file")
+
+		defer os.Remove(values)
+
+		installOpts := options.InstallOptions{
+			Name:       "test-nginx-2",
+			Chart:      "ingress-nginx",
+			Repo:       "https://kubernetes.github.io/ingress-nginx",
+			ValuesFile: values,
+		}
+		release, err := hspm.Install(installOpts)
+		if release != nil {
+			defer hspm.Uninstall(options.UninstallOptions{
+				Name: "test-nginx-2",
+			})
+		}
+
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+		is.Equal("test-nginx-2", release.Name, "release name should match")
+		is.Equal(1, release.Version, "release version should be 1")
+		is.NotEmpty(release.Manifest, "release manifest should not be empty")
+	})
+
+	t.Run("successfully installs portainer chart with name portainer-test", func(t *testing.T) {
+		// SDK equivalent of: helm install portainer-test portainer --repo https://portainer.github.io/k8s/
+		installOpts := options.InstallOptions{
+			Name:  "portainer-test",
+			Chart: "portainer",
+			Repo:  "https://portainer.github.io/k8s/",
+		}
+		release, err := hspm.Install(installOpts)
+		if release != nil {
+			defer hspm.Uninstall(options.UninstallOptions{
+				Name: installOpts.Name,
+			})
+		}
+
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+		is.Equal("portainer-test", release.Name, "release name should match")
+		is.Equal(1, release.Version, "release version should be 1")
+		is.NotEmpty(release.Manifest, "release manifest should not be empty")
+	})
+
+	t.Run("install with values as string", func(t *testing.T) {
+		// First create a values file since InstallOptions doesn't support values as string directly
+		values, err := createValuesFile("service:\n  port:  8082")
+		is.NoError(err, "should create a values file")
+
+		defer os.Remove(values)
+
+		// Install with values file
+		installOpts := options.InstallOptions{
+			Name:       "test-nginx-3",
+			Chart:      "ingress-nginx",
+			Repo:       "https://kubernetes.github.io/ingress-nginx",
+			ValuesFile: values,
+		}
+		release, err := hspm.Install(installOpts)
+		if release != nil {
+			defer hspm.Uninstall(options.UninstallOptions{
+				Name: "test-nginx-3",
+			})
+		}
+
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+		is.Equal("test-nginx-3", release.Name, "release name should match")
+	})
+
+	t.Run("install with namespace", func(t *testing.T) {
+		// Install with namespace
+		installOpts := options.InstallOptions{
+			Name:      "test-nginx-4",
+			Chart:     "ingress-nginx",
+			Repo:      "https://kubernetes.github.io/ingress-nginx",
+			Namespace: "default",
+		}
+		release, err := hspm.Install(installOpts)
+		if release != nil {
+			defer hspm.Uninstall(options.UninstallOptions{
+				Name:      "test-nginx-4",
+				Namespace: "default",
+			})
+		}
+
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+		is.Equal("test-nginx-4", release.Name, "release name should match")
+		is.Equal("default", release.Namespace, "release namespace should match")
+	})
+
+	t.Run("returns an error when name is not provided", func(t *testing.T) {
+		installOpts := options.InstallOptions{
+			Chart: "ingress-nginx",
+			Repo:  "https://kubernetes.github.io/ingress-nginx",
+		}
+		_, err := hspm.Install(installOpts)
+
+		is.Error(err, "should return an error when name is not provided")
+		is.Equal(err.Error(), "name is required")
+	})
+
+	t.Run("install with invalid chart", func(t *testing.T) {
+		// Install with invalid chart
+		installOpts := options.InstallOptions{
+			Name:  "test-invalid",
+			Chart: "non-existent-chart",
+			Repo:  "https://kubernetes.github.io/ingress-nginx",
+		}
+		_, err := hspm.Install(installOpts)
+		is.Error(err, "should return error when chart doesn't exist")
+		is.Equal(err.Error(), "failed to find the helm chart at the path: https://kubernetes.github.io/ingress-nginx/non-existent-chart")
+	})
+
+	t.Run("install with invalid repo", func(t *testing.T) {
+		// Install with invalid repo
+		installOpts := options.InstallOptions{
+			Name:  "test-invalid-repo",
+			Chart: "nginx",
+			Repo:  "https://non-existent-repo.example.com",
+		}
+		_, err := hspm.Install(installOpts)
+		is.Error(err, "should return error when repo doesn't exist")
+	})
+}
diff --git a/pkg/libhelm/sdk/list.go b/pkg/libhelm/sdk/list.go
new file mode 100644
index 000000000..494298a91
--- /dev/null
+++ b/pkg/libhelm/sdk/list.go
@@ -0,0 +1,108 @@
+package sdk
+
+import (
+	"fmt"
+	"strconv"
+
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	sdkrelease "helm.sh/helm/v3/pkg/release"
+)
+
+// List implements the HelmPackageManager interface by using the Helm SDK to list releases.
+// It returns a slice of ReleaseElement.
+func (hspm *HelmSDKPackageManager) List(listOpts options.ListOptions) ([]release.ReleaseElement, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("namespace", listOpts.Namespace).
+		Str("filter", listOpts.Filter).
+		Str("selector", listOpts.Selector).
+		Msg("Listing Helm releases")
+
+	// Initialize action configuration with kubernetes config
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, listOpts.Namespace, listOpts.KubernetesClusterAccess)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", listOpts.Namespace).
+			Err(err).
+			Msg("Failed to initialize helm configuration")
+		return nil, errors.Wrap(err, "failed to initialize helm configuration")
+	}
+
+	listClient, err := initListClient(actionConfig, listOpts)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to initialize helm list client")
+	}
+
+	// Run the list operation
+	releases, err := listClient.Run()
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to list helm releases")
+		return []release.ReleaseElement{}, errors.Wrap(err, "failed to list helm releases")
+	}
+
+	// Convert from SDK release type to our release element type and return
+	return convertToReleaseElements(releases), nil
+}
+
+// convertToReleaseElements converts from the SDK release type to our release element type
+func convertToReleaseElements(releases []*sdkrelease.Release) []release.ReleaseElement {
+	elements := make([]release.ReleaseElement, len(releases))
+
+	for i, rel := range releases {
+		chartName := fmt.Sprintf("%s-%s", rel.Chart.Metadata.Name, rel.Chart.Metadata.Version)
+
+		elements[i] = release.ReleaseElement{
+			Name:       rel.Name,
+			Namespace:  rel.Namespace,
+			Revision:   strconv.Itoa(rel.Version),
+			Updated:    rel.Info.LastDeployed.String(),
+			Status:     string(rel.Info.Status),
+			Chart:      chartName,
+			AppVersion: rel.Chart.Metadata.AppVersion,
+		}
+	}
+
+	return elements
+}
+
+// initListClient initializes the list client with the given options
+// and return the list client.
+func initListClient(actionConfig *action.Configuration, listOpts options.ListOptions) (*action.List, error) {
+	listClient := action.NewList(actionConfig)
+
+	// Configure list options
+	if listOpts.Filter != "" {
+		listClient.Filter = listOpts.Filter
+	}
+
+	if listOpts.Selector != "" {
+		listClient.Selector = listOpts.Selector
+	}
+
+	// If no namespace is specified in options, list across all namespaces
+	if listOpts.Namespace == "" {
+		listClient.AllNamespaces = true
+	}
+
+	// No limit by default
+	listClient.Limit = 0
+	// Show all releases, even if in a pending or failed state
+	listClient.All = true
+
+	// Set state mask to ensure proper filtering by status
+	listClient.SetStateMask()
+
+	return listClient, nil
+}
diff --git a/pkg/libhelm/sdk/list_test.go b/pkg/libhelm/sdk/list_test.go
new file mode 100644
index 000000000..c2f0ac43c
--- /dev/null
+++ b/pkg/libhelm/sdk/list_test.go
@@ -0,0 +1,72 @@
+package sdk
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/time"
+)
+
+func Test_ConvertToReleaseElements(t *testing.T) {
+	is := assert.New(t)
+
+	// Create mock releases
+	releases := []*release.Release{
+		{
+			Name:      "release1",
+			Namespace: "default",
+			Version:   1,
+			Info: &release.Info{
+				Status:       release.StatusDeployed,
+				LastDeployed: time.Now(),
+			},
+			Chart: &chart.Chart{
+				Metadata: &chart.Metadata{
+					Name:       "chart1",
+					Version:    "1.0.0",
+					AppVersion: "1.0.0",
+				},
+			},
+		},
+		{
+			Name:      "release2",
+			Namespace: "kube-system",
+			Version:   2,
+			Info: &release.Info{
+				Status:       release.StatusFailed,
+				LastDeployed: time.Now(),
+			},
+			Chart: &chart.Chart{
+				Metadata: &chart.Metadata{
+					Name:       "chart2",
+					Version:    "2.0.0",
+					AppVersion: "2.0.0",
+				},
+			},
+		},
+	}
+
+	// Convert to release elements
+	elements := convertToReleaseElements(releases)
+
+	// Verify conversion
+	is.Len(elements, 2, "should return 2 release elements")
+
+	// Verify first release
+	is.Equal("release1", elements[0].Name, "first release name should be release1")
+	is.Equal("default", elements[0].Namespace, "first release namespace should be default")
+	is.Equal("1", elements[0].Revision, "first release revision should be 1")
+	is.Equal(string(release.StatusDeployed), elements[0].Status, "first release status should be deployed")
+	is.Equal("chart1-1.0.0", elements[0].Chart, "first release chart should be chart1-1.0.0")
+	is.Equal("1.0.0", elements[0].AppVersion, "first release app version should be 1.0.0")
+
+	// Verify second release
+	is.Equal("release2", elements[1].Name, "second release name should be release2")
+	is.Equal("kube-system", elements[1].Namespace, "second release namespace should be kube-system")
+	is.Equal("2", elements[1].Revision, "second release revision should be 2")
+	is.Equal(string(release.StatusFailed), elements[1].Status, "second release status should be failed")
+	is.Equal("chart2-2.0.0", elements[1].Chart, "second release chart should be chart2-2.0.0")
+	is.Equal("2.0.0", elements[1].AppVersion, "second release app version should be 2.0.0")
+}
diff --git a/pkg/libhelm/sdk/manager.go b/pkg/libhelm/sdk/manager.go
new file mode 100644
index 000000000..8652dd724
--- /dev/null
+++ b/pkg/libhelm/sdk/manager.go
@@ -0,0 +1,23 @@
+package sdk
+
+import (
+	"time"
+
+	"github.com/portainer/portainer/pkg/libhelm/types"
+	"helm.sh/helm/v3/pkg/cli"
+)
+
+// HelmSDKPackageManager is a wrapper for the helm SDK which implements HelmPackageManager
+type HelmSDKPackageManager struct {
+	settings *cli.EnvSettings
+	timeout  time.Duration
+}
+
+// NewHelmSDKPackageManager initializes a new HelmPackageManager service using the Helm SDK
+func NewHelmSDKPackageManager() types.HelmPackageManager {
+	settings := cli.New()
+	return &HelmSDKPackageManager{
+		settings: settings,
+		timeout:  300 * time.Second, // 5 minutes default timeout
+	}
+}
diff --git a/pkg/libhelm/sdk/manager_test.go b/pkg/libhelm/sdk/manager_test.go
new file mode 100644
index 000000000..018794501
--- /dev/null
+++ b/pkg/libhelm/sdk/manager_test.go
@@ -0,0 +1,29 @@
+package sdk
+
+import (
+	"testing"
+	"time"
+
+	"github.com/portainer/portainer/pkg/libhelm/types"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_NewHelmSDKPackageManager(t *testing.T) {
+	is := assert.New(t)
+
+	// Test that NewHelmSDKPackageManager returns a non-nil HelmPackageManager
+	manager := NewHelmSDKPackageManager()
+	is.NotNil(manager, "should return non-nil HelmPackageManager")
+
+	// Test that the returned manager is of the correct type
+	_, ok := manager.(*HelmSDKPackageManager)
+	is.True(ok, "should return a *HelmSDKPackageManager")
+
+	// Test that the manager has the expected fields
+	sdkManager := manager.(*HelmSDKPackageManager)
+	is.NotNil(sdkManager.settings, "should have non-nil settings")
+	is.Equal(300*time.Second, sdkManager.timeout, "should have 5 minute timeout")
+
+	// Test that the manager implements the HelmPackageManager interface
+	var _ types.HelmPackageManager = manager
+}
diff --git a/pkg/libhelm/sdk/search_repo.go b/pkg/libhelm/sdk/search_repo.go
new file mode 100644
index 000000000..90dd98529
--- /dev/null
+++ b/pkg/libhelm/sdk/search_repo.go
@@ -0,0 +1,351 @@
+package sdk
+
+import (
+	"net/url"
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/rs/zerolog/log"
+	"github.com/segmentio/encoding/json"
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/repo"
+)
+
+var (
+	errRequiredSearchOptions = errors.New("repo is required")
+	errInvalidRepoURL        = errors.New("the request failed since either the Helm repository was not found or the index.yaml is not valid")
+)
+
+type RepoIndex struct {
+	APIVersion string                 `json:"apiVersion"`
+	Entries    map[string][]ChartInfo `json:"entries"`
+	Generated  string                 `json:"generated"`
+}
+
+// SearchRepo downloads the `index.yaml` file for specified repo, parses it and returns JSON to caller.
+func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error) {
+	// Validate input options
+	if err := validateSearchRepoOptions(searchRepoOpts); err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("repo", searchRepoOpts.Repo).
+			Err(err).
+			Msg("Missing required search repo options")
+		return nil, err
+	}
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("repo", searchRepoOpts.Repo).
+		Msg("Searching repository")
+
+	// Parse and validate the repository URL
+	repoURL, err := parseRepoURL(searchRepoOpts.Repo)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("repo", searchRepoOpts.Repo).
+			Err(err).
+			Msg("Invalid repository URL")
+		return nil, err
+	}
+
+	// Set up Helm CLI environment
+	repoSettings := cli.New()
+
+	// Ensure all required Helm directories exist
+	if err := ensureHelmDirectoriesExist(repoSettings); err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to ensure Helm directories exist")
+		return nil, errors.Wrap(err, "failed to ensure Helm directories exist")
+	}
+
+	// Download the index file and update repository configuration
+	indexPath, err := downloadRepoIndex(repoURL.String(), repoSettings, searchRepoOpts.Repo)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("repo_url", repoURL.String()).
+			Err(err).
+			Msg("Failed to download repository index")
+		return nil, err
+	}
+
+	// Load and parse the index file
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("index_path", indexPath).
+		Msg("Loading index file")
+
+	indexFile, err := loadIndexFile(indexPath)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("index_path", indexPath).
+			Err(err).
+			Msg("Failed to load index file")
+		return nil, err
+	}
+
+	// Convert the index file to our response format
+	result, err := convertIndexToResponse(indexFile)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to convert index to response format")
+		return nil, errors.Wrap(err, "failed to convert index to response format")
+	}
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("repo", searchRepoOpts.Repo).
+		Int("entries_count", len(indexFile.Entries)).
+		Msg("Successfully searched repository")
+
+	return json.Marshal(result)
+}
+
+// validateSearchRepoOptions validates the required search repository options.
+func validateSearchRepoOptions(opts options.SearchRepoOptions) error {
+	if opts.Repo == "" {
+		return errRequiredSearchOptions
+	}
+	return nil
+}
+
+// parseRepoURL parses and validates the repository URL.
+func parseRepoURL(repoURL string) (*url.URL, error) {
+	parsedURL, err := url.ParseRequestURI(repoURL)
+	if err != nil {
+		return nil, errors.Wrap(err, "invalid helm chart URL: "+repoURL)
+	}
+	return parsedURL, nil
+}
+
+// downloadRepoIndex downloads the index.yaml file from the repository and updates
+// the repository configuration.
+func downloadRepoIndex(repoURLString string, repoSettings *cli.EnvSettings, repoName string) (string, error) {
+	log.Debug().
+		Str("context", "helm_sdk_repo_index").
+		Str("repo_url", repoURLString).
+		Str("repo_name", repoName).
+		Msg("Creating chart repository object")
+
+	// Create chart repository object
+	rep, err := repo.NewChartRepository(
+		&repo.Entry{
+			URL: repoURLString,
+		},
+		getter.All(repoSettings),
+	)
+	if err != nil {
+		log.Error().
+			Str("context", "helm_sdk_repo_index").
+			Str("repo_url", repoURLString).
+			Err(err).
+			Msg("Failed to create chart repository object")
+		return "", errInvalidRepoURL
+	}
+
+	// Load repository configuration file
+	f, err := repo.LoadFile(repoSettings.RepositoryConfig)
+	if err != nil {
+		log.Error().
+			Str("context", "helm_sdk_repo_index").
+			Str("repo_config", repoSettings.RepositoryConfig).
+			Err(err).
+			Msg("Failed to load repo config")
+		return "", errors.Wrap(err, "failed to load repo config")
+	}
+
+	// Download the index file
+	log.Debug().
+		Str("context", "helm_sdk_repo_index").
+		Str("repo_url", repoURLString).
+		Msg("Downloading index file")
+
+	indexPath, err := rep.DownloadIndexFile()
+	if err != nil {
+		log.Error().
+			Str("context", "helm_sdk_repo_index").
+			Str("repo_url", repoURLString).
+			Err(err).
+			Msg("Failed to download index file")
+		return "", errors.Wrapf(err, "looks like %q is not a valid chart repository or cannot be reached", repoURLString)
+	}
+
+	// Update repository configuration
+	c := repo.Entry{
+		Name: repoName,
+		URL:  repoURLString,
+	}
+	f.Update(&c)
+
+	// Write updated configuration
+	repoFile := repoSettings.RepositoryConfig
+	if err := f.WriteFile(repoFile, 0644); err != nil {
+		log.Error().
+			Str("context", "helm_sdk_repo_index").
+			Str("repo_file", repoSettings.RepositoryConfig).
+			Err(err).
+			Msg("Failed to write repository configuration")
+		return "", errors.Wrap(err, "failed to write repository configuration")
+	}
+
+	log.Debug().
+		Str("context", "helm_sdk_repo_index").
+		Str("index_path", indexPath).
+		Msg("Successfully downloaded index file")
+
+	return indexPath, nil
+}
+
+// loadIndexFile loads the index file from the given path.
+func loadIndexFile(indexPath string) (*repo.IndexFile, error) {
+	indexFile, err := repo.LoadIndexFile(indexPath)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to load downloaded index file: %s", indexPath)
+	}
+	return indexFile, nil
+}
+
+// convertIndexToResponse converts the Helm index file to our response format.
+func convertIndexToResponse(indexFile *repo.IndexFile) (RepoIndex, error) {
+	result := RepoIndex{
+		APIVersion: indexFile.APIVersion,
+		Entries:    make(map[string][]ChartInfo),
+		Generated:  indexFile.Generated.String(),
+	}
+
+	// Convert Helm SDK types to our response types
+	for name, charts := range indexFile.Entries {
+		result.Entries[name] = convertChartsToChartInfo(charts)
+	}
+
+	return result, nil
+}
+
+// convertChartsToChartInfo converts Helm chart entries to ChartInfo objects.
+func convertChartsToChartInfo(charts []*repo.ChartVersion) []ChartInfo {
+	chartInfos := make([]ChartInfo, len(charts))
+	for i, chart := range charts {
+		chartInfos[i] = ChartInfo{
+			Name:        chart.Name,
+			Version:     chart.Version,
+			AppVersion:  chart.AppVersion,
+			Description: chart.Description,
+			Deprecated:  chart.Deprecated,
+			Created:     chart.Created.String(),
+			Digest:      chart.Digest,
+			Home:        chart.Home,
+			Sources:     chart.Sources,
+			URLs:        chart.URLs,
+			Icon:        chart.Icon,
+			Annotations: chart.Annotations,
+		}
+	}
+	return chartInfos
+}
+
+// ChartInfo represents a Helm chart in the repository index
+type ChartInfo struct {
+	Name        string   `json:"name"`
+	Version     string   `json:"version"`
+	AppVersion  string   `json:"appVersion"`
+	Description string   `json:"description"`
+	Deprecated  bool     `json:"deprecated"`
+	Created     string   `json:"created"`
+	Digest      string   `json:"digest"`
+	Home        string   `json:"home"`
+	Sources     []string `json:"sources"`
+	URLs        []string `json:"urls"`
+	Icon        string   `json:"icon,omitempty"`
+	Annotations any      `json:"annotations,omitempty"`
+}
+
+// ensureHelmDirectoriesExist checks and creates required Helm directories if they don't exist
+func ensureHelmDirectoriesExist(settings *cli.EnvSettings) error {
+	log.Debug().
+		Str("context", "helm_sdk_dirs").
+		Msg("Ensuring Helm directories exist")
+
+	// List of directories to ensure exist
+	directories := []string{
+		filepath.Dir(settings.RepositoryConfig), // Repository config directory
+		settings.RepositoryCache,                // Repository cache directory
+		filepath.Dir(settings.RegistryConfig),   // Registry config directory
+		settings.PluginsDirectory,               // Plugins directory
+	}
+
+	// Create each directory if it doesn't exist
+	for _, dir := range directories {
+		if dir == "" {
+			continue // Skip empty paths
+		}
+
+		if _, err := os.Stat(dir); os.IsNotExist(err) {
+			if err := os.MkdirAll(dir, 0700); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("directory", dir).
+					Err(err).
+					Msg("Failed to create directory")
+				return errors.Wrapf(err, "failed to create directory: %s", dir)
+			}
+		}
+	}
+
+	// Ensure registry config file exists
+	if settings.RegistryConfig != "" {
+		if _, err := os.Stat(settings.RegistryConfig); os.IsNotExist(err) {
+			// Create the directory if it doesn't exist
+			dir := filepath.Dir(settings.RegistryConfig)
+			if err := os.MkdirAll(dir, 0700); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("directory", dir).
+					Err(err).
+					Msg("Failed to create directory")
+				return errors.Wrapf(err, "failed to create directory: %s", dir)
+			}
+
+			// Create an empty registry config file
+			if _, err := os.Create(settings.RegistryConfig); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("file", settings.RegistryConfig).
+					Err(err).
+					Msg("Failed to create registry config file")
+				return errors.Wrapf(err, "failed to create registry config file: %s", settings.RegistryConfig)
+			}
+		}
+	}
+
+	// Ensure repository config file exists
+	if settings.RepositoryConfig != "" {
+		if _, err := os.Stat(settings.RepositoryConfig); os.IsNotExist(err) {
+			// Create an empty repository config file with default yaml structure
+			f := repo.NewFile()
+			if err := f.WriteFile(settings.RepositoryConfig, 0644); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("file", settings.RepositoryConfig).
+					Err(err).
+					Msg("Failed to create repository config file")
+				return errors.Wrapf(err, "failed to create repository config file: %s", settings.RepositoryConfig)
+			}
+		}
+	}
+
+	log.Debug().
+		Str("context", "helm_sdk_dirs").
+		Msg("Successfully ensured all Helm directories exist")
+
+	return nil
+}
diff --git a/pkg/libhelm/sdk/search_repo_test.go b/pkg/libhelm/sdk/search_repo_test.go
new file mode 100644
index 000000000..d4cfd9b46
--- /dev/null
+++ b/pkg/libhelm/sdk/search_repo_test.go
@@ -0,0 +1,84 @@
+package sdk
+
+import (
+	"encoding/json"
+	"testing"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/stretchr/testify/assert"
+)
+
+type testCase struct {
+	name    string
+	url     string
+	invalid bool
+}
+
+var tests = []testCase{
+	{"not a helm repo", "https://portainer.io", true},
+	{"ingress helm repo", "https://kubernetes.github.io/ingress-nginx", false},
+	{"portainer helm repo", "https://portainer.github.io/k8s/", false},
+	{"elastic helm repo with trailing slash", "https://helm.elastic.co/", false},
+	{"lensesio helm repo without trailing slash", "https://lensesio.github.io/kafka-helm-charts", false},
+}
+
+func Test_SearchRepo(t *testing.T) {
+	is := assert.New(t)
+
+	// Create a new SDK package manager
+	hspm := NewHelmSDKPackageManager()
+
+	for _, test := range tests {
+		func(tc testCase) {
+			t.Run(tc.name, func(t *testing.T) {
+				t.Parallel()
+				response, err := hspm.SearchRepo(options.SearchRepoOptions{Repo: tc.url})
+				if tc.invalid {
+					is.Errorf(err, "error expected: %s", tc.url)
+				} else {
+					is.NoError(err, "no error expected: %s", tc.url)
+				}
+
+				if err == nil {
+					is.NotEmpty(response, "response expected")
+				}
+			})
+		}(test)
+	}
+
+	t.Run("search repo with keyword", func(t *testing.T) {
+		// Search for charts with keyword
+		searchOpts := options.SearchRepoOptions{
+			Repo: "https://kubernetes.github.io/ingress-nginx",
+		}
+		responseBytes, err := hspm.SearchRepo(searchOpts)
+
+		// The function should not fail by design, even when not running in a k8s environment
+		is.NoError(err, "should not return error when not in k8s environment")
+		is.NotNil(responseBytes, "should return non-nil response")
+		is.NotEmpty(responseBytes, "should return non-empty response")
+
+		// Parse the 	ext response
+		var repoIndex RepoIndex
+		err = json.Unmarshal(responseBytes, &repoIndex)
+		is.NoError(err, "should parse JSON response without error")
+		is.NotEmpty(repoIndex, "should have at least one chart")
+
+		// Verify charts structure apiVersion, entries, generated
+		is.Equal("v1", repoIndex.APIVersion, "apiVersion should be v1")
+		is.NotEmpty(repoIndex.Entries, "entries should not be empty")
+		is.NotEmpty(repoIndex.Generated, "generated should not be empty")
+
+		// there should be at least one chart
+		is.Greater(len(repoIndex.Entries), 0, "should have at least one chart")
+	})
+
+	t.Run("search repo with empty repo URL", func(t *testing.T) {
+		// Search with empty repo URL
+		searchOpts := options.SearchRepoOptions{
+			Repo: "",
+		}
+		_, err := hspm.SearchRepo(searchOpts)
+		is.Error(err, "should return error when repo URL is empty")
+	})
+}
diff --git a/pkg/libhelm/sdk/show.go b/pkg/libhelm/sdk/show.go
new file mode 100644
index 000000000..aa674a8c0
--- /dev/null
+++ b/pkg/libhelm/sdk/show.go
@@ -0,0 +1,131 @@
+package sdk
+
+import (
+	"fmt"
+	"os"
+
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+)
+
+var errRequiredShowOptions = errors.New("chart, repo and output format are required")
+
+// Show implements the HelmPackageManager interface by using the Helm SDK to show chart information.
+// It supports showing chart values, readme, and chart details based on the provided ShowOptions.
+func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, error) {
+	if showOpts.Chart == "" || showOpts.Repo == "" || showOpts.OutputFormat == "" {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", showOpts.Chart).
+			Str("repo", showOpts.Repo).
+			Str("output_format", string(showOpts.OutputFormat)).
+			Msg("Missing required show options")
+		return nil, errRequiredShowOptions
+	}
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("chart", showOpts.Chart).
+		Str("repo", showOpts.Repo).
+		Str("output_format", string(showOpts.OutputFormat)).
+		Msg("Showing chart information")
+
+	// Initialize action configuration
+	actionConfig := new(action.Configuration)
+	if err := actionConfig.Init(nil, "", "", func(format string, v ...interface{}) {}); err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to initialize helm configuration")
+		return nil, fmt.Errorf("failed to initialize helm configuration: %w", err)
+	}
+
+	// Create temporary directory for chart download
+	tempDir, err := os.MkdirTemp("", "helm-show-*")
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to create temp directory")
+		return nil, fmt.Errorf("failed to create temp directory: %w", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// Create showClient action
+	showClient, err := initShowClient(actionConfig, showOpts)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to initialize helm show client")
+		return nil, fmt.Errorf("failed to initialize helm show client: %w", err)
+	}
+
+	// Locate and load the chart
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("chart", showOpts.Chart).
+		Str("repo", showOpts.Repo).
+		Msg("Locating chart")
+
+	chartPath, err := showClient.ChartPathOptions.LocateChart(showOpts.Chart, hspm.settings)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", showOpts.Chart).
+			Str("repo", showOpts.Repo).
+			Err(err).
+			Msg("Failed to locate chart")
+		return nil, fmt.Errorf("failed to locate chart: %w", err)
+	}
+
+	// Get the output based on the requested format
+	output, err := showClient.Run(chartPath)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart_path", chartPath).
+			Str("output_format", string(showOpts.OutputFormat)).
+			Err(err).
+			Msg("Failed to show chart info")
+		return nil, fmt.Errorf("failed to show chart info: %w", err)
+	}
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("chart", showOpts.Chart).
+		Int("output_size", len(output)).
+		Msg("Successfully retrieved chart information")
+
+	return []byte(output), nil
+}
+
+// initShowClient initializes the show client with the given options
+// and return the show client.
+func initShowClient(actionConfig *action.Configuration, showOpts options.ShowOptions) (*action.Show, error) {
+	showClient := action.NewShowWithConfig(action.ShowAll, actionConfig)
+	showClient.ChartPathOptions.RepoURL = showOpts.Repo
+	showClient.ChartPathOptions.Version = "" // Latest version
+
+	// Set output type based on ShowOptions
+	switch showOpts.OutputFormat {
+	case options.ShowAll:
+		showClient.OutputFormat = action.ShowAll
+	case options.ShowChart:
+		showClient.OutputFormat = action.ShowChart
+	case options.ShowValues:
+		showClient.OutputFormat = action.ShowValues
+	case options.ShowReadme:
+		showClient.OutputFormat = action.ShowReadme
+	default:
+		log.Error().
+			Str("context", "HelmClient").
+			Str("output_format", string(showOpts.OutputFormat)).
+			Msg("Unsupported output format")
+		return nil, fmt.Errorf("unsupported output format: %s", showOpts.OutputFormat)
+	}
+
+	return showClient, nil
+}
diff --git a/pkg/libhelm/sdk/show_test.go b/pkg/libhelm/sdk/show_test.go
new file mode 100644
index 000000000..124aac02d
--- /dev/null
+++ b/pkg/libhelm/sdk/show_test.go
@@ -0,0 +1,102 @@
+package sdk
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Show(t *testing.T) {
+	test.EnsureIntegrationTest(t)
+	is := assert.New(t)
+
+	// Create a new SDK package manager
+	hspm := NewHelmSDKPackageManager()
+
+	// install the ingress-nginx chart to test the show command
+	installOpts := options.InstallOptions{
+		Name:  "ingress-nginx",
+		Chart: "ingress-nginx",
+		Repo:  "https://kubernetes.github.io/ingress-nginx",
+	}
+	release, err := hspm.Install(installOpts)
+	if release != nil || err != nil {
+		defer hspm.Uninstall(options.UninstallOptions{
+			Name: "ingress-nginx",
+		})
+	}
+
+	t.Run("show requires chart, repo and output format", func(t *testing.T) {
+		showOpts := options.ShowOptions{
+			Chart:        "",
+			Repo:         "",
+			OutputFormat: "",
+		}
+		_, err := hspm.Show(showOpts)
+		is.Error(err, "should return error when required options are missing")
+		is.Contains(err.Error(), "chart, repo and output format are required", "error message should indicate required options")
+	})
+
+	t.Run("show chart values", func(t *testing.T) {
+		showOpts := options.ShowOptions{
+			Chart:        "ingress-nginx",
+			Repo:         "https://kubernetes.github.io/ingress-nginx",
+			OutputFormat: options.ShowValues,
+		}
+		values, err := hspm.Show(showOpts)
+
+		is.NoError(err, "should not return error when not in k8s environment")
+		is.NotEmpty(values, "should return non-empty values")
+	})
+
+	t.Run("show chart readme", func(t *testing.T) {
+		showOpts := options.ShowOptions{
+			Chart:        "ingress-nginx",
+			Repo:         "https://kubernetes.github.io/ingress-nginx",
+			OutputFormat: options.ShowReadme,
+		}
+		readme, err := hspm.Show(showOpts)
+
+		is.NoError(err, "should not return error when not in k8s environment")
+		is.NotEmpty(readme, "should return non-empty readme")
+	})
+
+	t.Run("show chart definition", func(t *testing.T) {
+		showOpts := options.ShowOptions{
+			Chart:        "ingress-nginx",
+			Repo:         "https://kubernetes.github.io/ingress-nginx",
+			OutputFormat: options.ShowChart,
+		}
+		chart, err := hspm.Show(showOpts)
+
+		is.NoError(err, "should not return error when not in k8s environment")
+		is.NotNil(chart, "should return non-nil chart definition")
+	})
+
+	t.Run("show all chart info", func(t *testing.T) {
+		showOpts := options.ShowOptions{
+			Chart:        "ingress-nginx",
+			Repo:         "https://kubernetes.github.io/ingress-nginx",
+			OutputFormat: options.ShowAll,
+		}
+		info, err := hspm.Show(showOpts)
+
+		is.NoError(err, "should not return error when not in k8s environment")
+		is.NotEmpty(info, "should return non-empty chart info")
+	})
+
+	t.Run("show with invalid output format", func(t *testing.T) {
+		// Show with invalid output format
+		showOpts := options.ShowOptions{
+			Chart:        "ingress-nginx",
+			Repo:         "https://kubernetes.github.io/ingress-nginx",
+			OutputFormat: "invalid",
+		}
+		_, err := hspm.Show(showOpts)
+
+		is.Error(err, "should return error with invalid output format")
+		is.Contains(err.Error(), "unsupported output format", "error message should indicate invalid output format")
+	})
+}
diff --git a/pkg/libhelm/sdk/uninstall.go b/pkg/libhelm/sdk/uninstall.go
new file mode 100644
index 000000000..5459b9e84
--- /dev/null
+++ b/pkg/libhelm/sdk/uninstall.go
@@ -0,0 +1,70 @@
+package sdk
+
+import (
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+)
+
+// Uninstall implements the HelmPackageManager interface by using the Helm SDK to uninstall a release.
+func (hspm *HelmSDKPackageManager) Uninstall(uninstallOpts options.UninstallOptions) error {
+	if uninstallOpts.Name == "" {
+		log.Error().
+			Str("context", "HelmClient").
+			Msg("Release name is required")
+		return errors.New("release name is required")
+	}
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("release", uninstallOpts.Name).
+		Str("namespace", uninstallOpts.Namespace).
+		Msg("Uninstalling Helm release")
+
+	// Initialize action configuration with kubernetes config
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, uninstallOpts.Namespace, uninstallOpts.KubernetesClusterAccess)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("release", uninstallOpts.Name).
+			Str("namespace", uninstallOpts.Namespace).
+			Err(err).
+			Msg("Failed to initialize helm configuration")
+		return errors.Wrap(err, "failed to initialize helm configuration")
+	}
+
+	// Create uninstallClient action
+	uninstallClient := action.NewUninstall(actionConfig)
+	// 'foreground' means the parent object remains in a "terminating" state until all of its children are deleted. This ensures that all dependent resources are completely removed before finalizing the deletion of the parent resource.
+	uninstallClient.DeletionPropagation = "foreground" // "background" or "orphan"
+
+	// Run the uninstallation
+	log.Info().
+		Str("context", "HelmClient").
+		Str("release", uninstallOpts.Name).
+		Str("namespace", uninstallOpts.Namespace).
+		Msg("Running uninstallation")
+
+	result, err := uninstallClient.Run(uninstallOpts.Name)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("release", uninstallOpts.Name).
+			Str("namespace", uninstallOpts.Namespace).
+			Err(err).
+			Msg("Failed to uninstall helm release")
+		return errors.Wrap(err, "failed to uninstall helm release")
+	}
+
+	if result != nil {
+		log.Debug().
+			Str("context", "HelmClient").
+			Str("release", uninstallOpts.Name).
+			Str("release_info", result.Release.Info.Description).
+			Msg("Uninstall result details")
+	}
+
+	return nil
+}
diff --git a/pkg/libhelm/sdk/uninstall_test.go b/pkg/libhelm/sdk/uninstall_test.go
new file mode 100644
index 000000000..28ef1cb21
--- /dev/null
+++ b/pkg/libhelm/sdk/uninstall_test.go
@@ -0,0 +1,65 @@
+package sdk
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Uninstall(t *testing.T) {
+	test.EnsureIntegrationTest(t)
+	is := assert.New(t)
+
+	// Create a new SDK package manager
+	hspm := NewHelmSDKPackageManager()
+
+	t.Run("uninstall requires a release name", func(t *testing.T) {
+		// Try to uninstall without a release name
+		uninstallOpts := options.UninstallOptions{
+			Name: "",
+		}
+		err := hspm.Uninstall(uninstallOpts)
+		is.Error(err, "should return error when release name is empty")
+		is.Contains(err.Error(), "release name is required", "error message should indicate release name is required")
+	})
+
+	t.Run("uninstall a non-existent release", func(t *testing.T) {
+		// Try to uninstall a release that doesn't exist
+		uninstallOpts := options.UninstallOptions{
+			Name: "non-existent-release",
+		}
+		err := hspm.Uninstall(uninstallOpts)
+
+		// The function should not fail by design, even when not running in a k8s environment
+		// However, it should return an error for a non-existent release
+		is.Error(err, "should return error when release doesn't exist")
+		is.Contains(err.Error(), "not found", "error message should indicate release not found")
+	})
+
+	// This test is commented out as it requires a real release to be installed first
+	t.Run("successfully uninstall an existing release", func(t *testing.T) {
+		// First install a release
+		installOpts := options.InstallOptions{
+			Name:  "test-uninstall",
+			Chart: "nginx",
+			Repo:  "https://kubernetes.github.io/ingress-nginx",
+		}
+
+		// Install the release
+		_, err := hspm.Install(installOpts)
+		if err != nil {
+			t.Logf("Error installing release: %v", err)
+			t.Skip("Skipping uninstall test because install failed")
+			return
+		}
+
+		// Now uninstall it
+		uninstallOpts := options.UninstallOptions{
+			Name: "test-uninstall",
+		}
+		err = hspm.Uninstall(uninstallOpts)
+		is.NoError(err, "should successfully uninstall release")
+	})
+}
diff --git a/pkg/libhelm/sdk/values.go b/pkg/libhelm/sdk/values.go
new file mode 100644
index 000000000..37ad46775
--- /dev/null
+++ b/pkg/libhelm/sdk/values.go
@@ -0,0 +1,42 @@
+package sdk
+
+import (
+	"os"
+
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
+)
+
+// GetHelmValuesFromFile reads the values file and parses it into a map[string]any
+// and returns the map.
+func (hspm *HelmSDKPackageManager) GetHelmValuesFromFile(valuesFile string) (map[string]any, error) {
+	var vals map[string]any
+	if valuesFile != "" {
+		log.Debug().
+			Str("context", "HelmClient").
+			Str("values_file", valuesFile).
+			Msg("Reading values file")
+
+		valuesData, err := os.ReadFile(valuesFile)
+		if err != nil {
+			log.Error().
+				Str("context", "HelmClient").
+				Str("values_file", valuesFile).
+				Err(err).
+				Msg("Failed to read values file")
+			return nil, errors.Wrap(err, "failed to read values file")
+		}
+
+		vals, err = hspm.parseValues(valuesData)
+		if err != nil {
+			log.Error().
+				Str("context", "HelmClient").
+				Str("values_file", valuesFile).
+				Err(err).
+				Msg("Failed to parse values file")
+			return nil, errors.Wrap(err, "failed to parse values file")
+		}
+	}
+
+	return vals, nil
+}
diff --git a/pkg/libhelm/libhelmtest/integration.go b/pkg/libhelm/test/integration.go
similarity index 93%
rename from pkg/libhelm/libhelmtest/integration.go
rename to pkg/libhelm/test/integration.go
index f8febab65..0939f460e 100644
--- a/pkg/libhelm/libhelmtest/integration.go
+++ b/pkg/libhelm/test/integration.go
@@ -1,4 +1,4 @@
-package libhelmtest
+package test
 
 import (
 	"os"
diff --git a/pkg/libhelm/binary/test/mock.go b/pkg/libhelm/test/mock.go
similarity index 95%
rename from pkg/libhelm/binary/test/mock.go
rename to pkg/libhelm/test/mock.go
index e019ee248..0b7712aab 100644
--- a/pkg/libhelm/binary/test/mock.go
+++ b/pkg/libhelm/test/mock.go
@@ -3,9 +3,9 @@ package test
 import (
 	"strings"
 
-	"github.com/portainer/portainer/pkg/libhelm"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/types"
 
 	"github.com/pkg/errors"
 	"github.com/segmentio/encoding/json"
@@ -31,8 +31,8 @@ const (
 // Do not use this package for concurrent tests.
 type helmMockPackageManager struct{}
 
-// NewMockHelmBinaryPackageManager initializes a new HelmPackageManager service (a mock instance)
-func NewMockHelmBinaryPackageManager(binaryPath string) libhelm.HelmPackageManager {
+// NewMockHelmPackageManager initializes a new HelmPackageManager service (a mock instance)
+func NewMockHelmPackageManager() types.HelmPackageManager {
 	return &helmMockPackageManager{}
 }
 
diff --git a/pkg/libhelm/helm.go b/pkg/libhelm/types/types.go
similarity index 72%
rename from pkg/libhelm/helm.go
rename to pkg/libhelm/types/types.go
index 3f718e64f..91b777270 100644
--- a/pkg/libhelm/helm.go
+++ b/pkg/libhelm/types/types.go
@@ -1,16 +1,26 @@
-package libhelm
+package types
 
 import (
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"helm.sh/helm/v3/pkg/cli"
+	"helm.sh/helm/v3/pkg/repo"
 )
 
 // HelmPackageManager represents a service that interfaces with Helm
 type HelmPackageManager interface {
 	Show(showOpts options.ShowOptions) ([]byte, error)
 	SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error)
-	Get(getOpts options.GetOptions) ([]byte, error)
 	List(listOpts options.ListOptions) ([]release.ReleaseElement, error)
 	Install(installOpts options.InstallOptions) (*release.Release, error)
 	Uninstall(uninstallOpts options.UninstallOptions) error
 }
+
+type Repository interface {
+	Charts() (repo.ChartVersions, error)
+}
+
+type HelmRepo struct {
+	Settings *cli.EnvSettings
+	Orig     *repo.Entry
+}
diff --git a/pkg/libhelm/validate_repo.go b/pkg/libhelm/validate_repo.go
index 872dad165..1b4de5dc5 100644
--- a/pkg/libhelm/validate_repo.go
+++ b/pkg/libhelm/validate_repo.go
@@ -15,6 +15,10 @@ func ValidateHelmRepositoryURL(repoUrl string, client *http.Client) error {
 		return errors.New("URL is required")
 	}
 
+	if strings.HasPrefix(repoUrl, "oci://") {
+		return errors.New("OCI repositories are not supported yet")
+	}
+
 	url, err := url.ParseRequestURI(repoUrl)
 	if err != nil {
 		return fmt.Errorf("invalid helm repository URL '%s': %w", repoUrl, err)
diff --git a/pkg/libhelm/validate_repo_test.go b/pkg/libhelm/validate_repo_test.go
index dce1257d0..55d9d4736 100644
--- a/pkg/libhelm/validate_repo_test.go
+++ b/pkg/libhelm/validate_repo_test.go
@@ -3,12 +3,12 @@ package libhelm
 import (
 	"testing"
 
-	"github.com/portainer/portainer/pkg/libhelm/libhelmtest"
+	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
 )
 
 func Test_ValidateHelmRepositoryURL(t *testing.T) {
-	libhelmtest.EnsureIntegrationTest(t)
+	test.EnsureIntegrationTest(t)
 	is := assert.New(t)
 
 	type testCase struct {
@@ -26,7 +26,7 @@ func Test_ValidateHelmRepositoryURL(t *testing.T) {
 		{"not helm repo", "http://google.com", true},
 		{"not valid repo with trailing slash", "http://google.com/", true},
 		{"not valid repo with trailing slashes", "http://google.com////", true},
-		{"ingress helm repo", "https://kubernetes.github.io/ingress-nginx/", false},
+		{"bitnami helm repo", "https://charts.bitnami.com/bitnami/", false},
 		{"gitlap helm repo", "https://charts.gitlab.io/", false},
 		{"portainer helm repo", "https://portainer.github.io/k8s/", false},
 		{"elastic helm repo", "https://helm.elastic.co/", false},

From 8b7aef883a96052a6f91b77712f1142527644dc3 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Thu, 13 Mar 2025 14:13:18 +1300
Subject: [PATCH 041/212] fix: display unscheduled applications (#496)

Co-authored-by: JamesPlayer <james.player@portainer.io>
---
 api/http/handler/kubernetes/application.go    |   9 +-
 api/kubernetes/cli/applications.go            | 410 +++++++++++-----
 api/kubernetes/cli/applications_test.go       | 461 ++++++++++++++++++
 api/kubernetes/cli/configmap.go               |   6 +-
 api/kubernetes/cli/pod.go                     |  70 ++-
 api/kubernetes/cli/role.go                    |   3 +-
 api/kubernetes/cli/role_binding.go            |   8 +-
 api/kubernetes/cli/secret.go                  |   6 +-
 api/kubernetes/cli/service.go                 |   4 +-
 api/kubernetes/cli/service_account.go         |   3 +-
 api/kubernetes/cli/volumes.go                 |   8 +-
 api/portainer.go                              |   2 +-
 .../ApplicationsDatatable.tsx                 |   1 -
 .../ApplicationsStacksDatatable.tsx           |   1 -
 .../applications/queries/query-keys.ts        |   1 -
 .../applications/queries/useApplications.ts   |   1 -
 app/react/kubernetes/applications/utils.ts    |   2 +-
 .../ItemView/NamespaceAppsDatatable.tsx       |   1 -
 18 files changed, 796 insertions(+), 201 deletions(-)
 create mode 100644 api/kubernetes/cli/applications_test.go

diff --git a/api/http/handler/kubernetes/application.go b/api/http/handler/kubernetes/application.go
index 2da8d0fd4..cb67cd7af 100644
--- a/api/http/handler/kubernetes/application.go
+++ b/api/http/handler/kubernetes/application.go
@@ -69,7 +69,6 @@ func (handler *Handler) getApplicationsResources(w http.ResponseWriter, r *http.
 // @param id path int true "Environment(Endpoint) identifier"
 // @param namespace query string true "Namespace name"
 // @param nodeName query string true "Node name"
-// @param withDependencies query boolean false "Include dependencies in the response"
 // @success 200 {array} models.K8sApplication "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
@@ -117,12 +116,6 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.BadRequest("Unable to parse the namespace query parameter", err)
 	}
 
-	withDependencies, err := request.RetrieveBooleanQueryParameter(r, "withDependencies", true)
-	if err != nil {
-		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the withDependencies query parameter")
-		return nil, httperror.BadRequest("Unable to parse the withDependencies query parameter", err)
-	}
-
 	nodeName, err := request.RetrieveQueryParameter(r, "nodeName", true)
 	if err != nil {
 		log.Error().Err(err).Str("context", "getAllKubernetesApplications").Msg("Unable to parse the nodeName query parameter")
@@ -135,7 +128,7 @@ func (handler *Handler) getAllKubernetesApplications(r *http.Request) ([]models.
 		return nil, httperror.InternalServerError("Unable to get a Kubernetes client for the user", httpErr)
 	}
 
-	applications, err := cli.GetApplications(namespace, nodeName, withDependencies)
+	applications, err := cli.GetApplications(namespace, nodeName)
 	if err != nil {
 		if k8serrors.IsUnauthorized(err) {
 			log.Error().Err(err).Str("context", "getAllKubernetesApplications").Str("namespace", namespace).Str("nodeName", nodeName).Msg("Unable to get the list of applications")
diff --git a/api/kubernetes/cli/applications.go b/api/kubernetes/cli/applications.go
index e68137c69..c08329a7b 100644
--- a/api/kubernetes/cli/applications.go
+++ b/api/kubernetes/cli/applications.go
@@ -12,45 +12,58 @@ import (
 	labels "k8s.io/apimachinery/pkg/labels"
 )
 
+// PortainerApplicationResources contains collections of various Kubernetes resources
+// associated with a Portainer application.
+type PortainerApplicationResources struct {
+	Pods                     []corev1.Pod
+	ReplicaSets              []appsv1.ReplicaSet
+	Deployments              []appsv1.Deployment
+	StatefulSets             []appsv1.StatefulSet
+	DaemonSets               []appsv1.DaemonSet
+	Services                 []corev1.Service
+	HorizontalPodAutoscalers []autoscalingv2.HorizontalPodAutoscaler
+}
+
 // GetAllKubernetesApplications gets a list of kubernetes workloads (or applications) across all namespaces in the cluster
 // if the user is an admin, all namespaces in the current k8s environment(endpoint) are fetched using the fetchApplications function.
 // otherwise, namespaces the non-admin user has access to will be used to filter the applications based on the allowed namespaces.
-func (kcl *KubeClient) GetApplications(namespace, nodeName string, withDependencies bool) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) GetApplications(namespace, nodeName string) ([]models.K8sApplication, error) {
 	if kcl.IsKubeAdmin {
-		return kcl.fetchApplications(namespace, nodeName, withDependencies)
+		return kcl.fetchApplications(namespace, nodeName)
 	}
 
-	return kcl.fetchApplicationsForNonAdmin(namespace, nodeName, withDependencies)
+	return kcl.fetchApplicationsForNonAdmin(namespace, nodeName)
 }
 
 // fetchApplications fetches the applications in the namespaces the user has access to.
 // This function is called when the user is an admin.
-func (kcl *KubeClient) fetchApplications(namespace, nodeName string, withDependencies bool) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) fetchApplications(namespace, nodeName string) ([]models.K8sApplication, error) {
 	podListOptions := metav1.ListOptions{}
 	if nodeName != "" {
 		podListOptions.FieldSelector = "spec.nodeName=" + nodeName
 	}
-	if !withDependencies {
-		// TODO: make sure not to fetch services in fetchAllApplicationsListResources from this call
-		pods, replicaSets, deployments, statefulSets, daemonSets, _, _, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
-		if err != nil {
-			return nil, err
-		}
 
-		return kcl.convertPodsToApplications(pods, replicaSets, deployments, statefulSets, daemonSets, nil, nil)
-	}
-
-	pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
 	if err != nil {
 		return nil, err
 	}
 
-	return kcl.convertPodsToApplications(pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas)
+	applications, err := kcl.convertPodsToApplications(portainerApplicationResources)
+	if err != nil {
+		return nil, err
+	}
+
+	unhealthyApplications, err := fetchUnhealthyApplications(portainerApplicationResources)
+	if err != nil {
+		return nil, err
+	}
+
+	return append(applications, unhealthyApplications...), nil
 }
 
 // fetchApplicationsForNonAdmin fetches the applications in the namespaces the user has access to.
 // This function is called when the user is not an admin.
-func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string, withDependencies bool) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string) ([]models.K8sApplication, error) {
 	log.Debug().Msgf("Fetching applications for non-admin user: %v", kcl.NonAdminNamespaces)
 
 	if len(kcl.NonAdminNamespaces) == 0 {
@@ -62,28 +75,24 @@ func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string,
 		podListOptions.FieldSelector = "spec.nodeName=" + nodeName
 	}
 
-	if !withDependencies {
-		pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets(namespace, podListOptions)
-		if err != nil {
-			return nil, err
-		}
-
-		return kcl.convertPodsToApplications(pods, replicaSets, nil, nil, nil, nil, nil)
-	}
-
-	pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources(namespace, podListOptions)
 	if err != nil {
 		return nil, err
 	}
 
-	applications, err := kcl.convertPodsToApplications(pods, replicaSets, deployments, statefulSets, daemonSets, services, hpas)
+	applications, err := kcl.convertPodsToApplications(portainerApplicationResources)
+	if err != nil {
+		return nil, err
+	}
+
+	unhealthyApplications, err := fetchUnhealthyApplications(portainerApplicationResources)
 	if err != nil {
 		return nil, err
 	}
 
 	nonAdminNamespaceSet := kcl.buildNonAdminNamespacesMap()
 	results := make([]models.K8sApplication, 0)
-	for _, application := range applications {
+	for _, application := range append(applications, unhealthyApplications...) {
 		if _, ok := nonAdminNamespaceSet[application.ResourcePool]; ok {
 			results = append(results, application)
 		}
@@ -93,11 +102,11 @@ func (kcl *KubeClient) fetchApplicationsForNonAdmin(namespace, nodeName string,
 }
 
 // convertPodsToApplications processes pods and converts them to applications, ensuring uniqueness by owner reference.
-func (kcl *KubeClient) convertPodsToApplications(pods []corev1.Pod, replicaSets []appsv1.ReplicaSet, deployments []appsv1.Deployment, statefulSets []appsv1.StatefulSet, daemonSets []appsv1.DaemonSet, services []corev1.Service, hpas []autoscalingv2.HorizontalPodAutoscaler) ([]models.K8sApplication, error) {
+func (kcl *KubeClient) convertPodsToApplications(portainerApplicationResources PortainerApplicationResources) ([]models.K8sApplication, error) {
 	applications := []models.K8sApplication{}
 	processedOwners := make(map[string]struct{})
 
-	for _, pod := range pods {
+	for _, pod := range portainerApplicationResources.Pods {
 		if len(pod.OwnerReferences) > 0 {
 			ownerUID := string(pod.OwnerReferences[0].UID)
 			if _, exists := processedOwners[ownerUID]; exists {
@@ -106,7 +115,7 @@ func (kcl *KubeClient) convertPodsToApplications(pods []corev1.Pod, replicaSets
 			processedOwners[ownerUID] = struct{}{}
 		}
 
-		application, err := kcl.ConvertPodToApplication(pod, replicaSets, deployments, statefulSets, daemonSets, services, hpas, true)
+		application, err := kcl.ConvertPodToApplication(pod, portainerApplicationResources, true)
 		if err != nil {
 			return nil, err
 		}
@@ -151,7 +160,9 @@ func (kcl *KubeClient) GetApplicationNamesFromConfigMap(configMap models.K8sConf
 	for _, pod := range pods {
 		if pod.Namespace == configMap.Namespace {
 			if isPodUsingConfigMap(&pod, configMap.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
+				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
+					ReplicaSets: replicaSets,
+				}, false)
 				if err != nil {
 					return nil, err
 				}
@@ -168,7 +179,9 @@ func (kcl *KubeClient) GetApplicationNamesFromSecret(secret models.K8sSecret, po
 	for _, pod := range pods {
 		if pod.Namespace == secret.Namespace {
 			if isPodUsingSecret(&pod, secret.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
+				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
+					ReplicaSets: replicaSets,
+				}, false)
 				if err != nil {
 					return nil, err
 				}
@@ -181,12 +194,12 @@ func (kcl *KubeClient) GetApplicationNamesFromSecret(secret models.K8sSecret, po
 }
 
 // ConvertPodToApplication converts a pod to an application, updating owner references if necessary
-func (kcl *KubeClient) ConvertPodToApplication(pod corev1.Pod, replicaSets []appsv1.ReplicaSet, deployments []appsv1.Deployment, statefulSets []appsv1.StatefulSet, daemonSets []appsv1.DaemonSet, services []corev1.Service, hpas []autoscalingv2.HorizontalPodAutoscaler, withResource bool) (*models.K8sApplication, error) {
+func (kcl *KubeClient) ConvertPodToApplication(pod corev1.Pod, portainerApplicationResources PortainerApplicationResources, withResource bool) (*models.K8sApplication, error) {
 	if isReplicaSetOwner(pod) {
-		updateOwnerReferenceToDeployment(&pod, replicaSets)
+		updateOwnerReferenceToDeployment(&pod, portainerApplicationResources.ReplicaSets)
 	}
 
-	application := createApplication(&pod, deployments, statefulSets, daemonSets, services, hpas)
+	application := createApplicationFromPod(&pod, portainerApplicationResources)
 	if application.ID == "" && application.Name == "" {
 		return nil, nil
 	}
@@ -203,9 +216,9 @@ func (kcl *KubeClient) ConvertPodToApplication(pod corev1.Pod, replicaSets []app
 	return &application, nil
 }
 
-// createApplication creates a K8sApplication object from a pod
+// createApplicationFromPod creates a K8sApplication object from a pod
 // it sets the application name, namespace, kind, image, stack id, stack name, and labels
-func createApplication(pod *corev1.Pod, deployments []appsv1.Deployment, statefulSets []appsv1.StatefulSet, daemonSets []appsv1.DaemonSet, services []corev1.Service, hpas []autoscalingv2.HorizontalPodAutoscaler) models.K8sApplication {
+func createApplicationFromPod(pod *corev1.Pod, portainerApplicationResources PortainerApplicationResources) models.K8sApplication {
 	kind := "Pod"
 	name := pod.Name
 
@@ -221,120 +234,172 @@ func createApplication(pod *corev1.Pod, deployments []appsv1.Deployment, statefu
 
 	switch kind {
 	case "Deployment":
-		for _, deployment := range deployments {
+		for _, deployment := range portainerApplicationResources.Deployments {
 			if deployment.Name == name && deployment.Namespace == pod.Namespace {
-				application.ApplicationType = "Deployment"
-				application.Kind = "Deployment"
-				application.ID = string(deployment.UID)
-				application.ResourcePool = deployment.Namespace
-				application.Name = name
-				application.Image = deployment.Spec.Template.Spec.Containers[0].Image
-				application.ApplicationOwner = deployment.Labels["io.portainer.kubernetes.application.owner"]
-				application.StackID = deployment.Labels["io.portainer.kubernetes.application.stackid"]
-				application.StackName = deployment.Labels["io.portainer.kubernetes.application.stack"]
-				application.Labels = deployment.Labels
-				application.MatchLabels = deployment.Spec.Selector.MatchLabels
-				application.CreationDate = deployment.CreationTimestamp.Time
-				application.TotalPodsCount = int(deployment.Status.Replicas)
-				application.RunningPodsCount = int(deployment.Status.ReadyReplicas)
-				application.DeploymentType = "Replicated"
-				application.Metadata = &models.Metadata{
-					Labels: deployment.Labels,
-				}
-
+				populateApplicationFromDeployment(&application, deployment)
 				break
 			}
 		}
-
 	case "StatefulSet":
-		for _, statefulSet := range statefulSets {
+		for _, statefulSet := range portainerApplicationResources.StatefulSets {
 			if statefulSet.Name == name && statefulSet.Namespace == pod.Namespace {
-				application.Kind = "StatefulSet"
-				application.ApplicationType = "StatefulSet"
-				application.ID = string(statefulSet.UID)
-				application.ResourcePool = statefulSet.Namespace
-				application.Name = name
-				application.Image = statefulSet.Spec.Template.Spec.Containers[0].Image
-				application.ApplicationOwner = statefulSet.Labels["io.portainer.kubernetes.application.owner"]
-				application.StackID = statefulSet.Labels["io.portainer.kubernetes.application.stackid"]
-				application.StackName = statefulSet.Labels["io.portainer.kubernetes.application.stack"]
-				application.Labels = statefulSet.Labels
-				application.MatchLabels = statefulSet.Spec.Selector.MatchLabels
-				application.CreationDate = statefulSet.CreationTimestamp.Time
-				application.TotalPodsCount = int(statefulSet.Status.Replicas)
-				application.RunningPodsCount = int(statefulSet.Status.ReadyReplicas)
-				application.DeploymentType = "Replicated"
-				application.Metadata = &models.Metadata{
-					Labels: statefulSet.Labels,
-				}
-
+				populateApplicationFromStatefulSet(&application, statefulSet)
 				break
 			}
 		}
-
 	case "DaemonSet":
-		for _, daemonSet := range daemonSets {
+		for _, daemonSet := range portainerApplicationResources.DaemonSets {
 			if daemonSet.Name == name && daemonSet.Namespace == pod.Namespace {
-				application.Kind = "DaemonSet"
-				application.ApplicationType = "DaemonSet"
-				application.ID = string(daemonSet.UID)
-				application.ResourcePool = daemonSet.Namespace
-				application.Name = name
-				application.Image = daemonSet.Spec.Template.Spec.Containers[0].Image
-				application.ApplicationOwner = daemonSet.Labels["io.portainer.kubernetes.application.owner"]
-				application.StackID = daemonSet.Labels["io.portainer.kubernetes.application.stackid"]
-				application.StackName = daemonSet.Labels["io.portainer.kubernetes.application.stack"]
-				application.Labels = daemonSet.Labels
-				application.MatchLabels = daemonSet.Spec.Selector.MatchLabels
-				application.CreationDate = daemonSet.CreationTimestamp.Time
-				application.TotalPodsCount = int(daemonSet.Status.DesiredNumberScheduled)
-				application.RunningPodsCount = int(daemonSet.Status.NumberReady)
-				application.DeploymentType = "Global"
-				application.Metadata = &models.Metadata{
-					Labels: daemonSet.Labels,
-				}
-
+				populateApplicationFromDaemonSet(&application, daemonSet)
 				break
 			}
 		}
-
 	case "Pod":
-		runningPodsCount := 1
-		if pod.Status.Phase != corev1.PodRunning {
-			runningPodsCount = 0
-		}
-
-		application.ApplicationType = "Pod"
-		application.Kind = "Pod"
-		application.ID = string(pod.UID)
-		application.ResourcePool = pod.Namespace
-		application.Name = pod.Name
-		application.Image = pod.Spec.Containers[0].Image
-		application.ApplicationOwner = pod.Labels["io.portainer.kubernetes.application.owner"]
-		application.StackID = pod.Labels["io.portainer.kubernetes.application.stackid"]
-		application.StackName = pod.Labels["io.portainer.kubernetes.application.stack"]
-		application.Labels = pod.Labels
-		application.MatchLabels = pod.Labels
-		application.CreationDate = pod.CreationTimestamp.Time
-		application.TotalPodsCount = 1
-		application.RunningPodsCount = runningPodsCount
-		application.DeploymentType = string(pod.Status.Phase)
-		application.Metadata = &models.Metadata{
-			Labels: pod.Labels,
-		}
+		populateApplicationFromPod(&application, *pod)
 	}
 
-	if application.ID != "" && application.Name != "" && len(services) > 0 {
-		updateApplicationWithService(&application, services)
+	if application.ID != "" && application.Name != "" && len(portainerApplicationResources.Services) > 0 {
+		updateApplicationWithService(&application, portainerApplicationResources.Services)
 	}
 
-	if application.ID != "" && application.Name != "" && len(hpas) > 0 {
-		updateApplicationWithHorizontalPodAutoscaler(&application, hpas)
+	if application.ID != "" && application.Name != "" && len(portainerApplicationResources.HorizontalPodAutoscalers) > 0 {
+		updateApplicationWithHorizontalPodAutoscaler(&application, portainerApplicationResources.HorizontalPodAutoscalers)
 	}
 
 	return application
 }
 
+// createApplicationFromDeployment creates a K8sApplication from a Deployment
+func createApplicationFromDeployment(deployment appsv1.Deployment) models.K8sApplication {
+	var app models.K8sApplication
+	populateApplicationFromDeployment(&app, deployment)
+	return app
+}
+
+// createApplicationFromStatefulSet creates a K8sApplication from a StatefulSet
+func createApplicationFromStatefulSet(statefulSet appsv1.StatefulSet) models.K8sApplication {
+	var app models.K8sApplication
+	populateApplicationFromStatefulSet(&app, statefulSet)
+	return app
+}
+
+// createApplicationFromDaemonSet creates a K8sApplication from a DaemonSet
+func createApplicationFromDaemonSet(daemonSet appsv1.DaemonSet) models.K8sApplication {
+	var app models.K8sApplication
+	populateApplicationFromDaemonSet(&app, daemonSet)
+	return app
+}
+
+func populateApplicationFromDeployment(application *models.K8sApplication, deployment appsv1.Deployment) {
+	application.ApplicationType = "Deployment"
+	application.Kind = "Deployment"
+	application.ID = string(deployment.UID)
+	application.ResourcePool = deployment.Namespace
+	application.Name = deployment.Name
+	application.ApplicationOwner = deployment.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = deployment.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = deployment.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = deployment.Labels
+	application.MatchLabels = deployment.Spec.Selector.MatchLabels
+	application.CreationDate = deployment.CreationTimestamp.Time
+	application.TotalPodsCount = 0
+	if deployment.Spec.Replicas != nil {
+		application.TotalPodsCount = int(*deployment.Spec.Replicas)
+	}
+	application.RunningPodsCount = int(deployment.Status.ReadyReplicas)
+	application.DeploymentType = "Replicated"
+	application.Metadata = &models.Metadata{
+		Labels: deployment.Labels,
+	}
+
+	// If the deployment has containers, use the first container's image
+	if len(deployment.Spec.Template.Spec.Containers) > 0 {
+		application.Image = deployment.Spec.Template.Spec.Containers[0].Image
+	}
+}
+
+func populateApplicationFromStatefulSet(application *models.K8sApplication, statefulSet appsv1.StatefulSet) {
+	application.Kind = "StatefulSet"
+	application.ApplicationType = "StatefulSet"
+	application.ID = string(statefulSet.UID)
+	application.ResourcePool = statefulSet.Namespace
+	application.Name = statefulSet.Name
+	application.ApplicationOwner = statefulSet.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = statefulSet.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = statefulSet.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = statefulSet.Labels
+	application.MatchLabels = statefulSet.Spec.Selector.MatchLabels
+	application.CreationDate = statefulSet.CreationTimestamp.Time
+	application.TotalPodsCount = 0
+	if statefulSet.Spec.Replicas != nil {
+		application.TotalPodsCount = int(*statefulSet.Spec.Replicas)
+	}
+	application.RunningPodsCount = int(statefulSet.Status.ReadyReplicas)
+	application.DeploymentType = "Replicated"
+	application.Metadata = &models.Metadata{
+		Labels: statefulSet.Labels,
+	}
+
+	// If the statefulSet has containers, use the first container's image
+	if len(statefulSet.Spec.Template.Spec.Containers) > 0 {
+		application.Image = statefulSet.Spec.Template.Spec.Containers[0].Image
+	}
+}
+
+func populateApplicationFromDaemonSet(application *models.K8sApplication, daemonSet appsv1.DaemonSet) {
+	application.Kind = "DaemonSet"
+	application.ApplicationType = "DaemonSet"
+	application.ID = string(daemonSet.UID)
+	application.ResourcePool = daemonSet.Namespace
+	application.Name = daemonSet.Name
+	application.ApplicationOwner = daemonSet.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = daemonSet.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = daemonSet.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = daemonSet.Labels
+	application.MatchLabels = daemonSet.Spec.Selector.MatchLabels
+	application.CreationDate = daemonSet.CreationTimestamp.Time
+	application.TotalPodsCount = int(daemonSet.Status.DesiredNumberScheduled)
+	application.RunningPodsCount = int(daemonSet.Status.NumberReady)
+	application.DeploymentType = "Global"
+	application.Metadata = &models.Metadata{
+		Labels: daemonSet.Labels,
+	}
+
+	if len(daemonSet.Spec.Template.Spec.Containers) > 0 {
+		application.Image = daemonSet.Spec.Template.Spec.Containers[0].Image
+	}
+}
+
+func populateApplicationFromPod(application *models.K8sApplication, pod corev1.Pod) {
+	runningPodsCount := 1
+	if pod.Status.Phase != corev1.PodRunning {
+		runningPodsCount = 0
+	}
+
+	application.ApplicationType = "Pod"
+	application.Kind = "Pod"
+	application.ID = string(pod.UID)
+	application.ResourcePool = pod.Namespace
+	application.Name = pod.Name
+	application.ApplicationOwner = pod.Labels["io.portainer.kubernetes.application.owner"]
+	application.StackID = pod.Labels["io.portainer.kubernetes.application.stackid"]
+	application.StackName = pod.Labels["io.portainer.kubernetes.application.stack"]
+	application.Labels = pod.Labels
+	application.MatchLabels = pod.Labels
+	application.CreationDate = pod.CreationTimestamp.Time
+	application.TotalPodsCount = 1
+	application.RunningPodsCount = runningPodsCount
+	application.DeploymentType = string(pod.Status.Phase)
+	application.Metadata = &models.Metadata{
+		Labels: pod.Labels,
+	}
+
+	// If the pod has containers, use the first container's image
+	if len(pod.Spec.Containers) > 0 {
+		application.Image = pod.Spec.Containers[0].Image
+	}
+}
+
 // updateApplicationWithService updates the application with the services that match the application's selector match labels
 // and are in the same namespace as the application
 func updateApplicationWithService(application *models.K8sApplication, services []corev1.Service) {
@@ -410,7 +475,9 @@ func (kcl *KubeClient) GetApplicationConfigurationOwnersFromConfigMap(configMap
 	for _, pod := range pods {
 		if pod.Namespace == configMap.Namespace {
 			if isPodUsingConfigMap(&pod, configMap.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
+				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
+					ReplicaSets: replicaSets,
+				}, false)
 				if err != nil {
 					return nil, err
 				}
@@ -436,7 +503,9 @@ func (kcl *KubeClient) GetApplicationConfigurationOwnersFromSecret(secret models
 	for _, pod := range pods {
 		if pod.Namespace == secret.Namespace {
 			if isPodUsingSecret(&pod, secret.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, replicaSets, nil, nil, nil, nil, nil, false)
+				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
+					ReplicaSets: replicaSets,
+				}, false)
 				if err != nil {
 					return nil, err
 				}
@@ -454,3 +523,84 @@ func (kcl *KubeClient) GetApplicationConfigurationOwnersFromSecret(secret models
 
 	return configurationOwners, nil
 }
+
+// fetchUnhealthyApplications fetches applications that failed to schedule any pods
+// due to issues like missing resource limits or other scheduling constraints
+func fetchUnhealthyApplications(resources PortainerApplicationResources) ([]models.K8sApplication, error) {
+	var unhealthyApplications []models.K8sApplication
+
+	// Process Deployments
+	for _, deployment := range resources.Deployments {
+		if hasNoScheduledPods(deployment) {
+			app := createApplicationFromDeployment(deployment)
+			addRelatedResourcesToApplication(&app, resources)
+			unhealthyApplications = append(unhealthyApplications, app)
+		}
+	}
+
+	// Process StatefulSets
+	for _, statefulSet := range resources.StatefulSets {
+		if hasNoScheduledPods(statefulSet) {
+			app := createApplicationFromStatefulSet(statefulSet)
+			addRelatedResourcesToApplication(&app, resources)
+			unhealthyApplications = append(unhealthyApplications, app)
+		}
+	}
+
+	// Process DaemonSets
+	for _, daemonSet := range resources.DaemonSets {
+		if hasNoScheduledPods(daemonSet) {
+			app := createApplicationFromDaemonSet(daemonSet)
+			addRelatedResourcesToApplication(&app, resources)
+			unhealthyApplications = append(unhealthyApplications, app)
+		}
+	}
+
+	return unhealthyApplications, nil
+}
+
+// addRelatedResourcesToApplication adds Services and HPA information to the application
+func addRelatedResourcesToApplication(app *models.K8sApplication, resources PortainerApplicationResources) {
+	if app.ID == "" || app.Name == "" {
+		return
+	}
+
+	if len(resources.Services) > 0 {
+		updateApplicationWithService(app, resources.Services)
+	}
+
+	if len(resources.HorizontalPodAutoscalers) > 0 {
+		updateApplicationWithHorizontalPodAutoscaler(app, resources.HorizontalPodAutoscalers)
+	}
+}
+
+// hasNoScheduledPods checks if a workload has completely failed to schedule any pods
+// it checks for no replicas desired, i.e. nothing to schedule and see if any pods are running
+// if any pods exist at all (even if not ready), it returns false
+func hasNoScheduledPods(obj interface{}) bool {
+	switch resource := obj.(type) {
+	case appsv1.Deployment:
+		if resource.Status.Replicas > 0 {
+			return false
+		}
+
+		return resource.Status.ReadyReplicas == 0 && resource.Status.AvailableReplicas == 0
+
+	case appsv1.StatefulSet:
+		if resource.Status.Replicas > 0 {
+			return false
+		}
+
+		return resource.Status.ReadyReplicas == 0 && resource.Status.CurrentReplicas == 0
+
+	case appsv1.DaemonSet:
+		if resource.Status.CurrentNumberScheduled > 0 || resource.Status.NumberMisscheduled > 0 {
+			return false
+		}
+
+		return resource.Status.NumberReady == 0 && resource.Status.DesiredNumberScheduled > 0
+
+	default:
+		return false
+	}
+}
diff --git a/api/kubernetes/cli/applications_test.go b/api/kubernetes/cli/applications_test.go
new file mode 100644
index 000000000..81a5cfb71
--- /dev/null
+++ b/api/kubernetes/cli/applications_test.go
@@ -0,0 +1,461 @@
+package cli
+
+import (
+	"context"
+	"testing"
+
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
+	"github.com/stretchr/testify/assert"
+	appsv1 "k8s.io/api/apps/v1"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes/fake"
+)
+
+// Helper functions to create test resources
+func createTestDeployment(name, namespace string, replicas int32) *appsv1.Deployment {
+	return &appsv1.Deployment{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("deploy-" + name),
+			Labels: map[string]string{
+				"app": name,
+			},
+		},
+		Spec: appsv1.DeploymentSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": name,
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": name,
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  name,
+							Image: "nginx:latest",
+							Resources: corev1.ResourceRequirements{
+								Limits:   corev1.ResourceList{},
+								Requests: corev1.ResourceList{},
+							},
+						},
+					},
+				},
+			},
+		},
+		Status: appsv1.DeploymentStatus{
+			Replicas:      replicas,
+			ReadyReplicas: replicas,
+		},
+	}
+}
+
+func createTestReplicaSet(name, namespace, deploymentName string) *appsv1.ReplicaSet {
+	return &appsv1.ReplicaSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("rs-" + name),
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					Kind: "Deployment",
+					Name: deploymentName,
+					UID:  types.UID("deploy-" + deploymentName),
+				},
+			},
+		},
+		Spec: appsv1.ReplicaSetSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": deploymentName,
+				},
+			},
+		},
+	}
+}
+
+func createTestStatefulSet(name, namespace string, replicas int32) *appsv1.StatefulSet {
+	return &appsv1.StatefulSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("sts-" + name),
+			Labels: map[string]string{
+				"app": name,
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: &replicas,
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": name,
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": name,
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  name,
+							Image: "redis:latest",
+							Resources: corev1.ResourceRequirements{
+								Limits:   corev1.ResourceList{},
+								Requests: corev1.ResourceList{},
+							},
+						},
+					},
+				},
+			},
+		},
+		Status: appsv1.StatefulSetStatus{
+			Replicas:      replicas,
+			ReadyReplicas: replicas,
+		},
+	}
+}
+
+func createTestDaemonSet(name, namespace string) *appsv1.DaemonSet {
+	return &appsv1.DaemonSet{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("ds-" + name),
+			Labels: map[string]string{
+				"app": name,
+			},
+		},
+		Spec: appsv1.DaemonSetSpec{
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{
+					"app": name,
+				},
+			},
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Labels: map[string]string{
+						"app": name,
+					},
+				},
+				Spec: corev1.PodSpec{
+					Containers: []corev1.Container{
+						{
+							Name:  name,
+							Image: "fluentd:latest",
+							Resources: corev1.ResourceRequirements{
+								Limits:   corev1.ResourceList{},
+								Requests: corev1.ResourceList{},
+							},
+						},
+					},
+				},
+			},
+		},
+		Status: appsv1.DaemonSetStatus{
+			DesiredNumberScheduled: 2,
+			NumberReady:            2,
+		},
+	}
+}
+
+func createTestPod(name, namespace, ownerKind, ownerName string, isRunning bool) *corev1.Pod {
+	phase := corev1.PodPending
+	if isRunning {
+		phase = corev1.PodRunning
+	}
+
+	var ownerReferences []metav1.OwnerReference
+	if ownerKind != "" && ownerName != "" {
+		ownerReferences = []metav1.OwnerReference{
+			{
+				Kind: ownerKind,
+				Name: ownerName,
+				UID:  types.UID(ownerKind + "-" + ownerName),
+			},
+		}
+	}
+
+	return &corev1.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:            name,
+			Namespace:       namespace,
+			UID:             types.UID("pod-" + name),
+			OwnerReferences: ownerReferences,
+			Labels: map[string]string{
+				"app": ownerName,
+			},
+		},
+		Spec: corev1.PodSpec{
+			Containers: []corev1.Container{
+				{
+					Name:  "container-" + name,
+					Image: "busybox:latest",
+					Resources: corev1.ResourceRequirements{
+						Limits:   corev1.ResourceList{},
+						Requests: corev1.ResourceList{},
+					},
+				},
+			},
+		},
+		Status: corev1.PodStatus{
+			Phase: phase,
+		},
+	}
+}
+
+func createTestService(name, namespace string, selector map[string]string) *corev1.Service {
+	return &corev1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			UID:       types.UID("svc-" + name),
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: selector,
+			Type:     corev1.ServiceTypeClusterIP,
+		},
+	}
+}
+
+func TestGetApplications(t *testing.T) {
+	t.Run("Admin user - Mix of deployments, statefulsets and daemonsets with and without pods", func(t *testing.T) {
+		// Create a fake K8s client
+		fakeClient := fake.NewSimpleClientset()
+
+		// Setup the test namespace
+		namespace := "test-namespace"
+		defaultNamespace := "default"
+
+		// Create resources in the test namespace
+		// 1. Deployment with pods
+		deployWithPods := createTestDeployment("deploy-with-pods", namespace, 2)
+		_, err := fakeClient.AppsV1().Deployments(namespace).Create(context.TODO(), deployWithPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		replicaSet := createTestReplicaSet("rs-deploy-with-pods", namespace, "deploy-with-pods")
+		_, err = fakeClient.AppsV1().ReplicaSets(namespace).Create(context.TODO(), replicaSet, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod1 := createTestPod("pod1-deploy", namespace, "ReplicaSet", "rs-deploy-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod2 := createTestPod("pod2-deploy", namespace, "ReplicaSet", "rs-deploy-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 2. Deployment without pods (scaled to 0)
+		deployNoPods := createTestDeployment("deploy-no-pods", namespace, 0)
+		_, err = fakeClient.AppsV1().Deployments(namespace).Create(context.TODO(), deployNoPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 3. StatefulSet with pods
+		stsWithPods := createTestStatefulSet("sts-with-pods", namespace, 1)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace).Create(context.TODO(), stsWithPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod3 := createTestPod("pod1-sts", namespace, "StatefulSet", "sts-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod3, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 4. StatefulSet without pods
+		stsNoPods := createTestStatefulSet("sts-no-pods", namespace, 0)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace).Create(context.TODO(), stsNoPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 5. DaemonSet with pods
+		dsWithPods := createTestDaemonSet("ds-with-pods", namespace)
+		_, err = fakeClient.AppsV1().DaemonSets(namespace).Create(context.TODO(), dsWithPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod4 := createTestPod("pod1-ds", namespace, "DaemonSet", "ds-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod4, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod5 := createTestPod("pod2-ds", namespace, "DaemonSet", "ds-with-pods", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod5, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 6. Naked Pod (no owner reference)
+		nakedPod := createTestPod("naked-pod", namespace, "", "", true)
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), nakedPod, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 7. Resources in another namespace
+		deployOtherNs := createTestDeployment("deploy-other-ns", defaultNamespace, 1)
+		_, err = fakeClient.AppsV1().Deployments(defaultNamespace).Create(context.TODO(), deployOtherNs, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		podOtherNs := createTestPod("pod-other-ns", defaultNamespace, "Deployment", "deploy-other-ns", true)
+		_, err = fakeClient.CoreV1().Pods(defaultNamespace).Create(context.TODO(), podOtherNs, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// 8. Add a service (dependency)
+		service := createTestService("svc-deploy", namespace, map[string]string{"app": "deploy-with-pods"})
+		_, err = fakeClient.CoreV1().Services(namespace).Create(context.TODO(), service, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create the KubeClient with admin privileges
+		kubeClient := &KubeClient{
+			cli:         fakeClient,
+			instanceID:  "test-instance",
+			IsKubeAdmin: true,
+		}
+
+		// Test cases
+
+		// 1. All resources, no filtering
+		t.Run("All resources with dependencies", func(t *testing.T) {
+			apps, err := kubeClient.GetApplications("", "")
+			assert.NoError(t, err)
+
+			// We expect 7 resources: 2 deployments + 2 statefulsets + 1 daemonset + 1 naked pod + 1 deployment in other namespace
+			// Note: Each controller with pods should count once, not per pod
+			assert.Equal(t, 7, len(apps))
+
+			// Verify one of the deployments has services attached
+			appsWithServices := []models.K8sApplication{}
+			for _, app := range apps {
+				if len(app.Services) > 0 {
+					appsWithServices = append(appsWithServices, app)
+				}
+			}
+			assert.Equal(t, 1, len(appsWithServices))
+			assert.Equal(t, "deploy-with-pods", appsWithServices[0].Name)
+		})
+
+		// 2. Filter by namespace
+		t.Run("Filter by namespace", func(t *testing.T) {
+			apps, err := kubeClient.GetApplications(namespace, "")
+			assert.NoError(t, err)
+
+			// We expect 6 resources in the test namespace
+			assert.Equal(t, 6, len(apps))
+
+			// Verify resources from other namespaces are not included
+			for _, app := range apps {
+				assert.Equal(t, namespace, app.ResourcePool)
+			}
+		})
+	})
+
+	t.Run("Non-admin user - Resources filtered by accessible namespaces", func(t *testing.T) {
+		// Create a fake K8s client
+		fakeClient := fake.NewSimpleClientset()
+
+		// Setup the test namespaces
+		namespace1 := "allowed-ns"
+		namespace2 := "restricted-ns"
+
+		// Create resources in the allowed namespace
+		sts1 := createTestStatefulSet("sts-allowed", namespace1, 1)
+		_, err := fakeClient.AppsV1().StatefulSets(namespace1).Create(context.TODO(), sts1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod1 := createTestPod("pod-allowed", namespace1, "StatefulSet", "sts-allowed", true)
+		_, err = fakeClient.CoreV1().Pods(namespace1).Create(context.TODO(), pod1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Add a StatefulSet without pods in the allowed namespace
+		stsNoPods := createTestStatefulSet("sts-no-pods-allowed", namespace1, 0)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace1).Create(context.TODO(), stsNoPods, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create resources in the restricted namespace
+		sts2 := createTestStatefulSet("sts-restricted", namespace2, 1)
+		_, err = fakeClient.AppsV1().StatefulSets(namespace2).Create(context.TODO(), sts2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod2 := createTestPod("pod-restricted", namespace2, "StatefulSet", "sts-restricted", true)
+		_, err = fakeClient.CoreV1().Pods(namespace2).Create(context.TODO(), pod2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create the KubeClient with non-admin privileges (only allowed namespace1)
+		kubeClient := &KubeClient{
+			cli:                fakeClient,
+			instanceID:         "test-instance",
+			IsKubeAdmin:        false,
+			NonAdminNamespaces: []string{namespace1},
+		}
+
+		// Test that only resources from allowed namespace are returned
+		apps, err := kubeClient.GetApplications("", "")
+		assert.NoError(t, err)
+
+		// We expect 2 resources from the allowed namespace (1 sts with pod + 1 sts without pod)
+		assert.Equal(t, 2, len(apps))
+
+		// Verify resources are from the allowed namespace
+		for _, app := range apps {
+			assert.Equal(t, namespace1, app.ResourcePool)
+			assert.Equal(t, "StatefulSet", app.Kind)
+		}
+
+		// Verify names of returned resources
+		stsNames := make(map[string]bool)
+		for _, app := range apps {
+			stsNames[app.Name] = true
+		}
+
+		assert.True(t, stsNames["sts-allowed"], "Expected StatefulSet 'sts-allowed' was not found")
+		assert.True(t, stsNames["sts-no-pods-allowed"], "Expected StatefulSet 'sts-no-pods-allowed' was not found")
+	})
+
+	t.Run("Filter by node name", func(t *testing.T) {
+		// Create a fake K8s client
+		fakeClient := fake.NewSimpleClientset()
+
+		// Setup test namespace
+		namespace := "node-filter-ns"
+		nodeName := "worker-node-1"
+
+		// Create a deployment with pods on specific node
+		deploy := createTestDeployment("node-deploy", namespace, 2)
+		_, err := fakeClient.AppsV1().Deployments(namespace).Create(context.TODO(), deploy, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create ReplicaSet for the deployment
+		rs := createTestReplicaSet("rs-node-deploy", namespace, "node-deploy")
+		_, err = fakeClient.AppsV1().ReplicaSets(namespace).Create(context.TODO(), rs, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create 2 pods, one on the specified node, one on a different node
+		pod1 := createTestPod("pod-on-node", namespace, "ReplicaSet", "rs-node-deploy", true)
+		pod1.Spec.NodeName = nodeName
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod1, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		pod2 := createTestPod("pod-other-node", namespace, "ReplicaSet", "rs-node-deploy", true)
+		pod2.Spec.NodeName = "worker-node-2"
+		_, err = fakeClient.CoreV1().Pods(namespace).Create(context.TODO(), pod2, metav1.CreateOptions{})
+		assert.NoError(t, err)
+
+		// Create the KubeClient
+		kubeClient := &KubeClient{
+			cli:         fakeClient,
+			instanceID:  "test-instance",
+			IsKubeAdmin: true,
+		}
+
+		// Test filtering by node name
+		apps, err := kubeClient.GetApplications(namespace, nodeName)
+		assert.NoError(t, err)
+
+		// We expect to find only the pod on the specified node
+		assert.Equal(t, 1, len(apps))
+		if len(apps) > 0 {
+			assert.Equal(t, "node-deploy", apps[0].Name)
+		}
+	})
+}
diff --git a/api/kubernetes/cli/configmap.go b/api/kubernetes/cli/configmap.go
index 57f36cf74..eb0eec935 100644
--- a/api/kubernetes/cli/configmap.go
+++ b/api/kubernetes/cli/configmap.go
@@ -24,7 +24,7 @@ func (kcl *KubeClient) GetConfigMaps(namespace string) ([]models.K8sConfigMap, e
 // fetchConfigMapsForNonAdmin fetches the configMaps in the namespaces the user has access to.
 // This function is called when the user is not an admin.
 func (kcl *KubeClient) fetchConfigMapsForNonAdmin(namespace string) ([]models.K8sConfigMap, error) {
-	log.Debug().Msgf("Fetching volumes for non-admin user: %v", kcl.NonAdminNamespaces)
+	log.Debug().Msgf("Fetching configMaps for non-admin user: %v", kcl.NonAdminNamespaces)
 
 	if len(kcl.NonAdminNamespaces) == 0 {
 		return nil, nil
@@ -102,7 +102,7 @@ func parseConfigMap(configMap *corev1.ConfigMap, withData bool) models.K8sConfig
 func (kcl *KubeClient) CombineConfigMapsWithApplications(configMaps []models.K8sConfigMap) ([]models.K8sConfigMap, error) {
 	updatedConfigMaps := make([]models.K8sConfigMap, len(configMaps))
 
-	pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets("", metav1.ListOptions{})
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("an error occurred during the CombineConfigMapsWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
 	}
@@ -110,7 +110,7 @@ func (kcl *KubeClient) CombineConfigMapsWithApplications(configMaps []models.K8s
 	for index, configMap := range configMaps {
 		updatedConfigMap := configMap
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, pods, replicaSets)
+		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, portainerApplicationResources.Pods, portainerApplicationResources.ReplicaSets)
 		if err != nil {
 			return nil, fmt.Errorf("an error occurred during the CombineConfigMapsWithApplications operation, unable to get applications from config map. Error: %w", err)
 		}
diff --git a/api/kubernetes/cli/pod.go b/api/kubernetes/cli/pod.go
index 8d22a20db..bb3e46077 100644
--- a/api/kubernetes/cli/pod.go
+++ b/api/kubernetes/cli/pod.go
@@ -11,7 +11,6 @@ import (
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	appsv1 "k8s.io/api/apps/v1"
-	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -110,7 +109,7 @@ func (kcl *KubeClient) CreateUserShellPod(ctx context.Context, serviceAccountNam
 		},
 	}
 
-	shellPod, err := kcl.cli.CoreV1().Pods(portainerNamespace).Create(ctx, podSpec, metav1.CreateOptions{})
+	shellPod, err := kcl.cli.CoreV1().Pods(portainerNamespace).Create(context.TODO(), podSpec, metav1.CreateOptions{})
 	if err != nil {
 		return nil, errors.Wrap(err, "error creating shell pod")
 	}
@@ -158,7 +157,7 @@ func (kcl *KubeClient) waitForPodStatus(ctx context.Context, phase corev1.PodPha
 		case <-ctx.Done():
 			return ctx.Err()
 		default:
-			pod, err := kcl.cli.CoreV1().Pods(pod.Namespace).Get(ctx, pod.Name, metav1.GetOptions{})
+			pod, err := kcl.cli.CoreV1().Pods(pod.Namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
 			if err != nil {
 				return err
 			}
@@ -172,70 +171,67 @@ func (kcl *KubeClient) waitForPodStatus(ctx context.Context, phase corev1.PodPha
 	}
 }
 
-// fetchAllPodsAndReplicaSets fetches all pods and replica sets across the cluster, i.e. all namespaces
-func (kcl *KubeClient) fetchAllPodsAndReplicaSets(namespace string, podListOptions metav1.ListOptions) ([]corev1.Pod, []appsv1.ReplicaSet, []appsv1.Deployment, []appsv1.StatefulSet, []appsv1.DaemonSet, []corev1.Service, []autoscalingv2.HorizontalPodAutoscaler, error) {
-	return kcl.fetchResourcesWithOwnerReferences(namespace, podListOptions, false, false)
-}
-
 // fetchAllApplicationsListResources fetches all pods, replica sets, stateful sets, and daemon sets across the cluster, i.e. all namespaces
 // this is required for the applications list view
-func (kcl *KubeClient) fetchAllApplicationsListResources(namespace string, podListOptions metav1.ListOptions) ([]corev1.Pod, []appsv1.ReplicaSet, []appsv1.Deployment, []appsv1.StatefulSet, []appsv1.DaemonSet, []corev1.Service, []autoscalingv2.HorizontalPodAutoscaler, error) {
+func (kcl *KubeClient) fetchAllApplicationsListResources(namespace string, podListOptions metav1.ListOptions) (PortainerApplicationResources, error) {
 	return kcl.fetchResourcesWithOwnerReferences(namespace, podListOptions, true, true)
 }
 
 // fetchResourcesWithOwnerReferences fetches pods and other resources based on owner references
-func (kcl *KubeClient) fetchResourcesWithOwnerReferences(namespace string, podListOptions metav1.ListOptions, includeStatefulSets, includeDaemonSets bool) ([]corev1.Pod, []appsv1.ReplicaSet, []appsv1.Deployment, []appsv1.StatefulSet, []appsv1.DaemonSet, []corev1.Service, []autoscalingv2.HorizontalPodAutoscaler, error) {
+func (kcl *KubeClient) fetchResourcesWithOwnerReferences(namespace string, podListOptions metav1.ListOptions, includeStatefulSets, includeDaemonSets bool) (PortainerApplicationResources, error) {
 	pods, err := kcl.cli.CoreV1().Pods(namespace).List(context.Background(), podListOptions)
 	if err != nil {
 		if k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, nil
+			return PortainerApplicationResources{}, nil
 		}
-		return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list pods across the cluster: %w", err)
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list pods across the cluster: %w", err)
 	}
 
-	// if replicaSet owner reference exists, fetch the replica sets
-	// this also means that the deployments will be fetched because deployments own replica sets
-	replicaSets := &appsv1.ReplicaSetList{}
-	deployments := &appsv1.DeploymentList{}
-	if containsReplicaSetOwnerReference(pods) {
-		replicaSets, err = kcl.cli.AppsV1().ReplicaSets(namespace).List(context.Background(), metav1.ListOptions{})
-		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list replica sets across the cluster: %w", err)
-		}
-
-		deployments, err = kcl.cli.AppsV1().Deployments(namespace).List(context.Background(), metav1.ListOptions{})
-		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list deployments across the cluster: %w", err)
-		}
+	portainerApplicationResources := PortainerApplicationResources{
+		Pods: pods.Items,
 	}
 
-	statefulSets := &appsv1.StatefulSetList{}
-	if includeStatefulSets && containsStatefulSetOwnerReference(pods) {
-		statefulSets, err = kcl.cli.AppsV1().StatefulSets(namespace).List(context.Background(), metav1.ListOptions{})
+	replicaSets, err := kcl.cli.AppsV1().ReplicaSets(namespace).List(context.Background(), metav1.ListOptions{})
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list replica sets across the cluster: %w", err)
+	}
+	portainerApplicationResources.ReplicaSets = replicaSets.Items
+
+	deployments, err := kcl.cli.AppsV1().Deployments(namespace).List(context.Background(), metav1.ListOptions{})
+	if err != nil && !k8serrors.IsNotFound(err) {
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list deployments across the cluster: %w", err)
+	}
+	portainerApplicationResources.Deployments = deployments.Items
+
+	if includeStatefulSets {
+		statefulSets, err := kcl.cli.AppsV1().StatefulSets(namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list stateful sets across the cluster: %w", err)
+			return PortainerApplicationResources{}, fmt.Errorf("unable to list stateful sets across the cluster: %w", err)
 		}
+		portainerApplicationResources.StatefulSets = statefulSets.Items
 	}
 
-	daemonSets := &appsv1.DaemonSetList{}
-	if includeDaemonSets && containsDaemonSetOwnerReference(pods) {
-		daemonSets, err = kcl.cli.AppsV1().DaemonSets(namespace).List(context.Background(), metav1.ListOptions{})
+	if includeDaemonSets {
+		daemonSets, err := kcl.cli.AppsV1().DaemonSets(namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil && !k8serrors.IsNotFound(err) {
-			return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list daemon sets across the cluster: %w", err)
+			return PortainerApplicationResources{}, fmt.Errorf("unable to list daemon sets across the cluster: %w", err)
 		}
+		portainerApplicationResources.DaemonSets = daemonSets.Items
 	}
 
 	services, err := kcl.cli.CoreV1().Services(namespace).List(context.Background(), metav1.ListOptions{})
 	if err != nil && !k8serrors.IsNotFound(err) {
-		return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list services across the cluster: %w", err)
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list services across the cluster: %w", err)
 	}
+	portainerApplicationResources.Services = services.Items
 
 	hpas, err := kcl.cli.AutoscalingV2().HorizontalPodAutoscalers(namespace).List(context.Background(), metav1.ListOptions{})
 	if err != nil && !k8serrors.IsNotFound(err) {
-		return nil, nil, nil, nil, nil, nil, nil, fmt.Errorf("unable to list horizontal pod autoscalers across the cluster: %w", err)
+		return PortainerApplicationResources{}, fmt.Errorf("unable to list horizontal pod autoscalers across the cluster: %w", err)
 	}
+	portainerApplicationResources.HorizontalPodAutoscalers = hpas.Items
 
-	return pods.Items, replicaSets.Items, deployments.Items, statefulSets.Items, daemonSets.Items, services.Items, hpas.Items, nil
+	return portainerApplicationResources, nil
 }
 
 // isPodUsingConfigMap checks if a pod is using a specific ConfigMap
diff --git a/api/kubernetes/cli/role.go b/api/kubernetes/cli/role.go
index 9a3c6635f..c45e2c299 100644
--- a/api/kubernetes/cli/role.go
+++ b/api/kubernetes/cli/role.go
@@ -10,7 +10,6 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // GetRoles gets all the roles for either at the cluster level or a given namespace in a k8s endpoint.
@@ -137,7 +136,7 @@ func (kcl *KubeClient) DeleteRoles(reqs models.K8sRoleDeleteRequests) error {
 		for _, name := range reqs[namespace] {
 			client := kcl.cli.RbacV1().Roles(namespace)
 
-			role, err := client.Get(context.Background(), name, v1.GetOptions{})
+			role, err := client.Get(context.Background(), name, metav1.GetOptions{})
 			if err != nil {
 				if k8serrors.IsNotFound(err) {
 					continue
diff --git a/api/kubernetes/cli/role_binding.go b/api/kubernetes/cli/role_binding.go
index e8e90cbb0..7775748e2 100644
--- a/api/kubernetes/cli/role_binding.go
+++ b/api/kubernetes/cli/role_binding.go
@@ -7,11 +7,9 @@ import (
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/portainer/portainer/api/internal/errorlist"
 	"github.com/rs/zerolog/log"
-	corev1 "k8s.io/api/rbac/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
 // GetRoleBindings gets all the roleBindings for either at the cluster level or a given namespace in a k8s endpoint.
@@ -98,7 +96,7 @@ func (kcl *KubeClient) isSystemRoleBinding(rb *rbacv1.RoleBinding) bool {
 	return false
 }
 
-func (kcl *KubeClient) getRole(namespace, name string) (*corev1.Role, error) {
+func (kcl *KubeClient) getRole(namespace, name string) (*rbacv1.Role, error) {
 	client := kcl.cli.RbacV1().Roles(namespace)
 	return client.Get(context.Background(), name, metav1.GetOptions{})
 }
@@ -111,7 +109,7 @@ func (kcl *KubeClient) DeleteRoleBindings(reqs models.K8sRoleBindingDeleteReques
 		for _, name := range reqs[namespace] {
 			client := kcl.cli.RbacV1().RoleBindings(namespace)
 
-			roleBinding, err := client.Get(context.Background(), name, v1.GetOptions{})
+			roleBinding, err := client.Get(context.Background(), name, metav1.GetOptions{})
 			if err != nil {
 				if k8serrors.IsNotFound(err) {
 					continue
@@ -125,7 +123,7 @@ func (kcl *KubeClient) DeleteRoleBindings(reqs models.K8sRoleBindingDeleteReques
 				log.Error().Str("role_name", name).Msg("ignoring delete of 'system' role binding, not allowed")
 			}
 
-			if err := client.Delete(context.Background(), name, v1.DeleteOptions{}); err != nil {
+			if err := client.Delete(context.Background(), name, metav1.DeleteOptions{}); err != nil {
 				errors = append(errors, err)
 			}
 		}
diff --git a/api/kubernetes/cli/secret.go b/api/kubernetes/cli/secret.go
index 8e38c9857..5b7bf4fef 100644
--- a/api/kubernetes/cli/secret.go
+++ b/api/kubernetes/cli/secret.go
@@ -31,7 +31,7 @@ func (kcl *KubeClient) GetSecrets(namespace string) ([]models.K8sSecret, error)
 // getSecretsForNonAdmin fetches the secrets in the namespaces the user has access to.
 // This function is called when the user is not an admin.
 func (kcl *KubeClient) getSecretsForNonAdmin(namespace string) ([]models.K8sSecret, error) {
-	log.Debug().Msgf("Fetching volumes for non-admin user: %v", kcl.NonAdminNamespaces)
+	log.Debug().Msgf("Fetching secrets for non-admin user: %v", kcl.NonAdminNamespaces)
 
 	if len(kcl.NonAdminNamespaces) == 0 {
 		return nil, nil
@@ -118,7 +118,7 @@ func parseSecret(secret *corev1.Secret, withData bool) models.K8sSecret {
 func (kcl *KubeClient) CombineSecretsWithApplications(secrets []models.K8sSecret) ([]models.K8sSecret, error) {
 	updatedSecrets := make([]models.K8sSecret, len(secrets))
 
-	pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets("", metav1.ListOptions{})
+	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 	if err != nil {
 		return nil, fmt.Errorf("an error occurred during the CombineSecretsWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
 	}
@@ -126,7 +126,7 @@ func (kcl *KubeClient) CombineSecretsWithApplications(secrets []models.K8sSecret
 	for index, secret := range secrets {
 		updatedSecret := secret
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, pods, replicaSets)
+		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, portainerApplicationResources.Pods, portainerApplicationResources.ReplicaSets)
 		if err != nil {
 			return nil, fmt.Errorf("an error occurred during the CombineSecretsWithApplications operation, unable to get applications from secret. Error: %w", err)
 		}
diff --git a/api/kubernetes/cli/service.go b/api/kubernetes/cli/service.go
index a70c5ca3e..3f0543735 100644
--- a/api/kubernetes/cli/service.go
+++ b/api/kubernetes/cli/service.go
@@ -174,7 +174,7 @@ func (kcl *KubeClient) UpdateService(namespace string, info models.K8sServiceInf
 func (kcl *KubeClient) CombineServicesWithApplications(services []models.K8sServiceInfo) ([]models.K8sServiceInfo, error) {
 	if containsServiceWithSelector(services) {
 		updatedServices := make([]models.K8sServiceInfo, len(services))
-		pods, replicaSets, _, _, _, _, _, err := kcl.fetchAllPodsAndReplicaSets("", metav1.ListOptions{})
+		portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 		if err != nil {
 			return nil, fmt.Errorf("an error occurred during the CombineServicesWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
 		}
@@ -182,7 +182,7 @@ func (kcl *KubeClient) CombineServicesWithApplications(services []models.K8sServ
 		for index, service := range services {
 			updatedService := service
 
-			application, err := kcl.GetApplicationFromServiceSelector(pods, service, replicaSets)
+			application, err := kcl.GetApplicationFromServiceSelector(portainerApplicationResources.Pods, service, portainerApplicationResources.ReplicaSets)
 			if err != nil {
 				return services, fmt.Errorf("an error occurred during the CombineServicesWithApplications operation, unable to get application from service. Error: %w", err)
 			}
diff --git a/api/kubernetes/cli/service_account.go b/api/kubernetes/cli/service_account.go
index 831080efc..af674d794 100644
--- a/api/kubernetes/cli/service_account.go
+++ b/api/kubernetes/cli/service_account.go
@@ -5,7 +5,6 @@ import (
 	"fmt"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/http/models/kubernetes"
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/portainer/portainer/api/internal/errorlist"
 	corev1 "k8s.io/api/core/v1"
@@ -92,7 +91,7 @@ func (kcl *KubeClient) isSystemServiceAccount(namespace string) bool {
 
 // DeleteServices processes a K8sServiceDeleteRequest by deleting each service
 // in its given namespace.
-func (kcl *KubeClient) DeleteServiceAccounts(reqs kubernetes.K8sServiceAccountDeleteRequests) error {
+func (kcl *KubeClient) DeleteServiceAccounts(reqs models.K8sServiceAccountDeleteRequests) error {
 	var errors []error
 	for namespace := range reqs {
 		for _, serviceName := range reqs[namespace] {
diff --git a/api/kubernetes/cli/volumes.go b/api/kubernetes/cli/volumes.go
index 52ee02ab8..d8a3cbf56 100644
--- a/api/kubernetes/cli/volumes.go
+++ b/api/kubernetes/cli/volumes.go
@@ -7,7 +7,6 @@ import (
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/rs/zerolog/log"
 	appsv1 "k8s.io/api/apps/v1"
-	autoscalingv2 "k8s.io/api/autoscaling/v2"
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
@@ -265,7 +264,12 @@ func (kcl *KubeClient) updateVolumesWithOwningApplications(volumes *[]models.K8s
 			if pod.Spec.Volumes != nil {
 				for _, podVolume := range pod.Spec.Volumes {
 					if podVolume.VolumeSource.PersistentVolumeClaim != nil && podVolume.VolumeSource.PersistentVolumeClaim.ClaimName == volume.PersistentVolumeClaim.Name && pod.Namespace == volume.PersistentVolumeClaim.Namespace {
-						application, err := kcl.ConvertPodToApplication(pod, replicaSetItems, deploymentItems, statefulSetItems, daemonSetItems, []corev1.Service{}, []autoscalingv2.HorizontalPodAutoscaler{}, false)
+						application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
+							ReplicaSets:  replicaSetItems,
+							Deployments:  deploymentItems,
+							StatefulSets: statefulSetItems,
+							DaemonSets:   daemonSetItems,
+						}, false)
 						if err != nil {
 							log.Error().Err(err).Msg("Failed to convert pod to application")
 							return nil, fmt.Errorf("an error occurred during the CombineServicesWithApplications operation, unable to convert pod to application. Error: %w", err)
diff --git a/api/portainer.go b/api/portainer.go
index 9e1451633..5b7d177da 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1544,7 +1544,7 @@ type (
 		GetConfigMaps(namespace string) ([]models.K8sConfigMap, error)
 		GetSecrets(namespace string) ([]models.K8sSecret, error)
 		GetIngressControllers() (models.K8sIngressControllers, error)
-		GetApplications(namespace, nodename string, withDependencies bool) ([]models.K8sApplication, error)
+		GetApplications(namespace, nodename string) ([]models.K8sApplication, error)
 		GetMetrics() (models.K8sMetrics, error)
 		GetStorage() ([]KubernetesStorageClassConfig, error)
 		CreateIngress(namespace string, info models.K8sIngressInfo, owner string) error
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx
index a12cbd20e..4e6712939 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx
@@ -57,7 +57,6 @@ export function ApplicationsDatatable({
   const applicationsQuery = useApplications(environmentId, {
     refetchInterval: tableState.autoRefreshRate * 1000,
     namespace: tableState.namespace,
-    withDependencies: true,
   });
   const ingressesQuery = useIngresses(environmentId);
   const ingresses = ingressesQuery.data ?? [];
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/ApplicationsStacksDatatable.tsx b/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/ApplicationsStacksDatatable.tsx
index f95dbe19b..f0e1bf622 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/ApplicationsStacksDatatable.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/ApplicationsStacksDatatable.tsx
@@ -38,7 +38,6 @@ export function ApplicationsStacksDatatable({
   const applicationsQuery = useApplications(environmentId, {
     refetchInterval: tableState.autoRefreshRate * 1000,
     namespace: tableState.namespace,
-    withDependencies: true,
   });
   const ingressesQuery = useIngresses(environmentId);
   const ingresses = ingressesQuery.data ?? [];
diff --git a/app/react/kubernetes/applications/queries/query-keys.ts b/app/react/kubernetes/applications/queries/query-keys.ts
index 87c042dc4..f787b92bf 100644
--- a/app/react/kubernetes/applications/queries/query-keys.ts
+++ b/app/react/kubernetes/applications/queries/query-keys.ts
@@ -3,7 +3,6 @@ import { EnvironmentId } from '@/react/portainer/environments/types';
 export type GetAppsParams = {
   namespace?: string;
   nodeName?: string;
-  withDependencies?: boolean;
 };
 
 export const queryKeys = {
diff --git a/app/react/kubernetes/applications/queries/useApplications.ts b/app/react/kubernetes/applications/queries/useApplications.ts
index 9d09ffad0..6419dd853 100644
--- a/app/react/kubernetes/applications/queries/useApplications.ts
+++ b/app/react/kubernetes/applications/queries/useApplications.ts
@@ -11,7 +11,6 @@ import { queryKeys } from './query-keys';
 type GetAppsParams = {
   namespace?: string;
   nodeName?: string;
-  withDependencies?: boolean;
 };
 
 type GetAppsQueryOptions = {
diff --git a/app/react/kubernetes/applications/utils.ts b/app/react/kubernetes/applications/utils.ts
index d705e75c1..a919edd76 100644
--- a/app/react/kubernetes/applications/utils.ts
+++ b/app/react/kubernetes/applications/utils.ts
@@ -33,7 +33,7 @@ export function isExternalApplication(application: Application) {
 
 function getDeploymentRunningPods(deployment: Deployment): number {
   const availableReplicas = deployment.status?.availableReplicas ?? 0;
-  const totalReplicas = deployment.status?.replicas ?? 0;
+  const totalReplicas = deployment.spec?.replicas ?? 0;
   const unavailableReplicas = deployment.status?.unavailableReplicas ?? 0;
   return availableReplicas || totalReplicas - unavailableReplicas;
 }
diff --git a/app/react/kubernetes/namespaces/ItemView/NamespaceAppsDatatable.tsx b/app/react/kubernetes/namespaces/ItemView/NamespaceAppsDatatable.tsx
index 1ab17c5d7..e66e9f875 100644
--- a/app/react/kubernetes/namespaces/ItemView/NamespaceAppsDatatable.tsx
+++ b/app/react/kubernetes/namespaces/ItemView/NamespaceAppsDatatable.tsx
@@ -30,7 +30,6 @@ export function NamespaceAppsDatatable({ namespace }: { namespace: string }) {
   const applicationsQuery = useApplications(environmentId, {
     refetchInterval: tableState.autoRefreshRate * 1000,
     namespace,
-    withDependencies: true,
   });
   const applications = applicationsQuery.data ?? [];
 

From 417891675d80efe1c30e7b2aaeb5a3d3ccf903ca Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Thu, 13 Mar 2025 16:43:56 +1300
Subject: [PATCH 042/212] fix: ensure no non-admin users have access to system
 namespaces (#499)

---
 api/kubernetes/cli/namespace.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/api/kubernetes/cli/namespace.go b/api/kubernetes/cli/namespace.go
index 0ebb6189a..11307d651 100644
--- a/api/kubernetes/cli/namespace.go
+++ b/api/kubernetes/cli/namespace.go
@@ -265,9 +265,12 @@ func isSystemNamespace(namespace *corev1.Namespace) bool {
 		return systemLabelValue == "true"
 	}
 
-	systemNamespaces := defaultSystemNamespaces()
+	return isSystemDefaultNamespace(namespace.Name)
+}
 
-	_, isSystem := systemNamespaces[namespace.Name]
+func isSystemDefaultNamespace(namespace string) bool {
+	systemNamespaces := defaultSystemNamespaces()
+	_, isSystem := systemNamespaces[namespace]
 	return isSystem
 }
 
@@ -390,7 +393,9 @@ func (kcl *KubeClient) CombineNamespaceWithResourceQuota(namespace portainer.K8s
 func (kcl *KubeClient) buildNonAdminNamespacesMap() map[string]struct{} {
 	nonAdminNamespaceSet := make(map[string]struct{}, len(kcl.NonAdminNamespaces))
 	for _, namespace := range kcl.NonAdminNamespaces {
-		nonAdminNamespaceSet[namespace] = struct{}{}
+		if !isSystemDefaultNamespace(namespace) {
+			nonAdminNamespaceSet[namespace] = struct{}{}
+		}
 	}
 
 	return nonAdminNamespaceSet

From 58317edb6dad965bcd5cc3e4952a73f29d310757 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Fri, 14 Mar 2025 07:57:06 +1300
Subject: [PATCH 043/212] fix(namespaces): only show namespaces with access
 [r8s-251] (#501)

---
 app/kubernetes/services/resourcePoolService.js  | 13 ++++++++++---
 app/kubernetes/views/deploy/deployController.js |  6 +++---
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/app/kubernetes/services/resourcePoolService.js b/app/kubernetes/services/resourcePoolService.js
index 639c44db1..d829afa0b 100644
--- a/app/kubernetes/services/resourcePoolService.js
+++ b/app/kubernetes/services/resourcePoolService.js
@@ -3,6 +3,7 @@ import _ from 'lodash-es';
 import angular from 'angular';
 import KubernetesResourcePoolConverter from 'Kubernetes/converters/resourcePool';
 import KubernetesResourceQuotaHelper from 'Kubernetes/helpers/resourceQuotaHelper';
+import { getNamespaces } from '@/react/kubernetes/namespaces/queries/useNamespacesQuery';
 
 /* @ngInject */
 export function KubernetesResourcePoolService(
@@ -11,7 +12,8 @@ export function KubernetesResourcePoolService(
   KubernetesNamespaceService,
   KubernetesResourceQuotaService,
   KubernetesIngressService,
-  KubernetesPortainerNamespaces
+  KubernetesPortainerNamespaces,
+  EndpointProvider
 ) {
   return {
     get,
@@ -37,9 +39,14 @@ export function KubernetesResourcePoolService(
 
   // getting the quota for all namespaces is costly by default, so disable getting it by default
   async function getAll({ getQuota = false }) {
-    const namespaces = await KubernetesNamespaceService.get();
+    const namespaces = await getNamespaces(EndpointProvider.endpointID());
+    // there is a lot of downstream logic using the angular namespace type with a '.Status' field (not '.Status.phase'), so format the status here to match this logic
+    const namespacesFormattedStatus = namespaces.map((namespace) => ({
+      ...namespace,
+      Status: namespace.Status.phase,
+    }));
     const pools = await Promise.all(
-      _.map(namespaces, async (namespace) => {
+      _.map(namespacesFormattedStatus, async (namespace) => {
         const name = namespace.Name;
         const pool = KubernetesResourcePoolConverter.apiToResourcePool(namespace);
         if (getQuota) {
diff --git a/app/kubernetes/views/deploy/deployController.js b/app/kubernetes/views/deploy/deployController.js
index 50c923d58..79549084a 100644
--- a/app/kubernetes/views/deploy/deployController.js
+++ b/app/kubernetes/views/deploy/deployController.js
@@ -6,13 +6,13 @@ import PortainerError from '@/portainer/error';
 import { KubernetesDeployManifestTypes, KubernetesDeployBuildMethods, KubernetesDeployRequestMethods, RepositoryMechanismTypes } from 'Kubernetes/models/deploy';
 import { isTemplateVariablesEnabled, renderTemplate } from '@/react/portainer/custom-templates/components/utils';
 import { getDeploymentOptions } from '@/react/portainer/environments/environment.service';
-import { kubernetes } from '@@/BoxSelector/common-options/deployment-methods';
-import { editor, git, customTemplate, url, helm } from '@@/BoxSelector/common-options/build-methods';
 import { parseAutoUpdateResponse, transformAutoUpdateViewModel } from '@/react/portainer/gitops/AutoUpdateFieldset/utils';
 import { baseStackWebhookUrl, createWebhookId } from '@/portainer/helpers/webhookHelper';
-import { confirmWebEditorDiscard } from '@@/modals/confirm';
 import { getVariablesFieldDefaultValues } from '@/react/portainer/custom-templates/components/CustomTemplatesVariablesField';
 import { KUBE_STACK_NAME_VALIDATION_REGEX } from '@/react/kubernetes/DeployView/StackName/constants';
+import { confirmWebEditorDiscard } from '@@/modals/confirm';
+import { editor, git, customTemplate, url, helm } from '@@/BoxSelector/common-options/build-methods';
+import { kubernetes } from '@@/BoxSelector/common-options/deployment-methods';
 
 class KubernetesDeployController {
   /* @ngInject */

From 993f69db37ccb6929937472eeb93b98e26b20a19 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Fri, 14 Mar 2025 10:37:14 +1300
Subject: [PATCH 044/212] chore(app): Migrate helm templates list to react
 (#492)

---
 .../helm-templates-list-item.css              |   9 -
 .../helm-templates-list-item.html             |  40 ----
 .../helm-templates-list-item.js               |  17 --
 .../helm-templates-list.controller.js         |  43 ----
 .../helm-templates-list.html                  |  79 --------
 .../helm-templates-list.js                    |  14 --
 .../helm/helm-templates/helm-templates.html   |   2 +-
 app/kubernetes/react/components/index.ts      |  15 ++
 .../HelmTemplates/HelmTemplatesList.test.tsx  | 190 ++++++++++++++++++
 .../helm/HelmTemplates/HelmTemplatesList.tsx  | 179 +++++++++++++++++
 .../HelmTemplates/HelmTemplatesListItem.tsx   |  74 +++++++
 11 files changed, 459 insertions(+), 203 deletions(-)
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.css
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.html
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.js
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.controller.js
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.js
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx

diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.css b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.css
deleted file mode 100644
index a618dc68b..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.css
+++ /dev/null
@@ -1,9 +0,0 @@
-.helm-template-item-details {
-  display: flex;
-  justify-content: space-between;
-  flex-wrap: wrap;
-}
-
-.helm-template-item-details .helm-template-item-details-sub {
-  width: 100%;
-}
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.html b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.html
deleted file mode 100644
index 43658b833..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.html
+++ /dev/null
@@ -1,40 +0,0 @@
-<!-- helm chart -->
-<div ng-class="{ 'blocklist-item--selected': $ctrl.model.Selected }" class="blocklist-item template-item mx-0" ng-click="$ctrl.onSelect($ctrl.model)" role="listitem">
-  <div class="blocklist-item-box">
-    <!-- helmchart-image -->
-    <span class="shrink-0">
-      <fallback-image src="$ctrl.model.icon" fallback-icon="$ctrl.fallbackIcon" class-name="'blocklist-item-logo h-16 w-auto'" size="'3xl'"></fallback-image>
-    </span>
-    <!-- helmchart-details -->
-    <div class="col-sm-12 helm-template-item-details">
-      <!-- blocklist-item-line1 -->
-      <div class="blocklist-item-line">
-        <span>
-          <span class="blocklist-item-title">
-            {{ $ctrl.model.name }}
-          </span>
-          <span class="space-left blocklist-item-subtitle">
-            <span class="vertical-center">
-              <pr-icon icon="'svg-helm'" mode="'primary'"></pr-icon>
-            </span>
-            <span> Helm </span>
-          </span>
-        </span>
-      </div>
-      <!-- !blocklist-item-line1 -->
-      <span class="blocklist-item-actions" ng-transclude="actions"></span>
-      <!-- blocklist-item-line2 -->
-      <div class="blocklist-item-line helm-template-item-details-sub">
-        <span class="blocklist-item-desc">
-          {{ $ctrl.model.description }}
-        </span>
-        <span class="small text-muted" ng-if="$ctrl.model.annotations.category">
-          {{ $ctrl.model.annotations.category }}
-        </span>
-      </div>
-      <!-- !blocklist-item-line2 -->
-    </div>
-    <!-- !helmchart-details -->
-  </div>
-  <!-- !helm chart -->
-</div>
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.js b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.js
deleted file mode 100644
index adde64a03..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list-item/helm-templates-list-item.js
+++ /dev/null
@@ -1,17 +0,0 @@
-import angular from 'angular';
-import './helm-templates-list-item.css';
-import { HelmIcon } from '../../HelmIcon';
-
-angular.module('portainer.kubernetes').component('helmTemplatesListItem', {
-  templateUrl: './helm-templates-list-item.html',
-  bindings: {
-    model: '<',
-    onSelect: '<',
-  },
-  transclude: {
-    actions: '?templateItemActions',
-  },
-  controller() {
-    this.fallbackIcon = HelmIcon;
-  },
-});
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.controller.js b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.controller.js
deleted file mode 100644
index 9ba2a579d..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.controller.js
+++ /dev/null
@@ -1,43 +0,0 @@
-export default class HelmTemplatesListController {
-  /* @ngInject */
-  constructor($async, $scope, HelmService, Notifications) {
-    this.$async = $async;
-    this.$scope = $scope;
-    this.HelmService = HelmService;
-    this.Notifications = Notifications;
-
-    this.state = {
-      textFilter: '',
-      selectedCategory: '',
-      categories: [],
-    };
-
-    this.updateCategories = this.updateCategories.bind(this);
-    this.onCategoryChange = this.onCategoryChange.bind(this);
-  }
-
-  async updateCategories() {
-    try {
-      const annotationCategories = this.charts
-        .map((t) => t.annotations) // get annotations
-        .filter((a) => a) // filter out undefined/nulls
-        .map((c) => c.category); // get annotation category
-      const availableCategories = [...new Set(annotationCategories)].sort(); // unique and sort
-      this.state.categories = availableCategories.map((cat) => ({ label: cat, value: cat }));
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm charts categories');
-    }
-  }
-
-  onCategoryChange(value) {
-    return this.$scope.$evalAsync(() => {
-      this.state.selectedCategory = value || '';
-    });
-  }
-
-  $onChanges() {
-    if (this.charts.length > 0) {
-      this.updateCategories();
-    }
-  }
-}
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
deleted file mode 100644
index cd2c1131d..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.html
+++ /dev/null
@@ -1,79 +0,0 @@
-<section class="datatable" aria-label="Helm charts">
-  <div class="toolBar vertical-center relative w-full flex-wrap !gap-x-5 !gap-y-1 !px-0">
-    <div class="toolBarTitle vertical-center"> {{ $ctrl.titleText }} </div>
-
-    <div class="searchBar vertical-center !mr-0">
-      <pr-icon icon="'search'" class="searchIcon"></pr-icon>
-      <input
-        type="text"
-        data-cy="helm-templates-search"
-        class="searchInput"
-        ng-model="$ctrl.state.textFilter"
-        placeholder="Search..."
-        auto-focus
-        ng-model-options="{ debounce: 300 }"
-        aria-label="Search input"
-      />
-    </div>
-    <div class="w-1/5">
-      <por-select
-        placeholder="'Select a category'"
-        value="$ctrl.state.selectedCategory"
-        options="$ctrl.state.categories"
-        on-change="($ctrl.onCategoryChange)"
-        is-clearable="true"
-        bind-to-body="true"
-      ></por-select>
-    </div>
-  </div>
-  <div class="w-full">
-    <div class="small text-muted mb-2"
-      >Select the Helm chart to use. Bring further Helm charts into your selection list via
-      <a ui-sref="portainer.account({'#': 'helm-repositories'})">User settings - Helm repositories</a>.</div
-    >
-    <div class="relative flex w-fit gap-1 rounded-lg bg-gray-modern-3 p-4 text-sm th-highcontrast:bg-legacy-grey-3 th-dark:bg-legacy-grey-3 mt-2">
-      <div class="mt-0.5 shrink-0">
-        <svg
-          xmlns="http://www.w3.org/2000/svg"
-          width="24"
-          height="24"
-          viewBox="0 0 24 24"
-          fill="none"
-          stroke="currentColor"
-          stroke-width="2"
-          stroke-linecap="round"
-          stroke-linejoin="round"
-          class="lucide lucide-lightbulb h-4 text-warning-7 th-highcontrast:text-warning-6 th-dark:text-warning-6"
-        >
-          <path d="M15 14c.2-1 .7-1.7 1.5-2.5 1-.9 1.5-2.2 1.5-3.5A6 6 0 0 0 6 8c0 1 .2 2.2 1.5 3.5.7.7 1.3 1.5 1.5 2.5"></path>
-          <path d="M9 18h6"></path>
-          <path d="M10 22h4"></path>
-        </svg>
-      </div>
-      <div>
-        <p class="align-middle text-[0.9em] font-medium pr-10 mb-2">Disclaimer</p>
-        <div class="small">
-          At present Portainer does not support OCI format Helm charts. Support for OCI charts will be available in a future release.<br />
-          If you would like to provide feedback on OCI support or get access to early releases to test this functionality,
-          <a href="https://bit.ly/3WVkayl" target="_blank" rel="noopener noreferrer">please get in touch</a>.
-        </div>
-      </div>
-    </div>
-  </div>
-
-  <div class="blocklist !px-0" role="list">
-    <helm-templates-list-item
-      ng-repeat="chart in allCharts = ($ctrl.charts | filter:$ctrl.state.textFilter | filter: $ctrl.state.selectedCategory)"
-      model="chart"
-      type-label="helm"
-      on-select="($ctrl.selectAction)"
-    >
-    </helm-templates-list-item>
-    <div ng-if="!$ctrl.loading && !allCharts.length && $ctrl.charts.length !== 0" class="text-muted small mt-4"> No Helm charts found </div>
-    <div ng-if="$ctrl.loading" class="text-muted text-center">
-      Loading...
-      <div class="text-muted text-center"> Initial download of Helm charts can take a few minutes </div>
-    </div>
-    <div ng-if="!$ctrl.loading && $ctrl.charts.length === 0" class="text-muted text-center"> No helm charts available. </div>
-  </div>
-</section>
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.js b/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.js
deleted file mode 100644
index 2366e8d5a..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates-list/helm-templates-list.js
+++ /dev/null
@@ -1,14 +0,0 @@
-import angular from 'angular';
-import controller from './helm-templates-list.controller';
-
-angular.module('portainer.kubernetes').component('helmTemplatesList', {
-  templateUrl: './helm-templates-list.html',
-  controller,
-  bindings: {
-    loading: '<',
-    titleText: '@',
-    charts: '<',
-    tableKey: '@',
-    selectAction: '<',
-  },
-});
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates.html b/app/kubernetes/components/helm/helm-templates/helm-templates.html
index a5f8dc960..4b998cf76 100644
--- a/app/kubernetes/components/helm/helm-templates/helm-templates.html
+++ b/app/kubernetes/components/helm/helm-templates/helm-templates.html
@@ -101,7 +101,7 @@
 <div class="row" ng-if="!$ctrl.state.chart">
   <div class="col-sm-12 p-0">
     <helm-templates-list
-      title-text="Helm chart"
+      title-text="'Helm chart'"
       charts="$ctrl.state.charts"
       table-key="$ctrl.state.charts"
       select-action="$ctrl.selectHelmChart"
diff --git a/app/kubernetes/react/components/index.ts b/app/kubernetes/react/components/index.ts
index 9775b9453..041fc35d2 100644
--- a/app/kubernetes/react/components/index.ts
+++ b/app/kubernetes/react/components/index.ts
@@ -58,6 +58,8 @@ import { AppDeploymentTypeFormSection } from '@/react/kubernetes/applications/co
 import { EnvironmentVariablesFormSection } from '@/react/kubernetes/applications/components/EnvironmentVariablesFormSection/EnvironmentVariablesFormSection';
 import { kubeEnvVarValidationSchema } from '@/react/kubernetes/applications/components/EnvironmentVariablesFormSection/kubeEnvVarValidationSchema';
 import { IntegratedAppsDatatable } from '@/react/kubernetes/components/IntegratedAppsDatatable/IntegratedAppsDatatable';
+import { HelmTemplatesList } from '@/react/kubernetes/helm/HelmTemplates/HelmTemplatesList';
+import { HelmTemplatesListItem } from '@/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem';
 
 import { namespacesModule } from './namespaces';
 import { clusterManagementModule } from './clusterManagement';
@@ -205,6 +207,19 @@ export const ngModule = angular
       'tableTitle',
       'dataCy',
     ])
+  )
+  .component(
+    'helmTemplatesList',
+    r2a(withUIRouter(withCurrentUser(HelmTemplatesList)), [
+      'loading',
+      'titleText',
+      'charts',
+      'selectAction',
+    ])
+  )
+  .component(
+    'helmTemplatesListItem',
+    r2a(HelmTemplatesListItem, ['model', 'onSelect', 'actions'])
   );
 
 export const componentsModule = ngModule.name;
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
new file mode 100644
index 000000000..e08e50cad
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
@@ -0,0 +1,190 @@
+import { render, screen, fireEvent } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+
+import { HelmTemplatesList } from './HelmTemplatesList';
+import { Chart } from './HelmTemplatesListItem';
+
+// Sample test data
+const mockCharts: Chart[] = [
+  {
+    name: 'test-chart-1',
+    description: 'Test Chart 1 Description',
+    annotations: {
+      category: 'database',
+    },
+  },
+  {
+    name: 'test-chart-2',
+    description: 'Test Chart 2 Description',
+    annotations: {
+      category: 'database',
+    },
+  },
+  {
+    name: 'nginx-chart',
+    description: 'Nginx Web Server',
+    annotations: {
+      category: 'web',
+    },
+  },
+];
+
+const selectActionMock = vi.fn();
+
+function renderComponent({
+  loading = false,
+  titleText = 'Test Helm Templates',
+  charts = mockCharts,
+  selectAction = selectActionMock,
+} = {}) {
+  const user = new UserViewModel({ Username: 'user' });
+  const Wrapped = withTestQueryProvider(
+    withUserProvider(
+      withTestRouter(() => (
+        <HelmTemplatesList
+          loading={loading}
+          titleText={titleText}
+          charts={charts}
+          selectAction={selectAction}
+        />
+      )),
+      user
+    )
+  );
+  return { ...render(<Wrapped />), user };
+}
+
+describe('HelmTemplatesList', () => {
+  beforeEach(() => {
+    selectActionMock.mockClear();
+  });
+
+  it('should display title and charts list', async () => {
+    renderComponent();
+
+    // Check for the title
+    expect(screen.getByText('Test Helm Templates')).toBeInTheDocument();
+
+    // Check for charts
+    expect(screen.getByText('test-chart-1')).toBeInTheDocument();
+    expect(screen.getByText('Test Chart 1 Description')).toBeInTheDocument();
+    expect(screen.getByText('nginx-chart')).toBeInTheDocument();
+    expect(screen.getByText('Nginx Web Server')).toBeInTheDocument();
+  });
+
+  it('should call selectAction when a chart is clicked', async () => {
+    renderComponent();
+
+    // Find the first chart item
+    const firstChartItem = screen.getByText('test-chart-1').closest('button');
+    expect(firstChartItem).not.toBeNull();
+
+    // Click on the chart item
+    if (firstChartItem) {
+      fireEvent.click(firstChartItem);
+    }
+
+    // Check if selectAction was called with the correct chart
+    expect(selectActionMock).toHaveBeenCalledWith(mockCharts[0]);
+  });
+
+  it('should filter charts by text search', async () => {
+    renderComponent();
+    const user = userEvent.setup();
+
+    // Find search input and type "nginx"
+    const searchInput = screen.getByPlaceholderText('Search...');
+    await user.type(searchInput, 'nginx');
+
+    // Wait 300ms for debounce
+    await new Promise((resolve) => {
+      setTimeout(() => {
+        resolve(undefined);
+      }, 300);
+    });
+
+    // Should show only nginx chart
+    expect(screen.getByText('nginx-chart')).toBeInTheDocument();
+    expect(screen.queryByText('test-chart-1')).not.toBeInTheDocument();
+    expect(screen.queryByText('test-chart-2')).not.toBeInTheDocument();
+  });
+
+  it('should filter charts by category', async () => {
+    renderComponent();
+    const user = userEvent.setup();
+
+    // Find the category select
+    const categorySelect = screen.getByText('Select a category');
+    await user.click(categorySelect);
+
+    // Select "web" category
+    const webCategory = screen.getByText('web', {
+      selector: '[tabindex="-1"]',
+    });
+    await user.click(webCategory);
+
+    // Should show only web category charts
+    expect(screen.queryByText('nginx-chart')).toBeInTheDocument();
+    expect(screen.queryByText('test-chart-1')).not.toBeInTheDocument();
+    expect(screen.queryByText('test-chart-2')).not.toBeInTheDocument();
+  });
+
+  it('should show loading message when loading prop is true', async () => {
+    renderComponent({ loading: true });
+
+    // Check for loading message
+    expect(screen.getByText('Loading...')).toBeInTheDocument();
+    expect(
+      screen.getByText('Initial download of Helm charts can take a few minutes')
+    ).toBeInTheDocument();
+  });
+
+  it('should show empty message when no charts are available', async () => {
+    renderComponent({ charts: [] });
+
+    // Check for empty message
+    expect(screen.getByText('No helm charts available.')).toBeInTheDocument();
+  });
+
+  it('should show no results message when search has no matches', async () => {
+    renderComponent();
+    const user = userEvent.setup();
+
+    // Find search input and type text that won't match any charts
+    const searchInput = screen.getByPlaceholderText('Search...');
+    await user.type(searchInput, 'nonexistent chart');
+
+    // Wait 300ms for debounce
+    await new Promise((resolve) => {
+      setTimeout(() => {
+        resolve(undefined);
+      }, 300);
+    });
+
+    // Check for no results message
+    expect(screen.getByText('No Helm charts found')).toBeInTheDocument();
+  });
+
+  it('should handle keyboard navigation and selection', async () => {
+    renderComponent();
+    const user = userEvent.setup();
+
+    // Find the first chart item
+    const firstChartItem = screen.getByText('test-chart-1').closest('button');
+    expect(firstChartItem).not.toBeNull();
+
+    // Focus and press Enter
+    if (firstChartItem) {
+      (firstChartItem as HTMLElement).focus();
+      await user.keyboard('{Enter}');
+    }
+
+    // Check if selectAction was called with the correct chart
+    expect(selectActionMock).toHaveBeenCalledWith(mockCharts[0]);
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
new file mode 100644
index 000000000..5cfdb6953
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
@@ -0,0 +1,179 @@
+import { useState, useMemo } from 'react';
+
+import { PortainerSelect } from '@/react/components/form-components/PortainerSelect';
+import { Link } from '@/react/components/Link';
+
+import { InsightsBox } from '@@/InsightsBox';
+import { SearchBar } from '@@/datatables/SearchBar';
+
+import { Chart, HelmTemplatesListItem } from './HelmTemplatesListItem';
+
+interface Props {
+  loading: boolean;
+  titleText: string;
+  charts?: Chart[];
+  selectAction: (chart: Chart) => void;
+}
+
+/**
+ * Get categories from charts
+ * @param charts - The charts to get the categories from
+ * @returns Categories
+ */
+function getCategories(charts: Chart[]) {
+  const annotationCategories = charts
+    .map((chart) => chart.annotations?.category) // get category
+    .filter((c): c is string => !!c); // filter out nulls/undefined
+
+  const availableCategories = [...new Set(annotationCategories)].sort(); // unique and sort
+
+  // Create options array in the format expected by PortainerSelect
+  return availableCategories.map((cat) => ({
+    label: cat,
+    value: cat,
+  }));
+}
+
+/**
+ * Get filtered charts
+ * @param charts - The charts to get the filtered charts from
+ * @param textFilter - The text filter
+ * @param selectedCategory - The selected category
+ * @returns Filtered charts
+ */
+function getFilteredCharts(
+  charts: Chart[],
+  textFilter: string,
+  selectedCategory: string | null
+) {
+  return charts.filter((chart) => {
+    // Text filter
+    if (
+      textFilter &&
+      !chart.name.toLowerCase().includes(textFilter.toLowerCase()) &&
+      !chart.description.toLowerCase().includes(textFilter.toLowerCase())
+    ) {
+      return false;
+    }
+
+    // Category filter
+    if (
+      selectedCategory &&
+      (!chart.annotations || chart.annotations.category !== selectedCategory)
+    ) {
+      return false;
+    }
+
+    return true;
+  });
+}
+
+export function HelmTemplatesList({
+  loading,
+  titleText,
+  charts = [],
+  selectAction,
+}: Props) {
+  const [textFilter, setTextFilter] = useState('');
+  const [selectedCategory, setSelectedCategory] = useState<string | null>(null);
+
+  const categories = useMemo(() => getCategories(charts), [charts]);
+
+  const filteredCharts = useMemo(
+    () => getFilteredCharts(charts, textFilter, selectedCategory),
+    [charts, textFilter, selectedCategory]
+  );
+
+  return (
+    <section className="datatable" aria-label="Helm charts">
+      <div className="toolBar vertical-center relative w-full flex-wrap !gap-x-5 !gap-y-1 !px-0">
+        <div className="toolBarTitle vertical-center">{titleText}</div>
+
+        <SearchBar
+          value={textFilter}
+          onChange={(value) => setTextFilter(value)}
+          placeholder="Search..."
+          data-cy="helm-templates-search"
+          className="!mr-0 h-9"
+        />
+
+        <div className="w-full sm:w-1/5">
+          <PortainerSelect
+            placeholder="Select a category"
+            value={selectedCategory}
+            options={categories}
+            onChange={(value) => setSelectedCategory(value)}
+            isClearable
+            bindToBody
+            data-cy="helm-category-select"
+          />
+        </div>
+      </div>
+      <div className="w-fit">
+        <div className="small text-muted mb-2">
+          Select the Helm chart to use. Bring further Helm charts into your
+          selection list via{' '}
+          <Link
+            to="portainer.account"
+            params={{ '#': 'helm-repositories' }}
+            data-cy="helm-repositories-link"
+          >
+            User settings - Helm repositories
+          </Link>
+          .
+        </div>
+
+        <InsightsBox
+          header="Disclaimer"
+          type="slim"
+          content={
+            <>
+              At present Portainer does not support OCI format Helm charts.
+              Support for OCI charts will be available in a future release.
+              <br />
+              If you would like to provide feedback on OCI support or get access
+              to early releases to test this functionality,{' '}
+              <a
+                href="https://bit.ly/3WVkayl"
+                target="_blank"
+                rel="noopener noreferrer"
+              >
+                please get in touch
+              </a>
+              .
+            </>
+          }
+        />
+      </div>
+
+      <div className="blocklist !px-0" role="list">
+        {filteredCharts.map((chart) => (
+          <HelmTemplatesListItem
+            key={chart.name}
+            model={chart}
+            onSelect={selectAction}
+          />
+        ))}
+
+        {filteredCharts.length === 0 && textFilter && (
+          <div className="text-muted small mt-4">No Helm charts found</div>
+        )}
+
+        {loading && (
+          <div className="text-muted text-center">
+            Loading...
+            <div className="text-muted text-center">
+              Initial download of Helm charts can take a few minutes
+            </div>
+          </div>
+        )}
+
+        {!loading && charts.length === 0 && (
+          <div className="text-muted text-center">
+            No helm charts available.
+          </div>
+        )}
+      </div>
+    </section>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
new file mode 100644
index 000000000..b51fb5cdd
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
@@ -0,0 +1,74 @@
+import React from 'react';
+
+import { HelmIcon } from '@/kubernetes/components/helm/helm-templates/HelmIcon';
+import { FallbackImage } from '@/react/components/FallbackImage';
+
+import Svg from '@@/Svg';
+
+export interface Chart {
+  name: string;
+  description: string;
+  icon?: string;
+  annotations?: {
+    category?: string;
+  };
+}
+
+interface HelmTemplatesListItemProps {
+  model: Chart;
+  onSelect: (model: Chart) => void;
+  actions?: React.ReactNode;
+}
+
+export function HelmTemplatesListItem(props: HelmTemplatesListItemProps) {
+  const { model, onSelect, actions } = props;
+
+  function handleSelect() {
+    onSelect(model);
+  }
+
+  return (
+    <button
+      type="button"
+      className="blocklist-item mx-0 bg-inherit text-start"
+      onClick={handleSelect}
+      tabIndex={0}
+    >
+      <div className="blocklist-item-box">
+        <span className="shrink-0">
+          <FallbackImage
+            src={model.icon}
+            fallbackIcon={HelmIcon}
+            className="blocklist-item-logo h-16 w-auto"
+            alt="Helm chart icon"
+          />
+        </span>
+
+        <div className="col-sm-12 flex flex-wrap justify-between gap-2">
+          <div className="blocklist-item-line">
+            <span>
+              <span className="blocklist-item-title">{model.name}</span>
+              <span className="space-left blocklist-item-subtitle">
+                <span className="vertical-center">
+                  <Svg icon="helm" className="icon icon-primary" />
+                </span>
+                <span> Helm </span>
+              </span>
+            </span>
+          </div>
+
+          <span className="blocklist-item-actions">{actions}</span>
+
+          <div className="blocklist-item-line w-full">
+            <span className="blocklist-item-desc">{model.description}</span>
+            {model.annotations?.category && (
+              <span className="small text-muted">
+                {model.annotations.category}
+              </span>
+            )}
+          </div>
+        </div>
+      </div>
+    </button>
+  );
+}

From 66bcf9223a1506f146065cffd3928612ca81345f Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Fri, 14 Mar 2025 11:20:41 +1300
Subject: [PATCH 045/212] fix(k8s/config): avoid hardcoded
 "insecure-skip-tls-verify" in kubeconfig [BE-11651] (#500)

---
 api/http/handler/kubernetes/config.go      |  69 +++++++-
 api/http/handler/kubernetes/config_test.go | 186 +++++++++++++++++++++
 2 files changed, 254 insertions(+), 1 deletion(-)
 create mode 100644 api/http/handler/kubernetes/config_test.go

diff --git a/api/http/handler/kubernetes/config.go b/api/http/handler/kubernetes/config.go
index aad9c03a8..a42f98ee3 100644
--- a/api/http/handler/kubernetes/config.go
+++ b/api/http/handler/kubernetes/config.go
@@ -1,9 +1,14 @@
 package kubernetes
 
 import (
+	"crypto/x509"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
+	"os"
+	"strings"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/security"
@@ -162,11 +167,38 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 func (handler *Handler) buildCluster(r *http.Request, endpoint portainer.Endpoint, isInternal bool) clientV1.NamedCluster {
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(r.Host, endpoint.ID, isInternal)
 
+	selfSignedCert := false
+	serverUrl, err := url.Parse(kubeConfigInternal.ClusterServerURL)
+	if err != nil {
+		log.Warn().Err(err).Msg("Failed to parse server URL")
+	}
+
+	if strings.EqualFold(serverUrl.Scheme, "https") {
+		var certPem []byte
+		var err error
+
+		if kubeConfigInternal.CertificateAuthorityData != "" {
+			certPem = []byte(kubeConfigInternal.CertificateAuthorityData)
+		} else if kubeConfigInternal.CertificateAuthorityFile != "" {
+			certPem, err = os.ReadFile(kubeConfigInternal.CertificateAuthorityFile)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to open certificate file")
+			}
+		}
+
+		if certPem != nil {
+			selfSignedCert, err = IsSelfSignedCertificate(certPem)
+			if err != nil {
+				log.Warn().Err(err).Msg("Failed to verify if certificate is self-signed")
+			}
+		}
+	}
+
 	return clientV1.NamedCluster{
 		Name: buildClusterName(endpoint.Name),
 		Cluster: clientV1.Cluster{
 			Server:                kubeConfigInternal.ClusterServerURL,
-			InsecureSkipTLSVerify: true,
+			InsecureSkipTLSVerify: selfSignedCert,
 		},
 	}
 }
@@ -215,3 +247,38 @@ func writeFileContent(w http.ResponseWriter, r *http.Request, endpoints []portai
 	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment; %s.json", filenameBase))
 	return response.JSON(w, config)
 }
+
+func IsSelfSignedCertificate(certPem []byte) (bool, error) {
+	if certPem == nil {
+		return false, errors.New("certificate data is empty")
+	}
+
+	if !strings.Contains(string(certPem), "BEGIN CERTIFICATE") {
+		certPem = []byte(fmt.Sprintf("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----", string(certPem)))
+	}
+
+	block, _ := pem.Decode(certPem)
+	if block == nil {
+		return false, errors.New("failed to decode certificate")
+	}
+
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return false, err
+	}
+
+	if cert.Issuer.String() != cert.Subject.String() {
+		return false, nil
+	}
+
+	roots := x509.NewCertPool()
+	roots.AddCert(cert)
+
+	opts := x509.VerifyOptions{
+		Roots:       roots,
+		CurrentTime: cert.NotBefore,
+	}
+
+	_, err = cert.Verify(opts)
+	return err == nil, err
+}
diff --git a/api/http/handler/kubernetes/config_test.go b/api/http/handler/kubernetes/config_test.go
new file mode 100644
index 000000000..46875a460
--- /dev/null
+++ b/api/http/handler/kubernetes/config_test.go
@@ -0,0 +1,186 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsSelfSignedCertificate(t *testing.T) {
+
+	tc := []struct {
+		name     string
+		cert     string
+		expected bool
+	}{
+		{
+			name: "portainer self-signed",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIBUTCB+KADAgECAhBB7psNiJlJd/nRCCKUPVenMAoGCCqGSM49BAMCMAAwHhcN
+MjUwMzEzMDQwODI0WhcNMzAwMzEzMDQwODI0WjAAMFkwEwYHKoZIzj0CAQYIKoZI
+zj0DAQcDQgAESdGCaXq0r1GDxF89yKjjLeCIixiPDdXAg+lw4NqAWeJq2AOo+8IH
+vcCq9bSlYlezK8RzTsbf9Z1m5jRqUEbSjqNUMFIwDgYDVR0PAQH/BAQDAgWgMBMG
+A1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0RAQH/BBMwEYIJ
+bG9jYWxob3N0hwQAAAAAMAoGCCqGSM49BAMCA0gAMEUCIApLliukFaCZHbc/2pkH
+0VDY+fBMb12jhmVpgKh1Cqg9AiEAwFrMQLUkzATUpiHuukdUg5VsUiMIkWTPLglz
+E4+1dRc=
+-----END CERTIFICATE-----
+`,
+			expected: true,
+		},
+		{
+			name:     "portainer self-signed without header",
+			cert:     `MIIBUzCB+aADAgECAhEAjsskPzuCS5BeHjXGwYqc2jAKBggqhkjOPQQDAjAAMB4XDTI1MDMxMzA0MzQyNloXDTMwMDMxMzA0MzQyNlowADBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABITD+dNDLYQbLYDE3UMlTzD61OYRSVkVZspdp1MvZITIG4VOxtfQUqcW3P7OHQdoi52GIQ/GM6iDgxwB1BOyi3mjVDBSMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB0GA1UdEQEB/wQTMBGCCWxvY2FsaG9zdIcEAAAAADAKBggqhkjOPQQDAgNJADBGAiEA8SmyeYLhrnrNLAFcxZp0dk6nMN70XVAfqGnbK/s8NR8CIQDgQdqhfge8QvN2TsH4gg98a9VHDv+RlcOlJ80SS+G/Ww==`,
+			expected: true,
+		},
+		{
+			name: "custom certificate generated by openssl",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIB9TCCAZugAwIBAgIULTkNYfYHiqfOiX7mKOIGxRefx/YwCgYIKoZIzj0EAwIw
+SDELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJhbmNp
+c2NvMRQwEgYDVQQDEwtleGFtcGxlLm5ldDAeFw0yNTAyMjgwNjI3MDBaFw0zNTAy
+MjYwNjI3MDBaMAAwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAT3WlLvbGw7wPkQ
+3LuHFJEaNrDv3n359JMV1CkjQi3U37u0fJrjd+8o7TxPBYgt9HDD9vsURhy41DNo
+g71F2AIto4GqMIGnMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcD
+AQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQU+nMxx/VCE9fzrlHI
+FX9mF5SRPrkwHwYDVR0jBBgwFoAUOlUIToGwnBOqzZ1dBfOvdKbwNaAwKAYDVR0R
+AQH/BB4wHIIaZWRnZS4xNzIuMTcuMjIxLjIwOC5uaXAuaW8wCgYIKoZIzj0EAwID
+SAAwRQIgeYrkjY0z/ypMKXZbvbMi8qOK44qoISKkSErBUCBLuwoCIQDRaJA9r931
+utpXXnysVGecVXHHKOOl1YhWglmuPvcZhw==
+-----END CERTIFICATE-----`,
+			expected: false,
+		},
+		{
+			name: "google.com certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIOITCCDQmgAwIBAgIQKS0IQxknY8USDjt3IYchljANBgkqhkiG9w0BAQsFADA7
+MQswCQYDVQQGEwJVUzEeMBwGA1UEChMVR29vZ2xlIFRydXN0IFNlcnZpY2VzMQww
+CgYDVQQDEwNXUjIwHhcNMjUwMjI2MTUzMjU1WhcNMjUwNTIxMTUzMjU0WjAXMRUw
+EwYDVQQDDAwqLmdvb2dsZS5jb20wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARx
+nMOmIG3BuO7my/BbF/rGPAMH/JbxBDufbYFQHV+6l5pF5sdT/Zov3X+qsR3IYFl7
+F2a0gAUmK1Bq7//zTb3uo4IMDjCCDAowDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQM
+MAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFN+aEjBz3PaUtelz
+3g9rVTkGRgU0MB8GA1UdIwQYMBaAFN4bHu15FdQ+NyTDIbvsNDltQrIwMFgGCCsG
+AQUFBwEBBEwwSjAhBggrBgEFBQcwAYYVaHR0cDovL28ucGtpLmdvb2cvd3IyMCUG
+CCsGAQUFBzAChhlodHRwOi8vaS5wa2kuZ29vZy93cjIuY3J0MIIJ5AYDVR0RBIIJ
+2zCCCdeCDCouZ29vZ2xlLmNvbYIWKi5hcHBlbmdpbmUuZ29vZ2xlLmNvbYIJKi5i
+ZG4uZGV2ghUqLm9yaWdpbi10ZXN0LmJkbi5kZXaCEiouY2xvdWQuZ29vZ2xlLmNv
+bYIYKi5jcm93ZHNvdXJjZS5nb29nbGUuY29tghgqLmRhdGFjb21wdXRlLmdvb2ds
+ZS5jb22CCyouZ29vZ2xlLmNhggsqLmdvb2dsZS5jbIIOKi5nb29nbGUuY28uaW6C
+DiouZ29vZ2xlLmNvLmpwgg4qLmdvb2dsZS5jby51a4IPKi5nb29nbGUuY29tLmFy
+gg8qLmdvb2dsZS5jb20uYXWCDyouZ29vZ2xlLmNvbS5icoIPKi5nb29nbGUuY29t
+LmNvgg8qLmdvb2dsZS5jb20ubXiCDyouZ29vZ2xlLmNvbS50coIPKi5nb29nbGUu
+Y29tLnZuggsqLmdvb2dsZS5kZYILKi5nb29nbGUuZXOCCyouZ29vZ2xlLmZyggsq
+Lmdvb2dsZS5odYILKi5nb29nbGUuaXSCCyouZ29vZ2xlLm5sggsqLmdvb2dsZS5w
+bIILKi5nb29nbGUucHSCDyouZ29vZ2xlYXBpcy5jboIRKi5nb29nbGV2aWRlby5j
+b22CDCouZ3N0YXRpYy5jboIQKi5nc3RhdGljLWNuLmNvbYIPZ29vZ2xlY25hcHBz
+LmNughEqLmdvb2dsZWNuYXBwcy5jboIRZ29vZ2xlYXBwcy1jbi5jb22CEyouZ29v
+Z2xlYXBwcy1jbi5jb22CDGdrZWNuYXBwcy5jboIOKi5na2VjbmFwcHMuY26CEmdv
+b2dsZWRvd25sb2Fkcy5jboIUKi5nb29nbGVkb3dubG9hZHMuY26CEHJlY2FwdGNo
+YS5uZXQuY26CEioucmVjYXB0Y2hhLm5ldC5jboIQcmVjYXB0Y2hhLWNuLm5ldIIS
+Ki5yZWNhcHRjaGEtY24ubmV0ggt3aWRldmluZS5jboINKi53aWRldmluZS5jboIR
+YW1wcHJvamVjdC5vcmcuY26CEyouYW1wcHJvamVjdC5vcmcuY26CEWFtcHByb2pl
+Y3QubmV0LmNughMqLmFtcHByb2plY3QubmV0LmNughdnb29nbGUtYW5hbHl0aWNz
+LWNuLmNvbYIZKi5nb29nbGUtYW5hbHl0aWNzLWNuLmNvbYIXZ29vZ2xlYWRzZXJ2
+aWNlcy1jbi5jb22CGSouZ29vZ2xlYWRzZXJ2aWNlcy1jbi5jb22CEWdvb2dsZXZh
+ZHMtY24uY29tghMqLmdvb2dsZXZhZHMtY24uY29tghFnb29nbGVhcGlzLWNuLmNv
+bYITKi5nb29nbGVhcGlzLWNuLmNvbYIVZ29vZ2xlb3B0aW1pemUtY24uY29tghcq
+Lmdvb2dsZW9wdGltaXplLWNuLmNvbYISZG91YmxlY2xpY2stY24ubmV0ghQqLmRv
+dWJsZWNsaWNrLWNuLm5ldIIYKi5mbHMuZG91YmxlY2xpY2stY24ubmV0ghYqLmcu
+ZG91YmxlY2xpY2stY24ubmV0gg5kb3VibGVjbGljay5jboIQKi5kb3VibGVjbGlj
+ay5jboIUKi5mbHMuZG91YmxlY2xpY2suY26CEiouZy5kb3VibGVjbGljay5jboIR
+ZGFydHNlYXJjaC1jbi5uZXSCEyouZGFydHNlYXJjaC1jbi5uZXSCHWdvb2dsZXRy
+YXZlbGFkc2VydmljZXMtY24uY29tgh8qLmdvb2dsZXRyYXZlbGFkc2VydmljZXMt
+Y24uY29tghhnb29nbGV0YWdzZXJ2aWNlcy1jbi5jb22CGiouZ29vZ2xldGFnc2Vy
+dmljZXMtY24uY29tghdnb29nbGV0YWdtYW5hZ2VyLWNuLmNvbYIZKi5nb29nbGV0
+YWdtYW5hZ2VyLWNuLmNvbYIYZ29vZ2xlc3luZGljYXRpb24tY24uY29tghoqLmdv
+b2dsZXN5bmRpY2F0aW9uLWNuLmNvbYIkKi5zYWZlZnJhbWUuZ29vZ2xlc3luZGlj
+YXRpb24tY24uY29tghZhcHAtbWVhc3VyZW1lbnQtY24uY29tghgqLmFwcC1tZWFz
+dXJlbWVudC1jbi5jb22CC2d2dDEtY24uY29tgg0qLmd2dDEtY24uY29tggtndnQy
+LWNuLmNvbYINKi5ndnQyLWNuLmNvbYILMm1kbi1jbi5uZXSCDSouMm1kbi1jbi5u
+ZXSCFGdvb2dsZWZsaWdodHMtY24ubmV0ghYqLmdvb2dsZWZsaWdodHMtY24ubmV0
+ggxhZG1vYi1jbi5jb22CDiouYWRtb2ItY24uY29tghRnb29nbGVzYW5kYm94LWNu
+LmNvbYIWKi5nb29nbGVzYW5kYm94LWNuLmNvbYIeKi5zYWZlbnVwLmdvb2dsZXNh
+bmRib3gtY24uY29tgg0qLmdzdGF0aWMuY29tghQqLm1ldHJpYy5nc3RhdGljLmNv
+bYIKKi5ndnQxLmNvbYIRKi5nY3BjZG4uZ3Z0MS5jb22CCiouZ3Z0Mi5jb22CDiou
+Z2NwLmd2dDIuY29tghAqLnVybC5nb29nbGUuY29tghYqLnlvdXR1YmUtbm9jb29r
+aWUuY29tggsqLnl0aW1nLmNvbYILYW5kcm9pZC5jb22CDSouYW5kcm9pZC5jb22C
+EyouZmxhc2guYW5kcm9pZC5jb22CBGcuY26CBiouZy5jboIEZy5jb4IGKi5nLmNv
+ggZnb28uZ2yCCnd3dy5nb28uZ2yCFGdvb2dsZS1hbmFseXRpY3MuY29tghYqLmdv
+b2dsZS1hbmFseXRpY3MuY29tggpnb29nbGUuY29tghJnb29nbGVjb21tZXJjZS5j
+b22CFCouZ29vZ2xlY29tbWVyY2UuY29tgghnZ3BodC5jboIKKi5nZ3BodC5jboIK
+dXJjaGluLmNvbYIMKi51cmNoaW4uY29tggh5b3V0dS5iZYILeW91dHViZS5jb22C
+DSoueW91dHViZS5jb22CEW11c2ljLnlvdXR1YmUuY29tghMqLm11c2ljLnlvdXR1
+YmUuY29tghR5b3V0dWJlZWR1Y2F0aW9uLmNvbYIWKi55b3V0dWJlZWR1Y2F0aW9u
+LmNvbYIPeW91dHViZWtpZHMuY29tghEqLnlvdXR1YmVraWRzLmNvbYIFeXQuYmWC
+ByoueXQuYmWCGmFuZHJvaWQuY2xpZW50cy5nb29nbGUuY29tghMqLmFuZHJvaWQu
+Z29vZ2xlLmNughIqLmNocm9tZS5nb29nbGUuY26CFiouZGV2ZWxvcGVycy5nb29n
+bGUuY26CFSouYWlzdHVkaW8uZ29vZ2xlLmNvbTATBgNVHSAEDDAKMAgGBmeBDAEC
+ATA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vYy5wa2kuZ29vZy93cjIvb0JGWVlh
+aHpnVkkuY3JsMIIBBAYKKwYBBAHWeQIEAgSB9QSB8gDwAHcAzxFW7tUufK/zh1vZ
+aS6b6RpxZ0qwF+ysAdJbd87MOwgAAAGVQxqxaQAABAMASDBGAiEAk6r74vfyJIaa
+hYTWqNRsjl/RpCWq/wyzzMi21zgGmfkCIQCZafyS/fl0tiutICL9aOSnDBRfPYqd
+CeNqKOy11EjvigB1AN6FgddQJHxrzcuvVjfF54HGTORu1hdjn480pybJ4r03AAAB
+lUMasUkAAAQDAEYwRAIgYfG2iyRnmn8MI86RFDxOQW1/IOBAjQxNfIQ8toZlZkoC
+IA1BHw7cqmlTP7Ks+ebX6hGfNlVsgTQS8iYyKL5/BSvTMA0GCSqGSIb3DQEBCwUA
+A4IBAQAYSNtoW72rqhPfjV5Ug1ENbbimfqmqiJS4JdzaEFRpftzachTuvx8relaY
++7FAz5y4YULu9LGNjpBRYW8yW9pgfWyc53CCHSkDODguUOMCRo3hdglxZ2d5pJ/8
+TQY4zRBd8OHzOAx2kH6jLEj9I0nDie3vowSYm7FCBRLjzfForRNQWmzPu+5hS3De
+QM0R2jWpmPcG3ffQ5qQwnAQnP9HCK9oEZ5cFqLvOQWfttj/rzKOz856iSEoRpf8S
+wVFRu3Uv2TXQ6UYF2cDfiWCe6/mO35CIynC6FVkunze/Q/2rtaCDttLRYZcLllj8
+PSl7nmLhtqDlO7da/S34BFiyyRjN
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+		{
+			name: "let's encrypt certificate",
+			cert: `-----BEGIN CERTIFICATE-----
+MIIGMjCCBRqgAwIBAgISBVHH05rEMkaCuDQvABDjiam0MA0GCSqGSIb3DQEBCwUA
+MDMxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQwwCgYDVQQD
+EwNSMTAwHhcNMjUwMzEzMDIyMzE2WhcNMjUwNjExMDIyMzE1WjAkMSIwIAYDVQQD
+Exlvei1kZW1vLnBvcnRhaW5lcmNsb3VkLmlvMIICIjANBgkqhkiG9w0BAQEFAAOC
+Ag8AMIICCgKCAgEAwNCcr9azSaldEwgL54bQScuWBnmw3FMHgEATxDVp2MEawQkV
+I3VScUcJWBnlHlb7TUanRC/c/vJGbzc+KDuCRTZ2/Ob2yQ9G5mZjGttBAnBSQPpV
+arEEBFCClhVBn4LhLNmIsCjCy25+m0HY/dwWbKjTMT/KxpTa3L3mdmIFa7XNs6W2
+vEZGwYM+2JPMJ9DwemVrrrvRqd5vLWTZcWvWJQ7HMfw3PoELpeqyycmxDqd9PCMz
+yMp8q3UwLDur3+KfDXGtGOoubxcOuJrpemOe8JeM5cEYEhvOy8D16zmWwWYDT19D
+ElFfUbM0GGITpJ41Qie03DvmI0hDYDqTEZfKza967VsvD7K9bFgLHmHdv7gLNutB
+FConpziNqslapWwQ5j7bKircxKjRQVkOiXH48m2IUzylqWgJPVMvHukRu0YVnvbt
+Q53xNVZQEbjvZmIuz8jqo22Y/1Jr7Plnb1lUvvDznA58MHT0KA4LSZwk9tvMJJCw
+vh7AoWB6/Jnl8QVnApOdCa6M/An128rBwgrCmp0wSvhMecTkWC8/gsah0Q5wKFL3
+ziBth728Qy8RlNghRUw88e/y4pdGHN8egjK1NpdgsvTFdRNQ8qwu0lx9pO3b6TNQ
+qDG5pirXjS/DhPYvZtJRDK6SMTHJNm+0NGdWB8qpNssFrU6u2cRl0533LtECAwEA
+AaOCAk0wggJJMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYI
+KwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUiQi/3pZamfPxRGPI8DTZ
+tej1494wHwYDVR0jBBgwFoAUu7zDR6XkvKnGw6RyDBCNojXhyOgwVwYIKwYBBQUH
+AQEESzBJMCIGCCsGAQUFBzABhhZodHRwOi8vcjEwLm8ubGVuY3Iub3JnMCMGCCsG
+AQUFBzAChhdodHRwOi8vcjEwLmkubGVuY3Iub3JnLzAkBgNVHREEHTAbghlvei1k
+ZW1vLnBvcnRhaW5lcmNsb3VkLmlvMBMGA1UdIAQMMAowCAYGZ4EMAQIBMC4GA1Ud
+HwQnMCUwI6AhoB+GHWh0dHA6Ly9yMTAuYy5sZW5jci5vcmcvNTMuY3JsMIIBBAYK
+KwYBBAHWeQIEAgSB9QSB8gDwAHcAzPsPaoVxCWX+lZtTzumyfCLphVwNl422qX5U
+wP5MDbAAAAGVjYW7/QAABAMASDBGAiEA8CjMOIj7wqQ60BX22A5pDkA23IxZPzwV
+1MF5+VSgdqgCIQCZhry5AK2VyZX/cIODEl6eHBCUWS4vHB+J8RxeclKCpAB1AKLj
+CuRF772tm3447Udnd1PXgluElNcrXhssxLlQpEfnAAABlY2Fu/QAAAQDAEYwRAIg
+bwjJgZJew/1LoL9yzDD1P4Xkd8ezFucxfU3AzlV1XEYCIH5RPyW1HP9GSr+aAx+I
+o3inVl1NagJFYiApAPvFmIEgMA0GCSqGSIb3DQEBCwUAA4IBAQATJWi1sJSBstO+
+hyH7DsrAtDhiQTOWzUZezBlgCn8hfmA3nX5uKsHyxPPPEQ/GFYOltRD/+34X9kFF
+YNzUjJOP0bGk45I1JbspxRRvtbDpk0+dj2VE2toM8vLRDz3+DB4YB2lFofYlex++
+16xFzOIE+ZW41qBs3G8InsyHADsaFY2CQ9re/kZvenptU/ax1U2a21JJ3TT2DmXW
+AHZYQ5/whVIowsebw1e28I12VhLl2BKn7v4MpCn3GUzBBQAEbJ6TIjHtFKWWnVfH
+FisaUX6N4hMzGZVJOsbH4QVBGuNwUshHiD8MSpbans2w+T4bCe11XayerqxFhTao
+w/pjiPVy
+-----END CERTIFICATE-----
+`,
+			expected: false,
+		},
+	}
+
+	for _, tt := range tc {
+		t.Run(tt.name, func(t *testing.T) {
+			actual, err := IsSelfSignedCertificate([]byte(tt.cert))
+			assert.NoError(t, err)
+			assert.Equal(t, tt.expected, actual)
+		})
+	}
+}

From 2c05496962c73026fd5246ef784440074004fa58 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Sat, 15 Mar 2025 10:09:22 -0300
Subject: [PATCH 046/212] feat(edgeconfigs): parse .env config files for
 interpolation BE-11673 (#514)

---
 api/filesystem/serialize_per_dev_configs.go   |  33 +++--
 .../serialize_per_dev_configs_test.go         | 133 ++++++++++--------
 2 files changed, 96 insertions(+), 70 deletions(-)

diff --git a/api/filesystem/serialize_per_dev_configs.go b/api/filesystem/serialize_per_dev_configs.go
index 55881885a..7ae653934 100644
--- a/api/filesystem/serialize_per_dev_configs.go
+++ b/api/filesystem/serialize_per_dev_configs.go
@@ -15,15 +15,19 @@ type MultiFilterArgs []struct {
 }
 
 // MultiFilterDirForPerDevConfigs filers the given dirEntries with multiple filter args, returns the merged entries for the given device
-func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) []DirEntry {
+func MultiFilterDirForPerDevConfigs(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry
 
+	var envFiles []string
+
 	for _, multiFilterArg := range multiFilterArgs {
-		tmp := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
+		tmp, efs := FilterDirForPerDevConfigs(dirEntries, multiFilterArg.FilterKey, configPath, multiFilterArg.FilterType)
 		filteredDirEntries = append(filteredDirEntries, tmp...)
+
+		envFiles = append(envFiles, efs...)
 	}
 
-	return deduplicate(filteredDirEntries)
+	return deduplicate(filteredDirEntries), envFiles
 }
 
 func deduplicate(dirEntries []DirEntry) []DirEntry {
@@ -32,8 +36,7 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 	marks := make(map[string]struct{})
 
 	for _, dirEntry := range dirEntries {
-		_, ok := marks[dirEntry.Name]
-		if !ok {
+		if _, ok := marks[dirEntry.Name]; !ok {
 			marks[dirEntry.Name] = struct{}{}
 			deduplicatedDirEntries = append(deduplicatedDirEntries, dirEntry)
 		}
@@ -50,20 +53,25 @@ func deduplicate(dirEntries []DirEntry) []DirEntry {
 //  3. For filterType dir:
 //     dir entry:   A/B/C/<deviceName>
 //     all entries: A/B/C/<deviceName>/*
-func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) []DirEntry {
+func FilterDirForPerDevConfigs(dirEntries []DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) ([]DirEntry, []string) {
 	var filteredDirEntries []DirEntry
 
+	var envFiles []string
+
 	for _, dirEntry := range dirEntries {
 		if shouldIncludeEntry(dirEntry, deviceName, configPath, filterType) {
 			filteredDirEntries = append(filteredDirEntries, dirEntry)
+
+			if shouldParseEnvVars(dirEntry, deviceName, configPath, filterType) {
+				envFiles = append(envFiles, dirEntry.Name)
+			}
 		}
 	}
 
-	return filteredDirEntries
+	return filteredDirEntries, envFiles
 }
 
 func shouldIncludeEntry(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
-
 	// Include all entries outside of dir A
 	if !isInConfigDir(dirEntry, configPath) {
 		return true
@@ -120,6 +128,15 @@ func shouldIncludeDir(dirEntry DirEntry, deviceName, configPath string) bool {
 	return strings.HasPrefix(dirEntry.Name, filterPrefix)
 }
 
+func shouldParseEnvVars(dirEntry DirEntry, deviceName, configPath string, filterType portainer.PerDevConfigsFilterType) bool {
+	if !dirEntry.IsFile {
+		return false
+	}
+
+	return isInConfigDir(dirEntry, configPath) &&
+		filepath.Base(dirEntry.Name) == deviceName+".env"
+}
+
 func appendTailSeparator(path string) string {
 	return fmt.Sprintf("%s%c", path, os.PathSeparator)
 }
diff --git a/api/filesystem/serialize_per_dev_configs_test.go b/api/filesystem/serialize_per_dev_configs_test.go
index 55a1a4643..2330db68d 100644
--- a/api/filesystem/serialize_per_dev_configs_test.go
+++ b/api/filesystem/serialize_per_dev_configs_test.go
@@ -4,14 +4,17 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
-	type args struct {
-		dirEntries      []DirEntry
-		configPath      string
-		multiFilterArgs MultiFilterArgs
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantDirEntries []DirEntry) {
+		t.Helper()
+
+		dirEntries, _ = MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantDirEntries, dirEntries)
 	}
 
 	baseDirEntries := []DirEntry{
@@ -26,69 +29,75 @@ func TestMultiFilterDirForPerDevConfigs(t *testing.T) {
 		{"configs/folder2/config2", "", true, 420},
 	}
 
-	tests := []struct {
-		name string
-		args args
-		want []DirEntry
-	}{
-		{
-			name: "filter file1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	// Filter file1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"file1", portainer.PerDevConfigsTypeFile}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3]},
+	)
+
+	// Filter folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and folder1
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
+	)
+
+	// Filter file1 and file2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"file1", portainer.PerDevConfigsTypeFile},
+			{"file2", portainer.PerDevConfigsTypeFile},
 		},
-		{
-			name: "filter folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and folder1",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{{"folder1", portainer.PerDevConfigsTypeDir}},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6]},
-		},
-		{
-			name: "filter file1 and file2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"file1", portainer.PerDevConfigsTypeFile},
-					{"file2", portainer.PerDevConfigsTypeFile},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
-		},
-		{
-			name: "filter folder1 and folder2",
-			args: args{
-				baseDirEntries,
-				"configs",
-				MultiFilterArgs{
-					{"folder1", portainer.PerDevConfigsTypeDir},
-					{"folder2", portainer.PerDevConfigsTypeDir},
-				},
-			},
-			want: []DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[3], baseDirEntries[4]},
+	)
+
+	// Filter folder1 and folder2
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{
+			{"folder1", portainer.PerDevConfigsTypeDir},
+			{"folder2", portainer.PerDevConfigsTypeDir},
 		},
+		[]DirEntry{baseDirEntries[0], baseDirEntries[1], baseDirEntries[2], baseDirEntries[5], baseDirEntries[6], baseDirEntries[7], baseDirEntries[8]},
+	)
+}
+
+func TestMultiFilterDirForPerDevConfigsEnvFiles(t *testing.T) {
+	f := func(dirEntries []DirEntry, configPath string, multiFilterArgs MultiFilterArgs, wantEnvFiles []string) {
+		t.Helper()
+
+		_, envFiles := MultiFilterDirForPerDevConfigs(dirEntries, configPath, multiFilterArgs)
+		require.Equal(t, wantEnvFiles, envFiles)
 	}
 
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			assert.Equalf(t, tt.want, MultiFilterDirForPerDevConfigs(tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs), "MultiFilterDirForPerDevConfigs(%v, %v, %v)", tt.args.dirEntries, tt.args.configPath, tt.args.multiFilterArgs)
-		})
+	baseDirEntries := []DirEntry{
+		{".env", "", true, 420},
+		{"docker-compose.yaml", "", true, 420},
+		{"configs", "", false, 420},
+		{"configs/edge-id/edge-id.env", "", true, 420},
 	}
+
+	f(
+		baseDirEntries,
+		"configs",
+		MultiFilterArgs{{"edge-id", portainer.PerDevConfigsTypeDir}},
+		[]string{"configs/edge-id/edge-id.env"},
+	)
+
 }
 
 func TestIsInConfigDir(t *testing.T) {

From e1f9b69cd562538e46ce2d7d5a4a32851007f37e Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Sat, 15 Mar 2025 10:10:17 -0300
Subject: [PATCH 047/212] feat(edgestack): improve the structure to make JSON
 operations faster BE-11668 (#475)

---
 api/datastore/migrator/migrate_dbversion100.go |  4 ++++
 api/datastore/migrator/migrate_dbversion80.go  |  8 ++++++--
 api/portainer.go                               | 16 ++++++++--------
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/api/datastore/migrator/migrate_dbversion100.go b/api/datastore/migrator/migrate_dbversion100.go
index 458c10c95..59b15b08d 100644
--- a/api/datastore/migrator/migrate_dbversion100.go
+++ b/api/datastore/migrator/migrate_dbversion100.go
@@ -94,6 +94,10 @@ func (m *Migrator) updateEdgeStackStatusForDB100() error {
 				continue
 			}
 
+			if environmentStatus.Details == nil {
+				continue
+			}
+
 			statusArray := []portainer.EdgeStackDeploymentStatus{}
 			if environmentStatus.Details.Pending {
 				statusArray = append(statusArray, portainer.EdgeStackDeploymentStatus{
diff --git a/api/datastore/migrator/migrate_dbversion80.go b/api/datastore/migrator/migrate_dbversion80.go
index 77671745e..a738e5177 100644
--- a/api/datastore/migrator/migrate_dbversion80.go
+++ b/api/datastore/migrator/migrate_dbversion80.go
@@ -75,6 +75,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 
 	for _, edgeStack := range edgeStacks {
 		for endpointId, status := range edgeStack.Status {
+			if status.Details == nil {
+				status.Details = &portainer.EdgeStackStatusDetails{}
+			}
+
 			switch status.Type {
 			case portainer.EdgeStackStatusPending:
 				status.Details.Pending = true
@@ -93,10 +97,10 @@ func (m *Migrator) updateEdgeStackStatusForDB80() error {
 			edgeStack.Status[endpointId] = status
 		}
 
-		err = m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack)
-		if err != nil {
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
 			return err
 		}
 	}
+
 	return nil
 }
diff --git a/api/portainer.go b/api/portainer.go
index 5b7d177da..60d09a993 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -309,7 +309,7 @@ type (
 		// FileVersion is the version of the stack file, used to detect changes
 		FileVersion int `json:"FileVersion"`
 		// ConfigHash is the commit hash of the git repository used for deploying the stack
-		ConfigHash string `json:"ConfigHash"`
+		ConfigHash string `json:"ConfigHash,omitempty"`
 	}
 
 	// EdgeStack represents an edge stack
@@ -353,24 +353,24 @@ type (
 		// EE only feature
 		DeploymentInfo StackDeploymentInfo
 		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
-		ReadyRePullImage bool
+		ReadyRePullImage bool `json:"ReadyRePullImage,omitempty"`
 
 		// Deprecated
-		Details EdgeStackStatusDetails
+		Details *EdgeStackStatusDetails `json:"Details,omitempty"`
 		// Deprecated
-		Error string
+		Error string `json:"Error,omitempty"`
 		// Deprecated
-		Type EdgeStackStatusType `json:"Type"`
+		Type EdgeStackStatusType `json:"Type,omitempty"`
 	}
 
 	// EdgeStackDeploymentStatus represents an edge stack deployment status
 	EdgeStackDeploymentStatus struct {
 		Time  int64
 		Type  EdgeStackStatusType
-		Error string
+		Error string `json:"Error,omitempty"`
 		// EE only feature
-		RollbackTo *int
-		Version    int `json:"Version,omitempty"`
+		RollbackTo *int `json:"RollbackTo,omitempty"`
+		Version    int  `json:"Version,omitempty"`
 	}
 
 	// EdgeStackStatusType represents an edge stack status type

From 2791bd123cdc16495f9a018da5ee2ece711cdfc7 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Mon, 17 Mar 2025 12:24:39 +1300
Subject: [PATCH 048/212] fix: cve-2025-22869 develop (#511)

---
 binary-version.json |  4 ++--
 go.mod              | 10 +++++-----
 go.sum              | 20 ++++++++++----------
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/binary-version.json b/binary-version.json
index ff017d023..8b37fa345 100644
--- a/binary-version.json
+++ b/binary-version.json
@@ -1,6 +1,6 @@
 {
   "docker": "v27.5.1",
-  "helm": "v3.17.0",
-  "kubectl": "v1.32.1",
+  "helm": "v3.17.2",
+  "kubectl": "v1.32.2",
   "mingit": "2.48.1.1"
 }
diff --git a/go.mod b/go.mod
index 78f3a8adb..2c93a403a 100644
--- a/go.mod
+++ b/go.mod
@@ -48,11 +48,11 @@ require (
 	github.com/urfave/negroni v1.0.0
 	github.com/viney-shih/go-lock v1.1.1
 	go.etcd.io/bbolt v1.3.11
-	golang.org/x/crypto v0.31.0
+	golang.org/x/crypto v0.35.0
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0
 	golang.org/x/mod v0.21.0
 	golang.org/x/oauth2 v0.23.0
-	golang.org/x/sync v0.10.0
+	golang.org/x/sync v0.11.0
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.17.1
@@ -274,9 +274,9 @@ require (
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
diff --git a/go.sum b/go.sum
index 278c4cdd3..8aab3b540 100644
--- a/go.sum
+++ b/go.sum
@@ -776,8 +776,8 @@ golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
-golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -808,8 +808,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
-golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
+golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -836,20 +836,20 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
-golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
-golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
+golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
+golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
-golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
+golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=

From a67b917bddf3493c6810c3d947fc29cf24b47784 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Mon, 17 Mar 2025 16:00:33 +1300
Subject: [PATCH 049/212] Bump version to 2.28.0 (#523)

---
 .github/ISSUE_TEMPLATE/bug_report.yml            | 14 +++++++-------
 api/datastore/test_data/output_24_to_latest.json |  4 ++--
 api/http/handler/handler.go                      |  2 +-
 api/portainer.go                                 |  4 ++--
 package.json                                     |  2 +-
 5 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 99d319aaf..4bd225980 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -2,18 +2,17 @@ name: Bug Report
 description: Create a report to help us improve.
 labels: kind/bug,bug/need-confirmation
 body:
-
   - type: markdown
     attributes:
       value: |
         # Welcome!
-        
+
         The issue tracker is for reporting bugs. If you have an [idea for a new feature](https://github.com/orgs/portainer/discussions/categories/ideas) or a [general question about Portainer](https://github.com/orgs/portainer/discussions/categories/help) please post in our [GitHub Discussions](https://github.com/orgs/portainer/discussions).
-        
+
         You can also ask for help in our [community Slack channel](https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA).
 
         Please note that we only provide support for current versions of Portainer. You can find a list of supported versions in our [lifecycle policy](https://docs.portainer.io/start/lifecycle).
-        
+
         **DO NOT FILE ISSUES FOR GENERAL SUPPORT QUESTIONS**.
 
   - type: checkboxes
@@ -45,7 +44,7 @@ body:
   - type: textarea
     attributes:
       label: Problem Description
-      description: A clear and concise description of what the bug is. 
+      description: A clear and concise description of what the bug is.
     validations:
       required: true
 
@@ -71,7 +70,7 @@ body:
         1. Go to '...'
         2. Click on '....'
         3. Scroll down to '....'
-        4. See error   
+        4. See error
     validations:
       required: true
 
@@ -95,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.28.0'
         - '2.27.1'
         - '2.27.0'
         - '2.26.1'
@@ -158,7 +158,7 @@ body:
   - type: input
     attributes:
       label: Browser
-      description: | 
+      description: |
         Enter your browser and version. Example: Google Chrome 114.0
     validations:
       required: false
diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 89d781169..dcbf37413 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.27.1",
+    "KubectlShellImage": "portainer/kubectl-shell:2.28.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.27.1\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.28.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 7603e345b..d9ac7fbc6 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.27.1
+// @version 2.28.0
 // @description.markdown api-description.md
 // @termsOfService
 
diff --git a/api/portainer.go b/api/portainer.go
index 60d09a993..b90e89b4e 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1637,9 +1637,9 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.27.1"
+	APIVersion = "2.28.0"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
-	APIVersionSupport = "LTS"
+	APIVersionSupport = "STS"
 	// Edition is what this edition of Portainer is called
 	Edition = PortainerCE
 	// ComposeSyntaxMaxVersion is a maximum supported version of the docker compose syntax
diff --git a/package.json b/package.json
index 2068b5454..9e28a2441 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.27.1",
+  "version": "2.28.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"

From 0296998faeb58a20284338cc7174a4ef31563397 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Tue, 18 Mar 2025 17:55:53 -0300
Subject: [PATCH 050/212] fix(users): optimize the /users/me API endpoint
 BE-11688 (#515)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
Co-authored-by: LP B <xAt0mZ@users.noreply.github.com>
Co-authored-by: JamesPlayer <james.player@portainer.io>
---
 api/connection.go                           |  2 ++
 api/database/boltdb/db.go                   | 26 +++++++++++++++++++
 api/database/boltdb/tx.go                   | 28 +++++++++++++++++++++
 api/dataservices/base.go                    | 14 +++++++++++
 api/dataservices/base_tx.go                 |  6 +++++
 api/http/handler/endpoints/endpoint_list.go | 23 +++++++----------
 api/http/security/bouncer.go                |  8 +++---
 api/internal/testhelpers/datastore.go       |  8 ++++++
 8 files changed, 96 insertions(+), 19 deletions(-)

diff --git a/api/connection.go b/api/connection.go
index 710b978da..14e2dc1ca 100644
--- a/api/connection.go
+++ b/api/connection.go
@@ -6,8 +6,10 @@ import (
 
 type ReadTransaction interface {
 	GetObject(bucketName string, key []byte, object any) error
+	GetRawBytes(bucketName string, key []byte) ([]byte, error)
 	GetAll(bucketName string, obj any, append func(o any) (any, error)) error
 	GetAllWithKeyPrefix(bucketName string, keyPrefix []byte, obj any, append func(o any) (any, error)) error
+	KeyExists(bucketName string, key []byte) (bool, error)
 }
 
 type Transaction interface {
diff --git a/api/database/boltdb/db.go b/api/database/boltdb/db.go
index cef93b345..a0db7f4e0 100644
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -244,6 +244,32 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object
 	})
 }
 
+func (connection *DbConnection) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	var value []byte
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		value, err = tx.GetRawBytes(bucketName, key)
+
+		return err
+	})
+
+	return value, err
+}
+
+func (connection *DbConnection) KeyExists(bucketName string, key []byte) (bool, error) {
+	var exists bool
+
+	err := connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = tx.KeyExists(bucketName, key)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (connection *DbConnection) getEncryptionKey() []byte {
 	if !connection.isEncrypted {
 		return nil
diff --git a/api/database/boltdb/tx.go b/api/database/boltdb/tx.go
index 5de5d5333..2e45ac7b9 100644
--- a/api/database/boltdb/tx.go
+++ b/api/database/boltdb/tx.go
@@ -6,6 +6,7 @@ import (
 
 	dserrors "github.com/portainer/portainer/api/dataservices/errors"
 
+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 	bolt "go.etcd.io/bbolt"
 )
@@ -31,6 +32,33 @@ func (tx *DbTransaction) GetObject(bucketName string, key []byte, object any) er
 	return tx.conn.UnmarshalObject(value, object)
 }
 
+func (tx *DbTransaction) GetRawBytes(bucketName string, key []byte) ([]byte, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+	if value == nil {
+		return nil, fmt.Errorf("%w (bucket=%s, key=%s)", dserrors.ErrObjectNotFound, bucketName, keyToString(key))
+	}
+
+	if tx.conn.getEncryptionKey() != nil {
+		var err error
+
+		if value, err = decrypt(value, tx.conn.getEncryptionKey()); err != nil {
+			return value, errors.Wrap(err, "Failed decrypting object")
+		}
+	}
+
+	return value, nil
+}
+
+func (tx *DbTransaction) KeyExists(bucketName string, key []byte) (bool, error) {
+	bucket := tx.tx.Bucket([]byte(bucketName))
+
+	value := bucket.Get(key)
+
+	return value != nil, nil
+}
+
 func (tx *DbTransaction) UpdateObject(bucketName string, key []byte, object any) error {
 	data, err := tx.conn.MarshalObject(object)
 	if err != nil {
diff --git a/api/dataservices/base.go b/api/dataservices/base.go
index 9b1a42a53..04af70b02 100644
--- a/api/dataservices/base.go
+++ b/api/dataservices/base.go
@@ -9,6 +9,7 @@ import (
 type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
+	Exists(ID I) (bool, error)
 	ReadAll() ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
@@ -42,6 +43,19 @@ func (service BaseDataService[T, I]) Read(ID I) (*T, error) {
 	})
 }
 
+func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
+	var exists bool
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		exists, err = service.Tx(tx).Exists(ID)
+
+		return err
+	})
+
+	return exists, err
+}
+
 func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)
 
diff --git a/api/dataservices/base_tx.go b/api/dataservices/base_tx.go
index db1e702cb..d9915b64c 100644
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -28,6 +28,12 @@ func (service BaseDataServiceTx[T, I]) Read(ID I) (*T, error) {
 	return &element, nil
 }
 
+func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	return service.Tx.KeyExists(service.Bucket, identifier)
+}
+
 func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
 	var collection = make([]T, 0)
 
diff --git a/api/http/handler/endpoints/endpoint_list.go b/api/http/handler/endpoints/endpoint_list.go
index dc95e15b0..7ea557910 100644
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -105,14 +105,16 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 
 	for idx := range paginatedEndpoints {
 		hideFields(&paginatedEndpoints[idx])
+
 		paginatedEndpoints[idx].ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 		if paginatedEndpoints[idx].EdgeCheckinInterval == 0 {
 			paginatedEndpoints[idx].EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
 		}
+
 		endpointutils.UpdateEdgeEndpointHeartbeat(&paginatedEndpoints[idx], settings)
+
 		if !query.excludeSnapshots {
-			err = handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx])
-			if err != nil {
+			if err := handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx]); err != nil {
 				return httperror.InternalServerError("Unable to add snapshot data", err)
 			}
 		}
@@ -120,6 +122,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 
 	w.Header().Set("X-Total-Count", strconv.Itoa(filteredEndpointCount))
 	w.Header().Set("X-Total-Available", strconv.Itoa(totalAvailableEndpoints))
+
 	return response.JSON(w, paginatedEndpoints)
 }
 
@@ -130,18 +133,8 @@ func paginateEndpoints(endpoints []portainer.Endpoint, start, limit int) []porta
 
 	endpointCount := len(endpoints)
 
-	if start < 0 {
-		start = 0
-	}
-
-	if start > endpointCount {
-		start = endpointCount
-	}
-
-	end := start + limit
-	if end > endpointCount {
-		end = endpointCount
-	}
+	start = min(max(start, 0), endpointCount)
+	end := min(start+limit, endpointCount)
 
 	return endpoints[start:end]
 }
@@ -151,8 +144,10 @@ func getEndpointGroup(groupID portainer.EndpointGroupID, groups []portainer.Endp
 	for _, group := range groups {
 		if group.ID == groupID {
 			endpointGroup = group
+
 			break
 		}
 	}
+
 	return endpointGroup
 }
diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index 00f69e328..eb240692d 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -243,8 +243,7 @@ func (bouncer *RequestBouncer) mwCheckPortainerAuthorizations(next http.Handler,
 			return
 		}
 
-		_, err = bouncer.dataStore.User().Read(tokenData.ID)
-		if bouncer.dataStore.IsErrObjectNotFound(err) {
+		if ok, err := bouncer.dataStore.User().Exists(tokenData.ID); !ok {
 			httperror.WriteError(w, http.StatusUnauthorized, "Unauthorized", httperrors.ErrUnauthorized)
 			return
 		} else if err != nil {
@@ -322,9 +321,8 @@ func (bouncer *RequestBouncer) mwAuthenticateFirst(tokenLookups []tokenLookup, n
 			return
 		}
 
-		user, _ := bouncer.dataStore.User().Read(token.ID)
-		if user == nil {
-			httperror.WriteError(w, http.StatusUnauthorized, "An authorization token is invalid", httperrors.ErrUnauthorized)
+		if ok, _ := bouncer.dataStore.User().Exists(token.ID); !ok {
+			httperror.WriteError(w, http.StatusUnauthorized, "The authorization token is invalid", httperrors.ErrUnauthorized)
 
 			return
 		}
diff --git a/api/internal/testhelpers/datastore.go b/api/internal/testhelpers/datastore.go
index 19d4df762..9a16ddfd2 100644
--- a/api/internal/testhelpers/datastore.go
+++ b/api/internal/testhelpers/datastore.go
@@ -153,6 +153,7 @@ func (s *stubUserService) UsersByRole(role portainer.UserRole) ([]portainer.User
 func (s *stubUserService) Create(user *portainer.User) error                      { return nil }
 func (s *stubUserService) Update(ID portainer.UserID, user *portainer.User) error { return nil }
 func (s *stubUserService) Delete(ID portainer.UserID) error                       { return nil }
+func (s *stubUserService) Exists(ID portainer.UserID) (bool, error)               { return false, nil }
 
 // WithUsers testDatastore option that will instruct testDatastore to return provided users
 func WithUsers(us []portainer.User) datastoreOption {
@@ -188,6 +189,9 @@ func (s *stubEdgeJobService) UpdateEdgeJobFunc(ID portainer.EdgeJobID, updateFun
 }
 func (s *stubEdgeJobService) Delete(ID portainer.EdgeJobID) error { return nil }
 func (s *stubEdgeJobService) GetNextIdentifier() int              { return 0 }
+func (s *stubEdgeJobService) Exists(ID portainer.EdgeJobID) (bool, error) {
+	return false, nil
+}
 
 // WithEdgeJobs option will instruct testDatastore to return provided jobs
 func WithEdgeJobs(js []portainer.EdgeJob) datastoreOption {
@@ -452,6 +456,10 @@ func (s *stubStacksService) GetNextIdentifier() int {
 	return len(s.stacks)
 }
 
+func (s *stubStacksService) Exists(ID portainer.StackID) (bool, error) {
+	return false, nil
+}
+
 // WithStacks option will instruct testDatastore to return provided stacks
 func WithStacks(stacks []portainer.Stack) datastoreOption {
 	return func(d *testDatastore) {

From c01f0271fef8e6845d413b2bcffe755d7c464cb1 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Wed, 19 Mar 2025 17:41:36 +1300
Subject: [PATCH 051/212] Update bug report template for 2.27.2 (#539)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 4bd225980..dc640387c 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -91,10 +91,11 @@ body:
   - type: dropdown
     attributes:
       label: Portainer version
-      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [upgrading first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
+      description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
         - '2.28.0'
+        - '2.27.2'
         - '2.27.1'
         - '2.27.0'
         - '2.26.1'
@@ -111,16 +112,6 @@ body:
         - '2.21.2'
         - '2.21.1'
         - '2.21.0'
-        - '2.20.3'
-        - '2.20.2'
-        - '2.20.1'
-        - '2.20.0'
-        - '2.19.5'
-        - '2.19.4'
-        - '2.19.3'
-        - '2.19.2'
-        - '2.19.1'
-        - '2.19.0'
     validations:
       required: true
 

From 38562f9560b0202bc0f3d74c62caad9f77b884a6 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Wed, 19 Mar 2025 13:08:03 +0100
Subject: [PATCH 052/212] fix(api): remove duplicated /users/me route
 [BE-11689] (#516)

---
 api/http/handler/users/handler.go | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/api/http/handler/users/handler.go b/api/http/handler/users/handler.go
index c0abba8c4..54be6a24e 100644
--- a/api/http/handler/users/handler.go
+++ b/api/http/handler/users/handler.go
@@ -52,12 +52,12 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	teamLeaderRouter := h.NewRoute().Subrouter()
 	teamLeaderRouter.Use(bouncer.TeamLeaderAccess)
 
-	restrictedRouter := h.NewRoute().Subrouter()
-	restrictedRouter.Use(bouncer.RestrictedAccess)
-
 	authenticatedRouter := h.NewRoute().Subrouter()
 	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
 
+	restrictedRouter := h.NewRoute().Subrouter()
+	restrictedRouter.Use(bouncer.RestrictedAccess)
+
 	publicRouter := h.NewRoute().Subrouter()
 	publicRouter.Use(bouncer.PublicAccess)
 
@@ -65,7 +65,6 @@ func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimit
 	restrictedRouter.Handle("/users", httperror.LoggerHandler(h.userList)).Methods(http.MethodGet)
 
 	authenticatedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
-	restrictedRouter.Handle("/users/me", httperror.LoggerHandler(h.userInspectMe)).Methods(http.MethodGet)
 	restrictedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userInspect)).Methods(http.MethodGet)
 	authenticatedRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/users/{id}", httperror.LoggerHandler(h.userDelete)).Methods(http.MethodDelete)

From 4b992c6f3e33a50438dbdafbf04a07ce3b376d1a Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Thu, 20 Mar 2025 08:49:27 +1300
Subject: [PATCH 053/212] fix(k8s/config): force insecure-skip-tls-verify
 option for internal use [BE-11706] (#537)

---
 api/http/handler/kubernetes/config.go       | 10 ++++++++++
 api/kubernetes/kubeclusteraccess_service.go |  1 +
 2 files changed, 11 insertions(+)

diff --git a/api/http/handler/kubernetes/config.go b/api/http/handler/kubernetes/config.go
index a42f98ee3..b9de1824b 100644
--- a/api/http/handler/kubernetes/config.go
+++ b/api/http/handler/kubernetes/config.go
@@ -167,6 +167,16 @@ func (handler *Handler) buildConfig(r *http.Request, tokenData *portainer.TokenD
 func (handler *Handler) buildCluster(r *http.Request, endpoint portainer.Endpoint, isInternal bool) clientV1.NamedCluster {
 	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(r.Host, endpoint.ID, isInternal)
 
+	if isInternal {
+		return clientV1.NamedCluster{
+			Name: buildClusterName(endpoint.Name),
+			Cluster: clientV1.Cluster{
+				Server:                kubeConfigInternal.ClusterServerURL,
+				InsecureSkipTLSVerify: true,
+			},
+		}
+	}
+
 	selfSignedCert := false
 	serverUrl, err := url.Parse(kubeConfigInternal.ClusterServerURL)
 	if err != nil {
diff --git a/api/kubernetes/kubeclusteraccess_service.go b/api/kubernetes/kubeclusteraccess_service.go
index 60f0cc503..fce7f55ea 100644
--- a/api/kubernetes/kubeclusteraccess_service.go
+++ b/api/kubernetes/kubeclusteraccess_service.go
@@ -109,6 +109,7 @@ func (service *kubeClusterAccessService) GetClusterDetails(hostURL string, endpo
 		Str("host_URL", hostURL).
 		Str("HTTPS_bind_address", service.httpsBindAddr).
 		Str("base_URL", baseURL).
+		Bool("is_internal", isInternal).
 		Msg("kubeconfig")
 
 	clusterServerURL, err := url.JoinPath("https://", hostURL, baseURL, "/api/endpoints/", strconv.Itoa(int(endpointID)), "/kubernetes")

From 5d1b42b3144aa5d659eefdcc72fbc482f534c8ba Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 20 Mar 2025 15:54:53 +1300
Subject: [PATCH 054/212] Update bug report template for 2.28.1 (#549)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index dc640387c..ef5a073fb 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.28.1'
         - '2.28.0'
         - '2.27.2'
         - '2.27.1'

From a61c1004d31be34665470e6aebbbc63f9b619551 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Thu, 20 Mar 2025 10:05:15 +0100
Subject: [PATCH 055/212] fix(agent-updates): fix remote agent updates cannot
 be scheduled properly for large edge groups [BE-11691] (#528)

---
 .../environments/environment.service/index.ts |  2 ++
 app/react/portainer/environments/types.ts     |  2 ++
 .../common/RollbackOptions.tsx                | 24 +++++--------
 .../common/ScheduleTypeSelector.tsx           |  6 +---
 .../common/useEdgeGroupsEnvironmentIds.ts     | 34 ------------------
 .../common/useEnvironments.ts                 |  8 ++---
 .../update-schedules/queries/query-keys.ts    |  8 +++--
 .../queries/usePreviousVersions.ts            | 36 +++++++++++--------
 8 files changed, 46 insertions(+), 74 deletions(-)
 delete mode 100644 app/react/portainer/environments/update-schedules/common/useEdgeGroupsEnvironmentIds.ts

diff --git a/app/react/portainer/environments/environment.service/index.ts b/app/react/portainer/environments/environment.service/index.ts
index 8971a4af0..f96d57d69 100644
--- a/app/react/portainer/environments/environment.service/index.ts
+++ b/app/react/portainer/environments/environment.service/index.ts
@@ -7,6 +7,7 @@ import {
   EnvironmentStatus,
   EnvironmentGroupId,
   PlatformType,
+  EdgeGroupId,
 } from '@/react/portainer/environments/types';
 import { type TagId } from '@/portainer/tags/types';
 import { UserId } from '@/portainer/users/types';
@@ -47,6 +48,7 @@ export interface BaseEnvironmentsQueryParams {
   updateInformation?: boolean;
   edgeCheckInPassedSeconds?: number;
   platformTypes?: PlatformType[];
+  edgeGroupIds?: EdgeGroupId[];
 }
 
 export type EnvironmentsQueryParams = BaseEnvironmentsQueryParams &
diff --git a/app/react/portainer/environments/types.ts b/app/react/portainer/environments/types.ts
index e9dc5aa25..9279e0d4c 100644
--- a/app/react/portainer/environments/types.ts
+++ b/app/react/portainer/environments/types.ts
@@ -3,6 +3,8 @@ import { DockerSnapshot } from '@/react/docker/snapshots/types';
 
 export type EnvironmentGroupId = number;
 
+export type EdgeGroupId = number;
+
 type RoleId = number;
 interface AccessPolicy {
   RoleId: RoleId;
diff --git a/app/react/portainer/environments/update-schedules/common/RollbackOptions.tsx b/app/react/portainer/environments/update-schedules/common/RollbackOptions.tsx
index 4b4265a65..be354152c 100644
--- a/app/react/portainer/environments/update-schedules/common/RollbackOptions.tsx
+++ b/app/react/portainer/environments/update-schedules/common/RollbackOptions.tsx
@@ -9,7 +9,6 @@ import { TextTip } from '@@/Tip/TextTip';
 import { usePreviousVersions } from '../queries/usePreviousVersions';
 
 import { FormValues } from './types';
-import { useEdgeGroupsEnvironmentIds } from './useEdgeGroupsEnvironmentIds';
 
 export function RollbackOptions() {
   const { isLoading, count, version, versionError } = useSelectVersionOnMount();
@@ -50,24 +49,19 @@ function useSelectVersionOnMount() {
     errors: { version: versionError },
   } = useFormikContext<FormValues>();
 
-  const environmentIdsQuery = useEdgeGroupsEnvironmentIds(groupIds);
-
-  const previousVersionsQuery = usePreviousVersions<string[]>({
-    enabled: !!environmentIdsQuery.data,
-  });
+  const previousVersionsQuery = usePreviousVersions(groupIds ?? []);
 
   const previousVersions = useMemo(
     () =>
       previousVersionsQuery.data
-        ? _.uniq(
-            _.compact(
-              environmentIdsQuery.data?.map(
-                (envId) => previousVersionsQuery.data[envId]
-              )
-            )
-          )
+        ? _.uniq(Object.values(previousVersionsQuery.data))
         : [],
-    [environmentIdsQuery.data, previousVersionsQuery.data]
+    [previousVersionsQuery.data]
+  );
+
+  const previousVersionCount = useMemo(
+    () => Object.keys(previousVersions).length,
+    [previousVersions]
   );
 
   useEffect(() => {
@@ -91,7 +85,7 @@ function useSelectVersionOnMount() {
     isLoading: previousVersionsQuery.isLoading,
     versionError,
     version,
-    count: environmentIdsQuery.data?.length,
+    count: previousVersionCount,
   };
 }
 
diff --git a/app/react/portainer/environments/update-schedules/common/ScheduleTypeSelector.tsx b/app/react/portainer/environments/update-schedules/common/ScheduleTypeSelector.tsx
index 212ff7c00..8d088f7d2 100644
--- a/app/react/portainer/environments/update-schedules/common/ScheduleTypeSelector.tsx
+++ b/app/react/portainer/environments/update-schedules/common/ScheduleTypeSelector.tsx
@@ -7,7 +7,6 @@ import { NavContainer } from '@@/NavTabs/NavContainer';
 
 import { ScheduleType } from '../types';
 
-import { useEdgeGroupsEnvironmentIds } from './useEdgeGroupsEnvironmentIds';
 import { useEnvironments } from './useEnvironments';
 import { defaultValue } from './ScheduledTimeField';
 import { FormValues } from './types';
@@ -17,10 +16,7 @@ import { RollbackScheduleDetailsFieldset } from './RollbackScheduleDetailsFields
 export function ScheduleTypeSelector() {
   const { values, setFieldValue } = useFormikContext<FormValues>();
 
-  const environmentIdsQuery = useEdgeGroupsEnvironmentIds(values.groupIds);
-
-  const edgeGroupsEnvironmentIds = environmentIdsQuery.data || [];
-  const environments = useEnvironments(edgeGroupsEnvironmentIds);
+  const environments = useEnvironments(values.groupIds);
 
   // old version is version that doesn't support scheduling of updates
   const hasNoTimeZone = environments.some((env) => !env.LocalTimeZone);
diff --git a/app/react/portainer/environments/update-schedules/common/useEdgeGroupsEnvironmentIds.ts b/app/react/portainer/environments/update-schedules/common/useEdgeGroupsEnvironmentIds.ts
deleted file mode 100644
index 6f44c7dab..000000000
--- a/app/react/portainer/environments/update-schedules/common/useEdgeGroupsEnvironmentIds.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-import _ from 'lodash';
-import { useMemo } from 'react';
-
-import { useEdgeGroups } from '@/react/edge/edge-groups/queries/useEdgeGroups';
-import { EdgeGroup } from '@/react/edge/edge-groups/types';
-
-export function useEdgeGroupsEnvironmentIds(
-  edgeGroupsIds: Array<EdgeGroup['Id']>
-) {
-  const groupsQuery = useEdgeGroups({
-    select: (groups) =>
-      Object.fromEntries(groups.map((g) => [g.Id, g.Endpoints])),
-  });
-
-  const envIds = useMemo(
-    () =>
-      _.uniq(
-        _.compact(
-          edgeGroupsIds.flatMap((id) =>
-            groupsQuery.data ? groupsQuery.data[id] : []
-          )
-        )
-      ),
-    [edgeGroupsIds, groupsQuery.data]
-  );
-
-  return useMemo(
-    () => ({
-      data: groupsQuery.data ? envIds : null,
-      isLoading: groupsQuery.isLoading,
-    }),
-    [envIds, groupsQuery.data, groupsQuery.isLoading]
-  );
-}
diff --git a/app/react/portainer/environments/update-schedules/common/useEnvironments.ts b/app/react/portainer/environments/update-schedules/common/useEnvironments.ts
index 94ef89d86..bfe9a83b4 100644
--- a/app/react/portainer/environments/update-schedules/common/useEnvironments.ts
+++ b/app/react/portainer/environments/update-schedules/common/useEnvironments.ts
@@ -1,11 +1,11 @@
 import { useEnvironmentList } from '@/react/portainer/environments/queries/useEnvironmentList';
-import { EdgeTypes, EnvironmentId } from '@/react/portainer/environments/types';
+import { EdgeGroupId, EdgeTypes } from '@/react/portainer/environments/types';
 
-export function useEnvironments(environmentsIds: Array<EnvironmentId>) {
+export function useEnvironments(edgeGroupIds: Array<EdgeGroupId>) {
   const environmentsQuery = useEnvironmentList(
-    { endpointIds: environmentsIds, types: EdgeTypes, pageLimit: 0 },
+    { edgeGroupIds, types: EdgeTypes, pageLimit: 0 },
     {
-      enabled: environmentsIds.length > 0,
+      enabled: edgeGroupIds.length > 0,
     }
   );
 
diff --git a/app/react/portainer/environments/update-schedules/queries/query-keys.ts b/app/react/portainer/environments/update-schedules/queries/query-keys.ts
index ebb0b5112..f6e51532e 100644
--- a/app/react/portainer/environments/update-schedules/queries/query-keys.ts
+++ b/app/react/portainer/environments/update-schedules/queries/query-keys.ts
@@ -1,4 +1,7 @@
-import { EnvironmentId } from '@/react/portainer/environments/types';
+import {
+  EdgeGroupId,
+  EnvironmentId,
+} from '@/react/portainer/environments/types';
 
 import { EdgeUpdateSchedule } from '../types';
 
@@ -11,5 +14,6 @@ export const queryKeys = {
     [...queryKeys.base(), 'active', { environmentIds }] as const,
   supportedAgentVersions: () =>
     [...queryKeys.base(), 'agent_versions'] as const,
-  previousVersions: () => [...queryKeys.base(), 'previous_versions'] as const,
+  previousVersions: (edgeGroupIds?: EdgeGroupId[]) =>
+    [...queryKeys.base(), 'previous_versions', { edgeGroupIds }] as const,
 };
diff --git a/app/react/portainer/environments/update-schedules/queries/usePreviousVersions.ts b/app/react/portainer/environments/update-schedules/queries/usePreviousVersions.ts
index be055ffdc..3f2905b2a 100644
--- a/app/react/portainer/environments/update-schedules/queries/usePreviousVersions.ts
+++ b/app/react/portainer/environments/update-schedules/queries/usePreviousVersions.ts
@@ -1,7 +1,10 @@
 import { useQuery } from '@tanstack/react-query';
 
 import axios, { parseAxiosError } from '@/portainer/services/axios';
-import { EnvironmentId } from '@/react/portainer/environments/types';
+import {
+  EdgeGroupId,
+  EnvironmentId,
+} from '@/react/portainer/environments/types';
 
 import { queryKeys } from './query-keys';
 import { buildUrl } from './urls';
@@ -12,22 +15,27 @@ interface Options<T> {
   enabled?: boolean;
 }
 
-export function usePreviousVersions<T = Record<EnvironmentId, string>>({
-  select,
-  onSuccess,
-  enabled,
-}: Options<T> = {}) {
-  return useQuery(queryKeys.previousVersions(), getPreviousVersions, {
-    select,
-    onSuccess,
-    enabled,
-  });
+export function usePreviousVersions<T = Record<EdgeGroupId, string>>(
+  edgeGroupIds: EdgeGroupId[],
+  { select, enabled }: Options<T> = {}
+) {
+  return useQuery(
+    queryKeys.previousVersions(edgeGroupIds),
+    () => getPreviousVersions(edgeGroupIds),
+    {
+      select,
+      enabled: enabled && edgeGroupIds.length > 0,
+    }
+  );
 }
 
-async function getPreviousVersions() {
+async function getPreviousVersions(edgeGroupIds: EdgeGroupId[]) {
   try {
-    const { data } = await axios.get<Record<EnvironmentId, string>>(
-      buildUrl(undefined, 'previous_versions')
+    const { data } = await axios.get<Record<EdgeGroupId, string>>(
+      buildUrl(undefined, 'previous_versions'),
+      {
+        params: { edgeGroupIds },
+      }
     );
     return data;
   } catch (err) {

From 4b218553c35aa52e94183f4df08b417da949656f Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Fri, 21 Mar 2025 09:19:25 +1300
Subject: [PATCH 056/212] fix(libstack): data loss for stack with relative path
 [FR-437] (#548)

---
 api/filesystem/copy.go                | 2 +-
 pkg/libstack/compose/composeplugin.go | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/filesystem/copy.go b/api/filesystem/copy.go
index abf4d33aa..bc0abb766 100644
--- a/api/filesystem/copy.go
+++ b/api/filesystem/copy.go
@@ -68,7 +68,7 @@ func copyFile(src, dst string) error {
 	defer from.Close()
 
 	// has to include 'execute' bit, otherwise fails. MkdirAll follows `mkdir -m` restrictions
-	if err := os.MkdirAll(filepath.Dir(dst), 0744); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dst), 0755); err != nil {
 		return err
 	}
 	to, err := os.Create(dst)
diff --git a/pkg/libstack/compose/composeplugin.go b/pkg/libstack/compose/composeplugin.go
index c83685351..8ebc12062 100644
--- a/pkg/libstack/compose/composeplugin.go
+++ b/pkg/libstack/compose/composeplugin.go
@@ -98,6 +98,11 @@ func withComposeService(
 			WorkingDir:  filepath.Dir(filePaths[0]),
 		}
 
+		if options.ProjectDir != "" {
+			// When relative paths are used in the compose file, the project directory is used as the base path
+			configDetails.WorkingDir = options.ProjectDir
+		}
+
 		for _, p := range filePaths {
 			configDetails.ConfigFiles = append(configDetails.ConfigFiles, types.ConfigFile{Filename: p})
 		}

From 1d8ea7b0eeb5de82a742c6c20aa2cbedc4be9f4b Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <anthony.lapenna@portainer.io>
Date: Fri, 21 Mar 2025 16:45:43 +1300
Subject: [PATCH 057/212] docs: review TeamUpdate API operation (#564)

---
 api/http/handler/teams/team_update.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/api/http/handler/teams/team_update.go b/api/http/handler/teams/team_update.go
index 3ad4a3151..5731f294c 100644
--- a/api/http/handler/teams/team_update.go
+++ b/api/http/handler/teams/team_update.go
@@ -30,7 +30,6 @@ func (payload *teamUpdatePayload) Validate(r *http.Request) error {
 // @param id path int true "Team identifier"
 // @param body body teamUpdatePayload true "Team details"
 // @success 200 {object} portainer.Team "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
 // @failure 404 "Team not found"

From 5d1cd670e93d7cf95bfbd097ee37d6778125427d Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <anthony.lapenna@portainer.io>
Date: Mon, 24 Mar 2025 09:55:33 +1300
Subject: [PATCH 058/212] docs: review TeamMembershipCreate API operation
 (#565)

---
 api/http/handler/teammemberships/teammembership_create.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/api/http/handler/teammemberships/teammembership_create.go b/api/http/handler/teammemberships/teammembership_create.go
index f94d58395..d9acb9b44 100644
--- a/api/http/handler/teammemberships/teammembership_create.go
+++ b/api/http/handler/teammemberships/teammembership_create.go
@@ -45,7 +45,6 @@ func (payload *teamMembershipCreatePayload) Validate(r *http.Request) error {
 // @produce json
 // @param body body teamMembershipCreatePayload true "Team membership details"
 // @success 200 {object} portainer.TeamMembership "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied to manage memberships"
 // @failure 409 "Team membership already registered"

From 34235199dd8950e68bf4739f30863363a799fb16 Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Tue, 25 Mar 2025 08:57:23 +1300
Subject: [PATCH 059/212] fix(libstack): correctly load COMPOSE_* env vars
 [BE-11474] (#536)

---
 go.mod                                        |   1 +
 go.sum                                        |   2 +
 pkg/libstack/compose/compose.go               |  14 +-
 pkg/libstack/compose/composeplugin.go         | 170 ++--
 pkg/libstack/compose/composeplugin_test.go    | 741 ++++++++++++++++++
 .../compose/composeplugin_windows_test.go     | 109 +++
 pkg/libstack/compose/status.go                |   2 +-
 7 files changed, 952 insertions(+), 87 deletions(-)
 create mode 100644 pkg/libstack/compose/composeplugin_windows_test.go

diff --git a/go.mod b/go.mod
index 2c93a403a..4a28e80a1 100644
--- a/go.mod
+++ b/go.mod
@@ -192,6 +192,7 @@ require (
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
diff --git a/go.sum b/go.sum
index 8aab3b540..8fbb68613 100644
--- a/go.sum
+++ b/go.sum
@@ -481,6 +481,8 @@ github.com/miekg/pkcs11 v1.1.1 h1:Ugu9pdy6vAYku5DEpVWVFPYnzV+bxB+iRdbuFSu7TvU=
 github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
+github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
+github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
diff --git a/pkg/libstack/compose/compose.go b/pkg/libstack/compose/compose.go
index 3cadae4ba..6e859a93f 100644
--- a/pkg/libstack/compose/compose.go
+++ b/pkg/libstack/compose/compose.go
@@ -1,8 +1,18 @@
 package compose
 
-type ComposeDeployer struct{}
+import (
+	"github.com/docker/cli/cli/command"
+	"github.com/docker/compose/v2/pkg/api"
+	"github.com/docker/compose/v2/pkg/compose"
+)
+
+type ComposeDeployer struct {
+	createComposeServiceFn func(command.Cli) api.Service
+}
 
 // NewComposeDeployer creates a new compose deployer
 func NewComposeDeployer() *ComposeDeployer {
-	return &ComposeDeployer{}
+	return &ComposeDeployer{
+		createComposeServiceFn: compose.NewComposeService,
+	}
 }
diff --git a/pkg/libstack/compose/composeplugin.go b/pkg/libstack/compose/composeplugin.go
index 8ebc12062..17126cc21 100644
--- a/pkg/libstack/compose/composeplugin.go
+++ b/pkg/libstack/compose/composeplugin.go
@@ -5,7 +5,6 @@ import (
 	"errors"
 	"fmt"
 	"maps"
-	"os"
 	"path/filepath"
 	"slices"
 	"strconv"
@@ -15,13 +14,14 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/pkg/libstack"
 
-	"github.com/compose-spec/compose-go/v2/dotenv"
-	"github.com/compose-spec/compose-go/v2/loader"
+	"github.com/compose-spec/compose-go/v2/cli"
 	"github.com/compose-spec/compose-go/v2/types"
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/flags"
+	cmdcompose "github.com/docker/compose/v2/cmd/compose"
 	"github.com/docker/compose/v2/pkg/api"
 	"github.com/docker/compose/v2/pkg/compose"
+	"github.com/docker/compose/v2/pkg/utils"
 	"github.com/docker/docker/registry"
 	"github.com/rs/zerolog/log"
 	"github.com/sirupsen/logrus"
@@ -75,66 +75,34 @@ func withCli(
 	return cliFn(ctx, cli)
 }
 
-func withComposeService(
+func (c *ComposeDeployer) withComposeService(
 	ctx context.Context,
 	filePaths []string,
 	options libstack.Options,
 	composeFn func(api.Service, *types.Project) error,
 ) error {
 	return withCli(ctx, options, func(ctx context.Context, cli *command.DockerCli) error {
-		composeService := compose.NewComposeService(cli)
+		composeService := c.createComposeServiceFn(cli)
 
 		if len(filePaths) == 0 {
 			return composeFn(composeService, nil)
 		}
 
-		env, err := parseEnvironment(options, filePaths)
+		project, err := createProject(ctx, filePaths, options)
 		if err != nil {
-			return err
+			return fmt.Errorf("failed to create compose project: %w", err)
 		}
 
-		configDetails := types.ConfigDetails{
-			Environment: env,
-			WorkingDir:  filepath.Dir(filePaths[0]),
-		}
-
-		if options.ProjectDir != "" {
-			// When relative paths are used in the compose file, the project directory is used as the base path
-			configDetails.WorkingDir = options.ProjectDir
-		}
-
-		for _, p := range filePaths {
-			configDetails.ConfigFiles = append(configDetails.ConfigFiles, types.ConfigFile{Filename: p})
-		}
-
-		project, err := loader.LoadWithContext(ctx, configDetails,
-			func(o *loader.Options) {
-				o.SkipResolveEnvironment = true
-				o.ResolvePaths = !slices.Contains(options.ConfigOptions, "--no-path-resolution")
-
-				if options.ProjectName != "" {
-					o.SetProjectName(options.ProjectName, true)
-				}
-			},
-		)
-		if err != nil {
-			return fmt.Errorf("failed to load the compose file: %w", err)
-		}
-
-		// Work around compose path handling
-		for i, service := range project.Services {
-			for j, envFile := range service.EnvFiles {
-				if !filepath.IsAbs(envFile.Path) {
-					project.Services[i].EnvFiles[j].Path = filepath.Join(configDetails.WorkingDir, envFile.Path)
-				}
+		parallel := 0
+		if v, ok := project.Environment[cmdcompose.ComposeParallelLimit]; ok {
+			i, err := strconv.Atoi(v)
+			if err != nil {
+				return fmt.Errorf("%s must be an integer (found: %q)", cmdcompose.ComposeParallelLimit, v)
 			}
+			parallel = i
 		}
-
-		// Set the services environment variables
-		if p, err := project.WithServicesEnvironmentResolved(true); err == nil {
-			project = p
-		} else {
-			return fmt.Errorf("failed to resolve services environment: %w", err)
+		if parallel > 0 {
+			composeService.MaxConcurrency(parallel)
 		}
 
 		return composeFn(composeService, project)
@@ -143,7 +111,7 @@ func withComposeService(
 
 // Deploy creates and starts containers
 func (c *ComposeDeployer) Deploy(ctx context.Context, filePaths []string, options libstack.DeployOptions) error {
-	return withComposeService(ctx, filePaths, options.Options, func(composeService api.Service, project *types.Project) error {
+	return c.withComposeService(ctx, filePaths, options.Options, func(composeService api.Service, project *types.Project) error {
 		addServiceLabels(project, false, options.EdgeStackID)
 
 		project = project.WithoutUnnecessaryResources()
@@ -154,6 +122,12 @@ func (c *ComposeDeployer) Deploy(ctx context.Context, filePaths []string, option
 		}
 
 		opts.Create.RemoveOrphans = options.RemoveOrphans
+		if removeOrphans, ok := project.Environment[cmdcompose.ComposeRemoveOrphans]; ok {
+			opts.Create.RemoveOrphans = utils.StringToBool(removeOrphans)
+		}
+		if ignoreOrphans, ok := project.Environment[cmdcompose.ComposeIgnoreOrphans]; ok {
+			opts.Create.IgnoreOrphans = utils.StringToBool(ignoreOrphans)
+		}
 
 		if options.AbortOnContainerExit {
 			opts.Start.OnExit = api.CascadeStop
@@ -175,7 +149,7 @@ func (c *ComposeDeployer) Deploy(ctx context.Context, filePaths []string, option
 
 // Run runs the given service just once, without considering dependencies
 func (c *ComposeDeployer) Run(ctx context.Context, filePaths []string, serviceName string, options libstack.RunOptions) error {
-	return withComposeService(ctx, filePaths, options.Options, func(composeService api.Service, project *types.Project) error {
+	return c.withComposeService(ctx, filePaths, options.Options, func(composeService api.Service, project *types.Project) error {
 		addServiceLabels(project, true, 0)
 
 		for name, service := range project.Services {
@@ -227,7 +201,7 @@ func (c *ComposeDeployer) Remove(ctx context.Context, projectName string, filePa
 
 // Pull pulls images
 func (c *ComposeDeployer) Pull(ctx context.Context, filePaths []string, options libstack.Options) error {
-	if err := withComposeService(ctx, filePaths, options, func(composeService api.Service, project *types.Project) error {
+	if err := c.withComposeService(ctx, filePaths, options, func(composeService api.Service, project *types.Project) error {
 		return composeService.Pull(ctx, project, api.PullOptions{})
 	}); err != nil {
 		return fmt.Errorf("compose pull operation failed: %w", err)
@@ -240,7 +214,7 @@ func (c *ComposeDeployer) Pull(ctx context.Context, filePaths []string, options
 
 // Validate validates stack file
 func (c *ComposeDeployer) Validate(ctx context.Context, filePaths []string, options libstack.Options) error {
-	return withComposeService(ctx, filePaths, options, func(composeService api.Service, project *types.Project) error {
+	return c.withComposeService(ctx, filePaths, options, func(composeService api.Service, project *types.Project) error {
 		return nil
 	})
 }
@@ -249,7 +223,7 @@ func (c *ComposeDeployer) Validate(ctx context.Context, filePaths []string, opti
 func (c *ComposeDeployer) Config(ctx context.Context, filePaths []string, options libstack.Options) ([]byte, error) {
 	var payload []byte
 
-	if err := withComposeService(ctx, filePaths, options, func(composeService api.Service, project *types.Project) error {
+	if err := c.withComposeService(ctx, filePaths, options, func(composeService api.Service, project *types.Project) error {
 		var err error
 		payload, err = project.MarshalYAML()
 		if err != nil {
@@ -267,7 +241,7 @@ func (c *ComposeDeployer) Config(ctx context.Context, filePaths []string, option
 func (c *ComposeDeployer) GetExistingEdgeStacks(ctx context.Context) ([]libstack.EdgeStack, error) {
 	m := make(map[int]libstack.EdgeStack)
 
-	if err := withComposeService(ctx, nil, libstack.Options{}, func(composeService api.Service, project *types.Project) error {
+	if err := c.withComposeService(ctx, nil, libstack.Options{}, func(composeService api.Service, project *types.Project) error {
 		stacks, err := composeService.List(ctx, api.ListOptions{
 			All: true,
 		})
@@ -332,43 +306,71 @@ func addServiceLabels(project *types.Project, oneOff bool, edgeStackID portainer
 	}
 }
 
-func parseEnvironment(options libstack.Options, filePaths []string) (map[string]string, error) {
-	env := make(map[string]string)
-
-	for _, envLine := range options.Env {
-		e, err := dotenv.UnmarshalWithLookup(envLine, nil)
-		if err != nil {
-			return nil, fmt.Errorf("unable to parse environment variables: %w", err)
-		}
-
-		maps.Copy(env, e)
+func createProject(ctx context.Context, configFilepaths []string, options libstack.Options) (*types.Project, error) {
+	var workingDir string
+	if len(configFilepaths) > 0 {
+		workingDir = filepath.Dir(configFilepaths[0])
 	}
 
-	if options.EnvFilePath == "" {
-		if len(filePaths) == 0 {
-			return env, nil
-		}
-
-		defaultDotEnv := filepath.Join(filepath.Dir(filePaths[0]), ".env")
-		s, err := os.Stat(defaultDotEnv)
-		if os.IsNotExist(err) {
-			return env, nil
-		}
-		if err != nil {
-			return env, err
-		}
-		if s.IsDir() {
-			return env, nil
-		}
-		options.EnvFilePath = defaultDotEnv
+	if options.WorkingDir != "" {
+		workingDir = options.WorkingDir
 	}
 
-	e, err := dotenv.GetEnvFromFile(make(map[string]string), []string{options.EnvFilePath})
+	if options.ProjectDir != "" {
+		// When relative paths are used in the compose file, the project directory is used as the base path
+		workingDir = options.ProjectDir
+	}
+
+	var envFiles []string
+	if options.EnvFilePath != "" {
+		envFiles = append(envFiles, options.EnvFilePath)
+	}
+
+	projectOptions, err := cli.NewProjectOptions(configFilepaths,
+		cli.WithWorkingDirectory(workingDir),
+		cli.WithName(options.ProjectName),
+		cli.WithoutEnvironmentResolution,
+		cli.WithResolvedPaths(!slices.Contains(options.ConfigOptions, "--no-path-resolution")),
+		cli.WithEnv(options.Env),
+		cli.WithEnvFiles(envFiles...),
+		func(o *cli.ProjectOptions) error {
+			if len(o.EnvFiles) > 0 {
+				return nil
+			}
+
+			if fs, ok := o.Environment[cmdcompose.ComposeEnvFiles]; ok {
+				o.EnvFiles = strings.Split(fs, ",")
+			}
+			return nil
+		},
+		cli.WithDotEnv,
+		cli.WithDefaultProfiles(),
+		cli.WithConfigFileEnv,
+	)
 	if err != nil {
-		return nil, fmt.Errorf("unable to get the environment from the env file: %w", err)
+		return nil, fmt.Errorf("failed to load the compose file options : %w", err)
 	}
 
-	maps.Copy(env, e)
+	project, err := projectOptions.LoadProject(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load the compose file : %w", err)
+	}
 
-	return env, nil
+	// Work around compose path handling
+	for i, service := range project.Services {
+		for j, envFile := range service.EnvFiles {
+			if !filepath.IsAbs(envFile.Path) {
+				project.Services[i].EnvFiles[j].Path = filepath.Join(workingDir, envFile.Path)
+			}
+		}
+	}
+
+	// Set the services environment variables
+	if p, err := project.WithServicesEnvironmentResolved(true); err == nil {
+		project = p
+	} else {
+		return nil, fmt.Errorf("failed to resolve services environment: %w", err)
+	}
+
+	return project, nil
 }
diff --git a/pkg/libstack/compose/composeplugin_test.go b/pkg/libstack/compose/composeplugin_test.go
index dd423b700..df71c5d36 100644
--- a/pkg/libstack/compose/composeplugin_test.go
+++ b/pkg/libstack/compose/composeplugin_test.go
@@ -2,14 +2,23 @@ package compose
 
 import (
 	"context"
+	"errors"
 	"log"
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"testing"
 
+	"github.com/compose-spec/compose-go/v2/consts"
+	"github.com/compose-spec/compose-go/v2/types"
+	"github.com/docker/cli/cli/command"
+	cmdcompose "github.com/docker/compose/v2/cmd/compose"
+	"github.com/docker/compose/v2/pkg/api"
+	"github.com/google/go-cmp/cmp"
 	"github.com/portainer/portainer/pkg/libstack"
+	zerolog "github.com/rs/zerolog/log"
 
 	"github.com/stretchr/testify/require"
 )
@@ -349,3 +358,735 @@ networks:
 		})
 	}
 }
+
+func Test_DeployWithRemoveOrphans(t *testing.T) {
+	const projectName = "compose_remove_orphans_test"
+
+	const composeFileContent = `services:
+  service-1:
+    image: alpine:latest
+  service-2:
+    image: alpine:latest`
+
+	const modifiedFileContent = `services:
+  service-2:
+    image: alpine:latest`
+
+	service1ContainerName := projectName + "-service-1"
+	service2ContainerName := projectName + "-service-2"
+
+	w := NewComposeDeployer()
+
+	dir := t.TempDir()
+
+	composeFilepath := createFile(t, dir, "docker-compose.yml", composeFileContent)
+	modifiedComposeFilepath := createFile(t, dir, "docker-compose-modified.yml", modifiedFileContent)
+
+	filepaths := []string{composeFilepath}
+	modifiedFilepaths := []string{modifiedComposeFilepath}
+
+	ctx := context.Background()
+
+	testCases := []struct {
+		name    string
+		options libstack.DeployOptions
+	}{
+		{
+			name: "Remove Orphans in env",
+			options: libstack.DeployOptions{
+				Options: libstack.Options{
+					ProjectName: projectName,
+					Env:         []string{cmdcompose.ComposeRemoveOrphans + "=true"},
+				},
+			},
+		},
+		{
+			name: "Remove Orphans in options",
+			options: libstack.DeployOptions{
+				Options: libstack.Options{
+					ProjectName: projectName,
+				},
+				RemoveOrphans: true,
+			},
+		},
+		{
+			name: "Remove Orphans in options and env",
+			options: libstack.DeployOptions{
+				Options: libstack.Options{
+					ProjectName: projectName,
+					Env:         []string{cmdcompose.ComposeRemoveOrphans + "=true"},
+				},
+				RemoveOrphans: false,
+			},
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			options := tc.options.Options
+
+			err := w.Validate(ctx, filepaths, options)
+			require.NoError(t, err)
+
+			err = w.Pull(ctx, filepaths, options)
+			require.NoError(t, err)
+
+			require.False(t, containerExists(service1ContainerName))
+			require.False(t, containerExists(service2ContainerName))
+
+			err = w.Deploy(ctx, filepaths, tc.options)
+			require.NoError(t, err)
+
+			defer func() {
+				err = w.Remove(ctx, projectName, filepaths, libstack.RemoveOptions{})
+				require.NoError(t, err)
+
+				require.False(t, containerExists(service1ContainerName))
+				require.False(t, containerExists(service2ContainerName))
+			}()
+
+			require.True(t, containerExists(service1ContainerName))
+			require.True(t, containerExists(service2ContainerName))
+
+			waitResult := w.WaitForStatus(ctx, projectName, libstack.StatusCompleted)
+
+			require.Empty(t, waitResult.ErrorMsg)
+			require.Equal(t, libstack.StatusCompleted, waitResult.Status)
+
+			err = w.Validate(ctx, modifiedFilepaths, options)
+			require.NoError(t, err)
+
+			err = w.Pull(ctx, modifiedFilepaths, options)
+			require.NoError(t, err)
+
+			require.True(t, containerExists(service1ContainerName))
+			require.True(t, containerExists(service2ContainerName))
+
+			err = w.Deploy(ctx, modifiedFilepaths, tc.options)
+			require.NoError(t, err)
+
+			require.False(t, containerExists(service1ContainerName))
+			require.True(t, containerExists(service2ContainerName))
+
+			waitResult = w.WaitForStatus(ctx, projectName, libstack.StatusCompleted)
+
+			require.Empty(t, waitResult.ErrorMsg)
+			require.Equal(t, libstack.StatusCompleted, waitResult.Status)
+		})
+	}
+}
+
+func Test_DeployWithIgnoreOrphans(t *testing.T) {
+	var logOutput strings.Builder
+	oldLogger := zerolog.Logger
+	zerolog.Logger = zerolog.Output(&logOutput)
+	defer func() {
+		zerolog.Logger = oldLogger
+	}()
+
+	const projectName = "compose_ignore_orphans_test"
+
+	const composeFileContent = `services:
+  service-1:
+    image: alpine:latest
+  service-2:
+    image: alpine:latest`
+
+	const modifiedFileContent = `services:
+  service-2:
+    image: alpine:latest`
+
+	service1ContainerName := projectName + "-service-1"
+	service2ContainerName := projectName + "-service-2"
+
+	w := NewComposeDeployer()
+
+	dir := t.TempDir()
+
+	composeFilepath := createFile(t, dir, "docker-compose.yml", composeFileContent)
+	modifiedComposeFilepath := createFile(t, dir, "docker-compose-modified.yml", modifiedFileContent)
+
+	filepaths := []string{composeFilepath}
+	modifiedFilepaths := []string{modifiedComposeFilepath}
+	options := libstack.Options{
+		ProjectName: projectName,
+		Env:         []string{cmdcompose.ComposeIgnoreOrphans + "=true"},
+	}
+
+	ctx := context.Background()
+
+	err := w.Validate(ctx, filepaths, options)
+	require.NoError(t, err)
+
+	err = w.Pull(ctx, filepaths, options)
+	require.NoError(t, err)
+
+	require.False(t, containerExists(service1ContainerName))
+	require.False(t, containerExists(service2ContainerName))
+
+	err = w.Deploy(ctx, filepaths, libstack.DeployOptions{Options: options})
+	require.NoError(t, err)
+
+	defer func() {
+		err = w.Remove(ctx, projectName, filepaths, libstack.RemoveOptions{})
+		require.NoError(t, err)
+
+		require.False(t, containerExists(service1ContainerName))
+		require.False(t, containerExists(service2ContainerName))
+	}()
+
+	require.True(t, containerExists(service1ContainerName))
+	require.True(t, containerExists(service2ContainerName))
+
+	waitResult := w.WaitForStatus(ctx, projectName, libstack.StatusCompleted)
+
+	require.Empty(t, waitResult.ErrorMsg)
+	require.Equal(t, libstack.StatusCompleted, waitResult.Status)
+
+	err = w.Validate(ctx, modifiedFilepaths, options)
+	require.NoError(t, err)
+
+	err = w.Pull(ctx, modifiedFilepaths, options)
+	require.NoError(t, err)
+
+	require.True(t, containerExists(service1ContainerName))
+	require.True(t, containerExists(service2ContainerName))
+
+	err = w.Deploy(ctx, modifiedFilepaths, libstack.DeployOptions{Options: options})
+	require.NoError(t, err)
+
+	require.True(t, containerExists(service1ContainerName))
+	require.True(t, containerExists(service2ContainerName))
+
+	waitResult = w.WaitForStatus(ctx, projectName, libstack.StatusCompleted)
+
+	require.Empty(t, waitResult.ErrorMsg)
+	require.Equal(t, libstack.StatusCompleted, waitResult.Status)
+
+	logString := logOutput.String()
+	require.False(t, strings.Contains(logString, "Found orphan containers ([compose_ignore_orphans_test-service-1-1])"))
+}
+
+func Test_MaxConcurrency(t *testing.T) {
+	const projectName = "compose_max_concurrency_test"
+
+	const composeFileContent = `services:
+  service-1:
+    image: alpine:latest`
+
+	w := ComposeDeployer{
+		createComposeServiceFn: createMockComposeService,
+	}
+
+	dir := t.TempDir()
+
+	composeFilepath := createFile(t, dir, "docker-compose.yml", composeFileContent)
+
+	expectedMaxConcurrency := 4
+
+	filepaths := []string{composeFilepath}
+	options := libstack.Options{
+		ProjectName: projectName,
+		Env:         []string{cmdcompose.ComposeParallelLimit + "=" + strconv.Itoa(expectedMaxConcurrency)},
+	}
+
+	ctx := context.Background()
+
+	err := w.Validate(ctx, filepaths, options)
+	require.NoError(t, err)
+
+	w.withComposeService(ctx, filepaths, options, func(service api.Service, _ *types.Project) error {
+		if mockS, ok := service.(*mockComposeService); ok {
+			require.Equal(t, mockS.maxConcurrency, expectedMaxConcurrency)
+		} else {
+			t.Fatalf("Expected mockComposeService but got %T", service)
+		}
+		return nil
+	})
+}
+
+func Test_createProject(t *testing.T) {
+	ctx := context.Background()
+	dir := t.TempDir()
+	projectName := "create-project-test"
+
+	defer func() {
+		err := os.RemoveAll(dir)
+		if err != nil {
+			t.Fatalf("Failed to remove temp dir: %v", err)
+		}
+	}()
+
+	createTestLibstackOptions := func(workingDir, projectName string, env []string, envFilepath string) libstack.Options {
+		return libstack.Options{
+			WorkingDir:  workingDir,
+			ProjectName: projectName,
+			Env:         env,
+			EnvFilePath: envFilepath,
+		}
+	}
+	testSimpleComposeConfig := `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest`
+
+	expectedSimpleComposeProject := func(workingDirectory string, envOverrides map[string]string) *types.Project {
+		env := types.Mapping{consts.ComposeProjectName: "create-project-test"}
+		env = env.Merge(envOverrides)
+
+		if workingDirectory == "" {
+			workingDirectory = dir
+		}
+
+		if !filepath.IsAbs(workingDirectory) {
+			absWorkingDir, err := filepath.Abs(workingDirectory)
+			if err != nil {
+				t.Fatalf("Failed to get absolute path of working directory (%s): %v", workingDirectory, err)
+			}
+			workingDirectory = absWorkingDir
+		}
+
+		return &types.Project{
+			Name:       projectName,
+			WorkingDir: workingDirectory,
+			Services: types.Services{
+				"nginx": {
+					Name:          "nginx",
+					ContainerName: "nginx",
+					Environment:   types.MappingWithEquals{},
+					Image:         "nginx:latest",
+					Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+				},
+			},
+			Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+			ComposeFiles: []string{
+				dir + "/docker-compose.yml",
+			},
+			Environment:      env,
+			DisabledServices: types.Services{},
+			Profiles:         []string{""},
+		}
+	}
+
+	testComposeProfilesConfig := `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest
+    profiles: ['web1']
+  apache:
+    container_name: apache
+    image: httpd:latest
+    profiles: ['web2']`
+
+	expectedComposeProfilesProject := func(envOverrides map[string]string) *types.Project {
+		env := types.Mapping{consts.ComposeProfiles: "web1", consts.ComposeProjectName: "create-project-test"}
+		env = env.Merge(envOverrides)
+
+		return &types.Project{
+			Name:       projectName,
+			WorkingDir: dir,
+			Services: types.Services{
+				"nginx": {
+					Name:          "nginx",
+					Profiles:      []string{"web1"},
+					ContainerName: "nginx",
+					Environment:   types.MappingWithEquals{},
+					Image:         "nginx:latest",
+					Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+				},
+			},
+			Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+			ComposeFiles: []string{
+				dir + "/docker-compose.yml",
+			},
+			Environment: env,
+			DisabledServices: types.Services{
+				"apache": {
+					Name:          "apache",
+					Profiles:      []string{"web2"},
+					ContainerName: "apache",
+					Environment:   nil,
+					Image:         "httpd:latest",
+					Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+				},
+			},
+			Profiles: []string{"web1"},
+		}
+	}
+
+	testcases := []struct {
+		name            string
+		filesToCreate   map[string]string
+		configFilepaths []string
+		options         libstack.Options
+		expectedProject *types.Project
+	}{
+		{
+			name: "Compose profiles in env",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testComposeProfilesConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{consts.ComposeProfiles + "=web1"}, ""),
+			expectedProject: expectedComposeProfilesProject(nil),
+		},
+		{
+			name: "Compose profiles in env file",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testComposeProfilesConfig,
+				"stack.env":          consts.ComposeProfiles + "=web1",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, nil, dir+"/stack.env"),
+			expectedProject: expectedComposeProfilesProject(nil),
+		},
+		{
+			name: "Compose profiles in env file in COMPOSE_ENV_FILES",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testComposeProfilesConfig,
+				"stack.env":          consts.ComposeProfiles + "=web1",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{cmdcompose.ComposeEnvFiles + "=" + dir + "/stack.env"}, ""),
+			expectedProject: expectedComposeProfilesProject(map[string]string{
+				cmdcompose.ComposeEnvFiles: dir + "/stack.env",
+			}),
+		},
+		{
+			name: "Compose profiles in both env and env file",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testComposeProfilesConfig,
+				"stack.env":          consts.ComposeProfiles + "=web2",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{consts.ComposeProfiles + "=web1"}, dir+"/stack.env"),
+			expectedProject: expectedComposeProfilesProject(nil),
+		},
+		{
+			name: "Compose project name in both options and env",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{consts.ComposeProjectName + "=totally_different_name"}, ""),
+			expectedProject: expectedSimpleComposeProject("", nil),
+		},
+		{
+			name: "Compose project name in only env",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, "", []string{consts.ComposeProjectName + "=totally_different_name"}, ""),
+			expectedProject: &types.Project{
+				Name:       "totally_different_name",
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "totally_different_name_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose.yml",
+				},
+				Environment:      types.Mapping{consts.ComposeProjectName: "totally_different_name"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "Compose files in env",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: nil,
+			options:         createTestLibstackOptions(dir, projectName, []string{consts.ComposeFilePath + "=" + dir + "/docker-compose.yml"}, ""),
+			expectedProject: expectedSimpleComposeProject("", map[string]string{
+				consts.ComposeFilePath: dir + "/docker-compose.yml",
+			}),
+		},
+		{
+			name: "Compose files in both options and env",
+			filesToCreate: map[string]string{
+				"docker-compose.yml":          testSimpleComposeConfig,
+				"profiles-docker-compose.yml": testComposeProfilesConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{consts.ComposeFilePath + "=" + dir + "/profiles-docker-compose.yml"}, ""),
+			expectedProject: expectedSimpleComposeProject("", map[string]string{
+				consts.ComposeFilePath: dir + "/profiles-docker-compose.yml",
+			}),
+		},
+		{
+			name: "Multiple Compose files in options",
+			filesToCreate: map[string]string{
+				"docker-compose-0.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest`,
+				"docker-compose-1.yml": `services:
+  apache:
+    container_name: apache
+    image: httpd:latest`,
+			},
+			configFilepaths: []string{dir + "/docker-compose-0.yml", dir + "/docker-compose-1.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{}, ""),
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+					"apache": {
+						Name:          "apache",
+						ContainerName: "apache",
+						Environment:   types.MappingWithEquals{},
+						Image:         "httpd:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose-0.yml",
+					dir + "/docker-compose-1.yml",
+				},
+				Environment:      types.Mapping{consts.ComposeProjectName: "create-project-test"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "Multiple Compose files in env",
+			filesToCreate: map[string]string{
+				"docker-compose-0.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest`,
+				"docker-compose-1.yml": `services:
+  apache:
+    container_name: apache
+    image: httpd:latest`,
+			},
+			configFilepaths: nil,
+			options:         createTestLibstackOptions(dir, projectName, []string{consts.ComposeFilePath + "=" + dir + "/docker-compose-0.yml:" + dir + "/docker-compose-1.yml"}, ""),
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+					"apache": {
+						Name:          "apache",
+						ContainerName: "apache",
+						Environment:   types.MappingWithEquals{},
+						Image:         "httpd:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose-0.yml",
+					dir + "/docker-compose-1.yml",
+				},
+				Environment:      types.Mapping{consts.ComposeProjectName: "create-project-test", consts.ComposeFilePath: dir + "/docker-compose-0.yml:" + dir + "/docker-compose-1.yml"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "Multiple Compose files in env with COMPOSE_PATH_SEPARATOR",
+			filesToCreate: map[string]string{
+				"docker-compose-0.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest`,
+				"docker-compose-1.yml": `services:
+  apache:
+    container_name: apache
+    image: httpd:latest`,
+			},
+			configFilepaths: nil,
+			options:         createTestLibstackOptions(dir, projectName, []string{consts.ComposePathSeparator + "=|", consts.ComposeFilePath + "=" + dir + "/docker-compose-0.yml|" + dir + "/docker-compose-1.yml"}, ""),
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+					"apache": {
+						Name:          "apache",
+						ContainerName: "apache",
+						Environment:   types.MappingWithEquals{},
+						Image:         "httpd:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose-0.yml",
+					dir + "/docker-compose-1.yml",
+				},
+				Environment:      types.Mapping{consts.ComposeProjectName: "create-project-test", consts.ComposePathSeparator: "|", consts.ComposeFilePath: dir + "/docker-compose-0.yml|" + dir + "/docker-compose-1.yml"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "compose ignore orphans",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{cmdcompose.ComposeIgnoreOrphans + "=true"}, ""),
+			expectedProject: expectedSimpleComposeProject("", map[string]string{
+				cmdcompose.ComposeIgnoreOrphans: "true",
+			}),
+		},
+		{
+			name: "compose remove orphans",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{cmdcompose.ComposeRemoveOrphans + "=true"}, ""),
+			expectedProject: expectedSimpleComposeProject("", map[string]string{
+				cmdcompose.ComposeRemoveOrphans: "true",
+			}),
+		},
+		{
+			name: "compose parallel limit",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options:         createTestLibstackOptions(dir, projectName, []string{cmdcompose.ComposeParallelLimit + "=true"}, ""),
+			expectedProject: expectedSimpleComposeProject("", map[string]string{
+				cmdcompose.ComposeParallelLimit: "true",
+			}),
+		},
+		{
+			name: "Absolute Working Directory",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				WorkingDir:  "/something-totally-different",
+				ProjectName: projectName,
+			},
+			expectedProject: expectedSimpleComposeProject("/something-totally-different", nil),
+		},
+		{
+			name: "Relative Working Directory",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				WorkingDir:  "something-totally-different",
+				ProjectName: projectName,
+			},
+			expectedProject: expectedSimpleComposeProject("something-totally-different", nil),
+		},
+		{
+			name: "Absolute Project Directory",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectDir:  "/something-totally-different",
+				ProjectName: projectName,
+			},
+			expectedProject: expectedSimpleComposeProject("/something-totally-different", nil),
+		},
+		{
+			name: "Relative Project Directory",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectDir:  "something-totally-different",
+				ProjectName: projectName,
+			},
+			expectedProject: expectedSimpleComposeProject("something-totally-different", nil),
+		},
+		{
+			name: "Absolute Project and Working Directory set",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				WorkingDir:  "/working-dir",
+				ProjectDir:  "/project-dir",
+				ProjectName: projectName,
+			},
+			expectedProject: expectedSimpleComposeProject("/project-dir", nil),
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			createdFiles := make([]string, 0, len(tc.filesToCreate))
+			for f, fc := range tc.filesToCreate {
+				createdFiles = append(createdFiles, createFile(t, dir, f, fc))
+			}
+
+			defer func() {
+				var errs []error
+				for _, f := range createdFiles {
+					errs = append(errs, os.Remove(f))
+				}
+
+				err := errors.Join(errs...)
+				if err != nil {
+					t.Fatalf("Failed to remove config files: %v", err)
+				}
+			}()
+
+			gotProject, err := createProject(ctx, tc.configFilepaths, tc.options)
+			if err != nil {
+				t.Fatalf("Failed to create new project: %v", err)
+			}
+
+			if diff := cmp.Diff(gotProject, tc.expectedProject); diff != "" {
+				t.Fatalf("Projects are different:\n%s", diff)
+			}
+		})
+	}
+}
+
+func createMockComposeService(dockerCli command.Cli) api.Service {
+	return &mockComposeService{}
+}
+
+type mockComposeService struct {
+	api.Service
+	maxConcurrency int
+}
+
+func (s *mockComposeService) MaxConcurrency(parallel int) {
+	s.maxConcurrency = parallel
+}
diff --git a/pkg/libstack/compose/composeplugin_windows_test.go b/pkg/libstack/compose/composeplugin_windows_test.go
new file mode 100644
index 000000000..c6f3f196a
--- /dev/null
+++ b/pkg/libstack/compose/composeplugin_windows_test.go
@@ -0,0 +1,109 @@
+package compose
+
+import (
+	"context"
+	"errors"
+	"os"
+	"testing"
+
+	"github.com/compose-spec/compose-go/v2/types"
+	"github.com/google/go-cmp/cmp"
+	"github.com/portainer/portainer/pkg/libstack"
+)
+
+func Test_createProject_win(t *testing.T) {
+	ctx := context.Background()
+	dir := t.TempDir()
+	projectName := "create-project-test"
+
+	defer func() {
+		err := os.RemoveAll(dir)
+		if err != nil {
+			t.Fatalf("Failed to remove temp dir: %v", err)
+		}
+	}()
+
+	testcases := []struct {
+		name            string
+		createFilesFn   func() []string
+		configFilepaths []string
+		options         libstack.Options
+		expectedProject *types.Project
+	}{
+		{
+			name: "Convert windows paths",
+			createFilesFn: func() []string {
+				var filepaths []string
+				filepaths = append(filepaths, createFile(t, dir, "docker-compose.yml", `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest
+    volumes:
+      - "C:\\Users\\Joey\\Desktop\\backend:/var/www/html"`))
+				return filepaths
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				WorkingDir:  dir,
+				ProjectName: projectName,
+				Env:         []string{"COMPOSE_CONVERT_WINDOWS_PATHS=true"},
+			},
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+						Volumes: []types.ServiceVolumeConfig{
+							{
+								Type:     "bind",
+								Source:   "/c/Users/Joey/Desktop/backend",
+								Target:   "/var/www/html",
+								ReadOnly: false,
+								Bind:     &types.ServiceVolumeBind{CreateHostPath: true},
+							},
+						},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose.yml",
+				},
+				Environment:      types.Mapping{"COMPOSE_PROJECT_NAME": "create-project-test", "COMPOSE_CONVERT_WINDOWS_PATHS": "true"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+	}
+
+	for _, tc := range testcases {
+		t.Run(tc.name, func(t *testing.T) {
+			createdFiles := tc.createFilesFn()
+
+			defer func() {
+				var errs []error
+				for _, f := range createdFiles {
+					errs = append(errs, os.Remove(f))
+				}
+
+				err := errors.Join(errs...)
+				if err != nil {
+					t.Fatalf("Failed to remove config files: %v", err)
+				}
+			}()
+
+			gotProject, err := createProject(ctx, tc.configFilepaths, tc.options)
+			if err != nil {
+				t.Fatalf("Failed to create new project: %v", err)
+			}
+
+			if diff := cmp.Diff(gotProject, tc.expectedProject); diff != "" {
+				t.Fatalf("Projects are different:\n%s", diff)
+			}
+		})
+	}
+}
diff --git a/pkg/libstack/compose/status.go b/pkg/libstack/compose/status.go
index bbbe2264b..b6ad44ebf 100644
--- a/pkg/libstack/compose/status.go
+++ b/pkg/libstack/compose/status.go
@@ -125,7 +125,7 @@ func (c *ComposeDeployer) WaitForStatus(ctx context.Context, name string, status
 
 		var containerSummaries []api.ContainerSummary
 
-		if err := withComposeService(ctx, nil, libstack.Options{ProjectName: name}, func(composeService api.Service, project *types.Project) error {
+		if err := c.withComposeService(ctx, nil, libstack.Options{ProjectName: name}, func(composeService api.Service, project *types.Project) error {
 			var err error
 
 			psCtx, cancelFunc := context.WithTimeout(context.Background(), time.Minute)

From 0dfde1374d321d1eeb37e0da3ba8bd4d83e2c541 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Tue, 25 Mar 2025 10:59:28 +1300
Subject: [PATCH 060/212] fix(kubernetes): Cluster reservation CPU not showing
 R8S-268 (#569)

---
 .../cluster/ClusterView/ClusterResourceReservation.test.tsx     | 2 +-
 .../ClusterView/queries/useClusterResourceReservationQuery.ts   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx b/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx
index ebeecc6c4..b243ab1d4 100644
--- a/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx
+++ b/app/react/kubernetes/cluster/ClusterView/ClusterResourceReservation.test.tsx
@@ -78,7 +78,7 @@ describe('ClusterResourceReservation', () => {
       ),
       http.get('/api/kubernetes/3/metrics/applications_resources', () =>
         HttpResponse.json({
-          CpuRequest: 1000,
+          CpuRequest: 1,
           MemoryRequest: '2Gi',
         })
       )
diff --git a/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts
index 50c68fd7d..8479212e1 100644
--- a/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts
+++ b/app/react/kubernetes/cluster/ClusterView/queries/useClusterResourceReservationQuery.ts
@@ -15,7 +15,7 @@ export function useClusterResourceReservationQuery(
     {
       enabled: !!environmentId && nodes.length > 0,
       select: (data) => ({
-        cpu: data.CpuRequest / 1000,
+        cpu: data.CpuRequest,
         memory: KubernetesResourceReservationHelper.megaBytesValue(
           data.MemoryRequest
         ),

From 995c3ef81bfe8bd1a86d129f11e48fde2acb084e Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 24 Mar 2025 19:33:05 -0300
Subject: [PATCH 061/212] feat(snapshots): avoid parsing raw snapshots when
 possible BE-11724 (#560)

---
 api/dataservices/interface.go                 |  1 +
 api/dataservices/snapshot/snapshot.go         | 13 +++++++++++
 api/dataservices/snapshot/tx.go               | 23 +++++++++++++++++++
 .../handler/endpoints/endpoint_inspect.go     | 19 +++++++--------
 api/http/handler/endpoints/endpoint_list.go   |  4 +++-
 api/http/handler/endpoints/endpoint_update.go |  2 +-
 api/http/handler/system/nodes_count.go        |  2 +-
 api/http/proxy/factory/docker/volumes.go      |  2 +-
 api/internal/snapshot/snapshot.go             | 16 +++++++++----
 api/portainer.go                              |  2 +-
 app/react/hooks/useCurrentEnvironment.ts      |  2 +-
 .../EnvironmentItem/EngineVersion.tsx         |  4 ++--
 .../EnvironmentList/EnvironmentList.tsx       |  1 +
 .../environments/environment.service/index.ts | 11 +++++++--
 .../environments/queries/useEnvironment.ts    | 13 +++++++++--
 .../common/useEnvironments.ts                 |  2 +-
 16 files changed, 89 insertions(+), 28 deletions(-)

diff --git a/api/dataservices/interface.go b/api/dataservices/interface.go
index 2bc2df7f3..8ba55531c 100644
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -159,6 +159,7 @@ type (
 
 	SnapshotService interface {
 		BaseCRUD[portainer.Snapshot, portainer.EndpointID]
+		ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error)
 	}
 
 	// SSLSettingsService represents a service for managing application settings
diff --git a/api/dataservices/snapshot/snapshot.go b/api/dataservices/snapshot/snapshot.go
index 1f9cd5f9f..155077677 100644
--- a/api/dataservices/snapshot/snapshot.go
+++ b/api/dataservices/snapshot/snapshot.go
@@ -38,3 +38,16 @@ func (service *Service) Tx(tx portainer.Transaction) ServiceTx {
 func (service *Service) Create(snapshot *portainer.Snapshot) error {
 	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service *Service) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot *portainer.Snapshot
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadWithoutSnapshotRaw(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}
diff --git a/api/dataservices/snapshot/tx.go b/api/dataservices/snapshot/tx.go
index c93a747d3..8a8dcc1c2 100644
--- a/api/dataservices/snapshot/tx.go
+++ b/api/dataservices/snapshot/tx.go
@@ -12,3 +12,26 @@ type ServiceTx struct {
 func (service ServiceTx) Create(snapshot *portainer.Snapshot) error {
 	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
 }
+
+func (service ServiceTx) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portainer.Snapshot, error) {
+	var snapshot struct {
+		Docker *struct {
+			X struct{} `json:"DockerSnapshotRaw"`
+			*portainer.DockerSnapshot
+		} `json:"Docker"`
+
+		portainer.Snapshot
+	}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	if snapshot.Docker != nil {
+		snapshot.Snapshot.Docker = snapshot.Docker.DockerSnapshot
+	}
+
+	return &snapshot.Snapshot, nil
+}
diff --git a/api/http/handler/endpoints/endpoint_inspect.go b/api/http/handler/endpoints/endpoint_inspect.go
index e25e79720..132ab6350 100644
--- a/api/http/handler/endpoints/endpoint_inspect.go
+++ b/api/http/handler/endpoints/endpoint_inspect.go
@@ -19,6 +19,8 @@ import (
 // @security jwt
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"
+// @param excludeSnapshot query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @success 200 {object} portainer.Endpoint "Success"
 // @failure 400 "Invalid request"
 // @failure 404 "Environment(Endpoint) not found"
@@ -37,8 +39,7 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to find an environment with the specified identifier inside the database", err)
 	}
 
-	err = handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
-	if err != nil {
+	if err := handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint); err != nil {
 		return httperror.Forbidden("Permission denied to access environment", err)
 	}
 
@@ -51,9 +52,11 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 	endpointutils.UpdateEdgeEndpointHeartbeat(endpoint, settings)
 	endpoint.ComposeSyntaxMaxVersion = handler.ComposeStackManager.ComposeSyntaxMaxVersion()
 
-	if !excludeSnapshot(r) {
-		err = handler.SnapshotService.FillSnapshotData(endpoint)
-		if err != nil {
+	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)
+
+	if !excludeSnapshot {
+		if err := handler.SnapshotService.FillSnapshotData(endpoint, !excludeRaw); err != nil {
 			return httperror.InternalServerError("Unable to add snapshot data", err)
 		}
 	}
@@ -83,9 +86,3 @@ func (handler *Handler) endpointInspect(w http.ResponseWriter, r *http.Request)
 
 	return response.JSON(w, endpoint)
 }
-
-func excludeSnapshot(r *http.Request) bool {
-	excludeSnapshot, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshot", true)
-
-	return excludeSnapshot
-}
diff --git a/api/http/handler/endpoints/endpoint_list.go b/api/http/handler/endpoints/endpoint_list.go
index 7ea557910..6be1c7ff2 100644
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -44,6 +44,7 @@ const (
 // @param edgeDeviceUntrusted query bool false "if true, show only untrusted edge agents, if false show only trusted edge agents (relevant only for edge agents)"
 // @param edgeCheckInPassedSeconds query number false "if bigger then zero, show only edge agents that checked-in in the last provided seconds (relevant only for edge agents)"
 // @param excludeSnapshots query bool false "if true, the snapshot data won't be retrieved"
+// @param excludeSnapshotRaw query bool false "if true, the SnapshotRaw field won't be retrieved"
 // @param name query string false "will return only environments(endpoints) with this name"
 // @param edgeStackId query portainer.EdgeStackID false "will return the environements of the specified edge stack"
 // @param edgeStackStatus query string false "only applied when edgeStackId exists. Filter the returned environments based on their deployment status in the stack (not the environment status!)" Enum("Pending", "Ok", "Error", "Acknowledged", "Remove", "RemoteUpdateSuccess", "ImagesPulled")
@@ -59,6 +60,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 	limit, _ := request.RetrieveNumericQueryParameter(r, "limit", true)
 	sortField, _ := request.RetrieveQueryParameter(r, "sort", true)
 	sortOrder, _ := request.RetrieveQueryParameter(r, "order", true)
+	excludeRaw, _ := request.RetrieveBooleanQueryParameter(r, "excludeSnapshotRaw", true)
 
 	endpointGroups, err := handler.DataStore.EndpointGroup().ReadAll()
 	if err != nil {
@@ -114,7 +116,7 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		endpointutils.UpdateEdgeEndpointHeartbeat(&paginatedEndpoints[idx], settings)
 
 		if !query.excludeSnapshots {
-			if err := handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx]); err != nil {
+			if err := handler.SnapshotService.FillSnapshotData(&paginatedEndpoints[idx], !excludeRaw); err != nil {
 				return httperror.InternalServerError("Unable to add snapshot data", err)
 			}
 		}
diff --git a/api/http/handler/endpoints/endpoint_update.go b/api/http/handler/endpoints/endpoint_update.go
index 0f57136df..71c9ef702 100644
--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@@ -272,7 +272,7 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}
 
-	if err := handler.SnapshotService.FillSnapshotData(endpoint); err != nil {
+	if err := handler.SnapshotService.FillSnapshotData(endpoint, true); err != nil {
 		return httperror.InternalServerError("Unable to add snapshot data", err)
 	}
 
diff --git a/api/http/handler/system/nodes_count.go b/api/http/handler/system/nodes_count.go
index 94ab320fa..7d150d911 100644
--- a/api/http/handler/system/nodes_count.go
+++ b/api/http/handler/system/nodes_count.go
@@ -33,7 +33,7 @@ func (handler *Handler) systemNodesCount(w http.ResponseWriter, r *http.Request)
 	var nodes int
 
 	for _, endpoint := range endpoints {
-		if err := snapshot.FillSnapshotData(handler.dataStore, &endpoint); err != nil {
+		if err := snapshot.FillSnapshotData(handler.dataStore, &endpoint, false); err != nil {
 			return httperror.InternalServerError("Unable to add snapshot data", err)
 		}
 
diff --git a/api/http/proxy/factory/docker/volumes.go b/api/http/proxy/factory/docker/volumes.go
index aae0a4602..858a940d8 100644
--- a/api/http/proxy/factory/docker/volumes.go
+++ b/api/http/proxy/factory/docker/volumes.go
@@ -224,7 +224,7 @@ func (transport *Transport) getDockerID() (string, error) {
 	if transport.snapshotService != nil {
 		endpoint := portainer.Endpoint{ID: transport.endpoint.ID}
 
-		if err := transport.snapshotService.FillSnapshotData(&endpoint); err == nil && len(endpoint.Snapshots) > 0 {
+		if err := transport.snapshotService.FillSnapshotData(&endpoint, true); err == nil && len(endpoint.Snapshots) > 0 {
 			if dockerID, err := snapshot.FetchDockerID(endpoint.Snapshots[0]); err == nil {
 				transport.dockerID = dockerID
 				return dockerID, nil
diff --git a/api/internal/snapshot/snapshot.go b/api/internal/snapshot/snapshot.go
index 019dec359..7bc109459 100644
--- a/api/internal/snapshot/snapshot.go
+++ b/api/internal/snapshot/snapshot.go
@@ -170,8 +170,8 @@ func (service *Service) Create(snapshot portainer.Snapshot) error {
 	return service.dataStore.Snapshot().Create(&snapshot)
 }
 
-func (service *Service) FillSnapshotData(endpoint *portainer.Endpoint) error {
-	return FillSnapshotData(service.dataStore, endpoint)
+func (service *Service) FillSnapshotData(endpoint *portainer.Endpoint, includeRaw bool) error {
+	return FillSnapshotData(service.dataStore, endpoint, includeRaw)
 }
 
 func (service *Service) snapshotKubernetesEndpoint(endpoint *portainer.Endpoint) error {
@@ -328,8 +328,16 @@ func FetchDockerID(snapshot portainer.DockerSnapshot) (string, error) {
 	return info.Swarm.Cluster.ID, nil
 }
 
-func FillSnapshotData(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint) error {
-	snapshot, err := tx.Snapshot().Read(endpoint.ID)
+func FillSnapshotData(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, includeRaw bool) error {
+	var snapshot *portainer.Snapshot
+	var err error
+
+	if includeRaw {
+		snapshot, err = tx.Snapshot().Read(endpoint.ID)
+	} else {
+		snapshot, err = tx.Snapshot().ReadWithoutSnapshotRaw(endpoint.ID)
+	}
+
 	if tx.IsErrObjectNotFound(err) {
 		endpoint.Snapshots = []portainer.DockerSnapshot{}
 		endpoint.Kubernetes.Snapshots = []portainer.KubernetesSnapshot{}
diff --git a/api/portainer.go b/api/portainer.go
index b90e89b4e..1f57b0ada 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1622,7 +1622,7 @@ type (
 		Start()
 		SetSnapshotInterval(snapshotInterval string) error
 		SnapshotEndpoint(endpoint *Endpoint) error
-		FillSnapshotData(endpoint *Endpoint) error
+		FillSnapshotData(endpoint *Endpoint, includeRaw bool) error
 	}
 
 	// SwarmStackManager represents a service to manage Swarm stacks
diff --git a/app/react/hooks/useCurrentEnvironment.ts b/app/react/hooks/useCurrentEnvironment.ts
index 7beaf6fb6..c65ca077b 100644
--- a/app/react/hooks/useCurrentEnvironment.ts
+++ b/app/react/hooks/useCurrentEnvironment.ts
@@ -4,5 +4,5 @@ import { useEnvironmentId } from './useEnvironmentId';
 
 export function useCurrentEnvironment(force = true) {
   const id = useEnvironmentId(force);
-  return useEnvironment(id);
+  return useEnvironment(id, undefined, { excludeSnapshot: false });
 }
diff --git a/app/react/portainer/HomeView/EnvironmentList/EnvironmentItem/EngineVersion.tsx b/app/react/portainer/HomeView/EnvironmentList/EnvironmentItem/EngineVersion.tsx
index 83e337686..30338d656 100644
--- a/app/react/portainer/HomeView/EnvironmentList/EnvironmentItem/EngineVersion.tsx
+++ b/app/react/portainer/HomeView/EnvironmentList/EnvironmentItem/EngineVersion.tsx
@@ -1,16 +1,16 @@
 import { DockerSnapshot } from '@/react/docker/snapshots/types';
-import { useIsPodman } from '@/react/portainer/environments/queries/useIsPodman';
 import {
   Environment,
   PlatformType,
   KubernetesSnapshot,
+  ContainerEngine,
 } from '@/react/portainer/environments/types';
 import { getPlatformType } from '@/react/portainer/environments/utils';
 import { getDockerEnvironmentType } from '@/react/portainer/environments/utils/getDockerEnvironmentType';
 
 export function EngineVersion({ environment }: { environment: Environment }) {
   const platform = getPlatformType(environment.Type);
-  const isPodman = useIsPodman(environment.Id);
+  const isPodman = environment.ContainerEngine === ContainerEngine.Podman;
 
   switch (platform) {
     case PlatformType.Docker:
diff --git a/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx b/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx
index 9884048b3..160e68684 100644
--- a/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx
+++ b/app/react/portainer/HomeView/EnvironmentList/EnvironmentList.tsx
@@ -110,6 +110,7 @@ export function EnvironmentList({ onClickBrowse, onRefresh }: Props) {
     updateInformation: isBE,
     edgeAsync: getEdgeAsyncValue(connectionTypes),
     platformTypes,
+    excludeSnapshotRaw: true,
   };
 
   const queryWithSort = {
diff --git a/app/react/portainer/environments/environment.service/index.ts b/app/react/portainer/environments/environment.service/index.ts
index f96d57d69..c6d770e74 100644
--- a/app/react/portainer/environments/environment.service/index.ts
+++ b/app/react/portainer/environments/environment.service/index.ts
@@ -42,6 +42,7 @@ export interface BaseEnvironmentsQueryParams {
   edgeAsync?: boolean;
   edgeDeviceUntrusted?: boolean;
   excludeSnapshots?: boolean;
+  excludeSnapshotRaw?: boolean;
   provisioned?: boolean;
   name?: string;
   agentVersions?: string[];
@@ -119,9 +120,15 @@ export async function getAgentVersions() {
   }
 }
 
-export async function getEndpoint(id: EnvironmentId) {
+export async function getEndpoint(
+  id: EnvironmentId,
+  excludeSnapshot = true,
+  excludeSnapshotRaw = true
+) {
   try {
-    const { data: endpoint } = await axios.get<Environment>(buildUrl(id));
+    const { data: endpoint } = await axios.get<Environment>(buildUrl(id), {
+      params: { excludeSnapshot, excludeSnapshotRaw },
+    });
     return endpoint;
   } catch (e) {
     throw parseAxiosError(e as Error);
diff --git a/app/react/portainer/environments/queries/useEnvironment.ts b/app/react/portainer/environments/queries/useEnvironment.ts
index 7a0b4961c..b2b8fd6bd 100644
--- a/app/react/portainer/environments/queries/useEnvironment.ts
+++ b/app/react/portainer/environments/queries/useEnvironment.ts
@@ -10,11 +10,20 @@ import { environmentQueryKeys } from './query-keys';
 export function useEnvironment<T = Environment>(
   environmentId?: EnvironmentId,
   select?: (environment: Environment) => T,
-  options?: { autoRefreshRate?: number }
+  options?: {
+    autoRefreshRate?: number;
+    excludeSnapshot?: boolean;
+    excludeSnapshotRaw?: boolean;
+  }
 ) {
   return useQuery(
     environmentQueryKeys.item(environmentId!),
-    () => getEndpoint(environmentId!),
+    () =>
+      getEndpoint(
+        environmentId!,
+        options?.excludeSnapshot ?? undefined,
+        options?.excludeSnapshotRaw ?? undefined
+      ),
     {
       select,
       ...withError('Failed loading environment'),
diff --git a/app/react/portainer/environments/update-schedules/common/useEnvironments.ts b/app/react/portainer/environments/update-schedules/common/useEnvironments.ts
index bfe9a83b4..7843cf27b 100644
--- a/app/react/portainer/environments/update-schedules/common/useEnvironments.ts
+++ b/app/react/portainer/environments/update-schedules/common/useEnvironments.ts
@@ -3,7 +3,7 @@ import { EdgeGroupId, EdgeTypes } from '@/react/portainer/environments/types';
 
 export function useEnvironments(edgeGroupIds: Array<EdgeGroupId>) {
   const environmentsQuery = useEnvironmentList(
-    { edgeGroupIds, types: EdgeTypes, pageLimit: 0 },
+    { edgeGroupIds, types: EdgeTypes, pageLimit: 0, excludeSnapshots: true },
     {
       enabled: edgeGroupIds.length > 0,
     }

From cdd9851f72d47a2d5e7f74ede293e4fc6046d66e Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 24 Mar 2025 19:56:08 -0300
Subject: [PATCH 062/212] fix(stubs): clean up the stubs and mocks BE-11722
 (#557)

---
 api/exec/exectest/kubernetes_mocks.go | 14 ++----
 api/internal/testhelpers/datastore.go | 72 +++++++--------------------
 2 files changed, 23 insertions(+), 63 deletions(-)

diff --git a/api/exec/exectest/kubernetes_mocks.go b/api/exec/exectest/kubernetes_mocks.go
index 22638216e..894e52135 100644
--- a/api/exec/exectest/kubernetes_mocks.go
+++ b/api/exec/exectest/kubernetes_mocks.go
@@ -4,17 +4,11 @@ import (
 	portainer "github.com/portainer/portainer/api"
 )
 
-type kubernetesMockDeployer struct{}
+type kubernetesMockDeployer struct {
+	portainer.KubernetesDeployer
+}
 
 // NewKubernetesDeployer creates a mock kubernetes deployer
-func NewKubernetesDeployer() portainer.KubernetesDeployer {
+func NewKubernetesDeployer() *kubernetesMockDeployer {
 	return &kubernetesMockDeployer{}
 }
-
-func (deployer *kubernetesMockDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return "", nil
-}
-
-func (deployer *kubernetesMockDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return "", nil
-}
diff --git a/api/internal/testhelpers/datastore.go b/api/internal/testhelpers/datastore.go
index 9a16ddfd2..d4a29ae09 100644
--- a/api/internal/testhelpers/datastore.go
+++ b/api/internal/testhelpers/datastore.go
@@ -110,9 +110,11 @@ type datastoreOption = func(d *testDatastore)
 func NewDatastore(options ...datastoreOption) *testDatastore {
 	conn, _ := database.NewDatabase("boltdb", "", nil)
 	d := testDatastore{connection: conn}
+
 	for _, o := range options {
 		o(&d)
 	}
+
 	return &d
 }
 
@@ -128,6 +130,7 @@ func (s *stubSettingsService) Settings() (*portainer.Settings, error) {
 
 func (s *stubSettingsService) UpdateSettings(settings *portainer.Settings) error {
 	s.settings = settings
+
 	return nil
 }
 
@@ -140,20 +143,16 @@ func WithSettingsService(settings *portainer.Settings) datastoreOption {
 }
 
 type stubUserService struct {
+	dataservices.UserService
+
 	users []portainer.User
 }
 
-func (s *stubUserService) BucketName() string                                      { return "users" }
-func (s *stubUserService) Read(ID portainer.UserID) (*portainer.User, error)       { return nil, nil }
-func (s *stubUserService) UserByUsername(username string) (*portainer.User, error) { return nil, nil }
-func (s *stubUserService) ReadAll() ([]portainer.User, error)                      { return s.users, nil }
+func (s *stubUserService) BucketName() string                 { return "users" }
+func (s *stubUserService) ReadAll() ([]portainer.User, error) { return s.users, nil }
 func (s *stubUserService) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	return s.users, nil
 }
-func (s *stubUserService) Create(user *portainer.User) error                      { return nil }
-func (s *stubUserService) Update(ID portainer.UserID, user *portainer.User) error { return nil }
-func (s *stubUserService) Delete(ID portainer.UserID) error                       { return nil }
-func (s *stubUserService) Exists(ID portainer.UserID) (bool, error)               { return false, nil }
 
 // WithUsers testDatastore option that will instruct testDatastore to return provided users
 func WithUsers(us []portainer.User) datastoreOption {
@@ -163,35 +162,13 @@ func WithUsers(us []portainer.User) datastoreOption {
 }
 
 type stubEdgeJobService struct {
+	dataservices.EdgeJobService
+
 	jobs []portainer.EdgeJob
 }
 
 func (s *stubEdgeJobService) BucketName() string                    { return "edgejobs" }
 func (s *stubEdgeJobService) ReadAll() ([]portainer.EdgeJob, error) { return s.jobs, nil }
-func (s *stubEdgeJobService) Read(ID portainer.EdgeJobID) (*portainer.EdgeJob, error) {
-	return nil, nil
-}
-
-func (s *stubEdgeJobService) Create(edgeJob *portainer.EdgeJob) error {
-	return nil
-}
-
-func (s *stubEdgeJobService) CreateWithID(ID portainer.EdgeJobID, edgeJob *portainer.EdgeJob) error {
-	return nil
-}
-
-func (s *stubEdgeJobService) Update(ID portainer.EdgeJobID, edgeJob *portainer.EdgeJob) error {
-	return nil
-}
-
-func (s *stubEdgeJobService) UpdateEdgeJobFunc(ID portainer.EdgeJobID, updateFunc func(edgeJob *portainer.EdgeJob)) error {
-	return nil
-}
-func (s *stubEdgeJobService) Delete(ID portainer.EdgeJobID) error { return nil }
-func (s *stubEdgeJobService) GetNextIdentifier() int              { return 0 }
-func (s *stubEdgeJobService) Exists(ID portainer.EdgeJobID) (bool, error) {
-	return false, nil
-}
 
 // WithEdgeJobs option will instruct testDatastore to return provided jobs
 func WithEdgeJobs(js []portainer.EdgeJob) datastoreOption {
@@ -201,6 +178,8 @@ func WithEdgeJobs(js []portainer.EdgeJob) datastoreOption {
 }
 
 type stubEndpointRelationService struct {
+	dataservices.EndpointRelationService
+
 	relations []portainer.EndpointRelation
 }
 
@@ -219,10 +198,6 @@ func (s *stubEndpointRelationService) EndpointRelation(ID portainer.EndpointID)
 	return nil, errors.ErrObjectNotFound
 }
 
-func (s *stubEndpointRelationService) Create(EndpointRelation *portainer.EndpointRelation) error {
-	return nil
-}
-
 func (s *stubEndpointRelationService) UpdateEndpointRelation(ID portainer.EndpointID, relation *portainer.EndpointRelation) error {
 	for i, r := range s.relations {
 		if r.EndpointID == ID {
@@ -257,11 +232,6 @@ func (s *stubEndpointRelationService) RemoveEndpointRelationsForEdgeStack(endpoi
 	return nil
 }
 
-func (s *stubEndpointRelationService) DeleteEndpointRelation(ID portainer.EndpointID) error {
-	return nil
-}
-func (s *stubEndpointRelationService) GetNextIdentifier() int { return 0 }
-
 // WithEndpointRelations option will instruct testDatastore to return provided jobs
 func WithEndpointRelations(relations []portainer.EndpointRelation) datastoreOption {
 	return func(d *testDatastore) {
@@ -360,6 +330,7 @@ func (s *stubEndpointService) EndpointsByTeamID(teamID portainer.TeamID) ([]port
 			}
 		}
 	}
+
 	return endpoints, nil
 }
 
@@ -371,29 +342,19 @@ func WithEndpoints(endpoints []portainer.Endpoint) datastoreOption {
 }
 
 type stubStacksService struct {
+	dataservices.StackService
 	stacks []portainer.Stack
 }
 
 func (s *stubStacksService) BucketName() string { return "stacks" }
 
-func (s *stubStacksService) Create(stack *portainer.Stack) error {
-	return nil
-}
-
-func (s *stubStacksService) Update(ID portainer.StackID, stack *portainer.Stack) error {
-	return nil
-}
-
-func (s *stubStacksService) Delete(ID portainer.StackID) error {
-	return nil
-}
-
 func (s *stubStacksService) Read(ID portainer.StackID) (*portainer.Stack, error) {
 	for _, stack := range s.stacks {
 		if stack.ID == ID {
 			return &stack, nil
 		}
 	}
+
 	return nil, errors.ErrObjectNotFound
 }
 
@@ -409,6 +370,7 @@ func (s *stubStacksService) StacksByEndpointID(endpointID portainer.EndpointID)
 			result = append(result, stack)
 		}
 	}
+
 	return result, nil
 }
 
@@ -420,6 +382,7 @@ func (s *stubStacksService) RefreshableStacks() ([]portainer.Stack, error) {
 			result = append(result, stack)
 		}
 	}
+
 	return result, nil
 }
 
@@ -429,6 +392,7 @@ func (s *stubStacksService) StackByName(name string) (*portainer.Stack, error) {
 			return &stack, nil
 		}
 	}
+
 	return nil, errors.ErrObjectNotFound
 }
 
@@ -440,6 +404,7 @@ func (s *stubStacksService) StacksByName(name string) ([]portainer.Stack, error)
 			result = append(result, stack)
 		}
 	}
+
 	return result, nil
 }
 
@@ -449,6 +414,7 @@ func (s *stubStacksService) StackByWebhookID(webhookID string) (*portainer.Stack
 			return &stack, nil
 		}
 	}
+
 	return nil, errors.ErrObjectNotFound
 }
 

From e68bd53e303461ae1249da121e4220806bd17705 Mon Sep 17 00:00:00 2001
From: samdulam <sam.dulam@portainer.io>
Date: Tue, 25 Mar 2025 08:40:15 +0530
Subject: [PATCH 063/212] Update bug_report template with 2.27.3 (#572)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index ef5a073fb..76b2e0f69 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -96,6 +96,7 @@ body:
       options:
         - '2.28.1'
         - '2.28.0'
+        - '2.27.3'
         - '2.27.2'
         - '2.27.1'
         - '2.27.0'

From 0ebfe047d1153fadd220cb3c31c31012b93f2084 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Wed, 26 Mar 2025 11:32:26 +1300
Subject: [PATCH 064/212] feat(helm): use helm upgrade for install [r8s-258]
 (#568)

---
 api/http/handler/helm/helm_delete_test.go |   2 +-
 api/http/handler/helm/helm_install.go     |   2 +-
 api/http/handler/helm/helm_list_test.go   |   2 +-
 pkg/libhelm/options/install_options.go    |   3 +
 pkg/libhelm/sdk/common.go                 |  87 +++++++++++
 pkg/libhelm/sdk/install.go                | 106 +++----------
 pkg/libhelm/sdk/install_test.go           |  88 ++++++-----
 pkg/libhelm/sdk/list.go                   |   6 +-
 pkg/libhelm/sdk/release.go                |  47 ++++++
 pkg/libhelm/sdk/show.go                   |  10 +-
 pkg/libhelm/sdk/show_test.go              |   2 +-
 pkg/libhelm/sdk/testutils/values.go       |  26 ++++
 pkg/libhelm/sdk/uninstall.go              |   7 +-
 pkg/libhelm/sdk/uninstall_test.go         |   2 +-
 pkg/libhelm/sdk/upgrade.go                | 161 +++++++++++++++++++
 pkg/libhelm/sdk/upgrade_test.go           | 179 ++++++++++++++++++++++
 pkg/libhelm/test/mock.go                  |   5 +
 pkg/libhelm/test/values.go                |  26 ++++
 pkg/libhelm/types/types.go                |   2 +-
 19 files changed, 613 insertions(+), 150 deletions(-)
 create mode 100644 pkg/libhelm/sdk/common.go
 create mode 100644 pkg/libhelm/sdk/release.go
 create mode 100644 pkg/libhelm/sdk/testutils/values.go
 create mode 100644 pkg/libhelm/sdk/upgrade.go
 create mode 100644 pkg/libhelm/sdk/upgrade_test.go
 create mode 100644 pkg/libhelm/test/values.go

diff --git a/api/http/handler/helm/helm_delete_test.go b/api/http/handler/helm/helm_delete_test.go
index ed77abdd2..3c90c1758 100644
--- a/api/http/handler/helm/helm_delete_test.go
+++ b/api/http/handler/helm/helm_delete_test.go
@@ -42,7 +42,7 @@ func Test_helmDelete(t *testing.T) {
 
 	// Install a single chart directly, to be deleted by the handler
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)
 
 	t.Run("helmDelete succeeds with admin user", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodDelete, "/1/kubernetes/helm/"+options.Name, nil)
diff --git a/api/http/handler/helm/helm_install.go b/api/http/handler/helm/helm_install.go
index fffdf21bb..d7254c1f4 100644
--- a/api/http/handler/helm/helm_install.go
+++ b/api/http/handler/helm/helm_install.go
@@ -125,7 +125,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		installOpts.ValuesFile = file.Name()
 	}
 
-	release, err := handler.helmPackageManager.Install(installOpts)
+	release, err := handler.helmPackageManager.Upgrade(installOpts)
 	if err != nil {
 		return nil, err
 	}
diff --git a/api/http/handler/helm/helm_list_test.go b/api/http/handler/helm/helm_list_test.go
index b8dd40354..9f69fe11d 100644
--- a/api/http/handler/helm/helm_list_test.go
+++ b/api/http/handler/helm/helm_list_test.go
@@ -43,7 +43,7 @@ func Test_helmList(t *testing.T) {
 
 	// Install a single chart.  We expect to get these values back
 	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
-	h.helmPackageManager.Install(options)
+	h.helmPackageManager.Upgrade(options)
 
 	t.Run("helmList", func(t *testing.T) {
 		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm", nil)
diff --git a/pkg/libhelm/options/install_options.go b/pkg/libhelm/options/install_options.go
index 5cc6081fb..943f28041 100644
--- a/pkg/libhelm/options/install_options.go
+++ b/pkg/libhelm/options/install_options.go
@@ -1,5 +1,7 @@
 package options
 
+import "time"
+
 type InstallOptions struct {
 	Name                    string
 	Chart                   string
@@ -8,6 +10,7 @@ type InstallOptions struct {
 	Wait                    bool
 	ValuesFile              string
 	PostRenderer            string
+	Timeout                 time.Duration
 	KubernetesClusterAccess *KubernetesClusterAccess
 
 	// Optional environment vars to pass when running helm
diff --git a/pkg/libhelm/sdk/common.go b/pkg/libhelm/sdk/common.go
new file mode 100644
index 000000000..b1d218cae
--- /dev/null
+++ b/pkg/libhelm/sdk/common.go
@@ -0,0 +1,87 @@
+package sdk
+
+import (
+	"os"
+
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/chart"
+	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/downloader"
+	"helm.sh/helm/v3/pkg/getter"
+)
+
+// loadAndValidateChartWithPathOptions locates and loads the chart, and validates it.
+// it also checks for chart dependencies and updates them if necessary.
+// it returns the chart information.
+func (hspm *HelmSDKPackageManager) loadAndValidateChartWithPathOptions(chartPathOptions *action.ChartPathOptions, chartName, repoURL string, dependencyUpdate bool, operation string) (*chart.Chart, error) {
+	// Locate and load the chart
+	chartPathOptions.RepoURL = repoURL
+	chartPath, err := chartPathOptions.LocateChart(chartName, hspm.settings)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", chartName).
+			Err(err).
+			Msg("Failed to locate chart for helm " + operation)
+		return nil, errors.Wrapf(err, "failed to find the helm chart at the path: %s/%s", repoURL, chartName)
+	}
+
+	chartReq, err := loader.Load(chartPath)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart_path", chartPath).
+			Err(err).
+			Msg("Failed to load chart for helm " + operation)
+		return nil, errors.Wrap(err, "failed to load chart for helm "+operation)
+	}
+
+	// Check chart dependencies to make sure all are present in /charts
+	if chartDependencies := chartReq.Metadata.Dependencies; chartDependencies != nil {
+		if err := action.CheckDependencies(chartReq, chartDependencies); err != nil {
+			err = errors.Wrap(err, "failed to check chart dependencies for helm "+operation)
+			if !dependencyUpdate {
+				return nil, err
+			}
+
+			log.Debug().
+				Str("context", "HelmClient").
+				Str("chart", chartName).
+				Msg("Updating chart dependencies for helm " + operation)
+
+			providers := getter.All(hspm.settings)
+			manager := &downloader.Manager{
+				Out:              os.Stdout,
+				ChartPath:        chartPath,
+				Keyring:          chartPathOptions.Keyring,
+				SkipUpdate:       false,
+				Getters:          providers,
+				RepositoryConfig: hspm.settings.RepositoryConfig,
+				RepositoryCache:  hspm.settings.RepositoryCache,
+				Debug:            hspm.settings.Debug,
+			}
+			if err := manager.Update(); err != nil {
+				log.Error().
+					Str("context", "HelmClient").
+					Str("chart", chartName).
+					Err(err).
+					Msg("Failed to update chart dependencies for helm " + operation)
+				return nil, errors.Wrap(err, "failed to update chart dependencies for helm "+operation)
+			}
+
+			// Reload the chart with the updated Chart.lock file.
+			if chartReq, err = loader.Load(chartPath); err != nil {
+				log.Error().
+					Str("context", "HelmClient").
+					Str("chart_path", chartPath).
+					Err(err).
+					Msg("Failed to reload chart after dependency update for helm " + operation)
+				return nil, errors.Wrap(err, "failed to reload chart after dependency update for helm "+operation)
+			}
+		}
+	}
+
+	return chartReq, nil
+}
diff --git a/pkg/libhelm/sdk/install.go b/pkg/libhelm/sdk/install.go
index 26b50927b..29f578806 100644
--- a/pkg/libhelm/sdk/install.go
+++ b/pkg/libhelm/sdk/install.go
@@ -1,22 +1,18 @@
 package sdk
 
 import (
-	"os"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
 	"github.com/rs/zerolog/log"
 	"helm.sh/helm/v3/pkg/action"
-	"helm.sh/helm/v3/pkg/chart"
-	"helm.sh/helm/v3/pkg/chart/loader"
-	"helm.sh/helm/v3/pkg/downloader"
-	"helm.sh/helm/v3/pkg/getter"
 	"helm.sh/helm/v3/pkg/postrender"
 )
 
 // Install implements the HelmPackageManager interface by using the Helm SDK to install a chart.
-func (hspm *HelmSDKPackageManager) Install(installOpts options.InstallOptions) (*release.Release, error) {
+func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (*release.Release, error) {
 	log.Debug().
 		Str("context", "HelmClient").
 		Str("chart", installOpts.Chart).
@@ -42,12 +38,7 @@ func (hspm *HelmSDKPackageManager) Install(installOpts options.InstallOptions) (
 	actionConfig := new(action.Configuration)
 	err := hspm.initActionConfig(actionConfig, installOpts.Namespace, installOpts.KubernetesClusterAccess)
 	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Str("chart", installOpts.Chart).
-			Str("namespace", installOpts.Namespace).
-			Err(err).
-			Msg("Failed to initialize helm configuration for helm release installation")
+		// error is already logged in initActionConfig
 		return nil, errors.Wrap(err, "failed to initialize helm configuration for helm release installation")
 	}
 
@@ -69,7 +60,7 @@ func (hspm *HelmSDKPackageManager) Install(installOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to get Helm values from file for helm release installation")
 	}
 
-	chart, err := hspm.loadAndValidateChart(installClient, installOpts)
+	chart, err := hspm.loadAndValidateChartWithPathOptions(&installClient.ChartPathOptions, installOpts.Chart, installOpts.Repo, installClient.DependencyUpdate, "release installation")
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -114,90 +105,29 @@ func (hspm *HelmSDKPackageManager) Install(installOpts options.InstallOptions) (
 	}, nil
 }
 
-// loadAndValidateChart locates and loads the chart, and validates it.
-// it also checks for chart dependencies and updates them if necessary.
-// it returns the chart information.
-func (hspm *HelmSDKPackageManager) loadAndValidateChart(installClient *action.Install, installOpts options.InstallOptions) (*chart.Chart, error) {
-	// Locate and load the chart
-	chartPath, err := installClient.ChartPathOptions.LocateChart(installOpts.Chart, hspm.settings)
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Str("chart", installOpts.Chart).
-			Err(err).
-			Msg("Failed to locate chart for helm release installation")
-		return nil, errors.Wrapf(err, "failed to find the helm chart at the path: %s/%s", installOpts.Repo, installOpts.Chart)
-	}
-
-	chartReq, err := loader.Load(chartPath)
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Str("chart_path", chartPath).
-			Err(err).
-			Msg("Failed to load chart for helm release installation")
-		return nil, errors.Wrap(err, "failed to load chart for helm release installation")
-	}
-
-	// Check chart dependencies to make sure all are present in /charts
-	if chartDependencies := chartReq.Metadata.Dependencies; chartDependencies != nil {
-		if err := action.CheckDependencies(chartReq, chartDependencies); err != nil {
-			err = errors.Wrap(err, "failed to check chart dependencies for helm release installation")
-			if !installClient.DependencyUpdate {
-				return nil, err
-			}
-
-			log.Debug().
-				Str("context", "HelmClient").
-				Str("chart", installOpts.Chart).
-				Msg("Updating chart dependencies for helm release installation")
-
-			providers := getter.All(hspm.settings)
-			manager := &downloader.Manager{
-				Out:              os.Stdout,
-				ChartPath:        chartPath,
-				Keyring:          installClient.ChartPathOptions.Keyring,
-				SkipUpdate:       false,
-				Getters:          providers,
-				RepositoryConfig: hspm.settings.RepositoryConfig,
-				RepositoryCache:  hspm.settings.RepositoryCache,
-				Debug:            hspm.settings.Debug,
-			}
-			if err := manager.Update(); err != nil {
-				log.Error().
-					Str("context", "HelmClient").
-					Str("chart", installOpts.Chart).
-					Err(err).
-					Msg("Failed to update chart dependencies for helm release installation")
-				return nil, errors.Wrap(err, "failed to update chart dependencies for helm release installation")
-			}
-
-			// Reload the chart with the updated Chart.lock file.
-			if chartReq, err = loader.Load(chartPath); err != nil {
-				log.Error().
-					Str("context", "HelmClient").
-					Str("chart_path", chartPath).
-					Err(err).
-					Msg("Failed to reload chart after dependency update for helm release installation")
-				return nil, errors.Wrap(err, "failed to reload chart after dependency update for helm release installation")
-			}
-		}
-	}
-
-	return chartReq, nil
-}
-
 // initInstallClient initializes the install client with the given options
 // and return the install client.
 func initInstallClient(actionConfig *action.Configuration, installOpts options.InstallOptions) (*action.Install, error) {
 	installClient := action.NewInstall(actionConfig)
 	installClient.CreateNamespace = true
 	installClient.DependencyUpdate = true
-
 	installClient.ReleaseName = installOpts.Name
-	installClient.Namespace = installOpts.Namespace
 	installClient.ChartPathOptions.RepoURL = installOpts.Repo
 	installClient.Wait = installOpts.Wait
+	installClient.Timeout = installOpts.Timeout
+
+	// Set default values if not specified
+	if installOpts.Timeout == 0 {
+		installClient.Timeout = 5 * time.Minute
+	} else {
+		installClient.Timeout = installOpts.Timeout
+	}
+	if installOpts.Namespace == "" {
+		installClient.Namespace = "default"
+	} else {
+		installClient.Namespace = installOpts.Namespace
+	}
+
 	if installOpts.PostRenderer != "" {
 		postRenderer, err := postrender.NewExec(installOpts.PostRenderer)
 		if err != nil {
diff --git a/pkg/libhelm/sdk/install_test.go b/pkg/libhelm/sdk/install_test.go
index 9bd0d04f3..d08ad3441 100644
--- a/pkg/libhelm/sdk/install_test.go
+++ b/pkg/libhelm/sdk/install_test.go
@@ -9,26 +9,6 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func createValuesFile(values string) (string, error) {
-	file, err := os.CreateTemp("", "helm-values")
-	if err != nil {
-		return "", err
-	}
-
-	_, err = file.WriteString(values)
-	if err != nil {
-		file.Close()
-		return "", err
-	}
-
-	err = file.Close()
-	if err != nil {
-		return "", err
-	}
-
-	return file.Name(), nil
-}
-
 func Test_Install(t *testing.T) {
 	test.EnsureIntegrationTest(t)
 	is := assert.New(t)
@@ -44,10 +24,14 @@ func Test_Install(t *testing.T) {
 			Repo:  "https://kubernetes.github.io/ingress-nginx",
 		}
 
-		release, err := hspm.Install(installOpts)
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts)
 		if release != nil {
 			defer hspm.Uninstall(options.UninstallOptions{
-				Name: "test-nginx",
+				Name: installOpts.Name,
 			})
 		}
 
@@ -60,9 +44,8 @@ func Test_Install(t *testing.T) {
 
 	t.Run("successfully installs nginx with values", func(t *testing.T) {
 		// SDK equivalent of: helm install test-nginx-2 --repo https://kubernetes.github.io/ingress-nginx nginx --values /tmp/helm-values3161785816
-		values, err := createValuesFile("service:\n  port:  8081")
+		values, err := test.CreateValuesFile("service:\n  port:  8081")
 		is.NoError(err, "should create a values file")
-
 		defer os.Remove(values)
 
 		installOpts := options.InstallOptions{
@@ -71,10 +54,15 @@ func Test_Install(t *testing.T) {
 			Repo:       "https://kubernetes.github.io/ingress-nginx",
 			ValuesFile: values,
 		}
-		release, err := hspm.Install(installOpts)
+
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts)
 		if release != nil {
 			defer hspm.Uninstall(options.UninstallOptions{
-				Name: "test-nginx-2",
+				Name: installOpts.Name,
 			})
 		}
 
@@ -92,7 +80,12 @@ func Test_Install(t *testing.T) {
 			Chart: "portainer",
 			Repo:  "https://portainer.github.io/k8s/",
 		}
-		release, err := hspm.Install(installOpts)
+
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts)
 		if release != nil {
 			defer hspm.Uninstall(options.UninstallOptions{
 				Name: installOpts.Name,
@@ -108,9 +101,8 @@ func Test_Install(t *testing.T) {
 
 	t.Run("install with values as string", func(t *testing.T) {
 		// First create a values file since InstallOptions doesn't support values as string directly
-		values, err := createValuesFile("service:\n  port:  8082")
+		values, err := test.CreateValuesFile("service:\n  port:  8082")
 		is.NoError(err, "should create a values file")
-
 		defer os.Remove(values)
 
 		// Install with values file
@@ -120,10 +112,15 @@ func Test_Install(t *testing.T) {
 			Repo:       "https://kubernetes.github.io/ingress-nginx",
 			ValuesFile: values,
 		}
-		release, err := hspm.Install(installOpts)
+
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts)
 		if release != nil {
 			defer hspm.Uninstall(options.UninstallOptions{
-				Name: "test-nginx-3",
+				Name: installOpts.Name,
 			})
 		}
 
@@ -140,11 +137,15 @@ func Test_Install(t *testing.T) {
 			Repo:      "https://kubernetes.github.io/ingress-nginx",
 			Namespace: "default",
 		}
-		release, err := hspm.Install(installOpts)
+
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts)
 		if release != nil {
 			defer hspm.Uninstall(options.UninstallOptions{
-				Name:      "test-nginx-4",
-				Namespace: "default",
+				Name: installOpts.Name,
 			})
 		}
 
@@ -159,10 +160,15 @@ func Test_Install(t *testing.T) {
 			Chart: "ingress-nginx",
 			Repo:  "https://kubernetes.github.io/ingress-nginx",
 		}
-		_, err := hspm.Install(installOpts)
+
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		_, err := hspm.Upgrade(installOpts)
 
 		is.Error(err, "should return an error when name is not provided")
-		is.Equal(err.Error(), "name is required")
+		// is.Equal(err.Error(), "name is required for helm release installation")
 	})
 
 	t.Run("install with invalid chart", func(t *testing.T) {
@@ -172,9 +178,8 @@ func Test_Install(t *testing.T) {
 			Chart: "non-existent-chart",
 			Repo:  "https://kubernetes.github.io/ingress-nginx",
 		}
-		_, err := hspm.Install(installOpts)
+		_, err := hspm.Upgrade(installOpts)
 		is.Error(err, "should return error when chart doesn't exist")
-		is.Equal(err.Error(), "failed to find the helm chart at the path: https://kubernetes.github.io/ingress-nginx/non-existent-chart")
 	})
 
 	t.Run("install with invalid repo", func(t *testing.T) {
@@ -184,7 +189,12 @@ func Test_Install(t *testing.T) {
 			Chart: "nginx",
 			Repo:  "https://non-existent-repo.example.com",
 		}
-		_, err := hspm.Install(installOpts)
+
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		_, err := hspm.Upgrade(installOpts)
 		is.Error(err, "should return error when repo doesn't exist")
 	})
 }
diff --git a/pkg/libhelm/sdk/list.go b/pkg/libhelm/sdk/list.go
index 494298a91..6e688d1b6 100644
--- a/pkg/libhelm/sdk/list.go
+++ b/pkg/libhelm/sdk/list.go
@@ -26,11 +26,7 @@ func (hspm *HelmSDKPackageManager) List(listOpts options.ListOptions) ([]release
 	actionConfig := new(action.Configuration)
 	err := hspm.initActionConfig(actionConfig, listOpts.Namespace, listOpts.KubernetesClusterAccess)
 	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Str("namespace", listOpts.Namespace).
-			Err(err).
-			Msg("Failed to initialize helm configuration")
+		// error is already logged in initActionConfig
 		return nil, errors.Wrap(err, "failed to initialize helm configuration")
 	}
 
diff --git a/pkg/libhelm/sdk/release.go b/pkg/libhelm/sdk/release.go
new file mode 100644
index 000000000..76f6840ff
--- /dev/null
+++ b/pkg/libhelm/sdk/release.go
@@ -0,0 +1,47 @@
+package sdk
+
+import (
+	"fmt"
+
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/release"
+	"helm.sh/helm/v3/pkg/storage/driver"
+)
+
+func (hspm *HelmSDKPackageManager) doesReleaseExist(releaseName, namespace string, clusterAccess *options.KubernetesClusterAccess) (bool, error) {
+	// Initialize action configuration
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, namespace, clusterAccess)
+	if err != nil {
+		// error is already logged in initActionConfig
+		return false, fmt.Errorf("failed to initialize helm configuration: %w", err)
+	}
+
+	historyClient, err := hspm.initHistoryClient(actionConfig, namespace, clusterAccess)
+	if err != nil {
+		// error is already logged in initHistoryClient
+		return false, fmt.Errorf("failed to initialize helm history client: %w", err)
+	}
+
+	versions, err := historyClient.Run(releaseName)
+	if errors.Is(err, driver.ErrReleaseNotFound) || isReleaseUninstalled(versions) {
+		return false, nil
+	} else if err != nil {
+		return false, fmt.Errorf("failed to get history: %w", err)
+	}
+
+	return true, nil
+}
+
+func isReleaseUninstalled(versions []*release.Release) bool {
+	return len(versions) > 0 && versions[len(versions)-1].Info.Status == release.StatusUninstalled
+}
+
+func (hspm *HelmSDKPackageManager) initHistoryClient(actionConfig *action.Configuration, namespace string, clusterAccess *options.KubernetesClusterAccess) (*action.History, error) {
+	historyClient := action.NewHistory(actionConfig)
+	historyClient.Max = 1
+
+	return historyClient, nil
+}
diff --git a/pkg/libhelm/sdk/show.go b/pkg/libhelm/sdk/show.go
index aa674a8c0..45f77719a 100644
--- a/pkg/libhelm/sdk/show.go
+++ b/pkg/libhelm/sdk/show.go
@@ -32,13 +32,11 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 		Str("output_format", string(showOpts.OutputFormat)).
 		Msg("Showing chart information")
 
-	// Initialize action configuration
+	// Initialize action configuration (no namespace or cluster access needed)
 	actionConfig := new(action.Configuration)
-	if err := actionConfig.Init(nil, "", "", func(format string, v ...interface{}) {}); err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Err(err).
-			Msg("Failed to initialize helm configuration")
+	err := hspm.initActionConfig(actionConfig, "", nil)
+	if err != nil {
+		// error is already logged in initActionConfig
 		return nil, fmt.Errorf("failed to initialize helm configuration: %w", err)
 	}
 
diff --git a/pkg/libhelm/sdk/show_test.go b/pkg/libhelm/sdk/show_test.go
index 124aac02d..302f188ca 100644
--- a/pkg/libhelm/sdk/show_test.go
+++ b/pkg/libhelm/sdk/show_test.go
@@ -21,7 +21,7 @@ func Test_Show(t *testing.T) {
 		Chart: "ingress-nginx",
 		Repo:  "https://kubernetes.github.io/ingress-nginx",
 	}
-	release, err := hspm.Install(installOpts)
+	release, err := hspm.Upgrade(installOpts)
 	if release != nil || err != nil {
 		defer hspm.Uninstall(options.UninstallOptions{
 			Name: "ingress-nginx",
diff --git a/pkg/libhelm/sdk/testutils/values.go b/pkg/libhelm/sdk/testutils/values.go
new file mode 100644
index 000000000..c1d14c3e7
--- /dev/null
+++ b/pkg/libhelm/sdk/testutils/values.go
@@ -0,0 +1,26 @@
+package testutils
+
+import (
+	"os"
+)
+
+// CreateValuesFile creates a temporary file with the given content for testing
+func CreateValuesFile(values string) (string, error) {
+	file, err := os.CreateTemp("", "helm-values")
+	if err != nil {
+		return "", err
+	}
+
+	_, err = file.WriteString(values)
+	if err != nil {
+		file.Close()
+		return "", err
+	}
+
+	err = file.Close()
+	if err != nil {
+		return "", err
+	}
+
+	return file.Name(), nil
+}
diff --git a/pkg/libhelm/sdk/uninstall.go b/pkg/libhelm/sdk/uninstall.go
index 5459b9e84..c2927999c 100644
--- a/pkg/libhelm/sdk/uninstall.go
+++ b/pkg/libhelm/sdk/uninstall.go
@@ -26,12 +26,7 @@ func (hspm *HelmSDKPackageManager) Uninstall(uninstallOpts options.UninstallOpti
 	actionConfig := new(action.Configuration)
 	err := hspm.initActionConfig(actionConfig, uninstallOpts.Namespace, uninstallOpts.KubernetesClusterAccess)
 	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Str("release", uninstallOpts.Name).
-			Str("namespace", uninstallOpts.Namespace).
-			Err(err).
-			Msg("Failed to initialize helm configuration")
+		// error is already logged in initActionConfig
 		return errors.Wrap(err, "failed to initialize helm configuration")
 	}
 
diff --git a/pkg/libhelm/sdk/uninstall_test.go b/pkg/libhelm/sdk/uninstall_test.go
index 28ef1cb21..684be1780 100644
--- a/pkg/libhelm/sdk/uninstall_test.go
+++ b/pkg/libhelm/sdk/uninstall_test.go
@@ -48,7 +48,7 @@ func Test_Uninstall(t *testing.T) {
 		}
 
 		// Install the release
-		_, err := hspm.Install(installOpts)
+		_, err := hspm.Upgrade(installOpts)
 		if err != nil {
 			t.Logf("Error installing release: %v", err)
 			t.Skip("Skipping uninstall test because install failed")
diff --git a/pkg/libhelm/sdk/upgrade.go b/pkg/libhelm/sdk/upgrade.go
new file mode 100644
index 000000000..cc284cf31
--- /dev/null
+++ b/pkg/libhelm/sdk/upgrade.go
@@ -0,0 +1,161 @@
+package sdk
+
+import (
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/postrender"
+)
+
+// Upgrade implements the HelmPackageManager interface by using the Helm SDK to upgrade a chart.
+// If the release does not exist, it will install it instead.
+func (hspm *HelmSDKPackageManager) Upgrade(upgradeOpts options.InstallOptions) (*release.Release, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("chart", upgradeOpts.Chart).
+		Str("name", upgradeOpts.Name).
+		Str("namespace", upgradeOpts.Namespace).
+		Str("repo", upgradeOpts.Repo).
+		Bool("wait", upgradeOpts.Wait).
+		Msg("Upgrading Helm chart")
+
+	if upgradeOpts.Name == "" {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", upgradeOpts.Chart).
+			Str("name", upgradeOpts.Name).
+			Str("namespace", upgradeOpts.Namespace).
+			Str("repo", upgradeOpts.Repo).
+			Bool("wait", upgradeOpts.Wait).
+			Msg("Name is required for helm release upgrade")
+		return nil, errors.New("name is required for helm release upgrade")
+	}
+
+	// Check if the release exists
+	exists, err := hspm.doesReleaseExist(upgradeOpts.Name, upgradeOpts.Namespace, upgradeOpts.KubernetesClusterAccess)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("name", upgradeOpts.Name).
+			Str("namespace", upgradeOpts.Namespace).
+			Err(err).
+			Msg("Failed to check if release exists")
+		return nil, errors.Wrap(err, "failed to check if release exists")
+	}
+
+	// If the release doesn't exist, install it instead
+	if !exists {
+		log.Info().
+			Str("context", "HelmClient").
+			Str("chart", upgradeOpts.Chart).
+			Str("name", upgradeOpts.Name).
+			Str("namespace", upgradeOpts.Namespace).
+			Msg("Release doesn't exist, installing instead")
+		return hspm.install(upgradeOpts)
+	}
+
+	// Initialize action configuration with kubernetes config
+	actionConfig := new(action.Configuration)
+	err = hspm.initActionConfig(actionConfig, upgradeOpts.Namespace, upgradeOpts.KubernetesClusterAccess)
+	if err != nil {
+		// error is already logged in initActionConfig
+		return nil, errors.Wrap(err, "failed to initialize helm configuration for helm release upgrade")
+	}
+
+	upgradeClient, err := initUpgradeClient(actionConfig, upgradeOpts)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to initialize helm upgrade client for helm release upgrade")
+		return nil, errors.Wrap(err, "failed to initialize helm upgrade client for helm release upgrade")
+	}
+
+	values, err := hspm.GetHelmValuesFromFile(upgradeOpts.ValuesFile)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to get Helm values from file for helm release upgrade")
+		return nil, errors.Wrap(err, "failed to get Helm values from file for helm release upgrade")
+	}
+
+	chart, err := hspm.loadAndValidateChartWithPathOptions(&upgradeClient.ChartPathOptions, upgradeOpts.Chart, upgradeOpts.Repo, upgradeClient.DependencyUpdate, "release upgrade")
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to load and validate chart for helm release upgrade")
+		return nil, errors.Wrap(err, "failed to load and validate chart for helm release upgrade")
+	}
+
+	log.Info().
+		Str("context", "HelmClient").
+		Str("chart", upgradeOpts.Chart).
+		Str("name", upgradeOpts.Name).
+		Str("namespace", upgradeOpts.Namespace).
+		Msg("Running chart upgrade for helm release")
+
+	helmRelease, err := upgradeClient.Run(upgradeOpts.Name, chart, values)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("chart", upgradeOpts.Chart).
+			Str("name", upgradeOpts.Name).
+			Str("namespace", upgradeOpts.Namespace).
+			Err(err).
+			Msg("Failed to upgrade helm chart for helm release upgrade")
+		return nil, errors.Wrap(err, "helm was not able to upgrade the chart for helm release upgrade")
+	}
+
+	return &release.Release{
+		Name:      helmRelease.Name,
+		Namespace: helmRelease.Namespace,
+		Chart: release.Chart{
+			Metadata: &release.Metadata{
+				Name:       helmRelease.Chart.Metadata.Name,
+				Version:    helmRelease.Chart.Metadata.Version,
+				AppVersion: helmRelease.Chart.Metadata.AppVersion,
+			},
+		},
+		Labels:   helmRelease.Labels,
+		Version:  helmRelease.Version,
+		Manifest: helmRelease.Manifest,
+	}, nil
+}
+
+// initUpgradeClient initializes the upgrade client with the given options
+// and return the upgrade client.
+func initUpgradeClient(actionConfig *action.Configuration, upgradeOpts options.InstallOptions) (*action.Upgrade, error) {
+	upgradeClient := action.NewUpgrade(actionConfig)
+	upgradeClient.DependencyUpdate = true
+	upgradeClient.Atomic = true
+	upgradeClient.ChartPathOptions.RepoURL = upgradeOpts.Repo
+	upgradeClient.Wait = upgradeOpts.Wait
+
+	// Set default values if not specified
+	if upgradeOpts.Timeout == 0 {
+		upgradeClient.Timeout = 5 * time.Minute
+	} else {
+		upgradeClient.Timeout = upgradeOpts.Timeout
+	}
+	if upgradeOpts.Namespace == "" {
+		upgradeOpts.Namespace = "default"
+	} else {
+		upgradeClient.Namespace = upgradeOpts.Namespace
+	}
+
+	if upgradeOpts.PostRenderer != "" {
+		postRenderer, err := postrender.NewExec(upgradeOpts.PostRenderer)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to create post renderer")
+		}
+		upgradeClient.PostRenderer = postRenderer
+	}
+
+	return upgradeClient, nil
+}
diff --git a/pkg/libhelm/sdk/upgrade_test.go b/pkg/libhelm/sdk/upgrade_test.go
new file mode 100644
index 000000000..86b88d0c5
--- /dev/null
+++ b/pkg/libhelm/sdk/upgrade_test.go
@@ -0,0 +1,179 @@
+package sdk
+
+import (
+	"os"
+	"testing"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestUpgrade(t *testing.T) {
+	test.EnsureIntegrationTest(t)
+	is := assert.New(t)
+
+	// Create a new SDK package manager
+	hspm := NewHelmSDKPackageManager()
+
+	t.Run("when no release exists, the chart should be installed", func(t *testing.T) {
+		// SDK equivalent of: helm upgrade --install test-new-nginx --repo https://kubernetes.github.io/ingress-nginx ingress-nginx
+		upgradeOpts := options.InstallOptions{
+			Name:      "test-new-nginx",
+			Namespace: "default",
+			Chart:     "ingress-nginx",
+			Repo:      "https://kubernetes.github.io/ingress-nginx",
+		}
+
+		// Ensure the release doesn't exist before test
+		hspm.Uninstall(options.UninstallOptions{
+			Name: upgradeOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(upgradeOpts)
+		if release != nil {
+			defer hspm.Uninstall(options.UninstallOptions{
+				Name: upgradeOpts.Name,
+			})
+		}
+
+		is.NoError(err, "should successfully install release via upgrade")
+		is.NotNil(release, "should return non-nil release")
+		is.Equal(upgradeOpts.Name, release.Name, "release name should match")
+		is.Equal(1, release.Version, "release version should be 1 for new install")
+		is.NotEmpty(release.Manifest, "release manifest should not be empty")
+
+		// Cleanup
+		defer hspm.Uninstall(options.UninstallOptions{
+			Name: upgradeOpts.Name,
+		})
+	})
+
+	t.Run("when release exists, the chart should be upgraded", func(t *testing.T) {
+		// First install a release
+		installOpts := options.InstallOptions{
+			Name:      "test-upgrade-nginx",
+			Chart:     "ingress-nginx",
+			Namespace: "default",
+			Repo:      "https://kubernetes.github.io/ingress-nginx",
+		}
+
+		// Ensure the release doesn't exist before test
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts)
+		defer hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+
+		// Upgrade the release with the same options
+		upgradedRelease, err := hspm.Upgrade(installOpts)
+
+		is.NoError(err, "should successfully upgrade release")
+		is.NotNil(upgradedRelease, "should return non-nil release")
+		is.Equal("test-upgrade-nginx", upgradedRelease.Name, "release name should match")
+		is.Equal(2, upgradedRelease.Version, "release version should be incremented to 2")
+		is.NotEmpty(upgradedRelease.Manifest, "release manifest should not be empty")
+	})
+
+	t.Run("should be able to upgrade with override values", func(t *testing.T) {
+		// First install a release
+		installOpts := options.InstallOptions{
+			Name:      "test-values-nginx",
+			Chart:     "ingress-nginx",
+			Namespace: "default",
+			Repo:      "https://kubernetes.github.io/ingress-nginx",
+		}
+
+		// Ensure the release doesn't exist before test
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts) // Cleanup
+		defer hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+
+		// Create values file
+		values, err := test.CreateValuesFile("service:\n  port:  8083")
+		is.NoError(err, "should create a values file")
+		defer os.Remove(values)
+
+		// Now upgrade with values
+		upgradeOpts := options.InstallOptions{
+			Name:       "test-values-nginx",
+			Chart:      "ingress-nginx",
+			Namespace:  "default",
+			Repo:       "https://kubernetes.github.io/ingress-nginx",
+			ValuesFile: values,
+		}
+
+		upgradedRelease, err := hspm.Upgrade(upgradeOpts)
+
+		is.NoError(err, "should successfully upgrade release with values")
+		is.NotNil(upgradedRelease, "should return non-nil release")
+		is.Equal("test-values-nginx", upgradedRelease.Name, "release name should match")
+		is.Equal(2, upgradedRelease.Version, "release version should be incremented to 2")
+		is.NotEmpty(upgradedRelease.Manifest, "release manifest should not be empty")
+	})
+
+	t.Run("should give an error if the override values are invalid", func(t *testing.T) {
+		// First install a release
+		installOpts := options.InstallOptions{
+			Name:      "test-invalid-values",
+			Chart:     "ingress-nginx",
+			Namespace: "default",
+			Repo:      "https://kubernetes.github.io/ingress-nginx",
+		}
+
+		// Ensure the release doesn't exist before test
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		release, err := hspm.Upgrade(installOpts)
+		defer hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+		is.NoError(err, "should successfully install release")
+		is.NotNil(release, "should return non-nil release")
+
+		// Create invalid values file
+		values, err := test.CreateValuesFile("this is not valid yaml")
+		is.NoError(err, "should create a values file")
+		defer os.Remove(values)
+
+		// Now upgrade with invalid values
+		upgradeOpts := options.InstallOptions{
+			Name:       "test-invalid-values",
+			Chart:      "ingress-nginx",
+			Namespace:  "default",
+			Repo:       "https://kubernetes.github.io/ingress-nginx",
+			ValuesFile: values,
+		}
+
+		_, err = hspm.Upgrade(upgradeOpts)
+
+		is.Error(err, "should return error with invalid values")
+	})
+
+	t.Run("should return error when name is not provided", func(t *testing.T) {
+		upgradeOpts := options.InstallOptions{
+			Chart:     "ingress-nginx",
+			Namespace: "default",
+			Repo:      "https://kubernetes.github.io/ingress-nginx",
+		}
+
+		_, err := hspm.Upgrade(upgradeOpts)
+
+		is.Error(err, "should return an error when name is not provided")
+		is.Equal("name is required for helm release upgrade", err.Error(), "should return correct error message")
+	})
+}
diff --git a/pkg/libhelm/test/mock.go b/pkg/libhelm/test/mock.go
index 0b7712aab..58d53715c 100644
--- a/pkg/libhelm/test/mock.go
+++ b/pkg/libhelm/test/mock.go
@@ -73,6 +73,11 @@ func (hpm *helmMockPackageManager) Install(installOpts options.InstallOptions) (
 	return newMockRelease(releaseElement), nil
 }
 
+// Upgrade a helm chart (not thread safe)
+func (hpm *helmMockPackageManager) Upgrade(upgradeOpts options.InstallOptions) (*release.Release, error) {
+	return hpm.Install(upgradeOpts)
+}
+
 // Show values/readme/chart etc
 func (hpm *helmMockPackageManager) Show(showOpts options.ShowOptions) ([]byte, error) {
 	switch showOpts.OutputFormat {
diff --git a/pkg/libhelm/test/values.go b/pkg/libhelm/test/values.go
new file mode 100644
index 000000000..a3f5df44c
--- /dev/null
+++ b/pkg/libhelm/test/values.go
@@ -0,0 +1,26 @@
+package test
+
+import (
+	"os"
+)
+
+// CreateValuesFile creates a temporary file with the given content for testing
+func CreateValuesFile(values string) (string, error) {
+	file, err := os.CreateTemp("", "helm-values")
+	if err != nil {
+		return "", err
+	}
+
+	_, err = file.WriteString(values)
+	if err != nil {
+		file.Close()
+		return "", err
+	}
+
+	err = file.Close()
+	if err != nil {
+		return "", err
+	}
+
+	return file.Name(), nil
+}
diff --git a/pkg/libhelm/types/types.go b/pkg/libhelm/types/types.go
index 91b777270..8c0caa80b 100644
--- a/pkg/libhelm/types/types.go
+++ b/pkg/libhelm/types/types.go
@@ -12,7 +12,7 @@ type HelmPackageManager interface {
 	Show(showOpts options.ShowOptions) ([]byte, error)
 	SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error)
 	List(listOpts options.ListOptions) ([]release.ReleaseElement, error)
-	Install(installOpts options.InstallOptions) (*release.Release, error)
+	Upgrade(upgradeOpts options.InstallOptions) (*release.Release, error)
 	Uninstall(uninstallOpts options.UninstallOptions) error
 }
 

From 81c5f4acc35f1dde2cf6518befe47b55089a3f66 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Thu, 27 Mar 2025 17:11:55 +1300
Subject: [PATCH 065/212] feat(editor): provide yaml validation for docker
 compose in the portainer web editor [BE-11697] (#526)

---
 .../components/code-editor/code-editor.html   |    1 +
 .../components/code-editor/code-editor.js     |    1 +
 .../form-components/web-editor-form/index.js  |    1 +
 .../web-editor-form/web-editor-form.html      |    1 +
 app/portainer/react/components/index.ts       |    1 +
 .../stacks/create/createStackController.js    |    7 +
 .../views/stacks/create/createstack.html      |    1 +
 app/portainer/views/stacks/edit/stack.html    |    6 +-
 .../views/stacks/edit/stackController.js      |    7 +
 app/react/components/CodeEditor.module.css    |   24 +
 app/react/components/CodeEditor.test.tsx      |  115 ++
 app/react/components/CodeEditor.tsx           |   90 +-
 app/react/components/WebEditorForm.tsx        |    9 +-
 .../CreateView/DockerContentField.tsx         |    7 +-
 .../CreateView/tests/app-templates.test.tsx   |    3 +-
 .../tests/custom-templates.test.tsx           |    3 +-
 .../CreateView/tests/utils.test.tsx           |    8 +-
 .../EditEdgeStackForm/ComposeForm.tsx         |    4 +
 .../docker-compose-schema.ts                  | 1100 +++++++++++++++++
 .../useDockerComposeSchema.ts                 |   37 +
 app/setup-tests/mock-codemirror.tsx           |   16 +
 app/setup-tests/setup-codemirror.ts           |   42 +
 package.json                                  |    5 +-
 tsconfig.json                                 |    4 +-
 vitest.config.mts                             |   10 +-
 webpack/webpack.common.js                     |    7 +
 yarn.lock                                     |  572 ++++++++-
 27 files changed, 2046 insertions(+), 36 deletions(-)
 create mode 100644 app/react/components/CodeEditor.test.tsx
 create mode 100644 app/react/hooks/useDockerComposeSchema/docker-compose-schema.ts
 create mode 100644 app/react/hooks/useDockerComposeSchema/useDockerComposeSchema.ts
 create mode 100644 app/setup-tests/mock-codemirror.tsx
 create mode 100644 app/setup-tests/setup-codemirror.ts

diff --git a/app/portainer/components/code-editor/code-editor.html b/app/portainer/components/code-editor/code-editor.html
index f7ad81fc4..2cf42b272 100644
--- a/app/portainer/components/code-editor/code-editor.html
+++ b/app/portainer/components/code-editor/code-editor.html
@@ -6,4 +6,5 @@
   on-change="($ctrl.handleChange)"
   value="$ctrl.value"
   height="$ctrl.height || undefined"
+  schema="$ctrl.schema"
 ></react-code-editor>
diff --git a/app/portainer/components/code-editor/code-editor.js b/app/portainer/components/code-editor/code-editor.js
index c20f6e6fb..db6a4fbaf 100644
--- a/app/portainer/components/code-editor/code-editor.js
+++ b/app/portainer/components/code-editor/code-editor.js
@@ -13,5 +13,6 @@ angular.module('portainer.app').component('codeEditor', {
     onChange: '<',
     value: '<',
     height: '@',
+    schema: '<',
   },
 });
diff --git a/app/portainer/components/form-components/web-editor-form/index.js b/app/portainer/components/form-components/web-editor-form/index.js
index 5fa476e61..45301f683 100644
--- a/app/portainer/components/form-components/web-editor-form/index.js
+++ b/app/portainer/components/form-components/web-editor-form/index.js
@@ -13,6 +13,7 @@ export const webEditorForm = {
     onChange: '<',
     hideTitle: '<',
     height: '@',
+    schema: '<',
   },
 
   transclude: {
diff --git a/app/portainer/components/form-components/web-editor-form/web-editor-form.html b/app/portainer/components/form-components/web-editor-form/web-editor-form.html
index 9dd875abf..1727cc893 100644
--- a/app/portainer/components/form-components/web-editor-form/web-editor-form.html
+++ b/app/portainer/components/form-components/web-editor-form/web-editor-form.html
@@ -48,6 +48,7 @@
           value="$ctrl.value"
           on-change="($ctrl.onChange)"
           height="{{ $ctrl.height }}"
+          schema="$ctrl.schema"
         ></code-editor>
       </div>
     </div>
diff --git a/app/portainer/react/components/index.ts b/app/portainer/react/components/index.ts
index db071b5f5..535032fae 100644
--- a/app/portainer/react/components/index.ts
+++ b/app/portainer/react/components/index.ts
@@ -232,6 +232,7 @@ export const ngModule = angular
       'data-cy',
       'versions',
       'onVersionChange',
+      'schema',
     ])
   )
   .component(
diff --git a/app/portainer/views/stacks/create/createStackController.js b/app/portainer/views/stacks/create/createStackController.js
index a07c4aa3f..118e2d23a 100644
--- a/app/portainer/views/stacks/create/createStackController.js
+++ b/app/portainer/views/stacks/create/createStackController.js
@@ -10,6 +10,7 @@ import { confirmWebEditorDiscard } from '@@/modals/confirm';
 import { parseAutoUpdateResponse, transformAutoUpdateViewModel } from '@/react/portainer/gitops/AutoUpdateFieldset/utils';
 import { baseStackWebhookUrl, createWebhookId } from '@/portainer/helpers/webhookHelper';
 import { getVariablesFieldDefaultValues } from '@/react/portainer/custom-templates/components/CustomTemplatesVariablesField';
+import { getDockerComposeSchema } from '@/react/hooks/useDockerComposeSchema/useDockerComposeSchema';
 
 angular
   .module('portainer.app')
@@ -351,6 +352,12 @@ angular
         } catch (err) {
           Notifications.error('Failure', err, 'Unable to retrieve Containers');
         }
+
+        try {
+          $scope.dockerComposeSchema = await getDockerComposeSchema();
+        } catch (err) {
+          Notifications.error('Failure', err, 'Unable to load schema validation for editor');
+        }
       }
 
       this.uiCanExit = async function () {
diff --git a/app/portainer/views/stacks/create/createstack.html b/app/portainer/views/stacks/create/createstack.html
index 4674c6e3a..406686f8a 100644
--- a/app/portainer/views/stacks/create/createstack.html
+++ b/app/portainer/views/stacks/create/createstack.html
@@ -130,6 +130,7 @@
             yml="true"
             placeholder="Define or paste the content of your docker compose file here"
             read-only="state.isEditorReadOnly"
+            schema="dockerComposeSchema"
           >
             <editor-description>
               <p>
diff --git a/app/portainer/views/stacks/edit/stack.html b/app/portainer/views/stacks/edit/stack.html
index caf7a4f92..14c5c8628 100644
--- a/app/portainer/views/stacks/edit/stack.html
+++ b/app/portainer/views/stacks/edit/stack.html
@@ -150,8 +150,9 @@
                 <span class="col-sm-12 text-muted small">
                   You can get more information about Compose file format in the <a href="https://docs.docker.com/compose/compose-file/" target="_blank">official documentation</a>.
                 </span>
-                <div class="col-sm-12" ng-if="state.yamlError">
-                  <span class="text-danger small">{{ state.yamlError }}</span>
+                <!-- opacity-0 with &nbsp; fixes the layout shift causing tooltips to go over hovered text -->
+                <div class="col-sm-12" ng-class="{ 'opacity-100': state.yamlError, 'opacity-0': !state.yamlError }">
+                  <span class="text-danger small">{{ state.yamlError || '&nbsp;' }}</span>
                 </div>
               </div>
               <div class="form-group">
@@ -163,6 +164,7 @@
                     yml="true"
                     on-change="(editorUpdate)"
                     value="stackFileContent"
+                    schema="dockerComposeSchema"
                   ></code-editor>
                 </div>
               </div>
diff --git a/app/portainer/views/stacks/edit/stackController.js b/app/portainer/views/stacks/edit/stackController.js
index 385b7101f..8e3db07ec 100644
--- a/app/portainer/views/stacks/edit/stackController.js
+++ b/app/portainer/views/stacks/edit/stackController.js
@@ -8,6 +8,7 @@ import { confirmStackUpdate } from '@/react/common/stacks/common/confirm-stack-u
 import { confirm, confirmDelete, confirmWebEditorDiscard } from '@@/modals/confirm';
 import { ModalType } from '@@/modals';
 import { buildConfirmButton } from '@@/modals/utils';
+import { getDockerComposeSchema } from '@/react/hooks/useDockerComposeSchema/useDockerComposeSchema';
 
 angular.module('portainer.app').controller('StackController', [
   '$async',
@@ -491,6 +492,12 @@ angular.module('portainer.app').controller('StackController', [
       }
 
       $scope.composeSyntaxMaxVersion = endpoint.ComposeSyntaxMaxVersion;
+
+      try {
+        $scope.dockerComposeSchema = await getDockerComposeSchema();
+      } catch (err) {
+        Notifications.error('Failure', err, 'Unable to load schema validation for editor');
+      }
     }
 
     initView();
diff --git a/app/react/components/CodeEditor.module.css b/app/react/components/CodeEditor.module.css
index d7ff66ce2..4936a56e4 100644
--- a/app/react/components/CodeEditor.module.css
+++ b/app/react/components/CodeEditor.module.css
@@ -11,6 +11,8 @@
   --bg-codemirror-gutters-color: var(--grey-17);
   --bg-codemirror-selected-color: var(--grey-22);
   --border-codemirror-cursor-color: var(--black-color);
+  --bg-tooltip-color: var(--white-color);
+  --text-tooltip-color: var(--black-color);
 }
 
 :global([theme='dark']) .root {
@@ -24,6 +26,8 @@
   --bg-codemirror-gutters-color: var(--grey-3);
   --bg-codemirror-selected-color: var(--grey-3);
   --border-codemirror-cursor-color: var(--white-color);
+  --bg-tooltip-color: var(--grey-3);
+  --text-tooltip-color: var(--white-color);
 }
 
 :global([theme='highcontrast']) .root {
@@ -37,6 +41,8 @@
   --bg-codemirror-gutters-color: var(--ui-gray-warm-11);
   --bg-codemirror-selected-color: var(--grey-3);
   --border-codemirror-cursor-color: var(--white-color);
+  --bg-tooltip-color: var(--black-color);
+  --text-tooltip-color: var(--white-color);
 }
 
 .root :global(.cm-editor .cm-gutters) {
@@ -138,3 +144,21 @@
 .root :global(.cm-panel.cm-search label) {
   @apply text-xs;
 }
+
+/* Tooltip styles for all themes */
+.root :global(.cm-tooltip) {
+  @apply bg-white border border-solid border-gray-5 shadow-md text-xs rounded h-min;
+  @apply th-dark:bg-gray-9 th-dark:border-gray-7 th-dark:text-white;
+  @apply th-highcontrast:bg-black th-highcontrast:border-gray-7 th-highcontrast:text-white;
+}
+
+/* Hide the completionInfo tooltip when it's empty */
+/* note: I only chose the complicated selector because the simple selector `.cm-tooltip.cm-completionInfo:empty` didn't work */
+.root :global(.cm-tooltip.cm-completionInfo:not(:has(*:not(:empty)))) {
+  display: none;
+}
+
+/* Active line gutter styles for all themes */
+.root :global(.cm-activeLineGutter) {
+  @apply bg-inherit;
+}
diff --git a/app/react/components/CodeEditor.test.tsx b/app/react/components/CodeEditor.test.tsx
new file mode 100644
index 000000000..1d1a3ae85
--- /dev/null
+++ b/app/react/components/CodeEditor.test.tsx
@@ -0,0 +1,115 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+
+import { CodeEditor } from './CodeEditor';
+
+vi.mock('yaml-schema', () => ({}));
+
+const defaultProps = {
+  id: 'test-editor',
+  onChange: vi.fn(),
+  value: '',
+  'data-cy': 'test-editor',
+};
+
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+
+test('should render with basic props', () => {
+  render(<CodeEditor {...defaultProps} />);
+  expect(screen.getByRole('textbox')).toBeInTheDocument();
+});
+
+test('should display placeholder when provided', async () => {
+  const placeholder = 'Enter your code here';
+  const { findByText } = render(
+    <CodeEditor {...defaultProps} placeholder={placeholder} />
+  );
+
+  const placeholderText = await findByText(placeholder);
+  expect(placeholderText).toBeVisible();
+});
+
+test('should show copy button and copy content', async () => {
+  const testValue = 'test content';
+  const { findByText } = render(
+    <CodeEditor {...defaultProps} value={testValue} />
+  );
+
+  const mockClipboard = {
+    writeText: vi.fn(),
+  };
+  Object.assign(navigator, {
+    clipboard: mockClipboard,
+  });
+
+  const copyButton = await findByText('Copy to clipboard');
+  expect(copyButton).toBeVisible();
+
+  await userEvent.click(copyButton);
+  expect(navigator.clipboard.writeText).toHaveBeenCalledWith(testValue);
+});
+
+test('should handle read-only mode', async () => {
+  const { findByRole } = render(<CodeEditor {...defaultProps} readonly />);
+  const editor = await findByRole('textbox');
+  // the editor should not editable
+  await userEvent.type(editor, 'test');
+  expect(editor).not.toHaveValue('test');
+});
+
+test('should show version selector when versions are provided', async () => {
+  const versions = [1, 2, 3];
+  const onVersionChange = vi.fn();
+  const { findByRole } = render(
+    <CodeEditor
+      {...defaultProps}
+      versions={versions}
+      onVersionChange={onVersionChange}
+    />
+  );
+
+  const selector = await findByRole('combobox');
+  expect(selector).toBeVisible();
+});
+
+test('should handle YAML indentation correctly', async () => {
+  const onChange = vi.fn();
+  const yamlContent = 'services:';
+
+  const { findByRole } = render(
+    <CodeEditor
+      {...defaultProps}
+      value={yamlContent}
+      onChange={onChange}
+      type="yaml"
+    />
+  );
+
+  const editor = await findByRole('textbox');
+  await userEvent.type(editor, '{enter}');
+  await userEvent.keyboard('database:');
+  await userEvent.keyboard('{enter}');
+  await userEvent.keyboard('image: nginx');
+  await userEvent.keyboard('{enter}');
+  await userEvent.keyboard('name: database');
+
+  // Wait for the debounced onChange to be called
+  setTimeout(() => {
+    expect(onChange).toHaveBeenCalledWith(
+      'services:\n  database:\n    image: nginx\n    name: database'
+    );
+    // debounce timeout is 300ms, so 500ms is enough
+  }, 500);
+});
+
+test('should apply custom height', async () => {
+  const customHeight = '300px';
+  const { findByRole } = render(
+    <CodeEditor {...defaultProps} height={customHeight} />
+  );
+
+  const editor = (await findByRole('textbox')).parentElement?.parentElement;
+  expect(editor).toHaveStyle({ height: customHeight });
+});
diff --git a/app/react/components/CodeEditor.tsx b/app/react/components/CodeEditor.tsx
index 5850fae87..206f7fc5b 100644
--- a/app/react/components/CodeEditor.tsx
+++ b/app/react/components/CodeEditor.tsx
@@ -1,11 +1,24 @@
-import CodeMirror from '@uiw/react-codemirror';
-import { StreamLanguage, LanguageSupport } from '@codemirror/language';
+import CodeMirror, {
+  keymap,
+  oneDarkHighlightStyle,
+} from '@uiw/react-codemirror';
+import {
+  StreamLanguage,
+  LanguageSupport,
+  syntaxHighlighting,
+  indentService,
+} from '@codemirror/language';
 import { yaml } from '@codemirror/legacy-modes/mode/yaml';
 import { dockerFile } from '@codemirror/legacy-modes/mode/dockerfile';
 import { shell } from '@codemirror/legacy-modes/mode/shell';
 import { useCallback, useMemo, useState } from 'react';
 import { createTheme } from '@uiw/codemirror-themes';
 import { tags as highlightTags } from '@lezer/highlight';
+import type { JSONSchema7 } from 'json-schema';
+import { lintKeymap, lintGutter } from '@codemirror/lint';
+import { defaultKeymap } from '@codemirror/commands';
+import { autocompletion, completionKeymap } from '@codemirror/autocomplete';
+import { yamlCompletion, yamlSchema } from 'yaml-schema';
 
 import { AutomationTestingProps } from '@/types';
 
@@ -28,6 +41,7 @@ interface Props extends AutomationTestingProps {
   height?: string;
   versions?: number[];
   onVersionChange?: (version: number) => void;
+  schema?: JSONSchema7;
 }
 
 const theme = createTheme({
@@ -57,18 +71,69 @@ const theme = createTheme({
   ],
 });
 
-const yamlLanguage = new LanguageSupport(StreamLanguage.define(yaml));
+// Custom indentation service for YAML
+const yamlIndentExtension = indentService.of((context, pos) => {
+  const prevLine = context.lineAt(pos, -1);
+
+  // Default to same as previous line
+  const prevIndent = /^\s*/.exec(prevLine.text)?.[0].length || 0;
+
+  // If previous line ends with a colon, increase indent
+  if (/:\s*$/.test(prevLine.text)) {
+    return prevIndent + 2; // Indent 2 spaces after a colon
+  }
+
+  return prevIndent;
+});
+
+// Create enhanced YAML language with custom indentation (from @codemirror/legacy-modes/mode/yaml)
+const yamlLanguageLegacy = new LanguageSupport(StreamLanguage.define(yaml), [
+  yamlIndentExtension,
+  syntaxHighlighting(oneDarkHighlightStyle),
+]);
+
 const dockerFileLanguage = new LanguageSupport(
   StreamLanguage.define(dockerFile)
 );
 const shellLanguage = new LanguageSupport(StreamLanguage.define(shell));
 
 const docTypeExtensionMap: Record<Type, LanguageSupport> = {
-  yaml: yamlLanguage,
+  yaml: yamlLanguageLegacy,
   dockerfile: dockerFileLanguage,
   shell: shellLanguage,
 };
 
+function schemaValidationExtensions(schema: JSONSchema7) {
+  // skip the hover extension because fields like 'networks' display as 'null' with no description when using the default hover
+  // skip the completion extension in favor of custom completion
+  const [yaml, linter, , , stateExtensions] = yamlSchema(schema);
+  return [
+    yaml,
+    linter,
+    autocompletion({
+      icons: false,
+      activateOnTypingDelay: 300,
+      selectOnOpen: true,
+      activateOnTyping: true,
+      override: [
+        (ctx) => {
+          const getCompletions = yamlCompletion();
+          const completions = getCompletions(ctx);
+          if (Array.isArray(completions)) {
+            return null;
+          }
+          return completions;
+        },
+      ],
+    }),
+    stateExtensions,
+    yamlIndentExtension,
+    syntaxHighlighting(oneDarkHighlightStyle),
+    lintGutter(),
+    keymap.of([...defaultKeymap, ...completionKeymap, ...lintKeymap]),
+  ];
+}
+
 export function CodeEditor({
   id,
   onChange,
@@ -79,17 +144,22 @@ export function CodeEditor({
   onVersionChange,
   height = '500px',
   type,
+  schema,
   'data-cy': dataCy,
 }: Props) {
   const [isRollback, setIsRollback] = useState(false);
 
   const extensions = useMemo(() => {
-    const extensions = [];
-    if (type && docTypeExtensionMap[type]) {
-      extensions.push(docTypeExtensionMap[type]);
+    if (!type || !docTypeExtensionMap[type]) {
+      return [];
     }
-    return extensions;
-  }, [type]);
+    // YAML-specific schema validation
+    if (schema && type === 'yaml') {
+      return schemaValidationExtensions(schema);
+    }
+    // Default language support
+    return [docTypeExtensionMap[type]];
+  }, [type, schema]);
 
   const handleVersionChange = useCallback(
     (version: number) => {
@@ -146,7 +216,7 @@ export function CodeEditor({
         height={height}
         basicSetup={{
           highlightSelectionMatches: false,
-          autocompletion: false,
+          autocompletion: !!schema,
         }}
         data-cy={dataCy}
       />
diff --git a/app/react/components/WebEditorForm.tsx b/app/react/components/WebEditorForm.tsx
index b9b95d4fd..222a4552f 100644
--- a/app/react/components/WebEditorForm.tsx
+++ b/app/react/components/WebEditorForm.tsx
@@ -1,11 +1,12 @@
 import {
+  ReactNode,
   ComponentProps,
   PropsWithChildren,
-  ReactNode,
-  useEffect,
   useMemo,
+  useEffect,
 } from 'react';
 import { useTransitionHook } from '@uirouter/react';
+import { JSONSchema7 } from 'json-schema';
 
 import { BROWSER_OS_PLATFORM } from '@/react/constants';
 
@@ -63,6 +64,7 @@ interface Props extends CodeEditorProps {
   titleContent?: ReactNode;
   hideTitle?: boolean;
   error?: string;
+  schema?: JSONSchema7;
 }
 
 export function WebEditorForm({
@@ -71,6 +73,7 @@ export function WebEditorForm({
   hideTitle,
   children,
   error,
+  schema,
   ...props
 }: PropsWithChildren<Props>) {
   return (
@@ -94,6 +97,8 @@ export function WebEditorForm({
           <div className="col-sm-12 col-lg-12">
             <CodeEditor
               id={id}
+              type="yaml"
+              schema={schema as JSONSchema7}
               // eslint-disable-next-line react/jsx-props-no-spreading
               {...props}
             />
diff --git a/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx b/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx
index 015efcce3..2f24354bb 100644
--- a/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx
+++ b/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx
@@ -1,3 +1,5 @@
+import { useDockerComposeSchema } from '@/react/hooks/useDockerComposeSchema/useDockerComposeSchema';
+
 import { InlineLoader } from '@@/InlineLoader';
 import { WebEditorForm } from '@@/WebEditorForm';
 
@@ -14,7 +16,9 @@ export function DockerContentField({
   readonly?: boolean;
   isLoading?: boolean;
 }) {
-  if (isLoading) {
+  const dockerComposeSchemaQuery = useDockerComposeSchema();
+
+  if (isLoading || dockerComposeSchemaQuery.isInitialLoading) {
     return <InlineLoader>Loading stack content...</InlineLoader>;
   }
 
@@ -27,6 +31,7 @@ export function DockerContentField({
       placeholder="Define or paste the content of your docker compose file here"
       error={error}
       readonly={readonly}
+      schema={dockerComposeSchemaQuery.data}
       data-cy="stack-creation-editor"
     >
       You can get more information about Compose file format in the{' '}
diff --git a/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx b/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx
index ac597e01a..9cb4ba546 100644
--- a/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx
+++ b/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx
@@ -4,8 +4,9 @@ import userEvent from '@testing-library/user-event';
 
 import { http, server } from '@/setup-tests/server';
 import selectEvent from '@/react/test-utils/react-select';
+import { mockCodeMirror } from '@/setup-tests/mock-codemirror';
 
-import { mockCodeMirror, renderCreateForm } from './utils.test';
+import { renderCreateForm } from './utils.test';
 
 // keep mockTemplateId and mockTemplateType in module scope
 let mockTemplateId: number;
diff --git a/app/react/edge/edge-stacks/CreateView/tests/custom-templates.test.tsx b/app/react/edge/edge-stacks/CreateView/tests/custom-templates.test.tsx
index e87cba38f..eaece356a 100644
--- a/app/react/edge/edge-stacks/CreateView/tests/custom-templates.test.tsx
+++ b/app/react/edge/edge-stacks/CreateView/tests/custom-templates.test.tsx
@@ -4,8 +4,9 @@ import userEvent from '@testing-library/user-event';
 
 import { http, server } from '@/setup-tests/server';
 import selectEvent from '@/react/test-utils/react-select';
+import { mockCodeMirror } from '@/setup-tests/mock-codemirror';
 
-import { mockCodeMirror, renderCreateForm } from './utils.test';
+import { renderCreateForm } from './utils.test';
 
 // keep mockTemplateId and mockTemplateType in module scope
 let mockTemplateId: number;
diff --git a/app/react/edge/edge-stacks/CreateView/tests/utils.test.tsx b/app/react/edge/edge-stacks/CreateView/tests/utils.test.tsx
index 179f67787..6af7868cd 100644
--- a/app/react/edge/edge-stacks/CreateView/tests/utils.test.tsx
+++ b/app/react/edge/edge-stacks/CreateView/tests/utils.test.tsx
@@ -6,6 +6,7 @@ import { withUserProvider } from '@/react/test-utils/withUserProvider';
 import { withTestRouter } from '@/react/test-utils/withRouter';
 import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
 import { http, server } from '@/setup-tests/server';
+import { mockCodeMirror } from '@/setup-tests/mock-codemirror';
 
 import { CreateForm } from '../CreateForm';
 
@@ -211,13 +212,6 @@ test('The form should render', async () => {
   });
 });
 
-export function mockCodeMirror() {
-  vi.mock('@uiw/react-codemirror', () => ({
-    __esModule: true,
-    default: () => <div />,
-  }));
-}
-
 export function renderCreateForm() {
   // user declaration needs to go at the start for user id related requests (e.g. git credentials)
   const user = new UserViewModel({ Username: 'user' });
diff --git a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx
index 118de09ac..806d793ab 100644
--- a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx
+++ b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx
@@ -1,5 +1,7 @@
 import { useFormikContext } from 'formik';
 
+import { useDockerComposeSchema } from '@/react/hooks/useDockerComposeSchema/useDockerComposeSchema';
+
 import { TextTip } from '@@/Tip/TextTip';
 import { WebEditorForm } from '@@/WebEditorForm';
 
@@ -19,6 +21,7 @@ export function ComposeForm({
   versionOptions: number[] | undefined;
 }) {
   const { errors, values } = useFormikContext<FormValues>();
+  const { data: dockerComposeSchema } = useDockerComposeSchema();
 
   return (
     <>
@@ -61,6 +64,7 @@ export function ComposeForm({
         data-cy="compose-editor"
         value={values.content}
         type="yaml"
+        schema={dockerComposeSchema}
         id="compose-editor"
         placeholder="Define or paste the content of your docker compose file here"
         onChange={(value) => handleContentChange(DeploymentType.Compose, value)}
diff --git a/app/react/hooks/useDockerComposeSchema/docker-compose-schema.ts b/app/react/hooks/useDockerComposeSchema/docker-compose-schema.ts
new file mode 100644
index 000000000..6440d8f9b
--- /dev/null
+++ b/app/react/hooks/useDockerComposeSchema/docker-compose-schema.ts
@@ -0,0 +1,1100 @@
+// based on https://github.com/compose-spec/compose-spec/blob/master/schema/compose-spec.json
+// with added descriptions from https://github.com/microsoft/compose-language-service/blob/7a74283ddb866988fed86241f461a657f0aee6d0/src/service/providers/KeyHoverProvider.ts#L57-L184
+// hopefully https://github.com/compose-spec/compose-spec/pull/581 will apply these same changes
+export const dockerComposeSchema = {
+  $schema: 'https://json-schema.org/draft-07/schema',
+  $id: 'compose_spec.json',
+  type: 'object',
+  title: 'Compose Specification',
+  description:
+    'The Compose file is a YAML file defining a multi-containers based application.',
+
+  properties: {
+    version: {
+      type: 'string',
+      description:
+        'The version of the Docker Compose document. Declared for backward compatibility, ignored in recent versions.',
+    },
+
+    name: {
+      type: 'string',
+      description:
+        'Define the Compose project name, until user defines one explicitly.',
+    },
+
+    include: {
+      type: 'array',
+      items: {
+        $ref: '#/definitions/include',
+      },
+      description: 'Compose sub-projects to be included.',
+    },
+
+    services: {
+      type: 'object',
+      description: 'The services in your project.',
+      patternProperties: {
+        '^[a-zA-Z0-9._-]+$': {
+          $ref: '#/definitions/service',
+        },
+      },
+      additionalProperties: false,
+    },
+
+    networks: {
+      type: 'object',
+      description: 'Networks that are shared among multiple services.',
+      patternProperties: {
+        '^[a-zA-Z0-9._-]+$': {
+          $ref: '#/definitions/network',
+        },
+      },
+    },
+
+    volumes: {
+      type: 'object',
+      description: 'Named volumes that are shared among multiple services.',
+      patternProperties: {
+        '^[a-zA-Z0-9._-]+$': {
+          $ref: '#/definitions/volume',
+        },
+      },
+      additionalProperties: false,
+    },
+
+    secrets: {
+      type: 'object',
+      description: 'Secrets that are shared among multiple services.',
+      patternProperties: {
+        '^[a-zA-Z0-9._-]+$': {
+          $ref: '#/definitions/secret',
+        },
+      },
+      additionalProperties: false,
+    },
+
+    configs: {
+      type: 'object',
+      description: 'Configurations for services in the project.',
+      patternProperties: {
+        '^[a-zA-Z0-9._-]+$': {
+          $ref: '#/definitions/config',
+        },
+      },
+      additionalProperties: false,
+    },
+  },
+
+  patternProperties: { '^x-': {} },
+  additionalProperties: false,
+
+  definitions: {
+    service: {
+      type: 'object',
+
+      properties: {
+        develop: { $ref: '#/definitions/development' },
+        deploy: { $ref: '#/definitions/deployment' },
+        annotations: { $ref: '#/definitions/list_or_dict' },
+        attach: { type: ['boolean', 'string'] },
+        build: {
+          oneOf: [
+            { type: 'string' },
+            {
+              type: 'object',
+              description: 'The context used for building the image.',
+              properties: {
+                context: {
+                  type: 'string',
+                  description: 'The context used for building the image.',
+                },
+                dockerfile: {
+                  type: 'string',
+                  description: 'The Dockerfile used for building the image.',
+                },
+                dockerfile_inline: { type: 'string' },
+                entitlements: { type: 'array', items: { type: 'string' } },
+                args: {
+                  $ref: '#/definitions/list_or_dict',
+                  description: 'Arguments used during the image build process.',
+                },
+                ssh: { $ref: '#/definitions/list_or_dict' },
+                labels: { $ref: '#/definitions/list_or_dict' },
+                cache_from: { type: 'array', items: { type: 'string' } },
+                cache_to: { type: 'array', items: { type: 'string' } },
+                no_cache: { type: ['boolean', 'string'] },
+                additional_contexts: { $ref: '#/definitions/list_or_dict' },
+                network: { type: 'string' },
+                pull: { type: ['boolean', 'string'] },
+                target: { type: 'string' },
+                shm_size: { type: ['integer', 'string'] },
+                extra_hosts: { $ref: '#/definitions/extra_hosts' },
+                isolation: { type: 'string' },
+                privileged: { type: ['boolean', 'string'] },
+                secrets: { $ref: '#/definitions/service_config_or_secret' },
+                tags: { type: 'array', items: { type: 'string' } },
+                ulimits: { $ref: '#/definitions/ulimits' },
+                platforms: { type: 'array', items: { type: 'string' } },
+              },
+              additionalProperties: false,
+              patternProperties: { '^x-': {} },
+            },
+          ],
+        },
+        blkio_config: {
+          type: 'object',
+          properties: {
+            device_read_bps: {
+              type: 'array',
+              items: { $ref: '#/definitions/blkio_limit' },
+            },
+            device_read_iops: {
+              type: 'array',
+              items: { $ref: '#/definitions/blkio_limit' },
+            },
+            device_write_bps: {
+              type: 'array',
+              items: { $ref: '#/definitions/blkio_limit' },
+            },
+            device_write_iops: {
+              type: 'array',
+              items: { $ref: '#/definitions/blkio_limit' },
+            },
+            weight: { type: ['integer', 'string'] },
+            weight_device: {
+              type: 'array',
+              items: { $ref: '#/definitions/blkio_weight' },
+            },
+          },
+          additionalProperties: false,
+        },
+        cap_add: {
+          type: 'array',
+          items: { type: 'string' },
+          uniqueItems: true,
+        },
+        cap_drop: {
+          type: 'array',
+          items: { type: 'string' },
+          uniqueItems: true,
+        },
+        cgroup: { type: 'string', enum: ['host', 'private'] },
+        cgroup_parent: { type: 'string' },
+        command: {
+          $ref: '#/definitions/command',
+          description: 'The command that will be run in the container.',
+        },
+        configs: {
+          $ref: '#/definitions/service_config_or_secret',
+          description: 'Configurations the service will have access to.',
+        },
+        container_name: {
+          type: 'string',
+          description: 'The name that will be given to the container.',
+        },
+        cpu_count: {
+          oneOf: [{ type: 'string' }, { type: 'integer', minimum: 0 }],
+        },
+        cpu_percent: {
+          oneOf: [
+            { type: 'string' },
+            { type: 'integer', minimum: 0, maximum: 100 },
+          ],
+        },
+        cpu_shares: { type: ['number', 'string'] },
+        cpu_quota: { type: ['number', 'string'] },
+        cpu_period: { type: ['number', 'string'] },
+        cpu_rt_period: { type: ['number', 'string'] },
+        cpu_rt_runtime: { type: ['number', 'string'] },
+        cpus: { type: ['number', 'string'] },
+        cpuset: { type: 'string' },
+        credential_spec: {
+          type: 'object',
+          properties: {
+            config: { type: 'string' },
+            file: { type: 'string' },
+            registry: { type: 'string' },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        depends_on: {
+          oneOf: [
+            { $ref: '#/definitions/list_of_strings' },
+            {
+              type: 'object',
+              additionalProperties: false,
+              patternProperties: {
+                '^[a-zA-Z0-9._-]+$': {
+                  type: 'object',
+                  additionalProperties: false,
+                  patternProperties: { '^x-': {} },
+                  properties: {
+                    restart: { type: ['boolean', 'string'] },
+                    required: {
+                      type: 'boolean',
+                      default: true,
+                    },
+                    condition: {
+                      type: 'string',
+                      enum: [
+                        'service_started',
+                        'service_healthy',
+                        'service_completed_successfully',
+                      ],
+                    },
+                  },
+                  required: ['condition'],
+                },
+              },
+            },
+          ],
+          description:
+            'Other services that this service depends on, which will be started before this one.',
+        },
+        device_cgroup_rules: { $ref: '#/definitions/list_of_strings' },
+        devices: {
+          type: 'array',
+          items: {
+            oneOf: [
+              { type: 'string' },
+              {
+                type: 'object',
+                required: ['source'],
+                properties: {
+                  source: { type: 'string' },
+                  target: { type: 'string' },
+                  permissions: { type: 'string' },
+                },
+                additionalProperties: false,
+                patternProperties: { '^x-': {} },
+              },
+            ],
+          },
+        },
+        dns: { $ref: '#/definitions/string_or_list' },
+        dns_opt: {
+          type: 'array',
+          items: { type: 'string' },
+          uniqueItems: true,
+        },
+        dns_search: { $ref: '#/definitions/string_or_list' },
+        domainname: { type: 'string' },
+        entrypoint: {
+          $ref: '#/definitions/command',
+          description: 'The entrypoint to the application in the container.',
+        },
+        env_file: {
+          $ref: '#/definitions/env_file',
+          description:
+            'Files containing environment variables that will be included.',
+        },
+        label_file: { $ref: '#/definitions/label_file' },
+        environment: {
+          $ref: '#/definitions/list_or_dict',
+          description: 'Environment variables that will be included.',
+        },
+
+        expose: {
+          type: 'array',
+          items: {
+            type: ['string', 'number'],
+          },
+          uniqueItems: true,
+          description:
+            'Ports exposed to the other services but not to the host machine.',
+        },
+        extends: {
+          oneOf: [
+            { type: 'string' },
+            {
+              type: 'object',
+
+              properties: {
+                service: { type: 'string' },
+                file: { type: 'string' },
+              },
+              required: ['service'],
+              additionalProperties: false,
+            },
+          ],
+        },
+        external_links: {
+          type: 'array',
+          items: { type: 'string' },
+          uniqueItems: true,
+        },
+        extra_hosts: { $ref: '#/definitions/extra_hosts' },
+        gpus: { $ref: '#/definitions/gpus' },
+        group_add: {
+          type: 'array',
+          items: {
+            type: ['string', 'number'],
+          },
+          uniqueItems: true,
+        },
+        healthcheck: {
+          $ref: '#/definitions/healthcheck',
+          description: 'A command for checking if the container is healthy.',
+        },
+        hostname: { type: 'string' },
+        image: {
+          type: 'string',
+          description:
+            'The image that will be pulled for the service. If `build` is specified, the built image will be given this tag.',
+        },
+        init: { type: ['boolean', 'string'] },
+        ipc: { type: 'string' },
+        isolation: { type: 'string' },
+        labels: {
+          $ref: '#/definitions/list_or_dict',
+          description: 'Labels that will be given to the container.',
+        },
+        links: { type: 'array', items: { type: 'string' }, uniqueItems: true },
+        logging: {
+          type: 'object',
+          description: 'Settings for logging for this service.',
+          properties: {
+            driver: { type: 'string' },
+            options: {
+              type: 'object',
+              patternProperties: {
+                '^.+$': { type: ['string', 'number', 'null'] },
+              },
+            },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        mac_address: { type: 'string' },
+        mem_limit: { type: ['number', 'string'] },
+        mem_reservation: { type: ['string', 'integer'] },
+        mem_swappiness: { type: ['integer', 'string'] },
+        memswap_limit: { type: ['number', 'string'] },
+        network_mode: { type: 'string' },
+        networks: {
+          oneOf: [
+            { $ref: '#/definitions/list_of_strings' },
+            {
+              type: 'object',
+              properties: {},
+              patternProperties: {
+                '^[a-zA-Z0-9._-]+$': {
+                  oneOf: [
+                    { type: 'null' },
+                    {
+                      type: 'object',
+                      properties: {
+                        aliases: { $ref: '#/definitions/list_of_strings' },
+                        ipv4_address: { type: 'string' },
+                        ipv6_address: { type: 'string' },
+                        link_local_ips: {
+                          $ref: '#/definitions/list_of_strings',
+                        },
+                        priority: { type: ['number', 'string'] },
+                      },
+                      additionalProperties: false,
+                      patternProperties: { '^x-': {} },
+                    },
+                  ],
+                },
+              },
+              additionalProperties: false,
+            },
+          ],
+          description:
+            'The service will be included in these networks, allowing it to reach other containers on the same network.',
+        },
+        oom_kill_disable: { type: ['boolean', 'string'] },
+        oom_score_adj: {
+          oneOf: [
+            { type: 'string' },
+            { type: 'integer', minimum: -1000, maximum: 1000 },
+          ],
+        },
+        pid: { type: ['string', 'null'] },
+        pids_limit: { type: ['number', 'string'] },
+        platform: { type: 'string' },
+        ports: {
+          type: 'array',
+          items: {
+            oneOf: [
+              { type: ['number', 'string'] },
+              {
+                type: 'object',
+                properties: {
+                  mode: { type: 'string' },
+                  host_ip: { type: 'string' },
+                  target: { type: ['number', 'string'] },
+                  published: { type: ['number', 'string'] },
+                  protocol: { type: 'string' },
+                },
+                additionalProperties: false,
+                patternProperties: { '^x-': {} },
+              },
+            ],
+          },
+          uniqueItems: true,
+          description: 'Ports that will be exposed to the host.',
+        },
+        post_start: {
+          type: 'array',
+          items: { $ref: '#/definitions/service_hook' },
+        },
+        pre_stop: {
+          type: 'array',
+          items: { $ref: '#/definitions/service_hook' },
+        },
+        privileged: { type: ['boolean', 'string'] },
+        profiles: {
+          type: 'array',
+          items: { type: 'string' },
+          uniqueItems: true,
+          description:
+            'Profiles that this service is a part of. When the profile is started, this service will be started.',
+        },
+        pull_policy: {
+          type: 'string',
+          pattern:
+            'always|never|build|if_not_present|missing|refresh|daily|weekly|every_([0-9]+[wdhms])+',
+        },
+        pull_refresh_after: { type: 'string' },
+        read_only: { type: ['boolean', 'string'] },
+        restart: { type: 'string' },
+        runtime: {
+          type: 'string',
+        },
+        scale: {
+          type: ['integer', 'string'],
+        },
+        security_opt: {
+          type: 'array',
+          items: { type: 'string' },
+          uniqueItems: true,
+        },
+        shm_size: { type: ['number', 'string'] },
+        secrets: {
+          $ref: '#/definitions/service_config_or_secret',
+          description: 'Secrets the service will have access to.',
+        },
+        sysctls: { $ref: '#/definitions/list_or_dict' },
+        stdin_open: { type: ['boolean', 'string'] },
+        stop_grace_period: { type: 'string' },
+        stop_signal: { type: 'string' },
+        storage_opt: { type: 'object' },
+        tmpfs: { $ref: '#/definitions/string_or_list' },
+        tty: { type: ['boolean', 'string'] },
+        ulimits: { $ref: '#/definitions/ulimits' },
+        user: {
+          type: 'string',
+          description:
+            'The username under which the app in the container will be started.',
+        },
+        uts: { type: 'string' },
+        userns_mode: { type: 'string' },
+        volumes: {
+          type: 'array',
+          items: {
+            oneOf: [
+              { type: 'string' },
+              {
+                type: 'object',
+                required: ['type'],
+                properties: {
+                  type: { type: 'string' },
+                  source: { type: 'string' },
+                  target: { type: 'string' },
+                  read_only: { type: ['boolean', 'string'] },
+                  consistency: { type: 'string' },
+                  bind: {
+                    type: 'object',
+                    properties: {
+                      propagation: { type: 'string' },
+                      create_host_path: { type: ['boolean', 'string'] },
+                      selinux: { type: 'string', enum: ['z', 'Z'] },
+                    },
+                    additionalProperties: false,
+                    patternProperties: { '^x-': {} },
+                  },
+                  volume: {
+                    type: 'object',
+                    properties: {
+                      nocopy: { type: ['boolean', 'string'] },
+                    },
+                    additionalProperties: false,
+                    patternProperties: { '^x-': {} },
+                  },
+                  tmpfs: {
+                    type: 'object',
+                    properties: {
+                      size: { type: ['number', 'string'] },
+                      mode: { type: ['number', 'string'] },
+                    },
+                    additionalProperties: false,
+                    patternProperties: { '^x-': {} },
+                  },
+                },
+                additionalProperties: false,
+                patternProperties: { '^x-': {} },
+              },
+            ],
+          },
+          uniqueItems: true,
+          description:
+            'Named volumes and paths on the host mapped to paths in the container.',
+        },
+        volumes_from: {
+          type: 'array',
+          items: { type: 'string' },
+          uniqueItems: true,
+        },
+        working_dir: {
+          type: 'string',
+          description:
+            'The working directory in which the entrypoint or command will be run.',
+        },
+      },
+      patternProperties: { '^x-': {} },
+      additionalProperties: false,
+    },
+
+    healthcheck: {
+      type: 'object',
+      properties: {
+        disable: { type: ['boolean', 'string'] },
+        interval: { type: 'string' },
+        retries: { type: ['number', 'string'] },
+        test: {
+          oneOf: [
+            { type: 'string' },
+            { type: 'array', items: { type: 'string' } },
+          ],
+        },
+        timeout: { type: 'string' },
+        start_period: { type: 'string' },
+        start_interval: { type: 'string' },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+    },
+    development: {
+      type: ['object', 'null'],
+      properties: {
+        watch: {
+          type: 'array',
+          items: {
+            type: 'object',
+            required: ['path', 'action'],
+            properties: {
+              ignore: { $ref: '#/definitions/string_or_list' },
+              include: { $ref: '#/definitions/string_or_list' },
+              path: { type: 'string' },
+              action: {
+                type: 'string',
+                enum: [
+                  'rebuild',
+                  'sync',
+                  'restart',
+                  'sync+restart',
+                  'sync+exec',
+                ],
+              },
+              target: { type: 'string' },
+              exec: { $ref: '#/definitions/service_hook' },
+            },
+            additionalProperties: false,
+            patternProperties: { '^x-': {} },
+          },
+        },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+    },
+    deployment: {
+      type: ['object', 'null'],
+      properties: {
+        mode: { type: 'string' },
+        endpoint_mode: { type: 'string' },
+        replicas: { type: ['integer', 'string'] },
+        labels: { $ref: '#/definitions/list_or_dict' },
+        rollback_config: {
+          type: 'object',
+          properties: {
+            parallelism: { type: ['integer', 'string'] },
+            delay: { type: 'string' },
+            failure_action: { type: 'string' },
+            monitor: { type: 'string' },
+            max_failure_ratio: { type: ['number', 'string'] },
+            order: { type: 'string', enum: ['start-first', 'stop-first'] },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        update_config: {
+          type: 'object',
+          properties: {
+            parallelism: { type: ['integer', 'string'] },
+            delay: { type: 'string' },
+            failure_action: { type: 'string' },
+            monitor: { type: 'string' },
+            max_failure_ratio: { type: ['number', 'string'] },
+            order: { type: 'string', enum: ['start-first', 'stop-first'] },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        resources: {
+          type: 'object',
+          properties: {
+            limits: {
+              type: 'object',
+              properties: {
+                cpus: { type: ['number', 'string'] },
+                memory: { type: 'string' },
+                pids: { type: ['integer', 'string'] },
+              },
+              additionalProperties: false,
+              patternProperties: { '^x-': {} },
+            },
+            reservations: {
+              type: 'object',
+              properties: {
+                cpus: { type: ['number', 'string'] },
+                memory: { type: 'string' },
+                generic_resources: { $ref: '#/definitions/generic_resources' },
+                devices: { $ref: '#/definitions/devices' },
+              },
+              additionalProperties: false,
+              patternProperties: { '^x-': {} },
+            },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        restart_policy: {
+          type: 'object',
+          properties: {
+            condition: { type: 'string' },
+            delay: { type: 'string' },
+            max_attempts: { type: ['integer', 'string'] },
+            window: { type: 'string' },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        placement: {
+          type: 'object',
+          properties: {
+            constraints: { type: 'array', items: { type: 'string' } },
+            preferences: {
+              type: 'array',
+              items: {
+                type: 'object',
+                properties: {
+                  spread: { type: 'string' },
+                },
+                additionalProperties: false,
+                patternProperties: { '^x-': {} },
+              },
+            },
+            max_replicas_per_node: { type: ['integer', 'string'] },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+    },
+
+    generic_resources: {
+      type: 'array',
+      items: {
+        type: 'object',
+        properties: {
+          discrete_resource_spec: {
+            type: 'object',
+            properties: {
+              kind: { type: 'string' },
+              value: { type: ['number', 'string'] },
+            },
+            additionalProperties: false,
+            patternProperties: { '^x-': {} },
+          },
+        },
+        additionalProperties: false,
+        patternProperties: { '^x-': {} },
+      },
+    },
+
+    devices: {
+      type: 'array',
+      items: {
+        type: 'object',
+        properties: {
+          capabilities: { $ref: '#/definitions/list_of_strings' },
+          count: { type: ['string', 'integer'] },
+          device_ids: { $ref: '#/definitions/list_of_strings' },
+          driver: { type: 'string' },
+          options: { $ref: '#/definitions/list_or_dict' },
+        },
+        additionalProperties: false,
+        patternProperties: { '^x-': {} },
+        required: ['capabilities'],
+      },
+    },
+
+    gpus: {
+      oneOf: [
+        { type: 'string', enum: ['all'] },
+        {
+          type: 'array',
+          items: {
+            type: 'object',
+            properties: {
+              capabilities: { $ref: '#/definitions/list_of_strings' },
+              count: { type: ['string', 'integer'] },
+              device_ids: { $ref: '#/definitions/list_of_strings' },
+              driver: { type: 'string' },
+              options: { $ref: '#/definitions/list_or_dict' },
+            },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+      ],
+    },
+
+    include: {
+      oneOf: [
+        { type: 'string' },
+        {
+          type: 'object',
+          properties: {
+            path: { $ref: '#/definitions/string_or_list' },
+            env_file: { $ref: '#/definitions/string_or_list' },
+            project_directory: { type: 'string' },
+          },
+          additionalProperties: false,
+        },
+      ],
+    },
+
+    network: {
+      type: ['object', 'null'],
+      properties: {
+        name: { type: 'string' },
+        driver: {
+          type: 'string',
+          description: 'The driver used for this network.',
+        },
+        driver_opts: {
+          type: 'object',
+          patternProperties: {
+            '^.+$': { type: ['string', 'number'] },
+          },
+        },
+        ipam: {
+          type: 'object',
+          properties: {
+            driver: { type: 'string' },
+            config: {
+              type: 'array',
+              items: {
+                type: 'object',
+                properties: {
+                  subnet: { type: 'string' },
+                  ip_range: { type: 'string' },
+                  gateway: { type: 'string' },
+                  aux_addresses: {
+                    type: 'object',
+                    additionalProperties: false,
+                    patternProperties: { '^.+$': { type: 'string' } },
+                  },
+                },
+                additionalProperties: false,
+                patternProperties: { '^x-': {} },
+              },
+            },
+            options: {
+              type: 'object',
+              additionalProperties: false,
+              patternProperties: { '^.+$': { type: 'string' } },
+            },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        external: {
+          type: ['boolean', 'string', 'object'],
+          properties: {
+            name: {
+              deprecated: true,
+              type: 'string',
+            },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        internal: { type: ['boolean', 'string'] },
+        enable_ipv4: { type: ['boolean', 'string'] },
+        enable_ipv6: { type: ['boolean', 'string'] },
+        attachable: { type: ['boolean', 'string'] },
+        labels: { $ref: '#/definitions/list_or_dict' },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+    },
+
+    volume: {
+      type: ['object', 'null'],
+      properties: {
+        name: { type: 'string' },
+        driver: {
+          type: 'string',
+          description: 'The driver used for this volume.',
+        },
+        driver_opts: {
+          type: 'object',
+          patternProperties: {
+            '^.+$': { type: ['string', 'number'] },
+          },
+        },
+        external: {
+          type: ['boolean', 'string', 'object'],
+          properties: {
+            name: {
+              deprecated: true,
+              type: 'string',
+            },
+          },
+          additionalProperties: false,
+          patternProperties: { '^x-': {} },
+        },
+        labels: { $ref: '#/definitions/list_or_dict' },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+    },
+
+    secret: {
+      type: 'object',
+      properties: {
+        name: { type: 'string' },
+        environment: { type: 'string' },
+        file: { type: 'string' },
+        external: {
+          type: ['boolean', 'string', 'object'],
+          properties: {
+            name: { type: 'string' },
+          },
+        },
+        labels: { $ref: '#/definitions/list_or_dict' },
+        driver: { type: 'string' },
+        driver_opts: {
+          type: 'object',
+          patternProperties: {
+            '^.+$': { type: ['string', 'number'] },
+          },
+        },
+        template_driver: { type: 'string' },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+    },
+
+    config: {
+      type: 'object',
+      properties: {
+        name: { type: 'string' },
+        content: { type: 'string' },
+        environment: { type: 'string' },
+        file: { type: 'string' },
+        external: {
+          type: ['boolean', 'string', 'object'],
+          properties: {
+            name: {
+              deprecated: true,
+              type: 'string',
+            },
+          },
+        },
+        labels: { $ref: '#/definitions/list_or_dict' },
+        template_driver: { type: 'string' },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+    },
+
+    command: {
+      oneOf: [
+        { type: 'null' },
+        { type: 'string' },
+        { type: 'array', items: { type: 'string' } },
+      ],
+    },
+
+    service_hook: {
+      type: 'object',
+      properties: {
+        command: { $ref: '#/definitions/command' },
+        user: { type: 'string' },
+        privileged: { type: ['boolean', 'string'] },
+        working_dir: { type: 'string' },
+        environment: { $ref: '#/definitions/list_or_dict' },
+      },
+      additionalProperties: false,
+      patternProperties: { '^x-': {} },
+      required: ['command'],
+    },
+
+    env_file: {
+      oneOf: [
+        { type: 'string' },
+        {
+          type: 'array',
+          items: {
+            oneOf: [
+              { type: 'string' },
+              {
+                type: 'object',
+                additionalProperties: false,
+                properties: {
+                  path: {
+                    type: 'string',
+                  },
+                  format: {
+                    type: 'string',
+                  },
+                  required: {
+                    type: ['boolean', 'string'],
+                    default: true,
+                  },
+                },
+                required: ['path'],
+              },
+            ],
+          },
+        },
+      ],
+    },
+
+    label_file: {
+      oneOf: [
+        { type: 'string' },
+        {
+          type: 'array',
+          items: { type: 'string' },
+        },
+      ],
+    },
+
+    string_or_list: {
+      oneOf: [{ type: 'string' }, { $ref: '#/definitions/list_of_strings' }],
+    },
+
+    list_of_strings: {
+      type: 'array',
+      items: { type: 'string' },
+      uniqueItems: true,
+    },
+
+    list_or_dict: {
+      oneOf: [
+        {
+          type: 'object',
+          patternProperties: {
+            '.+': {
+              type: ['string', 'number', 'boolean', 'null'],
+            },
+          },
+          additionalProperties: false,
+        },
+        { type: 'array', items: { type: 'string' }, uniqueItems: true },
+      ],
+    },
+
+    extra_hosts: {
+      oneOf: [
+        {
+          type: 'object',
+          patternProperties: {
+            '.+': {
+              oneOf: [
+                {
+                  type: 'string',
+                },
+                {
+                  type: 'array',
+                  items: {
+                    type: 'string',
+                  },
+                  uniqueItems: false,
+                },
+              ],
+            },
+          },
+          additionalProperties: false,
+        },
+        { type: 'array', items: { type: 'string' }, uniqueItems: true },
+      ],
+    },
+
+    blkio_limit: {
+      type: 'object',
+      properties: {
+        path: { type: 'string' },
+        rate: { type: ['integer', 'string'] },
+      },
+      additionalProperties: false,
+    },
+    blkio_weight: {
+      type: 'object',
+      properties: {
+        path: { type: 'string' },
+        weight: { type: ['integer', 'string'] },
+      },
+      additionalProperties: false,
+    },
+    service_config_or_secret: {
+      type: 'array',
+      items: {
+        oneOf: [
+          { type: 'string' },
+          {
+            type: 'object',
+            properties: {
+              source: { type: 'string' },
+              target: { type: 'string' },
+              uid: { type: 'string' },
+              gid: { type: 'string' },
+              mode: { type: ['number', 'string'] },
+            },
+            additionalProperties: false,
+            patternProperties: { '^x-': {} },
+          },
+        ],
+      },
+    },
+    ulimits: {
+      type: 'object',
+      patternProperties: {
+        '^[a-z]+$': {
+          oneOf: [
+            { type: ['integer', 'string'] },
+            {
+              type: 'object',
+              properties: {
+                hard: { type: ['integer', 'string'] },
+                soft: { type: ['integer', 'string'] },
+              },
+              required: ['soft', 'hard'],
+              additionalProperties: false,
+              patternProperties: { '^x-': {} },
+            },
+          ],
+        },
+      },
+    },
+  },
+};
diff --git a/app/react/hooks/useDockerComposeSchema/useDockerComposeSchema.ts b/app/react/hooks/useDockerComposeSchema/useDockerComposeSchema.ts
new file mode 100644
index 000000000..8c9578d8a
--- /dev/null
+++ b/app/react/hooks/useDockerComposeSchema/useDockerComposeSchema.ts
@@ -0,0 +1,37 @@
+import { JSONSchema7 } from 'json-schema';
+import { useQuery } from '@tanstack/react-query';
+import axios from 'axios';
+
+import { dockerComposeSchema } from './docker-compose-schema';
+
+const COMPOSE_SCHEMA_URL =
+  'https://raw.githubusercontent.com/compose-spec/compose-spec/master/schema/compose-spec.json';
+
+export function useDockerComposeSchema() {
+  return useQuery<JSONSchema7>(
+    ['docker-compose-schema'],
+    getDockerComposeSchema,
+    {
+      staleTime: 24 * 60 * 60 * 1000, // 24 hours
+      cacheTime: 30 * 24 * 60 * 60 * 1000, // 30 days
+      retry: 1,
+      refetchOnWindowFocus: false,
+      // Start with local schema while fetching
+      initialData: dockerComposeSchema as JSONSchema7,
+    }
+  );
+}
+
+export async function getDockerComposeSchema() {
+  try {
+    const response = await axios.get<JSONSchema7>(COMPOSE_SCHEMA_URL);
+    // just in case a non-object is returned from a proxy
+    if (typeof response.data !== 'object') {
+      return dockerComposeSchema as JSONSchema7;
+    }
+    return response.data;
+  } catch (error) {
+    // Return the local schema as fallback for airgapped environments
+    return dockerComposeSchema as JSONSchema7;
+  }
+}
diff --git a/app/setup-tests/mock-codemirror.tsx b/app/setup-tests/mock-codemirror.tsx
new file mode 100644
index 000000000..a6ffc8eda
--- /dev/null
+++ b/app/setup-tests/mock-codemirror.tsx
@@ -0,0 +1,16 @@
+export function mockCodeMirror() {
+  vi.mock('@uiw/react-codemirror', () => ({
+    __esModule: true,
+    default: () => <div />,
+    oneDarkHighlightStyle: {},
+    keymap: {
+      of: () => ({}),
+    },
+  }));
+  vi.mock('yaml-schema', () => ({
+    yamlSchema: () => [],
+    validation: () => ({
+      of: () => ({}),
+    }),
+  }));
+}
diff --git a/app/setup-tests/setup-codemirror.ts b/app/setup-tests/setup-codemirror.ts
new file mode 100644
index 000000000..e5f83fffc
--- /dev/null
+++ b/app/setup-tests/setup-codemirror.ts
@@ -0,0 +1,42 @@
+import 'vitest-dom/extend-expect';
+
+// Mock Range APIs that CodeMirror needs but JSDOM doesn't provide
+Range.prototype.getBoundingClientRect = () => ({
+  bottom: 0,
+  height: 0,
+  left: 0,
+  right: 0,
+  top: 0,
+  width: 0,
+  x: 0,
+  y: 0,
+  toJSON: vi.fn(),
+});
+
+Range.prototype.getClientRects = () => ({
+  item: () => null,
+  length: 0,
+  [Symbol.iterator]: vi.fn(),
+});
+
+// Mock createRange
+document.createRange = () => {
+  const range = new Range();
+  range.getBoundingClientRect = vi.fn();
+  range.getClientRects = () => ({
+    item: () => null,
+    length: 0,
+    [Symbol.iterator]: vi.fn(),
+  });
+  return range;
+};
+
+// Mock selection APIs
+const mockSelection = {
+  rangeCount: 0,
+  addRange: vi.fn(),
+  getRangeAt: vi.fn(),
+  removeAllRanges: vi.fn(),
+};
+
+window.getSelection = () => mockSelection as unknown as Selection;
diff --git a/package.json b/package.json
index 9e28a2441..889d9e8da 100644
--- a/package.json
+++ b/package.json
@@ -35,9 +35,10 @@
   "dependencies": {
     "@aws-crypto/sha256-js": "^2.0.0",
     "@codemirror/autocomplete": "^6.4.0",
+    "@codemirror/commands": "^6.8.0",
     "@codemirror/language": "^6.3.2",
     "@codemirror/legacy-modes": "^6.3.1",
-    "@codemirror/lint": "^6.1.0",
+    "@codemirror/lint": "^6.8.4",
     "@codemirror/search": "^6.2.3",
     "@codemirror/state": "^6.2.0",
     "@codemirror/theme-one-dark": "^6.1.0",
@@ -86,6 +87,7 @@
     "chart.js": "^2.7.0",
     "clsx": "^1.1.1",
     "codemirror": "^6.0.1",
+    "codemirror-json-schema": "^0.8.0",
     "core-js": "^3.19.3",
     "date-fns": "^2.29.3",
     "docker-types": "^1.43.1",
@@ -101,6 +103,7 @@
     "js-base64": "^3.7.2",
     "js-yaml": "^3.14.0",
     "jsdom": "^24.0.0",
+    "json-schema": "^0.4.0",
     "lodash": "^4.17.21",
     "lucide-react": "^0.468.0",
     "moment": "^2.29.1",
diff --git a/tsconfig.json b/tsconfig.json
index ab2985ba4..20380af1c 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -36,7 +36,9 @@
       "Azure/*": ["azure/*"],
       "Docker/*": ["docker/*"],
       "Kubernetes/*": ["kubernetes/*"],
-      "Portainer/*": ["portainer/*"]
+      "Portainer/*": ["portainer/*"],
+      // https://github.com/jsonnext/codemirror-json-schema/issues/107#issuecomment-2144584296
+      "yaml-schema": ["../node_modules/codemirror-json-schema/dist/yaml"]
     },
     "types": ["vitest/globals"]
   },
diff --git a/vitest.config.mts b/vitest.config.mts
index fed00b8c4..eca3b62ed 100644
--- a/vitest.config.mts
+++ b/vitest.config.mts
@@ -7,10 +7,16 @@ export default defineConfig({
   test: {
     globals: true,
     environment: 'jsdom',
-    setupFiles: ['./app/setup-tests/setup-msw.ts', './app/setup-tests/stub-modules.ts', './app/setup-tests/setup.ts', './app/setup-tests/setup-rtl.ts'],
+    setupFiles: [
+      './app/setup-tests/setup-msw.ts',
+      './app/setup-tests/stub-modules.ts',
+      './app/setup-tests/setup.ts',
+      './app/setup-tests/setup-codemirror.ts',
+      './app/setup-tests/setup-rtl.ts',
+    ],
     coverage: {
       provider: 'v8',
-      reporter: ['text', 'json', 'html'],      
+      reporter: ['text', 'json', 'html'],
       exclude: ['node_modules/', 'app/setup-tests/global-setup.js'],
     },
     bail: 2,
diff --git a/webpack/webpack.common.js b/webpack/webpack.common.js
index 856ca2726..5d2879ce8 100644
--- a/webpack/webpack.common.js
+++ b/webpack/webpack.common.js
@@ -89,6 +89,12 @@ module.exports = {
           },
         ],
       },
+      {
+        test: /\.m?js/,
+        resolve: {
+          fullySpecified: false,
+        },
+      },
     ],
   },
   devServer: {
@@ -188,6 +194,7 @@ module.exports = {
       Kubernetes: path.resolve(projectRoot, 'app/kubernetes'),
       Portainer: path.resolve(projectRoot, 'app/portainer'),
       'lodash-es': 'lodash',
+      'yaml-schema': path.resolve(projectRoot, 'node_modules/codemirror-json-schema/dist/yaml'),
     },
     extensions: ['.js', '.ts', '.tsx'],
     plugins: [
diff --git a/yarn.lock b/yarn.lock
index f2975f9c7..638c32535 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3166,7 +3166,17 @@
     "@codemirror/view" "^6.17.0"
     "@lezer/common" "^1.0.0"
 
-"@codemirror/commands@^6.0.0", "@codemirror/commands@^6.1.0":
+"@codemirror/autocomplete@^6.16.2":
+  version "6.18.6"
+  resolved "https://registry.yarnpkg.com/@codemirror/autocomplete/-/autocomplete-6.18.6.tgz#de26e864a1ec8192a1b241eb86addbb612964ddb"
+  integrity sha512-PHHBXFomUs5DF+9tCOM/UoW6XQ4R44lLNNhRaW9PKPTU0D7lIjRg3ElxaJnTwsl/oHiR93WSXDBrekhoUGCPtg==
+  dependencies:
+    "@codemirror/language" "^6.0.0"
+    "@codemirror/state" "^6.0.0"
+    "@codemirror/view" "^6.17.0"
+    "@lezer/common" "^1.0.0"
+
+"@codemirror/commands@^6.0.0", "@codemirror/commands@^6.1.0", "@codemirror/commands@^6.8.0":
   version "6.8.0"
   resolved "https://registry.yarnpkg.com/@codemirror/commands/-/commands-6.8.0.tgz#92f200b66f852939bd6ebb90d48c2d9e9c813d64"
   integrity sha512-q8VPEFaEP4ikSlt6ZxjB3zW72+7osfAYW9i8Zu943uqbKuz6utc1+F170hyLUCUltXORjQXRyYQNfkckzA/bPQ==
@@ -3176,6 +3186,27 @@
     "@codemirror/view" "^6.27.0"
     "@lezer/common" "^1.1.0"
 
+"@codemirror/lang-json@^6.0.1":
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/@codemirror/lang-json/-/lang-json-6.0.1.tgz#0a0be701a5619c4b0f8991f9b5e95fe33f462330"
+  integrity sha512-+T1flHdgpqDDlJZ2Lkil/rLiRy684WMLc74xUnjJH48GQdfJo/pudlTRreZmKwzP8/tGdKf83wlbAdOCzlJOGQ==
+  dependencies:
+    "@codemirror/language" "^6.0.0"
+    "@lezer/json" "^1.0.0"
+
+"@codemirror/lang-yaml@^6.1.1":
+  version "6.1.2"
+  resolved "https://registry.yarnpkg.com/@codemirror/lang-yaml/-/lang-yaml-6.1.2.tgz#c84280c68fa7af456a355d91183b5e537e9b7038"
+  integrity sha512-dxrfG8w5Ce/QbT7YID7mWZFKhdhsaTNOYjOkSIMt1qmC4VQnXSDSYVHHHn8k6kJUfIhtLo8t1JJgltlxWdsITw==
+  dependencies:
+    "@codemirror/autocomplete" "^6.0.0"
+    "@codemirror/language" "^6.0.0"
+    "@codemirror/state" "^6.0.0"
+    "@lezer/common" "^1.2.0"
+    "@lezer/highlight" "^1.2.0"
+    "@lezer/lr" "^1.0.0"
+    "@lezer/yaml" "^1.0.0"
+
 "@codemirror/language@^6.0.0", "@codemirror/language@^6.3.2":
   version "6.10.8"
   resolved "https://registry.yarnpkg.com/@codemirror/language/-/language-6.10.8.tgz#3e3a346a2b0a8cf63ee1cfe03349eb1965dce5f9"
@@ -3195,7 +3226,7 @@
   dependencies:
     "@codemirror/language" "^6.0.0"
 
-"@codemirror/lint@^6.0.0", "@codemirror/lint@^6.1.0":
+"@codemirror/lint@^6.0.0", "@codemirror/lint@^6.8.4":
   version "6.8.4"
   resolved "https://registry.yarnpkg.com/@codemirror/lint/-/lint-6.8.4.tgz#7d8aa5d1a6dec89ffcc23ad45ddca2e12e90982d"
   integrity sha512-u4q7PnZlJUojeRe8FJa/njJcMctISGgPQ4PnWsd9268R4ZTtU+tfFYmwkBvgcrK2+QQ8tYFVALVb5fVJykKc5A==
@@ -3892,7 +3923,7 @@
   resolved "https://registry.yarnpkg.com/@leichtgewicht/ip-codec/-/ip-codec-2.0.4.tgz#b2ac626d6cb9c8718ab459166d4bb405b8ffa78b"
   integrity sha512-Hcv+nVC0kZnQ3tD9GVu5xSMR4VVYOteQIr/hwFPVEvPdlXqgGEuRjiheChHgdM+JyqdgNcmzZOX/tnl0JOiI7A==
 
-"@lezer/common@^1.0.0", "@lezer/common@^1.1.0":
+"@lezer/common@^1.0.0", "@lezer/common@^1.1.0", "@lezer/common@^1.2.0":
   version "1.2.3"
   resolved "https://registry.yarnpkg.com/@lezer/common/-/common-1.2.3.tgz#138fcddab157d83da557554851017c6c1e5667fd"
   integrity sha512-w7ojc8ejBqr2REPsWxJjrMFsA/ysDCFICn8zEOR9mrqzOu2amhITYuLD8ag6XZf0CFXDrhKqw7+tW8cX66NaDA==
@@ -3902,7 +3933,7 @@
   resolved "https://registry.yarnpkg.com/@lezer/common/-/common-1.0.2.tgz#8fb9b86bdaa2ece57e7d59e5ffbcb37d71815087"
   integrity sha512-SVgiGtMnMnW3ActR8SXgsDhw7a0w0ChHSYAyAUxxrOiJ1OqYWEKk/xJd84tTSPo1mo6DXLObAJALNnd0Hrv7Ng==
 
-"@lezer/highlight@^1.0.0":
+"@lezer/highlight@^1.0.0", "@lezer/highlight@^1.2.0":
   version "1.2.1"
   resolved "https://registry.yarnpkg.com/@lezer/highlight/-/highlight-1.2.1.tgz#596fa8f9aeb58a608be0a563e960c373cbf23f8b"
   integrity sha512-Z5duk4RN/3zuVO7Jq0pGLJ3qynpxUVsh7IbUbGj88+uV2ApSAn6kWg2au3iJb+0Zi7kKtqffIESgNcRXWZWmSA==
@@ -3916,13 +3947,31 @@
   dependencies:
     "@lezer/common" "^1.0.0"
 
-"@lezer/lr@^1.0.0":
+"@lezer/json@^1.0.0":
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/@lezer/json/-/json-1.0.3.tgz#e773a012ad0088fbf07ce49cfba875cc9e5bc05f"
+  integrity sha512-BP9KzdF9Y35PDpv04r0VeSTKDeox5vVr3efE7eBbx3r4s3oNLfunchejZhjArmeieBH+nVOpgIiBJpEAv8ilqQ==
+  dependencies:
+    "@lezer/common" "^1.2.0"
+    "@lezer/highlight" "^1.0.0"
+    "@lezer/lr" "^1.0.0"
+
+"@lezer/lr@^1.0.0", "@lezer/lr@^1.4.0":
   version "1.4.2"
   resolved "https://registry.yarnpkg.com/@lezer/lr/-/lr-1.4.2.tgz#931ea3dea8e9de84e90781001dae30dea9ff1727"
   integrity sha512-pu0K1jCIdnQ12aWNaAVU5bzi7Bd1w54J3ECgANPmYLtQKP0HBj2cE/5coBD66MT10xbtIuUr7tg0Shbsvk0mDA==
   dependencies:
     "@lezer/common" "^1.0.0"
 
+"@lezer/yaml@^1.0.0":
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/@lezer/yaml/-/yaml-1.0.3.tgz#b23770ab42b390056da6b187d861b998fd60b1ff"
+  integrity sha512-GuBLekbw9jDBDhGur82nuwkxKQ+a3W5H0GfaAthDXcAu+XdpS43VlnxA9E9hllkpSP5ellRDKjLLj7Lu9Wr6xA==
+  dependencies:
+    "@lezer/common" "^1.2.0"
+    "@lezer/highlight" "^1.0.0"
+    "@lezer/lr" "^1.4.0"
+
 "@ljharb/through@^2.3.9":
   version "2.3.9"
   resolved "https://registry.yarnpkg.com/@ljharb/through/-/through-2.3.9.tgz#85f221eb82f9d555e180e87d6e50fb154af85408"
@@ -4606,6 +4655,83 @@
   resolved "https://registry.yarnpkg.com/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.9.6.tgz#2c1fb69e02a3f1506f52698cfdc3a8b6386df9a6"
   integrity sha512-jqzNLhNDvIZOrt69Ce4UjGRpXJBzhUBzawMwnaDAwyHriki3XollsewxWzOzz+4yOFDkuJHtTsZFwMxhYJWmLQ==
 
+"@sagold/json-pointer@^5.1.1", "@sagold/json-pointer@^5.1.2":
+  version "5.1.2"
+  resolved "https://registry.yarnpkg.com/@sagold/json-pointer/-/json-pointer-5.1.2.tgz#7f07884050fd2139eeb5d7423e917160ee7e0b8d"
+  integrity sha512-+wAhJZBXa6MNxRScg6tkqEbChEHMgVZAhTHVJ60Y7sbtXtu9XA49KfUkdWlS2x78D6H9nryiKePiYozumauPfA==
+
+"@sagold/json-query@^6.1.3":
+  version "6.2.0"
+  resolved "https://registry.yarnpkg.com/@sagold/json-query/-/json-query-6.2.0.tgz#2204a0259ea10f36cd5cb0a1505078e6d751eecd"
+  integrity sha512-7bOIdUE6eHeoWtFm8TvHQHfTVSZuCs+3RpOKmZCDBIOrxpvF/rNFTeuvIyjHva/RR0yVS3kQtr+9TW72LQEZjA==
+  dependencies:
+    "@sagold/json-pointer" "^5.1.2"
+    ebnf "^1.9.1"
+
+"@shikijs/core@1.29.2":
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/core/-/core-1.29.2.tgz#9c051d3ac99dd06ae46bd96536380c916e552bf3"
+  integrity sha512-vju0lY9r27jJfOY4Z7+Rt/nIOjzJpZ3y+nYpqtUZInVoXQ/TJZcfGnNOGnKjFdVZb8qexiCuSlZRKcGfhhTTZQ==
+  dependencies:
+    "@shikijs/engine-javascript" "1.29.2"
+    "@shikijs/engine-oniguruma" "1.29.2"
+    "@shikijs/types" "1.29.2"
+    "@shikijs/vscode-textmate" "^10.0.1"
+    "@types/hast" "^3.0.4"
+    hast-util-to-html "^9.0.4"
+
+"@shikijs/engine-javascript@1.29.2":
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/engine-javascript/-/engine-javascript-1.29.2.tgz#a821ad713a3e0b7798a1926fd9e80116e38a1d64"
+  integrity sha512-iNEZv4IrLYPv64Q6k7EPpOCE/nuvGiKl7zxdq0WFuRPF5PAE9PRo2JGq/d8crLusM59BRemJ4eOqrFrC4wiQ+A==
+  dependencies:
+    "@shikijs/types" "1.29.2"
+    "@shikijs/vscode-textmate" "^10.0.1"
+    oniguruma-to-es "^2.2.0"
+
+"@shikijs/engine-oniguruma@1.29.2":
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/engine-oniguruma/-/engine-oniguruma-1.29.2.tgz#d879717ced61d44e78feab16f701f6edd75434f1"
+  integrity sha512-7iiOx3SG8+g1MnlzZVDYiaeHe7Ez2Kf2HrJzdmGwkRisT7r4rak0e655AcM/tF9JG/kg5fMNYlLLKglbN7gBqA==
+  dependencies:
+    "@shikijs/types" "1.29.2"
+    "@shikijs/vscode-textmate" "^10.0.1"
+
+"@shikijs/langs@1.29.2":
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/langs/-/langs-1.29.2.tgz#4f1de46fde8991468c5a68fa4a67dd2875d643cd"
+  integrity sha512-FIBA7N3LZ+223U7cJDUYd5shmciFQlYkFXlkKVaHsCPgfVLiO+e12FmQE6Tf9vuyEsFe3dIl8qGWKXgEHL9wmQ==
+  dependencies:
+    "@shikijs/types" "1.29.2"
+
+"@shikijs/markdown-it@^1.22.2":
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/markdown-it/-/markdown-it-1.29.2.tgz#d46bd8c4c61ff054c69b2cba89feb2b951a2f65c"
+  integrity sha512-RPHqGU8RGQZ2TGMnEqLnSyM9CjPSjb0f8bwSLnJgBmWPWguoygoaFyYkXG0kwMtBtChNYsqQz1C0fLcbo6dY8g==
+  dependencies:
+    markdown-it "^14.1.0"
+    shiki "1.29.2"
+
+"@shikijs/themes@1.29.2":
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/themes/-/themes-1.29.2.tgz#293cc5c83dd7df3fdc8efa25cec8223f3a6acb0d"
+  integrity sha512-i9TNZlsq4uoyqSbluIcZkmPL9Bfi3djVxRnofUHwvx/h6SRW3cwgBC5SML7vsDcWyukY0eCzVN980rqP6qNl9g==
+  dependencies:
+    "@shikijs/types" "1.29.2"
+
+"@shikijs/types@1.29.2":
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/types/-/types-1.29.2.tgz#a93fdb410d1af8360c67bf5fc1d1a68d58e21c4f"
+  integrity sha512-VJjK0eIijTZf0QSTODEXCqinjBn0joAHQ+aPSBzrv4O2d/QSbsMw+ZeSRx03kV34Hy7NzUvV/7NqfYGRLrASmw==
+  dependencies:
+    "@shikijs/vscode-textmate" "^10.0.1"
+    "@types/hast" "^3.0.4"
+
+"@shikijs/vscode-textmate@^10.0.1":
+  version "10.0.2"
+  resolved "https://registry.yarnpkg.com/@shikijs/vscode-textmate/-/vscode-textmate-10.0.2.tgz#a90ab31d0cc1dfb54c66a69e515bf624fa7b2224"
+  integrity sha512-83yeghZ2xxin3Nj8z1NMd/NCuca+gsYXswywDy5bHvwlWL8tpTQmzGeUuHd9FC3E/SBEMvzJRwWEOz5gGes9Qg==
+
 "@simbathesailor/use-what-changed@^2.0.0":
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/@simbathesailor/use-what-changed/-/use-what-changed-2.0.0.tgz#7f82d78f92c8588b5fadd702065dde93bd781403"
@@ -5961,6 +6087,13 @@
   dependencies:
     "@types/node" "*"
 
+"@types/hast@^3.0.0", "@types/hast@^3.0.4":
+  version "3.0.4"
+  resolved "https://registry.yarnpkg.com/@types/hast/-/hast-3.0.4.tgz#1d6b39993b82cea6ad783945b0508c25903e15aa"
+  integrity sha512-WPs+bbQw5aCj+x6laNGWLH3wviHtoCv/P3+otBhbOhJgG8qtpdAMlTCxLtsTWA7LH1Oh/bFCHsBn0TPS5m30EQ==
+  dependencies:
+    "@types/unist" "*"
+
 "@types/html-minifier-terser@^6.0.0":
   version "6.1.0"
   resolved "https://registry.yarnpkg.com/@types/html-minifier-terser/-/html-minifier-terser-6.1.0.tgz#4fc33a00c1d0c16987b1a20cf92d20614c55ac35"
@@ -6062,6 +6195,13 @@
   resolved "https://registry.yarnpkg.com/@types/lodash/-/lodash-4.14.177.tgz#f70c0d19c30fab101cad46b52be60363c43c4578"
   integrity sha512-0fDwydE2clKe9MNfvXHBHF9WEahRuj+msTuQqOmAApNORFvhMYZKNGGJdCzuhheVjMps/ti0Ak/iJPACMaevvw==
 
+"@types/mdast@^4.0.0":
+  version "4.0.4"
+  resolved "https://registry.yarnpkg.com/@types/mdast/-/mdast-4.0.4.tgz#7ccf72edd2f1aa7dd3437e180c64373585804dd6"
+  integrity sha512-kGaNbPh1k7AFzgpud/gMdvIm5xuECykRR+JnWKQno9TAXVa6WIVCGTPvYGekIDL4uwCZQSYbUxNBSb1aUo79oA==
+  dependencies:
+    "@types/unist" "*"
+
 "@types/mdx@^2.0.0":
   version "2.0.5"
   resolved "https://registry.yarnpkg.com/@types/mdx/-/mdx-2.0.5.tgz#9a85a8f70c7c4d9e695a21d5ae5c93645eda64b1"
@@ -6309,6 +6449,11 @@
   dependencies:
     "@types/jquery" "*"
 
+"@types/unist@*", "@types/unist@^3.0.0":
+  version "3.0.3"
+  resolved "https://registry.yarnpkg.com/@types/unist/-/unist-3.0.3.tgz#acaab0f919ce69cce629c2d4ed2eb4adc1b6c20c"
+  integrity sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==
+
 "@types/unist@^2.0.0":
   version "2.0.6"
   resolved "https://registry.yarnpkg.com/@types/unist/-/unist-2.0.6.tgz#250a7b16c3b91f672a24552ec64678eeb1d3a08d"
@@ -6600,6 +6745,11 @@
     "@uiw/codemirror-extensions-basic-setup" "4.23.7"
     codemirror "^6.0.0"
 
+"@ungap/structured-clone@^1.0.0":
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/@ungap/structured-clone/-/structured-clone-1.3.0.tgz#d06bbb384ebcf6c505fde1c3d0ed4ddffe0aaff8"
+  integrity sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==
+
 "@vitest/coverage-v8@^2.0.4":
   version "2.1.8"
   resolved "https://registry.yarnpkg.com/@vitest/coverage-v8/-/coverage-v8-2.1.8.tgz#738527e6e79cef5004248452527e272e0df12284"
@@ -7190,6 +7340,11 @@ argparse@^1.0.7:
   dependencies:
     sprintf-js "~1.0.2"
 
+argparse@^2.0.1:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/argparse/-/argparse-2.0.1.tgz#246f50f3ca78a3240f6c997e8a9bd1eac49e4b38"
+  integrity sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==
+
 aria-hidden@^1.1.1:
   version "1.2.3"
   resolved "https://registry.yarnpkg.com/aria-hidden/-/aria-hidden-1.2.3.tgz#14aeb7fb692bbb72d69bebfa47279c1fd725e954"
@@ -7635,6 +7790,11 @@ batch@0.6.1:
   resolved "https://registry.yarnpkg.com/batch/-/batch-0.6.1.tgz#dc34314f4e679318093fc760272525f94bf25c16"
   integrity sha1-3DQxT05nkxgJP8dgJyUl+UvyXBY=
 
+best-effort-json-parser@^1.1.2:
+  version "1.1.3"
+  resolved "https://registry.yarnpkg.com/best-effort-json-parser/-/best-effort-json-parser-1.1.3.tgz#aff97716cbe649e5aa31ffa614a19763f43cde3a"
+  integrity sha512-O3LfmiLJ5UQOGqrrl6ynCdfDgK50cd0nxy0JacFZ7ARhfhjdksTfScHAJ0580RNgNejLjRvu/7Yj9znY0sqeFA==
+
 better-opn@^3.0.2:
   version "3.0.2"
   resolved "https://registry.yarnpkg.com/better-opn/-/better-opn-3.0.2.tgz#f96f35deaaf8f34144a4102651babcf00d1d8817"
@@ -7996,6 +8156,11 @@ case-sensitive-paths-webpack-plugin@^2.4.0:
   resolved "https://registry.yarnpkg.com/case-sensitive-paths-webpack-plugin/-/case-sensitive-paths-webpack-plugin-2.4.0.tgz#db64066c6422eed2e08cc14b986ca43796dbc6d4"
   integrity sha512-roIFONhcxog0JSSWbvVAh3OocukmSgpqOH6YpMkCvav/ySIV3JKg4Dc8vYtQjYi/UxpNE36r/9v+VqTQqgkYmw==
 
+ccount@^2.0.0:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/ccount/-/ccount-2.0.1.tgz#17a3bf82302e0870d6da43a01311a8bc02a3ecf5"
+  integrity sha512-eyrF0jiFpY+3drT6383f1qhkbGsLSifNAjA61IUjZjmLCWjItY6LB9ft9YhoDgwfmclB2zhu51Lc7+95b8NRAg==
+
 chai@^5.1.2:
   version "5.1.2"
   resolved "https://registry.yarnpkg.com/chai/-/chai-5.1.2.tgz#3afbc340b994ae3610ca519a6c70ace77ad4378d"
@@ -8052,6 +8217,16 @@ change-case@^4.1.2:
     snake-case "^3.0.4"
     tslib "^2.0.3"
 
+character-entities-html4@^2.0.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/character-entities-html4/-/character-entities-html4-2.1.0.tgz#1f1adb940c971a4b22ba39ddca6b618dc6e56b2b"
+  integrity sha512-1v7fgQRj6hnSwFpq1Eu0ynr/CDEw0rXo2B61qXrLNdHZmPKgb7fqS1a2JwF0rISo9q77jDI8VMEHoApn8qDoZA==
+
+character-entities-legacy@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/character-entities-legacy/-/character-entities-legacy-3.0.0.tgz#76bc83a90738901d7bc223a9e93759fdd560125b"
+  integrity sha512-RpPp0asT/6ufRm//AJVwpViZbGM/MkjQFxJccQRHmISF/22NBtsHqAWmL+/pmkPWoIUJdWyeVleTl1wydHATVQ==
+
 chardet@^0.7.0:
   version "0.7.0"
   resolved "https://registry.yarnpkg.com/chardet/-/chardet-0.7.0.tgz#90094849f0937f2eedc2425d0d28a9e5f0cbad9e"
@@ -8270,6 +8445,40 @@ clsx@^2.0.0:
   resolved "https://registry.yarnpkg.com/clsx/-/clsx-2.1.0.tgz#e851283bcb5c80ee7608db18487433f7b23f77cb"
   integrity sha512-m3iNNWpd9rl3jvvcBnu70ylMdrXt8Vlq4HYadnU5fwcOtvkSQWPmj7amUcDT2qYI7risszBjI5AUIUox9D16pg==
 
+codemirror-json-schema@^0.8.0:
+  version "0.8.0"
+  resolved "https://registry.yarnpkg.com/codemirror-json-schema/-/codemirror-json-schema-0.8.0.tgz#3e8b39a038148645c23a006e505becce68397602"
+  integrity sha512-Hiww3eU/8zwPw6oWT2VNTT7w7vwWzFiE7+syleD8rYg5pCfKuGa2oiAAgZCXpx6EUJtIcq3LKP9gkEbNUD5jcA==
+  dependencies:
+    "@sagold/json-pointer" "^5.1.1"
+    "@shikijs/markdown-it" "^1.22.2"
+    best-effort-json-parser "^1.1.2"
+    json-schema "^0.4.0"
+    json-schema-library "^9.3.5"
+    loglevel "^1.9.1"
+    markdown-it "^14.1.0"
+    shiki "^1.22.2"
+    yaml "^2.3.4"
+  optionalDependencies:
+    "@codemirror/autocomplete" "^6.16.2"
+    "@codemirror/lang-json" "^6.0.1"
+    "@codemirror/lang-yaml" "^6.1.1"
+    codemirror-json5 "^1.0.3"
+    json5 "^2.2.3"
+
+codemirror-json5@^1.0.3:
+  version "1.0.3"
+  resolved "https://registry.yarnpkg.com/codemirror-json5/-/codemirror-json5-1.0.3.tgz#046101609776a97ae3bd0bfc4b9f15638e317793"
+  integrity sha512-HmmoYO2huQxoaoG5ARKjqQc9mz7/qmNPvMbISVfIE2Gk1+4vZQg9X3G6g49MYM5IK00Ol3aijd7OKrySuOkA7Q==
+  dependencies:
+    "@codemirror/language" "^6.0.0"
+    "@codemirror/state" "^6.0.0"
+    "@codemirror/view" "^6.0.0"
+    "@lezer/common" "^1.0.0"
+    "@lezer/highlight" "^1.0.0"
+    json5 "^2.2.1"
+    lezer-json5 "^2.0.2"
+
 codemirror@^6.0.0, codemirror@^6.0.1:
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/codemirror/-/codemirror-6.0.1.tgz#62b91142d45904547ee3e0e0e4c1a79158035a29"
@@ -8363,6 +8572,11 @@ combined-stream@^1.0.8:
   dependencies:
     delayed-stream "~1.0.0"
 
+comma-separated-tokens@^2.0.0:
+  version "2.0.3"
+  resolved "https://registry.yarnpkg.com/comma-separated-tokens/-/comma-separated-tokens-2.0.3.tgz#4e89c9458acb61bc8fef19f4529973b2392839ee"
+  integrity sha512-Fu4hJdvzeylCfQPp9SGWidpzrMs7tTrlu6Vb8XGaRGck8QSNZJJp538Wrb60Lax4fPwR64ViY468OIUTbRlGZg==
+
 commander@11.0.0:
   version "11.0.0"
   resolved "https://registry.yarnpkg.com/commander/-/commander-11.0.0.tgz#43e19c25dbedc8256203538e8d7e9346877a6f67"
@@ -8378,7 +8592,7 @@ commander@^10.0.1:
   resolved "https://registry.yarnpkg.com/commander/-/commander-10.0.1.tgz#881ee46b4f77d1c1dccc5823433aa39b022cbe06"
   integrity sha512-y4Mg2tXshplEbSGzx7amzPwKKOCGuoSRP/CjEdwwk0FOGlUbq6lKuoyDZTNZkmxHdJtp54hdfY/JUrdL7Xfdug==
 
-commander@^2.20.0, commander@^2.7.1, commander@^2.8.1:
+commander@^2.19.0, commander@^2.20.0, commander@^2.7.1, commander@^2.8.1:
   version "2.20.3"
   resolved "https://registry.yarnpkg.com/commander/-/commander-2.20.3.tgz#fd485e84c03eb4881c20722ba48035e8531aeb33"
   integrity sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ==
@@ -9073,7 +9287,7 @@ depd@~1.1.2:
   resolved "https://registry.yarnpkg.com/depd/-/depd-1.1.2.tgz#9bcd52e14c097763e749b274c4346ed2e560b5a9"
   integrity sha512-7emPTl6Dpo6JRXOXjLRxck+FlLRX5847cLKEn00PLAgc3g2hTZZgr+e4c2v6QpSmLeFP3n5yUo7ft6avBK/5jQ==
 
-dequal@^2.0.2, dequal@^2.0.3:
+dequal@^2.0.0, dequal@^2.0.2, dequal@^2.0.3:
   version "2.0.3"
   resolved "https://registry.yarnpkg.com/dequal/-/dequal-2.0.3.tgz#2644214f1997d39ed0ee0ece72335490a7ac67be"
   integrity sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==
@@ -9123,6 +9337,13 @@ detect-port@^1.3.0:
     address "^1.0.1"
     debug "4"
 
+devlop@^1.0.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/devlop/-/devlop-1.1.0.tgz#4db7c2ca4dc6e0e834c30be70c94bbc976dc7018"
+  integrity sha512-RWmIqhcFf1lRYBvNmr7qTNuyCt/7/ns2jbpp1+PalgE/rDQcBT0fioSMUpJ93irlUhC5hrg4cYqe6U+0ImW0rA==
+  dependencies:
+    dequal "^2.0.0"
+
 didyoumean@^1.2.2:
   version "1.2.2"
   resolved "https://registry.yarnpkg.com/didyoumean/-/didyoumean-1.2.2.tgz#989346ffe9e839b4555ecf5666edea0d3e8ad037"
@@ -9135,6 +9356,11 @@ dir-glob@^3.0.1:
   dependencies:
     path-type "^4.0.0"
 
+discontinuous-range@1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/discontinuous-range/-/discontinuous-range-1.0.0.tgz#e38331f0844bba49b9a9cb71c771585aab1bc65a"
+  integrity sha512-c68LpLbO+7kP/b1Hr1qs8/BJ09F5khZGTxqxZuhzxpmwJKOgRFHJWIb9/KmqnqHhLdO55aOxFH/EGBvUQbL/RQ==
+
 dlv@^1.1.3:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/dlv/-/dlv-1.1.3.tgz#5c198a8a11453596e751494d49874bc7732f2e79"
@@ -9308,6 +9534,11 @@ eastasianwidth@^0.2.0:
   resolved "https://registry.yarnpkg.com/eastasianwidth/-/eastasianwidth-0.2.0.tgz#696ce2ec0aa0e6ea93a397ffcf24aa7840c827cb"
   integrity sha512-I88TYZWc9XiYHRQ4/3c5rjjfgkjhLyW2luGIheGERbNQ6OY7yTybanSpDXZa8y7VUP9YmDcYa+eyq4ca7iLqWA==
 
+ebnf@^1.9.1:
+  version "1.9.1"
+  resolved "https://registry.yarnpkg.com/ebnf/-/ebnf-1.9.1.tgz#64c25d8208ec0d221ec11c3c5e8094015131a9d3"
+  integrity sha512-uW2UKSsuty9ANJ3YByIQE4ANkD8nqUPO7r6Fwcc1ADKPe9FRdcPpMl3VEput4JSvKBJ4J86npIC2MLP0pYkCuw==
+
 ee-first@1.1.1:
   version "1.1.1"
   resolved "https://registry.yarnpkg.com/ee-first/-/ee-first-1.1.1.tgz#590c61156b0ae2f4f0255732a158b266bc56b21d"
@@ -9345,6 +9576,11 @@ electron-to-chromium@^1.4.601:
   resolved "https://registry.yarnpkg.com/electron-to-chromium/-/electron-to-chromium-1.4.616.tgz#4bddbc2c76e1e9dbf449ecd5da3d8119826ea4fb"
   integrity sha512-1n7zWYh8eS0L9Uy+GskE0lkBUNK83cXTVJI0pU3mGprFsbfSdAc15VTFbo+A+Bq4pwstmL30AVcEU3Fo463lNg==
 
+emoji-regex-xs@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/emoji-regex-xs/-/emoji-regex-xs-1.0.0.tgz#e8af22e5d9dbd7f7f22d280af3d19d2aab5b0724"
+  integrity sha512-LRlerrMYoIDrT6jgpeZ2YYl/L8EulRTt5hQcYjy5AInh7HWXKimpqx68aknBFpGL2+/IcogTcaydJEgaTmOpDg==
+
 emoji-regex@^10.2.1:
   version "10.2.1"
   resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-10.2.1.tgz#a41c330d957191efd3d9dfe6e1e8e1e9ab048b3f"
@@ -10157,6 +10393,11 @@ extract-zip@^1.6.6:
     mkdirp "^0.5.4"
     yauzl "^2.10.0"
 
+fast-copy@^3.0.2:
+  version "3.0.2"
+  resolved "https://registry.yarnpkg.com/fast-copy/-/fast-copy-3.0.2.tgz#59c68f59ccbcac82050ba992e0d5c389097c9d35"
+  integrity sha512-dl0O9Vhju8IrcLndv2eU4ldt1ftXMqqfgN4H1cpmGV7P6jeB9FwpN9a2c8DPGE1Ys88rNUJVYDHq73CGAGOPfQ==
+
 fast-deep-equal@^3.1.1, fast-deep-equal@^3.1.3:
   version "3.1.3"
   resolved "https://registry.yarnpkg.com/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz#3a7d56b559d6cbc3eb512325244e619a65c6c525"
@@ -11078,6 +11319,30 @@ has@^1.0.3:
   dependencies:
     function-bind "^1.1.1"
 
+hast-util-to-html@^9.0.4:
+  version "9.0.5"
+  resolved "https://registry.yarnpkg.com/hast-util-to-html/-/hast-util-to-html-9.0.5.tgz#ccc673a55bb8e85775b08ac28380f72d47167005"
+  integrity sha512-OguPdidb+fbHQSU4Q4ZiLKnzWo8Wwsf5bZfbvu7//a9oTYoqD/fWpe96NuHkoS9h0ccGOTe0C4NGXdtS0iObOw==
+  dependencies:
+    "@types/hast" "^3.0.0"
+    "@types/unist" "^3.0.0"
+    ccount "^2.0.0"
+    comma-separated-tokens "^2.0.0"
+    hast-util-whitespace "^3.0.0"
+    html-void-elements "^3.0.0"
+    mdast-util-to-hast "^13.0.0"
+    property-information "^7.0.0"
+    space-separated-tokens "^2.0.0"
+    stringify-entities "^4.0.0"
+    zwitch "^2.0.4"
+
+hast-util-whitespace@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/hast-util-whitespace/-/hast-util-whitespace-3.0.0.tgz#7778ed9d3c92dd9e8c5c8f648a49c21fc51cb621"
+  integrity sha512-88JUN06ipLwsnv+dVn+OIYOvAuvBMy/Qoi6O7mQHxdPXpjy+Cd6xRkWwux7DKO+4sYILtLBRIKgsdpS2gQc7qw==
+  dependencies:
+    "@types/hast" "^3.0.0"
+
 he@1.2.x, he@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/he/-/he-1.2.0.tgz#84ae65fa7eafb165fddb61566ae14baf05664f0f"
@@ -11204,6 +11469,11 @@ html-tags@^3.1.0:
   resolved "https://registry.yarnpkg.com/html-tags/-/html-tags-3.3.1.tgz#a04026a18c882e4bba8a01a3d39cfe465d40b5ce"
   integrity sha512-ztqyC3kLto0e9WbNp0aeP+M3kTt+nbaIveGmUxAtZa+8iFgKLUOD4YKM5j+f3QD89bra7UeumolZHKuOXnTmeQ==
 
+html-void-elements@^3.0.0:
+  version "3.0.0"
+  resolved "https://registry.yarnpkg.com/html-void-elements/-/html-void-elements-3.0.0.tgz#fc9dbd84af9e747249034d4d62602def6517f1d7"
+  integrity sha512-bEqo66MRXsUGxWHV5IP0PUiAWwoEjba4VCzg0LjFJBpchPaTfyfCKTG6bc5F8ucKec3q5y6qOdGyYTSBEvhCrg==
+
 html-webpack-plugin@^5.5.0:
   version "5.5.0"
   resolved "https://registry.yarnpkg.com/html-webpack-plugin/-/html-webpack-plugin-5.5.0.tgz#c3911936f57681c1f9f4d8b68c158cd9dfe52f50"
@@ -12229,6 +12499,19 @@ json-parse-even-better-errors@^2.3.0, json-parse-even-better-errors@^2.3.1:
   resolved "https://registry.yarnpkg.com/json-parse-even-better-errors/-/json-parse-even-better-errors-2.3.1.tgz#7c47805a94319928e05777405dc12e1f7a4ee02d"
   integrity sha512-xyFwyhro/JEof6Ghe2iz2NcXoj2sloNsWr/XsERDK/oiPCfaNhl5ONfp+jQdAZRQQ0IJWNzH9zIZF7li91kh2w==
 
+json-schema-library@^9.3.5:
+  version "9.3.5"
+  resolved "https://registry.yarnpkg.com/json-schema-library/-/json-schema-library-9.3.5.tgz#dd66002257a13572acd681854a023e1da0e86bfa"
+  integrity sha512-5eBDx7cbfs+RjylsVO+N36b0GOPtv78rfqgf2uON+uaHUIC62h63Y8pkV2ovKbaL4ZpQcHp21968x5nx/dFwqQ==
+  dependencies:
+    "@sagold/json-pointer" "^5.1.2"
+    "@sagold/json-query" "^6.1.3"
+    deepmerge "^4.3.1"
+    fast-copy "^3.0.2"
+    fast-deep-equal "^3.1.3"
+    smtp-address-parser "1.0.10"
+    valid-url "^1.0.9"
+
 json-schema-traverse@^0.4.1:
   version "0.4.1"
   resolved "https://registry.yarnpkg.com/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz#69f6a87d9513ab8bb8fe63bdb0979c448e684660"
@@ -12239,6 +12522,11 @@ json-schema-traverse@^1.0.0:
   resolved "https://registry.yarnpkg.com/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz#ae7bcb3656ab77a73ba5c49bf654f38e6b6860e2"
   integrity sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==
 
+json-schema@^0.4.0:
+  version "0.4.0"
+  resolved "https://registry.yarnpkg.com/json-schema/-/json-schema-0.4.0.tgz#f7de4cf6efab838ebaeb3236474cbba5a1930ab5"
+  integrity sha512-es94M3nTIfsEPisRafak+HDLfHXnKBhV3vU5eqPcS3flIWqcxJWgXHXiey3YrpaNsanY5ei1VoYEbOzijuq9BA==
+
 json-stable-stringify-without-jsonify@^1.0.1:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/json-stable-stringify-without-jsonify/-/json-stable-stringify-without-jsonify-1.0.1.tgz#9db7b59496ad3f3cfef30a75142d2d930ad72651"
@@ -12258,7 +12546,7 @@ json5@^1.0.1, json5@^1.0.2:
   dependencies:
     minimist "^1.2.0"
 
-json5@^2.1.2, json5@^2.2.2, json5@^2.2.3:
+json5@^2.1.2, json5@^2.2.1, json5@^2.2.2, json5@^2.2.3:
   version "2.2.3"
   resolved "https://registry.yarnpkg.com/json5/-/json5-2.2.3.tgz#78cd6f1a19bdc12b73db5ad0c61efd66c1e29283"
   integrity sha512-XmOWe7eyHYH14cLdVPoyg+GOH3rYX++KpzrylJwSW98t3Nk+U8XOl8FWKOgwtzdb8lXGf6zYwDUzeHMWfxasyg==
@@ -12368,6 +12656,13 @@ levn@^0.4.1:
     prelude-ls "^1.2.1"
     type-check "~0.4.0"
 
+lezer-json5@^2.0.2:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/lezer-json5/-/lezer-json5-2.0.2.tgz#ba3756e0d352d9529517dcf264d27db8579ae577"
+  integrity sha512-NRmtBlKW/f8mA7xatKq8IUOq045t8GVHI4kZXrUtYYUdiVeGiO6zKGAV7/nUAnf5q+rYTY+SWX/gvQdFXMjNxQ==
+  dependencies:
+    "@lezer/lr" "^1.0.0"
+
 liftoff@^4.0.0:
   version "4.0.0"
   resolved "https://registry.yarnpkg.com/liftoff/-/liftoff-4.0.0.tgz#1a463b9073335cd425cdaa3b468996f7d66d2d81"
@@ -12397,6 +12692,13 @@ lines-and-columns@^1.1.6:
   resolved "https://registry.yarnpkg.com/lines-and-columns/-/lines-and-columns-1.2.4.tgz#eca284f75d2965079309dc0ad9255abb2ebc1632"
   integrity sha512-7ylylesZQ/PV29jhEDl3Ufjo6ZX7gCqJr5F7PKrqc93v7fzSymt1BpwEU8nAUXs8qzzvqhbjhK5QZg6Mt/HkBg==
 
+linkify-it@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/linkify-it/-/linkify-it-5.0.0.tgz#9ef238bfa6dc70bd8e7f9572b52d369af569b421"
+  integrity sha512-5aHCbzQRADcdP+ATqnDuhhJ/MRIqDkZX5pyjFHRRysS8vZ5AbqGEoFIb6pYHPZ+L/OC2Lc+xT8uHVVR5CAK/wQ==
+  dependencies:
+    uc.micro "^2.0.0"
+
 lint-staged@^14.0.1:
   version "14.0.1"
   resolved "https://registry.yarnpkg.com/lint-staged/-/lint-staged-14.0.1.tgz#57dfa3013a3d60762d9af5d9c83bdb51291a6232"
@@ -12592,6 +12894,11 @@ logform@^2.3.2:
     safe-stable-stringify "^1.1.0"
     triple-beam "^1.3.0"
 
+loglevel@^1.9.1:
+  version "1.9.2"
+  resolved "https://registry.yarnpkg.com/loglevel/-/loglevel-1.9.2.tgz#c2e028d6c757720107df4e64508530db6621ba08"
+  integrity sha512-HgMmCqIJSAKqo68l0rS2AanEWfkxaZ5wNiEFb5ggm08lDs9Xl2KxBlX3PTcaD2chBM1gXAYf491/M2Rv8Jwayg==
+
 loose-envify@^1.0.0, loose-envify@^1.1.0, loose-envify@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/loose-envify/-/loose-envify-1.4.0.tgz#71ee51fa7be4caec1a63839f7e682d8132d30caf"
@@ -12736,6 +13043,18 @@ map-or-similar@^1.5.0:
   resolved "https://registry.yarnpkg.com/map-or-similar/-/map-or-similar-1.5.0.tgz#6de2653174adfb5d9edc33c69d3e92a1b76faf08"
   integrity sha512-0aF7ZmVon1igznGI4VS30yugpduQW3y3GkcgGJOp7d8x8QrizhigUxjI/m2UojsXXto+jLAH3KSz+xOJTiORjg==
 
+markdown-it@^14.1.0:
+  version "14.1.0"
+  resolved "https://registry.yarnpkg.com/markdown-it/-/markdown-it-14.1.0.tgz#3c3c5992883c633db4714ccb4d7b5935d98b7d45"
+  integrity sha512-a54IwgWPaeBCAAsv13YgmALOF1elABB08FxO9i+r4VFk5Vl4pKokRPeX8u5TCgSsPi6ec1otfLjdOpVcgbpshg==
+  dependencies:
+    argparse "^2.0.1"
+    entities "^4.4.0"
+    linkify-it "^5.0.0"
+    mdurl "^2.0.0"
+    punycode.js "^2.3.1"
+    uc.micro "^2.1.0"
+
 markdown-to-jsx@^7.1.8:
   version "7.2.0"
   resolved "https://registry.yarnpkg.com/markdown-to-jsx/-/markdown-to-jsx-7.2.0.tgz#e7b46b65955f6a04d48a753acd55874a14bdda4b"
@@ -12757,6 +13076,21 @@ mdast-util-definitions@^4.0.0:
   dependencies:
     unist-util-visit "^2.0.0"
 
+mdast-util-to-hast@^13.0.0:
+  version "13.2.0"
+  resolved "https://registry.yarnpkg.com/mdast-util-to-hast/-/mdast-util-to-hast-13.2.0.tgz#5ca58e5b921cc0a3ded1bc02eed79a4fe4fe41f4"
+  integrity sha512-QGYKEuUsYT9ykKBCMOEDLsU5JRObWQusAolFMeko/tYPufNkRffBAQjIE+99jbA87xv6FgmjLtwjh9wBWajwAA==
+  dependencies:
+    "@types/hast" "^3.0.0"
+    "@types/mdast" "^4.0.0"
+    "@ungap/structured-clone" "^1.0.0"
+    devlop "^1.0.0"
+    micromark-util-sanitize-uri "^2.0.0"
+    trim-lines "^3.0.0"
+    unist-util-position "^5.0.0"
+    unist-util-visit "^5.0.0"
+    vfile "^6.0.0"
+
 mdast-util-to-string@^1.0.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/mdast-util-to-string/-/mdast-util-to-string-1.1.0.tgz#27055500103f51637bd07d01da01eb1967a43527"
@@ -12772,6 +13106,11 @@ mdn-data@2.0.30:
   resolved "https://registry.yarnpkg.com/mdn-data/-/mdn-data-2.0.30.tgz#ce4df6f80af6cfbe218ecd5c552ba13c4dfa08cc"
   integrity sha512-GaqWWShW4kv/G9IEucWScBx9G1/vsFZZJUO+tD26M8J8z3Kw5RDQjaoZe03YAClgeS/SWPOcb4nkFBTEi5DUEA==
 
+mdurl@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/mdurl/-/mdurl-2.0.0.tgz#80676ec0433025dd3e17ee983d0fe8de5a2237e0"
+  integrity sha512-Lf+9+2r+Tdp5wXDXC4PcIBjTDtq4UKjCPMQhKIuzpJNW0b96kVqSwW0bT7FhRSfmAiFYgP+SCRvdrDozfh0U5w==
+
 media-typer@0.3.0:
   version "0.3.0"
   resolved "https://registry.yarnpkg.com/media-typer/-/media-typer-0.3.0.tgz#8710d7af0aa626f8fffa1ce00168545263255748"
@@ -12823,6 +13162,38 @@ methods@~1.1.2:
   resolved "https://registry.yarnpkg.com/methods/-/methods-1.1.2.tgz#5529a4d67654134edcc5266656835b0f851afcee"
   integrity sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==
 
+micromark-util-character@^2.0.0:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/micromark-util-character/-/micromark-util-character-2.1.1.tgz#2f987831a40d4c510ac261e89852c4e9703ccda6"
+  integrity sha512-wv8tdUTJ3thSFFFJKtpYKOYiGP2+v96Hvk4Tu8KpCAsTMs6yi+nVmGh1syvSCsaxz45J6Jbw+9DD6g97+NV67Q==
+  dependencies:
+    micromark-util-symbol "^2.0.0"
+    micromark-util-types "^2.0.0"
+
+micromark-util-encode@^2.0.0:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/micromark-util-encode/-/micromark-util-encode-2.0.1.tgz#0d51d1c095551cfaac368326963cf55f15f540b8"
+  integrity sha512-c3cVx2y4KqUnwopcO9b/SCdo2O67LwJJ/UyqGfbigahfegL9myoEFoDYZgkT7f36T0bLrM9hZTAaAyH+PCAXjw==
+
+micromark-util-sanitize-uri@^2.0.0:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/micromark-util-sanitize-uri/-/micromark-util-sanitize-uri-2.0.1.tgz#ab89789b818a58752b73d6b55238621b7faa8fd7"
+  integrity sha512-9N9IomZ/YuGGZZmQec1MbgxtlgougxTodVwDzzEouPKo3qFWvymFHWcnDi2vzV1ff6kas9ucW+o3yzJK9YB1AQ==
+  dependencies:
+    micromark-util-character "^2.0.0"
+    micromark-util-encode "^2.0.0"
+    micromark-util-symbol "^2.0.0"
+
+micromark-util-symbol@^2.0.0:
+  version "2.0.1"
+  resolved "https://registry.yarnpkg.com/micromark-util-symbol/-/micromark-util-symbol-2.0.1.tgz#e5da494e8eb2b071a0d08fb34f6cefec6c0a19b8"
+  integrity sha512-vs5t8Apaud9N28kgCrRUdEed4UJ+wWNvicHLPxCa9ENlYuAY31M0ETy5y1vA33YoNPDFTghEbnh6efaE8h4x0Q==
+
+micromark-util-types@^2.0.0:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/micromark-util-types/-/micromark-util-types-2.0.2.tgz#f00225f5f5a0ebc3254f96c36b6605c4b393908e"
+  integrity sha512-Yw0ECSpJoViF1qTU4DC6NwtC4aWGt1EkzaQB8KPPyCRR8z9TWeV0HbEFGTO+ZY1wB22zmxnJqhPyTpOVCpeHTA==
+
 micromatch@4.0.5, micromatch@^4.0.2, micromatch@^4.0.4, micromatch@^4.0.5:
   version "4.0.5"
   resolved "https://registry.yarnpkg.com/micromatch/-/micromatch-4.0.5.tgz#bc8999a7cbbf77cdc89f132f6e467051b49090c6"
@@ -12989,6 +13360,11 @@ moment@^2.10.2, moment@^2.16.0, moment@^2.21.0, moment@^2.24.0, moment@^2.29.1,
   resolved "https://registry.yarnpkg.com/moment/-/moment-2.29.4.tgz#3dbe052889fe7c1b2ed966fcb3a77328964ef108"
   integrity sha512-5LC9SOxjSc2HF6vO2CyuTDNivEdoz2IvyJJGj6X8DJ0eFyfszE0QiEd+iXmBvUP3WHxSjFH/vIsA0EN00cgr8w==
 
+moo@^0.5.0:
+  version "0.5.2"
+  resolved "https://registry.yarnpkg.com/moo/-/moo-0.5.2.tgz#f9fe82473bc7c184b0d32e2215d3f6e67278733c"
+  integrity sha512-iSAJLHYKnX41mKcJKjqvnAN9sf0LMDTXDEvFv+ffuRR9a1MIuXLjMNL6EsnDHSkKLTWNqQQ5uo61P4EbU4NU+Q==
+
 mri@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/mri/-/mri-1.2.0.tgz#6721480fec2a11a4889861115a48b6cbe7cc8f0b"
@@ -13095,6 +13471,16 @@ natural-compare@^1.4.0:
   resolved "https://registry.yarnpkg.com/natural-compare/-/natural-compare-1.4.0.tgz#4abebfeed7541f2c27acfb29bdbbd15c8d5ba4f7"
   integrity sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=
 
+nearley@^2.20.1:
+  version "2.20.1"
+  resolved "https://registry.yarnpkg.com/nearley/-/nearley-2.20.1.tgz#246cd33eff0d012faf197ff6774d7ac78acdd474"
+  integrity sha512-+Mc8UaAebFzgV+KpI5n7DasuuQCHA89dmwm7JXw3TV43ukfNQ9DnBH3Mdb2g/I4Fdxc26pwimBWvjIw0UAILSQ==
+  dependencies:
+    commander "^2.19.0"
+    moo "^0.5.0"
+    railroad-diagrams "^1.0.0"
+    randexp "0.4.6"
+
 negotiator@0.6.2:
   version "0.6.2"
   resolved "https://registry.yarnpkg.com/negotiator/-/negotiator-0.6.2.tgz#feacf7ccf525a77ae9634436a64883ffeca346fb"
@@ -13520,6 +13906,15 @@ onetime@^6.0.0:
   dependencies:
     mimic-fn "^4.0.0"
 
+oniguruma-to-es@^2.2.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/oniguruma-to-es/-/oniguruma-to-es-2.3.0.tgz#35ea9104649b7c05f3963c6b3b474d964625028b"
+  integrity sha512-bwALDxriqfKGfUufKGGepCzu9x7nJQuoRoAFp4AnwehhC2crqrDIAP/uN2qdlsAvSMpeRC3+Yzhqc7hLmle5+g==
+  dependencies:
+    emoji-regex-xs "^1.0.0"
+    regex "^5.1.1"
+    regex-recursion "^5.1.1"
+
 open@^8.0.4, open@^8.4.0:
   version "8.4.2"
   resolved "https://registry.yarnpkg.com/open/-/open-8.4.2.tgz#5b5ffe2a8f793dcd2aad73e550cb87b59cb084f9"
@@ -14399,6 +14794,11 @@ property-expr@^2.0.4:
   resolved "https://registry.yarnpkg.com/property-expr/-/property-expr-2.0.4.tgz#37b925478e58965031bb612ec5b3260f8241e910"
   integrity sha512-sFPkHQjVKheDNnPvotjQmm3KD3uk1fWKUN7CrpdbwmUx3CrG3QiM8QpTSimvig5vTXmTvjz7+TDvXOI9+4rkcg==
 
+property-information@^7.0.0:
+  version "7.0.0"
+  resolved "https://registry.yarnpkg.com/property-information/-/property-information-7.0.0.tgz#3508a6d6b0b8eb3ca6eb2c6623b164d2ed2ab112"
+  integrity sha512-7D/qOz/+Y4X/rzSB6jKxKUsQnphO046ei8qxG59mtM3RG3DHgTK81HrxrmoDVINJb8NKT5ZsRbwHvQ6B68Iyhg==
+
 proxy-addr@~2.0.7:
   version "2.0.7"
   resolved "https://registry.yarnpkg.com/proxy-addr/-/proxy-addr-2.0.7.tgz#f19fe69ceab311eeb94b42e70e8c2070f9ba1025"
@@ -14442,6 +14842,11 @@ pumpify@^1.3.3:
     inherits "^2.0.3"
     pump "^2.0.0"
 
+punycode.js@^2.3.1:
+  version "2.3.1"
+  resolved "https://registry.yarnpkg.com/punycode.js/-/punycode.js-2.3.1.tgz#6b53e56ad75588234e79f4affa90972c7dd8cdb7"
+  integrity sha512-uxFIHU0YlHYhDQtV4R9J6a52SLx28BCjT+4ieh7IGbgwVJWO+km431c4yRlREUAsAmt/uMjQUyQHNEPf0M39CA==
+
 punycode@^1.4.1:
   version "1.4.1"
   resolved "https://registry.yarnpkg.com/punycode/-/punycode-1.4.1.tgz#c0d5a63b2718800ad8e1eb0fa5269c84dd41845e"
@@ -14509,11 +14914,24 @@ queue-microtask@^1.2.2:
   resolved "https://registry.yarnpkg.com/queue-microtask/-/queue-microtask-1.2.3.tgz#4929228bbc724dfac43e0efb058caf7b6cfb6243"
   integrity sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==
 
+railroad-diagrams@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/railroad-diagrams/-/railroad-diagrams-1.0.0.tgz#eb7e6267548ddedfb899c1b90e57374559cddb7e"
+  integrity sha512-cz93DjNeLY0idrCNOH6PviZGRN9GJhsdm9hpn1YCS879fj4W+x5IFJhhkRZcwVgMmFF7R82UA/7Oh+R8lLZg6A==
+
 ramda@0.29.0:
   version "0.29.0"
   resolved "https://registry.yarnpkg.com/ramda/-/ramda-0.29.0.tgz#fbbb67a740a754c8a4cbb41e2a6e0eb8507f55fb"
   integrity sha512-BBea6L67bYLtdbOqfp8f58fPMqEwx0doL+pAi8TZyp2YWz8R9G8z9x75CZI8W+ftqhFHCpEX2cRnUUXK130iKA==
 
+randexp@0.4.6:
+  version "0.4.6"
+  resolved "https://registry.yarnpkg.com/randexp/-/randexp-0.4.6.tgz#e986ad5e5e31dae13ddd6f7b3019aa7c87f60ca3"
+  integrity sha512-80WNmd9DA0tmZrw9qQa62GPPWfuXJknrmVmLcxvq4uZBdYqb1wYoKTmnlGUchvVWe0XiLupYkBoXVOxz3C8DYQ==
+  dependencies:
+    discontinuous-range "1.0.0"
+    ret "~0.1.10"
+
 randombytes@^2.0.3, randombytes@^2.1.0:
   version "2.1.0"
   resolved "https://registry.yarnpkg.com/randombytes/-/randombytes-2.1.0.tgz#df6f84372f0270dc65cdf6291349ab7a473d4f2a"
@@ -15019,6 +15437,26 @@ regex-parser@^2.2.11:
   resolved "https://registry.yarnpkg.com/regex-parser/-/regex-parser-2.2.11.tgz#3b37ec9049e19479806e878cabe7c1ca83ccfe58"
   integrity sha512-jbD/FT0+9MBU2XAZluI7w2OBs1RBi6p9M83nkoZayQXXU9e8Robt69FcZc7wU4eJD/YFTjn1JdCk3rbMJajz8Q==
 
+regex-recursion@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/regex-recursion/-/regex-recursion-5.1.1.tgz#5a73772d18adbf00f57ad097bf54171b39d78f8b"
+  integrity sha512-ae7SBCbzVNrIjgSbh7wMznPcQel1DNlDtzensnFxpiNpXt1U2ju/bHugH422r+4LAVS1FpW1YCwilmnNsjum9w==
+  dependencies:
+    regex "^5.1.1"
+    regex-utilities "^2.3.0"
+
+regex-utilities@^2.3.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/regex-utilities/-/regex-utilities-2.3.0.tgz#87163512a15dce2908cf079c8960d5158ff43280"
+  integrity sha512-8VhliFJAWRaUiVvREIiW2NXXTmHs4vMNnSzuJVhscgmGav3g9VDxLrQndI3dZZVVdp0ZO/5v0xmX516/7M9cng==
+
+regex@^5.1.1:
+  version "5.1.1"
+  resolved "https://registry.yarnpkg.com/regex/-/regex-5.1.1.tgz#cf798903f24d6fe6e531050a36686e082b29bd03"
+  integrity sha512-dN5I359AVGPnwzJm2jN1k0W9LPZ+ePvoOeVMMfqIMFz53sSwXkxaJoxr50ptnsC771lK95BnTrVSZxq0b9yCGw==
+  dependencies:
+    regex-utilities "^2.3.0"
+
 regexp.prototype.flags@^1.4.3, regexp.prototype.flags@^1.5.0:
   version "1.5.0"
   resolved "https://registry.yarnpkg.com/regexp.prototype.flags/-/regexp.prototype.flags-1.5.0.tgz#fe7ce25e7e4cca8db37b6634c8a2c7009199b9cb"
@@ -15228,6 +15666,11 @@ restore-cursor@^4.0.0:
     onetime "^5.1.0"
     signal-exit "^3.0.2"
 
+ret@~0.1.10:
+  version "0.1.15"
+  resolved "https://registry.yarnpkg.com/ret/-/ret-0.1.15.tgz#b8a4825d5bdb1fc3f6f53c2bc33f81388681c7bc"
+  integrity sha512-TTlYpa+OL+vMMNG24xSlQGEJ3B/RzEfUlLct7b5G/ytav+wPrplCpVMFuwzXbkecJrb6IYo1iFb0S9v37754mg==
+
 retry@^0.13.1:
   version "0.13.1"
   resolved "https://registry.yarnpkg.com/retry/-/retry-0.13.1.tgz#185b1587acf67919d63b357349e03537b2484658"
@@ -15604,6 +16047,20 @@ shellwords@^0.1.1:
   resolved "https://registry.yarnpkg.com/shellwords/-/shellwords-0.1.1.tgz#d6b9181c1a48d397324c84871efbcfc73fc0654b"
   integrity sha512-vFwSUfQvqybiICwZY5+DAWIPLKsWO31Q91JSKl3UYv+K5c2QRPzn0qzec6QPu1Qc9eHYItiP3NdJqNVqetYAww==
 
+shiki@1.29.2, shiki@^1.22.2:
+  version "1.29.2"
+  resolved "https://registry.yarnpkg.com/shiki/-/shiki-1.29.2.tgz#5c93771f2d5305ce9c05975c33689116a27dc657"
+  integrity sha512-njXuliz/cP+67jU2hukkxCNuH1yUi4QfdZZY+sMr5PPrIyXSu5iTb/qYC4BiWWB0vZ+7TbdvYUCeL23zpwCfbg==
+  dependencies:
+    "@shikijs/core" "1.29.2"
+    "@shikijs/engine-javascript" "1.29.2"
+    "@shikijs/engine-oniguruma" "1.29.2"
+    "@shikijs/langs" "1.29.2"
+    "@shikijs/themes" "1.29.2"
+    "@shikijs/types" "1.29.2"
+    "@shikijs/vscode-textmate" "^10.0.1"
+    "@types/hast" "^3.0.4"
+
 should-equal@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/should-equal/-/should-equal-2.0.0.tgz#6072cf83047360867e68e98b09d71143d04ee0c3"
@@ -15735,6 +16192,13 @@ slice-ansi@^5.0.0:
     ansi-styles "^6.0.0"
     is-fullwidth-code-point "^4.0.0"
 
+smtp-address-parser@1.0.10:
+  version "1.0.10"
+  resolved "https://registry.yarnpkg.com/smtp-address-parser/-/smtp-address-parser-1.0.10.tgz#9fc4ed6021f13dc3d8f591e0ad0d50454073025e"
+  integrity sha512-Osg9LmvGeAG/hyao4mldbflLOkkr3a+h4m1lwKCK5U8M6ZAr7tdXEz/+/vr752TSGE4MNUlUl9cIK2cB8cgzXg==
+  dependencies:
+    nearley "^2.20.1"
+
 snake-case@^3.0.4:
   version "3.0.4"
   resolved "https://registry.yarnpkg.com/snake-case/-/snake-case-3.0.4.tgz#4f2bbd568e9935abdfd593f34c691dadb49c452c"
@@ -15799,6 +16263,11 @@ space-separated-tokens@^1.0.0:
   resolved "https://registry.yarnpkg.com/space-separated-tokens/-/space-separated-tokens-1.1.5.tgz#85f32c3d10d9682007e917414ddc5c26d1aa6899"
   integrity sha512-q/JSVd1Lptzhf5bkYm4ob4iWPjx0KiRe3sRFBNrVqbJkFaBm5vbbowy1mymoPNLRa52+oadOhJ+K49wsSeSjTA==
 
+space-separated-tokens@^2.0.0:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/space-separated-tokens/-/space-separated-tokens-2.0.2.tgz#1ecd9d2350a3844572c3f4a312bceb018348859f"
+  integrity sha512-PEGlAwrG8yXGXRjW32fGbg66JAlOAwbObuqVoJpv/mRgoWDQfgH1wDPvtzWyUSNAXBGSk8h755YDbbcEy3SH2Q==
+
 spdx-correct@^3.0.0:
   version "3.2.0"
   resolved "https://registry.yarnpkg.com/spdx-correct/-/spdx-correct-3.2.0.tgz#4f5ab0668f0059e34f9c00dce331784a12de4e9c"
@@ -16068,6 +16537,14 @@ string_decoder@~1.1.1:
   dependencies:
     safe-buffer "~5.1.0"
 
+stringify-entities@^4.0.0:
+  version "4.0.4"
+  resolved "https://registry.yarnpkg.com/stringify-entities/-/stringify-entities-4.0.4.tgz#b3b79ef5f277cc4ac73caeb0236c5ba939b3a4f3"
+  integrity sha512-IwfBptatlO+QCJUo19AqvrPNqlVMpW9YEL2LIVY+Rpv2qsjCGxaDLNRgeGsQWJhfItebuJhsGSLjaBbNSQ+ieg==
+  dependencies:
+    character-entities-html4 "^2.0.0"
+    character-entities-legacy "^3.0.0"
+
 "strip-ansi-cjs@npm:strip-ansi@^6.0.1":
   version "6.0.1"
   resolved "https://registry.yarnpkg.com/strip-ansi/-/strip-ansi-6.0.1.tgz#9e26c63d30f53443e9489495b2105d37b67a85d9"
@@ -16612,6 +17089,11 @@ tr46@~0.0.3:
   resolved "https://registry.yarnpkg.com/tr46/-/tr46-0.0.3.tgz#8184fd347dac9cdc185992f3a6622e14b9d9ab6a"
   integrity sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==
 
+trim-lines@^3.0.0:
+  version "3.0.1"
+  resolved "https://registry.yarnpkg.com/trim-lines/-/trim-lines-3.0.1.tgz#d802e332a07df861c48802c04321017b1bd87338"
+  integrity sha512-kRj8B+YHZCc9kQYdWfJB2/oUl9rA99qbowYYBtr4ui4mZyAQ2JpvVBd/6U2YloATfqBhBTSMhTpgBHtU0Mf3Rg==
+
 triple-beam@^1.2.0, triple-beam@^1.3.0:
   version "1.3.0"
   resolved "https://registry.yarnpkg.com/triple-beam/-/triple-beam-1.3.0.tgz#a595214c7298db8339eeeee083e4d10bd8cb8dd9"
@@ -16796,6 +17278,11 @@ typescript@^5.5.2:
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-5.5.2.tgz#c26f023cb0054e657ce04f72583ea2d85f8d0507"
   integrity sha512-NcRtPEOsPFFWjobJEtfihkLCZCXZt/os3zf8nTxjVH3RvTSxjrCamJpbExGvYOF+tFHc3pA65qpdwPbzjohhew==
 
+uc.micro@^2.0.0, uc.micro@^2.1.0:
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/uc.micro/-/uc.micro-2.1.0.tgz#f8d3f7d0ec4c3dea35a7e3c8efa4cb8b45c9e7ee"
+  integrity sha512-ARDJmphmdvUk6Glw7y9DQ2bFkKBHwQHLi2lsaH6PPmz/Ka9sFOBsBluozhDltWmnv9u/cF6Rt87znRTPV+yp/A==
+
 uglify-js@3.4.x:
   version "3.4.10"
   resolved "https://registry.yarnpkg.com/uglify-js/-/uglify-js-3.4.10.tgz#9ad9563d8eb3acdfb8d38597d2af1d815f6a755f"
@@ -16884,6 +17371,27 @@ unist-util-is@^4.0.0:
   resolved "https://registry.yarnpkg.com/unist-util-is/-/unist-util-is-4.1.0.tgz#976e5f462a7a5de73d94b706bac1b90671b57797"
   integrity sha512-ZOQSsnce92GrxSqlnEEseX0gi7GH9zTJZ0p9dtu87WRb/37mMPO2Ilx1s/t9vBHrFhbgweUwb+t7cIn5dxPhZg==
 
+unist-util-is@^6.0.0:
+  version "6.0.0"
+  resolved "https://registry.yarnpkg.com/unist-util-is/-/unist-util-is-6.0.0.tgz#b775956486aff107a9ded971d996c173374be424"
+  integrity sha512-2qCTHimwdxLfz+YzdGfkqNlH0tLi9xjTnHddPmJwtIG9MGsdbutfTc4P+haPD7l7Cjxf/WZj+we5qfVPvvxfYw==
+  dependencies:
+    "@types/unist" "^3.0.0"
+
+unist-util-position@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/unist-util-position/-/unist-util-position-5.0.0.tgz#678f20ab5ca1207a97d7ea8a388373c9cf896be4"
+  integrity sha512-fucsC7HjXvkB5R3kTCO7kUjRdrS0BJt3M/FPxmHMBOm8JQi2BsHAHFsy27E0EolP8rp0NzXsJ+jNPyDWvOJZPA==
+  dependencies:
+    "@types/unist" "^3.0.0"
+
+unist-util-stringify-position@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/unist-util-stringify-position/-/unist-util-stringify-position-4.0.0.tgz#449c6e21a880e0855bf5aabadeb3a740314abac2"
+  integrity sha512-0ASV06AAoKCDkS2+xw5RXJywruurpbC4JZSm7nr7MOt1ojAzvyyaO+UxZf18j8FCF6kmzCZKcAgN/yu2gm2XgQ==
+  dependencies:
+    "@types/unist" "^3.0.0"
+
 unist-util-visit-parents@^3.0.0:
   version "3.1.1"
   resolved "https://registry.yarnpkg.com/unist-util-visit-parents/-/unist-util-visit-parents-3.1.1.tgz#65a6ce698f78a6b0f56aa0e88f13801886cdaef6"
@@ -16892,6 +17400,14 @@ unist-util-visit-parents@^3.0.0:
     "@types/unist" "^2.0.0"
     unist-util-is "^4.0.0"
 
+unist-util-visit-parents@^6.0.0:
+  version "6.0.1"
+  resolved "https://registry.yarnpkg.com/unist-util-visit-parents/-/unist-util-visit-parents-6.0.1.tgz#4d5f85755c3b8f0dc69e21eca5d6d82d22162815"
+  integrity sha512-L/PqWzfTP9lzzEa6CKs0k2nARxTdZduw3zyh8d2NVBnsyvHjSX4TWse388YrrQKbvI8w20fGjGlhgT96WwKykw==
+  dependencies:
+    "@types/unist" "^3.0.0"
+    unist-util-is "^6.0.0"
+
 unist-util-visit@^2.0.0:
   version "2.0.3"
   resolved "https://registry.yarnpkg.com/unist-util-visit/-/unist-util-visit-2.0.3.tgz#c3703893146df47203bb8a9795af47d7b971208c"
@@ -16901,6 +17417,15 @@ unist-util-visit@^2.0.0:
     unist-util-is "^4.0.0"
     unist-util-visit-parents "^3.0.0"
 
+unist-util-visit@^5.0.0:
+  version "5.0.0"
+  resolved "https://registry.yarnpkg.com/unist-util-visit/-/unist-util-visit-5.0.0.tgz#a7de1f31f72ffd3519ea71814cccf5fd6a9217d6"
+  integrity sha512-MR04uvD+07cwl/yhVuVWAtw+3GOR/knlL55Nd/wAdblk27GCVt3lqpTivy/tkJcZoNPzTwS1Y+KMojlLDhoTzg==
+  dependencies:
+    "@types/unist" "^3.0.0"
+    unist-util-is "^6.0.0"
+    unist-util-visit-parents "^6.0.0"
+
 universalify@^0.2.0:
   version "0.2.0"
   resolved "https://registry.yarnpkg.com/universalify/-/universalify-0.2.0.tgz#6451760566fa857534745ab1dde952d1b1761be0"
@@ -17086,6 +17611,11 @@ v@^0.3.0:
   optionalDependencies:
     deasync "^0.1.9"
 
+valid-url@^1.0.9:
+  version "1.0.9"
+  resolved "https://registry.yarnpkg.com/valid-url/-/valid-url-1.0.9.tgz#1c14479b40f1397a75782f115e4086447433a200"
+  integrity sha512-QQDsV8OnSf5Uc30CKSwG9lnhMPe6exHtTXLRYX8uMwKENy640pU+2BgBL0LRbDh/eYRahNCS7aewCx0wf3NYVA==
+
 validate-npm-package-license@^3.0.1:
   version "3.0.4"
   resolved "https://registry.yarnpkg.com/validate-npm-package-license/-/validate-npm-package-license-3.0.4.tgz#fc91f6b9c7ba15c857f4cb2c5defeec39d4f410a"
@@ -17109,6 +17639,22 @@ vary@~1.1.2:
   resolved "https://registry.yarnpkg.com/vary/-/vary-1.1.2.tgz#2299f02c6ded30d4a5961b0b9f74524a18f634fc"
   integrity sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==
 
+vfile-message@^4.0.0:
+  version "4.0.2"
+  resolved "https://registry.yarnpkg.com/vfile-message/-/vfile-message-4.0.2.tgz#c883c9f677c72c166362fd635f21fc165a7d1181"
+  integrity sha512-jRDZ1IMLttGj41KcZvlrYAaI3CfqpLpfpf+Mfig13viT6NKvRzWZ+lXz0Y5D60w6uJIBAOGq9mSHf0gktF0duw==
+  dependencies:
+    "@types/unist" "^3.0.0"
+    unist-util-stringify-position "^4.0.0"
+
+vfile@^6.0.0:
+  version "6.0.3"
+  resolved "https://registry.yarnpkg.com/vfile/-/vfile-6.0.3.tgz#3652ab1c496531852bf55a6bac57af981ebc38ab"
+  integrity sha512-KzIbH/9tXat2u30jf+smMwFCsno4wHVdNmzFyL+T/L3UGqqk6JKfVqOFOZEpZSHADH1k40ab6NUIXZq422ov3Q==
+  dependencies:
+    "@types/unist" "^3.0.0"
+    vfile-message "^4.0.0"
+
 vite-node@2.1.8:
   version "2.1.8"
   resolved "https://registry.yarnpkg.com/vite-node/-/vite-node-2.1.8.tgz#9495ca17652f6f7f95ca7c4b568a235e0c8dbac5"
@@ -17742,6 +18288,11 @@ yaml@^1.10.0, yaml@^1.10.2:
   resolved "https://registry.yarnpkg.com/yaml/-/yaml-1.10.2.tgz#2301c5ffbf12b467de8da2333a459e29e7920e4b"
   integrity sha512-r3vXyErRCYJ7wg28yvBY5VSoAF8ZvlcW9/BwUzEtUsjvX/DKs24dIkuwjtuprwJJHsbyUbLApepYTR1BN4uHrg==
 
+yaml@^2.3.4:
+  version "2.7.0"
+  resolved "https://registry.yarnpkg.com/yaml/-/yaml-2.7.0.tgz#aef9bb617a64c937a9a748803786ad8d3ffe1e98"
+  integrity sha512-+hSoy/QHluxmC9kCIJyL/uyFmLmc+e5CFR5Wa+bpIhIj85LVb9ZH2nVnqrHoSvKogwODv0ClqZkmiSSaIH5LTA==
+
 yargs-parser@^18.1.2:
   version "18.1.3"
   resolved "https://registry.yarnpkg.com/yargs-parser/-/yargs-parser-18.1.3.tgz#be68c4975c6b2abf469236b0c870362fab09a7b0"
@@ -17859,3 +18410,8 @@ zustand@^4.1.1:
   integrity sha512-h4F3WMqsZgvvaE0n3lThx4MM81Ls9xebjvrABNzf5+jb3/03YjNTSgZXeyrvXDArMeV9untvWXRw1tY+ntPYbA==
   dependencies:
     use-sync-external-store "1.2.0"
+
+zwitch@^2.0.4:
+  version "2.0.4"
+  resolved "https://registry.yarnpkg.com/zwitch/-/zwitch-2.0.4.tgz#c827d4b0acb76fc3e685a4c6ec2902d51070e9d7"
+  integrity sha512-bXE4cR/kVZhKZX/RjPEflHaKVhUVl85noU3v6b8apfQEc1x4A+zBxjZ4lN8LqGd6WZ3dl98pY4o717VFmoPp+A==

From 7c01f84a5c4b4f6f54b5d3debf83fcdbaa40fd66 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 28 Mar 2025 10:52:59 +1300
Subject: [PATCH 066/212] fix: improve the node view for detecting roles -
 develop (#354)

---
 .../cluster/HomeView/NodesDatatable/utils.ts  | 27 +++++++------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts b/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts
index a5d4b0b4d..05bac7ce0 100644
--- a/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts
+++ b/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts
@@ -6,36 +6,29 @@ export function getInternalNodeIpAddress(node?: Node) {
   )?.address;
 }
 
-// most kube clusters set control-plane label, older clusters set master, microk8s doesn't have either but instead sets microk8s-controlplane
 const controlPlaneLabels = [
   'node-role.kubernetes.io/control-plane',
   'node-role.kubernetes.io/master',
-  'node.kubernetes.io/microk8s-controlplane',
+  'node.kubernetes.io/microk8s-controlplane'
 ];
 
-const roleLabels = ['kubernetes.io/role'];
+const roleLabels = [
+  'kubernetes.io/role',
+  'node.kubernetes.io/role'
+];
 
-/**
- * Returns the role of the node based on the labels.
- * @param node The node to get the role of.
- * It uses similar logic to https://github.com/kubernetes/kubectl/blob/04bb64c802171066ed0d886c437590c0b7ff1ed3/pkg/describe/describe.go#L5523C1-L5541C2 ,
- * but only returns 'Control plane' or 'Worker'. It also has an additional check for microk8s.
- */
 export function getRole(node: Node): 'Control plane' | 'Worker' {
   const hasControlPlaneLabel = controlPlaneLabels.some(
-    (label) =>
-      // the label can be set to an empty string, so we need to check for undefined
-      // e.g. node-role.kubernetes.io/control-plane: ""
-      node.metadata?.labels?.[label] !== undefined
+    (label) => node.metadata?.labels?.[label] !== undefined
   );
+
   const hasControlPlaneLabelValue = roleLabels.some(
     (label) =>
       node.metadata?.labels?.[label] === 'control-plane' ||
       node.metadata?.labels?.[label] === 'master'
   );
 
-  if (hasControlPlaneLabel || hasControlPlaneLabelValue) {
-    return 'Control plane';
-  }
-  return 'Worker';
+  return hasControlPlaneLabel || hasControlPlaneLabelValue
+    ? 'Control plane'
+    : 'Worker';
 }

From 1d12011eb579f04c338cdce136de389ff0c32384 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Fri, 28 Mar 2025 15:16:05 +0100
Subject: [PATCH 067/212] fix(edge groups): make large edge groups editable
 [BE-11720] (#558)

---
 api/http/handler/endpoints/endpoint_list.go   |   3 +
 api/http/handler/endpoints/filter.go          |  86 +++++++++++++
 app/edge/react/components/index.ts            |  10 ++
 .../AssociatedEdgeEnvironmentsSelector.tsx    |  13 +-
 ...ssociatedEdgeGroupEnvironmentsSelector.tsx | 116 ++++++++++++++++++
 .../EdgeEnvironmentsAssociationTable.tsx      |  77 ++++++++++++
 .../components/EdgeGroupAssociationTable.tsx  |  62 +++++-----
 .../associationTableColumnHelper.ts           |  30 +++++
 .../EdgeGroupForm/EdgeGroupForm.tsx           |   2 +
 .../EdgeGroupForm/StaticGroupFieldset.tsx     |   5 +-
 .../components/EdgeGroupForm/types.tsx        |   6 +-
 .../EdgeGroupForm/useValidation.tsx           |   1 +
 .../cluster/HomeView/NodesDatatable/utils.ts  |   7 +-
 .../environments/environment.service/index.ts |   1 +
 14 files changed, 373 insertions(+), 46 deletions(-)
 create mode 100644 app/react/edge/components/AssociatedEdgeGroupEnvironmentsSelector.tsx
 create mode 100644 app/react/edge/components/EdgeEnvironmentsAssociationTable.tsx
 create mode 100644 app/react/edge/components/associationTableColumnHelper.ts

diff --git a/api/http/handler/endpoints/endpoint_list.go b/api/http/handler/endpoints/endpoint_list.go
index 6be1c7ff2..86f1b1d3c 100644
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -38,6 +38,7 @@ const (
 // @param tagIds query []int false "search environments(endpoints) with these tags (depends on tagsPartialMatch)"
 // @param tagsPartialMatch query bool false "If true, will return environment(endpoint) which has one of tagIds, if false (or missing) will return only environments(endpoints) that has all the tags"
 // @param endpointIds query []int false "will return only these environments(endpoints)"
+// @param excludeIds query []int false "will exclude these environments(endpoints)"
 // @param provisioned query bool false "If true, will return environment(endpoint) that were provisioned"
 // @param agentVersions query []string false "will return only environments with on of these agent versions"
 // @param edgeAsync query bool false "if exists true show only edge async agents, false show only standard edge agents. if missing, will show both types (relevant only for edge agents)"
@@ -48,6 +49,8 @@ const (
 // @param name query string false "will return only environments(endpoints) with this name"
 // @param edgeStackId query portainer.EdgeStackID false "will return the environements of the specified edge stack"
 // @param edgeStackStatus query string false "only applied when edgeStackId exists. Filter the returned environments based on their deployment status in the stack (not the environment status!)" Enum("Pending", "Ok", "Error", "Acknowledged", "Remove", "RemoteUpdateSuccess", "ImagesPulled")
+// @param edgeGroupIds query []int false "List environments(endpoints) of these edge groups"
+// @param excludeEdgeGroupIds query []int false "Exclude environments(endpoints) of these edge groups"
 // @success 200 {array} portainer.Endpoint "Endpoints"
 // @failure 500 "Server error"
 // @router /endpoints [get]
diff --git a/api/http/handler/endpoints/filter.go b/api/http/handler/endpoints/filter.go
index df230f99e..6dc41b0bd 100644
--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@@ -37,6 +37,8 @@ type EnvironmentsQuery struct {
 	edgeStackId              portainer.EdgeStackID
 	edgeStackStatus          *portainer.EdgeStackStatusType
 	excludeIds               []portainer.EndpointID
+	edgeGroupIds             []portainer.EdgeGroupID
+	excludeEdgeGroupIds      []portainer.EdgeGroupID
 }
 
 func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
@@ -77,6 +79,16 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		return EnvironmentsQuery{}, err
 	}
 
+	edgeGroupIDs, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "edgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
+	excludeEdgeGroupIds, err := getNumberArrayQueryParameter[portainer.EdgeGroupID](r, "excludeEdgeGroupIds")
+	if err != nil {
+		return EnvironmentsQuery{}, err
+	}
+
 	agentVersions := getArrayQueryParameter(r, "agentVersions")
 
 	name, _ := request.RetrieveQueryParameter(r, "name", true)
@@ -117,6 +129,8 @@ func parseQuery(r *http.Request) (EnvironmentsQuery, error) {
 		edgeCheckInPassedSeconds: edgeCheckInPassedSeconds,
 		edgeStackId:              portainer.EdgeStackID(edgeStackId),
 		edgeStackStatus:          edgeStackStatus,
+		edgeGroupIds:             edgeGroupIDs,
+		excludeEdgeGroupIds:      excludeEdgeGroupIds,
 	}, nil
 }
 
@@ -143,6 +157,14 @@ func (handler *Handler) filterEndpointsByQuery(
 		filteredEndpoints = filterEndpointsByGroupIDs(filteredEndpoints, query.groupIds)
 	}
 
+	if len(query.edgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByEdgeGroupIDs(filteredEndpoints, edgeGroups, query.edgeGroupIds)
+	}
+
+	if len(query.excludeEdgeGroupIds) > 0 {
+		filteredEndpoints, edgeGroups = filterEndpointsByExcludeEdgeGroupIDs(filteredEndpoints, edgeGroups, query.excludeEdgeGroupIds)
+	}
+
 	if query.name != "" {
 		filteredEndpoints = filterEndpointsByName(filteredEndpoints, query.name)
 	}
@@ -295,6 +317,70 @@ func filterEndpointsByGroupIDs(endpoints []portainer.Endpoint, endpointGroupIDs
 	return endpoints[:n]
 }
 
+func filterEndpointsByEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeGroupIDs []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	edgeGroupIDFilterSet := make(map[portainer.EdgeGroupID]struct{}, len(edgeGroupIDs))
+	for _, id := range edgeGroupIDs {
+		edgeGroupIDFilterSet[id] = struct{}{}
+	}
+
+	n := 0
+	for _, edgeGroup := range edgeGroups {
+		if _, exists := edgeGroupIDFilterSet[edgeGroup.ID]; exists {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	endpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		for _, endpointID := range edgeGroup.Endpoints {
+			endpointIDSet[endpointID] = struct{}{}
+		}
+	}
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, exists := endpointIDSet[endpoint.ID]; exists {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
+func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []portainer.EdgeGroup, excludeEdgeGroupIds []portainer.EdgeGroupID) ([]portainer.Endpoint, []portainer.EdgeGroup) {
+	excludeEdgeGroupIDSet := make(map[portainer.EdgeGroupID]struct{}, len(excludeEdgeGroupIds))
+	for _, id := range excludeEdgeGroupIds {
+		excludeEdgeGroupIDSet[id] = struct{}{}
+	}
+
+	n := 0
+	excludeEndpointIDSet := make(map[portainer.EndpointID]struct{})
+	for _, edgeGroup := range edgeGroups {
+		if _, ok := excludeEdgeGroupIDSet[edgeGroup.ID]; ok {
+			for _, endpointID := range edgeGroup.Endpoints {
+				excludeEndpointIDSet[endpointID] = struct{}{}
+			}
+		} else {
+			edgeGroups[n] = edgeGroup
+			n++
+		}
+	}
+	edgeGroups = edgeGroups[:n]
+
+	n = 0
+	for _, endpoint := range endpoints {
+		if _, ok := excludeEndpointIDSet[endpoint.ID]; !ok {
+			endpoints[n] = endpoint
+			n++
+		}
+	}
+
+	return endpoints[:n], edgeGroups
+}
+
 func filterEndpointsBySearchCriteria(
 	endpoints []portainer.Endpoint,
 	endpointGroups []portainer.EndpointGroup,
diff --git a/app/edge/react/components/index.ts b/app/edge/react/components/index.ts
index b4913e51c..1902af60a 100644
--- a/app/edge/react/components/index.ts
+++ b/app/edge/react/components/index.ts
@@ -8,6 +8,7 @@ import { EdgeAsyncIntervalsForm } from '@/react/edge/components/EdgeAsyncInterva
 import { EdgeCheckinIntervalField } from '@/react/edge/components/EdgeCheckInIntervalField';
 import { EdgeScriptForm } from '@/react/edge/components/EdgeScriptForm';
 import { EdgeGroupsSelector } from '@/react/edge/edge-stacks/components/EdgeGroupsSelector';
+import { AssociatedEdgeGroupEnvironmentsSelector } from '@/react/edge/components/AssociatedEdgeGroupEnvironmentsSelector';
 
 const ngModule = angular
   .module('portainer.edge.react.components', [])
@@ -61,6 +62,15 @@ const ngModule = angular
       'value',
       'error',
     ])
+  )
+  .component(
+    'associatedEdgeGroupEnvironmentsSelector',
+    r2a(withReactQuery(AssociatedEdgeGroupEnvironmentsSelector), [
+      'onChange',
+      'value',
+      'error',
+      'edgeGroupId',
+    ])
   );
 
 export const componentsModule = ngModule.name;
diff --git a/app/react/edge/components/AssociatedEdgeEnvironmentsSelector.tsx b/app/react/edge/components/AssociatedEdgeEnvironmentsSelector.tsx
index 7c8bce1d5..1fdd0e30c 100644
--- a/app/react/edge/components/AssociatedEdgeEnvironmentsSelector.tsx
+++ b/app/react/edge/components/AssociatedEdgeEnvironmentsSelector.tsx
@@ -1,10 +1,9 @@
 import { EdgeTypes, EnvironmentId } from '@/react/portainer/environments/types';
+import { EdgeEnvironmentsAssociationTable } from '@/react/edge/components/EdgeEnvironmentsAssociationTable';
 
 import { FormError } from '@@/form-components/FormError';
 import { ArrayError } from '@@/form-components/InputList/InputList';
 
-import { EdgeGroupAssociationTable } from './EdgeGroupAssociationTable';
-
 export function AssociatedEdgeEnvironmentsSelector({
   onChange,
   value,
@@ -20,9 +19,9 @@ export function AssociatedEdgeEnvironmentsSelector({
   return (
     <>
       <div className="col-sm-12 small text-muted">
-        You can select which environment should be part of this group by moving
-        them to the associated environments table. Simply click on any
-        environment entry to move it from one table to the other.
+        You can also select environments individually by moving them to the
+        associated environments table. Simply click on any environment entry to
+        move it from one table to the other.
       </div>
 
       {error && (
@@ -36,7 +35,7 @@ export function AssociatedEdgeEnvironmentsSelector({
       <div className="col-sm-12 mt-4">
         <div className="flex">
           <div className="w-1/2">
-            <EdgeGroupAssociationTable
+            <EdgeEnvironmentsAssociationTable
               title="Available environments"
               query={{
                 types: EdgeTypes,
@@ -51,7 +50,7 @@ export function AssociatedEdgeEnvironmentsSelector({
             />
           </div>
           <div className="w-1/2">
-            <EdgeGroupAssociationTable
+            <EdgeEnvironmentsAssociationTable
               title="Associated environments"
               query={{
                 types: EdgeTypes,
diff --git a/app/react/edge/components/AssociatedEdgeGroupEnvironmentsSelector.tsx b/app/react/edge/components/AssociatedEdgeGroupEnvironmentsSelector.tsx
new file mode 100644
index 000000000..6a8ee3bb2
--- /dev/null
+++ b/app/react/edge/components/AssociatedEdgeGroupEnvironmentsSelector.tsx
@@ -0,0 +1,116 @@
+import { useState } from 'react';
+
+import {
+  EdgeGroupId,
+  Environment,
+  EnvironmentId,
+} from '@/react/portainer/environments/types';
+
+import { FormError } from '@@/form-components/FormError';
+import { ArrayError } from '@@/form-components/InputList/InputList';
+
+import { EdgeGroupAssociationTable } from './EdgeGroupAssociationTable';
+
+export function AssociatedEdgeGroupEnvironmentsSelector({
+  onChange,
+  value,
+  error,
+  edgeGroupId,
+}: {
+  onChange: (
+    value: EnvironmentId[],
+    meta: { type: 'add' | 'remove'; value: EnvironmentId }
+  ) => void;
+  value: EnvironmentId[];
+  error?: ArrayError<Array<EnvironmentId>>;
+  edgeGroupId?: EdgeGroupId;
+}) {
+  const [associatedEnvironments, setAssociatedEnvironments] = useState<
+    Environment[]
+  >([]);
+  const [dissociatedEnvironments, setDissociatedEnvironments] = useState<
+    Environment[]
+  >([]);
+
+  function updateEditedEnvironments(env: Environment) {
+    // If the env is associated, this update is a dissociation
+    const isAssociated = value.includes(env.Id);
+
+    setAssociatedEnvironments((prev) =>
+      isAssociated
+        ? prev.filter((prevEnv) => prevEnv.Id !== env.Id)
+        : [...prev, env]
+    );
+
+    setDissociatedEnvironments((prev) =>
+      isAssociated
+        ? [...prev, env]
+        : prev.filter((prevEnv) => prevEnv.Id !== env.Id)
+    );
+
+    const updatedValue = isAssociated
+      ? value.filter((id) => id !== env.Id)
+      : [...value, env.Id];
+
+    onChange(updatedValue, {
+      type: isAssociated ? 'remove' : 'add',
+      value: env.Id,
+    });
+  }
+
+  return (
+    <>
+      <div className="col-sm-12 small text-muted">
+        You can select which environment should be part of this group by moving
+        them to the associated environments table. Simply click on any
+        environment entry to move it from one table to the other.
+      </div>
+
+      {error && (
+        <div className="col-sm-12">
+          <FormError>
+            {typeof error === 'string' ? error : error.join(', ')}
+          </FormError>
+        </div>
+      )}
+
+      <div className="col-sm-12 mt-4">
+        <div className="flex">
+          <div className="w-1/2">
+            <EdgeGroupAssociationTable
+              title="Available environments"
+              query={{
+                excludeEdgeGroupIds: edgeGroupId ? [edgeGroupId] : [],
+              }}
+              addEnvironments={dissociatedEnvironments}
+              excludeEnvironments={associatedEnvironments}
+              onClickRow={(env) => {
+                if (!value.includes(env.Id)) {
+                  updateEditedEnvironments(env);
+                }
+              }}
+              data-cy="edgeGroupCreate-availableEndpoints"
+            />
+          </div>
+          <div className="w-1/2">
+            <EdgeGroupAssociationTable
+              title="Associated environments"
+              query={{
+                edgeGroupIds: edgeGroupId ? [edgeGroupId] : [],
+                endpointIds: edgeGroupId ? undefined : [], // workaround to avoid showing all environments for new edge group
+              }}
+              addEnvironments={associatedEnvironments}
+              excludeEnvironments={dissociatedEnvironments}
+              onClickRow={(env) => {
+                if (value.includes(env.Id)) {
+                  updateEditedEnvironments(env);
+                }
+              }}
+              data-cy="edgeGroupCreate-associatedEndpointsTable"
+            />
+          </div>
+        </div>
+      </div>
+    </>
+  );
+}
diff --git a/app/react/edge/components/EdgeEnvironmentsAssociationTable.tsx b/app/react/edge/components/EdgeEnvironmentsAssociationTable.tsx
new file mode 100644
index 000000000..d7d87ec51
--- /dev/null
+++ b/app/react/edge/components/EdgeEnvironmentsAssociationTable.tsx
@@ -0,0 +1,77 @@
+import { useMemo, useState } from 'react';
+
+import { useEnvironmentList } from '@/react/portainer/environments/queries';
+import { EdgeTypes, Environment } from '@/react/portainer/environments/types';
+import { useGroups } from '@/react/portainer/environments/environment-groups/queries';
+import { useTags } from '@/portainer/tags/queries';
+import { EnvironmentsQueryParams } from '@/react/portainer/environments/environment.service';
+import { AutomationTestingProps } from '@/types';
+
+import { useTableStateWithoutStorage } from '@@/datatables/useTableState';
+import { Datatable, TableRow } from '@@/datatables';
+
+import { columns, DecoratedEnvironment } from './associationTableColumnHelper';
+
+export function EdgeEnvironmentsAssociationTable({
+  title,
+  query,
+  onClickRow = () => {},
+  'data-cy': dataCy,
+}: {
+  title: string;
+  query: EnvironmentsQueryParams;
+  onClickRow?: (env: Environment) => void;
+} & AutomationTestingProps) {
+  const tableState = useTableStateWithoutStorage('Name');
+  const [page, setPage] = useState(0);
+  const environmentsQuery = useEnvironmentList({
+    pageLimit: tableState.pageSize,
+    page: page + 1,
+    search: tableState.search,
+    sort: tableState.sortBy?.id as 'Group' | 'Name',
+    order: tableState.sortBy?.desc ? 'desc' : 'asc',
+    types: EdgeTypes,
+    ...query,
+  });
+  const groupsQuery = useGroups({
+    enabled: environmentsQuery.environments.length > 0,
+  });
+  const tagsQuery = useTags({
+    enabled: environmentsQuery.environments.length > 0,
+  });
+
+  const memoizedEnvironments: Array<DecoratedEnvironment> = useMemo(
+    () =>
+      environmentsQuery.environments.map((env) => ({
+        ...env,
+        Group: groupsQuery.data?.find((g) => g.Id === env.GroupId)?.Name || '',
+        Tags: env.TagIds.map(
+          (tagId) => tagsQuery.data?.find((t) => t.ID === tagId)?.Name || ''
+        ),
+      })),
+    [environmentsQuery.environments, groupsQuery.data, tagsQuery.data]
+  );
+
+  const { totalCount } = environmentsQuery;
+
+  return (
+    <Datatable<DecoratedEnvironment>
+      title={title}
+      columns={columns}
+      settingsManager={tableState}
+      dataset={memoizedEnvironments}
+      isServerSidePagination
+      page={page}
+      onPageChange={setPage}
+      totalCount={totalCount}
+      renderRow={(row) => (
+        <TableRow<DecoratedEnvironment>
+          cells={row.getVisibleCells()}
+          onClick={() => onClickRow(row.original)}
+        />
+      )}
+      data-cy={dataCy}
+      disableSelect
+    />
+  );
+}
diff --git a/app/react/edge/components/EdgeGroupAssociationTable.tsx b/app/react/edge/components/EdgeGroupAssociationTable.tsx
index 70ff66a08..1f58950ca 100644
--- a/app/react/edge/components/EdgeGroupAssociationTable.tsx
+++ b/app/react/edge/components/EdgeGroupAssociationTable.tsx
@@ -1,52 +1,32 @@
-import { createColumnHelper } from '@tanstack/react-table';
-import { truncate } from 'lodash';
 import { useMemo, useState } from 'react';
 
 import { useTags } from '@/portainer/tags/queries';
 import { useGroups } from '@/react/portainer/environments/environment-groups/queries';
 import { EnvironmentsQueryParams } from '@/react/portainer/environments/environment.service';
 import { useEnvironmentList } from '@/react/portainer/environments/queries';
-import { Environment } from '@/react/portainer/environments/types';
+import { EdgeTypes, Environment } from '@/react/portainer/environments/types';
 import { AutomationTestingProps } from '@/types';
+import {
+  columns,
+  DecoratedEnvironment,
+} from '@/react/edge/components/associationTableColumnHelper';
 
 import { Datatable, TableRow } from '@@/datatables';
 import { useTableStateWithoutStorage } from '@@/datatables/useTableState';
 
-type DecoratedEnvironment = Environment & {
-  Tags: string[];
-  Group: string;
-};
-
-const columHelper = createColumnHelper<DecoratedEnvironment>();
-
-const columns = [
-  columHelper.accessor('Name', {
-    header: 'Name',
-    id: 'Name',
-    cell: ({ getValue }) => truncate(getValue(), { length: 64 }),
-  }),
-  columHelper.accessor('Group', {
-    header: 'Group',
-    id: 'Group',
-    cell: ({ getValue }) => truncate(getValue(), { length: 64 }),
-  }),
-  columHelper.accessor((row) => row.Tags.join(','), {
-    header: 'Tags',
-    id: 'tags',
-    enableSorting: false,
-    cell: ({ getValue }) => truncate(getValue(), { length: 64 }),
-  }),
-];
-
 export function EdgeGroupAssociationTable({
   title,
   query,
   onClickRow = () => {},
+  addEnvironments = [],
+  excludeEnvironments = [],
   'data-cy': dataCy,
 }: {
   title: string;
   query: EnvironmentsQueryParams;
   onClickRow?: (env: Environment) => void;
+  addEnvironments?: Environment[];
+  excludeEnvironments?: Environment[];
 } & AutomationTestingProps) {
   const tableState = useTableStateWithoutStorage('Name');
   const [page, setPage] = useState(0);
@@ -56,8 +36,11 @@ export function EdgeGroupAssociationTable({
     search: tableState.search,
     sort: tableState.sortBy?.id as 'Group' | 'Name',
     order: tableState.sortBy?.desc ? 'desc' : 'asc',
+    types: EdgeTypes,
+    excludeIds: excludeEnvironments?.map((env) => env.Id),
     ...query,
   });
+
   const groupsQuery = useGroups({
     enabled: environmentsQuery.environments.length > 0,
   });
@@ -65,7 +48,7 @@ export function EdgeGroupAssociationTable({
     enabled: environmentsQuery.environments.length > 0,
   });
 
-  const environments: Array<DecoratedEnvironment> = useMemo(
+  const memoizedEnvironments: Array<DecoratedEnvironment> = useMemo(
     () =>
       environmentsQuery.environments.map((env) => ({
         ...env,
@@ -79,12 +62,29 @@ export function EdgeGroupAssociationTable({
 
   const { totalCount } = environmentsQuery;
 
+  const memoizedAddEnvironments: Array<DecoratedEnvironment> = useMemo(
+    () =>
+      addEnvironments.map((env) => ({
+        ...env,
+        Group: groupsQuery.data?.find((g) => g.Id === env.GroupId)?.Name || '',
+        Tags: env.TagIds.map(
+          (tagId) => tagsQuery.data?.find((t) => t.ID === tagId)?.Name || ''
+        ),
+      })),
+    [addEnvironments, groupsQuery.data, tagsQuery.data]
+  );
+
+  // Filter out environments that are already in the table, this is to prevent duplicates, which can happen when an environment is associated and then disassociated
+  const filteredAddEnvironments = memoizedAddEnvironments.filter(
+    (env) => !memoizedEnvironments.some((e) => e.Id === env.Id)
+  );
+
   return (
     <Datatable<DecoratedEnvironment>
       title={title}
       columns={columns}
       settingsManager={tableState}
-      dataset={environments}
+      dataset={memoizedEnvironments.concat(filteredAddEnvironments)}
       isServerSidePagination
       page={page}
       onPageChange={setPage}
diff --git a/app/react/edge/components/associationTableColumnHelper.ts b/app/react/edge/components/associationTableColumnHelper.ts
new file mode 100644
index 000000000..6c83be77f
--- /dev/null
+++ b/app/react/edge/components/associationTableColumnHelper.ts
@@ -0,0 +1,30 @@
+import { createColumnHelper } from '@tanstack/react-table';
+import { truncate } from 'lodash';
+
+import { Environment } from '@/react/portainer/environments/types';
+
+export type DecoratedEnvironment = Environment & {
+  Tags: string[];
+  Group: string;
+};
+
+const columHelper = createColumnHelper<DecoratedEnvironment>();
+
+export const columns = [
+  columHelper.accessor('Name', {
+    header: 'Name',
+    id: 'Name',
+    cell: ({ getValue }) => truncate(getValue(), { length: 64 }),
+  }),
+  columHelper.accessor('Group', {
+    header: 'Group',
+    id: 'Group',
+    cell: ({ getValue }) => truncate(getValue(), { length: 64 }),
+  }),
+  columHelper.accessor((row) => row.Tags.join(','), {
+    header: 'Tags',
+    id: 'tags',
+    enableSorting: false,
+    cell: ({ getValue }) => truncate(getValue(), { length: 64 }),
+  }),
+];
diff --git a/app/react/edge/edge-groups/components/EdgeGroupForm/EdgeGroupForm.tsx b/app/react/edge/edge-groups/components/EdgeGroupForm/EdgeGroupForm.tsx
index 1e401dfa7..7287875d8 100644
--- a/app/react/edge/edge-groups/components/EdgeGroupForm/EdgeGroupForm.tsx
+++ b/app/react/edge/edge-groups/components/EdgeGroupForm/EdgeGroupForm.tsx
@@ -35,6 +35,7 @@ export function EdgeGroupForm({
               name: group.Name,
               partialMatch: group.PartialMatch,
               tagIds: group.TagIds,
+              edgeGroupId: group.Id,
             }
           : {
               name: '',
@@ -42,6 +43,7 @@ export function EdgeGroupForm({
               environmentIds: [],
               partialMatch: false,
               tagIds: [],
+              edgeGroupId: 0,
             }
       }
       onSubmit={onSubmit}
diff --git a/app/react/edge/edge-groups/components/EdgeGroupForm/StaticGroupFieldset.tsx b/app/react/edge/edge-groups/components/EdgeGroupForm/StaticGroupFieldset.tsx
index bb333af7b..aecec7fc9 100644
--- a/app/react/edge/edge-groups/components/EdgeGroupForm/StaticGroupFieldset.tsx
+++ b/app/react/edge/edge-groups/components/EdgeGroupForm/StaticGroupFieldset.tsx
@@ -1,6 +1,6 @@
 import { useFormikContext } from 'formik';
 
-import { AssociatedEdgeEnvironmentsSelector } from '@/react/edge/components/AssociatedEdgeEnvironmentsSelector';
+import { AssociatedEdgeGroupEnvironmentsSelector } from '@/react/edge/components/AssociatedEdgeGroupEnvironmentsSelector';
 
 import { FormSection } from '@@/form-components/FormSection';
 import { confirmDestructive } from '@@/modals/confirm';
@@ -14,7 +14,7 @@ export function StaticGroupFieldset({ isEdit }: { isEdit?: boolean }) {
   return (
     <FormSection title="Associated environments">
       <div className="form-group">
-        <AssociatedEdgeEnvironmentsSelector
+        <AssociatedEdgeGroupEnvironmentsSelector
           value={values.environmentIds}
           error={errors.environmentIds}
           onChange={async (environmentIds, meta) => {
@@ -33,6 +33,7 @@ export function StaticGroupFieldset({ isEdit }: { isEdit?: boolean }) {
 
             setFieldValue('environmentIds', environmentIds);
           }}
+          edgeGroupId={values.edgeGroupId}
         />
       </div>
     </FormSection>
diff --git a/app/react/edge/edge-groups/components/EdgeGroupForm/types.tsx b/app/react/edge/edge-groups/components/EdgeGroupForm/types.tsx
index 2c4e0d6bf..1d67d9322 100644
--- a/app/react/edge/edge-groups/components/EdgeGroupForm/types.tsx
+++ b/app/react/edge/edge-groups/components/EdgeGroupForm/types.tsx
@@ -1,7 +1,11 @@
-import { EnvironmentId } from '@/react/portainer/environments/types';
+import {
+  EdgeGroupId,
+  EnvironmentId,
+} from '@/react/portainer/environments/types';
 import { TagId } from '@/portainer/tags/types';
 
 export interface FormValues {
+  edgeGroupId: EdgeGroupId;
   name: string;
   dynamic: boolean;
   environmentIds: EnvironmentId[];
diff --git a/app/react/edge/edge-groups/components/EdgeGroupForm/useValidation.tsx b/app/react/edge/edge-groups/components/EdgeGroupForm/useValidation.tsx
index 7f4bc8284..436cd6888 100644
--- a/app/react/edge/edge-groups/components/EdgeGroupForm/useValidation.tsx
+++ b/app/react/edge/edge-groups/components/EdgeGroupForm/useValidation.tsx
@@ -21,6 +21,7 @@ export function useValidation({
           is: true,
           then: (schema) => schema.min(1, 'Tags are required'),
         }),
+        edgeGroupId: number().default(0).notRequired(),
       }),
     [nameValidation]
   );
diff --git a/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts b/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts
index 05bac7ce0..d1450f404 100644
--- a/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts
+++ b/app/react/kubernetes/cluster/HomeView/NodesDatatable/utils.ts
@@ -9,13 +9,10 @@ export function getInternalNodeIpAddress(node?: Node) {
 const controlPlaneLabels = [
   'node-role.kubernetes.io/control-plane',
   'node-role.kubernetes.io/master',
-  'node.kubernetes.io/microk8s-controlplane'
+  'node.kubernetes.io/microk8s-controlplane',
 ];
 
-const roleLabels = [
-  'kubernetes.io/role',
-  'node.kubernetes.io/role'
-];
+const roleLabels = ['kubernetes.io/role', 'node.kubernetes.io/role'];
 
 export function getRole(node: Node): 'Control plane' | 'Worker' {
   const hasControlPlaneLabel = controlPlaneLabels.some(
diff --git a/app/react/portainer/environments/environment.service/index.ts b/app/react/portainer/environments/environment.service/index.ts
index c6d770e74..6d4e22d63 100644
--- a/app/react/portainer/environments/environment.service/index.ts
+++ b/app/react/portainer/environments/environment.service/index.ts
@@ -50,6 +50,7 @@ export interface BaseEnvironmentsQueryParams {
   edgeCheckInPassedSeconds?: number;
   platformTypes?: PlatformType[];
   edgeGroupIds?: EdgeGroupId[];
+  excludeEdgeGroupIds?: EdgeGroupId[];
 }
 
 export type EnvironmentsQueryParams = BaseEnvironmentsQueryParams &

From a0d36cf87a91171b70c04f0e2f86ea12a0281914 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 31 Mar 2025 18:58:20 -0300
Subject: [PATCH 068/212] fix(server): add panic logging middleware BE-11750
 (#599)

---
 api/http/middlewares/panic_logger.go | 25 +++++++++++++++++++++++++
 api/http/server.go                   |  2 +-
 2 files changed, 26 insertions(+), 1 deletion(-)
 create mode 100644 api/http/middlewares/panic_logger.go

diff --git a/api/http/middlewares/panic_logger.go b/api/http/middlewares/panic_logger.go
new file mode 100644
index 000000000..6f3b2076f
--- /dev/null
+++ b/api/http/middlewares/panic_logger.go
@@ -0,0 +1,25 @@
+package middlewares
+
+import (
+	"net/http"
+	"runtime/debug"
+
+	"github.com/rs/zerolog/log"
+)
+
+func WithPanicLogger(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+		defer func() {
+			if err := recover(); err != nil {
+				log.Error().
+					Any("panic", err).
+					Str("method", req.Method).
+					Str("url", req.URL.String()).
+					Str("stack", string(debug.Stack())).
+					Msg("Panic in request handler")
+			}
+		}()
+
+		next.ServeHTTP(w, req)
+	})
+}
diff --git a/api/http/server.go b/api/http/server.go
index 3dcc84d2d..12925d479 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -335,7 +335,7 @@ func (server *Server) Start() error {
 
 	handler := adminMonitor.WithRedirect(offlineGate.WaitingMiddleware(time.Minute, server.Handler))
 
-	handler = middlewares.WithSlowRequestsLogger(handler)
+	handler = middlewares.WithPanicLogger(middlewares.WithSlowRequestsLogger(handler))
 
 	handler, err := csrf.WithProtect(handler)
 	if err != nil {

From 4066a70ea55aad2cb7994d697a3a8612aae63032 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <anthony.lapenna@portainer.io>
Date: Tue, 1 Apr 2025 13:24:55 +1300
Subject: [PATCH 069/212] api: fix typo in operation name (#585)

---
 api/http/handler/edgegroups/edgegroup_update.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/http/handler/edgegroups/edgegroup_update.go b/api/http/handler/edgegroups/edgegroup_update.go
index 319a1b03b..d6a03a7ef 100644
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -35,7 +35,7 @@ func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
 	return nil
 }
 
-// @id EgeGroupUpdate
+// @id EdgeGroupUpdate
 // @summary Updates an EdgeGroup
 // @description **Access policy**: administrator
 // @tags edge_groups

From 1edc56c0ceb601d4eab3108ef485cee404ab99ea Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <anthony.lapenna@portainer.io>
Date: Tue, 1 Apr 2025 13:25:09 +1300
Subject: [PATCH 070/212] api: remove name from edgegroupupdate payload
 validation (#588)

---
 api/http/handler/edgegroups/edgegroup_update.go | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/api/http/handler/edgegroups/edgegroup_update.go b/api/http/handler/edgegroups/edgegroup_update.go
index d6a03a7ef..7831b634e 100644
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -24,10 +24,6 @@ type edgeGroupUpdatePayload struct {
 }
 
 func (payload *edgeGroupUpdatePayload) Validate(r *http.Request) error {
-	if len(payload.Name) == 0 {
-		return errors.New("invalid Edge group name")
-	}
-
 	if payload.Dynamic && len(payload.TagIDs) == 0 {
 		return errors.New("tagIDs is mandatory for a dynamic Edge group")
 	}

From 7e5db1f55e62126b927e6dfa8655b40f934fd4d5 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Tue, 1 Apr 2025 14:05:56 +1300
Subject: [PATCH 071/212] refactor(edgegroup): optimize edge group search
 performance [BE-11716] (#579)

---
 api/internal/edge/edgegroup.go | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/api/internal/edge/edgegroup.go b/api/internal/edge/edgegroup.go
index 255f5f55f..9a292b7e2 100644
--- a/api/internal/edge/edgegroup.go
+++ b/api/internal/edge/edgegroup.go
@@ -13,21 +13,19 @@ func EdgeGroupRelatedEndpoints(edgeGroup *portainer.EdgeGroup, endpoints []porta
 		return edgeGroup.Endpoints
 	}
 
+	endpointGroupsMap := map[portainer.EndpointGroupID]*portainer.EndpointGroup{}
+	for i, group := range endpointGroups {
+		endpointGroupsMap[group.ID] = &endpointGroups[i]
+	}
+
 	endpointIDs := []portainer.EndpointID{}
 	for _, endpoint := range endpoints {
 		if !endpointutils.IsEdgeEndpoint(&endpoint) {
 			continue
 		}
 
-		var endpointGroup portainer.EndpointGroup
-		for _, group := range endpointGroups {
-			if endpoint.GroupID == group.ID {
-				endpointGroup = group
-				break
-			}
-		}
-
-		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, &endpointGroup) {
+		endpointGroup := endpointGroupsMap[endpoint.GroupID]
+		if edgeGroupRelatedToEndpoint(edgeGroup, &endpoint, endpointGroup) {
 			endpointIDs = append(endpointIDs, endpoint.ID)
 		}
 	}

From 4c1e80ff58cc88c27288efe4ee6ed86abb2c0abd Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Wed, 2 Apr 2025 08:51:58 +1300
Subject: [PATCH 072/212] fix(axios): correctly encode urls [BE-11648] (#517)

fix(edgegroup): nil pointer defer
---
 api/internal/edge/edgegroup.go  |  12 +--
 app/portainer/services/axios.ts |   4 +
 package.json                    |   1 +
 yarn.lock                       | 145 ++++++++++++++++++++++++++++++++
 4 files changed, 154 insertions(+), 8 deletions(-)

diff --git a/api/internal/edge/edgegroup.go b/api/internal/edge/edgegroup.go
index 9a292b7e2..64aa296a5 100644
--- a/api/internal/edge/edgegroup.go
+++ b/api/internal/edge/edgegroup.go
@@ -1,6 +1,8 @@
 package edge
 
 import (
+	"slices"
+
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@@ -70,17 +72,11 @@ func GetEndpointsFromEdgeGroups(edgeGroupIDs []portainer.EdgeGroupID, datastore
 // edgeGroupRelatedToEndpoint returns true if edgeGroup is associated with environment(endpoint)
 func edgeGroupRelatedToEndpoint(edgeGroup *portainer.EdgeGroup, endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup) bool {
 	if !edgeGroup.Dynamic {
-		for _, endpointID := range edgeGroup.Endpoints {
-			if endpoint.ID == endpointID {
-				return true
-			}
-		}
-
-		return false
+		return slices.Contains(edgeGroup.Endpoints, endpoint.ID)
 	}
 
 	endpointTags := tag.Set(endpoint.TagIDs)
-	if endpointGroup.TagIDs != nil {
+	if endpointGroup != nil && endpointGroup.TagIDs != nil {
 		endpointTags = tag.Union(endpointTags, tag.Set(endpointGroup.TagIDs))
 	}
 
diff --git a/app/portainer/services/axios.ts b/app/portainer/services/axios.ts
index 7f7683cd1..d5c8d5840 100644
--- a/app/portainer/services/axios.ts
+++ b/app/portainer/services/axios.ts
@@ -12,6 +12,7 @@ import {
 } from 'axios-cache-interceptor';
 import { loadProgressBar } from 'axios-progress-bar';
 import 'axios-progress-bar/dist/nprogress.css';
+import qs from 'qs';
 
 import PortainerError from '@/portainer/error';
 
@@ -53,6 +54,9 @@ function headerInterpreter(
 const axios = Axios.create({
   baseURL: 'api',
   maxDockerAPIVersion: MAX_DOCKER_API_VERSION,
+  paramsSerializer: {
+    serialize: (params) => qs.stringify(params, { arrayFormat: 'brackets' }),
+  },
 });
 axios.interceptors.request.use((req) => {
   dispatchCacheRefreshEventIfNeeded(req);
diff --git a/package.json b/package.json
index 889d9e8da..b67cd56ff 100644
--- a/package.json
+++ b/package.json
@@ -111,6 +111,7 @@
     "mustache": "^4.2.0",
     "ng-file-upload": "~12.2.13",
     "parse-duration": "^1.0.2",
+    "qs": "^6.14.0",
     "rc-slider": "^10.0.0",
     "react": "^17.0.2",
     "react-calendar": "^4.8.0",
diff --git a/yarn.lock b/yarn.lock
index 638c32535..a041f9578 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8073,6 +8073,14 @@ cache-parser@1.2.4:
   resolved "https://registry.yarnpkg.com/cache-parser/-/cache-parser-1.2.4.tgz#60975135ef2330e6a1d60895279d7237a2a9b398"
   integrity sha512-O0KwuHuJnbHUrghHi2kGp0SxnWSIBXTYt7M8WVhW0kbPRUNUKoE/Of6e1rRD6AAxmfxFunKnt90yEK09D+sc5g==
 
+call-bind-apply-helpers@^1.0.1, call-bind-apply-helpers@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz#4b5428c222be985d79c3d82657479dbe0b59b2d6"
+  integrity sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==
+  dependencies:
+    es-errors "^1.3.0"
+    function-bind "^1.1.2"
+
 call-bind@^1.0.0, call-bind@^1.0.2:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/call-bind/-/call-bind-1.0.2.tgz#b1d4e89e688119c3c9a903ad30abb2f6a919be3c"
@@ -8081,6 +8089,14 @@ call-bind@^1.0.0, call-bind@^1.0.2:
     function-bind "^1.1.1"
     get-intrinsic "^1.0.2"
 
+call-bound@^1.0.2:
+  version "1.0.4"
+  resolved "https://registry.yarnpkg.com/call-bound/-/call-bound-1.0.4.tgz#238de935d2a2a692928c538c7ccfa91067fd062a"
+  integrity sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==
+  dependencies:
+    call-bind-apply-helpers "^1.0.2"
+    get-intrinsic "^1.3.0"
+
 call-me-maybe@^1.0.1:
   version "1.0.2"
   resolved "https://registry.yarnpkg.com/call-me-maybe/-/call-me-maybe-1.0.2.tgz#03f964f19522ba643b1b0693acb9152fe2074baa"
@@ -9514,6 +9530,15 @@ dotenv@^8.2.0:
   resolved "https://registry.yarnpkg.com/dotenv/-/dotenv-8.6.0.tgz#061af664d19f7f4d8fc6e4ff9b584ce237adcb8b"
   integrity sha512-IrPdXQsk2BbzvCBGBOTmmSH5SodmqZNt4ERAZDmW4CT+tL8VtvinqywuANaFu4bOMWki16nqf0e4oC0QIaDr/g==
 
+dunder-proto@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/dunder-proto/-/dunder-proto-1.0.1.tgz#d7ae667e1dc83482f8b70fd0f6eefc50da30f58a"
+  integrity sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==
+  dependencies:
+    call-bind-apply-helpers "^1.0.1"
+    es-errors "^1.3.0"
+    gopd "^1.2.0"
+
 duplexer@^0.1.2:
   version "0.1.2"
   resolved "https://registry.yarnpkg.com/duplexer/-/duplexer-0.1.2.tgz#3abe43aef3835f8ae077d136ddce0f276b0400e6"
@@ -9757,6 +9782,16 @@ es-abstract@^1.22.1:
     unbox-primitive "^1.0.2"
     which-typed-array "^1.1.11"
 
+es-define-property@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/es-define-property/-/es-define-property-1.0.1.tgz#983eb2f9a6724e9303f61addf011c72e09e0b0fa"
+  integrity sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==
+
+es-errors@^1.3.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/es-errors/-/es-errors-1.3.0.tgz#05f75a25dab98e4fb1dcd5e1472c0546d5057c8f"
+  integrity sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==
+
 es-get-iterator@^1.1.3:
   version "1.1.3"
   resolved "https://registry.yarnpkg.com/es-get-iterator/-/es-get-iterator-1.1.3.tgz#3ef87523c5d464d41084b2c3c9c214f1199763d6"
@@ -9807,6 +9842,13 @@ es-module-lexer@^1.5.4:
   resolved "https://registry.yarnpkg.com/es-module-lexer/-/es-module-lexer-1.5.4.tgz#a8efec3a3da991e60efa6b633a7cad6ab8d26b78"
   integrity sha512-MVNK56NiMrOwitFB7cqDwq0CQutbw+0BvLshJSse0MUNU+y1FC3bUS/AQg7oUng+/wKrrki7JfmwtVHkVfPLlw==
 
+es-object-atoms@^1.0.0, es-object-atoms@^1.1.1:
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/es-object-atoms/-/es-object-atoms-1.1.1.tgz#1c4f2c4837327597ce69d2ca190a7fdd172338c1"
+  integrity sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==
+  dependencies:
+    es-errors "^1.3.0"
+
 es-set-tostringtag@^2.0.1:
   version "2.0.1"
   resolved "https://registry.yarnpkg.com/es-set-tostringtag/-/es-set-tostringtag-2.0.1.tgz#338d502f6f674301d710b80c8592de8a15f09cd8"
@@ -10893,6 +10935,11 @@ function-bind@^1.1.1:
   resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.1.tgz#a56899d3ea3c9bab874bb9773b7c5ede92f4895d"
   integrity sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==
 
+function-bind@^1.1.2:
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/function-bind/-/function-bind-1.1.2.tgz#2c02d864d97f3ea6c8830c464cbd11ab6eab7a1c"
+  integrity sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==
+
 function.prototype.name@^1.1.5:
   version "1.1.5"
   resolved "https://registry.yarnpkg.com/function.prototype.name/-/function.prototype.name-1.1.5.tgz#cce0505fe1ffb80503e6f9e46cc64e46a12a9621"
@@ -10947,6 +10994,22 @@ get-intrinsic@^1.1.3:
     has "^1.0.3"
     has-symbols "^1.0.3"
 
+get-intrinsic@^1.2.5, get-intrinsic@^1.3.0:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/get-intrinsic/-/get-intrinsic-1.3.0.tgz#743f0e3b6964a93a5491ed1bffaae054d7f98d01"
+  integrity sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==
+  dependencies:
+    call-bind-apply-helpers "^1.0.2"
+    es-define-property "^1.0.1"
+    es-errors "^1.3.0"
+    es-object-atoms "^1.1.1"
+    function-bind "^1.1.2"
+    get-proto "^1.0.1"
+    gopd "^1.2.0"
+    has-symbols "^1.1.0"
+    hasown "^2.0.2"
+    math-intrinsics "^1.1.0"
+
 get-nonce@^1.0.0:
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/get-nonce/-/get-nonce-1.0.1.tgz#fdf3f0278073820d2ce9426c18f07481b1e0cdf3"
@@ -10967,6 +11030,14 @@ get-port@^5.1.1:
   resolved "https://registry.yarnpkg.com/get-port/-/get-port-5.1.1.tgz#0469ed07563479de6efb986baf053dcd7d4e3193"
   integrity sha512-g/Q1aTSDOxFpchXC4i8ZWvxA1lnPqx/JHqcpIw0/LX9T8x/GBbi6YnlN5nhaKIFkT8oFsscUKgDJYxfwfS6QsQ==
 
+get-proto@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/get-proto/-/get-proto-1.0.1.tgz#150b3f2743869ef3e851ec0c49d15b1d14d00ee1"
+  integrity sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==
+  dependencies:
+    dunder-proto "^1.0.1"
+    es-object-atoms "^1.0.0"
+
 get-stream@^2.2.0:
   version "2.3.1"
   resolved "https://registry.yarnpkg.com/get-stream/-/get-stream-2.3.1.tgz#5f38f93f346009666ee0150a054167f91bdd95de"
@@ -11195,6 +11266,11 @@ gopd@^1.0.1:
   dependencies:
     get-intrinsic "^1.1.3"
 
+gopd@^1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/gopd/-/gopd-1.2.0.tgz#89f56b8217bdbc8802bd299df6d7f1081d7e51a1"
+  integrity sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==
+
 graceful-fs@^4.1.10, graceful-fs@^4.2.6:
   version "4.2.8"
   resolved "https://registry.yarnpkg.com/graceful-fs/-/graceful-fs-4.2.8.tgz#e412b8d33f5e006593cbd3cee6df9f2cebbe802a"
@@ -11305,6 +11381,11 @@ has-symbols@^1.0.2, has-symbols@^1.0.3:
   resolved "https://registry.yarnpkg.com/has-symbols/-/has-symbols-1.0.3.tgz#bb7b2c4349251dce87b125f7bdf874aa7c8b39f8"
   integrity sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==
 
+has-symbols@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/has-symbols/-/has-symbols-1.1.0.tgz#fc9c6a783a084951d0b971fe1018de813707a338"
+  integrity sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==
+
 has-tostringtag@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/has-tostringtag/-/has-tostringtag-1.0.0.tgz#7e133818a7d394734f941e73c3d3f9291e658b25"
@@ -11319,6 +11400,13 @@ has@^1.0.3:
   dependencies:
     function-bind "^1.1.1"
 
+hasown@^2.0.2:
+  version "2.0.2"
+  resolved "https://registry.yarnpkg.com/hasown/-/hasown-2.0.2.tgz#003eaf91be7adc372e84ec59dc37252cedb80003"
+  integrity sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==
+  dependencies:
+    function-bind "^1.1.2"
+
 hast-util-to-html@^9.0.4:
   version "9.0.5"
   resolved "https://registry.yarnpkg.com/hast-util-to-html/-/hast-util-to-html-9.0.5.tgz#ccc673a55bb8e85775b08ac28380f72d47167005"
@@ -13060,6 +13148,11 @@ markdown-to-jsx@^7.1.8:
   resolved "https://registry.yarnpkg.com/markdown-to-jsx/-/markdown-to-jsx-7.2.0.tgz#e7b46b65955f6a04d48a753acd55874a14bdda4b"
   integrity sha512-3l4/Bigjm4bEqjCR6Xr+d4DtM1X6vvtGsMGSjJYyep8RjjIvcWtrXBS8Wbfe1/P+atKNMccpsraESIaWVplzVg==
 
+math-intrinsics@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz#a0dd74be81e2aa5c2f27e65ce283605ee4e2b7f9"
+  integrity sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==
+
 md5@^2.2.1:
   version "2.3.0"
   resolved "https://registry.yarnpkg.com/md5/-/md5-2.3.0.tgz#c3da9a6aae3a30b46b7b0c349b87b110dc3bda4f"
@@ -13754,6 +13847,11 @@ object-inspect@^1.12.3, object-inspect@^1.9.0:
   resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.12.3.tgz#ba62dffd67ee256c8c086dfae69e016cd1f198b9"
   integrity sha512-geUvdk7c+eizMNUDkRpW1wJwgfOiOeHbxBR/hLXK1aT6zmVSO0jsQcs7fj6MGw89jC/cjGfLcNOrtMYtGqm81g==
 
+object-inspect@^1.13.3:
+  version "1.13.4"
+  resolved "https://registry.yarnpkg.com/object-inspect/-/object-inspect-1.13.4.tgz#8375265e21bc20d0fa582c22e1b13485d6e00213"
+  integrity sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==
+
 object-is@^1.0.1, object-is@^1.1.5:
   version "1.1.5"
   resolved "https://registry.yarnpkg.com/object-is/-/object-is-1.1.5.tgz#b9deeaa5fc7f1846a0faecdceec138e5778f53ac"
@@ -14904,6 +15002,13 @@ qs@^6.11.2:
   dependencies:
     side-channel "^1.0.4"
 
+qs@^6.14.0:
+  version "6.14.0"
+  resolved "https://registry.yarnpkg.com/qs/-/qs-6.14.0.tgz#c63fa40680d2c5c941412a0e899c89af60c0a930"
+  integrity sha512-YWWTjgABSKcvs/nWBi9PycY/JiPJqOD4JA6o9Sej2AtvSGarXxKC3OQSk4pAarbdQlKAh5D4FCQkJNkW+GAn3w==
+  dependencies:
+    side-channel "^1.1.0"
+
 querystringify@^2.1.1:
   version "2.2.0"
   resolved "https://registry.yarnpkg.com/querystringify/-/querystringify-2.2.0.tgz#3345941b4153cb9d082d8eee4cda2016a9aef7f6"
@@ -16105,6 +16210,35 @@ should@^13.2.1:
     should-type-adaptors "^1.0.1"
     should-util "^1.0.0"
 
+side-channel-list@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/side-channel-list/-/side-channel-list-1.0.0.tgz#10cb5984263115d3b7a0e336591e290a830af8ad"
+  integrity sha512-FCLHtRD/gnpCiCHEiJLOwdmFP+wzCmDEkc9y7NsYxeF4u7Btsn1ZuwgwJGxImImHicJArLP4R0yX4c2KCrMrTA==
+  dependencies:
+    es-errors "^1.3.0"
+    object-inspect "^1.13.3"
+
+side-channel-map@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/side-channel-map/-/side-channel-map-1.0.1.tgz#d6bb6b37902c6fef5174e5f533fab4c732a26f42"
+  integrity sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==
+  dependencies:
+    call-bound "^1.0.2"
+    es-errors "^1.3.0"
+    get-intrinsic "^1.2.5"
+    object-inspect "^1.13.3"
+
+side-channel-weakmap@^1.0.2:
+  version "1.0.2"
+  resolved "https://registry.yarnpkg.com/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz#11dda19d5368e40ce9ec2bdc1fb0ecbc0790ecea"
+  integrity sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==
+  dependencies:
+    call-bound "^1.0.2"
+    es-errors "^1.3.0"
+    get-intrinsic "^1.2.5"
+    object-inspect "^1.13.3"
+    side-channel-map "^1.0.1"
+
 side-channel@^1.0.4:
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.0.4.tgz#efce5c8fdc104ee751b25c58d4290011fa5ea2cf"
@@ -16114,6 +16248,17 @@ side-channel@^1.0.4:
     get-intrinsic "^1.0.2"
     object-inspect "^1.9.0"
 
+side-channel@^1.1.0:
+  version "1.1.0"
+  resolved "https://registry.yarnpkg.com/side-channel/-/side-channel-1.1.0.tgz#c3fcff9c4da932784873335ec9765fa94ff66bc9"
+  integrity sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==
+  dependencies:
+    es-errors "^1.3.0"
+    object-inspect "^1.13.3"
+    side-channel-list "^1.0.0"
+    side-channel-map "^1.0.1"
+    side-channel-weakmap "^1.0.2"
+
 siginfo@^2.0.0:
   version "2.0.0"
   resolved "https://registry.yarnpkg.com/siginfo/-/siginfo-2.0.0.tgz#32e76c70b79724e3bb567cb9d543eb858ccfaf30"

From a5d857d5e794553431b058ad5c39b0fa7cbaa71c Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Thu, 3 Apr 2025 09:13:01 +1300
Subject: [PATCH 073/212] feat(docker): add --pull-limit-check-disabled cli
 flag [BE-11739] (#581)

---
 api/cli/cli.go                                |  1 +
 api/cli/defaults.go                           | 33 ++++++++---------
 api/cli/defaults_windows.go                   | 35 ++++++++++---------
 api/cmd/portainer/main.go                     |  1 +
 .../endpoints/endpoint_dockerhub_status.go    |  7 ++++
 api/http/handler/endpoints/handler.go         | 27 +++++++-------
 api/http/server.go                            |  2 ++
 api/portainer.go                              |  3 ++
 8 files changed, 63 insertions(+), 46 deletions(-)

diff --git a/api/cli/cli.go b/api/cli/cli.go
index 67005fddb..f6035f298 100644
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -60,6 +60,7 @@ func CLIFlags() *portainer.CLIFlags {
 		LogLevel:                  kingpin.Flag("log-level", "Set the minimum logging level to show").Default("INFO").Enum("DEBUG", "INFO", "WARN", "ERROR"),
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
 		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
+		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 	}
 }
 
diff --git a/api/cli/defaults.go b/api/cli/defaults.go
index ca426cdad..13aa2df93 100644
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -4,20 +4,21 @@
 package cli
 
 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "/data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "/certs/ca.pem"
-	defaultTLSCertPath         = "/certs/cert.pem"
-	defaultTLSKeyPath          = "/certs/key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "/data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "/certs/ca.pem"
+	defaultTLSCertPath            = "/certs/cert.pem"
+	defaultTLSKeyPath             = "/certs/key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
diff --git a/api/cli/defaults_windows.go b/api/cli/defaults_windows.go
index ed5996004..a9d02da65 100644
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -1,21 +1,22 @@
 package cli
 
 const (
-	defaultBindAddress         = ":9000"
-	defaultHTTPSBindAddress    = ":9443"
-	defaultTunnelServerAddress = "0.0.0.0"
-	defaultTunnelServerPort    = "8000"
-	defaultDataDirectory       = "C:\\data"
-	defaultAssetsDirectory     = "./"
-	defaultTLS                 = "false"
-	defaultTLSSkipVerify       = "false"
-	defaultTLSCACertPath       = "C:\\certs\\ca.pem"
-	defaultTLSCertPath         = "C:\\certs\\cert.pem"
-	defaultTLSKeyPath          = "C:\\certs\\key.pem"
-	defaultHTTPDisabled        = "false"
-	defaultHTTPEnabled         = "false"
-	defaultSSL                 = "false"
-	defaultSnapshotInterval    = "5m"
-	defaultBaseURL             = "/"
-	defaultSecretKeyName       = "portainer"
+	defaultBindAddress            = ":9000"
+	defaultHTTPSBindAddress       = ":9443"
+	defaultTunnelServerAddress    = "0.0.0.0"
+	defaultTunnelServerPort       = "8000"
+	defaultDataDirectory          = "C:\\data"
+	defaultAssetsDirectory        = "./"
+	defaultTLS                    = "false"
+	defaultTLSSkipVerify          = "false"
+	defaultTLSCACertPath          = "C:\\certs\\ca.pem"
+	defaultTLSCertPath            = "C:\\certs\\cert.pem"
+	defaultTLSKeyPath             = "C:\\certs\\key.pem"
+	defaultHTTPDisabled           = "false"
+	defaultHTTPEnabled            = "false"
+	defaultSSL                    = "false"
+	defaultSnapshotInterval       = "5m"
+	defaultBaseURL                = "/"
+	defaultSecretKeyName          = "portainer"
+	defaultPullLimitCheckDisabled = "false"
 )
diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 068f31565..f16b3db0f 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -576,6 +576,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		AdminCreationDone:           adminCreationDone,
 		PendingActionsService:       pendingActionsService,
 		PlatformService:             platformService,
+		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
 	}
 }
 
diff --git a/api/http/handler/endpoints/endpoint_dockerhub_status.go b/api/http/handler/endpoints/endpoint_dockerhub_status.go
index 7427a8750..c7d43149f 100644
--- a/api/http/handler/endpoints/endpoint_dockerhub_status.go
+++ b/api/http/handler/endpoints/endpoint_dockerhub_status.go
@@ -80,6 +80,13 @@ func (handler *Handler) endpointDockerhubStatus(w http.ResponseWriter, r *http.R
 		}
 	}
 
+	if handler.PullLimitCheckDisabled {
+		return response.JSON(w, &dockerhubStatusResponse{
+			Limit:     10,
+			Remaining: 10,
+		})
+	}
+
 	httpClient := client.NewHTTPClient()
 	token, err := getDockerHubToken(httpClient, registry)
 	if err != nil {
diff --git a/api/http/handler/endpoints/handler.go b/api/http/handler/endpoints/handler.go
index d1e323e8f..0260acaf0 100644
--- a/api/http/handler/endpoints/handler.go
+++ b/api/http/handler/endpoints/handler.go
@@ -26,19 +26,20 @@ func hideFields(endpoint *portainer.Endpoint) {
 // Handler is the HTTP handler used to handle environment(endpoint) operations.
 type Handler struct {
 	*mux.Router
-	requestBouncer        security.BouncerService
-	DataStore             dataservices.DataStore
-	FileService           portainer.FileService
-	ProxyManager          *proxy.Manager
-	ReverseTunnelService  portainer.ReverseTunnelService
-	SnapshotService       portainer.SnapshotService
-	K8sClientFactory      *cli.ClientFactory
-	ComposeStackManager   portainer.ComposeStackManager
-	AuthorizationService  *authorization.Service
-	DockerClientFactory   *dockerclient.ClientFactory
-	BindAddress           string
-	BindAddressHTTPS      string
-	PendingActionsService *pendingactions.PendingActionsService
+	requestBouncer         security.BouncerService
+	DataStore              dataservices.DataStore
+	FileService            portainer.FileService
+	ProxyManager           *proxy.Manager
+	ReverseTunnelService   portainer.ReverseTunnelService
+	SnapshotService        portainer.SnapshotService
+	K8sClientFactory       *cli.ClientFactory
+	ComposeStackManager    portainer.ComposeStackManager
+	AuthorizationService   *authorization.Service
+	DockerClientFactory    *dockerclient.ClientFactory
+	BindAddress            string
+	BindAddressHTTPS       string
+	PendingActionsService  *pendingactions.PendingActionsService
+	PullLimitCheckDisabled bool
 }
 
 // NewHandler creates a handler to manage environment(endpoint) operations.
diff --git a/api/http/server.go b/api/http/server.go
index 12925d479..3b3fff77d 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -112,6 +112,7 @@ type Server struct {
 	AdminCreationDone           chan struct{}
 	PendingActionsService       *pendingactions.PendingActionsService
 	PlatformService             platform.Service
+	PullLimitCheckDisabled      bool
 }
 
 // Start starts the HTTP server
@@ -181,6 +182,7 @@ func (server *Server) Start() error {
 	endpointHandler.BindAddress = server.BindAddress
 	endpointHandler.BindAddressHTTPS = server.BindAddressHTTPS
 	endpointHandler.PendingActionsService = server.PendingActionsService
+	endpointHandler.PullLimitCheckDisabled = server.PullLimitCheckDisabled
 
 	var endpointEdgeHandler = endpointedge.NewHandler(requestBouncer, server.DataStore, server.FileService, server.ReverseTunnelService)
 
diff --git a/api/portainer.go b/api/portainer.go
index 1f57b0ada..0c8b92b08 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -134,6 +134,7 @@ type (
 		LogLevel                  *string
 		LogMode                   *string
 		KubectlShellImage         *string
+		PullLimitCheckDisabled    *bool
 	}
 
 	// CustomTemplateVariableDefinition
@@ -1689,6 +1690,8 @@ const (
 	PortainerCacheHeader = "X-Portainer-Cache"
 	// KubectlShellImageEnvVar is the environment variable used to override the default kubectl shell image
 	KubectlShellImageEnvVar = "KUBECTL_SHELL_IMAGE"
+	// PullLimitCheckDisabledEnvVar is the environment variable used to disable the pull limit check
+	PullLimitCheckDisabledEnvVar = "PULL_LIMIT_CHECK_DISABLED"
 )
 
 // List of supported features

From 3800249921aac7d0c2bfbfbf19d8157ed07e49e0 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <anthony.lapenna@portainer.io>
Date: Thu, 3 Apr 2025 11:12:24 +1300
Subject: [PATCH 074/212] api: use response code 200 (#604)

---
 api/http/handler/users/user_create_access_token.go      | 4 ++--
 api/http/handler/users/user_create_access_token_test.go | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/api/http/handler/users/user_create_access_token.go b/api/http/handler/users/user_create_access_token.go
index a2e63cf5c..673c0af76 100644
--- a/api/http/handler/users/user_create_access_token.go
+++ b/api/http/handler/users/user_create_access_token.go
@@ -50,7 +50,7 @@ type accessTokenResponse struct {
 // @produce json
 // @param id path int true "User identifier"
 // @param body body userAccessTokenCreatePayload true "details"
-// @success 200 {object} accessTokenResponse "Created"
+// @success 200 {object} accessTokenResponse "Success"
 // @failure 400 "Invalid request"
 // @failure 401 "Unauthorized"
 // @failure 403 "Permission denied"
@@ -115,7 +115,7 @@ func (handler *Handler) userCreateAccessToken(w http.ResponseWriter, r *http.Req
 		return httperror.InternalServerError("Internal Server Error", err)
 	}
 
-	return response.JSONWithStatus(w, accessTokenResponse{rawAPIKey, *apiKey}, http.StatusCreated)
+	return response.JSONWithStatus(w, accessTokenResponse{rawAPIKey, *apiKey}, http.StatusOK)
 }
 
 func (handler *Handler) usesInternalAuthentication(userid portainer.UserID) (bool, error) {
diff --git a/api/http/handler/users/user_create_access_token_test.go b/api/http/handler/users/user_create_access_token_test.go
index 5199366a2..b7e49d96b 100644
--- a/api/http/handler/users/user_create_access_token_test.go
+++ b/api/http/handler/users/user_create_access_token_test.go
@@ -60,7 +60,7 @@ func Test_userCreateAccessToken(t *testing.T) {
 		rr := httptest.NewRecorder()
 		h.ServeHTTP(rr, req)
 
-		is.Equal(http.StatusCreated, rr.Code)
+		is.Equal(http.StatusOK, rr.Code)
 
 		body, err := io.ReadAll(rr.Body)
 		is.NoError(err, "ReadAll should not return error")

From f6f07f4690a429fa1e42a0058491ba6631289989 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Thu, 3 Apr 2025 14:18:31 +1300
Subject: [PATCH 075/212] improvement(kubernetes): right align tags in
 datatables R8S-250 (#601)

Co-authored-by: testA113 <aliharriss1995@gmail.com>
---
 app/react/components/Badge/ExternalBadge.tsx           |  8 ++++++--
 app/react/components/Badge/SystemBadge.tsx             |  8 ++++++--
 .../ListView/ApplicationsDatatable/columns.name.tsx    |  6 +++++-
 .../ListView/ApplicationsDatatable/columns.tsx         |  2 +-
 .../ListView/ApplicationsStacksDatatable/columns.tsx   |  2 +-
 .../cluster/HomeView/NodesDatatable/columns/name.tsx   |  7 +++++--
 .../NodeApplicationsDatatable/columns.name.tsx         | 10 ++++++----
 .../IngressClassDatatable/columns/name.tsx             |  4 ++--
 app/react/kubernetes/components/ExternalBadge.tsx      |  5 -----
 app/react/kubernetes/components/SystemBadge.tsx        |  5 -----
 .../ListView/ConfigMapsDatatable/columns/name.tsx      |  9 ++++++---
 .../configs/ListView/SecretsDatatable/columns/name.tsx | 10 ++++++----
 .../ingresses/IngressDatatable/columns/name.tsx        |  2 +-
 .../ClusterRoleBindingsDatatable/columns/name.tsx      |  2 +-
 .../ClusterRolesDatatable/columns/name.tsx             |  6 ++++--
 .../JobsView/CronJobsDatatable/columns/name.tsx        |  2 +-
 .../JobsView/JobsDatatable/columns/name.tsx            |  2 +-
 .../RolesView/RoleBindingsDatatable/columns/name.tsx   |  2 +-
 .../RolesView/RolesDatatable/columns/name.tsx          |  6 ++++--
 .../ServiceAccountsDatatable/columns/name.tsx          |  2 +-
 .../namespaces/ListView/columns/useColumns.tsx         | 10 +++-------
 .../ServicesView/ServicesDatatable/columns/name.tsx    |  7 ++++---
 app/react/kubernetes/volumes/ListView/columns.name.tsx |  6 +++---
 23 files changed, 68 insertions(+), 55 deletions(-)
 delete mode 100644 app/react/kubernetes/components/ExternalBadge.tsx
 delete mode 100644 app/react/kubernetes/components/SystemBadge.tsx

diff --git a/app/react/components/Badge/ExternalBadge.tsx b/app/react/components/Badge/ExternalBadge.tsx
index 5cf85b844..e49afd07a 100644
--- a/app/react/components/Badge/ExternalBadge.tsx
+++ b/app/react/components/Badge/ExternalBadge.tsx
@@ -1,5 +1,9 @@
 import { Badge } from '@@/Badge';
 
-export function ExternalBadge() {
-  return <Badge type="info">External</Badge>;
+export function ExternalBadge({ className }: { className?: string }) {
+  return (
+    <Badge type="info" className={className}>
+      External
+    </Badge>
+  );
 }
diff --git a/app/react/components/Badge/SystemBadge.tsx b/app/react/components/Badge/SystemBadge.tsx
index e09b944ff..204d01bbd 100644
--- a/app/react/components/Badge/SystemBadge.tsx
+++ b/app/react/components/Badge/SystemBadge.tsx
@@ -1,5 +1,9 @@
 import { Badge } from '@@/Badge';
 
-export function SystemBadge() {
-  return <Badge type="success">System</Badge>;
+export function SystemBadge({ className }: { className?: string }) {
+  return (
+    <Badge type="success" className={className}>
+      System
+    </Badge>
+  );
 }
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.name.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.name.tsx
index e0801cb8f..e7ff26593 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.name.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.name.tsx
@@ -43,7 +43,11 @@ function Cell({
         </Link>
       )}
 
-      {isSystem ? <SystemBadge /> : !item.ApplicationOwner && <ExternalBadge />}
+      {isSystem ? (
+        <SystemBadge className="ml-auto" />
+      ) : (
+        !item.ApplicationOwner && <ExternalBadge className="ml-auto" />
+      )}
     </div>
   );
 }
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx
index f5473b954..0ece6ed2e 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx
@@ -31,7 +31,7 @@ function NamespaceCell({ row, getValue }: CellContext<Application, string>) {
       >
         {value}
       </Link>
-      {isSystem && <SystemBadge />}
+      {isSystem && <SystemBadge className="ml-auto" />}
     </div>
   );
 }
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/columns.tsx b/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/columns.tsx
index 40358f277..833bad58c 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/columns.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/columns.tsx
@@ -30,7 +30,7 @@ function NamespaceCell({ row, getValue }: CellContext<Stack, string>) {
       >
         {value}
       </Link>
-      {isSystem && <SystemBadge />}
+      {isSystem && <SystemBadge className="ml-auto" />}
     </div>
   );
 }
diff --git a/app/react/kubernetes/cluster/HomeView/NodesDatatable/columns/name.tsx b/app/react/kubernetes/cluster/HomeView/NodesDatatable/columns/name.tsx
index 1a0ddce53..cf1252919 100644
--- a/app/react/kubernetes/cluster/HomeView/NodesDatatable/columns/name.tsx
+++ b/app/react/kubernetes/cluster/HomeView/NodesDatatable/columns/name.tsx
@@ -34,8 +34,11 @@ function NameCell({
           {nodeName}
         </Link>
       </Authorized>
-      {node.isApi && <Badge type="info">api</Badge>}
-      {node.isPublishedNode && <Badge type="success">environment IP</Badge>}
+
+      <div className="ml-auto flex gap-2">
+        {node.isApi && <Badge type="info">api</Badge>}
+        {node.isPublishedNode && <Badge type="success">environment IP</Badge>}
+      </div>
     </div>
   );
 }
diff --git a/app/react/kubernetes/cluster/NodeView/NodeApplicationsDatatable/columns.name.tsx b/app/react/kubernetes/cluster/NodeView/NodeApplicationsDatatable/columns.name.tsx
index e7c6ecacf..bcc246dee 100644
--- a/app/react/kubernetes/cluster/NodeView/NodeApplicationsDatatable/columns.name.tsx
+++ b/app/react/kubernetes/cluster/NodeView/NodeApplicationsDatatable/columns.name.tsx
@@ -2,11 +2,11 @@ import { CellContext } from '@tanstack/react-table';
 
 import { isExternalApplication } from '@/react/kubernetes/applications/utils';
 import { useIsSystemNamespace } from '@/react/kubernetes/namespaces/queries/useIsSystemNamespace';
-import { ExternalBadge } from '@/react/kubernetes/components/ExternalBadge';
-import { SystemBadge } from '@/react/kubernetes/components/SystemBadge';
 import { Application } from '@/react/kubernetes/applications/ListView/ApplicationsDatatable/types';
 
 import { Link } from '@@/Link';
+import { SystemBadge } from '@@/Badge/SystemBadge';
+import { ExternalBadge } from '@@/Badge/ExternalBadge';
 
 import { helper } from './columns.helper';
 
@@ -28,9 +28,11 @@ function Cell({ row: { original: item } }: CellContext<Application, string>) {
       </Link>
 
       {isSystem ? (
-        <SystemBadge />
+        <SystemBadge className="ml-auto" />
       ) : (
-        isExternalApplication({ metadata: item.Metadata }) && <ExternalBadge />
+        isExternalApplication({ metadata: item.Metadata }) && (
+          <ExternalBadge className="ml-auto" />
+        )
       )}
     </div>
   );
diff --git a/app/react/kubernetes/cluster/ingressClass/IngressClassDatatable/columns/name.tsx b/app/react/kubernetes/cluster/ingressClass/IngressClassDatatable/columns/name.tsx
index be22a5362..70a2dc765 100644
--- a/app/react/kubernetes/cluster/ingressClass/IngressClassDatatable/columns/name.tsx
+++ b/app/react/kubernetes/cluster/ingressClass/IngressClassDatatable/columns/name.tsx
@@ -19,9 +19,9 @@ function NameCell({
   const className = getValue();
 
   return (
-    <span className="flex flex-nowrap">
+    <span className="flex gap-2 flex-nowrap">
       {className}
-      {row.original.New && <Badge className="ml-1">Newly detected</Badge>}
+      {row.original.New && <Badge className="ml-auto">Newly detected</Badge>}
     </span>
   );
 }
diff --git a/app/react/kubernetes/components/ExternalBadge.tsx b/app/react/kubernetes/components/ExternalBadge.tsx
deleted file mode 100644
index cba18f3f1..000000000
--- a/app/react/kubernetes/components/ExternalBadge.tsx
+++ /dev/null
@@ -1,5 +0,0 @@
-import { Badge } from '@@/Badge';
-
-export function ExternalBadge() {
-  return <Badge type="info">external</Badge>;
-}
diff --git a/app/react/kubernetes/components/SystemBadge.tsx b/app/react/kubernetes/components/SystemBadge.tsx
deleted file mode 100644
index 17552d755..000000000
--- a/app/react/kubernetes/components/SystemBadge.tsx
+++ /dev/null
@@ -1,5 +0,0 @@
-import { Badge } from '@@/Badge';
-
-export function SystemBadge() {
-  return <Badge type="success">system</Badge>;
-}
diff --git a/app/react/kubernetes/configs/ListView/ConfigMapsDatatable/columns/name.tsx b/app/react/kubernetes/configs/ListView/ConfigMapsDatatable/columns/name.tsx
index 526e009fa..065994322 100644
--- a/app/react/kubernetes/configs/ListView/ConfigMapsDatatable/columns/name.tsx
+++ b/app/react/kubernetes/configs/ListView/ConfigMapsDatatable/columns/name.tsx
@@ -55,9 +55,12 @@ function Cell({ row }: CellContext<ConfigMapRowData, string>) {
         >
           {name}
         </Link>
-        {isSystemConfigMap && <SystemBadge />}
-        {!isSystemToken && !hasConfigurationOwner && <ExternalBadge />}
-        {!row.original.inUse && !isSystemConfigMap && <UnusedBadge />}
+
+        <div className="ml-auto flex gap-2">
+          {isSystemConfigMap && <SystemBadge />}
+          {!isSystemToken && !hasConfigurationOwner && <ExternalBadge />}
+          {!row.original.inUse && !isSystemConfigMap && <UnusedBadge />}
+        </div>
       </div>
     </Authorized>
   );
diff --git a/app/react/kubernetes/configs/ListView/SecretsDatatable/columns/name.tsx b/app/react/kubernetes/configs/ListView/SecretsDatatable/columns/name.tsx
index ce0e6033c..31c30e0bb 100644
--- a/app/react/kubernetes/configs/ListView/SecretsDatatable/columns/name.tsx
+++ b/app/react/kubernetes/configs/ListView/SecretsDatatable/columns/name.tsx
@@ -43,7 +43,7 @@ function Cell({ row }: CellContext<SecretRowData, string>) {
 
   return (
     <Authorized authorizations="K8sSecretsR" childrenUnauthorized={name}>
-      <div className="flex w-fit gap-x-2">
+      <div className="flex gap-2">
         <Link
           to="kubernetes.secrets.secret"
           params={{
@@ -56,9 +56,11 @@ function Cell({ row }: CellContext<SecretRowData, string>) {
         >
           {name}
         </Link>
-        {isSystemSecret && <SystemBadge />}
-        {!isSystemToken && !hasConfigurationOwner && <ExternalBadge />}
-        {!row.original.inUse && !isSystemSecret && <UnusedBadge />}
+        <div className="ml-auto flex gap-2">
+          {isSystemSecret && <SystemBadge />}
+          {!isSystemToken && !hasConfigurationOwner && <ExternalBadge />}
+          {!row.original.inUse && !isSystemSecret && <UnusedBadge />}
+        </div>
       </div>
     </Authorized>
   );
diff --git a/app/react/kubernetes/ingresses/IngressDatatable/columns/name.tsx b/app/react/kubernetes/ingresses/IngressDatatable/columns/name.tsx
index d8574c47a..33c3f546f 100644
--- a/app/react/kubernetes/ingresses/IngressDatatable/columns/name.tsx
+++ b/app/react/kubernetes/ingresses/IngressDatatable/columns/name.tsx
@@ -35,7 +35,7 @@ function Cell({ row, getValue }: CellContext<Ingress, string>) {
           {name}
         </Link>
       </Authorized>
-      {row.original.IsSystem && <SystemBadge />}
+      {row.original.IsSystem && <SystemBadge className="ml-auto" />}
     </div>
   );
 }
diff --git a/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRoleBindingsDatatable/columns/name.tsx b/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRoleBindingsDatatable/columns/name.tsx
index 45ebb750e..6b6d02da7 100644
--- a/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRoleBindingsDatatable/columns/name.tsx
+++ b/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRoleBindingsDatatable/columns/name.tsx
@@ -15,7 +15,7 @@ export const name = columnHelper.accessor(
     cell: ({ row }) => (
       <div className="flex gap-2">
         {row.original.name}
-        {row.original.isSystem && <SystemBadge />}
+        {row.original.isSystem && <SystemBadge className="ml-auto" />}
       </div>
     ),
   }
diff --git a/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/columns/name.tsx b/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/columns/name.tsx
index 53addd62e..e42129606 100644
--- a/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/columns/name.tsx
+++ b/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/columns/name.tsx
@@ -17,8 +17,10 @@ export const name = columnHelper.accessor(
     cell: ({ row }) => (
       <div className="flex gap-2">
         {row.original.name}
-        {row.original.isSystem && <SystemBadge />}
-        {row.original.isUnused && <UnusedBadge />}
+        <div className="ml-auto flex gap-2">
+          {row.original.isSystem && <SystemBadge />}
+          {row.original.isUnused && <UnusedBadge />}
+        </div>
       </div>
     ),
   }
diff --git a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/name.tsx b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/name.tsx
index a3394f57e..09620b65e 100644
--- a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/name.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/name.tsx
@@ -16,7 +16,7 @@ export const name = columnHelper.accessor(
     cell: ({ row }) => (
       <div className="flex gap-2">
         {row.original.Name}
-        {row.original.IsSystem && <SystemBadge />}
+        {row.original.IsSystem && <SystemBadge className="ml-auto" />}
       </div>
     ),
   }
diff --git a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/name.tsx b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/name.tsx
index a3394f57e..09620b65e 100644
--- a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/name.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/name.tsx
@@ -16,7 +16,7 @@ export const name = columnHelper.accessor(
     cell: ({ row }) => (
       <div className="flex gap-2">
         {row.original.Name}
-        {row.original.IsSystem && <SystemBadge />}
+        {row.original.IsSystem && <SystemBadge className="ml-auto" />}
       </div>
     ),
   }
diff --git a/app/react/kubernetes/more-resources/RolesView/RoleBindingsDatatable/columns/name.tsx b/app/react/kubernetes/more-resources/RolesView/RoleBindingsDatatable/columns/name.tsx
index 45ebb750e..6b6d02da7 100644
--- a/app/react/kubernetes/more-resources/RolesView/RoleBindingsDatatable/columns/name.tsx
+++ b/app/react/kubernetes/more-resources/RolesView/RoleBindingsDatatable/columns/name.tsx
@@ -15,7 +15,7 @@ export const name = columnHelper.accessor(
     cell: ({ row }) => (
       <div className="flex gap-2">
         {row.original.name}
-        {row.original.isSystem && <SystemBadge />}
+        {row.original.isSystem && <SystemBadge className="ml-auto" />}
       </div>
     ),
   }
diff --git a/app/react/kubernetes/more-resources/RolesView/RolesDatatable/columns/name.tsx b/app/react/kubernetes/more-resources/RolesView/RolesDatatable/columns/name.tsx
index b73bc6180..16482e5ca 100644
--- a/app/react/kubernetes/more-resources/RolesView/RolesDatatable/columns/name.tsx
+++ b/app/react/kubernetes/more-resources/RolesView/RolesDatatable/columns/name.tsx
@@ -20,8 +20,10 @@ export const name = columnHelper.accessor(
     cell: ({ row }) => (
       <div className="flex gap-2">
         {row.original.name}
-        {row.original.isSystem && <SystemBadge />}
-        {row.original.isUnused && <UnusedBadge />}
+        <div className="ml-auto flex gap-2">
+          {row.original.isSystem && <SystemBadge />}
+          {row.original.isUnused && <UnusedBadge />}
+        </div>
       </div>
     ),
   }
diff --git a/app/react/kubernetes/more-resources/ServiceAccountsView/ServiceAccountsDatatable/columns/name.tsx b/app/react/kubernetes/more-resources/ServiceAccountsView/ServiceAccountsDatatable/columns/name.tsx
index e4749af9b..7a551f78c 100644
--- a/app/react/kubernetes/more-resources/ServiceAccountsView/ServiceAccountsDatatable/columns/name.tsx
+++ b/app/react/kubernetes/more-resources/ServiceAccountsView/ServiceAccountsDatatable/columns/name.tsx
@@ -16,7 +16,7 @@ export const name = columnHelper.accessor(
     cell: ({ row }) => (
       <div className="flex gap-2">
         <div>{row.original.name}</div>
-        {row.original.isSystem && <SystemBadge />}
+        {row.original.isSystem && <SystemBadge className="ml-auto" />}
       </div>
     ),
   }
diff --git a/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx b/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx
index 0da487973..541c2315f 100644
--- a/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx
+++ b/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx
@@ -28,7 +28,7 @@ export function useColumns() {
             const name = getValue();
 
             return (
-              <>
+              <div className="flex gap-2">
                 <Link
                   to="kubernetes.resourcePools.resourcePool"
                   params={{
@@ -38,12 +38,8 @@ export function useColumns() {
                 >
                   {name}
                 </Link>
-                {item.IsSystem && (
-                  <span className="ml-2">
-                    <SystemBadge />
-                  </span>
-                )}
-              </>
+                {item.IsSystem && <SystemBadge className="ml-auto" />}
+              </div>
             );
           },
         }),
diff --git a/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/name.tsx b/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/name.tsx
index 3a7183299..3dbc5dccc 100644
--- a/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/name.tsx
+++ b/app/react/kubernetes/services/ServicesView/ServicesDatatable/columns/name.tsx
@@ -36,9 +36,10 @@ export const name = columnHelper.accessor(
           <Authorized authorizations="K8sServiceW" childrenUnauthorized={name}>
             {name}
 
-            {row.original.IsSystem && <SystemBadge />}
-
-            {isExternal && !row.original.IsSystem && <ExternalBadge />}
+            <div className="ml-auto flex gap-2">
+              {row.original.IsSystem && <SystemBadge />}
+              {isExternal && !row.original.IsSystem && <ExternalBadge />}
+            </div>
           </Authorized>
         </div>
       );
diff --git a/app/react/kubernetes/volumes/ListView/columns.name.tsx b/app/react/kubernetes/volumes/ListView/columns.name.tsx
index f1fc25138..ff2e986a1 100644
--- a/app/react/kubernetes/volumes/ListView/columns.name.tsx
+++ b/app/react/kubernetes/volumes/ListView/columns.name.tsx
@@ -41,12 +41,12 @@ export function NameCell({
         {item.PersistentVolumeClaim.Name}
       </Link>
       {isSystem ? (
-        <SystemBadge />
+        <SystemBadge className="ml-auto" />
       ) : (
-        <>
+        <div className="ml-auto flex gap-2">
           {item.PersistentVolumeClaim.IsExternal && <ExternalBadge />}
           {!isVolumeUsed(item) && <UnusedBadge />}
-        </>
+        </div>
       )}
     </div>
   );

From 1b8fbbe7d7649bd0c26d0a40bcdff66fabc5e52d Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Fri, 4 Apr 2025 09:07:35 +1300
Subject: [PATCH 076/212] fix(libstack): compose project working directory
 [BE-11751] (#600)

---
 pkg/libstack/compose/composeplugin.go      | 4 ----
 pkg/libstack/compose/composeplugin_test.go | 8 ++++++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/pkg/libstack/compose/composeplugin.go b/pkg/libstack/compose/composeplugin.go
index 17126cc21..07fed9dbe 100644
--- a/pkg/libstack/compose/composeplugin.go
+++ b/pkg/libstack/compose/composeplugin.go
@@ -312,10 +312,6 @@ func createProject(ctx context.Context, configFilepaths []string, options libsta
 		workingDir = filepath.Dir(configFilepaths[0])
 	}
 
-	if options.WorkingDir != "" {
-		workingDir = options.WorkingDir
-	}
-
 	if options.ProjectDir != "" {
 		// When relative paths are used in the compose file, the project directory is used as the base path
 		workingDir = options.ProjectDir
diff --git a/pkg/libstack/compose/composeplugin_test.go b/pkg/libstack/compose/composeplugin_test.go
index df71c5d36..a7121eadf 100644
--- a/pkg/libstack/compose/composeplugin_test.go
+++ b/pkg/libstack/compose/composeplugin_test.go
@@ -991,10 +991,12 @@ func Test_createProject(t *testing.T) {
 			},
 			configFilepaths: []string{dir + "/docker-compose.yml"},
 			options: libstack.Options{
+				// Note that this is the execution working directory not the compose project working directory
+				// and so it has no affect on the created projects working directory
 				WorkingDir:  "/something-totally-different",
 				ProjectName: projectName,
 			},
-			expectedProject: expectedSimpleComposeProject("/something-totally-different", nil),
+			expectedProject: expectedSimpleComposeProject("", nil),
 		},
 		{
 			name: "Relative Working Directory",
@@ -1003,10 +1005,12 @@ func Test_createProject(t *testing.T) {
 			},
 			configFilepaths: []string{dir + "/docker-compose.yml"},
 			options: libstack.Options{
+				// Note that this is the execution working directory not the compose project working directory
+				// and so it has no affect on the created projects working directory
 				WorkingDir:  "something-totally-different",
 				ProjectName: projectName,
 			},
-			expectedProject: expectedSimpleComposeProject("something-totally-different", nil),
+			expectedProject: expectedSimpleComposeProject("", nil),
 		},
 		{
 			name: "Absolute Project Directory",

From 940bf990f97a5a5767ea128193294eeace29d2a9 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Fri, 4 Apr 2025 11:56:42 +1300
Subject: [PATCH 077/212] fix(edgeconfig): add edge config file interpolation
 info message on edge stack page [BE-11741] (#606)

---
 .../RelativePathFieldset/RelativePathFieldset.tsx | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/app/react/portainer/gitops/RelativePathFieldset/RelativePathFieldset.tsx b/app/react/portainer/gitops/RelativePathFieldset/RelativePathFieldset.tsx
index 4b4dac139..3c143394a 100644
--- a/app/react/portainer/gitops/RelativePathFieldset/RelativePathFieldset.tsx
+++ b/app/react/portainer/gitops/RelativePathFieldset/RelativePathFieldset.tsx
@@ -10,6 +10,7 @@ import { TextTip } from '@@/Tip/TextTip';
 import { FormControl } from '@@/form-components/FormControl';
 import { Input, Select } from '@@/form-components/Input';
 import { useDocsUrl } from '@@/PageHeader/ContextHelp';
+import { InsightsBox } from '@@/InsightsBox';
 
 import { RelativePathModel, getPerDevConfigsFilterType } from './types';
 
@@ -135,6 +136,20 @@ export function RelativePathFieldset({
 
           {value.SupportPerDeviceConfigs && (
             <>
+              <InsightsBox
+                content={
+                  <p>
+                    Files named <code>$&#123;PORTAINER_EDGE_ID&#125;.env</code>{' '}
+                    and/or <code>$&#123;PORTAINER_EDGE_GROUP&#125;.env</code>{' '}
+                    contained by the config folder will be loaded for compose
+                    file interpolation.
+                  </p>
+                }
+                header="GitOps Edge Configurations"
+                insightCloseId="edge-config-interpolation-info"
+                className="mb-3"
+              />
+
               <div className="form-group">
                 <div className="col-sm-12">
                   <TextTip color="blue">{pathTipSwarm}</TextTip>

From 0f10b8ba2bb1d433983cbf9878497c779a53b311 Mon Sep 17 00:00:00 2001
From: Anthony Lapenna <anthony.lapenna@portainer.io>
Date: Mon, 7 Apr 2025 11:25:23 +1200
Subject: [PATCH 078/212] api: update TeamInspect doc (#618)

---
 api/http/handler/teams/team_inspect.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/api/http/handler/teams/team_inspect.go b/api/http/handler/teams/team_inspect.go
index ee92b7bc2..857636590 100644
--- a/api/http/handler/teams/team_inspect.go
+++ b/api/http/handler/teams/team_inspect.go
@@ -21,7 +21,6 @@ import (
 // @produce json
 // @param id path int true "Team identifier"
 // @success 200 {object} portainer.Team "Success"
-// @success 204 "Success"
 // @failure 400 "Invalid request"
 // @failure 403 "Permission denied"
 // @failure 404 "Team not found"

From ad89df4d0d0ac446deadf1eea5389a588da0d2a4 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Mon, 7 Apr 2025 17:14:51 +0200
Subject: [PATCH 079/212] refactor(app): reword docker security features (#608)

---
 .../docker-features-configuration.html           | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/app/docker/views/docker-features-configuration/docker-features-configuration.html b/app/docker/views/docker-features-configuration/docker-features-configuration.html
index dab4efa2d..8edd5843f 100644
--- a/app/docker/views/docker-features-configuration/docker-features-configuration.html
+++ b/app/docker/views/docker-features-configuration/docker-features-configuration.html
@@ -67,7 +67,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableBindMountsForRegularUsers"
                 name="'disableBindMountsForRegularUsers'"
-                label="'Disable bind mounts for non-administrators'"
+                label="'Hide bind mounts for non-administrators'"
                 tooltip="'When enabled, regular users will not be able to use bind mounts when creating containers.'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableBindMountsForRegularUsers)"
@@ -79,7 +79,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disablePrivilegedModeForRegularUsers"
                 name="'disablePrivilegedModeForRegularUsers'"
-                label="'Disable privileged mode for non-administrators'"
+                label="'Hide privileged mode for non-administrators'"
                 tooltip="'When enabled, regular users will not be able to use privileged mode when creating containers.'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisablePrivilegedModeForRegularUsers)"
@@ -91,7 +91,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableHostNamespaceForRegularUsers"
                 name="'disableHostNamespaceForRegularUsers'"
-                label="'Disable the use of host PID 1 for non-administrators'"
+                label="'Hide the use of host PID 1 for non-administrators'"
                 tooltip="'Prevent users from accessing the host filesystem through the host PID namespace.'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableHostNamespaceForRegularUsers)"
@@ -103,7 +103,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableStackManagementForRegularUsers"
                 name="'disableStackManagementForRegularUsers'"
-                label="'Disable the use of Stacks for non-administrators'"
+                label="'Hide the use of Stacks for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableStackManagementForRegularUsers)"
               ></por-switch-field>
@@ -114,7 +114,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableDeviceMappingForRegularUsers"
                 name="'disableDeviceMappingForRegularUsers'"
-                label="'Disable device mappings for non-administrators'"
+                label="'Hide device mappings for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableDeviceMappingForRegularUsers)"
               ></por-switch-field>
@@ -125,7 +125,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableContainerCapabilitiesForRegularUsers"
                 name="'disableContainerCapabilitiesForRegularUsers'"
-                label="'Disable container capabilities for non-administrators'"
+                label="'Hide container capabilities for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableContainerCapabilitiesForRegularUsers)"
               ></por-switch-field>
@@ -136,7 +136,7 @@
               <por-switch-field
                 checked="$ctrl.formValues.disableSysctlSettingForRegularUsers"
                 name="'disableSysctlSettingForRegularUsers'"
-                label="'Disable sysctl settings for non-administrators'"
+                label="'Hide sysctl settings for non-administrators'"
                 label-class="'col-sm-7 col-lg-4'"
                 on-change="($ctrl.onChangeDisableSysctlSettingForRegularUsers)"
               ></por-switch-field>
@@ -146,7 +146,7 @@
           <div class="form-group" ng-if="$ctrl.isContainerEditDisabled()">
             <span class="col-sm-12 text-muted small">
               <pr-icon icon="'info'" mode="'primary'" class-name="'mr-0.5'"></pr-icon>
-              Note: The recreate/duplicate/edit feature is currently disabled (for non-admin users) by one or more security settings.
+              Note: The recreate/duplicate/edit feature is currently hidden (for non-admin users) by one or more security settings.
             </span>
           </div>
           <!-- !security -->

From 264ff5457b8fafcec44640af71bf9e2112b1a6be Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Tue, 8 Apr 2025 12:51:36 +1200
Subject: [PATCH 080/212] chore(kubernetes): Migrate Helm Templates View to
 React R8S-239 (#587)

---
 .../helm-templates.controller.js              | 207 ------------------
 .../helm/helm-templates/helm-templates.html   | 113 ----------
 .../helm/helm-templates/helm-templates.js     |  14 --
 app/kubernetes/react/components/index.ts      |  18 +-
 app/kubernetes/views/deploy/deploy.html       |   8 +-
 .../views/deploy/deployController.js          |   6 +-
 app/react/components/modals/confirm.ts        |  10 +
 app/react/hooks/useCanExit.ts                 |  17 ++
 .../helm/HelmTemplates}/HelmIcon.tsx          |   0
 .../helm/HelmTemplates/HelmTemplates.tsx      |  55 +++++
 .../HelmTemplates/HelmTemplatesList.test.tsx  |  10 +-
 .../helm/HelmTemplates/HelmTemplatesList.tsx  |   8 +-
 .../HelmTemplates/HelmTemplatesListItem.tsx   |  14 +-
 .../HelmTemplatesSelectedItem.test.tsx        | 148 +++++++++++++
 .../HelmTemplatesSelectedItem.tsx             | 188 ++++++++++++++++
 .../queries/useHelmChartInstall.ts            |  40 ++++
 .../HelmTemplates/queries/useHelmChartList.ts |  79 +++++++
 .../queries/useHelmChartValues.ts             |  32 +++
 app/react/kubernetes/helm/types.ts            |  37 ++++
 vitest.config.mts                             |   3 +
 20 files changed, 635 insertions(+), 372 deletions(-)
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates.controller.js
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates.html
 delete mode 100644 app/kubernetes/components/helm/helm-templates/helm-templates.js
 create mode 100644 app/react/hooks/useCanExit.ts
 rename app/{kubernetes/components/helm/helm-templates => react/kubernetes/helm/HelmTemplates}/HelmIcon.tsx (100%)
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartValues.ts
 create mode 100644 app/react/kubernetes/helm/types.ts

diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates.controller.js b/app/kubernetes/components/helm/helm-templates/helm-templates.controller.js
deleted file mode 100644
index 8b62c6af0..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates.controller.js
+++ /dev/null
@@ -1,207 +0,0 @@
-import _ from 'lodash-es';
-import KubernetesNamespaceHelper from 'Kubernetes/helpers/namespaceHelper';
-import { confirmWebEditorDiscard } from '@@/modals/confirm';
-import { HelmIcon } from './HelmIcon';
-export default class HelmTemplatesController {
-  /* @ngInject */
-  constructor($analytics, $async, $state, $window, $anchorScroll, Authentication, HelmService, KubernetesResourcePoolService, Notifications) {
-    this.$analytics = $analytics;
-    this.$async = $async;
-    this.$window = $window;
-    this.$state = $state;
-    this.$anchorScroll = $anchorScroll;
-    this.Authentication = Authentication;
-    this.HelmService = HelmService;
-    this.KubernetesResourcePoolService = KubernetesResourcePoolService;
-    this.Notifications = Notifications;
-
-    this.fallbackIcon = HelmIcon;
-
-    this.editorUpdate = this.editorUpdate.bind(this);
-    this.uiCanExit = this.uiCanExit.bind(this);
-    this.installHelmchart = this.installHelmchart.bind(this);
-    this.getHelmValues = this.getHelmValues.bind(this);
-    this.selectHelmChart = this.selectHelmChart.bind(this);
-    this.getHelmRepoURLs = this.getHelmRepoURLs.bind(this);
-    this.getLatestCharts = this.getLatestCharts.bind(this);
-    this.getResourcePools = this.getResourcePools.bind(this);
-    this.clearHelmChart = this.clearHelmChart.bind(this);
-
-    $window.onbeforeunload = () => {
-      if (this.state.isEditorDirty) {
-        return '';
-      }
-    };
-  }
-
-  clearHelmChart() {
-    this.state.chart = null;
-    this.onSelectHelmChart('');
-  }
-
-  editorUpdate(contentvalues) {
-    if (this.state.originalvalues === contentvalues) {
-      this.state.isEditorDirty = false;
-    } else {
-      this.state.values = contentvalues;
-      this.state.isEditorDirty = true;
-    }
-  }
-
-  async uiCanExit() {
-    if (this.state.isEditorDirty) {
-      return confirmWebEditorDiscard();
-    }
-  }
-
-  async installHelmchart() {
-    this.state.actionInProgress = true;
-    try {
-      const payload = {
-        Name: this.name,
-        Repo: this.state.chart.repo,
-        Chart: this.state.chart.name,
-        Values: this.state.values,
-        Namespace: this.namespace,
-      };
-      await this.HelmService.install(this.endpoint.Id, payload);
-      this.Notifications.success('Success', 'Helm chart successfully installed');
-      this.$analytics.eventTrack('kubernetes-helm-install', { category: 'kubernetes', metadata: { 'chart-name': this.state.chart.name } });
-      this.state.isEditorDirty = false;
-      this.$state.go('kubernetes.applications');
-    } catch (err) {
-      this.Notifications.error('Installation error', err);
-    } finally {
-      this.state.actionInProgress = false;
-    }
-  }
-
-  async getHelmValues() {
-    this.state.loadingValues = true;
-    try {
-      const { values } = await this.HelmService.values(this.state.chart.repo, this.state.chart.name);
-      this.state.values = values;
-      this.state.originalvalues = values;
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm chart values.');
-    } finally {
-      this.state.loadingValues = false;
-    }
-  }
-
-  async selectHelmChart(chart) {
-    window.scrollTo(0, 0);
-    this.state.showCustomValues = false;
-    this.state.chart = chart;
-    this.onSelectHelmChart(chart.name);
-    await this.getHelmValues();
-  }
-
-  /**
-   * @description This function is used to get the helm repo urls for the endpoint and user
-   * @returns {Promise<string[]>} list of helm repo urls
-   */
-  async getHelmRepoURLs() {
-    this.state.reposLoading = true;
-    try {
-      // fetch globally set helm repo and user helm repos (parallel)
-      const { GlobalRepository, UserRepositories } = await this.HelmService.getHelmRepositories(this.user.ID);
-      this.state.globalRepository = GlobalRepository;
-      const userHelmReposUrls = UserRepositories.map((repo) => repo.URL);
-      const uniqueHelmRepos = [...new Set([GlobalRepository, ...userHelmReposUrls])].map((url) => url.toLowerCase()).filter((url) => url); // remove duplicates and blank, to lowercase
-      this.state.repos = uniqueHelmRepos;
-      return uniqueHelmRepos;
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm repo urls.');
-    } finally {
-      this.state.reposLoading = false;
-    }
-  }
-
-  /**
-   * @description This function is used to fetch the respective index.yaml files for the provided helm repo urls
-   * @param {string[]} helmRepos list of helm repositories
-   * @param {bool} append append charts returned from repo to existing list of helm charts
-   */
-  async getLatestCharts(helmRepos) {
-    this.state.chartsLoading = true;
-    try {
-      const promiseList = helmRepos.map((repo) => this.HelmService.search(repo));
-      // fetch helm charts from all the provided helm repositories (parallel)
-      // Promise.allSettled is used to account for promise failure(s) - in cases the  user has provided invalid helm repo
-      const chartPromises = await Promise.allSettled(promiseList);
-      const latestCharts = chartPromises
-        .filter((tp) => tp.status === 'fulfilled') // remove failed promises
-        .map((tp) => ({ entries: tp.value.entries, repo: helmRepos[chartPromises.indexOf(tp)] })) // extract chart entries with respective repo data
-        .flatMap(
-          ({ entries, repo }) => Object.values(entries).map((charts) => ({ ...charts[0], repo })) // flatten chart entries to single array with respective repo
-        );
-
-      this.state.charts = latestCharts;
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve helm repo charts.');
-    } finally {
-      this.state.chartsLoading = false;
-    }
-  }
-
-  async getResourcePools() {
-    this.state.resourcePoolsLoading = true;
-    try {
-      const resourcePools = await this.KubernetesResourcePoolService.get();
-
-      const nonSystemNamespaces = resourcePools.filter(
-        (resourcePool) => !KubernetesNamespaceHelper.isSystemNamespace(resourcePool.Namespace.Name) && resourcePool.Namespace.Status === 'Active'
-      );
-      this.state.resourcePools = _.sortBy(nonSystemNamespaces, ({ Namespace }) => (Namespace.Name === 'default' ? 0 : 1));
-      this.state.resourcePool = this.state.resourcePools[0];
-    } catch (err) {
-      this.Notifications.error('Failure', err, 'Unable to retrieve initial helm data.');
-    } finally {
-      this.state.resourcePoolsLoading = false;
-    }
-  }
-
-  $onInit() {
-    return this.$async(async () => {
-      this.user = this.Authentication.getUserDetails();
-
-      this.state = {
-        appName: '',
-        chart: null,
-        showCustomValues: false,
-        actionInProgress: false,
-        resourcePools: [],
-        resourcePool: '',
-        values: null,
-        originalvalues: null,
-        repos: [],
-        charts: [],
-        loadingValues: false,
-        isEditorDirty: false,
-        chartsLoading: false,
-        resourcePoolsLoading: false,
-        viewReady: false,
-        isAdmin: this.Authentication.isAdmin(),
-        globalRepository: undefined,
-      };
-
-      const helmRepos = await this.getHelmRepoURLs();
-      if (helmRepos) {
-        await Promise.all([this.getLatestCharts(helmRepos), this.getResourcePools()]);
-      }
-      if (this.state.charts.length > 0 && this.$state.params.chartName) {
-        const chart = this.state.charts.find((chart) => chart.name === this.$state.params.chartName);
-        if (chart) {
-          this.selectHelmChart(chart);
-        }
-      }
-
-      this.state.viewReady = true;
-    });
-  }
-
-  $onDestroy() {
-    this.state.isEditorDirty = false;
-  }
-}
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates.html b/app/kubernetes/components/helm/helm-templates/helm-templates.html
deleted file mode 100644
index 4b998cf76..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates.html
+++ /dev/null
@@ -1,113 +0,0 @@
-<div class="row">
-  <!-- helmchart-form -->
-  <div class="col-sm-12 p-0" ng-if="$ctrl.state.chart">
-    <rd-widget>
-      <div class="flex">
-        <div class="basis-3/4 rounded-[8px] m-2 bg-gray-4 th-highcontrast:bg-black th-highcontrast:text-white th-dark:bg-gray-iron-10 th-dark:text-white">
-          <div class="vertical-center p-5">
-            <fallback-image src="$ctrl.state.chart.icon" fallback-icon="$ctrl.fallbackIcon" class-name="'h-16 w-16'" size="'lg'"></fallback-image>
-            <div class="font-medium ml-4">
-              <div class="toolBarTitle text-[24px] mb-2">
-                {{ $ctrl.state.chart.name }}
-                <span class="space-left text-[14px] vertical-center font-normal">
-                  <pr-icon icon="'svg-helm'" mode="'primary'"></pr-icon>
-                  Helm
-                </span>
-              </div>
-              <div class="text-muted text-xs" ng-bind-html="$ctrl.state.chart.description"></div>
-            </div>
-          </div>
-        </div>
-        <div class="basis-1/4">
-          <div class="h-full w-full vertical-center justify-end pr-5">
-            <button type="button" class="btn btn-sm btn-link !text-gray-8 hover:no-underline th-highcontrast:!text-white th-dark:!text-white" ng-click="$ctrl.clearHelmChart()">
-              Clear selection
-              <pr-icon icon="'x'" class="ml-1"></pr-icon>
-            </button>
-          </div>
-        </div>
-      </div>
-    </rd-widget>
-
-    <form class="form-horizontal" name="$ctrl.helmTemplateCreationForm">
-      <div class="form-group mt-4">
-        <div class="col-sm-12">
-          <button
-            ng-if="!$ctrl.state.showCustomValues && !$ctrl.state.loadingValues"
-            class="btn btn-xs btn-default vertical-center !ml-0 mr-2"
-            ng-click="$ctrl.state.showCustomValues = true;"
-          >
-            <pr-icon icon="'plus'" class="vertical-center"></pr-icon>
-            Show custom values
-          </button>
-          <span class="small interactive vertical-center" ng-if="$ctrl.state.loadingValues" role="status">
-            <inline-loader children="'Loading values.yaml...'" />
-          </span>
-          <button ng-if="$ctrl.state.showCustomValues" class="btn btn-xs btn-default vertical-center !ml-0 mr-2" ng-click="$ctrl.state.showCustomValues = false;">
-            <pr-icon icon="'minus'" class="vertical-center"></pr-icon>
-            Hide custom values
-          </button>
-        </div>
-      </div>
-      <!-- values override -->
-      <div ng-if="$ctrl.state.showCustomValues">
-        <!-- web-editor -->
-        <div class="form-group">
-          <div class="col-sm-12">
-            <web-editor-form
-              identifier="helm-app-creation-editor"
-              value="$ctrl.state.values"
-              on-change="($ctrl.editorUpdate)"
-              yml="true"
-              placeholder="Define or paste the content of your values yaml file here"
-            >
-              <editor-description class="vertical-center">
-                <pr-icon icon="'info'" mode="'primary'"></pr-icon>
-                <span>
-                  You can get more information about Helm values file format in the
-                  <a href="https://helm.sh/docs/chart_template_guide/values_files/" target="_blank" class="hyperlink">official documentation</a>.
-                </span>
-              </editor-description>
-            </web-editor-form>
-          </div>
-        </div>
-        <!-- !web-editor -->
-      </div>
-      <!-- !values override -->
-      <!-- helm actions -->
-      <div class="col-sm-12 form-section-title"> Actions </div>
-      <div class="form-group">
-        <div class="col-sm-12">
-          <button
-            type="button"
-            class="btn btn-primary btn-sm !ml-0"
-            ng-disabled="!$ctrl.state.resourcePool || $ctrl.state.loadingValues || $ctrl.state.actionInProgress || !$ctrl.name"
-            ng-click="$ctrl.installHelmchart()"
-            button-spinner="$ctrl.state.actionInProgress"
-            data-cy="helm-install"
-          >
-            <span ng-hide="$ctrl.state.actionInProgress">Install</span>
-            <span ng-hide="!$ctrl.state.actionInProgress">Installing Helm chart</span>
-          </button>
-        </div>
-      </div>
-      <!-- !helm actions -->
-    </form>
-  </div>
-  <!-- helmchart-form -->
-</div>
-
-<!-- Helm Charts Component -->
-<div class="row" ng-if="!$ctrl.state.chart">
-  <div class="col-sm-12 p-0">
-    <helm-templates-list
-      title-text="'Helm chart'"
-      charts="$ctrl.state.charts"
-      table-key="$ctrl.state.charts"
-      select-action="$ctrl.selectHelmChart"
-      loading="$ctrl.state.chartsLoading || $ctrl.state.resourcePoolsLoading"
-    >
-    </helm-templates-list>
-  </div>
-</div>
-<!-- !Helm Charts Component -->
diff --git a/app/kubernetes/components/helm/helm-templates/helm-templates.js b/app/kubernetes/components/helm/helm-templates/helm-templates.js
deleted file mode 100644
index 9cd4b1158..000000000
--- a/app/kubernetes/components/helm/helm-templates/helm-templates.js
+++ /dev/null
@@ -1,14 +0,0 @@
-import angular from 'angular';
-import controller from './helm-templates.controller';
-
-angular.module('portainer.kubernetes').component('helmTemplatesView', {
-  templateUrl: './helm-templates.html',
-  controller,
-  bindings: {
-    endpoint: '<',
-    namespace: '<',
-    stackName: '<',
-    onSelectHelmChart: '<',
-    name: '<',
-  },
-});
diff --git a/app/kubernetes/react/components/index.ts b/app/kubernetes/react/components/index.ts
index 041fc35d2..27aa04444 100644
--- a/app/kubernetes/react/components/index.ts
+++ b/app/kubernetes/react/components/index.ts
@@ -58,8 +58,7 @@ import { AppDeploymentTypeFormSection } from '@/react/kubernetes/applications/co
 import { EnvironmentVariablesFormSection } from '@/react/kubernetes/applications/components/EnvironmentVariablesFormSection/EnvironmentVariablesFormSection';
 import { kubeEnvVarValidationSchema } from '@/react/kubernetes/applications/components/EnvironmentVariablesFormSection/kubeEnvVarValidationSchema';
 import { IntegratedAppsDatatable } from '@/react/kubernetes/components/IntegratedAppsDatatable/IntegratedAppsDatatable';
-import { HelmTemplatesList } from '@/react/kubernetes/helm/HelmTemplates/HelmTemplatesList';
-import { HelmTemplatesListItem } from '@/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem';
+import { HelmTemplates } from '@/react/kubernetes/helm/HelmTemplates/HelmTemplates';
 
 import { namespacesModule } from './namespaces';
 import { clusterManagementModule } from './clusterManagement';
@@ -209,17 +208,12 @@ export const ngModule = angular
     ])
   )
   .component(
-    'helmTemplatesList',
-    r2a(withUIRouter(withCurrentUser(HelmTemplatesList)), [
-      'loading',
-      'titleText',
-      'charts',
-      'selectAction',
+    'helmTemplatesView',
+    r2a(withUIRouter(withCurrentUser(HelmTemplates)), [
+      'onSelectHelmChart',
+      'namespace',
+      'name',
     ])
-  )
-  .component(
-    'helmTemplatesListItem',
-    r2a(HelmTemplatesListItem, ['model', 'onSelect', 'actions'])
   );
 
 export const componentsModule = ngModule.name;
diff --git a/app/kubernetes/views/deploy/deploy.html b/app/kubernetes/views/deploy/deploy.html
index 35701b76c..5eda2d3a7 100644
--- a/app/kubernetes/views/deploy/deploy.html
+++ b/app/kubernetes/views/deploy/deploy.html
@@ -187,13 +187,7 @@
                 <!-- Helm -->
                 <div ng-show="ctrl.state.BuildMethod === ctrl.BuildMethods.HELM">
                   <div class="col-sm-12 form-section-title" ng-if="ctrl.state.selectedHelmChart">Selected Helm chart</div>
-                  <helm-templates-view
-                    on-select-helm-chart="(ctrl.onSelectHelmChart)"
-                    endpoint="ctrl.endpoint"
-                    namespace="ctrl.formValues.Namespace"
-                    stack-name="ctrl.formValues.StackName"
-                    name="ctrl.formValues.Name"
-                  ></helm-templates-view>
+                  <helm-templates-view on-select-helm-chart="(ctrl.onSelectHelmChart)" namespace="ctrl.formValues.Namespace" name="ctrl.formValues.Name" />
                 </div>
                 <!-- !Helm -->
 
diff --git a/app/kubernetes/views/deploy/deployController.js b/app/kubernetes/views/deploy/deployController.js
index 79549084a..89f416ac3 100644
--- a/app/kubernetes/views/deploy/deployController.js
+++ b/app/kubernetes/views/deploy/deployController.js
@@ -16,7 +16,8 @@ import { kubernetes } from '@@/BoxSelector/common-options/deployment-methods';
 
 class KubernetesDeployController {
   /* @ngInject */
-  constructor($async, $state, $window, Authentication, Notifications, KubernetesResourcePoolService, StackService, CustomTemplateService, KubernetesApplicationService) {
+  constructor($scope, $async, $state, $window, Authentication, Notifications, KubernetesResourcePoolService, StackService, CustomTemplateService, KubernetesApplicationService) {
+    this.$scope = $scope;
     this.$async = $async;
     this.$state = $state;
     this.$window = $window;
@@ -110,6 +111,9 @@ class KubernetesDeployController {
 
   onSelectHelmChart(chart) {
     this.state.selectedHelmChart = chart;
+
+    // Force a digest cycle to ensure the change is reflected in the UI
+    this.$scope.$apply();
   }
 
   onChangeTemplateVariables(value) {
diff --git a/app/react/components/modals/confirm.ts b/app/react/components/modals/confirm.ts
index 4ca4a7e91..c7f3ba677 100644
--- a/app/react/components/modals/confirm.ts
+++ b/app/react/components/modals/confirm.ts
@@ -47,6 +47,16 @@ export function confirmWebEditorDiscard() {
   });
 }
 
+export function confirmGenericDiscard() {
+  return openConfirm({
+    modalType: ModalType.Warn,
+    title: 'Are you sure?',
+    message:
+      'You currently have unsaved changes. Are you sure you want to leave?',
+    confirmButton: buildConfirmButton('Yes', 'danger'),
+  });
+}
+
 export function confirmDelete(message: ReactNode) {
   return confirmDestructive({
     title: 'Are you sure?',
diff --git a/app/react/hooks/useCanExit.ts b/app/react/hooks/useCanExit.ts
new file mode 100644
index 000000000..b7366be23
--- /dev/null
+++ b/app/react/hooks/useCanExit.ts
@@ -0,0 +1,17 @@
+/**
+ * Copied from https://github.com/ui-router/react/blob/master/src/hooks/useCanExit.ts
+ * TODO: Use package version of this hook when it becomes available: https://github.com/ui-router/react/pull/1227
+ */
+import { useParentView, useTransitionHook } from '@uirouter/react';
+
+/**
+ * A hook that can stop the router from exiting the state the hook is used in.
+ * If the callback returns true/undefined (or a Promise that resolves to true/undefined), the Transition will be allowed to continue.
+ * If the callback returns false (or a Promise that resolves to false), the Transition will be cancelled.
+ */
+export function useCanExit(
+  canExitCallback: () => boolean | undefined | Promise<boolean | undefined>
+) {
+  const stateName = useParentView().context.name;
+  useTransitionHook('onBefore', { exiting: stateName }, canExitCallback);
+}
diff --git a/app/kubernetes/components/helm/helm-templates/HelmIcon.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmIcon.tsx
similarity index 100%
rename from app/kubernetes/components/helm/helm-templates/HelmIcon.tsx
rename to app/react/kubernetes/helm/HelmTemplates/HelmIcon.tsx
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
new file mode 100644
index 000000000..c8def2077
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
@@ -0,0 +1,55 @@
+import { useState } from 'react';
+
+import { useCurrentUser } from '@/react/hooks/useUser';
+
+import { Chart } from '../types';
+
+import { useHelmChartList } from './queries/useHelmChartList';
+import { HelmTemplatesList } from './HelmTemplatesList';
+import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
+
+interface Props {
+  onSelectHelmChart: (chartName: string) => void;
+  namespace?: string;
+  name?: string;
+}
+
+export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
+  const [selectedChart, setSelectedChart] = useState<Chart | null>(null);
+
+  const { user } = useCurrentUser();
+  const { data: charts = [], isLoading: chartsLoading } = useHelmChartList(
+    user.Id
+  );
+
+  function clearHelmChart() {
+    setSelectedChart(null);
+    onSelectHelmChart('');
+  }
+
+  function handleChartSelection(chart: Chart) {
+    setSelectedChart(chart);
+    onSelectHelmChart(chart.name);
+  }
+
+  return (
+    <div className="row">
+      <div className="col-sm-12 p-0">
+        {selectedChart ? (
+          <HelmTemplatesSelectedItem
+            selectedChart={selectedChart}
+            clearHelmChart={clearHelmChart}
+            namespace={namespace}
+            name={name}
+          />
+        ) : (
+          <HelmTemplatesList
+            charts={charts}
+            selectAction={handleChartSelection}
+            loading={chartsLoading}
+          />
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
index e08e50cad..3c080d077 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
@@ -6,14 +6,16 @@ import { withUserProvider } from '@/react/test-utils/withUserProvider';
 import { withTestRouter } from '@/react/test-utils/withRouter';
 import { UserViewModel } from '@/portainer/models/user';
 
+import { Chart } from '../types';
+
 import { HelmTemplatesList } from './HelmTemplatesList';
-import { Chart } from './HelmTemplatesListItem';
 
 // Sample test data
 const mockCharts: Chart[] = [
   {
     name: 'test-chart-1',
     description: 'Test Chart 1 Description',
+    repo: 'https://example.com',
     annotations: {
       category: 'database',
     },
@@ -21,6 +23,7 @@ const mockCharts: Chart[] = [
   {
     name: 'test-chart-2',
     description: 'Test Chart 2 Description',
+    repo: 'https://example.com',
     annotations: {
       category: 'database',
     },
@@ -28,6 +31,7 @@ const mockCharts: Chart[] = [
   {
     name: 'nginx-chart',
     description: 'Nginx Web Server',
+    repo: 'https://example.com',
     annotations: {
       category: 'web',
     },
@@ -38,7 +42,6 @@ const selectActionMock = vi.fn();
 
 function renderComponent({
   loading = false,
-  titleText = 'Test Helm Templates',
   charts = mockCharts,
   selectAction = selectActionMock,
 } = {}) {
@@ -48,7 +51,6 @@ function renderComponent({
       withTestRouter(() => (
         <HelmTemplatesList
           loading={loading}
-          titleText={titleText}
           charts={charts}
           selectAction={selectAction}
         />
@@ -68,7 +70,7 @@ describe('HelmTemplatesList', () => {
     renderComponent();
 
     // Check for the title
-    expect(screen.getByText('Test Helm Templates')).toBeInTheDocument();
+    expect(screen.getByText('Helm chart')).toBeInTheDocument();
 
     // Check for charts
     expect(screen.getByText('test-chart-1')).toBeInTheDocument();
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
index 5cfdb6953..3d9034f4c 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
@@ -6,11 +6,12 @@ import { Link } from '@/react/components/Link';
 import { InsightsBox } from '@@/InsightsBox';
 import { SearchBar } from '@@/datatables/SearchBar';
 
-import { Chart, HelmTemplatesListItem } from './HelmTemplatesListItem';
+import { Chart } from '../types';
+
+import { HelmTemplatesListItem } from './HelmTemplatesListItem';
 
 interface Props {
   loading: boolean;
-  titleText: string;
   charts?: Chart[];
   selectAction: (chart: Chart) => void;
 }
@@ -70,7 +71,6 @@ function getFilteredCharts(
 
 export function HelmTemplatesList({
   loading,
-  titleText,
   charts = [],
   selectAction,
 }: Props) {
@@ -87,7 +87,7 @@ export function HelmTemplatesList({
   return (
     <section className="datatable" aria-label="Helm charts">
       <div className="toolBar vertical-center relative w-full flex-wrap !gap-x-5 !gap-y-1 !px-0">
-        <div className="toolBarTitle vertical-center">{titleText}</div>
+        <div className="toolBarTitle vertical-center">Helm chart</div>
 
         <SearchBar
           value={textFilter}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
index b51fb5cdd..de8272bcb 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
@@ -1,18 +1,12 @@
 import React from 'react';
 
-import { HelmIcon } from '@/kubernetes/components/helm/helm-templates/HelmIcon';
 import { FallbackImage } from '@/react/components/FallbackImage';
 
 import Svg from '@@/Svg';
 
-export interface Chart {
-  name: string;
-  description: string;
-  icon?: string;
-  annotations?: {
-    category?: string;
-  };
-}
+import { Chart } from '../types';
+
+import { HelmIcon } from './HelmIcon';
 
 interface HelmTemplatesListItemProps {
   model: Chart;
@@ -30,7 +24,7 @@ export function HelmTemplatesListItem(props: HelmTemplatesListItemProps) {
   return (
     <button
       type="button"
-      className="blocklist-item mx-0 bg-inherit text-start"
+      className="blocklist-item !mx-0 bg-inherit text-start"
       onClick={handleSelect}
       tabIndex={0}
     >
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
new file mode 100644
index 000000000..655b1d928
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
@@ -0,0 +1,148 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { MutationOptions } from '@tanstack/react-query';
+import { vi } from 'vitest';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+
+import { Chart } from '../types';
+
+import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
+
+const mockMutate = vi.fn();
+const mockNotifySuccess = vi.fn();
+
+// Mock dependencies
+vi.mock('@/portainer/services/notifications', () => ({
+  notifySuccess: (title: string, text: string) =>
+    mockNotifySuccess(title, text),
+}));
+
+vi.mock('./queries/useHelmChartValues', () => ({
+  useHelmChartValues: vi.fn().mockReturnValue({
+    data: { values: 'test-values' },
+    isLoading: false,
+  }),
+}));
+
+vi.mock('./queries/useHelmChartInstall', () => ({
+  useHelmChartInstall: vi.fn().mockReturnValue({
+    mutate: (params: Record<string, string>, options?: MutationOptions) =>
+      mockMutate(params, options),
+    isLoading: false,
+  }),
+}));
+
+vi.mock('@/react/hooks/useAnalytics', () => ({
+  useAnalytics: vi.fn().mockReturnValue({
+    trackEvent: vi.fn(),
+  }),
+}));
+
+// Sample test data
+const mockChart: Chart = {
+  name: 'test-chart',
+  description: 'Test Chart Description',
+  repo: 'https://example.com',
+  icon: 'test-icon-url',
+  annotations: {
+    category: 'database',
+  },
+};
+
+const clearHelmChartMock = vi.fn();
+const mockRouterStateService = {
+  go: vi.fn(),
+};
+
+function renderComponent({
+  selectedChart = mockChart,
+  clearHelmChart = clearHelmChartMock,
+  namespace = 'test-namespace',
+  name = 'test-name',
+} = {}) {
+  const user = new UserViewModel({ Username: 'user' });
+
+  const Wrapped = withTestQueryProvider(
+    withUserProvider(
+      withTestRouter(() => (
+        <HelmTemplatesSelectedItem
+          selectedChart={selectedChart}
+          clearHelmChart={clearHelmChart}
+          namespace={namespace}
+          name={name}
+        />
+      )),
+      user
+    )
+  );
+
+  return {
+    ...render(<Wrapped />),
+    user,
+    mockRouterStateService,
+  };
+}
+
+describe('HelmTemplatesSelectedItem', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('should display selected chart information', () => {
+    renderComponent();
+
+    // Check for chart details
+    expect(screen.getByText('test-chart')).toBeInTheDocument();
+    expect(screen.getByText('Test Chart Description')).toBeInTheDocument();
+    expect(screen.getByText('Clear selection')).toBeInTheDocument();
+    expect(screen.getByText('Helm')).toBeInTheDocument();
+  });
+
+  it('should toggle custom values editor', async () => {
+    renderComponent();
+    const user = userEvent.setup();
+
+    // First show the editor
+    await user.click(await screen.findByText('Custom values'));
+
+    // Verify editor is visible
+    expect(screen.getByTestId('helm-app-creation-editor')).toBeInTheDocument();
+
+    // Now hide the editor
+    await user.click(await screen.findByText('Custom values'));
+
+    // Editor should be hidden
+    expect(
+      screen.queryByTestId('helm-app-creation-editor')
+    ).not.toBeInTheDocument();
+  });
+
+  it('should install helm chart and navigate when install button is clicked', async () => {
+    const user = userEvent.setup();
+    renderComponent();
+
+    // Click install button
+    await user.click(screen.getByText('Install'));
+
+    // Check mutate was called with correct values
+    expect(mockMutate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        Name: 'test-name',
+        Repo: 'https://example.com',
+        Chart: 'test-chart',
+        Values: 'test-values',
+        Namespace: 'test-namespace',
+      }),
+      expect.objectContaining({ onSuccess: expect.any(Function) })
+    );
+  });
+
+  it('should disable install button when namespace or name is undefined', () => {
+    renderComponent({ namespace: '' });
+    expect(screen.getByText('Install')).toBeDisabled();
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
new file mode 100644
index 000000000..088c0c69a
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
@@ -0,0 +1,188 @@
+import { useRef } from 'react';
+import { X } from 'lucide-react';
+import { Form, Formik, FormikProps } from 'formik';
+import { useRouter } from '@uirouter/react';
+
+import { notifySuccess } from '@/portainer/services/notifications';
+import { useAnalytics } from '@/react/hooks/useAnalytics';
+import { useCanExit } from '@/react/hooks/useCanExit';
+
+import { Widget } from '@@/Widget';
+import { Button } from '@@/buttons/Button';
+import { FallbackImage } from '@@/FallbackImage';
+import Svg from '@@/Svg';
+import { Icon } from '@@/Icon';
+import { WebEditorForm } from '@@/WebEditorForm';
+import { confirmGenericDiscard } from '@@/modals/confirm';
+import { FormSection } from '@@/form-components/FormSection';
+import { InlineLoader } from '@@/InlineLoader';
+import { FormActions } from '@@/form-components/FormActions';
+
+import { Chart } from '../types';
+
+import { useHelmChartValues } from './queries/useHelmChartValues';
+import { HelmIcon } from './HelmIcon';
+import { useHelmChartInstall } from './queries/useHelmChartInstall';
+
+type Props = {
+  selectedChart: Chart;
+  clearHelmChart: () => void;
+  namespace?: string;
+  name?: string;
+};
+
+type FormValues = {
+  values: string;
+};
+
+const emptyValues: FormValues = {
+  values: '',
+};
+
+export function HelmTemplatesSelectedItem({
+  selectedChart,
+  clearHelmChart,
+  namespace,
+  name,
+}: Props) {
+  const router = useRouter();
+  const analytics = useAnalytics();
+
+  const { mutate: installHelmChart, isLoading: isInstalling } =
+    useHelmChartInstall();
+  const { data: initialValues, isLoading: loadingValues } =
+    useHelmChartValues(selectedChart);
+
+  const formikRef = useRef<FormikProps<FormValues>>(null);
+  useCanExit(() => !formikRef.current?.dirty || confirmGenericDiscard());
+
+  function handleSubmit(values: FormValues) {
+    if (!name || !namespace) {
+      // Theoretically this should never happen and is mainly to keep typescript happy
+      return;
+    }
+
+    installHelmChart(
+      {
+        Name: name,
+        Repo: selectedChart.repo,
+        Chart: selectedChart.name,
+        Values: values.values,
+        Namespace: namespace,
+      },
+      {
+        onSuccess() {
+          analytics.trackEvent('kubernetes-helm-install', {
+            category: 'kubernetes',
+            metadata: {
+              'chart-name': selectedChart.name,
+            },
+          });
+          notifySuccess('Success', 'Helm chart successfully installed');
+
+          // Reset the form so page can be navigated away from without getting "Are you sure?"
+          formikRef.current?.resetForm();
+          router.stateService.go('kubernetes.applications');
+        },
+      }
+    );
+  }
+
+  return (
+    <>
+      <Widget>
+        <div className="flex">
+          <div className="basis-3/4 rounded-[8px] m-2 bg-gray-4 th-highcontrast:bg-black th-highcontrast:text-white th-dark:bg-gray-iron-10 th-dark:text-white">
+            <div className="vertical-center p-5">
+              <FallbackImage
+                src={selectedChart.icon}
+                fallbackIcon={HelmIcon}
+                className="h-16 w-16"
+              />
+              <div className="col-sm-12">
+                <div className="flex justify-between">
+                  <span>
+                    <span className="text-2xl font-bold">
+                      {selectedChart.name}
+                    </span>
+                    <span className="space-left pr-2 text-xs">
+                      <span className="vertical-center">
+                        <Svg icon="helm" className="icon icon-primary" />
+                      </span>{' '}
+                      <span>Helm</span>
+                    </span>
+                  </span>
+                </div>
+                <div className="text-muted text-xs">
+                  {selectedChart.description}
+                </div>
+              </div>
+            </div>
+          </div>
+          <div className="basis-1/4">
+            <div className="h-full w-full vertical-center justify-end pr-5">
+              <Button
+                color="link"
+                className="!text-gray-8 hover:no-underline th-highcontrast:!text-white th-dark:!text-white"
+                onClick={clearHelmChart}
+                data-cy="clear-selection"
+              >
+                Clear selection
+                <Icon icon={X} className="ml-1" />
+              </Button>
+            </div>
+          </div>
+        </div>
+      </Widget>
+      <Formik
+        innerRef={formikRef}
+        initialValues={initialValues ?? emptyValues}
+        enableReinitialize
+        onSubmit={(values) => handleSubmit(values)}
+      >
+        {({ values, setFieldValue }) => (
+          <Form className="form-horizontal">
+            <div className="form-group !m-0">
+              <FormSection title="Custom values" isFoldable className="mt-4">
+                {loadingValues && (
+                  <div className="col-sm-12 p-0">
+                    <InlineLoader>Loading values.yaml...</InlineLoader>
+                  </div>
+                )}
+                {!!initialValues && (
+                  <WebEditorForm
+                    id="helm-app-creation-editor"
+                    value={values.values}
+                    onChange={(value) => setFieldValue('values', value)}
+                    type="yaml"
+                    data-cy="helm-app-creation-editor"
+                    placeholder="Define or paste the content of your values yaml file here"
+                  >
+                    You can get more information about Helm values file format
+                    in the{' '}
+                    <a
+                      href="https://helm.sh/docs/chart_template_guide/values_files/"
+                      target="_blank"
+                      rel="noreferrer"
+                    >
+                      official documentation
+                    </a>
+                    .
+                  </WebEditorForm>
+                )}
+              </FormSection>
+            </div>
+
+            <FormActions
+              submitLabel="Install"
+              loadingText="Installing Helm chart"
+              isLoading={isInstalling}
+              isValid={!!namespace && !!name && !loadingValues}
+              data-cy="helm-install"
+            />
+          </Form>
+        )}
+      </Formik>
+    </>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts
new file mode 100644
index 000000000..e6664a317
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts
@@ -0,0 +1,40 @@
+import { useMutation } from '@tanstack/react-query';
+
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import {
+  queryClient,
+  withGlobalError,
+  withInvalidate,
+} from '@/react-tools/react-query';
+import { queryKeys } from '@/react/kubernetes/applications/queries/query-keys';
+
+import { InstallChartPayload } from '../../types';
+
+async function installHelmChart(
+  payload: InstallChartPayload,
+  environmentId: EnvironmentId
+) {
+  try {
+    const response = await axios.post(
+      `endpoints/${environmentId}/kubernetes/helm`,
+      payload
+    );
+    return response.data;
+  } catch (err) {
+    throw parseAxiosError(err as Error, 'Installation error');
+  }
+}
+
+export function useHelmChartInstall() {
+  const environmentId = useEnvironmentId();
+
+  return useMutation(
+    (values: InstallChartPayload) => installHelmChart(values, environmentId),
+    {
+      ...withGlobalError('Unable to install Helm chart'),
+      ...withInvalidate(queryClient, [queryKeys.applications(environmentId)]),
+    }
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts
new file mode 100644
index 000000000..60791fe59
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts
@@ -0,0 +1,79 @@
+import { useQuery } from '@tanstack/react-query';
+import { compact } from 'lodash';
+
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { withGlobalError } from '@/react-tools/react-query';
+
+import {
+  Chart,
+  HelmChartsResponse,
+  HelmRepositoriesResponse,
+} from '../../types';
+
+async function getHelmRepositories(userId: number): Promise<string[]> {
+  try {
+    const response = await axios.get<HelmRepositoriesResponse>(
+      `users/${userId}/helm/repositories`
+    );
+    const { GlobalRepository, UserRepositories } = response.data;
+
+    // Extract URLs from user repositories
+    const userHelmReposUrls = UserRepositories.map((repo) => repo.URL);
+
+    // Combine global and user repositories, remove duplicates and empty values
+    const uniqueHelmRepos = [
+      ...new Set([GlobalRepository, ...userHelmReposUrls]),
+    ]
+      .map((url) => url.toLowerCase())
+      .filter((url) => url);
+
+    return uniqueHelmRepos;
+  } catch (err) {
+    throw parseAxiosError(err, 'Failed to fetch Helm repositories');
+  }
+}
+
+async function getChartsFromRepo(repo: string): Promise<Chart[]> {
+  try {
+    // Construct the URL with required repo parameter
+    const response = await axios.get<HelmChartsResponse>('templates/helm', {
+      params: { repo },
+    });
+
+    return compact(
+      Object.values(response.data.entries).map((versions) =>
+        versions[0] ? { ...versions[0], repo } : null
+      )
+    );
+  } catch (error) {
+    // Ignore errors from chart repositories as some may error but others may not
+    return [];
+  }
+}
+
+async function getCharts(userId: number): Promise<Chart[]> {
+  try {
+    // First, get all the helm repositories
+    const repos = await getHelmRepositories(userId);
+
+    // Then fetch charts from each repository in parallel
+    const chartsPromises = repos.map((repo) => getChartsFromRepo(repo));
+    const chartsArrays = await Promise.all(chartsPromises);
+
+    // Flatten the arrays of charts into a single array
+    return chartsArrays.flat();
+  } catch (err) {
+    throw parseAxiosError(err, 'Failed to fetch Helm charts');
+  }
+}
+
+/**
+ * React hook to fetch helm charts from all accessible repositories
+ * @param userId User ID
+ */
+export function useHelmChartList(userId: number) {
+  return useQuery([userId, 'helm-charts'], () => getCharts(userId), {
+    enabled: !!userId,
+    ...withGlobalError('Unable to retrieve Helm charts'),
+  });
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartValues.ts b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartValues.ts
new file mode 100644
index 000000000..29ec6e45a
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartValues.ts
@@ -0,0 +1,32 @@
+import { useQuery } from '@tanstack/react-query';
+
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { withGlobalError } from '@/react-tools/react-query';
+
+import { Chart } from '../../types';
+
+async function getHelmChartValues(chart: string, repo: string) {
+  try {
+    const response = await axios.get<string>(`/templates/helm/values`, {
+      params: {
+        repo,
+        chart,
+      },
+    });
+    return response.data;
+  } catch (err) {
+    throw parseAxiosError(err as Error, 'Unable to get Helm chart values');
+  }
+}
+
+export function useHelmChartValues(chart: Chart) {
+  return useQuery({
+    queryKey: ['helm-chart-values', chart.repo, chart.name],
+    queryFn: () => getHelmChartValues(chart.name, chart.repo),
+    enabled: !!chart.name,
+    select: (data) => ({
+      values: data,
+    }),
+    ...withGlobalError('Unable to get Helm chart values'),
+  });
+}
diff --git a/app/react/kubernetes/helm/types.ts b/app/react/kubernetes/helm/types.ts
new file mode 100644
index 000000000..8b043a080
--- /dev/null
+++ b/app/react/kubernetes/helm/types.ts
@@ -0,0 +1,37 @@
+export interface Chart extends HelmChartResponse {
+  repo: string;
+}
+
+export interface HelmChartResponse {
+  name: string;
+  description: string;
+  icon?: string;
+  annotations?: {
+    category?: string;
+  };
+}
+
+export interface HelmRepositoryResponse {
+  Id: number;
+  UserId: number;
+  URL: string;
+}
+
+export interface HelmRepositoriesResponse {
+  GlobalRepository: string;
+  UserRepositories: HelmRepositoryResponse[];
+}
+
+export interface HelmChartsResponse {
+  entries: Record<string, HelmChartResponse[]>;
+  apiVersion: string;
+  generated: string;
+}
+
+export type InstallChartPayload = {
+  Name: string;
+  Repo: string;
+  Chart: string;
+  Values: string;
+  Namespace: string;
+};
diff --git a/vitest.config.mts b/vitest.config.mts
index eca3b62ed..7c343f6b7 100644
--- a/vitest.config.mts
+++ b/vitest.config.mts
@@ -24,6 +24,9 @@ export default defineConfig({
     env: {
       PORTAINER_EDITION: 'CE',
     },
+    deps: {
+      inline: [/@radix-ui/, /codemirror-json-schema/], // https://github.com/radix-ui/primitives/issues/2974#issuecomment-2186808459
+    },
   },
   plugins: [svgr({ include: /\?c$/ }), tsconfigPaths()],
 });

From 64c796a8c36fc8fddafd9752c1028b1b7223018b Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Tue, 8 Apr 2025 12:52:21 +1200
Subject: [PATCH 081/212] fix(kubernetes): Config maps and secrets show as
 unused BE-11684 (#596)

Co-authored-by: stevensbkang <skan070@gmail.com>
---
 api/http/handler/kubernetes/configmaps.go |   4 +-
 api/http/handler/kubernetes/secrets.go    |   4 +-
 api/kubernetes/cli/applications.go        | 100 +++++++---------------
 api/kubernetes/cli/configmap.go           |  48 +++++------
 api/kubernetes/cli/pod.go                 |  21 +++--
 api/kubernetes/cli/secret.go              |  47 +++++-----
 6 files changed, 91 insertions(+), 133 deletions(-)

diff --git a/api/http/handler/kubernetes/configmaps.go b/api/http/handler/kubernetes/configmaps.go
index 633afe92d..bd10ae15d 100644
--- a/api/http/handler/kubernetes/configmaps.go
+++ b/api/http/handler/kubernetes/configmaps.go
@@ -146,13 +146,11 @@ func (handler *Handler) getAllKubernetesConfigMaps(r *http.Request) ([]models.K8
 	}
 
 	if isUsed {
-		configMapsWithApplications, err := cli.CombineConfigMapsWithApplications(configMaps)
+		err = cli.SetConfigMapsIsUsed(&configMaps)
 		if err != nil {
 			log.Error().Err(err).Str("context", "getAllKubernetesConfigMaps").Msg("Unable to combine configMaps with associated applications")
 			return nil, httperror.InternalServerError("Unable to combine configMaps with associated applications", err)
 		}
-
-		return configMapsWithApplications, nil
 	}
 
 	return configMaps, nil
diff --git a/api/http/handler/kubernetes/secrets.go b/api/http/handler/kubernetes/secrets.go
index 1375e9e6b..782e6107e 100644
--- a/api/http/handler/kubernetes/secrets.go
+++ b/api/http/handler/kubernetes/secrets.go
@@ -130,13 +130,11 @@ func (handler *Handler) getAllKubernetesSecrets(r *http.Request) ([]models.K8sSe
 	}
 
 	if isUsed {
-		secretsWithApplications, err := cli.CombineSecretsWithApplications(secrets)
+		err = cli.SetSecretsIsUsed(&secrets)
 		if err != nil {
 			log.Error().Err(err).Str("context", "GetAllKubernetesSecrets").Msg("Unable to combine secrets with associated applications")
 			return nil, httperror.InternalServerError("unable to combine secrets with associated applications. Error: ", err)
 		}
-
-		return secretsWithApplications, nil
 	}
 
 	return secrets, nil
diff --git a/api/kubernetes/cli/applications.go b/api/kubernetes/cli/applications.go
index c08329a7b..8dd4d72b2 100644
--- a/api/kubernetes/cli/applications.go
+++ b/api/kubernetes/cli/applications.go
@@ -153,46 +153,6 @@ func (kcl *KubeClient) GetApplicationsResource(namespace, node string) (models.K
 	return resource, nil
 }
 
-// GetApplicationsFromConfigMap gets a list of applications that use a specific ConfigMap
-// by checking all pods in the same namespace as the ConfigMap
-func (kcl *KubeClient) GetApplicationNamesFromConfigMap(configMap models.K8sConfigMap, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]string, error) {
-	applications := []string{}
-	for _, pod := range pods {
-		if pod.Namespace == configMap.Namespace {
-			if isPodUsingConfigMap(&pod, configMap.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
-					ReplicaSets: replicaSets,
-				}, false)
-				if err != nil {
-					return nil, err
-				}
-				applications = append(applications, application.Name)
-			}
-		}
-	}
-
-	return applications, nil
-}
-
-func (kcl *KubeClient) GetApplicationNamesFromSecret(secret models.K8sSecret, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]string, error) {
-	applications := []string{}
-	for _, pod := range pods {
-		if pod.Namespace == secret.Namespace {
-			if isPodUsingSecret(&pod, secret.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
-					ReplicaSets: replicaSets,
-				}, false)
-				if err != nil {
-					return nil, err
-				}
-				applications = append(applications, application.Name)
-			}
-		}
-	}
-
-	return applications, nil
-}
-
 // ConvertPodToApplication converts a pod to an application, updating owner references if necessary
 func (kcl *KubeClient) ConvertPodToApplication(pod corev1.Pod, portainerApplicationResources PortainerApplicationResources, withResource bool) (*models.K8sApplication, error) {
 	if isReplicaSetOwner(pod) {
@@ -473,23 +433,23 @@ func (kcl *KubeClient) GetApplicationFromServiceSelector(pods []corev1.Pod, serv
 func (kcl *KubeClient) GetApplicationConfigurationOwnersFromConfigMap(configMap models.K8sConfigMap, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]models.K8sConfigurationOwnerResource, error) {
 	configurationOwners := []models.K8sConfigurationOwnerResource{}
 	for _, pod := range pods {
-		if pod.Namespace == configMap.Namespace {
-			if isPodUsingConfigMap(&pod, configMap.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
-					ReplicaSets: replicaSets,
-				}, false)
-				if err != nil {
-					return nil, err
-				}
+		if isPodUsingConfigMap(&pod, configMap) {
+			kind := "Pod"
+			name := pod.Name
 
-				if application != nil {
-					configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
-						Name:         application.Name,
-						ResourceKind: application.Kind,
-						Id:           application.UID,
-					})
-				}
+			if len(pod.OwnerReferences) > 0 {
+				kind = pod.OwnerReferences[0].Kind
+				name = pod.OwnerReferences[0].Name
 			}
+
+			if isReplicaSetOwner(pod) {
+				updateOwnerReferenceToDeployment(&pod, replicaSets)
+			}
+
+			configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
+				Name:         name,
+				ResourceKind: kind,
+			})
 		}
 	}
 
@@ -501,23 +461,23 @@ func (kcl *KubeClient) GetApplicationConfigurationOwnersFromConfigMap(configMap
 func (kcl *KubeClient) GetApplicationConfigurationOwnersFromSecret(secret models.K8sSecret, pods []corev1.Pod, replicaSets []appsv1.ReplicaSet) ([]models.K8sConfigurationOwnerResource, error) {
 	configurationOwners := []models.K8sConfigurationOwnerResource{}
 	for _, pod := range pods {
-		if pod.Namespace == secret.Namespace {
-			if isPodUsingSecret(&pod, secret.Name) {
-				application, err := kcl.ConvertPodToApplication(pod, PortainerApplicationResources{
-					ReplicaSets: replicaSets,
-				}, false)
-				if err != nil {
-					return nil, err
-				}
+		if isPodUsingSecret(&pod, secret) {
+			kind := "Pod"
+			name := pod.Name
 
-				if application != nil {
-					configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
-						Name:         application.Name,
-						ResourceKind: application.Kind,
-						Id:           application.UID,
-					})
-				}
+			if len(pod.OwnerReferences) > 0 {
+				kind = pod.OwnerReferences[0].Kind
+				name = pod.OwnerReferences[0].Name
 			}
+
+			if isReplicaSetOwner(pod) {
+				updateOwnerReferenceToDeployment(&pod, replicaSets)
+			}
+
+			configurationOwners = append(configurationOwners, models.K8sConfigurationOwnerResource{
+				Name:         name,
+				ResourceKind: kind,
+			})
 		}
 	}
 
diff --git a/api/kubernetes/cli/configmap.go b/api/kubernetes/cli/configmap.go
index eb0eec935..fafa81346 100644
--- a/api/kubernetes/cli/configmap.go
+++ b/api/kubernetes/cli/configmap.go
@@ -7,6 +7,7 @@ import (
 
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/rs/zerolog/log"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -95,35 +96,28 @@ func parseConfigMap(configMap *corev1.ConfigMap, withData bool) models.K8sConfig
 	return result
 }
 
-// CombineConfigMapsWithApplications combines the config maps with the applications that use them.
+// SetConfigMapsIsUsed combines the config maps with the applications that use them.
 // the function fetches all the pods and replica sets in the cluster and checks if the config map is used by any of the pods.
 // if the config map is used by a pod, the application that uses the pod is added to the config map.
 // otherwise, the config map is returned as is.
-func (kcl *KubeClient) CombineConfigMapsWithApplications(configMaps []models.K8sConfigMap) ([]models.K8sConfigMap, error) {
-	updatedConfigMaps := make([]models.K8sConfigMap, len(configMaps))
-
+func (kcl *KubeClient) SetConfigMapsIsUsed(configMaps *[]models.K8sConfigMap) error {
 	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("an error occurred during the CombineConfigMapsWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
+		return fmt.Errorf("an error occurred during the SetConfigMapsIsUsed operation, unable to fetch Portainer application resources. Error: %w", err)
 	}
 
-	for index, configMap := range configMaps {
-		updatedConfigMap := configMap
+	for i := range *configMaps {
+		configMap := &(*configMaps)[i]
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, portainerApplicationResources.Pods, portainerApplicationResources.ReplicaSets)
-		if err != nil {
-			return nil, fmt.Errorf("an error occurred during the CombineConfigMapsWithApplications operation, unable to get applications from config map. Error: %w", err)
+		for _, pod := range portainerApplicationResources.Pods {
+			if isPodUsingConfigMap(&pod, *configMap) {
+				configMap.IsUsed = true
+				break
+			}
 		}
-
-		if len(applicationConfigurationOwners) > 0 {
-			updatedConfigMap.ConfigurationOwnerResources = applicationConfigurationOwners
-			updatedConfigMap.IsUsed = true
-		}
-
-		updatedConfigMaps[index] = updatedConfigMap
 	}
 
-	return updatedConfigMaps, nil
+	return nil
 }
 
 // CombineConfigMapWithApplications combines the config map with the applications that use it.
@@ -141,20 +135,22 @@ func (kcl *KubeClient) CombineConfigMapWithApplications(configMap models.K8sConf
 		break
 	}
 
+	var replicaSets *appsv1.ReplicaSetList
 	if containsReplicaSetOwner {
-		replicaSets, err := kcl.cli.AppsV1().ReplicaSets(configMap.Namespace).List(context.Background(), metav1.ListOptions{})
+		replicaSets, err = kcl.cli.AppsV1().ReplicaSets(configMap.Namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil {
 			return models.K8sConfigMap{}, fmt.Errorf("an error occurred during the CombineConfigMapWithApplications operation, unable to get replica sets. Error: %w", err)
 		}
+	}
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, pods.Items, replicaSets.Items)
-		if err != nil {
-			return models.K8sConfigMap{}, fmt.Errorf("an error occurred during the CombineConfigMapWithApplications operation, unable to get applications from config map. Error: %w", err)
-		}
+	applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromConfigMap(configMap, pods.Items, replicaSets.Items)
+	if err != nil {
+		return models.K8sConfigMap{}, fmt.Errorf("an error occurred during the CombineConfigMapWithApplications operation, unable to get applications from config map. Error: %w", err)
+	}
 
-		if len(applicationConfigurationOwners) > 0 {
-			configMap.ConfigurationOwnerResources = applicationConfigurationOwners
-		}
+	if len(applicationConfigurationOwners) > 0 {
+		configMap.ConfigurationOwnerResources = applicationConfigurationOwners
+		configMap.IsUsed = true
 	}
 
 	return configMap, nil
diff --git a/api/kubernetes/cli/pod.go b/api/kubernetes/cli/pod.go
index bb3e46077..eb8992124 100644
--- a/api/kubernetes/cli/pod.go
+++ b/api/kubernetes/cli/pod.go
@@ -7,6 +7,7 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
 
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
@@ -235,16 +236,20 @@ func (kcl *KubeClient) fetchResourcesWithOwnerReferences(namespace string, podLi
 }
 
 // isPodUsingConfigMap checks if a pod is using a specific ConfigMap
-func isPodUsingConfigMap(pod *corev1.Pod, configMapName string) bool {
+func isPodUsingConfigMap(pod *corev1.Pod, configMap models.K8sConfigMap) bool {
+	if pod.Namespace != configMap.Namespace {
+		return false
+	}
+
 	for _, volume := range pod.Spec.Volumes {
-		if volume.ConfigMap != nil && volume.ConfigMap.Name == configMapName {
+		if volume.ConfigMap != nil && volume.ConfigMap.Name == configMap.Name {
 			return true
 		}
 	}
 
 	for _, container := range pod.Spec.Containers {
 		for _, env := range container.Env {
-			if env.ValueFrom != nil && env.ValueFrom.ConfigMapKeyRef != nil && env.ValueFrom.ConfigMapKeyRef.Name == configMapName {
+			if env.ValueFrom != nil && env.ValueFrom.ConfigMapKeyRef != nil && env.ValueFrom.ConfigMapKeyRef.Name == configMap.Name {
 				return true
 			}
 		}
@@ -254,16 +259,20 @@ func isPodUsingConfigMap(pod *corev1.Pod, configMapName string) bool {
 }
 
 // isPodUsingSecret checks if a pod is using a specific Secret
-func isPodUsingSecret(pod *corev1.Pod, secretName string) bool {
+func isPodUsingSecret(pod *corev1.Pod, secret models.K8sSecret) bool {
+	if pod.Namespace != secret.Namespace {
+		return false
+	}
+
 	for _, volume := range pod.Spec.Volumes {
-		if volume.Secret != nil && volume.Secret.SecretName == secretName {
+		if volume.Secret != nil && volume.Secret.SecretName == secret.Name {
 			return true
 		}
 	}
 
 	for _, container := range pod.Spec.Containers {
 		for _, env := range container.Env {
-			if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil && env.ValueFrom.SecretKeyRef.Name == secretName {
+			if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil && env.ValueFrom.SecretKeyRef.Name == secret.Name {
 				return true
 			}
 		}
diff --git a/api/kubernetes/cli/secret.go b/api/kubernetes/cli/secret.go
index 5b7bf4fef..5bcd386cb 100644
--- a/api/kubernetes/cli/secret.go
+++ b/api/kubernetes/cli/secret.go
@@ -8,6 +8,7 @@ import (
 
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/rs/zerolog/log"
+	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -111,34 +112,28 @@ func parseSecret(secret *corev1.Secret, withData bool) models.K8sSecret {
 	return result
 }
 
-// CombineSecretsWithApplications combines the secrets with the applications that use them.
+// SetSecretsIsUsed combines the secrets with the applications that use them.
 // the function fetches all the pods and replica sets in the cluster and checks if the secret is used by any of the pods.
 // if the secret is used by a pod, the application that uses the pod is added to the secret.
 // otherwise, the secret is returned as is.
-func (kcl *KubeClient) CombineSecretsWithApplications(secrets []models.K8sSecret) ([]models.K8sSecret, error) {
-	updatedSecrets := make([]models.K8sSecret, len(secrets))
-
+func (kcl *KubeClient) SetSecretsIsUsed(secrets *[]models.K8sSecret) error {
 	portainerApplicationResources, err := kcl.fetchAllApplicationsListResources("", metav1.ListOptions{})
 	if err != nil {
-		return nil, fmt.Errorf("an error occurred during the CombineSecretsWithApplications operation, unable to fetch pods and replica sets. Error: %w", err)
+		return fmt.Errorf("an error occurred during the SetSecretsIsUsed operation, unable to fetch Portainer application resources. Error: %w", err)
 	}
 
-	for index, secret := range secrets {
-		updatedSecret := secret
+	for i := range *secrets {
+		secret := &(*secrets)[i]
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, portainerApplicationResources.Pods, portainerApplicationResources.ReplicaSets)
-		if err != nil {
-			return nil, fmt.Errorf("an error occurred during the CombineSecretsWithApplications operation, unable to get applications from secret. Error: %w", err)
+		for _, pod := range portainerApplicationResources.Pods {
+			if isPodUsingSecret(&pod, *secret) {
+				secret.IsUsed = true
+				break
+			}
 		}
-
-		if len(applicationConfigurationOwners) > 0 {
-			updatedSecret.ConfigurationOwnerResources = applicationConfigurationOwners
-		}
-
-		updatedSecrets[index] = updatedSecret
 	}
 
-	return updatedSecrets, nil
+	return nil
 }
 
 // CombineSecretWithApplications combines the secret with the applications that use it.
@@ -156,20 +151,22 @@ func (kcl *KubeClient) CombineSecretWithApplications(secret models.K8sSecret) (m
 		break
 	}
 
+	var replicaSets *appsv1.ReplicaSetList
 	if containsReplicaSetOwner {
-		replicaSets, err := kcl.cli.AppsV1().ReplicaSets(secret.Namespace).List(context.Background(), metav1.ListOptions{})
+		replicaSets, err = kcl.cli.AppsV1().ReplicaSets(secret.Namespace).List(context.Background(), metav1.ListOptions{})
 		if err != nil {
 			return models.K8sSecret{}, fmt.Errorf("an error occurred during the CombineSecretWithApplications operation, unable to get replica sets. Error: %w", err)
 		}
+	}
 
-		applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, pods.Items, replicaSets.Items)
-		if err != nil {
-			return models.K8sSecret{}, fmt.Errorf("an error occurred during the CombineSecretWithApplications operation, unable to get applications from secret. Error: %w", err)
-		}
+	applicationConfigurationOwners, err := kcl.GetApplicationConfigurationOwnersFromSecret(secret, pods.Items, replicaSets.Items)
+	if err != nil {
+		return models.K8sSecret{}, fmt.Errorf("an error occurred during the CombineSecretWithApplications operation, unable to get applications from secret. Error: %w", err)
+	}
 
-		if len(applicationConfigurationOwners) > 0 {
-			secret.ConfigurationOwnerResources = applicationConfigurationOwners
-		}
+	if len(applicationConfigurationOwners) > 0 {
+		secret.ConfigurationOwnerResources = applicationConfigurationOwners
+		secret.IsUsed = true
 	}
 
 	return secret, nil

From 46eddbe7b968e7a3b9657b89c89578d1daf373b3 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Wed, 9 Apr 2025 09:09:07 +1200
Subject: [PATCH 082/212] fix(UI): Make sure localStorage.getUserId actually
 returns user id R8S-290 (#623)

---
 app/portainer/services/localStorage.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/portainer/services/localStorage.js b/app/portainer/services/localStorage.js
index d00150d6c..038c75244 100644
--- a/app/portainer/services/localStorage.js
+++ b/app/portainer/services/localStorage.js
@@ -30,7 +30,7 @@ angular.module('portainer.app').factory('LocalStorage', [
         return localStorageService.get('UI_STATE');
       },
       getUserId() {
-        localStorageService.get('USER_ID');
+        return localStorageService.get('USER_ID');
       },
       storeUserId: function (userId) {
         localStorageService.set('USER_ID', userId);

From 0ca9321db1b73b52a5197bb856d53c62376a5e92 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Thu, 10 Apr 2025 16:08:24 +1200
Subject: [PATCH 083/212] feat(helm): update helm view [r8s-256] (#582)

Co-authored-by: Cara Ryan <cara.ryan@portainer.io>
Co-authored-by: James Player <james.player@portainer.io>
Co-authored-by: stevensbkang <skan070@gmail.com>
---
 api/http/handler/helm/handler.go              |   8 +
 api/http/handler/helm/helm_get.go             |  67 ++++
 api/http/handler/helm/helm_get_test.go        |  66 ++++
 api/http/handler/helm/helm_history.go         |  58 ++++
 api/http/handler/helm/helm_history_test.go    |  67 ++++
 api/http/handler/kubernetes/describe.go       |  73 +++++
 api/http/handler/kubernetes/handler.go        |  35 +++
 app/react/components/CodeEditor.tsx           |   4 +-
 app/react/components/NavTabs/index.ts         |   1 +
 app/react/components/StatusBadge.tsx          |  61 +++-
 app/react/components/datatables/Datatable.tsx |   3 +
 .../components/datatables/DatatableHeader.tsx |   8 +-
 app/react/components/modals/Modal/Modal.tsx   |  12 +-
 app/react/kubernetes/HelmView/.keep           |   0
 .../HelmApplicationView.test.tsx              | 122 +++++---
 .../HelmApplicationView.tsx                   |  64 +++-
 .../HelmApplicationView/HelmDetailsWidget.tsx |  67 ----
 .../helm/HelmApplicationView/HelmSummary.tsx  | 111 +++++++
 .../ReleaseDetails/ManifestDetails.tsx        |  18 ++
 .../ReleaseDetails/NotesDetails.tsx           |   9 +
 .../ReleaseDetails/ReleaseTabs.tsx            |  68 ++++
 .../ResourcesTable/DescribeModal.test.tsx     | 123 ++++++++
 .../ResourcesTable/DescribeModal.tsx          |  57 ++++
 .../ResourcesTable/ResourcesTable.test.tsx    | 148 +++++++++
 .../ResourcesTable/ResourcesTable.tsx         |  38 +++
 .../ResourcesTable/columns/actions.tsx        |  46 +++
 .../ResourcesTable/columns/helper.ts          |   5 +
 .../ResourcesTable/columns/index.ts           |   7 +
 .../ResourcesTable/columns/name.tsx           |  33 ++
 .../ResourcesTable/columns/resourceType.tsx   |   6 +
 .../ResourcesTable/columns/status.tsx         |  18 ++
 .../ResourcesTable/columns/statusMessage.tsx  |  11 +
 .../queries/useDescribeResource.ts            |  62 ++++
 .../ReleaseDetails/ResourcesTable/types.ts    |  27 ++
 .../ResourcesTable/useResourceRows.ts         |  93 ++++++
 .../ReleaseDetails/ValuesDetails.tsx          |  44 +++
 .../queries/useHelmRelease.ts                 |  81 ++---
 app/react/kubernetes/helm/types.ts            |  76 +++++
 go.mod                                        |   7 +-
 go.sum                                        |   4 +
 package.json                                  |   1 +
 pkg/libhelm/options/get_options.go            |  20 +-
 pkg/libhelm/options/history_options.go        |   9 +
 pkg/libhelm/release/release.go                |  18 +-
 pkg/libhelm/sdk/get.go                        | 100 ++++++
 pkg/libhelm/sdk/get_test.go                   |  39 +++
 pkg/libhelm/sdk/history.go                    |  68 ++++
 pkg/libhelm/sdk/history_test.go               |  33 ++
 pkg/libhelm/sdk/resources.go                  | 291 ++++++++++++++++++
 pkg/libhelm/sdk/resources_test.go             | 143 +++++++++
 pkg/libhelm/sdk/values.go                     |  76 +++++
 pkg/libhelm/test/mock.go                      |  40 +--
 pkg/libhelm/types/types.go                    |   2 +
 pkg/libkubectl/client.go                      |  63 ++++
 pkg/libkubectl/client_test.go                 | 101 ++++++
 pkg/libkubectl/describe.go                    |  40 +++
 yarn.lock                                     |   5 +
 57 files changed, 2635 insertions(+), 222 deletions(-)
 create mode 100644 api/http/handler/helm/helm_get.go
 create mode 100644 api/http/handler/helm/helm_get_test.go
 create mode 100644 api/http/handler/helm/helm_history.go
 create mode 100644 api/http/handler/helm/helm_history_test.go
 create mode 100644 api/http/handler/kubernetes/describe.go
 delete mode 100644 app/react/kubernetes/HelmView/.keep
 delete mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/actions.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/helper.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/index.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/statusMessage.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/queries/useDescribeResource.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/types.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx
 create mode 100644 pkg/libhelm/options/history_options.go
 create mode 100644 pkg/libhelm/sdk/get.go
 create mode 100644 pkg/libhelm/sdk/get_test.go
 create mode 100644 pkg/libhelm/sdk/history.go
 create mode 100644 pkg/libhelm/sdk/history_test.go
 create mode 100644 pkg/libhelm/sdk/resources.go
 create mode 100644 pkg/libhelm/sdk/resources_test.go
 create mode 100644 pkg/libkubectl/client.go
 create mode 100644 pkg/libkubectl/client_test.go
 create mode 100644 pkg/libkubectl/describe.go

diff --git a/api/http/handler/helm/handler.go b/api/http/handler/helm/handler.go
index b776fe168..e87e98410 100644
--- a/api/http/handler/helm/handler.go
+++ b/api/http/handler/helm/handler.go
@@ -54,6 +54,14 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	h.Handle("/{id}/kubernetes/helm",
 		httperror.LoggerHandler(h.helmInstall)).Methods(http.MethodPost)
 
+	// `helm get all [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}",
+		httperror.LoggerHandler(h.helmGet)).Methods(http.MethodGet)
+
+	// `helm history [RELEASE_NAME]`
+	h.Handle("/{id}/kubernetes/helm/{release}/history",
+		httperror.LoggerHandler(h.helmGetHistory)).Methods(http.MethodGet)
+
 	return h
 }
 
diff --git a/api/http/handler/helm/helm_get.go b/api/http/handler/helm/helm_get.go
new file mode 100644
index 000000000..bd8ea3e60
--- /dev/null
+++ b/api/http/handler/helm/helm_get.go
@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGet
+// @summary Get a helm release
+// @description Get details of a helm release by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @param showResources query boolean false "show resources of the release"
+// @param revision query int false "specify an optional revision"
+// @success 200 {object} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the release."
+// @router /endpoints/{id}/kubernetes/helm/{name} [get]
+func (handler *Handler) helmGet(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	// build the get options
+	getOpts := options.GetOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	// optional namespace.  The library defaults to "default"
+	if namespace != "" {
+		getOpts.Namespace = namespace
+	}
+	showResources, _ := request.RetrieveBooleanQueryParameter(r, "showResources", true)
+	getOpts.ShowResources = showResources
+	revision, _ := request.RetrieveNumericQueryParameter(r, "revision", true)
+	// optional revision.  The library defaults to the latest revision if not specified
+	if revision > 0 {
+		getOpts.Revision = revision
+	}
+
+	releases, err := handler.helmPackageManager.Get(getOpts)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}
diff --git a/api/http/handler/helm/helm_get_test.go b/api/http/handler/helm/helm_get_test.go
new file mode 100644
index 000000000..2dad6ef59
--- /dev/null
+++ b/api/http/handler/helm/helm_get_test.go
@@ -0,0 +1,66 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGet(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGet sucessfuly retrieves helm release", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal("nginx-1", data.Name)
+	})
+}
diff --git a/api/http/handler/helm/helm_history.go b/api/http/handler/helm/helm_history.go
new file mode 100644
index 000000000..68169bcd4
--- /dev/null
+++ b/api/http/handler/helm/helm_history.go
@@ -0,0 +1,58 @@
+package helm
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmGetHistory
+// @summary Get a historical list of releases
+// @description Get a historical list of releases by release name
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param name path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @success 200 {array} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve the historical list of releases."
+// @router /endpoints/{id}/kubernetes/helm/{release}/history [get]
+func (handler *Handler) helmGetHistory(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	historyOptions := options.HistoryOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+	}
+
+	// optional namespace.  The library defaults to "default"
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	if namespace != "" {
+		historyOptions.Namespace = namespace
+	}
+
+	releases, err := handler.helmPackageManager.GetHistory(historyOptions)
+	if err != nil {
+		return httperror.InternalServerError("Helm returned an error", err)
+	}
+
+	return response.JSON(w, releases)
+}
diff --git a/api/http/handler/helm/helm_history_test.go b/api/http/handler/helm/helm_history_test.go
new file mode 100644
index 000000000..10fadfb1f
--- /dev/null
+++ b/api/http/handler/helm/helm_history_test.go
@@ -0,0 +1,67 @@
+package helm
+
+import (
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/exec/exectest"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	helper "github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_helmGetHistory(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{ID: 1})
+	is.NoError(err, "Error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "Error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	kubernetesDeployer := exectest.NewKubernetesDeployer()
+	helmPackageManager := test.NewMockHelmPackageManager()
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+	h := NewHandler(helper.NewTestRequestBouncer(), store, jwtService, kubernetesDeployer, helmPackageManager, kubeClusterAccessService)
+
+	is.NotNil(h, "Handler should not fail")
+
+	// Install a single chart, to be retrieved by the handler
+	options := options.InstallOptions{Name: "nginx-1", Chart: "nginx", Namespace: "default"}
+	h.helmPackageManager.Upgrade(options)
+
+	t.Run("helmGetHistory sucessfuly retrieves helm release history", func(t *testing.T) {
+		req := httptest.NewRequest(http.MethodGet, "/1/kubernetes/helm/"+options.Name+"/history?namespace="+options.Namespace, nil)
+		ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+		req = req.WithContext(ctx)
+		testhelpers.AddTestSecurityCookie(req, "Bearer dummytoken")
+
+		rr := httptest.NewRecorder()
+		h.ServeHTTP(rr, req)
+
+		data := []release.Release{}
+		body, err := io.ReadAll(rr.Body)
+		is.NoError(err, "ReadAll should not return error")
+		json.Unmarshal(body, &data)
+		is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+		is.Equal(1, len(data))
+		is.Equal("nginx-1", data[0].Name)
+	})
+}
diff --git a/api/http/handler/kubernetes/describe.go b/api/http/handler/kubernetes/describe.go
new file mode 100644
index 000000000..ce8f17418
--- /dev/null
+++ b/api/http/handler/kubernetes/describe.go
@@ -0,0 +1,73 @@
+package kubernetes
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/libkubectl"
+	"github.com/rs/zerolog/log"
+)
+
+type describeResourceResponse struct {
+	Describe string `json:"describe"`
+}
+
+// @id DescribeResource
+// @summary Get a description of a kubernetes resource
+// @description Get a description of a kubernetes resource.
+// @description **Access policy**: Authenticated user.
+// @tags kubernetes
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment identifier"
+// @param name query string true "Resource name"
+// @param kind query string true "Resource kind"
+// @param namespace query string false "Namespace"
+// @success 200 {object} describeResourceResponse "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier."
+// @failure 500 "Server error occurred while attempting to retrieve resource description"
+// @router /kubernetes/{id}/describe [get]
+func (handler *Handler) describeResource(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	name, err := request.RetrieveQueryParameter(r, "name", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter name")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter name. Error: ", err)
+	}
+
+	kind, err := request.RetrieveQueryParameter(r, "kind", false)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter kind")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter kind. Error: ", err)
+	}
+
+	namespace, err := request.RetrieveQueryParameter(r, "namespace", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Invalid query parameter namespace")
+		return httperror.BadRequest("an error occurred during the describeResource operation, invalid query parameter namespace. Error: ", err)
+	}
+
+	// fetches the token and the correct server URL for the endpoint, similar to getHelmClusterAccess
+	libKubectlAccess, err := handler.getLibKubectlAccess(r)
+	if err != nil {
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to get libKubectlAccess. Error: ", err)
+	}
+
+	client, err := libkubectl.NewClient(libKubectlAccess, namespace, "", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to create kubernetes client")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to create kubernetes client. Error: ", err)
+	}
+
+	out, err := client.Describe(namespace, name, kind)
+	if err != nil {
+		log.Error().Err(err).Str("context", "describeResource").Msg("Failed to describe kubernetes resource")
+		return httperror.InternalServerError("an error occurred during the describeResource operation, failed to describe kubernetes resource. Error: ", err)
+	}
+
+	return response.JSON(w, describeResourceResponse{Describe: out})
+}
diff --git a/api/http/handler/kubernetes/handler.go b/api/http/handler/kubernetes/handler.go
index a47bd6ed9..cc068e4a4 100644
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libkubectl"
 	"github.com/rs/zerolog/log"
 
 	"github.com/gorilla/mux"
@@ -102,6 +103,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	endpointRouter.Handle("/cluster_roles/delete", httperror.LoggerHandler(h.deleteClusterRoles)).Methods(http.MethodPost)
 	endpointRouter.Handle("/cluster_role_bindings", httperror.LoggerHandler(h.getAllKubernetesClusterRoleBindings)).Methods(http.MethodGet)
 	endpointRouter.Handle("/cluster_role_bindings/delete", httperror.LoggerHandler(h.deleteClusterRoleBindings)).Methods(http.MethodPost)
+	endpointRouter.Handle("/describe", httperror.LoggerHandler(h.describeResource)).Methods(http.MethodGet)
 
 	// namespaces
 	// in the future this piece of code might be in another package (or a few different packages - namespaces/namespace?)
@@ -269,3 +271,36 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func (handler *Handler) getLibKubectlAccess(r *http.Request) (*libkubectl.ClientAccess, error) {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve user authentication token", err)
+	}
+
+	bearerToken, _, err := handler.JwtService.GenerateToken(tokenData)
+	if err != nil {
+		return nil, httperror.Unauthorized("Unauthorized", err)
+	}
+
+	endpoint, err := middlewares.FetchEndpoint(r)
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to find the Kubernetes endpoint associated to the request.", err)
+	}
+
+	sslSettings, err := handler.DataStore.SSLSettings().Settings()
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve settings from the database", err)
+	}
+
+	hostURL := "localhost"
+	if !sslSettings.SelfSigned {
+		hostURL = r.Host
+	}
+
+	kubeConfigInternal := handler.kubeClusterAccessService.GetClusterDetails(hostURL, endpoint.ID, true)
+	return &libkubectl.ClientAccess{
+		Token:     bearerToken,
+		ServerUrl: kubeConfigInternal.ClusterServerURL,
+	}, nil
+}
diff --git a/app/react/components/CodeEditor.tsx b/app/react/components/CodeEditor.tsx
index 206f7fc5b..09cc9591a 100644
--- a/app/react/components/CodeEditor.tsx
+++ b/app/react/components/CodeEditor.tsx
@@ -36,7 +36,7 @@ interface Props extends AutomationTestingProps {
   placeholder?: string;
   type?: Type;
   readonly?: boolean;
-  onChange: (value: string) => void;
+  onChange?: (value: string) => void;
   value: string;
   height?: string;
   versions?: number[];
@@ -136,7 +136,7 @@ function schemaValidationExtensions(schema: JSONSchema7) {
 
 export function CodeEditor({
   id,
-  onChange,
+  onChange = () => {},
   placeholder,
   readonly,
   value,
diff --git a/app/react/components/NavTabs/index.ts b/app/react/components/NavTabs/index.ts
index 20f2d03a6..cacdb47c6 100644
--- a/app/react/components/NavTabs/index.ts
+++ b/app/react/components/NavTabs/index.ts
@@ -1 +1,2 @@
 export { NavTabs } from './NavTabs';
+export type { Option } from './NavTabs';
diff --git a/app/react/components/StatusBadge.tsx b/app/react/components/StatusBadge.tsx
index 81b03f6ad..688fcd81f 100644
--- a/app/react/components/StatusBadge.tsx
+++ b/app/react/components/StatusBadge.tsx
@@ -3,6 +3,56 @@ import { AriaAttributes, PropsWithChildren } from 'react';
 
 import { Icon, IconProps } from '@@/Icon';
 
+export type StatusBadgeType =
+  | 'success'
+  | 'danger'
+  | 'warning'
+  | 'info'
+  | 'successLite'
+  | 'dangerLite'
+  | 'warningLite'
+  | 'mutedLite'
+  | 'infoLite'
+  | 'default';
+
+const typeClasses: Record<StatusBadgeType, string> = {
+  success: clsx(
+    'text-white bg-success-7',
+    'th-dark:text-white th-dark:bg-success-9'
+  ),
+  warning: clsx(
+    'text-white bg-warning-7',
+    'th-dark:text-white th-dark:bg-warning-9'
+  ),
+  danger: clsx(
+    'text-white bg-error-7',
+    'th-dark:text-white th-dark:bg-error-9'
+  ),
+  info: clsx('text-white bg-blue-7', 'th-dark:text-white th-dark:bg-blue-9'),
+  // the lite classes are a bit lighter in light mode and the same in dark mode
+  successLite: clsx(
+    'text-success-9 bg-success-3',
+    'th-dark:text-white th-dark:bg-success-9'
+  ),
+  warningLite: clsx(
+    'text-warning-9 bg-warning-3',
+    'th-dark:text-white th-dark:bg-warning-9'
+  ),
+  dangerLite: clsx(
+    'text-error-9 bg-error-3',
+    'th-dark:text-white th-dark:bg-error-9'
+  ),
+  mutedLite: clsx(
+    'text-gray-9 bg-gray-3',
+    'th-dark:text-white th-dark:bg-gray-9'
+  ),
+  infoLite: clsx(
+    'text-blue-9 bg-blue-3',
+    'th-dark:text-white th-dark:bg-blue-9'
+  ),
+  default: '',
+};
+
 export function StatusBadge({
   className,
   children,
@@ -12,7 +62,7 @@ export function StatusBadge({
 }: PropsWithChildren<
   {
     className?: string;
-    color?: 'success' | 'danger' | 'warning' | 'info' | 'default';
+    color?: StatusBadgeType;
     icon?: IconProps['icon'];
   } & AriaAttributes
 >) {
@@ -21,13 +71,8 @@ export function StatusBadge({
       className={clsx(
         'inline-flex items-center gap-1 rounded',
         'w-fit px-1.5 py-0.5',
-        'text-sm font-medium text-white',
-        {
-          'bg-success-7 th-dark:bg-success-9': color === 'success',
-          'bg-warning-7 th-dark:bg-warning-9': color === 'warning',
-          'bg-error-7 th-dark:bg-error-9': color === 'danger',
-          'bg-blue-9': color === 'info',
-        },
+        'text-sm font-medium',
+        typeClasses[color],
         className
       )}
       // eslint-disable-next-line react/jsx-props-no-spreading
diff --git a/app/react/components/datatables/Datatable.tsx b/app/react/components/datatables/Datatable.tsx
index 4ca608aa3..2d0b2dfa8 100644
--- a/app/react/components/datatables/Datatable.tsx
+++ b/app/react/components/datatables/Datatable.tsx
@@ -70,6 +70,7 @@ export interface Props<D extends DefaultType> extends AutomationTestingProps {
   getRowCanExpand?(row: Row<D>): boolean;
   noWidget?: boolean;
   extendTableOptions?: (options: TableOptions<D>) => TableOptions<D>;
+  includeSearch?: boolean;
 }
 
 export function Datatable<D extends DefaultType>({
@@ -98,6 +99,7 @@ export function Datatable<D extends DefaultType>({
   totalCount = dataset.length,
   isServerSidePagination = false,
   extendTableOptions = (value) => value,
+  includeSearch,
 }: Props<D> & PaginationProps) {
   const pageCount = useMemo(
     () => Math.ceil(totalCount / settings.pageSize),
@@ -192,6 +194,7 @@ export function Datatable<D extends DefaultType>({
         renderTableActions={() => renderTableActions(selectedItems)}
         renderTableSettings={() => renderTableSettings(tableInstance)}
         data-cy={`${dataCy}-header`}
+        includeSearch={includeSearch}
       />
 
       <DatatableContent<D>
diff --git a/app/react/components/datatables/DatatableHeader.tsx b/app/react/components/datatables/DatatableHeader.tsx
index bba2cf405..810f13c7a 100644
--- a/app/react/components/datatables/DatatableHeader.tsx
+++ b/app/react/components/datatables/DatatableHeader.tsx
@@ -16,6 +16,7 @@ type Props = {
   renderTableActions?(): ReactNode;
   description?: ReactNode;
   titleId?: string;
+  includeSearch?: boolean;
 } & AutomationTestingProps;
 
 export function DatatableHeader({
@@ -28,8 +29,9 @@ export function DatatableHeader({
   description,
   titleId,
   'data-cy': dataCy,
+  includeSearch = !!title,
 }: Props) {
-  if (!title) {
+  if (!title && !includeSearch) {
     return null;
   }
 
@@ -50,12 +52,12 @@ export function DatatableHeader({
   return (
     <Table.Title
       id={titleId}
-      label={title}
+      label={title ?? ''}
       icon={titleIcon}
       description={description}
       data-cy={dataCy}
     >
-      {searchBar}
+      {includeSearch && searchBar}
       {tableActions}
       {tableTitleSettings}
     </Table.Title>
diff --git a/app/react/components/modals/Modal/Modal.tsx b/app/react/components/modals/Modal/Modal.tsx
index 25f5a75aa..1f2cb729b 100644
--- a/app/react/components/modals/Modal/Modal.tsx
+++ b/app/react/components/modals/Modal/Modal.tsx
@@ -47,10 +47,14 @@ export function Modal({
         <DialogContent
           aria-label={ariaLabel}
           aria-labelledby={ariaLabelledBy}
-          className={clsx(styles.modalDialog, 'bg-transparent p-0', {
-            'w-[450px]': size === 'md',
-            'w-[700px]': size === 'lg',
-          })}
+          className={clsx(
+            styles.modalDialog,
+            'max-w-[calc(100vw-2rem)] bg-transparent p-0',
+            {
+              'w-[450px]': size === 'md',
+              'w-[700px]': size === 'lg',
+            }
+          )}
         >
           <div className={clsx(styles.modalContent, 'relative', className)}>
             {children}
diff --git a/app/react/kubernetes/HelmView/.keep b/app/react/kubernetes/HelmView/.keep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
index 63b0468eb..c0e6b8d71 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
@@ -6,6 +6,7 @@ import { server, http } from '@/setup-tests/server';
 import { withTestRouter } from '@/react/test-utils/withRouter';
 import { UserViewModel } from '@/portainer/models/user';
 import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { mockCodeMirror } from '@/setup-tests/mock-codemirror';
 
 import { HelmApplicationView } from './HelmApplicationView';
 
@@ -22,6 +23,41 @@ vi.mock('@/react/hooks/useEnvironmentId', () => ({
   useEnvironmentId: () => mockUseEnvironmentId(),
 }));
 
+mockCodeMirror();
+
+const minimalHelmRelease = {
+  name: 'test-release',
+  version: '1',
+  namespace: 'default',
+  chart: {
+    metadata: {
+      name: 'test-chart',
+      // appVersion: '1.0.0', // can be missing for a minimal release
+      version: '2.2.2',
+    },
+  },
+  info: {
+    status: 'deployed',
+    // notes: 'This is a test note', // can be missing for a minimal release
+  },
+  manifest: 'This is a test manifest',
+};
+
+const helmReleaseWithAdditionalDetails = {
+  ...minimalHelmRelease,
+  info: {
+    ...minimalHelmRelease.info,
+    notes: 'This is a test note',
+  },
+  chart: {
+    ...minimalHelmRelease.chart,
+    metadata: {
+      ...minimalHelmRelease.chart.metadata,
+      appVersion: '1.0.0',
+    },
+  },
+};
+
 function renderComponent() {
   const user = new UserViewModel({ Username: 'user' });
   const Wrapped = withTestQueryProvider(
@@ -40,47 +76,52 @@ describe('HelmApplicationView', () => {
         namespace: 'default',
       },
     });
-
-    // Set up default mock API responses
-    server.use(
-      http.get('/api/endpoints/3/kubernetes/helm', () =>
-        HttpResponse.json([
-          {
-            name: 'test-release',
-            chart: 'test-chart-1.0.0',
-            app_version: '1.0.0',
-          },
-        ])
-      )
-    );
   });
 
-  it('should display helm release details when data is loaded', async () => {
-    renderComponent();
+  it('should display helm release details for minimal release when data is loaded', async () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+
+    server.use(
+      http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
+        HttpResponse.json(minimalHelmRelease)
+      )
+    );
+
+    const { findByText, findAllByText } = renderComponent();
 
     // Check for the page header
-    expect(await screen.findByText('Helm details')).toBeInTheDocument();
+    expect(await findByText('Helm details')).toBeInTheDocument();
 
-    // Check for the release details
-    expect(await screen.findByText('Release')).toBeInTheDocument();
-
-    // Check for the table content
-    expect(await screen.findByText('Name')).toBeInTheDocument();
-    expect(await screen.findByText('Chart')).toBeInTheDocument();
-    expect(await screen.findByText('App version')).toBeInTheDocument();
+    // Check for the badge content
+    expect(await findByText(/Namespace/)).toBeInTheDocument();
+    expect(await findByText(/Chart version:/)).toBeInTheDocument();
+    expect(await findByText(/Chart:/)).toBeInTheDocument();
+    expect(await findByText(/Revision/)).toBeInTheDocument();
 
     // Check for the actual values
-    expect(await screen.findByTestId('k8sAppDetail-appName')).toHaveTextContent(
-      'test-release'
-    );
-    expect(await screen.findByText('test-chart-1.0.0')).toBeInTheDocument();
-    expect(await screen.findByText('1.0.0')).toBeInTheDocument();
+    expect(await findAllByText(/test-release/)).toHaveLength(2); // title and badge
+    expect(await findAllByText(/test-chart/)).toHaveLength(2);
+
+    // There shouldn't be a notes tab when there are no notes
+    expect(screen.queryByText(/Notes/)).not.toBeInTheDocument();
+
+    // There shouldn't be an app version badge when it's missing
+    expect(screen.queryByText(/App version/)).not.toBeInTheDocument();
+
+    // Ensure there are no console errors
+    // eslint-disable-next-line no-console
+    expect(console.error).not.toHaveBeenCalled();
+
+    // Restore console.error
+    vi.spyOn(console, 'error').mockRestore();
   });
 
   it('should display error message when API request fails', async () => {
     // Mock API failure
     server.use(
-      http.get('/api/endpoints/3/kubernetes/helm', () => HttpResponse.error())
+      http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
+        HttpResponse.error()
+      )
     );
 
     // Mock console.error to prevent test output pollution
@@ -97,23 +138,20 @@ describe('HelmApplicationView', () => {
     vi.spyOn(console, 'error').mockRestore();
   });
 
-  it('should display error message when release is not found', async () => {
-    // Mock empty response (no releases found)
+  it('should display additional details when available in helm release', async () => {
     server.use(
-      http.get('/api/endpoints/3/kubernetes/helm', () => HttpResponse.json([]))
+      http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
+        HttpResponse.json(helmReleaseWithAdditionalDetails)
+      )
     );
 
-    // Mock console.error to prevent test output pollution
-    vi.spyOn(console, 'error').mockImplementation(() => {});
+    const { findByText } = renderComponent();
 
-    renderComponent();
+    // Check for the notes tab when notes are available
+    expect(await findByText(/Notes/)).toBeInTheDocument();
 
-    // Wait for the error message to appear
-    expect(
-      await screen.findByText('Failed to load Helm application details')
-    ).toBeInTheDocument();
-
-    // Restore console.error
-    vi.spyOn(console, 'error').mockRestore();
+    // Check for the app version badge when it's available
+    expect(await findByText(/App version/)).toBeInTheDocument();
+    expect(await findByText('1.0.0', { exact: false })).toBeInTheDocument();
   });
 });
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
index fa02574cc..2fc5fb601 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -1,12 +1,21 @@
 import { useCurrentStateAndParams } from '@uirouter/react';
 
+import helm from '@/assets/ico/vendor/helm.svg?c';
 import { PageHeader } from '@/react/components/PageHeader';
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+import { EnvironmentId } from '@/react/portainer/environments/types';
 
-import { HelmDetailsWidget } from './HelmDetailsWidget';
+import { WidgetTitle, WidgetBody, Widget, Loading } from '@@/Widget';
+import { Card } from '@@/Card';
+import { Alert } from '@@/Alert';
+
+import { HelmSummary } from './HelmSummary';
+import { ReleaseTabs } from './ReleaseDetails/ReleaseTabs';
+import { useHelmRelease } from './queries/useHelmRelease';
 
 export function HelmApplicationView() {
+  const environmentId = useEnvironmentId();
   const { params } = useCurrentStateAndParams();
-
   const { name, namespace } = params;
 
   return (
@@ -22,9 +31,58 @@ export function HelmApplicationView() {
 
       <div className="row">
         <div className="col-sm-12">
-          <HelmDetailsWidget name={name} namespace={namespace} />
+          <Widget>
+            {name && <WidgetTitle icon={helm} title={name} />}
+            <WidgetBody className="!pt-1">
+              <HelmDetails
+                name={name}
+                namespace={namespace}
+                environmentId={environmentId}
+              />
+            </WidgetBody>
+          </Widget>
         </div>
       </div>
     </>
   );
 }
+
+type HelmDetailsProps = {
+  name: string;
+  namespace: string;
+  environmentId: EnvironmentId;
+};
+
+function HelmDetails({ name, namespace, environmentId }: HelmDetailsProps) {
+  const {
+    data: release,
+    isInitialLoading,
+    isError,
+  } = useHelmRelease(environmentId, name, namespace, {
+    showResources: true,
+  });
+
+  if (isInitialLoading) {
+    return <Loading />;
+  }
+
+  if (isError) {
+    return (
+      <Alert color="error" title="Failed to load Helm application details" />
+    );
+  }
+
+  if (!release) {
+    return <Alert color="error" title="No Helm application details found" />;
+  }
+
+  return (
+    <>
+      <HelmSummary release={release} />
+      <div className="my-6 h-[1px] w-full bg-gray-5 th-dark:bg-gray-7 th-highcontrast:bg-white" />
+      <Card className="bg-inherit">
+        <ReleaseTabs release={release} />
+      </Card>
+    </>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx
deleted file mode 100644
index 97703e0ff..000000000
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmDetailsWidget.tsx
+++ /dev/null
@@ -1,67 +0,0 @@
-import {
-  Loading,
-  Widget,
-  WidgetBody,
-  WidgetTitle,
-} from '@/react/components/Widget';
-import helm from '@/assets/ico/vendor/helm.svg?c';
-import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
-
-import { Alert } from '@@/Alert';
-
-import { useHelmRelease } from './queries/useHelmRelease';
-
-interface HelmDetailsWidgetProps {
-  name: string;
-  namespace: string;
-}
-
-export function HelmDetailsWidget({ name, namespace }: HelmDetailsWidgetProps) {
-  const environmentId = useEnvironmentId();
-
-  const {
-    data: release,
-    isInitialLoading,
-    isError,
-  } = useHelmRelease(environmentId, name, namespace);
-
-  return (
-    <Widget>
-      <WidgetTitle icon={helm} title="Release" />
-      <WidgetBody>
-        {isInitialLoading && <Loading />}
-
-        {isError && (
-          <Alert
-            color="error"
-            title="Failed to load Helm application details"
-          />
-        )}
-
-        {!isInitialLoading && !isError && release && (
-          <table className="table">
-            <tbody>
-              <tr>
-                <td className="!border-none w-40">Name</td>
-                <td
-                  className="!border-none min-w-[140px]"
-                  data-cy="k8sAppDetail-appName"
-                >
-                  {release.name}
-                </td>
-              </tr>
-              <tr>
-                <td className="!border-t">Chart</td>
-                <td className="!border-t">{release.chart}</td>
-              </tr>
-              <tr>
-                <td>App version</td>
-                <td>{release.app_version}</td>
-              </tr>
-            </tbody>
-          </table>
-        )}
-      </WidgetBody>
-    </Widget>
-  );
-}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx
new file mode 100644
index 000000000..29f9e07d8
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx
@@ -0,0 +1,111 @@
+import { Badge } from '@/react/components/Badge';
+
+import { Alert } from '@@/Alert';
+
+import { HelmRelease } from '../types';
+
+interface Props {
+  release: HelmRelease;
+}
+
+export enum DeploymentStatus {
+  DEPLOYED = 'deployed',
+  FAILED = 'failed',
+  PENDING = 'pending-install',
+  PENDINGUPGRADE = 'pending-upgrade',
+  PENDINGROLLBACK = 'pending-rollback',
+  SUPERSEDED = 'superseded',
+  UNINSTALLED = 'uninstalled',
+  UNINSTALLING = 'uninstalling',
+}
+
+export function HelmSummary({ release }: Props) {
+  const isSuccess =
+    release.info?.status === DeploymentStatus.DEPLOYED ||
+    release.info?.status === DeploymentStatus.SUPERSEDED;
+
+  return (
+    <div>
+      <div className="flex flex-col gap-y-4">
+        <div>
+          <Badge type={getStatusColor(release.info?.status)}>
+            {getText(release.info?.status)}
+          </Badge>
+        </div>
+        <div className="flex flex-wrap gap-2">
+          {!!release.namespace && <Badge>Namespace: {release.namespace}</Badge>}
+          {!!release.version && <Badge>Revision: #{release.version}</Badge>}
+          {!!release.chart?.metadata?.name && (
+            <Badge>Chart: {release.chart.metadata.name}</Badge>
+          )}
+          {!!release.chart?.metadata?.appVersion && (
+            <Badge>App version: {release.chart.metadata.appVersion}</Badge>
+          )}
+          {!!release.chart?.metadata?.version && (
+            <Badge>
+              Chart version: {release.chart.metadata.name}-
+              {release.chart.metadata.version}
+            </Badge>
+          )}
+        </div>
+        {!!release.info?.description && !isSuccess && (
+          <Alert color={getAlertColor(release.info?.status)}>
+            {release.info?.description}
+          </Alert>
+        )}
+      </div>
+    </div>
+  );
+}
+
+function getAlertColor(status?: string) {
+  switch (status?.toLowerCase()) {
+    case DeploymentStatus.DEPLOYED:
+      return 'success';
+    case DeploymentStatus.FAILED:
+      return 'error';
+    case DeploymentStatus.PENDING:
+    case DeploymentStatus.PENDINGUPGRADE:
+    case DeploymentStatus.PENDINGROLLBACK:
+    case DeploymentStatus.UNINSTALLING:
+      return 'warn';
+    case DeploymentStatus.SUPERSEDED:
+    default:
+      return 'info';
+  }
+}
+
+function getStatusColor(status?: string) {
+  switch (status?.toLowerCase()) {
+    case DeploymentStatus.DEPLOYED:
+      return 'success';
+    case DeploymentStatus.FAILED:
+      return 'danger';
+    case DeploymentStatus.PENDING:
+    case DeploymentStatus.PENDINGUPGRADE:
+    case DeploymentStatus.PENDINGROLLBACK:
+    case DeploymentStatus.UNINSTALLING:
+      return 'warn';
+    case DeploymentStatus.SUPERSEDED:
+    default:
+      return 'info';
+  }
+}
+
+function getText(status?: string) {
+  switch (status?.toLowerCase()) {
+    case DeploymentStatus.DEPLOYED:
+      return 'Deployed';
+    case DeploymentStatus.FAILED:
+      return 'Failed';
+    case DeploymentStatus.PENDING:
+    case DeploymentStatus.PENDINGUPGRADE:
+    case DeploymentStatus.PENDINGROLLBACK:
+    case DeploymentStatus.UNINSTALLING:
+      return 'Pending';
+    case DeploymentStatus.SUPERSEDED:
+      return 'Superseded';
+    default:
+      return 'Unknown';
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx
new file mode 100644
index 000000000..c95886d3f
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx
@@ -0,0 +1,18 @@
+import { CodeEditor } from '@@/CodeEditor';
+
+type Props = {
+  manifest: string;
+};
+
+export function ManifestDetails({ manifest }: Props) {
+  return (
+    <CodeEditor
+      id="helm-manifest"
+      type="yaml"
+      data-cy="helm-manifest"
+      value={manifest}
+      height="600px"
+      readonly
+    />
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx
new file mode 100644
index 000000000..74a6135bd
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx
@@ -0,0 +1,9 @@
+import Markdown from 'markdown-to-jsx';
+
+type Props = {
+  notes: string;
+};
+
+export function NotesDetails({ notes }: Props) {
+  return <Markdown className="list-inside mt-6">{notes}</Markdown>;
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
new file mode 100644
index 000000000..6a954d1fc
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
@@ -0,0 +1,68 @@
+import { useState } from 'react';
+import { compact } from 'lodash';
+
+import { NavTabs, Option } from '@@/NavTabs';
+
+import { HelmRelease } from '../../types';
+
+import { ManifestDetails } from './ManifestDetails';
+import { NotesDetails } from './NotesDetails';
+import { ValuesDetails } from './ValuesDetails';
+import { ResourcesTable } from './ResourcesTable/ResourcesTable';
+
+type Props = {
+  release: HelmRelease;
+};
+
+type Tab = 'values' | 'notes' | 'manifest' | 'resources';
+
+function helmTabs(
+  release: HelmRelease,
+  isUserSupplied: boolean,
+  setIsUserSupplied: (isUserSupplied: boolean) => void
+): Option<Tab>[] {
+  return compact([
+    {
+      label: 'Resources',
+      id: 'resources',
+      children: <ResourcesTable resources={release.info?.resources ?? []} />,
+    },
+    {
+      label: 'Values',
+      id: 'values',
+      children: (
+        <ValuesDetails
+          values={release.values}
+          isUserSupplied={isUserSupplied}
+          setIsUserSupplied={setIsUserSupplied}
+        />
+      ),
+    },
+    {
+      label: 'Manifest',
+      id: 'manifest',
+      children: <ManifestDetails manifest={release.manifest} />,
+    },
+    !!release.info?.notes && {
+      label: 'Notes',
+      id: 'notes',
+      children: <NotesDetails notes={release.info.notes} />,
+    },
+  ]);
+}
+
+export function ReleaseTabs({ release }: Props) {
+  const [tab, setTab] = useState<Tab>('resources');
+  // state is here so that the state isn't lost when the tab changes
+  const [isUserSupplied, setIsUserSupplied] = useState(true);
+
+  return (
+    <NavTabs<Tab>
+      onSelect={setTab}
+      selectedId={tab}
+      type="pills"
+      justified
+      options={helmTabs(release, isUserSupplied, setIsUserSupplied)}
+    />
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx
new file mode 100644
index 000000000..a1510aef8
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx
@@ -0,0 +1,123 @@
+import { render, screen } from '@testing-library/react';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+
+import { DescribeModal } from './DescribeModal';
+
+const mockUseDescribeResource = vi.fn();
+
+vi.mock('yaml-schema', () => ({}));
+vi.mock('./queries/useDescribeResource', () => ({
+  useDescribeResource: (...args: unknown[]) => mockUseDescribeResource(...args),
+}));
+
+function renderComponent({
+  name = 'test-resource',
+  resourceType = 'Deployment',
+  namespace = 'default',
+  onDismiss = vi.fn(),
+} = {}) {
+  const Wrapped = withTestQueryProvider(DescribeModal);
+  return render(
+    <Wrapped
+      name={name}
+      resourceType={resourceType}
+      namespace={namespace}
+      onDismiss={onDismiss}
+    />
+  );
+}
+
+describe('DescribeModal', () => {
+  beforeEach(() => {
+    mockUseDescribeResource.mockReset();
+  });
+
+  it('should display loading state initially', () => {
+    mockUseDescribeResource.mockReturnValue({
+      isLoading: true,
+      data: undefined,
+      isError: false,
+    });
+
+    renderComponent();
+    expect(screen.getByText('Loading...')).toBeInTheDocument();
+  });
+
+  it('should display resource details when data is loaded successfully', () => {
+    const mockDescribeData = {
+      describe: 'Name: test-resource\nNamespace: default\nStatus: Running',
+    };
+
+    mockUseDescribeResource.mockReturnValue({
+      isLoading: false,
+      data: mockDescribeData,
+      isError: false,
+    });
+
+    renderComponent();
+
+    // Check for modal title
+    expect(screen.getByText('Describe Deployment')).toBeInTheDocument();
+
+    // Check for content
+    const editor = screen.getByTestId('describe-resource');
+    expect(editor).toBeInTheDocument();
+    expect(editor).toHaveTextContent('Name: test-resource');
+    expect(editor).toHaveTextContent('Namespace: default');
+    expect(editor).toHaveTextContent('Status: Running');
+  });
+
+  it('should display error message when query fails', () => {
+    mockUseDescribeResource.mockReturnValue({
+      isLoading: false,
+      data: undefined,
+      isError: true,
+    });
+
+    renderComponent();
+
+    expect(
+      screen.getByText('Error loading resource details')
+    ).toBeInTheDocument();
+  });
+
+  it('should call onDismiss when modal is closed', () => {
+    mockUseDescribeResource.mockReturnValue({
+      isLoading: false,
+      data: { describe: '' },
+      isError: false,
+    });
+
+    const onDismiss = vi.fn();
+    renderComponent({ onDismiss });
+
+    // Find and click the close button
+    const closeButton = screen.getByText('×');
+    closeButton.click();
+
+    expect(onDismiss).toHaveBeenCalled();
+  });
+
+  it('should pass correct parameters to useDescribeResource', () => {
+    mockUseDescribeResource.mockReturnValue({
+      isLoading: true,
+      data: undefined,
+      isError: false,
+    });
+
+    const props = {
+      name: 'my-resource',
+      resourceType: 'Pod',
+      namespace: 'kube-system',
+    };
+
+    renderComponent(props);
+
+    expect(mockUseDescribeResource).toHaveBeenCalledWith(
+      props.name,
+      props.resourceType,
+      props.namespace
+    );
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.tsx
new file mode 100644
index 000000000..f75fbf802
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.tsx
@@ -0,0 +1,57 @@
+import { Alert } from '@@/Alert';
+import { InlineLoader } from '@@/InlineLoader';
+import { Modal } from '@@/modals';
+import { ModalBody } from '@@/modals/Modal/ModalBody';
+import { ModalHeader } from '@@/modals/Modal/ModalHeader';
+import { CodeEditor } from '@@/CodeEditor';
+
+import { useDescribeResource } from './queries/useDescribeResource';
+
+type Props = {
+  name: string;
+  resourceType?: string;
+  namespace?: string;
+  onDismiss: () => void;
+};
+
+export function DescribeModal({
+  name,
+  resourceType,
+  namespace,
+  onDismiss,
+}: Props) {
+  const title = `Describe ${resourceType}`;
+
+  const { data, isLoading, isError } = useDescribeResource(
+    name,
+    resourceType,
+    namespace
+  );
+
+  return (
+    <Modal onDismiss={onDismiss} size="lg" aria-label={title}>
+      <ModalHeader title={title} />
+      <ModalBody>
+        {isLoading ? (
+          <InlineLoader>Loading...</InlineLoader>
+        ) : (
+          <>
+            {isError ? (
+              <Alert color="error" title="Error">
+                Error loading resource details
+              </Alert>
+            ) : (
+              <CodeEditor
+                id="describe-resource"
+                data-cy="describe-resource"
+                readonly
+                value={data?.describe}
+                type="yaml"
+              />
+            )}
+          </>
+        )}
+      </ModalBody>
+    </Modal>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
new file mode 100644
index 000000000..cf0dfde71
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
@@ -0,0 +1,148 @@
+import { render, screen, cleanup } from '@testing-library/react';
+import { describe, it, expect, vi, afterEach } from 'vitest';
+
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+
+import { GenericResource } from '../../../types';
+
+import { ResourcesTable } from './ResourcesTable';
+
+const successResources = [
+  {
+    kind: 'ValidatingWebhookConfiguration',
+    apiVersion: 'admissionregistration.k8s.io/v1',
+    metadata: {
+      name: 'ingress-nginx-1743063493-admission',
+      uid: 'e5388792-c184-479d-9133-390759c4bded',
+      labels: {
+        'app.kubernetes.io/name': 'ingress-nginx',
+      },
+    },
+    status: {
+      healthSummary: {
+        status: 'Healthy',
+        reason: 'Exists',
+      },
+    },
+  },
+  {
+    kind: 'Deployment',
+    apiVersion: 'apps/v1',
+    metadata: {
+      name: 'ingress-nginx-1743063493-controller2',
+      namespace: 'default',
+      uid: 'dcfe325b-7065-47ed-91e3-47f60301cf2e',
+      labels: {
+        'app.kubernetes.io/name': 'ingress-nginx',
+      },
+    },
+    status: {
+      healthSummary: {
+        status: 'Healthy',
+        reason: 'MinimumReplicasAvailable',
+        message: 'Deployment has minimum availability.',
+      },
+    },
+  },
+  {
+    kind: 'Pod',
+    apiVersion: 'v1',
+    metadata: {
+      name: 'ingress-nginx-1743063493-controller2-54d8f7d8c5-lsf9p',
+      generateName: 'ingress-nginx-1743063493-controller2-54d8f7d8c5-',
+      namespace: 'default',
+      uid: '7176ad7c-0f83-4a65-a45e-d40076adc302',
+      labels: {
+        'app.kubernetes.io/name': 'ingress-nginx',
+        'pod-template-hash': '54d8f7d8c5',
+      },
+    },
+    status: {
+      phase: 'Running',
+      healthSummary: {
+        status: 'Unknown',
+        reason: 'Running',
+      },
+      hostIP: '198.19.249.2',
+      startTime: '2025-03-27T20:39:05Z',
+    },
+  },
+];
+const failedResources = [
+  {
+    kind: 'PodDisruptionBudget',
+    metadata: {
+      name: 'probe-failure-nginx-bad',
+      namespace: 'my-namespace',
+      uid: 'e4e15f7a-9a68-448e-86b3-d74ef29c718c',
+      labels: {
+        'app.kubernetes.io/name': 'nginx',
+      },
+    },
+    status: {
+      healthSummary: {
+        status: 'Unhealthy',
+        reason: 'InsufficientPods',
+      },
+    },
+  },
+  {
+    kind: 'Service',
+    apiVersion: 'v1',
+    metadata: {
+      name: 'probe-failure-nginx',
+      namespace: 'my-namespace',
+      uid: 'de9cdffc-6af8-43b2-9750-3ac764b25627',
+      labels: {
+        'app.kubernetes.io/name': 'nginx',
+      },
+    },
+    status: {
+      healthSummary: {
+        status: 'Healthy',
+        reason: 'Exists',
+      },
+    },
+  },
+];
+
+function renderResourcesTable(resources: GenericResource[]) {
+  const Wrapped = withTestQueryProvider(withTestRouter(ResourcesTable));
+  return render(<Wrapped resources={resources} />);
+}
+
+afterEach(() => {
+  cleanup();
+  vi.clearAllMocks();
+});
+
+describe('ResourcesTable', () => {
+  it('should show successful resources, including a link for the deployment and a message', () => {
+    renderResourcesTable(successResources);
+
+    // Check that the deployment is rendered with a link
+    const deploymentLink = screen.getByText(
+      'ingress-nginx-1743063493-controller2'
+    );
+    expect(deploymentLink).toBeInTheDocument();
+    expect(deploymentLink.closest('a')).toHaveTextContent(
+      'ingress-nginx-1743063493-controller2'
+    );
+
+    // Check that success badge is rendered
+    const successBadge = screen.getByText('MinimumReplicasAvailable');
+    expect(successBadge).toBeInTheDocument();
+    expect(successBadge.className).toContain('bg-success');
+  });
+
+  it('should show error badges for failed resources', () => {
+    renderResourcesTable(failedResources);
+    expect(screen.getByText('probe-failure-nginx-bad')).toBeInTheDocument();
+
+    // Check for the unhealthy status badge and make sure it has the error styling
+    const errorBadge = screen.getByText('InsufficientPods');
+    expect(errorBadge).toBeInTheDocument();
+    expect(errorBadge.className).toContain('bg-error');
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
new file mode 100644
index 000000000..c8922ca04
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
@@ -0,0 +1,38 @@
+import { Datatable } from '@@/datatables';
+import { createPersistedStore } from '@@/datatables/types';
+import { useTableState } from '@@/datatables/useTableState';
+import { Widget } from '@@/Widget';
+
+import { GenericResource } from '../../../types';
+
+import { columns } from './columns';
+import { useResourceRows } from './useResourceRows';
+
+type Props = {
+  resources: GenericResource[];
+};
+
+const storageKey = 'helm-resources';
+const settingsStore = createPersistedStore(storageKey, 'resourceType');
+
+export function ResourcesTable({ resources }: Props) {
+  const tableState = useTableState(settingsStore, storageKey);
+  const rows = useResourceRows(resources);
+
+  return (
+    <Widget>
+      <Datatable
+        // no widget to avoid extra padding from app/react/components/datatables/TableContainer.tsx
+        noWidget
+        dataset={rows}
+        columns={columns}
+        includeSearch
+        settingsManager={tableState}
+        emptyContentLabel="No resources found"
+        disableSelect
+        getRowId={(row) => row.id}
+        data-cy="helm-resources-datatable"
+      />
+    </Widget>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/actions.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/actions.tsx
new file mode 100644
index 000000000..434876342
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/actions.tsx
@@ -0,0 +1,46 @@
+import { useState } from 'react';
+import { CellContext } from '@tanstack/react-table';
+import { FileText } from 'lucide-react';
+
+import { Button } from '@@/buttons';
+import { Icon } from '@@/Icon';
+
+import { ResourceRow } from '../types';
+import { DescribeModal } from '../DescribeModal';
+
+import { columnHelper } from './helper';
+
+export const actions = columnHelper.accessor((row) => row.status.label, {
+  header: 'Actions',
+  id: 'actions',
+  cell: Cell,
+  enableSorting: false,
+});
+
+function Cell({ row }: CellContext<ResourceRow, string>) {
+  const { describe } = row.original;
+  const [modalOpen, setModalOpen] = useState(false);
+
+  return (
+    <>
+      <Button
+        color="link"
+        data-cy="helm-resource-describe"
+        onClick={() => setModalOpen(true)}
+        className="pl-0 !ml-0"
+      >
+        <Icon icon={FileText} />
+        Describe
+      </Button>
+
+      {modalOpen && (
+        <DescribeModal
+          name={describe.name}
+          resourceType={describe.resourceType}
+          namespace={describe.namespace}
+          onDismiss={() => setModalOpen(false)}
+        />
+      )}
+    </>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/helper.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/helper.ts
new file mode 100644
index 000000000..4ba26020e
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/helper.ts
@@ -0,0 +1,5 @@
+import { createColumnHelper } from '@tanstack/react-table';
+
+import { ResourceRow } from '../types';
+
+export const columnHelper = createColumnHelper<ResourceRow>();
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/index.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/index.ts
new file mode 100644
index 000000000..3f40e40c7
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/index.ts
@@ -0,0 +1,7 @@
+import { name } from './name';
+import { resourceType } from './resourceType';
+import { status } from './status';
+import { statusMessage } from './statusMessage';
+import { actions } from './actions';
+
+export const columns = [name, resourceType, status, statusMessage, actions];
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx
new file mode 100644
index 000000000..332e49f1c
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx
@@ -0,0 +1,33 @@
+import { CellContext } from '@tanstack/react-table';
+
+import { Link } from '@@/Link';
+
+import { ResourceRow } from '../types';
+
+import { columnHelper } from './helper';
+
+export const name = columnHelper.accessor((row) => row.name.label, {
+  header: 'Name',
+  cell: Cell,
+  id: 'name',
+});
+
+function Cell({ row }: CellContext<ResourceRow, string>) {
+  const { name } = row.original;
+
+  if (name.link && name.link.to) {
+    return (
+      <Link
+        to={name.link.to}
+        params={name.link.params}
+        title={name.label}
+        className="w-fit max-w-xs truncate xl:max-w-sm 2xl:max-w-md"
+        data-cy={`helm-resource-link-${name.label}`}
+      >
+        {name.label}
+      </Link>
+    );
+  }
+
+  return name.label;
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx
new file mode 100644
index 000000000..e1df5ffbb
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx
@@ -0,0 +1,6 @@
+import { columnHelper } from './helper';
+
+export const resourceType = columnHelper.accessor((row) => row.resourceType, {
+  header: 'Resource type',
+  id: 'resourceType',
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
new file mode 100644
index 000000000..b9ff43fff
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
@@ -0,0 +1,18 @@
+import { CellContext } from '@tanstack/react-table';
+
+import { StatusBadge } from '@@/StatusBadge';
+
+import { ResourceRow } from '../types';
+
+import { columnHelper } from './helper';
+
+export const status = columnHelper.accessor((row) => row.status.label, {
+  header: 'Status',
+  id: 'status',
+  cell: Cell,
+});
+
+function Cell({ row }: CellContext<ResourceRow, string>) {
+  const { status } = row.original;
+  return <StatusBadge color={status.type}>{status.label}</StatusBadge>;
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/statusMessage.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/statusMessage.tsx
new file mode 100644
index 000000000..5b5b8135e
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/statusMessage.tsx
@@ -0,0 +1,11 @@
+import { columnHelper } from './helper';
+
+export const statusMessage = columnHelper.accessor((row) => row.statusMessage, {
+  header: 'Status message',
+  id: 'statusMessage',
+  cell: ({ row }) => (
+    <div className="whitespace-pre-wrap">
+      <span>{row.original.statusMessage || '-'}</span>
+    </div>
+  ),
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/queries/useDescribeResource.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/queries/useDescribeResource.ts
new file mode 100644
index 000000000..da09a6224
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/queries/useDescribeResource.ts
@@ -0,0 +1,62 @@
+import { useQuery } from '@tanstack/react-query';
+
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { withGlobalError } from '@/react-tools/react-query';
+
+type DescribeAPIParams = {
+  name: string;
+  kind: string;
+  namespace?: string;
+};
+
+type DescribeResourceResponse = {
+  describe: string;
+};
+
+async function getDescribeResource(
+  environmentId: number,
+  name: string,
+  resourceType?: string,
+  namespace?: string
+) {
+  try {
+    // This should never happen, but to keep the linter happy...
+    if (!name || !resourceType) {
+      throw new Error('Name and kind are required');
+    }
+
+    const params: DescribeAPIParams = {
+      name,
+      namespace,
+      kind: resourceType,
+    };
+
+    const { data } = await axios.get<DescribeResourceResponse>(
+      `kubernetes/${environmentId}/describe`,
+      {
+        params,
+      }
+    );
+    return data;
+  } catch (err) {
+    throw parseAxiosError(err, 'Unable to retrieve resource details');
+  }
+}
+
+export function useDescribeResource(
+  name: string,
+  resourceType?: string,
+  namespace?: string
+) {
+  const environmentId = useEnvironmentId();
+
+  return useQuery(
+    [environmentId, 'kubernetes', 'describe', namespace, resourceType, name],
+    () => getDescribeResource(environmentId, name, resourceType, namespace),
+    {
+      enabled: !!environmentId && !!name && !!resourceType,
+      ...withGlobalError('Enable to retrieve data for resource'),
+    }
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/types.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/types.ts
new file mode 100644
index 000000000..ebc1bc10b
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/types.ts
@@ -0,0 +1,27 @@
+import { StatusBadgeType } from '@@/StatusBadge';
+
+export type ResourceLink = {
+  to?: string;
+  params?: Record<string, string>;
+};
+
+export type ResourceRow = {
+  // for the table row id
+  id: string;
+  // for the table row name (link to resource if available)
+  name: {
+    label: string;
+    link: ResourceLink | null;
+  };
+  resourceType: string;
+  describe: {
+    name: string;
+    resourceType?: string;
+    namespace?: string;
+  };
+  status: {
+    label: string;
+    type: StatusBadgeType;
+  };
+  statusMessage: string;
+};
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
new file mode 100644
index 000000000..e5301dc05
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
@@ -0,0 +1,93 @@
+import { useMemo } from 'react';
+
+import { StatusBadgeType } from '@@/StatusBadge';
+
+import { GenericResource } from '../../../types';
+
+import { ResourceLink, ResourceRow } from './types';
+
+// from defined routes in app/kubernetes/__module.js
+const kindToUrlMap = {
+  Deployment: 'kubernetes.applications.application',
+  DaemonSet: 'kubernetes.applications.application',
+  StatefulSet: 'kubernetes.applications.application',
+  Pod: 'kubernetes.applications.application',
+  Ingress: 'kubernetes.ingresses',
+  ConfigMap: 'kubernetes.configmaps.configmap',
+  Secret: 'kubernetes.secrets.secret',
+  PersistentVolumeClaim: 'kubernetes.volumes.volume',
+};
+
+const statusToColorMap: Record<string, StatusBadgeType> = {
+  Healthy: 'success',
+  Progressing: 'warning',
+  Degraded: 'danger',
+  Failed: 'danger',
+  Unhealthy: 'danger',
+  Unknown: 'mutedLite',
+};
+
+export function useResourceRows(resources: GenericResource[]): ResourceRow[] {
+  return useMemo(() => getResourceRows(resources), [resources]);
+}
+
+function getResourceRows(resources: GenericResource[]): ResourceRow[] {
+  return resources.map(getResourceRow);
+}
+
+function getResourceRow(resource: GenericResource): ResourceRow {
+  const {
+    reason = '',
+    status = '',
+    message = '',
+  } = resource.status.healthSummary || {};
+
+  return {
+    id: `${resource.kind}/${resource.metadata.name}/${resource.metadata.namespace}`,
+    name: {
+      label: resource.metadata.name,
+      link: getResourceLink(resource),
+    },
+    resourceType: resource.kind ?? '-',
+    describe: {
+      name: resource.metadata.name,
+      namespace: resource.metadata.namespace,
+      resourceType: resource.kind,
+    },
+    status: {
+      label: reason ?? 'Unknown',
+      type: statusToColorMap[status] ?? 'default',
+    },
+    statusMessage: message ?? '-',
+  };
+}
+
+function getResourceLink(resource: GenericResource): ResourceLink | null {
+  const { namespace, name } = resource.metadata;
+
+  const to = kindToUrlMap[resource.kind as keyof typeof kindToUrlMap];
+
+  // If the resource kind is not supported, return null
+  if (!to) {
+    return null;
+  }
+
+  // If the resource is not namespaced, return the link to the resource with the name only
+  if (!namespace) {
+    return {
+      to,
+      params: {
+        name,
+      },
+    };
+  }
+
+  // If the resource is namespaced, return the link to the resource with the namespace and name
+  return {
+    to,
+    params: {
+      namespace,
+      name,
+    },
+  };
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx
new file mode 100644
index 000000000..b1f32ca3f
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx
@@ -0,0 +1,44 @@
+import { Checkbox } from '@@/form-components/Checkbox';
+import { CodeEditor } from '@@/CodeEditor';
+
+import { Values } from '../../types';
+
+interface Props {
+  values?: Values;
+  isUserSupplied: boolean;
+  setIsUserSupplied: (isUserSupplied: boolean) => void;
+}
+
+const noValuesMessage = 'No values found';
+
+export function ValuesDetails({
+  values,
+  isUserSupplied,
+  setIsUserSupplied,
+}: Props) {
+  return (
+    <div className="relative">
+      {/* bring in line with the code editor copy button */}
+      <div className="absolute top-1 left-0">
+        <Checkbox
+          label="User defined only"
+          id="values-details-user-supplied"
+          checked={isUserSupplied}
+          onChange={() => setIsUserSupplied(!isUserSupplied)}
+          data-cy="values-details-user-supplied"
+        />
+      </div>
+      <CodeEditor
+        type="yaml"
+        id="values-details-code-editor"
+        data-cy="values-details-code-editor"
+        value={
+          isUserSupplied
+            ? values?.userSuppliedValues ?? noValuesMessage
+            : values?.computedValues ?? noValuesMessage
+        }
+        readonly
+      />
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
index b7cfcb91c..f503aec7f 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
@@ -2,55 +2,33 @@ import { useQuery } from '@tanstack/react-query';
 
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { withGlobalError } from '@/react-tools/react-query';
-import PortainerError from 'Portainer/error';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 
-interface HelmRelease {
-  name: string;
-  chart: string;
-  app_version: string;
-}
-/**
- * List all helm releases based on passed in options
- * @param environmentId - Environment ID
- * @param options - Options for filtering releases
- * @returns List of helm releases
- */
-export async function listReleases(
-  environmentId: EnvironmentId,
-  options: {
-    namespace?: string;
-    filter?: string;
-    selector?: string;
-    output?: string;
-  } = {}
-): Promise<HelmRelease[]> {
-  try {
-    const { namespace, filter, selector, output } = options;
-    const url = `endpoints/${environmentId}/kubernetes/helm`;
-    const { data } = await axios.get<HelmRelease[]>(url, {
-      params: { namespace, filter, selector, output },
-    });
-    return data;
-  } catch (e) {
-    throw parseAxiosError(e as Error, 'Unable to retrieve release list');
-  }
-}
+import { HelmRelease } from '../../types';
 
 /**
  * React hook to fetch a specific Helm release
  */
-export function useHelmRelease(
+export function useHelmRelease<T = HelmRelease>(
   environmentId: EnvironmentId,
   name: string,
-  namespace: string
+  namespace: string,
+  options: {
+    select?: (data: HelmRelease) => T;
+    showResources?: boolean;
+  } = {}
 ) {
   return useQuery(
-    [environmentId, 'helm', namespace, name],
-    () => getHelmRelease(environmentId, name, namespace),
+    [environmentId, 'helm', 'releases', namespace, name, options.showResources],
+    () =>
+      getHelmRelease(environmentId, name, {
+        namespace,
+        showResources: options.showResources,
+      }),
     {
-      enabled: !!environmentId,
+      enabled: !!environmentId && !!name && !!namespace,
       ...withGlobalError('Unable to retrieve helm application details'),
+      select: options.select,
     }
   );
 }
@@ -61,23 +39,20 @@ export function useHelmRelease(
 async function getHelmRelease(
   environmentId: EnvironmentId,
   name: string,
-  namespace: string
-): Promise<HelmRelease> {
+  params: {
+    namespace: string;
+    showResources?: boolean;
+  }
+) {
   try {
-    const releases = await listReleases(environmentId, {
-      filter: `^${name}$`,
-      namespace,
-    });
-
-    if (releases.length > 0) {
-      return releases[0];
-    }
-
-    throw new PortainerError(`Release ${name} not found`);
-  } catch (err) {
-    throw new PortainerError(
-      'Unable to retrieve helm application details',
-      err as Error
+    const { data } = await axios.get<HelmRelease>(
+      `endpoints/${environmentId}/kubernetes/helm/${name}`,
+      {
+        params,
+      }
     );
+    return data;
+  } catch (err) {
+    throw parseAxiosError(err, 'Unable to retrieve helm application details');
   }
 }
diff --git a/app/react/kubernetes/helm/types.ts b/app/react/kubernetes/helm/types.ts
index 8b043a080..49445fa30 100644
--- a/app/react/kubernetes/helm/types.ts
+++ b/app/react/kubernetes/helm/types.ts
@@ -1,3 +1,79 @@
+interface ResourceStatus {
+  phase?: string;
+  reason?: string;
+  message?: string;
+  healthSummary?: {
+    status: string;
+    reason: string;
+    message?: string;
+  };
+}
+
+// A resource has a bunch of common fields that are shared by all kubernetes resources, so can be used when we're unsure about the resource type we have
+export interface GenericResource {
+  apiVersion?: string;
+  kind?: string;
+  metadata: {
+    name: string;
+    namespace?: string;
+  };
+  status: ResourceStatus;
+}
+
+export interface HelmRelease {
+  /** The name of the release */
+  name: string;
+  /** Information about the release */
+  info?: {
+    status?: string;
+    notes?: string;
+    description?: string;
+    resources?: GenericResource[];
+  };
+  /** The chart that was released */
+  chart: HelmChart;
+  /** Extra values added to the chart that override the default values */
+  config?: Record<string, unknown>;
+  /** String representation of the rendered template */
+  manifest: string;
+  /** All hooks declared for this release */
+  hooks?: unknown[];
+  /** Integer representing the revision of the release */
+  version?: number;
+  /** Kubernetes namespace of the release */
+  namespace?: string;
+  /** Values of the release */
+  values?: Values;
+}
+
+export interface Values {
+  /** User supplied values */
+  userSuppliedValues?: string;
+  /** Computed values */
+  computedValues?: string;
+}
+
+export interface HelmChart {
+  /** Raw contents of the files originally contained in the chart archive. Only used in special cases like `helm show values` */
+  raw?: unknown[];
+  /** Contents of the Chartfile */
+  metadata?: {
+    name?: string;
+    version?: string;
+    appVersion?: string;
+  };
+  /** Contents of Chart.lock */
+  lock?: unknown;
+  /** Templates for this chart */
+  templates?: unknown[];
+  /** Default config for this chart */
+  values?: Record<string, unknown>;
+  /** Optional JSON schema for imposing structure on Values */
+  schema?: unknown;
+  /** Miscellaneous files in a chart archive (e.g. README, LICENSE) */
+  files?: unknown[];
+}
+
 export interface Chart extends HelmChartResponse {
   repo: string;
 }
diff --git a/go.mod b/go.mod
index 4a28e80a1..ad6c86799 100644
--- a/go.mod
+++ b/go.mod
@@ -54,11 +54,14 @@ require (
 	golang.org/x/oauth2 v0.23.0
 	golang.org/x/sync v0.11.0
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
+	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.17.1
 	k8s.io/api v0.32.1
 	k8s.io/apimachinery v0.32.1
+	k8s.io/cli-runtime v0.32.1
 	k8s.io/client-go v0.32.1
+	k8s.io/kubectl v0.32.1
 	k8s.io/metrics v0.32.1
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
@@ -129,6 +132,7 @@ require (
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
+	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsevents v0.2.0 // indirect
@@ -288,14 +292,11 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v2 v2.4.0 // indirect
 	k8s.io/apiextensions-apiserver v0.32.1 // indirect
 	k8s.io/apiserver v0.32.1 // indirect
-	k8s.io/cli-runtime v0.32.1 // indirect
 	k8s.io/component-base v0.32.1 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
-	k8s.io/kubectl v0.32.1 // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
 	oras.land/oras-go v1.2.5 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
diff --git a/go.sum b/go.sum
index 8fbb68613..110e5eb4b 100644
--- a/go.sum
+++ b/go.sum
@@ -229,6 +229,8 @@ github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lSh
 github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
+github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8=
+github.com/fatih/camelcase v1.0.0/go.mod h1:yN2Sb0lFhZJUdVvtELVWefmrXpuZESvPmqwoZc+/fpc=
 github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs=
 github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
@@ -451,6 +453,8 @@ github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhnIaL+V+BEER86oLrvS+kWobKpbJuye0=
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
+github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY=
+github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
 github.com/magiconair/properties v1.5.3 h1:C8fxWnhYyME3n0klPOhVM7PtYUB3eV1W3DeFmN3j53Y=
 github.com/magiconair/properties v1.5.3/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
diff --git a/package.json b/package.json
index b67cd56ff..e0cc82463 100644
--- a/package.json
+++ b/package.json
@@ -106,6 +106,7 @@
     "json-schema": "^0.4.0",
     "lodash": "^4.17.21",
     "lucide-react": "^0.468.0",
+    "markdown-to-jsx": "^7.7.4",
     "moment": "^2.29.1",
     "moment-timezone": "^0.5.40",
     "mustache": "^4.2.0",
diff --git a/pkg/libhelm/options/get_options.go b/pkg/libhelm/options/get_options.go
index a65cd75a7..fcac76ab9 100644
--- a/pkg/libhelm/options/get_options.go
+++ b/pkg/libhelm/options/get_options.go
@@ -1,21 +1,11 @@
 package options
 
-// releaseResource are the supported `helm get` sub-commands
-// to see all available sub-commands run `helm get --help`
-type releaseResource string
-
-const (
-	GetAll      releaseResource = "all"
-	GetHooks    releaseResource = "hooks"
-	GetManifest releaseResource = "manifest"
-	GetNotes    releaseResource = "notes"
-	GetValues   releaseResource = "values"
-)
-
 type GetOptions struct {
-	Name                    string
-	Namespace               string
-	ReleaseResource         releaseResource
+	Name      string
+	Namespace string
+	// ShowResources indicates whether to display the resources of the named release
+	ShowResources           bool
+	Revision                int
 	KubernetesClusterAccess *KubernetesClusterAccess
 
 	Env []string
diff --git a/pkg/libhelm/options/history_options.go b/pkg/libhelm/options/history_options.go
new file mode 100644
index 000000000..76bb02e47
--- /dev/null
+++ b/pkg/libhelm/options/history_options.go
@@ -0,0 +1,9 @@
+package options
+
+type HistoryOptions struct {
+	Name                    string
+	Namespace               string
+	KubernetesClusterAccess *KubernetesClusterAccess
+
+	Env []string
+}
diff --git a/pkg/libhelm/release/release.go b/pkg/libhelm/release/release.go
index bd1e32917..56888291c 100644
--- a/pkg/libhelm/release/release.go
+++ b/pkg/libhelm/release/release.go
@@ -1,6 +1,9 @@
 package release
 
-import "github.com/portainer/portainer/pkg/libhelm/time"
+import (
+	"github.com/portainer/portainer/pkg/libhelm/time"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
 
 // Release is the struct that holds the information for a helm release.
 // The struct definitions have been copied from the official Helm Golang client/library.
@@ -14,7 +17,7 @@ type ReleaseElement struct {
 	Updated    string `json:"updated"`
 	Status     string `json:"status"`
 	Chart      string `json:"chart"`
-	AppVersion string `json:"app_version"`
+	AppVersion string `json:"appVersion"`
 }
 
 // Release describes a deployment of a chart, together with the chart
@@ -23,7 +26,7 @@ type Release struct {
 	// Name is the name of the release
 	Name string `json:"name,omitempty"`
 	// Info provides information about a release
-	// Info *Info `json:"info,omitempty"`
+	Info *Info `json:"info,omitempty"`
 	// Chart is the chart that was released.
 	Chart Chart `json:"chart,omitempty"`
 	// Config is the set of extra Values added to the chart.
@@ -40,6 +43,13 @@ type Release struct {
 	// Labels of the release.
 	// Disabled encoding into Json cause labels are stored in storage driver metadata field.
 	Labels map[string]string `json:"-"`
+	// Values are the values used to deploy the chart.
+	Values Values `json:"values,omitempty"`
+}
+
+type Values struct {
+	UserSuppliedValues string `json:"userSuppliedValues,omitempty"`
+	ComputedValues     string `json:"computedValues,omitempty"`
 }
 
 // Chart is a helm package that contains metadata, a default config, zero or more
@@ -183,6 +193,8 @@ type Info struct {
 	Status Status `json:"status,omitempty"`
 	// Contains the rendered templates/NOTES.txt if available
 	Notes string `json:"notes,omitempty"`
+	// Resources is the list of resources that are part of the release
+	Resources []*unstructured.Unstructured `json:"resources,omitempty"`
 }
 
 // Status is the status of a release
diff --git a/pkg/libhelm/sdk/get.go b/pkg/libhelm/sdk/get.go
new file mode 100644
index 000000000..51a5c3bce
--- /dev/null
+++ b/pkg/libhelm/sdk/get.go
@@ -0,0 +1,100 @@
+package sdk
+
+import (
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	sdkrelease "helm.sh/helm/v3/pkg/release"
+)
+
+// Get implements the HelmPackageManager interface by using the Helm SDK to get a release.
+// It returns a Release.
+func (hspm *HelmSDKPackageManager) Get(getOptions options.GetOptions) (*release.Release, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("namespace", getOptions.Namespace).
+		Str("name", getOptions.Name).
+		Msg("Get Helm release")
+
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, getOptions.Namespace, getOptions.KubernetesClusterAccess)
+
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", getOptions.Namespace).
+			Err(err).Msg("Failed to initialise helm configuration")
+		return nil, err
+	}
+
+	statusClient, err := hspm.initStatusClient(actionConfig, getOptions)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", getOptions.Namespace).
+			Err(err).Msg("Failed to initialise helm status client")
+		return nil, err
+	}
+
+	release, err := statusClient.Run(getOptions.Name)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", getOptions.Namespace).
+			Err(err).Msg("Failed to query helm chart")
+		return nil, err
+	}
+
+	values, err := hspm.getValues(getOptions)
+	if err != nil {
+		// error is already logged in getValuesFromStatus
+		return nil, err
+	}
+
+	return convert(release, values), nil
+}
+
+// Helm status is just an extended helm get command with resources added on (when flagged), so use the status client with the optional show resources flag
+// https://github.com/helm/helm/blob/0199b748aaea3091852d16687c9f9f809061777c/pkg/action/get.go#L40-L47
+// https://github.com/helm/helm/blob/0199b748aaea3091852d16687c9f9f809061777c/pkg/action/status.go#L48-L82
+func (hspm *HelmSDKPackageManager) initStatusClient(actionConfig *action.Configuration, getOptions options.GetOptions) (*action.Status, error) {
+	statusClient := action.NewStatus(actionConfig)
+	statusClient.ShowResources = getOptions.ShowResources
+	if getOptions.Revision > 0 {
+		statusClient.Version = getOptions.Revision
+	}
+
+	return statusClient, nil
+}
+
+func convert(sdkRelease *sdkrelease.Release, values release.Values) *release.Release {
+	resources, err := parseResources(sdkRelease.Info.Resources)
+	if err != nil {
+		log.Warn().
+			Str("context", "HelmClient").
+			Str("namespace", sdkRelease.Namespace).
+			Str("name", sdkRelease.Name).
+			Err(err).Msg("Failed to parse resources")
+	}
+	return &release.Release{
+		Name:      sdkRelease.Name,
+		Namespace: sdkRelease.Namespace,
+		Version:   sdkRelease.Version,
+		Info: &release.Info{
+			Status:      release.Status(sdkRelease.Info.Status),
+			Notes:       sdkRelease.Info.Notes,
+			Resources:   resources,
+			Description: sdkRelease.Info.Description,
+		},
+		Manifest: sdkRelease.Manifest,
+		Chart: release.Chart{
+			Metadata: &release.Metadata{
+				Name:       sdkRelease.Chart.Metadata.Name,
+				Version:    sdkRelease.Chart.Metadata.Version,
+				AppVersion: sdkRelease.Chart.Metadata.AppVersion,
+			},
+		},
+		Values: values,
+	}
+}
diff --git a/pkg/libhelm/sdk/get_test.go b/pkg/libhelm/sdk/get_test.go
new file mode 100644
index 000000000..992f5f9fd
--- /dev/null
+++ b/pkg/libhelm/sdk/get_test.go
@@ -0,0 +1,39 @@
+package sdk
+
+import (
+	"testing"
+
+	libhelmrelease "github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/stretchr/testify/assert"
+	"helm.sh/helm/v3/pkg/chart"
+	sdkrelease "helm.sh/helm/v3/pkg/release"
+)
+
+func Test_Convert(t *testing.T) {
+	t.Run("successfully maps a sdk release to a release", func(t *testing.T) {
+		is := assert.New(t)
+
+		release := sdkrelease.Release{
+			Name:    "releaseName",
+			Version: 1,
+			Info: &sdkrelease.Info{
+				Status: "deployed",
+			},
+			Chart: &chart.Chart{
+				Metadata: &chart.Metadata{
+					Name:       "chartName",
+					Version:    "chartVersion",
+					AppVersion: "chartAppVersion",
+				},
+			},
+		}
+
+		values := libhelmrelease.Values{
+			UserSuppliedValues: `{"key": "value"}`,
+			ComputedValues:     `{"key": "value"}`,
+		}
+
+		result := convert(&release, values)
+		is.Equal(release.Name, result.Name)
+	})
+}
diff --git a/pkg/libhelm/sdk/history.go b/pkg/libhelm/sdk/history.go
new file mode 100644
index 000000000..ba6fa4d5d
--- /dev/null
+++ b/pkg/libhelm/sdk/history.go
@@ -0,0 +1,68 @@
+package sdk
+
+import (
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/time"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	sdkrelease "helm.sh/helm/v3/pkg/release"
+)
+
+// GetHistory implements the HelmPackageManager interface by using the Helm SDK to get a release.
+// It returns a Release.
+func (hspm *HelmSDKPackageManager) GetHistory(historyOptions options.HistoryOptions) ([]*release.Release, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("namespace", historyOptions.Namespace).
+		Str("name", historyOptions.Name).
+		Msg("Get Helm history")
+
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, historyOptions.Namespace, historyOptions.KubernetesClusterAccess)
+
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", historyOptions.Namespace).
+			Err(err).Msg("Failed to initialise helm configuration")
+		return nil, err
+	}
+
+	historyClient := action.NewHistory(actionConfig)
+	history, err := historyClient.Run(historyOptions.Name)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", historyOptions.Namespace).
+			Err(err).Msg("Failed to query helm release history")
+		return nil, err
+	}
+
+	var result []*release.Release
+	for _, r := range history {
+		result = append(result, convertHistory(r))
+	}
+
+	return result, nil
+}
+
+func convertHistory(sdkRelease *sdkrelease.Release) *release.Release {
+	return &release.Release{
+		Name:      sdkRelease.Name,
+		Namespace: sdkRelease.Namespace,
+		Version:   sdkRelease.Version,
+		Info: &release.Info{
+			Status:       release.Status(sdkRelease.Info.Status),
+			Notes:        sdkRelease.Info.Notes,
+			LastDeployed: time.Time(sdkRelease.Info.LastDeployed),
+		},
+		Chart: release.Chart{
+			Metadata: &release.Metadata{
+				Name:       sdkRelease.Chart.Metadata.Name,
+				Version:    sdkRelease.Chart.Metadata.Version,
+				AppVersion: sdkRelease.Chart.Metadata.AppVersion,
+			},
+		},
+	}
+}
diff --git a/pkg/libhelm/sdk/history_test.go b/pkg/libhelm/sdk/history_test.go
new file mode 100644
index 000000000..718911697
--- /dev/null
+++ b/pkg/libhelm/sdk/history_test.go
@@ -0,0 +1,33 @@
+package sdk
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"helm.sh/helm/v3/pkg/chart"
+	sdkrelease "helm.sh/helm/v3/pkg/release"
+)
+
+func Test_ConvertHistory(t *testing.T) {
+	t.Run("successfully maps a sdk release to a release", func(t *testing.T) {
+		is := assert.New(t)
+
+		release := sdkrelease.Release{
+			Name:    "releaseName",
+			Version: 1,
+			Info: &sdkrelease.Info{
+				Status: "deployed",
+			},
+			Chart: &chart.Chart{
+				Metadata: &chart.Metadata{
+					Name:       "chartName",
+					Version:    "chartVersion",
+					AppVersion: "chartAppVersion",
+				},
+			},
+		}
+
+		result := convertHistory(&release)
+		is.Equal(release.Name, result.Name)
+	})
+}
diff --git a/pkg/libhelm/sdk/resources.go b/pkg/libhelm/sdk/resources.go
new file mode 100644
index 000000000..0c1dce52a
--- /dev/null
+++ b/pkg/libhelm/sdk/resources.go
@@ -0,0 +1,291 @@
+package sdk
+
+import (
+	"time"
+
+	"github.com/segmentio/encoding/json"
+
+	"github.com/rs/zerolog/log"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+const (
+	Unknown     = "Unknown"
+	Healthy     = "Healthy"
+	Unhealthy   = "Unhealthy"
+	Progressing = "Progressing"
+)
+
+// ResourceStatus represents a generic status for any Kubernetes resource.
+type ResourceStatus struct {
+	// Phase is a simple, high-level summary of where the resource is in its lifecycle.
+	Phase string `json:"phase,omitempty"`
+
+	// HealthSummary represents the summarized health status of the resource
+	HealthSummary *HealthCondition `json:"healthSummary,omitempty"`
+
+	// Reason is a brief CamelCase string containing the reason for the resource's current status.
+	Reason string `json:"reason,omitempty"`
+
+	// Message is a human-readable description of the current status.
+	Message string `json:"message,omitempty"`
+}
+
+// HealthCondition represents a summarized health condition for a resource
+type HealthCondition struct {
+	Status  string `json:"status,omitempty"`
+	Reason  string `json:"reason,omitempty"`
+	Message string `json:"message,omitempty"`
+}
+
+// parseResources returns a list of resources with additional status information, in a consistent format.
+func parseResources(resourceTypesLists map[string][]runtime.Object) ([]*unstructured.Unstructured, error) {
+	flattenedResources := flattenResources(resourceTypesLists)
+
+	resourcesInfo := []*unstructured.Unstructured{}
+	for _, resource := range flattenedResources {
+		info, err := getResourceInfo(resource)
+		if err != nil {
+			return nil, err
+		}
+
+		resourcesInfo = append(resourcesInfo, info)
+	}
+
+	return resourcesInfo, nil
+}
+
+func getResourceInfo(obj runtime.Object) (*unstructured.Unstructured, error) {
+	data, err := json.Marshal(obj)
+	if err != nil {
+		return nil, err
+	}
+
+	res := &unstructured.Unstructured{}
+	err = json.Unmarshal(data, res)
+	if err != nil {
+		return nil, err
+	}
+
+	status, conditions, err := extractStatus(res)
+	if err == nil {
+		summarizeStatus(status, conditions, res.GetName(), res.GetNamespace(), err)
+		applyStatusToResource(res, status)
+	}
+
+	// only keep metadata, kind and status (other fields are not needed)
+	res.Object = map[string]any{
+		"metadata": res.Object["metadata"],
+		"kind":     res.Object["kind"],
+		"status":   res.Object["status"],
+	}
+
+	return res, nil
+}
+
+// extractStatus extracts the status from an unstructured resource
+func extractStatus(res *unstructured.Unstructured) (*ResourceStatus, []metav1.Condition, error) {
+	statusMap, found, err := unstructured.NestedMap(res.Object, "status")
+	if !found || err != nil {
+		return &ResourceStatus{}, nil, nil
+	}
+
+	// Extract basic status fields
+	phase, _, _ := unstructured.NestedString(statusMap, "phase")
+	reason, _, _ := unstructured.NestedString(statusMap, "reason")
+	message, _, _ := unstructured.NestedString(statusMap, "message")
+
+	// Extract conditions for analysis
+	conditions := []metav1.Condition{}
+	conditionsData, found, _ := unstructured.NestedSlice(statusMap, "conditions")
+	if found {
+		for _, condData := range conditionsData {
+			condMap, ok := condData.(map[string]any)
+			if !ok {
+				continue
+			}
+
+			cond := metav1.Condition{}
+			if typeStr, ok := condMap["type"].(string); ok {
+				cond.Type = typeStr
+			}
+			if statusStr, ok := condMap["status"].(string); ok {
+				cond.Status = metav1.ConditionStatus(statusStr)
+			}
+			if reasonStr, ok := condMap["reason"].(string); ok {
+				cond.Reason = reasonStr
+			}
+			if msgStr, ok := condMap["message"].(string); ok {
+				cond.Message = msgStr
+			}
+			if timeStr, ok := condMap["lastTransitionTime"].(string); ok {
+				t, _ := time.Parse(time.RFC3339, timeStr)
+				cond.LastTransitionTime = metav1.Time{Time: t}
+			}
+
+			conditions = append(conditions, cond)
+		}
+	}
+
+	return &ResourceStatus{
+		Phase:   phase,
+		Reason:  reason,
+		Message: message,
+	}, conditions, nil
+}
+
+// summarizeStatus creates a health summary based on resource status and conditions
+func summarizeStatus(status *ResourceStatus, conditions []metav1.Condition, name string, namespace string, err error) *ResourceStatus {
+	healthSummary := &HealthCondition{
+		Status:  Unknown,
+		Reason:  status.Reason,
+		Message: status.Message,
+	}
+
+	// Handle error case first
+	if err != nil {
+		healthSummary.Reason = "ErrorGettingStatus"
+		healthSummary.Message = err.Error()
+		status.HealthSummary = healthSummary
+		return status
+	}
+
+	// Handle phase-based status
+	switch status.Phase {
+	case "Error":
+		healthSummary.Status = Unhealthy
+		healthSummary.Reason = status.Phase
+	case "Running":
+		healthSummary.Status = Healthy
+		healthSummary.Reason = status.Phase
+	case "Pending":
+		healthSummary.Status = Progressing
+		healthSummary.Reason = status.Phase
+	case "Failed":
+		healthSummary.Status = Unhealthy
+		healthSummary.Reason = status.Phase
+	case "Available", "Active", "Established", "Bound", "Ready", "Succeeded":
+		healthSummary.Status = Healthy
+		healthSummary.Reason = status.Phase
+	case "":
+		// Empty phase - check conditions or default to "Exists"
+		if len(conditions) > 0 {
+			analyzeConditions(conditions, healthSummary)
+		} else {
+			healthSummary.Status = Healthy
+			healthSummary.Reason = "Exists"
+		}
+	default:
+		log.Warn().
+			Str("context", "HelmClient").
+			Str("namespace", namespace).
+			Str("name", name).
+			Str("phase", status.Phase).
+			Msg("Unhandled status")
+		healthSummary.Reason = status.Phase
+	}
+
+	// Set message from first condition if available
+	if len(conditions) > 0 && healthSummary.Message == "" {
+		healthSummary.Message = conditions[0].Message
+	}
+
+	status.HealthSummary = healthSummary
+	return status
+}
+
+// analyzeConditions determines resource health based on standard condition types
+func analyzeConditions(conditions []metav1.Condition, healthSummary *HealthCondition) {
+	for _, cond := range conditions {
+		switch cond.Type {
+		case "Progressing":
+			if cond.Status == "False" {
+				healthSummary.Status = Unhealthy
+				healthSummary.Reason = cond.Reason
+			} else if cond.Reason != "NewReplicaSetAvailable" {
+				healthSummary.Status = Unknown
+				healthSummary.Reason = cond.Reason
+			}
+		case "Available", "Ready", "DisruptionAllowed", "Established", "NamesAccepted":
+			if healthSummary.Status == Unknown ||
+				(cond.Type == "Established" && healthSummary.Status == Healthy) ||
+				(cond.Type == "NamesAccepted" && healthSummary.Status == Healthy) {
+				if cond.Status == "False" {
+					healthSummary.Status = Unhealthy
+				} else {
+					healthSummary.Status = Healthy
+				}
+				healthSummary.Reason = cond.Reason
+			}
+		case "ContainersReady":
+			if healthSummary.Status == Unknown && cond.Status == "False" {
+				healthSummary.Status = Unhealthy
+				healthSummary.Reason = cond.Reason
+			}
+		}
+	}
+}
+
+// applyStatusToResource applies the typed ResourceStatus back to the unstructured resource
+func applyStatusToResource(res *unstructured.Unstructured, status *ResourceStatus) {
+	statusMap := map[string]any{
+		"phase":   status.Phase,
+		"reason":  status.Reason,
+		"message": status.Message,
+	}
+
+	if status.HealthSummary != nil {
+		statusMap["healthSummary"] = map[string]any{
+			"status":  status.HealthSummary.Status,
+			"reason":  status.HealthSummary.Reason,
+			"message": status.HealthSummary.Message,
+		}
+	}
+
+	unstructured.SetNestedMap(res.Object, statusMap, "status")
+}
+
+// flattenResources extracts items from a list resource and convert them to runtime.Objects
+func flattenResources(resourceTypesLists map[string][]runtime.Object) []runtime.Object {
+	flattenedResources := []runtime.Object{}
+
+	for _, resourceTypeList := range resourceTypesLists {
+		for _, resourceItem := range resourceTypeList {
+			// if the resource item is a list, we need to flatten it too e.g. PodList
+			items := extractItemsIfList(resourceItem)
+			if items != nil {
+				flattenedResources = append(flattenedResources, items...)
+			} else {
+				flattenedResources = append(flattenedResources, resourceItem)
+			}
+		}
+	}
+
+	return flattenedResources
+}
+
+// extractItemsIfList extracts items if the resource is a list, or returns nil if not a list
+func extractItemsIfList(resource runtime.Object) []runtime.Object {
+	unstructuredObj, ok := resource.(runtime.Unstructured)
+	if !ok {
+		return nil
+	}
+
+	if !unstructuredObj.IsList() {
+		return nil
+	}
+
+	extractedItems := []runtime.Object{}
+	err := unstructuredObj.EachListItem(func(obj runtime.Object) error {
+		extractedItems = append(extractedItems, obj)
+		return nil
+	})
+
+	if err != nil {
+		return nil
+	}
+
+	return extractedItems
+}
diff --git a/pkg/libhelm/sdk/resources_test.go b/pkg/libhelm/sdk/resources_test.go
new file mode 100644
index 000000000..8bd3b8c21
--- /dev/null
+++ b/pkg/libhelm/sdk/resources_test.go
@@ -0,0 +1,143 @@
+package sdk
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
+)
+
+func TestParseResources(t *testing.T) {
+	t.Run("successfully parse single resource", func(t *testing.T) {
+		resourceTypesLists := map[string][]runtime.Object{
+			"v1/Pod(related)": {
+				&unstructured.Unstructured{
+					Object: map[string]any{
+						"apiVersion": "v1",
+						"kind":       "Pod",
+						"metadata": map[string]any{
+							"name":      "test-pod",
+							"namespace": "default",
+						},
+						"status": map[string]any{
+							"phase": "Available",
+						},
+					},
+				},
+			},
+		}
+
+		got, err := parseResources(resourceTypesLists)
+		assert.NoError(t, err)
+		assert.Equal(t, 1, len(got))
+
+		// Check resource metadata
+		assert.Equal(t, "test-pod", got[0].GetName())
+		assert.Equal(t, "default", got[0].GetNamespace())
+
+		// Check status and condition
+		statusMap, found, _ := unstructured.NestedMap(got[0].Object, "status")
+		assert.True(t, found)
+		assert.Equal(t, "Available", statusMap["phase"])
+
+		healthSummary, found, _ := unstructured.NestedMap(statusMap, "healthSummary")
+		assert.True(t, found)
+		assert.Equal(t, "Healthy", healthSummary["status"])
+		assert.Equal(t, "Available", healthSummary["reason"])
+	})
+
+	t.Run("successfully parse multiple resources", func(t *testing.T) {
+		resourceTypesLists := map[string][]runtime.Object{
+			"v1/Pod(related)": {
+				&unstructured.Unstructured{
+					Object: map[string]any{
+						"apiVersion": "v1",
+						"kind":       "Pod",
+						"metadata": map[string]any{
+							"name":      "test-pod-1",
+							"namespace": "default",
+						},
+						"status": map[string]any{
+							"phase": "Pending",
+						},
+					},
+				},
+				&unstructured.Unstructured{
+					Object: map[string]any{
+						"apiVersion": "v1",
+						"kind":       "Pod",
+						"metadata": map[string]any{
+							"name":      "test-pod-2",
+							"namespace": "default",
+						},
+						"status": map[string]any{
+							"phase": "Error",
+						},
+					},
+				},
+			},
+		}
+
+		got, err := parseResources(resourceTypesLists)
+		assert.NoError(t, err)
+		assert.Equal(t, 2, len(got))
+
+		// Check first resource
+		assert.Equal(t, "test-pod-1", got[0].GetName())
+		statusMap1, found, _ := unstructured.NestedMap(got[0].Object, "status")
+		assert.True(t, found)
+		assert.Equal(t, "Pending", statusMap1["phase"])
+
+		healthSummary1, found, _ := unstructured.NestedMap(statusMap1, "healthSummary")
+		assert.True(t, found)
+		assert.Equal(t, Progressing, healthSummary1["status"])
+		assert.Equal(t, "Pending", healthSummary1["reason"])
+
+		// Check second resource
+		assert.Equal(t, "test-pod-2", got[1].GetName())
+		statusMap2, found, _ := unstructured.NestedMap(got[1].Object, "status")
+		assert.True(t, found)
+		healthSummary2, found, _ := unstructured.NestedMap(statusMap2, "healthSummary")
+		assert.True(t, found)
+		assert.Equal(t, Unhealthy, healthSummary2["status"])
+		assert.Equal(t, "Error", healthSummary2["reason"])
+	})
+}
+
+func TestEnhanceStatus(t *testing.T) {
+	t.Run("healthy running pod", func(t *testing.T) {
+		// Create a ResourceStatus object
+		status := &ResourceStatus{
+			Phase: "Failed",
+		}
+
+		conditions := []metav1.Condition{}
+
+		result := summarizeStatus(status, conditions, "test-pod", "default", nil)
+
+		assert.Equal(t, Unhealthy, result.HealthSummary.Status)
+		assert.Equal(t, "Failed", result.HealthSummary.Reason)
+	})
+
+	t.Run("unhealthy pod with error", func(t *testing.T) {
+		// Create a ResourceStatus object
+		status := &ResourceStatus{
+			Phase: "Error",
+		}
+
+		conditions := []metav1.Condition{
+			{
+				Type:   "DisruptionAllowed",
+				Status: metav1.ConditionFalse,
+				Reason: "InsufficientPods",
+			},
+		}
+
+		result := summarizeStatus(status, conditions, "test-pod", "default", nil)
+
+		assert.Equal(t, Unhealthy, result.HealthSummary.Status)
+		assert.Equal(t, "Error", result.HealthSummary.Reason)
+	})
+}
diff --git a/pkg/libhelm/sdk/values.go b/pkg/libhelm/sdk/values.go
index 37ad46775..8818f998f 100644
--- a/pkg/libhelm/sdk/values.go
+++ b/pkg/libhelm/sdk/values.go
@@ -4,7 +4,11 @@ import (
 	"os"
 
 	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
 	"github.com/rs/zerolog/log"
+	"gopkg.in/yaml.v2"
+	"helm.sh/helm/v3/pkg/action"
 )
 
 // GetHelmValuesFromFile reads the values file and parses it into a map[string]any
@@ -40,3 +44,75 @@ func (hspm *HelmSDKPackageManager) GetHelmValuesFromFile(valuesFile string) (map
 
 	return vals, nil
 }
+
+func (hspm *HelmSDKPackageManager) getValues(getOpts options.GetOptions) (release.Values, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("namespace", getOpts.Namespace).
+		Str("name", getOpts.Name).
+		Msg("Getting values")
+
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, getOpts.Namespace, getOpts.KubernetesClusterAccess)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", getOpts.Namespace).
+			Err(err).Msg("Failed to initialise helm configuration")
+		return release.Values{}, err
+	}
+
+	// Create client for user supplied values
+	userValuesClient := action.NewGetValues(actionConfig)
+	userSuppliedValues, err := userValuesClient.Run(getOpts.Name)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", getOpts.Namespace).
+			Err(err).Msg("Failed to get user supplied values")
+		return release.Values{}, err
+	}
+
+	// Create separate client for computed values
+	computedValuesClient := action.NewGetValues(actionConfig)
+	computedValuesClient.AllValues = true
+	computedValues, err := computedValuesClient.Run(getOpts.Name)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("namespace", getOpts.Namespace).
+			Err(err).Msg("Failed to get computed values")
+		return release.Values{}, err
+	}
+
+	userSuppliedValuesByte, err := yaml.Marshal(userSuppliedValues)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).Msg("Failed to marshal user supplied values")
+		return release.Values{}, err
+	}
+
+	computedValuesByte, err := yaml.Marshal(computedValues)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).Msg("Failed to marshal computed values")
+		return release.Values{}, err
+	}
+
+	// Handle the case where the values are an empty object
+	userSuppliedValuesString := string(userSuppliedValuesByte)
+	if userSuppliedValuesString == "{}\n" {
+		userSuppliedValuesString = ""
+	}
+	computedValuesString := string(computedValuesByte)
+	if computedValuesString == "{}\n" {
+		computedValuesString = ""
+	}
+
+	return release.Values{
+		UserSuppliedValues: userSuppliedValuesString,
+		ComputedValues:     computedValuesString,
+	}, nil
+}
diff --git a/pkg/libhelm/test/mock.go b/pkg/libhelm/test/mock.go
index 58d53715c..518b53fbd 100644
--- a/pkg/libhelm/test/mock.go
+++ b/pkg/libhelm/test/mock.go
@@ -1,6 +1,7 @@
 package test
 
 import (
+	"slices"
 	"strings"
 
 	"github.com/portainer/portainer/pkg/libhelm/options"
@@ -91,29 +92,11 @@ func (hpm *helmMockPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 	return nil, nil
 }
 
-// Get release details - all, hooks, manifest, notes and values
-func (hpm *helmMockPackageManager) Get(getOpts options.GetOptions) ([]byte, error) {
-	switch getOpts.ReleaseResource {
-	case options.GetAll:
-		return []byte(strings.Join([]string{MockReleaseHooks, MockReleaseManifest, MockReleaseNotes, MockReleaseValues}, "---\n")), nil
-	case options.GetHooks:
-		return []byte(MockReleaseHooks), nil
-	case options.GetManifest:
-		return []byte(MockReleaseManifest), nil
-	case options.GetNotes:
-		return []byte(MockReleaseNotes), nil
-	case options.GetValues:
-		return []byte(MockReleaseValues), nil
-	default:
-		return nil, errors.New("invalid release resource")
-	}
-}
-
 // Uninstall a helm chart (not thread safe)
 func (hpm *helmMockPackageManager) Uninstall(uninstallOpts options.UninstallOptions) error {
 	for i, rel := range mockCharts {
 		if rel.Name == uninstallOpts.Name && rel.Namespace == uninstallOpts.Namespace {
-			mockCharts = append(mockCharts[:i], mockCharts[i+1:]...)
+			mockCharts = slices.Delete(mockCharts, i, i+1)
 		}
 	}
 	return nil
@@ -124,6 +107,25 @@ func (hpm *helmMockPackageManager) List(listOpts options.ListOptions) ([]release
 	return mockCharts, nil
 }
 
+// Get a helm release (not thread safe)
+func (hpm *helmMockPackageManager) Get(getOpts options.GetOptions) (*release.Release, error) {
+	index := slices.IndexFunc(mockCharts, func(re release.ReleaseElement) bool {
+		return re.Name == getOpts.Name && re.Namespace == getOpts.Namespace
+	})
+	return newMockRelease(&mockCharts[index]), nil
+}
+
+func (hpm *helmMockPackageManager) GetHistory(historyOpts options.HistoryOptions) ([]*release.Release, error) {
+	var result []*release.Release
+	for i, v := range mockCharts {
+		if v.Name == historyOpts.Name && v.Namespace == historyOpts.Namespace {
+			result = append(result, newMockRelease(&mockCharts[i]))
+		}
+	}
+
+	return result, nil
+}
+
 const mockPortainerIndex = `apiVersion: v1
 entries:
   portainer:
diff --git a/pkg/libhelm/types/types.go b/pkg/libhelm/types/types.go
index 8c0caa80b..7c78cbe88 100644
--- a/pkg/libhelm/types/types.go
+++ b/pkg/libhelm/types/types.go
@@ -14,6 +14,8 @@ type HelmPackageManager interface {
 	List(listOpts options.ListOptions) ([]release.ReleaseElement, error)
 	Upgrade(upgradeOpts options.InstallOptions) (*release.Release, error)
 	Uninstall(uninstallOpts options.UninstallOptions) error
+	Get(getOpts options.GetOptions) (*release.Release, error)
+	GetHistory(historyOpts options.HistoryOptions) ([]*release.Release, error)
 }
 
 type Repository interface {
diff --git a/pkg/libkubectl/client.go b/pkg/libkubectl/client.go
new file mode 100644
index 000000000..bfb86f172
--- /dev/null
+++ b/pkg/libkubectl/client.go
@@ -0,0 +1,63 @@
+package libkubectl
+
+import (
+	"bytes"
+	"errors"
+
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/cli-runtime/pkg/genericiooptions"
+	"k8s.io/kubectl/pkg/cmd/util"
+)
+
+type ClientAccess struct {
+	Token     string
+	ServerUrl string
+}
+
+type Client struct {
+	factory util.Factory
+	streams genericclioptions.IOStreams
+	out     *bytes.Buffer
+}
+
+// NewClient creates a new kubectl client
+func NewClient(libKubectlAccess *ClientAccess, namespace, kubeconfig string, insecure bool) (*Client, error) {
+	configFlags, err := generateConfigFlags(libKubectlAccess.Token, libKubectlAccess.ServerUrl, namespace, kubeconfig, insecure)
+	if err != nil {
+		return nil, err
+	}
+
+	streams, _, out, _ := genericiooptions.NewTestIOStreams()
+
+	return &Client{
+		factory: util.NewFactory(configFlags),
+		streams: streams,
+		out:     out,
+	}, nil
+}
+
+// generateConfigFlags generates the config flags for the kubectl client
+// If kubeconfigPath is provided, it will be used instead of server and token
+// If server and token are provided, they will be used to connect to the cluster
+// If neither kubeconfigPath or server and token are provided, an error will be returned
+func generateConfigFlags(token, server, namespace, kubeconfigPath string, insecure bool) (*genericclioptions.ConfigFlags, error) {
+	if kubeconfigPath == "" && (server == "" || token == "") {
+		return nil, errors.New("must provide either a kubeconfig path or a server and token")
+	}
+
+	configFlags := genericclioptions.NewConfigFlags(true)
+	if namespace != "" {
+		configFlags.Namespace = &namespace
+	}
+
+	if kubeconfigPath != "" {
+		configFlags.KubeConfig = &kubeconfigPath
+	} else {
+		configFlags.APIServer = &server
+		configFlags.BearerToken = &token
+	}
+
+	configFlags.Insecure = &insecure
+
+	return configFlags, nil
+}
diff --git a/pkg/libkubectl/client_test.go b/pkg/libkubectl/client_test.go
new file mode 100644
index 000000000..c2c7fd739
--- /dev/null
+++ b/pkg/libkubectl/client_test.go
@@ -0,0 +1,101 @@
+package libkubectl
+
+import (
+	"testing"
+)
+
+func TestNewClient(t *testing.T) {
+	tests := []struct {
+		name             string
+		libKubectlAccess ClientAccess
+		namespace        string
+		kubeconfig       string
+		insecure         bool
+		wantErr          bool
+		errContains      string
+	}{
+		{
+			name:             "valid client with token and server",
+			libKubectlAccess: ClientAccess{Token: "test-token", ServerUrl: "https://localhost:6443"},
+			namespace:        "default",
+			insecure:         true,
+			wantErr:          false,
+		},
+		{
+			name:       "valid client with kubeconfig",
+			kubeconfig: "/path/to/kubeconfig",
+			namespace:  "test-namespace",
+			insecure:   false,
+			wantErr:    false,
+		},
+		{
+			name:        "missing both token/server and kubeconfig",
+			namespace:   "default",
+			insecure:    false,
+			wantErr:     true,
+			errContains: "must provide either a kubeconfig path or a server and token",
+		},
+		{
+			name:             "missing token with server",
+			libKubectlAccess: ClientAccess{ServerUrl: "https://localhost:6443"},
+			namespace:        "default",
+			insecure:         false,
+			wantErr:          true,
+			errContains:      "must provide either a kubeconfig path or a server and token",
+		},
+		{
+			name:             "missing server with token",
+			libKubectlAccess: ClientAccess{Token: "test-token"},
+			namespace:        "default",
+			insecure:         false,
+			wantErr:          true,
+			errContains:      "must provide either a kubeconfig path or a server and token",
+		},
+		{
+			name:             "empty namespace is valid",
+			libKubectlAccess: ClientAccess{Token: "test-token", ServerUrl: "https://localhost:6443"},
+			namespace:        "",
+			insecure:         false,
+			wantErr:          false,
+		},
+		{
+			name:             "insecure true with valid credentials",
+			libKubectlAccess: ClientAccess{Token: "test-token", ServerUrl: "https://localhost:6443"},
+			namespace:        "default",
+			insecure:         true,
+			wantErr:          false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			client, err := NewClient(&tt.libKubectlAccess, tt.namespace, tt.kubeconfig, tt.insecure)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("NewClient() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+
+			if err != nil && tt.errContains != "" {
+				if got := err.Error(); got != tt.errContains {
+					t.Errorf("NewClient() error = %v, want error containing %v", got, tt.errContains)
+				}
+				return
+			}
+
+			if !tt.wantErr {
+				if client == nil {
+					t.Error("NewClient() returned nil client when no error was expected")
+					return
+				}
+
+				// Verify client fields are properly initialized
+				if client.factory == nil {
+					t.Error("NewClient() client.factory is nil")
+				}
+				if client.out == nil {
+					t.Error("NewClient() client.out is nil")
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/libkubectl/describe.go b/pkg/libkubectl/describe.go
new file mode 100644
index 000000000..19588f606
--- /dev/null
+++ b/pkg/libkubectl/describe.go
@@ -0,0 +1,40 @@
+package libkubectl
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/api/meta"
+	"k8s.io/cli-runtime/pkg/resource"
+	describecmd "k8s.io/kubectl/pkg/cmd/describe"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
+	"k8s.io/kubectl/pkg/describe"
+)
+
+// Describe returns the description of a resource
+// name is the name of the resource, kind is the kind of the resource, and namespace is the namespace of the resource
+// this is identical to running `kubectl describe <kind> <name> --namespace <namespace>`
+func (c *Client) Describe(namespace, name, kind string) (string, error) {
+	describeOptions := &describecmd.DescribeOptions{
+		BuilderArgs: []string{kind, name},
+		Describer: func(mapping *meta.RESTMapping) (describe.ResourceDescriber, error) {
+			return describe.DescriberFn(c.factory, mapping)
+		},
+		FilenameOptions: &resource.FilenameOptions{},
+		DescriberSettings: &describe.DescriberSettings{
+			ShowEvents: true,
+			ChunkSize:  cmdutil.DefaultChunkSize,
+		},
+		IOStreams:  c.streams,
+		NewBuilder: c.factory.NewBuilder,
+	}
+
+	if namespace != "" {
+		describeOptions.Namespace = namespace
+	}
+
+	if err := describeOptions.Run(); err != nil {
+		return "", fmt.Errorf("error describing resources: %w", err)
+	}
+
+	return c.out.String(), nil
+}
diff --git a/yarn.lock b/yarn.lock
index a041f9578..4f1b90b95 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -13148,6 +13148,11 @@ markdown-to-jsx@^7.1.8:
   resolved "https://registry.yarnpkg.com/markdown-to-jsx/-/markdown-to-jsx-7.2.0.tgz#e7b46b65955f6a04d48a753acd55874a14bdda4b"
   integrity sha512-3l4/Bigjm4bEqjCR6Xr+d4DtM1X6vvtGsMGSjJYyep8RjjIvcWtrXBS8Wbfe1/P+atKNMccpsraESIaWVplzVg==
 
+markdown-to-jsx@^7.7.4:
+  version "7.7.4"
+  resolved "https://registry.yarnpkg.com/markdown-to-jsx/-/markdown-to-jsx-7.7.4.tgz#507d17c15af72ddf970fca84a95f0243244fcfa9"
+  integrity sha512-1bSfXyBKi+EYS3YY+e0Csuxf8oZ3decdfhOav/Z7Wrk89tjudyL5FOmwZQUoy0/qVXGUl+6Q3s2SWtpDEWITfQ==
+  
 math-intrinsics@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz#a0dd74be81e2aa5c2f27e65ce283605ee4e2b7f9"

From 823f2a7991223ea57f2df4d763c8e2547faddb62 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Fri, 11 Apr 2025 08:26:11 +1200
Subject: [PATCH 084/212] fix(edge): missing env var in async agent docker
 snapshot [BE-11709] (#625)

---
 pkg/snapshot/docker.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/snapshot/docker.go b/pkg/snapshot/docker.go
index 49ae57c59..3ea4dc0d5 100644
--- a/pkg/snapshot/docker.go
+++ b/pkg/snapshot/docker.go
@@ -136,6 +136,7 @@ func dockerSnapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Cl
 	stacks := make(map[string]struct{})
 	gpuUseSet := make(map[string]struct{})
 	gpuUseAll := false
+	containerEnvs := make(map[string][]string)
 
 	for _, container := range containers {
 		for k, v := range container.Labels {
@@ -148,7 +149,7 @@ func dockerSnapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Cl
 			continue
 		}
 
-		// Snapshot GPUs
+		// Snapshot GPUs and Env
 		response, err := cli.ContainerInspect(context.Background(), container.ID)
 		if err != nil && !snapshot.Swarm {
 			return err
@@ -167,6 +168,8 @@ func dockerSnapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Cl
 			continue
 		}
 
+		containerEnvs[container.ID] = response.Config.Env
+
 		var gpuOptions *_container.DeviceRequest
 
 		for _, deviceRequest := range response.HostConfig.Resources.DeviceRequests {
@@ -206,7 +209,7 @@ func dockerSnapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Cl
 	snapshot.StackCount += len(stacks)
 
 	for _, container := range containers {
-		snapshot.SnapshotRaw.Containers = append(snapshot.SnapshotRaw.Containers, portainer.DockerContainerSnapshot{Container: container})
+		snapshot.SnapshotRaw.Containers = append(snapshot.SnapshotRaw.Containers, portainer.DockerContainerSnapshot{Container: container, Env: containerEnvs[container.ID]})
 	}
 
 	return nil

From d68fe429180182f07bb6ac9fe32fe6491764ecc5 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Fri, 11 Apr 2025 08:39:39 +1200
Subject: [PATCH 085/212] fix(apps): better align sub tables [r8s-255] (#617)

---
 .../ListView/ApplicationsDatatable/PublishedPorts.tsx         | 2 +-
 .../applications/ListView/ApplicationsDatatable/SubRow.tsx    | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/PublishedPorts.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/PublishedPorts.tsx
index 636504978..9bdb47f06 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/PublishedPorts.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/PublishedPorts.tsx
@@ -14,7 +14,7 @@ export function PublishedPorts({ item }: { item: Application }) {
   }
 
   return (
-    <div className="published-url-container pl-10 flex">
+    <div className="published-url-container flex">
       <div className="text-muted mr-12">Published URL(s)</div>
       <div className="flex flex-col">
         {urlsWithTypes.map(({ url, type }) => (
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx
index e6c1d8786..ce4b5d4ec 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx
@@ -19,11 +19,11 @@ export function SubRow({
   const {
     user: { Username: username },
   } = useCurrentUser();
-  const colSpan = hideStacks ? 8 : 9;
+  const colSpan = hideStacks ? 7 : 8;
 
   return (
     <tr className={clsx({ 'secondary-body': !item.KubernetesApplications })}>
-      <td />
+      <td colSpan={2} />
       <td colSpan={colSpan} className="datatable-padding-vertical">
         {item.KubernetesApplications ? (
           <InnerTable

From f82921d2a1de7324fb8669179db60bbad0686cd9 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Thu, 10 Apr 2025 20:12:27 -0300
Subject: [PATCH 086/212] fix(edgestacks): fix edge stack update when using Git
 BE-11766 (#629)

---
 api/http/handler/edgestacks/edgestack_update.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/api/http/handler/edgestacks/edgestack_update.go b/api/http/handler/edgestacks/edgestack_update.go
index 27a279fb3..a3d59abb8 100644
--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -145,11 +145,15 @@ func (handler *Handler) handleChangeEdgeGroups(tx dataservices.DataStoreTx, edge
 	relatedEnvironmentsToRemove := oldRelatedEnvironmentsSet.Difference(newRelatedEnvironmentsSet)
 
 	if len(relatedEnvironmentsToRemove) > 0 {
-		tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEnvironmentsToRemove.Keys(), edgeStackID)
+		if err := tx.EndpointRelation().RemoveEndpointRelationsForEdgeStack(relatedEnvironmentsToRemove.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to remove edge stack relations from the database")
+		}
 	}
 
 	if len(relatedEnvironmentsToAdd) > 0 {
-		tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEnvironmentsToAdd.Keys(), edgeStackID)
+		if err := tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEnvironmentsToAdd.Keys(), edgeStackID); err != nil {
+			return nil, nil, errors.WithMessage(err, "Unable to add edge stack relations to the database")
+		}
 	}
 
 	return newRelatedEnvironmentIDs, relatedEnvironmentsToAdd, nil

From ebc25e45d3c4271c582764446a77bb0d5f51e0e5 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Sat, 12 Apr 2025 10:24:23 +1200
Subject: [PATCH 087/212] fix(edge): redeploy edge stack doesn't apply to std
 agents [BE-11766] (#633)

---
 api/dataservices/endpointrelation/tx.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/api/dataservices/endpointrelation/tx.go b/api/dataservices/endpointrelation/tx.go
index 2b2d90280..bc58678fd 100644
--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -93,6 +93,10 @@ func (service ServiceTx) AddEndpointRelationsForEdgeStack(endpointIDs []portaine
 		}
 	}
 
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
 		edgeStack.NumDeployments += len(endpointIDs)
 	}); err != nil {
@@ -119,6 +123,10 @@ func (service ServiceTx) RemoveEndpointRelationsForEdgeStack(endpointIDs []porta
 		}
 	}
 
+	service.service.mu.Lock()
+	service.service.endpointRelationsCache = nil
+	service.service.mu.Unlock()
+
 	if err := service.service.updateStackFnTx(service.tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
 		edgeStack.NumDeployments -= len(endpointIDs)
 	}); err != nil {

From c331ada086e08576db68bfe2355fb9b56108c205 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Sun, 13 Apr 2025 23:05:48 +0200
Subject: [PATCH 088/212] feat(app): 1s staleTime to avoid sending repeated
 requests (#607)

---
 app/portainer/tags/queries.ts                               | 1 -
 app/portainer/users/queries/useLoadCurrentUser.ts           | 3 +--
 app/portainer/users/queries/useUser.ts                      | 6 +-----
 app/react-tools/react-query.ts                              | 1 +
 .../HelmRepositoryDatatable/helm-repositories.service.ts    | 1 -
 .../portainer/environments/environment-groups/queries.ts    | 1 -
 app/react/portainer/environments/queries/useEnvironment.ts  | 1 -
 .../registries/repositories/queries/useTagDetails.ts        | 2 +-
 .../portainer/settings/queries/useExperimentalSettings.ts   | 1 -
 app/react/portainer/settings/queries/useSettings.ts         | 1 -
 10 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/app/portainer/tags/queries.ts b/app/portainer/tags/queries.ts
index fe4bac346..381de44b1 100644
--- a/app/portainer/tags/queries.ts
+++ b/app/portainer/tags/queries.ts
@@ -20,7 +20,6 @@ export function useTags<T = Tag[]>({
   enabled = true,
 }: { select?: (tags: Tag[]) => T; enabled?: boolean } = {}) {
   return useQuery(tagKeys.all, () => getTags(), {
-    staleTime: 50,
     select,
     enabled,
     ...withError('Failed to retrieve tags'),
diff --git a/app/portainer/users/queries/useLoadCurrentUser.ts b/app/portainer/users/queries/useLoadCurrentUser.ts
index bd47fbee9..324f27110 100644
--- a/app/portainer/users/queries/useLoadCurrentUser.ts
+++ b/app/portainer/users/queries/useLoadCurrentUser.ts
@@ -12,10 +12,9 @@ interface CurrentUserResponse extends User {
   forceChangePassword: boolean;
 }
 
-export function useLoadCurrentUser({ staleTime }: { staleTime?: number } = {}) {
+export function useLoadCurrentUser() {
   return useQuery(userQueryKeys.me(), () => getCurrentUser(), {
     ...withError('Unable to retrieve user details'),
-    staleTime,
   });
 }
 
diff --git a/app/portainer/users/queries/useUser.ts b/app/portainer/users/queries/useUser.ts
index 01e069829..640e22374 100644
--- a/app/portainer/users/queries/useUser.ts
+++ b/app/portainer/users/queries/useUser.ts
@@ -8,13 +8,9 @@ import { User, UserId } from '../types';
 
 import { userQueryKeys } from './queryKeys';
 
-export function useUser(
-  id: UserId,
-  { staleTime }: { staleTime?: number } = {}
-) {
+export function useUser(id: UserId) {
   return useQuery(userQueryKeys.user(id), () => getUser(id), {
     ...withError('Unable to retrieve user details'),
-    staleTime,
   });
 }
 
diff --git a/app/react-tools/react-query.ts b/app/react-tools/react-query.ts
index 336b72308..2ebedbd18 100644
--- a/app/react-tools/react-query.ts
+++ b/app/react-tools/react-query.ts
@@ -88,6 +88,7 @@ export function createQueryClient() {
     defaultOptions: {
       queries: {
         networkMode: 'offlineFirst',
+        staleTime: 1000, // 1s stale time by default
       },
     },
     mutationCache: new MutationCache({
diff --git a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
index c12ed9ffa..b4c5cc63b 100644
--- a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
+++ b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
@@ -83,7 +83,6 @@ export function useDeleteHelmRepositoriesMutation() {
 
 export function useHelmRepositories(userId: number) {
   return useQuery(['helmrepositories'], () => getHelmRepositories(userId), {
-    staleTime: 20,
     ...withError('Unable to retrieve Helm repositories'),
   });
 }
diff --git a/app/react/portainer/environments/environment-groups/queries.ts b/app/react/portainer/environments/environment-groups/queries.ts
index 74a588d24..9c93dde62 100644
--- a/app/react/portainer/environments/environment-groups/queries.ts
+++ b/app/react/portainer/environments/environment-groups/queries.ts
@@ -31,7 +31,6 @@ export function useGroup<T = EnvironmentGroup>(
       return getGroup(groupId);
     },
     {
-      staleTime: 50,
       select,
       enabled: groupId !== undefined,
       ...withGlobalError('Failed loading group'),
diff --git a/app/react/portainer/environments/queries/useEnvironment.ts b/app/react/portainer/environments/queries/useEnvironment.ts
index b2b8fd6bd..1843d00e6 100644
--- a/app/react/portainer/environments/queries/useEnvironment.ts
+++ b/app/react/portainer/environments/queries/useEnvironment.ts
@@ -27,7 +27,6 @@ export function useEnvironment<T = Environment>(
     {
       select,
       ...withError('Failed loading environment'),
-      staleTime: 50,
       enabled: !!environmentId,
       refetchInterval() {
         return options?.autoRefreshRate ?? false;
diff --git a/app/react/portainer/registries/repositories/queries/useTagDetails.ts b/app/react/portainer/registries/repositories/queries/useTagDetails.ts
index 89da912f7..6997a8eca 100644
--- a/app/react/portainer/registries/repositories/queries/useTagDetails.ts
+++ b/app/react/portainer/registries/repositories/queries/useTagDetails.ts
@@ -20,7 +20,7 @@ interface Params {
 export function useTagDetails<T = RepositoryTagViewModel>(
   params: Params,
   {
-    staleTime = 0,
+    staleTime,
     select,
   }: { select?: (model: RepositoryTagViewModel) => T; staleTime?: number } = {}
 ) {
diff --git a/app/react/portainer/settings/queries/useExperimentalSettings.ts b/app/react/portainer/settings/queries/useExperimentalSettings.ts
index dda159ca1..f67e95152 100644
--- a/app/react/portainer/settings/queries/useExperimentalSettings.ts
+++ b/app/react/portainer/settings/queries/useExperimentalSettings.ts
@@ -19,7 +19,6 @@ export function useExperimentalSettings<T = ExperimentalFeaturesSettings>(
   return useQuery(queryKeys.experimental(), getExperimentalSettings, {
     select,
     enabled,
-    staleTime: 50,
     ...withError('Unable to retrieve experimental settings'),
   });
 }
diff --git a/app/react/portainer/settings/queries/useSettings.ts b/app/react/portainer/settings/queries/useSettings.ts
index 04d7094c8..15a206e9a 100644
--- a/app/react/portainer/settings/queries/useSettings.ts
+++ b/app/react/portainer/settings/queries/useSettings.ts
@@ -22,7 +22,6 @@ export function useSettings<T = Settings>(
   return useQuery(queryKeys.base(), getSettings, {
     select,
     enabled,
-    staleTime: 50,
     ...withError('Unable to retrieve settings'),
   });
 }

From 7aa9f8b1c3f366df3d7c09f787d6cb7574bc2255 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Mon, 14 Apr 2025 01:12:11 +0200
Subject: [PATCH 089/212] Revert "feat(app): 1s staleTime to avoid sending
 repeated requests" (#639)

---
 app/portainer/tags/queries.ts                               | 1 +
 app/portainer/users/queries/useLoadCurrentUser.ts           | 3 ++-
 app/portainer/users/queries/useUser.ts                      | 6 +++++-
 app/react-tools/react-query.ts                              | 1 -
 .../HelmRepositoryDatatable/helm-repositories.service.ts    | 1 +
 .../portainer/environments/environment-groups/queries.ts    | 1 +
 app/react/portainer/environments/queries/useEnvironment.ts  | 1 +
 .../registries/repositories/queries/useTagDetails.ts        | 2 +-
 .../portainer/settings/queries/useExperimentalSettings.ts   | 1 +
 app/react/portainer/settings/queries/useSettings.ts         | 1 +
 10 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/app/portainer/tags/queries.ts b/app/portainer/tags/queries.ts
index 381de44b1..fe4bac346 100644
--- a/app/portainer/tags/queries.ts
+++ b/app/portainer/tags/queries.ts
@@ -20,6 +20,7 @@ export function useTags<T = Tag[]>({
   enabled = true,
 }: { select?: (tags: Tag[]) => T; enabled?: boolean } = {}) {
   return useQuery(tagKeys.all, () => getTags(), {
+    staleTime: 50,
     select,
     enabled,
     ...withError('Failed to retrieve tags'),
diff --git a/app/portainer/users/queries/useLoadCurrentUser.ts b/app/portainer/users/queries/useLoadCurrentUser.ts
index 324f27110..bd47fbee9 100644
--- a/app/portainer/users/queries/useLoadCurrentUser.ts
+++ b/app/portainer/users/queries/useLoadCurrentUser.ts
@@ -12,9 +12,10 @@ interface CurrentUserResponse extends User {
   forceChangePassword: boolean;
 }
 
-export function useLoadCurrentUser() {
+export function useLoadCurrentUser({ staleTime }: { staleTime?: number } = {}) {
   return useQuery(userQueryKeys.me(), () => getCurrentUser(), {
     ...withError('Unable to retrieve user details'),
+    staleTime,
   });
 }
 
diff --git a/app/portainer/users/queries/useUser.ts b/app/portainer/users/queries/useUser.ts
index 640e22374..01e069829 100644
--- a/app/portainer/users/queries/useUser.ts
+++ b/app/portainer/users/queries/useUser.ts
@@ -8,9 +8,13 @@ import { User, UserId } from '../types';
 
 import { userQueryKeys } from './queryKeys';
 
-export function useUser(id: UserId) {
+export function useUser(
+  id: UserId,
+  { staleTime }: { staleTime?: number } = {}
+) {
   return useQuery(userQueryKeys.user(id), () => getUser(id), {
     ...withError('Unable to retrieve user details'),
+    staleTime,
   });
 }
 
diff --git a/app/react-tools/react-query.ts b/app/react-tools/react-query.ts
index 2ebedbd18..336b72308 100644
--- a/app/react-tools/react-query.ts
+++ b/app/react-tools/react-query.ts
@@ -88,7 +88,6 @@ export function createQueryClient() {
     defaultOptions: {
       queries: {
         networkMode: 'offlineFirst',
-        staleTime: 1000, // 1s stale time by default
       },
     },
     mutationCache: new MutationCache({
diff --git a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
index b4c5cc63b..c12ed9ffa 100644
--- a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
+++ b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
@@ -83,6 +83,7 @@ export function useDeleteHelmRepositoriesMutation() {
 
 export function useHelmRepositories(userId: number) {
   return useQuery(['helmrepositories'], () => getHelmRepositories(userId), {
+    staleTime: 20,
     ...withError('Unable to retrieve Helm repositories'),
   });
 }
diff --git a/app/react/portainer/environments/environment-groups/queries.ts b/app/react/portainer/environments/environment-groups/queries.ts
index 9c93dde62..74a588d24 100644
--- a/app/react/portainer/environments/environment-groups/queries.ts
+++ b/app/react/portainer/environments/environment-groups/queries.ts
@@ -31,6 +31,7 @@ export function useGroup<T = EnvironmentGroup>(
       return getGroup(groupId);
     },
     {
+      staleTime: 50,
       select,
       enabled: groupId !== undefined,
       ...withGlobalError('Failed loading group'),
diff --git a/app/react/portainer/environments/queries/useEnvironment.ts b/app/react/portainer/environments/queries/useEnvironment.ts
index 1843d00e6..b2b8fd6bd 100644
--- a/app/react/portainer/environments/queries/useEnvironment.ts
+++ b/app/react/portainer/environments/queries/useEnvironment.ts
@@ -27,6 +27,7 @@ export function useEnvironment<T = Environment>(
     {
       select,
       ...withError('Failed loading environment'),
+      staleTime: 50,
       enabled: !!environmentId,
       refetchInterval() {
         return options?.autoRefreshRate ?? false;
diff --git a/app/react/portainer/registries/repositories/queries/useTagDetails.ts b/app/react/portainer/registries/repositories/queries/useTagDetails.ts
index 6997a8eca..89da912f7 100644
--- a/app/react/portainer/registries/repositories/queries/useTagDetails.ts
+++ b/app/react/portainer/registries/repositories/queries/useTagDetails.ts
@@ -20,7 +20,7 @@ interface Params {
 export function useTagDetails<T = RepositoryTagViewModel>(
   params: Params,
   {
-    staleTime,
+    staleTime = 0,
     select,
   }: { select?: (model: RepositoryTagViewModel) => T; staleTime?: number } = {}
 ) {
diff --git a/app/react/portainer/settings/queries/useExperimentalSettings.ts b/app/react/portainer/settings/queries/useExperimentalSettings.ts
index f67e95152..dda159ca1 100644
--- a/app/react/portainer/settings/queries/useExperimentalSettings.ts
+++ b/app/react/portainer/settings/queries/useExperimentalSettings.ts
@@ -19,6 +19,7 @@ export function useExperimentalSettings<T = ExperimentalFeaturesSettings>(
   return useQuery(queryKeys.experimental(), getExperimentalSettings, {
     select,
     enabled,
+    staleTime: 50,
     ...withError('Unable to retrieve experimental settings'),
   });
 }
diff --git a/app/react/portainer/settings/queries/useSettings.ts b/app/react/portainer/settings/queries/useSettings.ts
index 15a206e9a..04d7094c8 100644
--- a/app/react/portainer/settings/queries/useSettings.ts
+++ b/app/react/portainer/settings/queries/useSettings.ts
@@ -22,6 +22,7 @@ export function useSettings<T = Settings>(
   return useQuery(queryKeys.base(), getSettings, {
     select,
     enabled,
+    staleTime: 50,
     ...withError('Unable to retrieve settings'),
   });
 }

From 2c37f32fa6b707140144b6611e4708d2131532c7 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Mon, 14 Apr 2025 13:13:38 +1200
Subject: [PATCH 090/212] version: bump version to 2.29.0 (#637)

---
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/http/handler/handler.go                      | 2 +-
 api/portainer.go                                 | 2 +-
 package.json                                     | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index dcbf37413..21f3f8630 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.28.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.29.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.28.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.29.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index d9ac7fbc6..42c555905 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.28.0
+// @version 2.29.0
 // @description.markdown api-description.md
 // @termsOfService
 
diff --git a/api/portainer.go b/api/portainer.go
index 0c8b92b08..1db7142d5 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1638,7 +1638,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.28.0"
+	APIVersion = "2.29.0"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "STS"
 	// Edition is what this edition of Portainer is called
diff --git a/package.json b/package.json
index e0cc82463..ff81a1bb0 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.28.0",
+  "version": "2.29.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"

From 730c1115ceecfa28c786ef032ebc55629dad37f6 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 14 Apr 2025 17:46:40 -0300
Subject: [PATCH 091/212] fix(proxy): remove code duplication BE-11627 (#644)

---
 api/http/proxy/factory/agent.go         | 5 ++---
 api/http/proxy/factory/azure.go         | 2 +-
 api/http/proxy/factory/docker.go        | 2 +-
 api/http/proxy/factory/gitlab.go        | 2 +-
 api/http/proxy/factory/kubernetes.go    | 6 +++---
 api/http/proxy/factory/reverse_proxy.go | 2 +-
 6 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/api/http/proxy/factory/agent.go b/api/http/proxy/factory/agent.go
index bd08efd6c..60323a195 100644
--- a/api/http/proxy/factory/agent.go
+++ b/api/http/proxy/factory/agent.go
@@ -52,7 +52,7 @@ func (factory *ProxyFactory) NewAgentProxy(endpoint *portainer.Endpoint) (*Proxy
 		endpointURL.Scheme = "https"
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(endpointURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(endpointURL)
 
 	proxy.Transport = agent.NewTransport(factory.signatureService, httpTransport)
 
@@ -63,8 +63,7 @@ func (factory *ProxyFactory) NewAgentProxy(endpoint *portainer.Endpoint) (*Proxy
 		Port: 0,
 	}
 
-	err = proxyServer.start()
-	if err != nil {
+	if err := proxyServer.start(); err != nil {
 		return nil, errors.Wrap(err, "failed starting proxy server")
 	}
 
diff --git a/api/http/proxy/factory/azure.go b/api/http/proxy/factory/azure.go
index eba2fbd6a..e210dec2a 100644
--- a/api/http/proxy/factory/azure.go
+++ b/api/http/proxy/factory/azure.go
@@ -15,7 +15,7 @@ func newAzureProxy(endpoint *portainer.Endpoint, dataStore dataservices.DataStor
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(remoteURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
 	proxy.Transport = azure.NewTransport(&endpoint.AzureCredentials, dataStore, endpoint)
 	return proxy, nil
 }
diff --git a/api/http/proxy/factory/docker.go b/api/http/proxy/factory/docker.go
index e558bebb9..31d183c9b 100644
--- a/api/http/proxy/factory/docker.go
+++ b/api/http/proxy/factory/docker.go
@@ -72,7 +72,7 @@ func (factory *ProxyFactory) newDockerHTTPProxy(endpoint *portainer.Endpoint) (h
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(endpointURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(endpointURL)
 	proxy.Transport = dockerTransport
 	return proxy, nil
 }
diff --git a/api/http/proxy/factory/gitlab.go b/api/http/proxy/factory/gitlab.go
index cbe28411c..7c1ae96e3 100644
--- a/api/http/proxy/factory/gitlab.go
+++ b/api/http/proxy/factory/gitlab.go
@@ -13,7 +13,7 @@ func newGitlabProxy(uri string) (http.Handler, error) {
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(url)
+	proxy := NewSingleHostReverseProxyWithHostHeader(url)
 	proxy.Transport = gitlab.NewTransport()
 	return proxy, nil
 }
diff --git a/api/http/proxy/factory/kubernetes.go b/api/http/proxy/factory/kubernetes.go
index 0a74fa3f2..eceee181a 100644
--- a/api/http/proxy/factory/kubernetes.go
+++ b/api/http/proxy/factory/kubernetes.go
@@ -43,7 +43,7 @@ func (factory *ProxyFactory) newKubernetesLocalProxy(endpoint *portainer.Endpoin
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(remoteURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
 	proxy.Transport = transport
 
 	return proxy, nil
@@ -73,7 +73,7 @@ func (factory *ProxyFactory) newKubernetesEdgeHTTPProxy(endpoint *portainer.Endp
 	}
 
 	endpointURL.Scheme = "http"
-	proxy := newSingleHostReverseProxyWithHostHeader(endpointURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(endpointURL)
 	proxy.Transport = kubernetes.NewEdgeTransport(factory.dataStore, factory.signatureService, factory.reverseTunnelService, endpoint, tokenManager, factory.kubernetesClientFactory)
 
 	return proxy, nil
@@ -104,7 +104,7 @@ func (factory *ProxyFactory) newKubernetesAgentHTTPSProxy(endpoint *portainer.En
 		return nil, err
 	}
 
-	proxy := newSingleHostReverseProxyWithHostHeader(remoteURL)
+	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
 	proxy.Transport = kubernetes.NewAgentTransport(factory.signatureService, tlsConfig, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore)
 
 	return proxy, nil
diff --git a/api/http/proxy/factory/reverse_proxy.go b/api/http/proxy/factory/reverse_proxy.go
index 93d22f94d..fdee70c4d 100644
--- a/api/http/proxy/factory/reverse_proxy.go
+++ b/api/http/proxy/factory/reverse_proxy.go
@@ -10,7 +10,7 @@ import (
 // newSingleHostReverseProxyWithHostHeader is based on NewSingleHostReverseProxy
 // from golang.org/src/net/http/httputil/reverseproxy.go and merely sets the Host
 // HTTP header, which NewSingleHostReverseProxy deliberately preserves.
-func newSingleHostReverseProxyWithHostHeader(target *url.URL) *httputil.ReverseProxy {
+func NewSingleHostReverseProxyWithHostHeader(target *url.URL) *httputil.ReverseProxy {
 	targetQuery := target.RawQuery
 	director := func(req *http.Request) {
 		req.URL.Scheme = target.Scheme

From 7de037029fea59150f0871f160eec92efeb56bec Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Tue, 15 Apr 2025 09:58:55 +1200
Subject: [PATCH 092/212] security: cve-2025-30204 and other low ones - develop
 [BE-11781] (#638)

---
 binary-version.json |  3 +-
 go.mod              | 36 +++++++++++------------
 go.sum              | 72 ++++++++++++++++++++++-----------------------
 3 files changed, 55 insertions(+), 56 deletions(-)

diff --git a/binary-version.json b/binary-version.json
index 8b37fa345..3f190e5d3 100644
--- a/binary-version.json
+++ b/binary-version.json
@@ -1,6 +1,5 @@
 {
   "docker": "v27.5.1",
-  "helm": "v3.17.2",
   "kubectl": "v1.32.2",
-  "mingit": "2.48.1.1"
+  "mingit": "2.49.0.1"
 }
diff --git a/go.mod b/go.mod
index ad6c86799..22ed99fa2 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/go-ldap/ldap/v3 v3.4.1
 	github.com/go-playground/validator/v10 v10.12.0
 	github.com/gofrs/uuid v4.2.0+incompatible
-	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
 	github.com/gorilla/csrf v1.7.2
 	github.com/gorilla/mux v1.8.1
@@ -48,21 +48,21 @@ require (
 	github.com/urfave/negroni v1.0.0
 	github.com/viney-shih/go-lock v1.1.1
 	go.etcd.io/bbolt v1.3.11
-	golang.org/x/crypto v0.35.0
+	golang.org/x/crypto v0.36.0
 	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0
 	golang.org/x/mod v0.21.0
-	golang.org/x/oauth2 v0.23.0
-	golang.org/x/sync v0.11.0
+	golang.org/x/oauth2 v0.27.0
+	golang.org/x/sync v0.12.0
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.17.1
-	k8s.io/api v0.32.1
-	k8s.io/apimachinery v0.32.1
-	k8s.io/cli-runtime v0.32.1
-	k8s.io/client-go v0.32.1
-	k8s.io/kubectl v0.32.1
-	k8s.io/metrics v0.32.1
+	helm.sh/helm/v3 v3.17.3
+	k8s.io/api v0.32.2
+	k8s.io/apimachinery v0.32.2
+	k8s.io/cli-runtime v0.32.2
+	k8s.io/client-go v0.32.2
+	k8s.io/kubectl v0.32.2
+	k8s.io/metrics v0.32.2
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
 
@@ -278,10 +278,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
-	golang.org/x/sys v0.30.0 // indirect
-	golang.org/x/term v0.29.0 // indirect
-	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
 	golang.org/x/time v0.7.0 // indirect
 	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
@@ -292,9 +292,9 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	k8s.io/apiextensions-apiserver v0.32.1 // indirect
-	k8s.io/apiserver v0.32.1 // indirect
-	k8s.io/component-base v0.32.1 // indirect
+	k8s.io/apiextensions-apiserver v0.32.2 // indirect
+	k8s.io/apiserver v0.32.2 // indirect
+	k8s.io/component-base v0.32.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
diff --git a/go.sum b/go.sum
index 110e5eb4b..2ca59e4f6 100644
--- a/go.sum
+++ b/go.sum
@@ -311,8 +311,8 @@ github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
-github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
+github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -782,8 +782,8 @@ golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
-golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
 golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
@@ -802,10 +802,10 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
-golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
-golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
-golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -814,8 +814,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.11.0 h1:GGz8+XQP4FvTTrjZPzNKTMFtSXH80RAzG+5ghFPgK9w=
-golang.org/x/sync v0.11.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -842,20 +842,20 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
-golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU=
-golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM=
-golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -915,30 +915,30 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
 gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
-helm.sh/helm/v3 v3.17.1 h1:gzVoAD+qVuoJU6KDMSAeo0xRJ6N1znRxz3wyuXRmJDk=
-helm.sh/helm/v3 v3.17.1/go.mod h1:nvreuhuR+j78NkQcLC3TYoprCKStLyw5P4T7E5itv2w=
-k8s.io/api v0.32.1 h1:f562zw9cy+GvXzXf0CKlVQ7yHJVYzLfL6JAS4kOAaOc=
-k8s.io/api v0.32.1/go.mod h1:/Yi/BqkuueW1BgpoePYBRdDYfjPF5sgTr5+YqDZra5k=
-k8s.io/apiextensions-apiserver v0.32.1 h1:hjkALhRUeCariC8DiVmb5jj0VjIc1N0DREP32+6UXZw=
-k8s.io/apiextensions-apiserver v0.32.1/go.mod h1:sxWIGuGiYov7Io1fAS2X06NjMIk5CbRHc2StSmbaQto=
-k8s.io/apimachinery v0.32.1 h1:683ENpaCBjma4CYqsmZyhEzrGz6cjn1MY/X2jB2hkZs=
-k8s.io/apimachinery v0.32.1/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/apiserver v0.32.1 h1:oo0OozRos66WFq87Zc5tclUX2r0mymoVHRq8JmR7Aak=
-k8s.io/apiserver v0.32.1/go.mod h1:UcB9tWjBY7aryeI5zAgzVJB/6k7E97bkr1RgqDz0jPw=
-k8s.io/cli-runtime v0.32.1 h1:19nwZPlYGJPUDbhAxDIS2/oydCikvKMHsxroKNGA2mM=
-k8s.io/cli-runtime v0.32.1/go.mod h1:NJPbeadVFnV2E7B7vF+FvU09mpwYlZCu8PqjzfuOnkY=
-k8s.io/client-go v0.32.1 h1:otM0AxdhdBIaQh7l1Q0jQpmo7WOFIk5FFa4bg6YMdUU=
-k8s.io/client-go v0.32.1/go.mod h1:aTTKZY7MdxUaJ/KiUs8D+GssR9zJZi77ZqtzcGXIiDg=
-k8s.io/component-base v0.32.1 h1:/5IfJ0dHIKBWysGV0yKTFfacZ5yNV1sulPh3ilJjRZk=
-k8s.io/component-base v0.32.1/go.mod h1:j1iMMHi/sqAHeG5z+O9BFNCF698a1u0186zkjMZQ28w=
+helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
+helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
+k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw=
+k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y=
+k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
+k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
+k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ=
+k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/apiserver v0.32.2 h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw=
+k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM=
+k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks=
+k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8=
+k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA=
+k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94=
+k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU=
+k8s.io/component-base v0.32.2/go.mod h1:PXJ61Vx9Lg+P5mS8TLd7bCIr+eMJRQTyXe8KvkrvJq0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/kubectl v0.32.1 h1:/btLtXLQUU1rWx8AEvX9jrb9LaI6yeezt3sFALhB8M8=
-k8s.io/kubectl v0.32.1/go.mod h1:sezNuyWi1STk4ZNPVRIFfgjqMI6XMf+oCVLjZen/pFQ=
-k8s.io/metrics v0.32.1 h1:Ou4nrEtZS2vFf7OJCf9z3+2kr0A00kQzfoSwxg0gXps=
-k8s.io/metrics v0.32.1/go.mod h1:cLnai9XKYby1tNMX+xe8p9VLzTqrxYPcmqfCBoWObcM=
+k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us=
+k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8=
+k8s.io/metrics v0.32.2 h1:7t/rZzTHFrGa9f94XcgLlm3ToAuJtdlHANcJEHlYl9g=
+k8s.io/metrics v0.32.2/go.mod h1:VL3nJpzcgB6L5nSljkkzoE0nilZhVgcjCfNRgoylaIQ=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=

From 5a2318d01f89d9798e9af68b442cdf2cafe7ac7b Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Tue, 15 Apr 2025 02:50:14 +0100
Subject: [PATCH 093/212] Update bug report template for 2.27.4 (#646)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 76b2e0f69..435e22465 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -96,6 +96,7 @@ body:
       options:
         - '2.28.1'
         - '2.28.0'
+        - '2.27.4'
         - '2.27.3'
         - '2.27.2'
         - '2.27.1'

From bfa55f8c67c1f989adeeb5c8aeb9cfb17bae6392 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Tue, 15 Apr 2025 17:16:04 -0300
Subject: [PATCH 094/212] fix(logs): remove duplicated code BE-11821 (#653)

---
 api/cmd/portainer/main.go          | 9 +++++----
 api/{cmd/portainer => logs}/log.go | 8 ++++----
 2 files changed, 9 insertions(+), 8 deletions(-)
 rename api/{cmd/portainer => logs}/log.go (91%)

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index f16b3db0f..99f809c7c 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -39,6 +39,7 @@ import (
 	"github.com/portainer/portainer/api/kubernetes"
 	kubecli "github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/ldap"
+	"github.com/portainer/portainer/api/logs"
 	"github.com/portainer/portainer/api/oauth"
 	"github.com/portainer/portainer/api/pendingactions"
 	"github.com/portainer/portainer/api/pendingactions/actions"
@@ -581,13 +582,13 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 }
 
 func main() {
-	configureLogger()
-	setLoggingMode("PRETTY")
+	logs.ConfigureLogger()
+	logs.SetLoggingMode("PRETTY")
 
 	flags := initCLI()
 
-	setLoggingLevel(*flags.LogLevel)
-	setLoggingMode(*flags.LogMode)
+	logs.SetLoggingLevel(*flags.LogLevel)
+	logs.SetLoggingMode(*flags.LogMode)
 
 	for {
 		server := buildServer(flags)
diff --git a/api/cmd/portainer/log.go b/api/logs/log.go
similarity index 91%
rename from api/cmd/portainer/log.go
rename to api/logs/log.go
index b5b4121ea..b44e6dc8c 100644
--- a/api/cmd/portainer/log.go
+++ b/api/logs/log.go
@@ -1,4 +1,4 @@
-package main
+package logs
 
 import (
 	"fmt"
@@ -10,7 +10,7 @@ import (
 	"github.com/rs/zerolog/pkgerrors"
 )
 
-func configureLogger() {
+func ConfigureLogger() {
 	zerolog.ErrorStackFieldName = "stack_trace"
 	zerolog.ErrorStackMarshaler = pkgerrors.MarshalStack
 	zerolog.TimeFieldFormat = zerolog.TimeFormatUnix
@@ -21,7 +21,7 @@ func configureLogger() {
 	log.Logger = log.Logger.With().Caller().Stack().Logger()
 }
 
-func setLoggingLevel(level string) {
+func SetLoggingLevel(level string) {
 	switch level {
 	case "ERROR":
 		zerolog.SetGlobalLevel(zerolog.ErrorLevel)
@@ -34,7 +34,7 @@ func setLoggingLevel(level string) {
 	}
 }
 
-func setLoggingMode(mode string) {
+func SetLoggingMode(mode string) {
 	switch mode {
 	case "PRETTY":
 		log.Logger = log.Output(zerolog.ConsoleWriter{

From 66dee6fd065a80f1fd73dd90c8592bc5a3a9c477 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Tue, 15 Apr 2025 21:27:30 -0300
Subject: [PATCH 095/212] fix(codemirror): optimize the autocompletion
 performance R8S-294 (#650)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
---
 app/react/components/CodeEditor.tsx | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/react/components/CodeEditor.tsx b/app/react/components/CodeEditor.tsx
index 09cc9591a..e74a70ec9 100644
--- a/app/react/components/CodeEditor.tsx
+++ b/app/react/components/CodeEditor.tsx
@@ -122,6 +122,9 @@ function schemaValidationExtensions(schema: JSONSchema7) {
           if (Array.isArray(completions)) {
             return null;
           }
+
+          completions.validFor = /^\w*$/;
+
           return completions;
         },
       ],

From cf31700903a3f525805f8c2cc420974d13992e2f Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Wed, 16 Apr 2025 02:34:38 +0100
Subject: [PATCH 096/212] Update bug report template for 2.29.0 (#655)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 435e22465..58dc03d91 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.29.0'
         - '2.28.1'
         - '2.28.0'
         - '2.27.4'

From be3e8e3332010ac411433fff15c9d8dbd3501b7f Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Wed, 16 Apr 2025 15:30:56 +1200
Subject: [PATCH 097/212] fix(proxy): don't forward sensitive headers
 [BE-11819] (#654)

---
 api/http/proxy/factory/reverse_proxy.go      |  12 +-
 api/http/proxy/factory/reverse_proxy_test.go | 116 +++++++++++++++++++
 2 files changed, 126 insertions(+), 2 deletions(-)
 create mode 100644 api/http/proxy/factory/reverse_proxy_test.go

diff --git a/api/http/proxy/factory/reverse_proxy.go b/api/http/proxy/factory/reverse_proxy.go
index fdee70c4d..d583d75fe 100644
--- a/api/http/proxy/factory/reverse_proxy.go
+++ b/api/http/proxy/factory/reverse_proxy.go
@@ -11,8 +11,13 @@ import (
 // from golang.org/src/net/http/httputil/reverseproxy.go and merely sets the Host
 // HTTP header, which NewSingleHostReverseProxy deliberately preserves.
 func NewSingleHostReverseProxyWithHostHeader(target *url.URL) *httputil.ReverseProxy {
+	return &httputil.ReverseProxy{Director: createDirector(target)}
+}
+
+func createDirector(target *url.URL) func(*http.Request) {
+	sensitiveHeaders := []string{"Cookie", "X-Csrf-Token"}
 	targetQuery := target.RawQuery
-	director := func(req *http.Request) {
+	return func(req *http.Request) {
 		req.URL.Scheme = target.Scheme
 		req.URL.Host = target.Host
 		req.URL.Path = singleJoiningSlash(target.Path, req.URL.Path)
@@ -26,8 +31,11 @@ func NewSingleHostReverseProxyWithHostHeader(target *url.URL) *httputil.ReverseP
 			// explicitly disable User-Agent so it's not set to default value
 			req.Header.Set("User-Agent", "")
 		}
+
+		for _, header := range sensitiveHeaders {
+			delete(req.Header, header)
+		}
 	}
-	return &httputil.ReverseProxy{Director: director}
 }
 
 // singleJoiningSlash from golang.org/src/net/http/httputil/reverseproxy.go
diff --git a/api/http/proxy/factory/reverse_proxy_test.go b/api/http/proxy/factory/reverse_proxy_test.go
new file mode 100644
index 000000000..1a3d88ba0
--- /dev/null
+++ b/api/http/proxy/factory/reverse_proxy_test.go
@@ -0,0 +1,116 @@
+package factory
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func Test_createDirector(t *testing.T) {
+	testCases := []struct {
+		name        string
+		target      *url.URL
+		req         *http.Request
+		expectedReq *http.Request
+	}{
+		{
+			name:   "base case",
+			target: createURL(t, "https://portainer.io/api/docker?a=5&b=6"),
+			req: createRequest(
+				t,
+				"GET",
+				"https://agent-portainer.io/test?c=7",
+				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": "something"},
+			),
+			expectedReq: createRequest(
+				t,
+				"GET",
+				"https://portainer.io/api/docker/test?a=5&b=6&c=7",
+				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": "something"},
+			),
+		},
+		{
+			name:   "no User-Agent",
+			target: createURL(t, "https://portainer.io/api/docker?a=5&b=6"),
+			req: createRequest(
+				t,
+				"GET",
+				"https://agent-portainer.io/test?c=7",
+				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json"},
+			),
+			expectedReq: createRequest(
+				t,
+				"GET",
+				"https://portainer.io/api/docker/test?a=5&b=6&c=7",
+				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": ""},
+			),
+		},
+		{
+			name:   "Sensitive Headers",
+			target: createURL(t, "https://portainer.io/api/docker?a=5&b=6"),
+			req: createRequest(
+				t,
+				"GET",
+				"https://agent-portainer.io/test?c=7",
+				map[string]string{
+					"Accept-Encoding": "gzip",
+					"Accept":          "application/json",
+					"User-Agent":      "something",
+					"Cookie":          "junk",
+					"X-Csrf-Token":    "junk",
+				},
+			),
+			expectedReq: createRequest(
+				t,
+				"GET",
+				"https://portainer.io/api/docker/test?a=5&b=6&c=7",
+				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": "something"},
+			),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			director := createDirector(tc.target)
+			director(tc.req)
+
+			if diff := cmp.Diff(tc.req, tc.expectedReq, cmp.Comparer(compareRequests)); diff != "" {
+				t.Fatalf("requests are different: \n%s", diff)
+			}
+		})
+	}
+}
+
+func createURL(t *testing.T, urlString string) *url.URL {
+	parsedURL, err := url.Parse(urlString)
+	if err != nil {
+		t.Fatalf("Failed to create url: %s", err)
+	}
+
+	return parsedURL
+}
+
+func createRequest(t *testing.T, method, url string, headers map[string]string) *http.Request {
+	req, err := http.NewRequest(method, url, nil)
+	if err != nil {
+		t.Fatalf("Failed to create http request: %s", err)
+	} else {
+		for k, v := range headers {
+			req.Header.Add(k, v)
+		}
+	}
+
+	return req
+}
+
+func compareRequests(a, b *http.Request) bool {
+	methodEqual := a.Method == b.Method
+	urlEqual := cmp.Diff(a.URL, b.URL) == ""
+	hostEqual := a.Host == b.Host
+	protoEqual := a.Proto == b.Proto && a.ProtoMajor == b.ProtoMajor && a.ProtoMinor == b.ProtoMinor
+	headersEqual := cmp.Diff(a.Header, b.Header) == ""
+
+	return methodEqual && urlEqual && hostEqual && protoEqual && headersEqual
+}

From 01afe34df7ec2b92723c171e6e6e884172fb1e7a Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Thu, 17 Apr 2025 12:29:37 +1200
Subject: [PATCH 098/212] fix(namespaces): fix service not found error
 [r8s-296] (#664)

---
 app/react/kubernetes/services/useNamespaceServices.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/app/react/kubernetes/services/useNamespaceServices.ts b/app/react/kubernetes/services/useNamespaceServices.ts
index 5da0dcdd1..528fb2c35 100644
--- a/app/react/kubernetes/services/useNamespaceServices.ts
+++ b/app/react/kubernetes/services/useNamespaceServices.ts
@@ -32,6 +32,9 @@ export async function getServices(
   environmentId: EnvironmentId,
   namespace: string
 ) {
+  if (!namespace) {
+    return [];
+  }
   try {
     const { data: services } = await axios.get<Service[]>(
       `kubernetes/${environmentId}/namespaces/${namespace}/services`

From 6fcf1893d32e3afe3aa8d9560e49442b1de8f49a Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Fri, 18 Apr 2025 17:34:34 -0300
Subject: [PATCH 099/212] fix(code): remove duplicated code BE-11821 (#667)

---
 api/http/middlewares/withitem.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/http/middlewares/withitem.go b/api/http/middlewares/withitem.go
index 34e6a9ba2..fce95e86b 100644
--- a/api/http/middlewares/withitem.go
+++ b/api/http/middlewares/withitem.go
@@ -45,7 +45,7 @@ func WithItem[TId ~int, TObject any](getter ItemGetter[TId, TObject], idParam st
 	}
 }
 
-func FetchItem[T any](request *http.Request, contextKey string) (*T, error) {
+func FetchItem[T any](request *http.Request, contextKey ItemContextKey) (*T, error) {
 	contextData := request.Context().Value(contextKey)
 	if contextData == nil {
 		return nil, errors.New("unable to find item in request context")

From bbe94f55b64a1784098cfc58cec9d3aae3a0ac98 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Tue, 22 Apr 2025 09:52:52 +1200
Subject: [PATCH 100/212] feat(helm): uninstall helm app from details view
 [r8s-285] (#648)

---
 .../queries/useDeleteApplicationsMutation.ts  | 22 +++------
 .../ChartActions/ChartActions.tsx             | 30 ++++++++++++
 .../ChartActions/UninstallButton.tsx          | 47 +++++++++++++++++++
 .../HelmApplicationView.tsx                   | 13 ++++-
 .../queries/useUninstallHelmAppMutation.ts    | 39 +++++++++++++++
 5 files changed, 133 insertions(+), 18 deletions(-)
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation.ts

diff --git a/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts b/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts
index 047cf1a44..fcaf9df8f 100644
--- a/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts
+++ b/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts
@@ -7,6 +7,7 @@ import { getAllSettledItems } from '@/portainer/helpers/promise-utils';
 import { withGlobalError } from '@/react-tools/react-query';
 import { notifyError, notifySuccess } from '@/portainer/services/notifications';
 import { pluralize } from '@/portainer/helpers/strings';
+import { uninstallHelmApplication } from '@/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation';
 
 import { parseKubernetesAxiosError } from '../../axiosError';
 import { ApplicationRowData } from '../ListView/ApplicationsDatatable/types';
@@ -225,7 +226,11 @@ async function deleteApplication(
       await deletePodApplication(application, stacks, environmentId);
       break;
     case 'Helm':
-      await uninstallHelmApplication(application, environmentId);
+      await uninstallHelmApplication(
+        environmentId,
+        application.Name,
+        application.ResourcePool
+      );
       break;
     default:
       throw new Error(
@@ -266,21 +271,6 @@ async function deletePodApplication(
   }
 }
 
-async function uninstallHelmApplication(
-  application: ApplicationRowData,
-  environmentId: EnvironmentId
-) {
-  try {
-    await axios.delete(
-      `/endpoints/${environmentId}/kubernetes/helm/${application.Name}`,
-      { params: { namespace: application.ResourcePool } }
-    );
-  } catch (error) {
-    // parseAxiosError, because it's a regular portainer api error
-    throw parseAxiosError(error, 'Unable to remove application');
-  }
-}
-
 async function deleteHorizontalPodAutoscaler(
   hpa: HorizontalPodAutoscaler,
   environmentId: EnvironmentId
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
new file mode 100644
index 000000000..c67984952
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
@@ -0,0 +1,30 @@
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { useAuthorizations } from '@/react/hooks/useUser';
+
+import { UninstallButton } from './UninstallButton';
+
+export function ChartActions({
+  environmentId,
+  releaseName,
+  namespace,
+}: {
+  environmentId: EnvironmentId;
+  releaseName: string;
+  namespace?: string;
+}) {
+  const { authorized } = useAuthorizations('K8sApplicationsW');
+
+  if (!authorized) {
+    return null;
+  }
+
+  return (
+    <div className="inline-flex gap-x-2">
+      <UninstallButton
+        environmentId={environmentId}
+        releaseName={releaseName}
+        namespace={namespace}
+      />
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx
new file mode 100644
index 000000000..fc2c6d5c2
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx
@@ -0,0 +1,47 @@
+import { useRouter } from '@uirouter/react';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { notifySuccess } from '@/portainer/services/notifications';
+
+import { DeleteButton } from '@@/buttons/DeleteButton';
+
+import { useUninstallHelmAppMutation } from '../queries/useUninstallHelmAppMutation';
+
+export function UninstallButton({
+  environmentId,
+  releaseName,
+  namespace,
+}: {
+  environmentId: EnvironmentId;
+  releaseName: string;
+  namespace?: string;
+}) {
+  const uninstallHelmAppMutation = useUninstallHelmAppMutation(environmentId);
+  const router = useRouter();
+
+  return (
+    <DeleteButton
+      size="medium"
+      data-cy="k8sApp-removeHelmChartButton"
+      isLoading={uninstallHelmAppMutation.isLoading}
+      confirmMessage="Do you want to remove the selected Helm chart? This will delete all resources associated with the Helm chart."
+      onConfirmed={handleUninstall}
+    >
+      Uninstall
+    </DeleteButton>
+  );
+
+  function handleUninstall() {
+    uninstallHelmAppMutation.mutate(
+      { releaseName, namespace },
+      {
+        onSuccess: () => {
+          router.stateService.go('kubernetes.applications', {
+            endpointId: environmentId,
+          });
+          notifySuccess('Success', 'Helm chart uninstalled successfully');
+        },
+      }
+    );
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
index 2fc5fb601..6aec1d50a 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -12,6 +12,7 @@ import { Alert } from '@@/Alert';
 import { HelmSummary } from './HelmSummary';
 import { ReleaseTabs } from './ReleaseDetails/ReleaseTabs';
 import { useHelmRelease } from './queries/useHelmRelease';
+import { ChartActions } from './ChartActions/ChartActions';
 
 export function HelmApplicationView() {
   const environmentId = useEnvironmentId();
@@ -32,8 +33,16 @@ export function HelmApplicationView() {
       <div className="row">
         <div className="col-sm-12">
           <Widget>
-            {name && <WidgetTitle icon={helm} title={name} />}
-            <WidgetBody className="!pt-1">
+            {name && (
+              <WidgetTitle icon={helm} title={name}>
+                <ChartActions
+                  environmentId={environmentId}
+                  releaseName={name}
+                  namespace={namespace}
+                />
+              </WidgetTitle>
+            )}
+            <WidgetBody>
               <HelmDetails
                 name={name}
                 namespace={namespace}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation.ts
new file mode 100644
index 000000000..7daa5835c
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation.ts
@@ -0,0 +1,39 @@
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { withGlobalError, withInvalidate } from '@/react-tools/react-query';
+import { queryKeys as applicationsQueryKeys } from '@/react/kubernetes/applications/queries/query-keys';
+import { EnvironmentId } from '@/react/portainer/environments/types';
+
+export function useUninstallHelmAppMutation(environmentId: EnvironmentId) {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: ({
+      releaseName,
+      namespace,
+    }: {
+      releaseName: string;
+      namespace?: string;
+    }) => uninstallHelmApplication(environmentId, releaseName, namespace),
+    ...withInvalidate(queryClient, [
+      applicationsQueryKeys.applications(environmentId),
+    ]),
+    ...withGlobalError('Unable to uninstall helm application'),
+  });
+}
+
+export async function uninstallHelmApplication(
+  environmentId: EnvironmentId,
+  releaseName: string,
+  namespace?: string
+) {
+  try {
+    await axios.delete(
+      `/endpoints/${environmentId}/kubernetes/helm/${releaseName}`,
+      { params: { namespace } }
+    );
+  } catch (error) {
+    // parseAxiosError, because it's a regular portainer api error
+    throw parseAxiosError(error, 'Unable to remove application');
+  }
+}

From 342549b5460938855d897bb701f4507311fb9313 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 21 Apr 2025 18:59:51 -0300
Subject: [PATCH 101/212] fix(validate): remove dead code BE-11824 (#671)

---
 api/datastore/validate/validate.go          | 15 -----
 api/datastore/validate/validate_test.go     | 61 ---------------------
 api/datastore/validate/validationMethods.go | 17 ------
 go.mod                                      |  4 --
 go.sum                                      | 12 ----
 5 files changed, 109 deletions(-)
 delete mode 100644 api/datastore/validate/validate.go
 delete mode 100644 api/datastore/validate/validate_test.go
 delete mode 100644 api/datastore/validate/validationMethods.go

diff --git a/api/datastore/validate/validate.go b/api/datastore/validate/validate.go
deleted file mode 100644
index 2b37311fe..000000000
--- a/api/datastore/validate/validate.go
+++ /dev/null
@@ -1,15 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-	portainer "github.com/portainer/portainer/api"
-)
-
-var validate *validator.Validate
-
-func ValidateLDAPSettings(ldp *portainer.LDAPSettings) error {
-	validate = validator.New()
-	registerValidationMethods(validate)
-
-	return validate.Struct(ldp)
-}
diff --git a/api/datastore/validate/validate_test.go b/api/datastore/validate/validate_test.go
deleted file mode 100644
index 3fa7bd425..000000000
--- a/api/datastore/validate/validate_test.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package validate
-
-import (
-	"testing"
-
-	portainer "github.com/portainer/portainer/api"
-)
-
-func TestValidateLDAPSettings(t *testing.T) {
-
-	tests := []struct {
-		name    string
-		ldap    portainer.LDAPSettings
-		wantErr bool
-	}{
-		{
-			name:    "Empty LDAP Settings",
-			ldap:    portainer.LDAPSettings{},
-			wantErr: true,
-		},
-		{
-			name: "With URL",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "Validate URL and URLs",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: true,
-				URL:           "192.168.0.1:323",
-			},
-			wantErr: false,
-		},
-		{
-			name: "validate client ldap",
-			ldap: portainer.LDAPSettings{
-				AnonymousMode: false,
-				ReaderDN:      "CN=LDAP API Service Account",
-				Password:      "Qu**dfUUU**",
-				URL:           "aukdc15.pgc.co:389",
-				TLSConfig: portainer.TLSConfiguration{
-					TLS:           false,
-					TLSSkipVerify: false,
-				},
-			},
-			wantErr: false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			err := ValidateLDAPSettings(&tt.ldap)
-			if (err == nil) == tt.wantErr {
-				t.Errorf("No error expected but got %s", err)
-			}
-		})
-	}
-}
diff --git a/api/datastore/validate/validationMethods.go b/api/datastore/validate/validationMethods.go
deleted file mode 100644
index 36abe3a54..000000000
--- a/api/datastore/validate/validationMethods.go
+++ /dev/null
@@ -1,17 +0,0 @@
-package validate
-
-import (
-	"github.com/go-playground/validator/v10"
-)
-
-func registerValidationMethods(v *validator.Validate) {
-	v.RegisterValidation("validate_bool", ValidateBool)
-}
-
-/**
- * Validation methods below are being used for custom validation
- */
-func ValidateBool(fl validator.FieldLevel) bool {
-	_, ok := fl.Field().Interface().(bool)
-	return ok
-}
diff --git a/go.mod b/go.mod
index 22ed99fa2..d5bc8ab27 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,6 @@ require (
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
 	github.com/go-git/go-git/v5 v5.13.0
 	github.com/go-ldap/ldap/v3 v3.4.1
-	github.com/go-playground/validator/v10 v10.12.0
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
@@ -148,8 +147,6 @@ require (
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
-	github.com/go-playground/locales v0.14.1 // indirect
-	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
@@ -185,7 +182,6 @@ require (
 	github.com/klauspost/pgzip v1.2.6 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
-	github.com/leodido/go-urn v1.2.2 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
diff --git a/go.sum b/go.sum
index 2ca59e4f6..5fbd993f1 100644
--- a/go.sum
+++ b/go.sum
@@ -284,14 +284,6 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En
 github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
 github.com/go-openapi/swag v0.23.0 h1:vsEVJDUo2hPJ2tu0/Xc+4noaxyEffXNIs3cOULZ+GrE=
 github.com/go-openapi/swag v0.23.0/go.mod h1:esZ8ITTYEsH1V2trKHjAN8Ai7xHb8RV+YSZ577vPjgQ=
-github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
-github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
-github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/oXslEjJA=
-github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
-github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
-github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.12.0 h1:E4gtWgxWxp8YSxExrQFv5BpCahla0PVF2oTTEYaWQGI=
-github.com/go-playground/validator/v10 v10.12.0/go.mod h1:hCAPuzYvKdP33pxWa+2+6AIKXEKqjIUyqsNCtbsSJrA=
 github.com/go-sql-driver/mysql v1.3.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
@@ -446,8 +438,6 @@ github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
-github.com/leodido/go-urn v1.2.2 h1:7z68G0FCGvDk646jz1AelTYNYWrTNm0bEcFAo147wt4=
-github.com/leodido/go-urn v1.2.2/go.mod h1:kUaIbLZWttglzwNuG0pgsh5vuV6u2YcGBYz1hIPjtOQ=
 github.com/lib/pq v0.0.0-20150723085316-0dad96c0b94f/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
@@ -622,7 +612,6 @@ github.com/rubenv/sql-migrate v1.7.1 h1:f/o0WgfO/GqNuVg+6801K/KW3WdDSupzSjDYODmi
 github.com/rubenv/sql-migrate v1.7.1/go.mod h1:Ob2Psprc0/3ggbM6wCzyYVFFuc6FyZrb2AS+ezLDFb4=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/rwtodd/Go.Sed v0.0.0-20210816025313-55464686f9ef/go.mod h1:8AEUvGVi2uQ5b24BIhcr0GCcpd/RNAFWaN2CJFrWIIQ=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0/go.mod h1:UH2VZVuJfCYR8WgMlCU1uFsOUU+KeyrTWcSS73NBOzU=
 github.com/segmentio/asm v1.1.3 h1:WM03sfUOENvvKexOLp+pCqgb/WDjsi7EK8gIsICtzhc=
@@ -678,7 +667,6 @@ github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 h1:kdXcSzyDtseVEc4yCz2qF8ZrQvIDBJLl4S1c3GCXmoI=

From e319a7a5aeba9512869768dc003fb9f9a2b9dd2a Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 21 Apr 2025 19:27:14 -0300
Subject: [PATCH 102/212] fix(linter): enable ineffassign BE-10204 (#669)

---
 .golangci.yaml                                |  1 +
 api/datastore/migrator/migrate_dbversion20.go | 26 ++++++++++++-------
 .../handler/kubernetes/deprecated_routes.go   |  7 +++--
 api/http/security/bouncer_test.go             |  3 +++
 4 files changed, 26 insertions(+), 11 deletions(-)

diff --git a/.golangci.yaml b/.golangci.yaml
index 648df24d1..b3d9bbfe3 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -12,6 +12,7 @@ linters:
     - copyloopvar
     - intrange
     - perfsprint
+    - ineffassign
 
 linters-settings:
   depguard:
diff --git a/api/datastore/migrator/migrate_dbversion20.go b/api/datastore/migrator/migrate_dbversion20.go
index 1f02b8885..bad999c26 100644
--- a/api/datastore/migrator/migrate_dbversion20.go
+++ b/api/datastore/migrator/migrate_dbversion20.go
@@ -18,8 +18,7 @@ func (m *Migrator) updateResourceControlsToDBVersion22() error {
 	for _, resourceControl := range legacyResourceControls {
 		resourceControl.AdministratorsOnly = false
 
-		err := m.resourceControlService.Update(resourceControl.ID, &resourceControl)
-		if err != nil {
+		if err := m.resourceControlService.Update(resourceControl.ID, &resourceControl); err != nil {
 			return err
 		}
 	}
@@ -42,8 +41,8 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 
 	for _, user := range legacyUsers {
 		user.PortainerAuthorizations = authorization.DefaultPortainerAuthorizations()
-		err = m.userService.Update(user.ID, &user)
-		if err != nil {
+
+		if err := m.userService.Update(user.ID, &user); err != nil {
 			return err
 		}
 	}
@@ -52,38 +51,47 @@ func (m *Migrator) updateUsersAndRolesToDBVersion22() error {
 	if err != nil {
 		return err
 	}
+
 	endpointAdministratorRole.Priority = 1
 	endpointAdministratorRole.Authorizations = authorization.DefaultEndpointAuthorizationsForEndpointAdministratorRole()
 
-	err = m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole)
+	if err := m.roleService.Update(endpointAdministratorRole.ID, endpointAdministratorRole); err != nil {
+		return err
+	}
 
 	helpDeskRole, err := m.roleService.Read(portainer.RoleID(2))
 	if err != nil {
 		return err
 	}
+
 	helpDeskRole.Priority = 2
 	helpDeskRole.Authorizations = authorization.DefaultEndpointAuthorizationsForHelpDeskRole(settings.AllowVolumeBrowserForRegularUsers)
 
-	err = m.roleService.Update(helpDeskRole.ID, helpDeskRole)
+	if err := m.roleService.Update(helpDeskRole.ID, helpDeskRole); err != nil {
+		return err
+	}
 
 	standardUserRole, err := m.roleService.Read(portainer.RoleID(3))
 	if err != nil {
 		return err
 	}
+
 	standardUserRole.Priority = 3
 	standardUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForStandardUserRole(settings.AllowVolumeBrowserForRegularUsers)
 
-	err = m.roleService.Update(standardUserRole.ID, standardUserRole)
+	if err := m.roleService.Update(standardUserRole.ID, standardUserRole); err != nil {
+		return err
+	}
 
 	readOnlyUserRole, err := m.roleService.Read(portainer.RoleID(4))
 	if err != nil {
 		return err
 	}
+
 	readOnlyUserRole.Priority = 4
 	readOnlyUserRole.Authorizations = authorization.DefaultEndpointAuthorizationsForReadOnlyUserRole(settings.AllowVolumeBrowserForRegularUsers)
 
-	err = m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole)
-	if err != nil {
+	if err := m.roleService.Update(readOnlyUserRole.ID, readOnlyUserRole); err != nil {
 		return err
 	}
 
diff --git a/api/http/handler/kubernetes/deprecated_routes.go b/api/http/handler/kubernetes/deprecated_routes.go
index cc44d10e5..e471c2ecb 100644
--- a/api/http/handler/kubernetes/deprecated_routes.go
+++ b/api/http/handler/kubernetes/deprecated_routes.go
@@ -36,11 +36,14 @@ func deprecatedNamespaceParser(w http.ResponseWriter, r *http.Request) (string,
 
 	// Restore the original body for further use
 	bodyBytes, err := io.ReadAll(r.Body)
+	if err != nil {
+		return "", httperror.InternalServerError("Unable to read request body", err)
+	}
+
 	r.Body = io.NopCloser(bytes.NewBuffer(bodyBytes))
 
 	payload := models.K8sNamespaceDetails{}
-	err = request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
+	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
 		return "", httperror.BadRequest("Invalid request. Unable to parse namespace payload", err)
 	}
 	namespaceName := payload.Name
diff --git a/api/http/security/bouncer_test.go b/api/http/security/bouncer_test.go
index 9553b90c5..4d84dcfee 100644
--- a/api/http/security/bouncer_test.go
+++ b/api/http/security/bouncer_test.go
@@ -344,6 +344,7 @@ func Test_apiKeyLookup(t *testing.T) {
 		req.Header.Add("x-api-key", rawAPIKey)
 
 		token, err := bouncer.apiKeyLookup(req)
+		require.NoError(t, err)
 
 		expectedToken := &portainer.TokenData{ID: user.ID, Username: user.Username, Role: portainer.StandardUserRole}
 		is.Equal(expectedToken, token)
@@ -358,6 +359,7 @@ func Test_apiKeyLookup(t *testing.T) {
 		req.Header.Add("x-api-key", rawAPIKey)
 
 		token, err := bouncer.apiKeyLookup(req)
+		require.NoError(t, err)
 
 		expectedToken := &portainer.TokenData{ID: user.ID, Username: user.Username, Role: portainer.StandardUserRole}
 		is.Equal(expectedToken, token)
@@ -372,6 +374,7 @@ func Test_apiKeyLookup(t *testing.T) {
 		req.Header.Add("x-api-key", rawAPIKey)
 
 		token, err := bouncer.apiKeyLookup(req)
+		require.NoError(t, err)
 
 		expectedToken := &portainer.TokenData{ID: user.ID, Username: user.Username, Role: portainer.StandardUserRole}
 		is.Equal(expectedToken, token)

From 9a9373dd0f6ef66b6f0d9edcda5c2c75ad4350ea Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Tue, 22 Apr 2025 21:29:39 +1200
Subject: [PATCH 103/212] fix: cve-2025-22871 [BE-11825] (#678)

---
 go.mod | 6 +++---
 go.sum | 8 ++++----
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/go.mod b/go.mod
index d5bc8ab27..64c594902 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/portainer/portainer
 
-go 1.23.5
+go 1.23.8
 
 require (
 	github.com/Masterminds/semver v1.5.0
@@ -26,7 +26,7 @@ require (
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
-	github.com/gorilla/csrf v1.7.2
+	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/go-version v1.7.0
@@ -274,7 +274,7 @@ require (
 	go.opentelemetry.io/otel/trace v1.28.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
 	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/net v0.38.0 // indirect
 	golang.org/x/sys v0.31.0 // indirect
 	golang.org/x/term v0.30.0 // indirect
 	golang.org/x/text v0.23.0 // indirect
diff --git a/go.sum b/go.sum
index 5fbd993f1..3f4be510b 100644
--- a/go.sum
+++ b/go.sum
@@ -338,8 +338,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
-github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
+github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
@@ -790,8 +790,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
-golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
+golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
+golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
 golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

From 61d6ac035d22e258007cbf070bbd87bff76b76c8 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Wed, 23 Apr 2025 08:58:21 +1200
Subject: [PATCH 104/212] feat(helm): auto refresh helm resources [r8s-298]
 (#672)

---
 .../components/datatables/Datatable.test.tsx  | 16 +++---
 app/react/components/datatables/types.ts      |  4 ++
 .../ListView/ConfigsDatatable/store.ts        | 17 +++---
 .../ApplicationsStacksDatatable/types.ts      | 12 -----
 .../ReleaseDetails/ReleaseTabs.tsx            |  2 +-
 .../ResourcesTable/ResourcesTable.test.tsx    | 38 +++++++++++++-
 .../ResourcesTable/ResourcesTable.tsx         | 52 +++++++++++++++----
 .../ResourcesTable/columns/name.tsx           | 14 +++--
 .../ResourcesTable/useResourceRows.ts         |  8 ++-
 .../queries/useHelmRelease.ts                 |  7 ++-
 10 files changed, 120 insertions(+), 50 deletions(-)

diff --git a/app/react/components/datatables/Datatable.test.tsx b/app/react/components/datatables/Datatable.test.tsx
index 67ff85f70..a40822848 100644
--- a/app/react/components/datatables/Datatable.test.tsx
+++ b/app/react/components/datatables/Datatable.test.tsx
@@ -9,10 +9,9 @@ import {
 
 import { Datatable, defaultGlobalFilterFn, Props } from './Datatable';
 import {
-  BasicTableSettings,
   createPersistedStore,
   refreshableSettings,
-  RefreshableTableSettings,
+  TableSettingsWithRefreshable,
 } from './types';
 import { useTableState } from './useTableState';
 
@@ -30,13 +29,14 @@ const mockColumns = [
 ];
 
 // mock table settings / state
-export interface TableSettings
-  extends BasicTableSettings,
-    RefreshableTableSettings {}
 function createStore(storageKey: string) {
-  return createPersistedStore<TableSettings>(storageKey, 'name', (set) => ({
-    ...refreshableSettings(set),
-  }));
+  return createPersistedStore<TableSettingsWithRefreshable>(
+    storageKey,
+    'name',
+    (set) => ({
+      ...refreshableSettings(set),
+    })
+  );
 }
 const storageKey = 'test-table';
 const settingsStore = createStore(storageKey);
diff --git a/app/react/components/datatables/types.ts b/app/react/components/datatables/types.ts
index 11dcac867..45264f337 100644
--- a/app/react/components/datatables/types.ts
+++ b/app/react/components/datatables/types.ts
@@ -99,6 +99,10 @@ export interface BasicTableSettings
   extends SortableTableSettings,
     PaginationTableSettings {}
 
+export interface TableSettingsWithRefreshable
+  extends BasicTableSettings,
+    RefreshableTableSettings {}
+
 export function createPersistedStore<T extends BasicTableSettings>(
   storageKey: string,
   initialSortBy?: string | { id: string; desc: boolean },
diff --git a/app/react/docker/configs/ListView/ConfigsDatatable/store.ts b/app/react/docker/configs/ListView/ConfigsDatatable/store.ts
index 66672630a..95a649f89 100644
--- a/app/react/docker/configs/ListView/ConfigsDatatable/store.ts
+++ b/app/react/docker/configs/ListView/ConfigsDatatable/store.ts
@@ -1,16 +1,15 @@
 import {
-  BasicTableSettings,
   createPersistedStore,
   refreshableSettings,
-  RefreshableTableSettings,
+  TableSettingsWithRefreshable,
 } from '@@/datatables/types';
 
-export interface TableSettings
-  extends BasicTableSettings,
-    RefreshableTableSettings {}
-
 export function createStore(storageKey: string) {
-  return createPersistedStore<TableSettings>(storageKey, 'name', (set) => ({
-    ...refreshableSettings(set),
-  }));
+  return createPersistedStore<TableSettingsWithRefreshable>(
+    storageKey,
+    'name',
+    (set) => ({
+      ...refreshableSettings(set),
+    })
+  );
 }
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/types.ts b/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/types.ts
index 5f6f4736b..75f0a882e 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/types.ts
+++ b/app/react/kubernetes/applications/ListView/ApplicationsStacksDatatable/types.ts
@@ -1,17 +1,5 @@
-import { SystemResourcesTableSettings } from '@/react/kubernetes/datatables/SystemResourcesSettings';
-
-import {
-  BasicTableSettings,
-  RefreshableTableSettings,
-} from '@@/datatables/types';
-
 import { Application } from '../ApplicationsDatatable/types';
 
-export interface TableSettings
-  extends BasicTableSettings,
-    RefreshableTableSettings,
-    SystemResourcesTableSettings {}
-
 export type Stack = {
   Name: string;
   ResourcePool: string;
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
index 6a954d1fc..efa36c0c2 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
@@ -25,7 +25,7 @@ function helmTabs(
     {
       label: 'Resources',
       id: 'resources',
-      children: <ResourcesTable resources={release.info?.resources ?? []} />,
+      children: <ResourcesTable />,
     },
     {
       label: 'Values',
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
index cf0dfde71..113776344 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
@@ -8,6 +8,24 @@ import { GenericResource } from '../../../types';
 
 import { ResourcesTable } from './ResourcesTable';
 
+// Mock the necessary hooks
+const mockUseCurrentStateAndParams = vi.fn();
+const mockUseEnvironmentId = vi.fn();
+const mockUseHelmRelease = vi.fn();
+
+vi.mock('@uirouter/react', async (importOriginal: () => Promise<object>) => ({
+  ...(await importOriginal()),
+  useCurrentStateAndParams: () => mockUseCurrentStateAndParams(),
+}));
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => mockUseEnvironmentId(),
+}));
+
+vi.mock('../../queries/useHelmRelease', () => ({
+  useHelmRelease: () => mockUseHelmRelease(),
+}));
+
 const successResources = [
   {
     kind: 'ValidatingWebhookConfiguration',
@@ -108,8 +126,26 @@ const failedResources = [
 ];
 
 function renderResourcesTable(resources: GenericResource[]) {
+  // Setup mock return values
+  mockUseEnvironmentId.mockReturnValue(3);
+  mockUseCurrentStateAndParams.mockReturnValue({
+    params: {
+      name: 'test-release',
+      namespace: 'default',
+    },
+  });
+  mockUseHelmRelease.mockReturnValue({
+    data: {
+      info: {
+        resources,
+      },
+    },
+    isLoading: false,
+    error: null,
+  });
+
   const Wrapped = withTestQueryProvider(withTestRouter(ResourcesTable));
-  return render(<Wrapped resources={resources} />);
+  return render(<Wrapped />);
 }
 
 afterEach(() => {
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
index c8922ca04..6a3b35674 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
@@ -1,23 +1,47 @@
-import { Datatable } from '@@/datatables';
-import { createPersistedStore } from '@@/datatables/types';
+import { useCurrentStateAndParams } from '@uirouter/react';
+
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+
+import { Datatable, TableSettingsMenu } from '@@/datatables';
+import {
+  createPersistedStore,
+  refreshableSettings,
+  TableSettingsWithRefreshable,
+} from '@@/datatables/types';
 import { useTableState } from '@@/datatables/useTableState';
 import { Widget } from '@@/Widget';
+import { TableSettingsMenuAutoRefresh } from '@@/datatables/TableSettingsMenuAutoRefresh';
 
-import { GenericResource } from '../../../types';
+import { useHelmRelease } from '../../queries/useHelmRelease';
 
 import { columns } from './columns';
 import { useResourceRows } from './useResourceRows';
 
-type Props = {
-  resources: GenericResource[];
-};
-
 const storageKey = 'helm-resources';
-const settingsStore = createPersistedStore(storageKey, 'resourceType');
 
-export function ResourcesTable({ resources }: Props) {
+export function createStore(storageKey: string) {
+  return createPersistedStore<TableSettingsWithRefreshable>(
+    storageKey,
+    'name',
+    (set) => ({
+      ...refreshableSettings(set),
+    })
+  );
+}
+
+const settingsStore = createStore('helm-resources');
+
+export function ResourcesTable() {
+  const environmentId = useEnvironmentId();
+  const { params } = useCurrentStateAndParams();
+  const { name, namespace } = params;
+
   const tableState = useTableState(settingsStore, storageKey);
-  const rows = useResourceRows(resources);
+  const helmReleaseQuery = useHelmRelease(environmentId, name, namespace, {
+    showResources: true,
+    refetchInterval: tableState.autoRefreshRate * 1000,
+  });
+  const rows = useResourceRows(helmReleaseQuery.data?.info?.resources);
 
   return (
     <Widget>
@@ -32,6 +56,14 @@ export function ResourcesTable({ resources }: Props) {
         disableSelect
         getRowId={(row) => row.id}
         data-cy="helm-resources-datatable"
+        renderTableSettings={() => (
+          <TableSettingsMenu>
+            <TableSettingsMenuAutoRefresh
+              value={tableState.autoRefreshRate}
+              onChange={(value) => tableState.setAutoRefreshRate(value)}
+            />
+          </TableSettingsMenu>
+        )}
       />
     </Widget>
   );
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx
index 332e49f1c..0b8c2aaae 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/name.tsx
@@ -6,11 +6,15 @@ import { ResourceRow } from '../types';
 
 import { columnHelper } from './helper';
 
-export const name = columnHelper.accessor((row) => row.name.label, {
-  header: 'Name',
-  cell: Cell,
-  id: 'name',
-});
+// `${row.name.label}/${row.resourceType}` reduces shuffling when the name is the same but the resourceType is different
+export const name = columnHelper.accessor(
+  (row) => `${row.name.label}/${row.resourceType}`,
+  {
+    header: 'Name',
+    cell: Cell,
+    id: 'name',
+  }
+);
 
 function Cell({ row }: CellContext<ResourceRow, string>) {
   const { name } = row.original;
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
index e5301dc05..ac90271f8 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
@@ -27,11 +27,15 @@ const statusToColorMap: Record<string, StatusBadgeType> = {
   Unknown: 'mutedLite',
 };
 
-export function useResourceRows(resources: GenericResource[]): ResourceRow[] {
+export function useResourceRows(resources?: GenericResource[]): ResourceRow[] {
   return useMemo(() => getResourceRows(resources), [resources]);
 }
 
-function getResourceRows(resources: GenericResource[]): ResourceRow[] {
+function getResourceRows(resources?: GenericResource[]): ResourceRow[] {
+  if (!resources) {
+    return [];
+  }
+
   return resources.map(getResourceRow);
 }
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
index f503aec7f..8d41e6544 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
@@ -16,19 +16,22 @@ export function useHelmRelease<T = HelmRelease>(
   options: {
     select?: (data: HelmRelease) => T;
     showResources?: boolean;
+    refetchInterval?: number;
   } = {}
 ) {
+  const { select, showResources, refetchInterval } = options;
   return useQuery(
     [environmentId, 'helm', 'releases', namespace, name, options.showResources],
     () =>
       getHelmRelease(environmentId, name, {
         namespace,
-        showResources: options.showResources,
+        showResources,
       }),
     {
       enabled: !!environmentId && !!name && !!namespace,
       ...withGlobalError('Unable to retrieve helm application details'),
-      select: options.select,
+      select,
+      refetchInterval,
     }
   );
 }

From c91c8a6467cbe16026cec465b832ef01e9b39b9e Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Wed, 23 Apr 2025 08:58:34 +1200
Subject: [PATCH 105/212] feat(helm): rollback helm chart [r8s-287] (#660)

---
 api/http/handler/helm/handler.go              |   4 +
 api/http/handler/helm/helm_rollback.go        | 105 +++++++++++
 .../ChartActions/ChartActions.tsx             |  18 +-
 .../ChartActions/RollbackButton.test.tsx      | 163 ++++++++++++++++++
 .../ChartActions/RollbackButton.tsx           |  71 ++++++++
 .../HelmApplicationView.tsx                   |  51 +++---
 .../queries/useHelmRollbackMutation.ts        |  61 +++++++
 pkg/libhelm/options/rollback_options.go       |  19 ++
 pkg/libhelm/sdk/rollback.go                   | 111 ++++++++++++
 pkg/libhelm/sdk/rollback_test.go              | 123 +++++++++++++
 pkg/libhelm/sdk/search_repo_test.go           |   1 -
 pkg/libhelm/test/mock.go                      |   5 +
 pkg/libhelm/types/types.go                    |   1 +
 13 files changed, 701 insertions(+), 32 deletions(-)
 create mode 100644 api/http/handler/helm/helm_rollback.go
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRollbackMutation.ts
 create mode 100644 pkg/libhelm/options/rollback_options.go
 create mode 100644 pkg/libhelm/sdk/rollback.go
 create mode 100644 pkg/libhelm/sdk/rollback_test.go

diff --git a/api/http/handler/helm/handler.go b/api/http/handler/helm/handler.go
index e87e98410..f7f14a1c1 100644
--- a/api/http/handler/helm/handler.go
+++ b/api/http/handler/helm/handler.go
@@ -62,6 +62,10 @@ func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStor
 	h.Handle("/{id}/kubernetes/helm/{release}/history",
 		httperror.LoggerHandler(h.helmGetHistory)).Methods(http.MethodGet)
 
+	// `helm rollback [RELEASE_NAME] [REVISION]`
+	h.Handle("/{id}/kubernetes/helm/{release}/rollback",
+		httperror.LoggerHandler(h.helmRollback)).Methods(http.MethodPost)
+
 	return h
 }
 
diff --git a/api/http/handler/helm/helm_rollback.go b/api/http/handler/helm/helm_rollback.go
new file mode 100644
index 000000000..d98f7a47a
--- /dev/null
+++ b/api/http/handler/helm/helm_rollback.go
@@ -0,0 +1,105 @@
+package helm
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	_ "github.com/portainer/portainer/pkg/libhelm/release"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+)
+
+// @id HelmRollback
+// @summary Rollback a helm release
+// @description Rollback a helm release to a previous revision
+// @description **Access policy**: authenticated
+// @tags helm
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment(Endpoint) identifier"
+// @param release path string true "Helm release name"
+// @param namespace query string false "specify an optional namespace"
+// @param revision query int false "specify the revision to rollback to (defaults to previous revision if not specified)"
+// @param wait query boolean false "wait for resources to be ready (default: false)"
+// @param waitForJobs query boolean false "wait for jobs to complete before marking the release as successful (default: false)"
+// @param recreate query boolean false "performs pods restart for the resource if applicable (default: true)"
+// @param force query boolean false "force resource update through delete/recreate if needed (default: false)"
+// @param timeout query int false "time to wait for any individual Kubernetes operation in seconds (default: 300)"
+// @success 200 {object} release.Release "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 404 "Unable to find an environment with the specified identifier or release name."
+// @failure 500 "Server error occurred while attempting to rollback the release."
+// @router /endpoints/{id}/kubernetes/helm/{release}/rollback [post]
+func (handler *Handler) helmRollback(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	release, err := request.RetrieveRouteVariableValue(r, "release")
+	if err != nil {
+		return httperror.BadRequest("No release specified", err)
+	}
+
+	clusterAccess, httperr := handler.getHelmClusterAccess(r)
+	if httperr != nil {
+		return httperr
+	}
+
+	// build the rollback options
+	rollbackOpts := options.RollbackOptions{
+		KubernetesClusterAccess: clusterAccess,
+		Name:                    release,
+		// Set default values
+		Recreate: true,            // Default to recreate pods (restart)
+		Timeout:  5 * time.Minute, // Default timeout of 5 minutes
+	}
+
+	namespace, _ := request.RetrieveQueryParameter(r, "namespace", true)
+	// optional namespace. The library defaults to "default"
+	if namespace != "" {
+		rollbackOpts.Namespace = namespace
+	}
+
+	revision, _ := request.RetrieveNumericQueryParameter(r, "revision", true)
+	// optional revision. If not specified, it will rollback to the previous revision
+	if revision > 0 {
+		rollbackOpts.Version = revision
+	}
+
+	// Default for wait is false, only set to true if explicitly requested
+	wait, err := request.RetrieveBooleanQueryParameter(r, "wait", true)
+	if err == nil {
+		rollbackOpts.Wait = wait
+	}
+
+	// Default for waitForJobs is false, only set to true if explicitly requested
+	waitForJobs, err := request.RetrieveBooleanQueryParameter(r, "waitForJobs", true)
+	if err == nil {
+		rollbackOpts.WaitForJobs = waitForJobs
+	}
+
+	// Default for recreate is true (set above), override if specified
+	recreate, err := request.RetrieveBooleanQueryParameter(r, "recreate", true)
+	if err == nil {
+		rollbackOpts.Recreate = recreate
+	}
+
+	// Default for force is false, only set to true if explicitly requested
+	force, err := request.RetrieveBooleanQueryParameter(r, "force", true)
+	if err == nil {
+		rollbackOpts.Force = force
+	}
+
+	timeout, _ := request.RetrieveNumericQueryParameter(r, "timeout", true)
+	// Override default timeout if specified
+	if timeout > 0 {
+		rollbackOpts.Timeout = time.Duration(timeout) * time.Second
+	}
+
+	releaseInfo, err := handler.helmPackageManager.Rollback(rollbackOpts)
+	if err != nil {
+		return httperror.InternalServerError("Failed to rollback helm release", err)
+	}
+
+	return response.JSON(w, releaseInfo)
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
index c67984952..59e0fd2dc 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
@@ -1,22 +1,20 @@
 import { EnvironmentId } from '@/react/portainer/environments/types';
-import { useAuthorizations } from '@/react/hooks/useUser';
 
+import { RollbackButton } from './RollbackButton';
 import { UninstallButton } from './UninstallButton';
 
 export function ChartActions({
   environmentId,
   releaseName,
   namespace,
+  currentRevision,
 }: {
   environmentId: EnvironmentId;
   releaseName: string;
   namespace?: string;
+  currentRevision?: number;
 }) {
-  const { authorized } = useAuthorizations('K8sApplicationsW');
-
-  if (!authorized) {
-    return null;
-  }
+  const hasPreviousRevision = currentRevision && currentRevision >= 2;
 
   return (
     <div className="inline-flex gap-x-2">
@@ -25,6 +23,14 @@ export function ChartActions({
         releaseName={releaseName}
         namespace={namespace}
       />
+      {hasPreviousRevision && (
+        <RollbackButton
+          latestRevision={currentRevision}
+          environmentId={environmentId}
+          releaseName={releaseName}
+          namespace={namespace}
+        />
+      )}
     </div>
   );
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx
new file mode 100644
index 000000000..1d7b3f340
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx
@@ -0,0 +1,163 @@
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { HttpResponse, http } from 'msw';
+import { vi, type Mock } from 'vitest';
+
+import { server } from '@/setup-tests/server';
+import { notifySuccess } from '@/portainer/services/notifications';
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+
+import { confirm } from '@@/modals/confirm';
+
+import { RollbackButton } from './RollbackButton';
+
+// Mock the confirm modal function
+vi.mock('@@/modals/confirm', () => ({
+  confirm: vi.fn(() => Promise.resolve(false)),
+  buildConfirmButton: vi.fn((label) => ({ label })),
+}));
+
+// Mock the notifications service
+vi.mock('@/portainer/services/notifications', () => ({
+  notifySuccess: vi.fn(),
+}));
+
+function renderButton(props = {}) {
+  const defaultProps = {
+    latestRevision: 3, // So we're rolling back to revision 2
+    environmentId: 1,
+    releaseName: 'test-release',
+    namespace: 'default',
+    ...props,
+  };
+
+  const Wrapped = withTestQueryProvider(RollbackButton);
+  return render(<Wrapped {...defaultProps} />);
+}
+
+describe('RollbackButton', () => {
+  test('should display the revision to rollback to', () => {
+    renderButton();
+
+    const button = screen.getByRole('button', { name: /Rollback to #2/i });
+    expect(button).toBeInTheDocument();
+  });
+
+  test('should be disabled when the rollback mutation is loading', async () => {
+    const resolveRequest = vi.fn();
+    const requestPromise = new Promise<void>((resolve) => {
+      resolveRequest.mockImplementation(() => resolve());
+    });
+
+    server.use(
+      http.post(
+        '/api/endpoints/1/kubernetes/helm/test-release/rollback',
+        () =>
+          new Promise((resolve) => {
+            // Keep request pending to simulate loading state
+            requestPromise
+              .then(() => {
+                resolve(HttpResponse.json({}));
+                return null;
+              })
+              .catch(() => {});
+          })
+      )
+    );
+
+    renderButton();
+
+    const user = userEvent.setup();
+    const button = screen.getByRole('button', { name: /Rollback to #2/i });
+
+    (confirm as Mock).mockResolvedValueOnce(true);
+    await user.click(button);
+
+    await waitFor(() => {
+      expect(screen.getByText('Rolling back...')).toBeInTheDocument();
+    });
+
+    resolveRequest();
+  });
+
+  test('should show a confirmation modal before executing the rollback', async () => {
+    renderButton();
+
+    const user = userEvent.setup();
+    const button = screen.getByRole('button', { name: /Rollback to #2/i });
+
+    await user.click(button);
+
+    expect(confirm).toHaveBeenCalledWith(
+      expect.objectContaining({
+        title: 'Are you sure?',
+        message: expect.stringContaining(
+          'Rolling back will restore the application to revision #2'
+        ),
+      })
+    );
+  });
+
+  test('should execute the rollback mutation with correct query params when confirmed', async () => {
+    let requestParams: Record<string, string> = {};
+
+    server.use(
+      http.post(
+        '/api/endpoints/1/kubernetes/helm/test-release/rollback',
+        ({ request }) => {
+          const url = new URL(request.url);
+          requestParams = Object.fromEntries(url.searchParams.entries());
+          return HttpResponse.json({});
+        }
+      )
+    );
+
+    renderButton();
+
+    const user = userEvent.setup();
+    const button = screen.getByRole('button', { name: /Rollback to #2/i });
+
+    (confirm as Mock).mockResolvedValueOnce(true);
+    await user.click(button);
+
+    await waitFor(() => {
+      expect(Object.keys(requestParams).length).toBeGreaterThan(0);
+    });
+
+    expect(requestParams.namespace).toBe('default');
+    expect(requestParams.revision).toBe('2');
+
+    expect(notifySuccess).toHaveBeenCalledWith(
+      'Success',
+      'Application rolled back to revision #2 successfully.'
+    );
+  });
+
+  test('should not execute the rollback if confirmation is cancelled', async () => {
+    let wasRequestMade = false;
+
+    server.use(
+      http.post(
+        '/api/endpoints/1/kubernetes/helm/test-release/rollback',
+        () => {
+          wasRequestMade = true;
+          return HttpResponse.json({});
+        }
+      )
+    );
+
+    renderButton();
+
+    const user = userEvent.setup();
+    const button = screen.getByRole('button', { name: /Rollback to #2/i });
+
+    (confirm as Mock).mockResolvedValueOnce(false);
+    await user.click(button);
+
+    await waitFor(() => {
+      expect(confirm).toHaveBeenCalled();
+    });
+
+    expect(wasRequestMade).toBe(false);
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
new file mode 100644
index 000000000..3d870d3a8
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
@@ -0,0 +1,71 @@
+import { RotateCcw } from 'lucide-react';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { notifySuccess } from '@/portainer/services/notifications';
+
+import { LoadingButton } from '@@/buttons';
+import { buildConfirmButton } from '@@/modals/utils';
+import { confirm } from '@@/modals/confirm';
+import { ModalType } from '@@/modals';
+
+import { useHelmRollbackMutation } from '../queries/useHelmRollbackMutation';
+
+type Props = {
+  latestRevision: number;
+  environmentId: EnvironmentId;
+  releaseName: string;
+  namespace?: string;
+};
+
+export function RollbackButton({
+  latestRevision,
+  environmentId,
+  releaseName,
+  namespace,
+}: Props) {
+  // the selectedRevision can be a prop when selecting a revision is implemented
+  const selectedRevision = latestRevision ? latestRevision - 1 : undefined;
+
+  const rollbackMutation = useHelmRollbackMutation(environmentId);
+
+  return (
+    <LoadingButton
+      onClick={handleClick}
+      isLoading={rollbackMutation.isLoading}
+      loadingText="Rolling back..."
+      data-cy="rollback-button"
+      icon={RotateCcw}
+      color="default"
+      size="medium"
+    >
+      Rollback to #{selectedRevision}
+    </LoadingButton>
+  );
+
+  async function handleClick() {
+    const confirmed = await confirm({
+      title: 'Are you sure?',
+      modalType: ModalType.Warn,
+      confirmButton: buildConfirmButton('Rollback'),
+      message: `Rolling back will restore the application to revision #${selectedRevision}, which will cause service interruption. Do you wish to continue?`,
+    });
+    if (!confirmed) {
+      return;
+    }
+
+    rollbackMutation.mutate(
+      {
+        releaseName,
+        params: { namespace, revision: selectedRevision },
+      },
+      {
+        onSuccess: () => {
+          notifySuccess(
+            'Success',
+            `Application rolled back to revision #${selectedRevision} successfully.`
+          );
+        },
+      }
+    );
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
index 6aec1d50a..164943223 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -3,12 +3,14 @@ import { useCurrentStateAndParams } from '@uirouter/react';
 import helm from '@/assets/ico/vendor/helm.svg?c';
 import { PageHeader } from '@/react/components/PageHeader';
 import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
-import { EnvironmentId } from '@/react/portainer/environments/types';
+import { Authorized } from '@/react/hooks/useUser';
 
 import { WidgetTitle, WidgetBody, Widget, Loading } from '@@/Widget';
 import { Card } from '@@/Card';
 import { Alert } from '@@/Alert';
 
+import { HelmRelease } from '../types';
+
 import { HelmSummary } from './HelmSummary';
 import { ReleaseTabs } from './ReleaseDetails/ReleaseTabs';
 import { useHelmRelease } from './queries/useHelmRelease';
@@ -19,6 +21,10 @@ export function HelmApplicationView() {
   const { params } = useCurrentStateAndParams();
   const { name, namespace } = params;
 
+  const helmReleaseQuery = useHelmRelease(environmentId, name, namespace, {
+    showResources: true,
+  });
+
   return (
     <>
       <PageHeader
@@ -35,18 +41,21 @@ export function HelmApplicationView() {
           <Widget>
             {name && (
               <WidgetTitle icon={helm} title={name}>
-                <ChartActions
-                  environmentId={environmentId}
-                  releaseName={name}
-                  namespace={namespace}
-                />
+                <Authorized authorizations="K8sApplicationsW">
+                  <ChartActions
+                    environmentId={environmentId}
+                    releaseName={name}
+                    namespace={namespace}
+                    currentRevision={helmReleaseQuery.data?.version}
+                  />
+                </Authorized>
               </WidgetTitle>
             )}
             <WidgetBody>
               <HelmDetails
-                name={name}
-                namespace={namespace}
-                environmentId={environmentId}
+                isLoading={helmReleaseQuery.isInitialLoading}
+                isError={helmReleaseQuery.isError}
+                release={helmReleaseQuery.data}
               />
             </WidgetBody>
           </Widget>
@@ -57,21 +66,13 @@ export function HelmApplicationView() {
 }
 
 type HelmDetailsProps = {
-  name: string;
-  namespace: string;
-  environmentId: EnvironmentId;
+  isLoading: boolean;
+  isError: boolean;
+  release: HelmRelease | undefined;
 };
 
-function HelmDetails({ name, namespace, environmentId }: HelmDetailsProps) {
-  const {
-    data: release,
-    isInitialLoading,
-    isError,
-  } = useHelmRelease(environmentId, name, namespace, {
-    showResources: true,
-  });
-
-  if (isInitialLoading) {
+function HelmDetails({ isLoading, isError, release: data }: HelmDetailsProps) {
+  if (isLoading) {
     return <Loading />;
   }
 
@@ -81,16 +82,16 @@ function HelmDetails({ name, namespace, environmentId }: HelmDetailsProps) {
     );
   }
 
-  if (!release) {
+  if (!data) {
     return <Alert color="error" title="No Helm application details found" />;
   }
 
   return (
     <>
-      <HelmSummary release={release} />
+      <HelmSummary release={data} />
       <div className="my-6 h-[1px] w-full bg-gray-5 th-dark:bg-gray-7 th-highcontrast:bg-white" />
       <Card className="bg-inherit">
-        <ReleaseTabs release={release} />
+        <ReleaseTabs release={data} />
       </Card>
     </>
   );
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRollbackMutation.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRollbackMutation.ts
new file mode 100644
index 000000000..6aea3ad29
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRollbackMutation.ts
@@ -0,0 +1,61 @@
+import { useMutation } from '@tanstack/react-query';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import {
+  queryClient,
+  withInvalidate,
+  withGlobalError,
+} from '@/react-tools/react-query';
+import axios from '@/portainer/services/axios';
+import { queryKeys } from '@/react/kubernetes/applications/queries/query-keys';
+
+/**
+ * Parameters for helm rollback operation
+ *
+ * @see https://helm.sh/docs/helm/helm_rollback/
+ */
+interface RollbackQueryParams {
+  /** Optional namespace for the release (defaults to "default" if not specified) */
+  namespace?: string;
+  /** Revision to rollback to (if omitted or set to 0, rolls back to the previous release) */
+  revision?: number;
+  /** If set, waits until resources are in a ready state before marking the release as successful (default: false) */
+  wait?: boolean;
+  /** If set and --wait enabled, waits until all Jobs have been completed before marking the release as successful (default: false) */
+  waitForJobs?: boolean;
+  /** Performs pods restart for the resources if applicable (default: true) */
+  recreate?: boolean;
+  /** Force resource update through delete/recreate if needed (default: false) */
+  force?: boolean;
+  /** Time to wait for any individual Kubernetes operation in seconds (default: 300) */
+  timeout?: number;
+}
+
+interface RollbackPayload {
+  releaseName: string;
+  params: RollbackQueryParams;
+}
+
+async function rollbackRelease({
+  releaseName,
+  params,
+  environmentId,
+}: RollbackPayload & { environmentId: EnvironmentId }) {
+  return axios.post<Record<string, unknown>>(
+    `/endpoints/${environmentId}/kubernetes/helm/${releaseName}/rollback`,
+    null,
+    { params }
+  );
+}
+
+export function useHelmRollbackMutation(environmentId: EnvironmentId) {
+  return useMutation({
+    mutationFn: ({ releaseName, params }: RollbackPayload) =>
+      rollbackRelease({ releaseName, params, environmentId }),
+    ...withGlobalError('Unable to rollback Helm release'),
+    ...withInvalidate(queryClient, [
+      [environmentId, 'helm', 'releases'],
+      queryKeys.applications(environmentId),
+    ]),
+  });
+}
diff --git a/pkg/libhelm/options/rollback_options.go b/pkg/libhelm/options/rollback_options.go
new file mode 100644
index 000000000..1c220f223
--- /dev/null
+++ b/pkg/libhelm/options/rollback_options.go
@@ -0,0 +1,19 @@
+package options
+
+import "time"
+
+// RollbackOptions defines options for rollback.
+type RollbackOptions struct {
+	// Required
+	Name                    string
+	Namespace               string
+	KubernetesClusterAccess *KubernetesClusterAccess
+
+	// Optional with defaults
+	Version     int           // Target revision to rollback to (0 means previous revision)
+	Timeout     time.Duration // Default: 5 minutes
+	Wait        bool          // Default: false
+	WaitForJobs bool          // Default: false
+	Recreate    bool          // Default: false - whether to recreate pods
+	Force       bool          // Default: false - whether to force recreation
+}
diff --git a/pkg/libhelm/sdk/rollback.go b/pkg/libhelm/sdk/rollback.go
new file mode 100644
index 000000000..9b5caac8e
--- /dev/null
+++ b/pkg/libhelm/sdk/rollback.go
@@ -0,0 +1,111 @@
+package sdk
+
+import (
+	"time"
+
+	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+)
+
+// Rollback would implement the HelmPackageManager interface by using the Helm SDK to rollback a release to a previous revision.
+func (hspm *HelmSDKPackageManager) Rollback(rollbackOpts options.RollbackOptions) (*release.Release, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("name", rollbackOpts.Name).
+		Str("namespace", rollbackOpts.Namespace).
+		Int("revision", rollbackOpts.Version).
+		Bool("wait", rollbackOpts.Wait).
+		Msg("Rolling back Helm release")
+
+	if rollbackOpts.Name == "" {
+		log.Error().
+			Str("context", "HelmClient").
+			Msg("Name is required for helm release rollback")
+		return nil, errors.New("name is required for helm release rollback")
+	}
+
+	// Initialize action configuration with kubernetes config
+	actionConfig := new(action.Configuration)
+	err := hspm.initActionConfig(actionConfig, rollbackOpts.Namespace, rollbackOpts.KubernetesClusterAccess)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to initialize helm configuration for helm release rollback")
+	}
+
+	rollbackClient := initRollbackClient(actionConfig, rollbackOpts)
+
+	// Run the rollback
+	err = rollbackClient.Run(rollbackOpts.Name)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("name", rollbackOpts.Name).
+			Str("namespace", rollbackOpts.Namespace).
+			Int("revision", rollbackOpts.Version).
+			Err(err).
+			Msg("Failed to rollback helm release")
+		return nil, errors.Wrap(err, "helm was not able to rollback the release")
+	}
+
+	// Get the release info after rollback
+	statusClient := action.NewStatus(actionConfig)
+	rel, err := statusClient.Run(rollbackOpts.Name)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("name", rollbackOpts.Name).
+			Str("namespace", rollbackOpts.Namespace).
+			Int("revision", rollbackOpts.Version).
+			Err(err).
+			Msg("Failed to get status after rollback")
+		return nil, errors.Wrap(err, "failed to get status after rollback")
+	}
+
+	return &release.Release{
+		Name:      rel.Name,
+		Namespace: rel.Namespace,
+		Version:   rel.Version,
+		Info: &release.Info{
+			Status:      release.Status(rel.Info.Status),
+			Notes:       rel.Info.Notes,
+			Description: rel.Info.Description,
+		},
+		Manifest: rel.Manifest,
+		Chart: release.Chart{
+			Metadata: &release.Metadata{
+				Name:       rel.Chart.Metadata.Name,
+				Version:    rel.Chart.Metadata.Version,
+				AppVersion: rel.Chart.Metadata.AppVersion,
+			},
+		},
+		Labels: rel.Labels,
+	}, nil
+}
+
+// initRollbackClient initializes the rollback client with the given options
+// and returns the rollback client.
+func initRollbackClient(actionConfig *action.Configuration, rollbackOpts options.RollbackOptions) *action.Rollback {
+	rollbackClient := action.NewRollback(actionConfig)
+
+	// Set version to rollback to (if specified)
+	if rollbackOpts.Version > 0 {
+		rollbackClient.Version = rollbackOpts.Version
+	}
+
+	rollbackClient.Wait = rollbackOpts.Wait
+	rollbackClient.WaitForJobs = rollbackOpts.WaitForJobs
+	rollbackClient.CleanupOnFail = true // Sane default to clean up on failure
+	rollbackClient.Recreate = rollbackOpts.Recreate
+	rollbackClient.Force = rollbackOpts.Force
+
+	// Set default values if not specified
+	if rollbackOpts.Timeout == 0 {
+		rollbackClient.Timeout = 5 * time.Minute // Sane default of 5 minutes
+	} else {
+		rollbackClient.Timeout = rollbackOpts.Timeout
+	}
+
+	return rollbackClient
+}
diff --git a/pkg/libhelm/sdk/rollback_test.go b/pkg/libhelm/sdk/rollback_test.go
new file mode 100644
index 000000000..31932ffc7
--- /dev/null
+++ b/pkg/libhelm/sdk/rollback_test.go
@@ -0,0 +1,123 @@
+package sdk
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRollback(t *testing.T) {
+	test.EnsureIntegrationTest(t)
+	is := assert.New(t)
+
+	// Create a new SDK package manager
+	hspm := NewHelmSDKPackageManager()
+
+	t.Run("should return error when name is not provided", func(t *testing.T) {
+		rollbackOpts := options.RollbackOptions{
+			Namespace: "default",
+		}
+
+		_, err := hspm.Rollback(rollbackOpts)
+
+		is.Error(err, "should return an error when name is not provided")
+		is.Equal("name is required for helm release rollback", err.Error(), "should return correct error message")
+	})
+
+	t.Run("should return error when release doesn't exist", func(t *testing.T) {
+		rollbackOpts := options.RollbackOptions{
+			Name:      "non-existent-release",
+			Namespace: "default",
+		}
+
+		_, err := hspm.Rollback(rollbackOpts)
+
+		is.Error(err, "should return an error when release doesn't exist")
+	})
+
+	t.Run("should successfully rollback to previous revision", func(t *testing.T) {
+		// First install a release
+		installOpts := options.InstallOptions{
+			Name:      "hello-world",
+			Chart:     "hello-world",
+			Namespace: "default",
+			Repo:      "https://helm.github.io/examples",
+		}
+
+		// Ensure the release doesn't exist before test
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		// Install first version
+		release, err := hspm.Upgrade(installOpts)
+		is.NoError(err, "should successfully install release")
+		is.Equal(1, release.Version, "first version should be 1")
+
+		// Upgrade to second version
+		_, err = hspm.Upgrade(installOpts)
+		is.NoError(err, "should successfully upgrade release")
+
+		// Rollback to first version
+		rollbackOpts := options.RollbackOptions{
+			Name:      installOpts.Name,
+			Namespace: "default",
+			Version:   0, // Previous revision
+		}
+
+		rolledBackRelease, err := hspm.Rollback(rollbackOpts)
+		defer hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		is.NoError(err, "should successfully rollback release")
+		is.NotNil(rolledBackRelease, "should return non-nil release")
+		is.Equal(3, rolledBackRelease.Version, "version should be incremented to 3")
+	})
+
+	t.Run("should successfully rollback to specific revision", func(t *testing.T) {
+		// First install a release
+		installOpts := options.InstallOptions{
+			Name:      "hello-world",
+			Chart:     "hello-world",
+			Namespace: "default",
+			Repo:      "https://helm.github.io/examples",
+		}
+
+		// Ensure the release doesn't exist before test
+		hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		// Install first version
+		release, err := hspm.Upgrade(installOpts)
+		is.NoError(err, "should successfully install release")
+		is.Equal(1, release.Version, "first version should be 1")
+
+		// Upgrade to second version
+		_, err = hspm.Upgrade(installOpts)
+		is.NoError(err, "should successfully upgrade release")
+
+		// Upgrade to third version
+		_, err = hspm.Upgrade(installOpts)
+		is.NoError(err, "should successfully upgrade release again")
+
+		// Rollback to first version
+		rollbackOpts := options.RollbackOptions{
+			Name:      installOpts.Name,
+			Namespace: "default",
+			Version:   1, // Specific revision
+		}
+
+		rolledBackRelease, err := hspm.Rollback(rollbackOpts)
+		defer hspm.Uninstall(options.UninstallOptions{
+			Name: installOpts.Name,
+		})
+
+		is.NoError(err, "should successfully rollback to specific revision")
+		is.NotNil(rolledBackRelease, "should return non-nil release")
+		is.Equal(4, rolledBackRelease.Version, "version should be incremented to 4")
+	})
+}
diff --git a/pkg/libhelm/sdk/search_repo_test.go b/pkg/libhelm/sdk/search_repo_test.go
index d4cfd9b46..bb30b8468 100644
--- a/pkg/libhelm/sdk/search_repo_test.go
+++ b/pkg/libhelm/sdk/search_repo_test.go
@@ -19,7 +19,6 @@ var tests = []testCase{
 	{"ingress helm repo", "https://kubernetes.github.io/ingress-nginx", false},
 	{"portainer helm repo", "https://portainer.github.io/k8s/", false},
 	{"elastic helm repo with trailing slash", "https://helm.elastic.co/", false},
-	{"lensesio helm repo without trailing slash", "https://lensesio.github.io/kafka-helm-charts", false},
 }
 
 func Test_SearchRepo(t *testing.T) {
diff --git a/pkg/libhelm/test/mock.go b/pkg/libhelm/test/mock.go
index 518b53fbd..cf8eefd17 100644
--- a/pkg/libhelm/test/mock.go
+++ b/pkg/libhelm/test/mock.go
@@ -79,6 +79,11 @@ func (hpm *helmMockPackageManager) Upgrade(upgradeOpts options.InstallOptions) (
 	return hpm.Install(upgradeOpts)
 }
 
+// Rollback a helm chart (not thread safe)
+func (hpm *helmMockPackageManager) Rollback(rollbackOpts options.RollbackOptions) (*release.Release, error) {
+	return hpm.Rollback(rollbackOpts)
+}
+
 // Show values/readme/chart etc
 func (hpm *helmMockPackageManager) Show(showOpts options.ShowOptions) ([]byte, error) {
 	switch showOpts.OutputFormat {
diff --git a/pkg/libhelm/types/types.go b/pkg/libhelm/types/types.go
index 7c78cbe88..4204dbb3d 100644
--- a/pkg/libhelm/types/types.go
+++ b/pkg/libhelm/types/types.go
@@ -16,6 +16,7 @@ type HelmPackageManager interface {
 	Uninstall(uninstallOpts options.UninstallOptions) error
 	Get(getOpts options.GetOptions) (*release.Release, error)
 	GetHistory(historyOpts options.HistoryOptions) ([]*release.Release, error)
+	Rollback(rollbackOpts options.RollbackOptions) (*release.Release, error)
 }
 
 type Repository interface {

From f25d31b92b36c14fc93cf3cbb47abef0a49db01c Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Tue, 22 Apr 2025 18:09:36 -0300
Subject: [PATCH 106/212] fix(code): remove dead code and reduce duplication
 BE-11826 (#680)

---
 api/archive/zip.go              | 55 +++------------------------------
 api/cli/pairlistbool.go         | 45 ---------------------------
 api/docker/client/client.go     | 13 --------
 api/docker/images/digest.go     | 11 +++----
 api/docker/images/image.go      | 21 ++++++++-----
 api/docker/images/image_test.go | 14 ++++-----
 api/docker/images/registry.go   |  4 +--
 api/kubernetes/cli/client.go    |  7 -----
 api/stacks/stackutils/util.go   |  5 ---
 9 files changed, 33 insertions(+), 142 deletions(-)
 delete mode 100644 api/cli/pairlistbool.go

diff --git a/api/archive/zip.go b/api/archive/zip.go
index 50328ef09..b7dbb9302 100644
--- a/api/archive/zip.go
+++ b/api/archive/zip.go
@@ -2,7 +2,6 @@ package archive
 
 import (
 	"archive/zip"
-	"bytes"
 	"fmt"
 	"io"
 	"os"
@@ -12,50 +11,6 @@ import (
 	"github.com/pkg/errors"
 )
 
-// UnzipArchive will unzip an archive from bytes into the dest destination folder on disk
-func UnzipArchive(archiveData []byte, dest string) error {
-	zipReader, err := zip.NewReader(bytes.NewReader(archiveData), int64(len(archiveData)))
-	if err != nil {
-		return err
-	}
-
-	for _, zipFile := range zipReader.File {
-		err := extractFileFromArchive(zipFile, dest)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
-}
-
-func extractFileFromArchive(file *zip.File, dest string) error {
-	f, err := file.Open()
-	if err != nil {
-		return err
-	}
-	defer f.Close()
-
-	data, err := io.ReadAll(f)
-	if err != nil {
-		return err
-	}
-
-	fpath := filepath.Join(dest, file.Name)
-
-	outFile, err := os.OpenFile(fpath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, file.Mode())
-	if err != nil {
-		return err
-	}
-
-	_, err = io.Copy(outFile, bytes.NewReader(data))
-	if err != nil {
-		return err
-	}
-
-	return outFile.Close()
-}
-
 // UnzipFile will decompress a zip archive, moving all files and folders
 // within the zip file (parameter 1) to an output directory (parameter 2).
 func UnzipFile(src string, dest string) error {
@@ -76,11 +31,11 @@ func UnzipFile(src string, dest string) error {
 		if f.FileInfo().IsDir() {
 			// Make Folder
 			os.MkdirAll(p, os.ModePerm)
+
 			continue
 		}
 
-		err = unzipFile(f, p)
-		if err != nil {
+		if err := unzipFile(f, p); err != nil {
 			return err
 		}
 	}
@@ -93,20 +48,20 @@ func unzipFile(f *zip.File, p string) error {
 	if err := os.MkdirAll(filepath.Dir(p), os.ModePerm); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't make a path %s", p)
 	}
+
 	outFile, err := os.OpenFile(p, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode())
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't create file %s", p)
 	}
 	defer outFile.Close()
+
 	rc, err := f.Open()
 	if err != nil {
 		return errors.Wrapf(err, "unzipFile: can't open zip file %s in the archive", f.Name)
 	}
 	defer rc.Close()
 
-	_, err = io.Copy(outFile, rc)
-
-	if err != nil {
+	if _, err = io.Copy(outFile, rc); err != nil {
 		return errors.Wrapf(err, "unzipFile: can't copy an archived file content")
 	}
 
diff --git a/api/cli/pairlistbool.go b/api/cli/pairlistbool.go
deleted file mode 100644
index 69e89b792..000000000
--- a/api/cli/pairlistbool.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package cli
-
-import (
-	"strings"
-
-	portainer "github.com/portainer/portainer/api"
-
-	"gopkg.in/alecthomas/kingpin.v2"
-)
-
-type pairListBool []portainer.Pair
-
-// Set implementation for a list of portainer.Pair
-func (l *pairListBool) Set(value string) error {
-	p := new(portainer.Pair)
-
-	// default to true.  example setting=true is equivalent to setting
-	parts := strings.SplitN(value, "=", 2)
-	if len(parts) != 2 {
-		p.Name = parts[0]
-		p.Value = "true"
-	} else {
-		p.Name = parts[0]
-		p.Value = parts[1]
-	}
-
-	*l = append(*l, *p)
-	return nil
-}
-
-// String implementation for a list of pair
-func (l *pairListBool) String() string {
-	return ""
-}
-
-// IsCumulative implementation for a list of pair
-func (l *pairListBool) IsCumulative() bool {
-	return true
-}
-
-func BoolPairs(s kingpin.Settings) (target *[]portainer.Pair) {
-	target = new([]portainer.Pair)
-	s.SetValue((*pairListBool)(target))
-	return
-}
diff --git a/api/docker/client/client.go b/api/docker/client/client.go
index 1161c4995..d1a2a394a 100644
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -73,19 +73,6 @@ func createLocalClient(endpoint *portainer.Endpoint) (*client.Client, error) {
 	)
 }
 
-func CreateClientFromEnv() (*client.Client, error) {
-	return client.NewClientWithOpts(
-		client.FromEnv,
-		client.WithAPIVersionNegotiation(),
-	)
-}
-
-func CreateSimpleClient() (*client.Client, error) {
-	return client.NewClientWithOpts(
-		client.WithAPIVersionNegotiation(),
-	)
-}
-
 func createTCPClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*client.Client, error) {
 	httpCli, err := httpClient(endpoint, timeout)
 	if err != nil {
diff --git a/api/docker/images/digest.go b/api/docker/images/digest.go
index 591f94d1e..38638de56 100644
--- a/api/docker/images/digest.go
+++ b/api/docker/images/digest.go
@@ -38,10 +38,10 @@ func NewClientWithRegistry(registryClient *RegistryClient, clientFactory *docker
 func (c *DigestClient) RemoteDigest(image Image) (digest.Digest, error) {
 	ctx, cancel := c.timeoutContext()
 	defer cancel()
+
 	// Docker references with both a tag and digest are currently not supported
 	if image.Tag != "" && image.Digest != "" {
-		err := image.trimDigest()
-		if err != nil {
+		if err := image.TrimDigest(); err != nil {
 			return "", err
 		}
 	}
@@ -69,7 +69,7 @@ func (c *DigestClient) RemoteDigest(image Image) (digest.Digest, error) {
 	// Retrieve remote digest through HEAD request
 	rmDigest, err := docker.GetDigest(ctx, sysCtx, rmRef)
 	if err != nil {
-		// fallback to public registry for hub
+		// Fallback to public registry for hub
 		if image.HubLink != "" {
 			rmDigest, err = docker.GetDigest(ctx, c.sysCtx, rmRef)
 			if err == nil {
@@ -131,8 +131,7 @@ func ParseRepoDigests(repoDigests []string) []digest.Digest {
 func ParseRepoTags(repoTags []string) []*Image {
 	images := make([]*Image, 0)
 	for _, repoTag := range repoTags {
-		image := ParseRepoTag(repoTag)
-		if image != nil {
+		if image := ParseRepoTag(repoTag); image != nil {
 			images = append(images, image)
 		}
 	}
@@ -147,7 +146,7 @@ func ParseRepoDigest(repoDigest string) digest.Digest {
 
 	d, err := digest.Parse(strings.Split(repoDigest, "@")[1])
 	if err != nil {
-		log.Warn().Msgf("Skip invalid repo digest item: %s [error: %v]", repoDigest, err)
+		log.Warn().Err(err).Str("digest", repoDigest).Msg("skip invalid repo item")
 
 		return ""
 	}
diff --git a/api/docker/images/image.go b/api/docker/images/image.go
index 55e72aff0..6b0c6eb81 100644
--- a/api/docker/images/image.go
+++ b/api/docker/images/image.go
@@ -26,7 +26,7 @@ type Image struct {
 	Digest  digest.Digest
 	HubLink string
 	named   reference.Named
-	opts    ParseImageOptions
+	Opts    ParseImageOptions `json:"-"`
 }
 
 // ParseImageOptions holds image options for parsing.
@@ -43,9 +43,10 @@ func (i *Image) Name() string {
 // FullName return the real full name may include Tag or Digest of the image, Tag first.
 func (i *Image) FullName() string {
 	if i.Tag == "" {
-		return fmt.Sprintf("%s@%s", i.Name(), i.Digest)
+		return i.Name() + "@" + i.Digest.String()
 	}
-	return fmt.Sprintf("%s:%s", i.Name(), i.Tag)
+
+	return i.Name() + ":" + i.Tag
 }
 
 // String returns the string representation of an image, including Tag and Digest if existed.
@@ -66,22 +67,25 @@ func (i *Image) Reference() string {
 func (i *Image) WithDigest(digest digest.Digest) (err error) {
 	i.Digest = digest
 	i.named, err = reference.WithDigest(i.named, digest)
+
 	return err
 }
 
 func (i *Image) WithTag(tag string) (err error) {
 	i.Tag = tag
 	i.named, err = reference.WithTag(i.named, tag)
+
 	return err
 }
 
-func (i *Image) trimDigest() error {
+func (i *Image) TrimDigest() error {
 	i.Digest = ""
 	named, err := ParseImage(ParseImageOptions{Name: i.FullName()})
 	if err != nil {
 		return err
 	}
 	i.named = &named
+
 	return nil
 }
 
@@ -92,11 +96,12 @@ func ParseImage(parseOpts ParseImageOptions) (Image, error) {
 	if err != nil {
 		return Image{}, errors.Wrapf(err, "parsing image %s failed", parseOpts.Name)
 	}
+
 	// Add the latest lag if they did not provide one.
 	named = reference.TagNameOnly(named)
 
 	i := Image{
-		opts:   parseOpts,
+		Opts:   parseOpts,
 		named:  named,
 		Domain: reference.Domain(named),
 		Path:   reference.Path(named),
@@ -122,15 +127,16 @@ func ParseImage(parseOpts ParseImageOptions) (Image, error) {
 }
 
 func (i *Image) hubLink() (string, error) {
-	if i.opts.HubTpl != "" {
+	if i.Opts.HubTpl != "" {
 		var out bytes.Buffer
 		tmpl, err := template.New("tmpl").
 			Option("missingkey=error").
-			Parse(i.opts.HubTpl)
+			Parse(i.Opts.HubTpl)
 		if err != nil {
 			return "", err
 		}
 		err = tmpl.Execute(&out, i)
+
 		return out.String(), err
 	}
 
@@ -142,6 +148,7 @@ func (i *Image) hubLink() (string, error) {
 			prefix = "_"
 			path = strings.Replace(i.Path, "library/", "", 1)
 		}
+
 		return "https://hub.docker.com/" + prefix + "/" + path, nil
 	case "docker.bintray.io", "jfrog-docker-reg2.bintray.io":
 		return "https://bintray.com/jfrog/reg2/" + strings.ReplaceAll(i.Path, "/", "%3A"), nil
diff --git a/api/docker/images/image_test.go b/api/docker/images/image_test.go
index 2649e387c..713a67732 100644
--- a/api/docker/images/image_test.go
+++ b/api/docker/images/image_test.go
@@ -16,7 +16,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("docker.io/portainer/portainer-ee:latest", image.FullName())
-		is.Equal("portainer/portainer-ee", image.opts.Name)
+		is.Equal("portainer/portainer-ee", image.Opts.Name)
 		is.Equal("latest", image.Tag)
 		is.Equal("portainer/portainer-ee", image.Path)
 		is.Equal("docker.io", image.Domain)
@@ -32,7 +32,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -49,7 +49,7 @@ func TestImageParser(t *testing.T) {
 		})
 		is.NoError(err, "")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -71,7 +71,7 @@ func TestUpdateParsedImage(t *testing.T) {
 		is.NoError(err, "")
 		_ = image.WithTag("v0.0.31")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.31", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.31", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -89,7 +89,7 @@ func TestUpdateParsedImage(t *testing.T) {
 		is.NoError(err, "")
 		_ = image.WithDigest("sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b3")
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
@@ -105,9 +105,9 @@ func TestUpdateParsedImage(t *testing.T) {
 			Name: "gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2",
 		})
 		is.NoError(err, "")
-		_ = image.trimDigest()
+		_ = image.TrimDigest()
 		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30", image.FullName())
-		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.opts.Name)
+		is.Equal("gcr.io/k8s-minikube/kicbase:v0.0.30@sha256:02c921df998f95e849058af14de7045efc3954d90320967418a0d1f182bbc0b2", image.Opts.Name)
 		is.Equal("v0.0.30", image.Tag)
 		is.Equal("k8s-minikube/kicbase", image.Path)
 		is.Equal("gcr.io", image.Domain)
diff --git a/api/docker/images/registry.go b/api/docker/images/registry.go
index 10b4a6388..015385c2f 100644
--- a/api/docker/images/registry.go
+++ b/api/docker/images/registry.go
@@ -29,7 +29,7 @@ func (c *RegistryClient) RegistryAuth(image Image) (string, string, error) {
 		return "", "", err
 	}
 
-	registry, err := findBestMatchRegistry(image.opts.Name, registries)
+	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
 	if err != nil {
 		return "", "", err
 	}
@@ -59,7 +59,7 @@ func (c *RegistryClient) EncodedRegistryAuth(image Image) (string, error) {
 		return "", err
 	}
 
-	registry, err := findBestMatchRegistry(image.opts.Name, registries)
+	registry, err := findBestMatchRegistry(image.Opts.Name, registries)
 	if err != nil {
 		return "", err
 	}
diff --git a/api/kubernetes/cli/client.go b/api/kubernetes/cli/client.go
index ce76f725f..6d2cc437c 100644
--- a/api/kubernetes/cli/client.go
+++ b/api/kubernetes/cli/client.go
@@ -47,13 +47,6 @@ type (
 	}
 )
 
-func NewKubeClientFromClientset(cli *kubernetes.Clientset) *KubeClient {
-	return &KubeClient{
-		cli:        cli,
-		instanceID: "",
-	}
-}
-
 // NewClientFactory returns a new instance of a ClientFactory
 func NewClientFactory(signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, dataStore dataservices.DataStore, instanceID, addrHTTPS, userSessionTimeout string) (*ClientFactory, error) {
 	if userSessionTimeout == "" {
diff --git a/api/stacks/stackutils/util.go b/api/stacks/stackutils/util.go
index 5dd5bf4c5..9a4daeae3 100644
--- a/api/stacks/stackutils/util.go
+++ b/api/stacks/stackutils/util.go
@@ -45,11 +45,6 @@ func SanitizeLabel(value string) string {
 	return strings.Trim(onlyAllowedCharacterString, ".-_")
 }
 
-// IsGitStack checks if the stack is a git stack or not
-func IsGitStack(stack *portainer.Stack) bool {
-	return stack.GitConfig != nil && len(stack.GitConfig.URL) != 0
-}
-
 // IsRelativePathStack checks if the stack is a git stack or not
 func IsRelativePathStack(stack *portainer.Stack) bool {
 	// Always return false in CE

From 3edacee59b015522406cfff5f64845b5c7a5bbb2 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Wed, 23 Apr 2025 02:35:20 +0100
Subject: [PATCH 107/212] Update bug report template for 2.29.1 (#682)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 58dc03d91..6d8f816ea 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.29.1'
         - '2.29.0'
         - '2.28.1'
         - '2.28.0'

From 1a3df54c046e41ccbbc3af374baf56feb52a16fc Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Wed, 23 Apr 2025 13:59:51 +1200
Subject: [PATCH 108/212] fix(govalidator): replace govalidator dependency
 [BE-11574] (#673)

---
 api/git/update/validate.go                    |   4 +-
 api/git/validate.go                           |   6 +-
 .../customtemplates/customtemplate_create.go  |   4 +-
 .../customtemplates/customtemplate_update.go  |   5 +-
 api/http/handler/edgejobs/edgejob_create.go   |   7 +-
 api/http/handler/edgejobs/edgejob_update.go   |   5 +-
 .../edgestacks/edgestack_create_git.go        |   4 +-
 .../handler/gitops/git_repo_file_preview.go   |   5 +-
 api/http/handler/settings/settings_update.go  |   8 +-
 .../handler/stacks/create_compose_stack.go    |   4 +-
 .../handler/stacks/create_kubernetes_stack.go |   6 +-
 api/http/handler/stacks/create_swarm_stack.go |   4 +-
 .../handler/users/user_create_access_token.go |   7 +-
 api/http/handler/websocket/attach.go          |   4 +-
 api/http/handler/websocket/exec.go            |   4 +-
 go.mod                                        |   2 +-
 pkg/validate/validate.go                      | 111 +++++
 pkg/validate/validate_test.go                 | 424 ++++++++++++++++++
 18 files changed, 571 insertions(+), 43 deletions(-)
 create mode 100644 pkg/validate/validate.go
 create mode 100644 pkg/validate/validate_test.go

diff --git a/api/git/update/validate.go b/api/git/update/validate.go
index c1b7364ce..66805895d 100644
--- a/api/git/update/validate.go
+++ b/api/git/update/validate.go
@@ -3,9 +3,9 @@ package update
 import (
 	"time"
 
-	"github.com/asaskevich/govalidator"
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/pkg/validate"
 )
 
 func ValidateAutoUpdateSettings(autoUpdate *portainer.AutoUpdateSettings) error {
@@ -17,7 +17,7 @@ func ValidateAutoUpdateSettings(autoUpdate *portainer.AutoUpdateSettings) error
 		return httperrors.NewInvalidPayloadError("Webhook or Interval must be provided")
 	}
 
-	if autoUpdate.Webhook != "" && !govalidator.IsUUID(autoUpdate.Webhook) {
+	if autoUpdate.Webhook != "" && !validate.IsUUID(autoUpdate.Webhook) {
 		return httperrors.NewInvalidPayloadError("invalid Webhook format")
 	}
 
diff --git a/api/git/validate.go b/api/git/validate.go
index 8fc04abf6..1304494dd 100644
--- a/api/git/validate.go
+++ b/api/git/validate.go
@@ -1,19 +1,17 @@
 package git
 
 import (
-	"github.com/asaskevich/govalidator"
-
 	gittypes "github.com/portainer/portainer/api/git/types"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/pkg/validate"
 )
 
 func ValidateRepoConfig(repoConfig *gittypes.RepoConfig) error {
-	if len(repoConfig.URL) == 0 || !govalidator.IsURL(repoConfig.URL) {
+	if len(repoConfig.URL) == 0 || !validate.IsURL(repoConfig.URL) {
 		return httperrors.NewInvalidPayloadError("Invalid repository URL. Must correspond to a valid URL format")
 	}
 
 	return ValidateRepoAuthentication(repoConfig.Authentication)
-
 }
 
 func ValidateRepoAuthentication(auth *gittypes.GitAuthentication) error {
diff --git a/api/http/handler/customtemplates/customtemplate_create.go b/api/http/handler/customtemplates/customtemplate_create.go
index 0f9c8f1a3..104ea90a4 100644
--- a/api/http/handler/customtemplates/customtemplate_create.go
+++ b/api/http/handler/customtemplates/customtemplate_create.go
@@ -16,8 +16,8 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 )
@@ -228,7 +228,7 @@ func (payload *customTemplateFromGitRepositoryPayload) Validate(r *http.Request)
 	if len(payload.Description) == 0 {
 		return errors.New("Invalid custom template description")
 	}
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
 	}
 	if payload.RepositoryAuthentication && (len(payload.RepositoryUsername) == 0 || len(payload.RepositoryPassword) == 0) {
diff --git a/api/http/handler/customtemplates/customtemplate_update.go b/api/http/handler/customtemplates/customtemplate_update.go
index 80c42b6fa..f14d228f3 100644
--- a/api/http/handler/customtemplates/customtemplate_update.go
+++ b/api/http/handler/customtemplates/customtemplate_update.go
@@ -15,8 +15,7 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )
 
 type customTemplateUpdatePayload struct {
@@ -170,7 +169,7 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 	customTemplate.EdgeTemplate = payload.EdgeTemplate
 
 	if payload.RepositoryURL != "" {
-		if !govalidator.IsURL(payload.RepositoryURL) {
+		if !validate.IsURL(payload.RepositoryURL) {
 			return httperror.BadRequest("Invalid repository URL. Must correspond to a valid URL format", err)
 		}
 
diff --git a/api/http/handler/edgejobs/edgejob_create.go b/api/http/handler/edgejobs/edgejob_create.go
index 0f7bff73d..dd6b4d5df 100644
--- a/api/http/handler/edgejobs/edgejob_create.go
+++ b/api/http/handler/edgejobs/edgejob_create.go
@@ -15,8 +15,7 @@ import (
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )
 
 type edgeJobBasePayload struct {
@@ -53,7 +52,7 @@ func (payload *edgeJobCreateFromFileContentPayload) Validate(r *http.Request) er
 		return errors.New("invalid Edge job name")
 	}
 
-	if !govalidator.Matches(payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`) {
+	if !validate.Matches(payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]*$`) {
 		return errors.New("invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
 	}
 
@@ -136,7 +135,7 @@ func (payload *edgeJobCreateFromFilePayload) Validate(r *http.Request) error {
 		return errors.New("invalid Edge job name")
 	}
 
-	if !govalidator.Matches(name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
+	if !validate.Matches(name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
 		return errors.New("invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
 	}
 	payload.Name = name
diff --git a/api/http/handler/edgejobs/edgejob_update.go b/api/http/handler/edgejobs/edgejob_update.go
index 468fbb8b7..6f2b8e382 100644
--- a/api/http/handler/edgejobs/edgejob_update.go
+++ b/api/http/handler/edgejobs/edgejob_update.go
@@ -14,8 +14,7 @@ import (
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )
 
 type edgeJobUpdatePayload struct {
@@ -28,7 +27,7 @@ type edgeJobUpdatePayload struct {
 }
 
 func (payload *edgeJobUpdatePayload) Validate(r *http.Request) error {
-	if payload.Name != nil && !govalidator.Matches(*payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
+	if payload.Name != nil && !validate.Matches(*payload.Name, `^[a-zA-Z0-9][a-zA-Z0-9_.-]+$`) {
 		return errors.New("invalid Edge job name format. Allowed characters are: [a-zA-Z0-9_.-]")
 	}
 
diff --git a/api/http/handler/edgestacks/edgestack_create_git.go b/api/http/handler/edgestacks/edgestack_create_git.go
index 88e4bda79..2da816481 100644
--- a/api/http/handler/edgestacks/edgestack_create_git.go
+++ b/api/http/handler/edgestacks/edgestack_create_git.go
@@ -11,8 +11,8 @@ import (
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/pkg/edge"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 )
 
@@ -59,7 +59,7 @@ func (payload *edgeStackFromGitRepositoryPayload) Validate(r *http.Request) erro
 		return httperrors.NewInvalidPayloadError("Invalid stack name. Stack name must only consist of lowercase alpha characters, numbers, hyphens, or underscores as well as start with a lowercase character or number")
 	}
 
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return httperrors.NewInvalidPayloadError("Invalid repository URL. Must correspond to a valid URL format")
 	}
 
diff --git a/api/http/handler/gitops/git_repo_file_preview.go b/api/http/handler/gitops/git_repo_file_preview.go
index 28e8fafec..1eaa52716 100644
--- a/api/http/handler/gitops/git_repo_file_preview.go
+++ b/api/http/handler/gitops/git_repo_file_preview.go
@@ -9,8 +9,7 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )
 
 type fileResponse struct {
@@ -29,7 +28,7 @@ type repositoryFilePreviewPayload struct {
 }
 
 func (payload *repositoryFilePreviewPayload) Validate(r *http.Request) error {
-	if len(payload.Repository) == 0 || !govalidator.IsURL(payload.Repository) {
+	if len(payload.Repository) == 0 || !validate.IsURL(payload.Repository) {
 		return errors.New("invalid repository URL. Must correspond to a valid URL format")
 	}
 
diff --git a/api/http/handler/settings/settings_update.go b/api/http/handler/settings/settings_update.go
index 0b36dbc62..98da8da7d 100644
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -14,8 +14,8 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2"
 )
@@ -62,15 +62,15 @@ func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
 		return errors.New("Invalid authentication method value. Value must be one of: 1 (internal), 2 (LDAP/AD) or 3 (OAuth)")
 	}
 
-	if payload.LogoURL != nil && *payload.LogoURL != "" && !govalidator.IsURL(*payload.LogoURL) {
+	if payload.LogoURL != nil && *payload.LogoURL != "" && !validate.IsURL(*payload.LogoURL) {
 		return errors.New("Invalid logo URL. Must correspond to a valid URL format")
 	}
 
-	if payload.TemplatesURL != nil && *payload.TemplatesURL != "" && !govalidator.IsURL(*payload.TemplatesURL) {
+	if payload.TemplatesURL != nil && *payload.TemplatesURL != "" && !validate.IsURL(*payload.TemplatesURL) {
 		return errors.New("Invalid external templates URL. Must correspond to a valid URL format")
 	}
 
-	if payload.HelmRepositoryURL != nil && *payload.HelmRepositoryURL != "" && !govalidator.IsURL(*payload.HelmRepositoryURL) {
+	if payload.HelmRepositoryURL != nil && *payload.HelmRepositoryURL != "" && !validate.IsURL(*payload.HelmRepositoryURL) {
 		return errors.New("Invalid Helm repository URL. Must correspond to a valid URL format")
 	}
 
diff --git a/api/http/handler/stacks/create_compose_stack.go b/api/http/handler/stacks/create_compose_stack.go
index dce39337a..fc5bed1ff 100644
--- a/api/http/handler/stacks/create_compose_stack.go
+++ b/api/http/handler/stacks/create_compose_stack.go
@@ -14,8 +14,8 @@ import (
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )
@@ -205,7 +205,7 @@ func (payload *composeStackFromGitRepositoryPayload) Validate(r *http.Request) e
 	if len(payload.Name) == 0 {
 		return errors.New("Invalid stack name")
 	}
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
 	}
 	if payload.RepositoryAuthentication && len(payload.RepositoryPassword) == 0 {
diff --git a/api/http/handler/stacks/create_kubernetes_stack.go b/api/http/handler/stacks/create_kubernetes_stack.go
index 397ccfec2..f1a142e6b 100644
--- a/api/http/handler/stacks/create_kubernetes_stack.go
+++ b/api/http/handler/stacks/create_kubernetes_stack.go
@@ -15,8 +15,8 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 )
 
@@ -96,7 +96,7 @@ func (payload *kubernetesStringDeploymentPayload) Validate(r *http.Request) erro
 }
 
 func (payload *kubernetesGitDeploymentPayload) Validate(r *http.Request) error {
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !validate.IsURL(payload.RepositoryURL) {
 		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
 	}
 
@@ -112,7 +112,7 @@ func (payload *kubernetesGitDeploymentPayload) Validate(r *http.Request) error {
 }
 
 func (payload *kubernetesManifestURLDeploymentPayload) Validate(r *http.Request) error {
-	if len(payload.ManifestURL) == 0 || !govalidator.IsURL(payload.ManifestURL) {
+	if len(payload.ManifestURL) == 0 || !validate.IsURL(payload.ManifestURL) {
 		return errors.New("Invalid manifest URL")
 	}
 
diff --git a/api/http/handler/stacks/create_swarm_stack.go b/api/http/handler/stacks/create_swarm_stack.go
index 4603b6d6b..e10d23f2f 100644
--- a/api/http/handler/stacks/create_swarm_stack.go
+++ b/api/http/handler/stacks/create_swarm_stack.go
@@ -11,8 +11,8 @@ import (
 	"github.com/portainer/portainer/api/stacks/stackutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	valid "github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/pkg/errors"
 )
 
@@ -142,7 +142,7 @@ func (payload *swarmStackFromGitRepositoryPayload) Validate(r *http.Request) err
 	if len(payload.SwarmID) == 0 {
 		return errors.New("Invalid Swarm ID")
 	}
-	if len(payload.RepositoryURL) == 0 || !govalidator.IsURL(payload.RepositoryURL) {
+	if len(payload.RepositoryURL) == 0 || !valid.IsURL(payload.RepositoryURL) {
 		return errors.New("Invalid repository URL. Must correspond to a valid URL format")
 	}
 	if payload.RepositoryAuthentication && len(payload.RepositoryPassword) == 0 {
diff --git a/api/http/handler/users/user_create_access_token.go b/api/http/handler/users/user_create_access_token.go
index 673c0af76..aa10f6fe0 100644
--- a/api/http/handler/users/user_create_access_token.go
+++ b/api/http/handler/users/user_create_access_token.go
@@ -11,8 +11,7 @@ import (
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/asaskevich/govalidator"
+	"github.com/portainer/portainer/pkg/validate"
 )
 
 type userAccessTokenCreatePayload struct {
@@ -24,10 +23,10 @@ func (payload *userAccessTokenCreatePayload) Validate(r *http.Request) error {
 	if len(payload.Description) == 0 {
 		return errors.New("invalid description: cannot be empty")
 	}
-	if govalidator.HasWhitespaceOnly(payload.Description) {
+	if validate.HasWhitespaceOnly(payload.Description) {
 		return errors.New("invalid description: cannot contain only whitespaces")
 	}
-	if govalidator.MinStringLength(payload.Description, "128") {
+	if validate.MinStringLength(payload.Description, 128) {
 		return errors.New("invalid description: cannot be longer than 128 characters")
 	}
 	return nil
diff --git a/api/http/handler/websocket/attach.go b/api/http/handler/websocket/attach.go
index d0cb7746f..96e228418 100644
--- a/api/http/handler/websocket/attach.go
+++ b/api/http/handler/websocket/attach.go
@@ -9,8 +9,8 @@ import (
 	"github.com/portainer/portainer/api/ws"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/gorilla/websocket"
 )
 
@@ -38,7 +38,7 @@ func (handler *Handler) websocketAttach(w http.ResponseWriter, r *http.Request)
 	if err != nil {
 		return httperror.BadRequest("Invalid query parameter: id", err)
 	}
-	if !govalidator.IsHexadecimal(attachID) {
+	if !validate.IsHexadecimal(attachID) {
 		return httperror.BadRequest("Invalid query parameter: id (must be hexadecimal identifier)", err)
 	}
 
diff --git a/api/http/handler/websocket/exec.go b/api/http/handler/websocket/exec.go
index ab04b0702..aef5861c8 100644
--- a/api/http/handler/websocket/exec.go
+++ b/api/http/handler/websocket/exec.go
@@ -8,8 +8,8 @@ import (
 	"github.com/portainer/portainer/api/ws"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/validate"
 
-	"github.com/asaskevich/govalidator"
 	"github.com/gorilla/websocket"
 	"github.com/segmentio/encoding/json"
 )
@@ -42,7 +42,7 @@ func (handler *Handler) websocketExec(w http.ResponseWriter, r *http.Request) *h
 	if err != nil {
 		return httperror.BadRequest("Invalid query parameter: id", err)
 	}
-	if !govalidator.IsHexadecimal(execID) {
+	if !validate.IsHexadecimal(execID) {
 		return httperror.BadRequest("Invalid query parameter: id (must be hexadecimal identifier)", err)
 	}
 
diff --git a/go.mod b/go.mod
index 64c594902..45f0eb750 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,6 @@ require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/VictoriaMetrics/fastcache v1.12.0
-	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2
 	github.com/aws/aws-sdk-go-v2 v1.24.1
 	github.com/aws/aws-sdk-go-v2/credentials v1.16.16
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.1
@@ -85,6 +84,7 @@ require (
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
 	github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 // indirect
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 // indirect
+	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
diff --git a/pkg/validate/validate.go b/pkg/validate/validate.go
new file mode 100644
index 000000000..3683941cf
--- /dev/null
+++ b/pkg/validate/validate.go
@@ -0,0 +1,111 @@
+package validate
+
+import (
+	"net"
+	"net/url"
+	"regexp"
+	"strings"
+	"unicode/utf8"
+)
+
+const (
+	minURLRuneCount = 3
+	maxURLRuneCount = 2083
+
+	ipPattern           = `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))`
+	urlSchemaPattern    = `((ftp|tcp|udp|wss?|https?):\/\/)`
+	urlUsernamePattern  = `(\S+(:\S*)?@)`
+	urlPathPattern      = `((\/|\?|#)[^\s]*)`
+	urlPortPattern      = `(:(\d{1,5}))`
+	urlIPPattern        = `([1-9]\d?|1\d\d|2[01]\d|22[0-3]|24\d|25[0-5])(\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])){2}(?:\.([0-9]\d?|1\d\d|2[0-4]\d|25[0-5]))`
+	urlSubdomainPattern = `((www\.)|([a-zA-Z0-9]+([-_\.]?[a-zA-Z0-9])*[a-zA-Z0-9]\.[a-zA-Z0-9]+))`
+	urlPattern          = `^` + urlSchemaPattern + `?` + urlUsernamePattern + `?` + `((` + urlIPPattern + `|(\[` + ipPattern + `\])|(([a-zA-Z0-9]([a-zA-Z0-9-_]+)?[a-zA-Z0-9]([-\.][a-zA-Z0-9]+)*)|(` + urlSubdomainPattern + `?))?(([a-zA-Z\x{00a1}-\x{ffff}0-9]+-?-?)*[a-zA-Z\x{00a1}-\x{ffff}0-9]+)(?:\.([a-zA-Z\x{00a1}-\x{ffff}]{1,}))?))\.?` + urlPortPattern + `?` + urlPathPattern + `?$`
+)
+
+var (
+	urlRegex         = regexp.MustCompile(urlPattern)
+	uuidRegex        = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
+	hexadecimalRegex = regexp.MustCompile(`^[0-9a-fA-F]+$`)
+	whitespaceRegex  = regexp.MustCompile(`^[[:space:]]+$`)
+	dnsNameRegex     = regexp.MustCompile(`^([a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62}){1}(\.[a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62})*[\._]?$`)
+)
+
+func IsURL(urlString string) bool {
+	if urlString == "" ||
+		utf8.RuneCountInString(urlString) >= maxURLRuneCount ||
+		len(urlString) <= minURLRuneCount ||
+		strings.HasPrefix(urlString, ".") {
+		return false
+	}
+
+	strTemp := urlString
+	if strings.Contains(urlString, ":") && !strings.Contains(urlString, "://") {
+		// support no indicated urlscheme but with colon for port number
+		// http:// is appended so url.Parse will succeed, strTemp used so it does not impact rxURL.MatchString
+		strTemp = "http://" + urlString
+	}
+
+	u, err := url.Parse(strTemp)
+	if err != nil {
+		return false
+	}
+
+	if strings.HasPrefix(u.Host, ".") {
+		return false
+	}
+	if u.Host == "" && (u.Path != "" && !strings.Contains(u.Path, ".")) {
+		return false
+	}
+
+	return urlRegex.MatchString(urlString)
+}
+
+func IsUUID(uuidString string) bool {
+	return uuidRegex.MatchString(uuidString)
+}
+
+func IsHexadecimal(hexString string) bool {
+	return hexadecimalRegex.MatchString(hexString)
+}
+
+func HasWhitespaceOnly(s string) bool {
+	return len(s) > 0 && whitespaceRegex.MatchString(s)
+}
+
+func MinStringLength(s string, len int) bool {
+	return utf8.RuneCountInString(s) >= len
+}
+
+func Matches(s, pattern string) bool {
+	match, err := regexp.MatchString(pattern, s)
+	return err == nil && match
+}
+
+func IsNonPositive(f float64) bool {
+	return f <= 0
+}
+
+func InRange(val, left, right float64) bool {
+	if left > right {
+		left, right = right, left
+	}
+
+	return val >= left && val <= right
+}
+
+func IsHost(s string) bool {
+	return IsIP(s) || IsDNSName(s)
+}
+
+func IsIP(s string) bool {
+	return net.ParseIP(s) != nil
+}
+
+func IsDNSName(s string) bool {
+	if s == "" || len(strings.ReplaceAll(s, ".", "")) > 255 {
+		// constraints already violated
+		return false
+	}
+
+	return !IsIP(s) && dnsNameRegex.MatchString(s)
+}
diff --git a/pkg/validate/validate_test.go b/pkg/validate/validate_test.go
new file mode 100644
index 000000000..e8b62288e
--- /dev/null
+++ b/pkg/validate/validate_test.go
@@ -0,0 +1,424 @@
+package validate
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_IsURL(t *testing.T) {
+	testCases := []struct {
+		name           string
+		url            string
+		expectedResult bool
+	}{
+		{
+			name:           "simple url",
+			url:            "https://google.com",
+			expectedResult: true,
+		},
+		{
+			name:           "no schema",
+			url:            "google.com",
+			expectedResult: true,
+		},
+		{
+			name:           "path",
+			url:            "https://google.com/some/thing",
+			expectedResult: true,
+		},
+		{
+			name:           "query params",
+			url:            "https://google.com/some/thing?a=5&b=6",
+			expectedResult: true,
+		},
+		{
+			name:           "invalid",
+			url:            "google",
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsURL(tc.url)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_IsUUID(t *testing.T) {
+	testCases := []struct {
+		name           string
+		uuid           string
+		expectedResult bool
+	}{
+		{
+			name:           "empty",
+			uuid:           "",
+			expectedResult: false,
+		},
+		{
+			name:           "version 3 UUID",
+			uuid:           "060507eb-3b9a-362e-b850-d5f065eea403",
+			expectedResult: true,
+		},
+		{
+			name:           "version 4 UUID",
+			uuid:           "63e695ee-48a9-498a-98b3-9472ff75e09f",
+			expectedResult: true,
+		},
+		{
+			name:           "version 5 UUID",
+			uuid:           "5daabcd8-f17e-568c-aa6f-da9d92c7032c",
+			expectedResult: true,
+		},
+		{
+			name:           "text",
+			uuid:           "something like this",
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsUUID(tc.uuid)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_IsHexadecimal(t *testing.T) {
+	testCases := []struct {
+		name           string
+		hex            string
+		expectedResult bool
+	}{
+		{
+			name:           "empty",
+			hex:            "",
+			expectedResult: false,
+		},
+		{
+			name:           "hex",
+			hex:            "48656C6C6F20736F6D657468696E67",
+			expectedResult: true,
+		},
+		{
+			name:           "text",
+			hex:            "something like this",
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsHexadecimal(tc.hex)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_HasWhitespaceOnly(t *testing.T) {
+	testCases := []struct {
+		name           string
+		s              string
+		expectedResult bool
+	}{
+		{
+			name:           "empty",
+			s:              "",
+			expectedResult: false,
+		},
+		{
+			name:           "space",
+			s:              " ",
+			expectedResult: true,
+		},
+		{
+			name:           "tab",
+			s:              "\t",
+			expectedResult: true,
+		},
+		{
+			name:           "text",
+			s:              "something like this",
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := HasWhitespaceOnly(tc.s)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_MinStringLength(t *testing.T) {
+	testCases := []struct {
+		name           string
+		s              string
+		len            int
+		expectedResult bool
+	}{
+		{
+			name:           "empty + zero len",
+			s:              "",
+			len:            0,
+			expectedResult: true,
+		},
+		{
+			name:           "empty + non zero len",
+			s:              "",
+			len:            10,
+			expectedResult: false,
+		},
+		{
+			name:           "long text + non zero len",
+			s:              "something else",
+			len:            10,
+			expectedResult: true,
+		},
+		{
+			name:           "multibyte characters - enough",
+			s:              "X生",
+			len:            2,
+			expectedResult: true,
+		},
+		{
+			name:           "multibyte characters - not enough",
+			s:              "X生",
+			len:            3,
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := MinStringLength(tc.s, tc.len)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_Matches(t *testing.T) {
+	testCases := []struct {
+		name           string
+		s              string
+		pattern        string
+		expectedResult bool
+	}{
+		{
+			name:           "empty",
+			s:              "",
+			pattern:        "",
+			expectedResult: true,
+		},
+		{
+			name:           "space",
+			s:              "something else",
+			pattern:        " ",
+			expectedResult: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := Matches(tc.s, tc.pattern)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_IsNonPositive(t *testing.T) {
+	testCases := []struct {
+		name           string
+		f              float64
+		expectedResult bool
+	}{
+		{
+			name:           "zero",
+			f:              0,
+			expectedResult: true,
+		},
+		{
+			name:           "positive",
+			f:              1,
+			expectedResult: false,
+		},
+		{
+			name:           "negative",
+			f:              -1,
+			expectedResult: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsNonPositive(tc.f)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_InRange(t *testing.T) {
+	testCases := []struct {
+		name           string
+		f              float64
+		left           float64
+		right          float64
+		expectedResult bool
+	}{
+		{
+			name:           "zero",
+			f:              0,
+			left:           0,
+			right:          0,
+			expectedResult: true,
+		},
+		{
+			name:           "equal left",
+			f:              1,
+			left:           1,
+			right:          2,
+			expectedResult: true,
+		},
+		{
+			name:           "equal right",
+			f:              2,
+			left:           1,
+			right:          2,
+			expectedResult: true,
+		},
+		{
+			name:           "above",
+			f:              3,
+			left:           1,
+			right:          2,
+			expectedResult: false,
+		},
+		{
+			name:           "below",
+			f:              0,
+			left:           1,
+			right:          2,
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := InRange(tc.f, tc.left, tc.right)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_IsHost(t *testing.T) {
+	testCases := []struct {
+		name           string
+		s              string
+		expectedResult bool
+	}{
+		{
+			name:           "empty",
+			s:              "",
+			expectedResult: false,
+		},
+		{
+			name:           "ip address",
+			s:              "192.168.1.1",
+			expectedResult: true,
+		},
+		{
+			name:           "hostname",
+			s:              "google.com",
+			expectedResult: true,
+		},
+		{
+			name:           "text",
+			s:              "Something like this",
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsHost(tc.s)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_IsIP(t *testing.T) {
+	testCases := []struct {
+		name           string
+		s              string
+		expectedResult bool
+	}{
+		{
+			name:           "empty",
+			s:              "",
+			expectedResult: false,
+		},
+		{
+			name:           "ip address",
+			s:              "192.168.1.1",
+			expectedResult: true,
+		},
+		{
+			name:           "hostname",
+			s:              "google.com",
+			expectedResult: false,
+		},
+		{
+			name:           "text",
+			s:              "Something like this",
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsIP(tc.s)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}
+
+func Test_IsDNSName(t *testing.T) {
+	testCases := []struct {
+		name           string
+		s              string
+		expectedResult bool
+	}{
+		{
+			name:           "empty",
+			s:              "",
+			expectedResult: false,
+		},
+		{
+			name:           "ip address",
+			s:              "192.168.1.1",
+			expectedResult: false,
+		},
+		{
+			name:           "hostname",
+			s:              "google.com",
+			expectedResult: true,
+		},
+		{
+			name:           "text",
+			s:              "Something like this",
+			expectedResult: false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsDNSName(tc.s)
+			require.Equal(t, tc.expectedResult, result)
+		})
+	}
+}

From 4e4fd5a4b43f9b665864733bd3ae850bbbd4cfc8 Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Thu, 24 Apr 2025 08:59:44 +1200
Subject: [PATCH 109/212] fix(validate): refactor validate functions [BE-11574]
 (#683)

---
 pkg/validate/validate.go      | 45 +++++++----------------------------
 pkg/validate/validate_test.go | 19 +++++++++++++--
 2 files changed, 25 insertions(+), 39 deletions(-)

diff --git a/pkg/validate/validate.go b/pkg/validate/validate.go
index 3683941cf..f647d1e17 100644
--- a/pkg/validate/validate.go
+++ b/pkg/validate/validate.go
@@ -6,62 +6,33 @@ import (
 	"regexp"
 	"strings"
 	"unicode/utf8"
-)
 
-const (
-	minURLRuneCount = 3
-	maxURLRuneCount = 2083
-
-	ipPattern           = `(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))`
-	urlSchemaPattern    = `((ftp|tcp|udp|wss?|https?):\/\/)`
-	urlUsernamePattern  = `(\S+(:\S*)?@)`
-	urlPathPattern      = `((\/|\?|#)[^\s]*)`
-	urlPortPattern      = `(:(\d{1,5}))`
-	urlIPPattern        = `([1-9]\d?|1\d\d|2[01]\d|22[0-3]|24\d|25[0-5])(\.(\d{1,2}|1\d\d|2[0-4]\d|25[0-5])){2}(?:\.([0-9]\d?|1\d\d|2[0-4]\d|25[0-5]))`
-	urlSubdomainPattern = `((www\.)|([a-zA-Z0-9]+([-_\.]?[a-zA-Z0-9])*[a-zA-Z0-9]\.[a-zA-Z0-9]+))`
-	urlPattern          = `^` + urlSchemaPattern + `?` + urlUsernamePattern + `?` + `((` + urlIPPattern + `|(\[` + ipPattern + `\])|(([a-zA-Z0-9]([a-zA-Z0-9-_]+)?[a-zA-Z0-9]([-\.][a-zA-Z0-9]+)*)|(` + urlSubdomainPattern + `?))?(([a-zA-Z\x{00a1}-\x{ffff}0-9]+-?-?)*[a-zA-Z\x{00a1}-\x{ffff}0-9]+)(?:\.([a-zA-Z\x{00a1}-\x{ffff}]{1,}))?))\.?` + urlPortPattern + `?` + urlPathPattern + `?$`
+	"github.com/google/uuid"
 )
 
 var (
-	urlRegex         = regexp.MustCompile(urlPattern)
-	uuidRegex        = regexp.MustCompile(`^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$`)
 	hexadecimalRegex = regexp.MustCompile(`^[0-9a-fA-F]+$`)
-	whitespaceRegex  = regexp.MustCompile(`^[[:space:]]+$`)
 	dnsNameRegex     = regexp.MustCompile(`^([a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62}){1}(\.[a-zA-Z0-9_]{1}[a-zA-Z0-9_-]{0,62})*[\._]?$`)
 )
 
 func IsURL(urlString string) bool {
-	if urlString == "" ||
-		utf8.RuneCountInString(urlString) >= maxURLRuneCount ||
-		len(urlString) <= minURLRuneCount ||
-		strings.HasPrefix(urlString, ".") {
+	if len(urlString) == 0 {
 		return false
 	}
 
 	strTemp := urlString
-	if strings.Contains(urlString, ":") && !strings.Contains(urlString, "://") {
-		// support no indicated urlscheme but with colon for port number
-		// http:// is appended so url.Parse will succeed, strTemp used so it does not impact rxURL.MatchString
+	if !strings.Contains(urlString, "://") {
+		// support no indicated urlscheme
+		// http:// is appended so url.Parse will succeed
 		strTemp = "http://" + urlString
 	}
 
 	u, err := url.Parse(strTemp)
-	if err != nil {
-		return false
-	}
-
-	if strings.HasPrefix(u.Host, ".") {
-		return false
-	}
-	if u.Host == "" && (u.Path != "" && !strings.Contains(u.Path, ".")) {
-		return false
-	}
-
-	return urlRegex.MatchString(urlString)
+	return err == nil && u.Host != ""
 }
 
 func IsUUID(uuidString string) bool {
-	return uuidRegex.MatchString(uuidString)
+	return uuid.Validate(uuidString) == nil
 }
 
 func IsHexadecimal(hexString string) bool {
@@ -69,7 +40,7 @@ func IsHexadecimal(hexString string) bool {
 }
 
 func HasWhitespaceOnly(s string) bool {
-	return len(s) > 0 && whitespaceRegex.MatchString(s)
+	return len(s) > 0 && strings.TrimSpace(s) == ""
 }
 
 func MinStringLength(s string, len int) bool {
diff --git a/pkg/validate/validate_test.go b/pkg/validate/validate_test.go
index e8b62288e..f3cb6a01c 100644
--- a/pkg/validate/validate_test.go
+++ b/pkg/validate/validate_test.go
@@ -17,6 +17,11 @@ func Test_IsURL(t *testing.T) {
 			url:            "https://google.com",
 			expectedResult: true,
 		},
+		{
+			name:           "empty",
+			url:            "",
+			expectedResult: false,
+		},
 		{
 			name:           "no schema",
 			url:            "google.com",
@@ -33,9 +38,14 @@ func Test_IsURL(t *testing.T) {
 			expectedResult: true,
 		},
 		{
-			name:           "invalid",
+			name:           "no top level domain",
 			url:            "google",
-			expectedResult: false,
+			expectedResult: true,
+		},
+		{
+			name:           "Unicode URL",
+			url:            "www.xn--exampe-7db.ai",
+			expectedResult: true,
 		},
 	}
 
@@ -145,6 +155,11 @@ func Test_HasWhitespaceOnly(t *testing.T) {
 			s:              "something like this",
 			expectedResult: false,
 		},
+		{
+			name:           "all whitespace",
+			s:              "\t\n\v\f\r ",
+			expectedResult: true,
+		},
 	}
 
 	for _, tc := range testCases {

From 24b3499c707f36462bb9fb727d14002164466387 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Thu, 24 Apr 2025 02:13:45 +0200
Subject: [PATCH 110/212] fix(dependencies): downgrade gorilla/csrf to v1.7.2
 (#684)

---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/go.mod b/go.mod
index 45f0eb750..0432cec7a 100644
--- a/go.mod
+++ b/go.mod
@@ -25,7 +25,7 @@ require (
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
-	github.com/gorilla/csrf v1.7.3
+	github.com/gorilla/csrf v1.7.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/go-version v1.7.0
diff --git a/go.sum b/go.sum
index 3f4be510b..eed5e28b8 100644
--- a/go.sum
+++ b/go.sum
@@ -338,8 +338,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
-github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
+github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=

From 8cc28761d74f68eaf397a5b475aad2c27ad1dae8 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 24 Apr 2025 05:47:31 +0100
Subject: [PATCH 111/212] Update bug report template for 2.29.2 (#692)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 6d8f816ea..1bafbfd20 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.29.2'
         - '2.29.1'
         - '2.29.0'
         - '2.28.1'

From 4d4360b86b8e53196413d82426c994f01168d243 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Fri, 2 May 2025 02:14:39 +0100
Subject: [PATCH 112/212] Update bug report template for 2.27.5 (#705)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 1bafbfd20..bb0fe9553 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -99,6 +99,7 @@ body:
         - '2.29.0'
         - '2.28.1'
         - '2.28.0'
+        - '2.27.5'
         - '2.27.4'
         - '2.27.3'
         - '2.27.2'

From bc29419c17a77d80ac3801aaf15562a54865ca03 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Wed, 7 May 2025 20:40:38 +1200
Subject: [PATCH 113/212] refactor: replace the `kubectl` binary with the
 upstream sdk (#524)

---
 api/cmd/portainer/main.go             |   6 +-
 api/exec/exectest/kubernetes_mocks.go |  12 ++
 api/exec/kubernetes_deploy.go         |  71 +++++------
 api/exec/kubernetes_deploy_test.go    | 173 ++++++++++++++++++++++++++
 build/download_binaries.sh            |  14 +--
 build/download_kubectl_binary.sh      |  19 ---
 build/linux/Dockerfile                |   1 -
 build/linux/alpine.Dockerfile         |   1 -
 build/windows/Dockerfile              |   1 -
 go.mod                                |   4 +-
 pkg/libkubectl/apply.go               |  23 ++++
 pkg/libkubectl/client.go              |   4 +-
 pkg/libkubectl/client_test.go         | 101 ---------------
 pkg/libkubectl/delete.go              |  24 ++++
 pkg/libkubectl/manifest.go            |  11 ++
 pkg/libkubectl/manifest_test.go       |  48 +++++++
 pkg/libkubectl/restart.go             |  23 ++++
 17 files changed, 354 insertions(+), 182 deletions(-)
 create mode 100644 api/exec/kubernetes_deploy_test.go
 delete mode 100755 build/download_kubectl_binary.sh
 create mode 100644 pkg/libkubectl/apply.go
 delete mode 100644 pkg/libkubectl/client_test.go
 create mode 100644 pkg/libkubectl/delete.go
 create mode 100644 pkg/libkubectl/manifest.go
 create mode 100644 pkg/libkubectl/manifest_test.go
 create mode 100644 pkg/libkubectl/restart.go

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 99f809c7c..6261efbd9 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -167,8 +167,8 @@ func checkDBSchemaServerVersionMatch(dbStore dataservices.DataStore, serverVersi
 	return v.SchemaVersion == serverVersion && v.Edition == serverEdition
 }
 
-func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, assetsPath string) portainer.KubernetesDeployer {
-	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, assetsPath)
+func initKubernetesDeployer(kubernetesTokenCacheManager *kubeproxy.TokenCacheManager, kubernetesClientFactory *kubecli.ClientFactory, dataStore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager) portainer.KubernetesDeployer {
+	return exec.NewKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)
 }
 
 func initHelmPackageManager() (libhelmtypes.HelmPackageManager, error) {
@@ -423,7 +423,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		log.Fatal().Err(err).Msg("failed initializing swarm stack manager")
 	}
 
-	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager, *flags.Assets)
+	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, signatureService, proxyManager)
 
 	pendingActionsService := pendingactions.NewService(dataStore, kubernetesClientFactory)
 	pendingActionsService.RegisterHandler(actions.CleanNAPWithOverridePolicies, handlers.NewHandlerCleanNAPWithOverridePolicies(authorizationService, dataStore))
diff --git a/api/exec/exectest/kubernetes_mocks.go b/api/exec/exectest/kubernetes_mocks.go
index 894e52135..7d2afac73 100644
--- a/api/exec/exectest/kubernetes_mocks.go
+++ b/api/exec/exectest/kubernetes_mocks.go
@@ -12,3 +12,15 @@ type kubernetesMockDeployer struct {
 func NewKubernetesDeployer() *kubernetesMockDeployer {
 	return &kubernetesMockDeployer{}
 }
+
+func (deployer *kubernetesMockDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+	return "", nil
+}
+
+func (deployer *kubernetesMockDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+	return "", nil
+}
+
+func (deployer *kubernetesMockDeployer) Restart(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+	return "", nil
+}
diff --git a/api/exec/kubernetes_deploy.go b/api/exec/kubernetes_deploy.go
index 1941a6513..0bdd5caa2 100644
--- a/api/exec/kubernetes_deploy.go
+++ b/api/exec/kubernetes_deploy.go
@@ -1,13 +1,8 @@
 package exec
 
 import (
-	"bytes"
+	"context"
 	"fmt"
-	"os"
-	"os/exec"
-	"path"
-	"runtime"
-	"strings"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
@@ -15,13 +10,17 @@ import (
 	"github.com/portainer/portainer/api/http/proxy/factory"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/portainer/portainer/pkg/libkubectl"
 
 	"github.com/pkg/errors"
 )
 
+const (
+	defaultServerURL = "https://kubernetes.default.svc"
+)
+
 // KubernetesDeployer represents a service to deploy resources inside a Kubernetes environment(endpoint).
 type KubernetesDeployer struct {
-	binaryPath                  string
 	dataStore                   dataservices.DataStore
 	reverseTunnelService        portainer.ReverseTunnelService
 	signatureService            portainer.DigitalSignatureService
@@ -31,9 +30,8 @@ type KubernetesDeployer struct {
 }
 
 // NewKubernetesDeployer initializes a new KubernetesDeployer service.
-func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, kubernetesClientFactory *cli.ClientFactory, datastore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager, binaryPath string) *KubernetesDeployer {
+func NewKubernetesDeployer(kubernetesTokenCacheManager *kubernetes.TokenCacheManager, kubernetesClientFactory *cli.ClientFactory, datastore dataservices.DataStore, reverseTunnelService portainer.ReverseTunnelService, signatureService portainer.DigitalSignatureService, proxyManager *proxy.Manager) *KubernetesDeployer {
 	return &KubernetesDeployer{
-		binaryPath:                  binaryPath,
 		dataStore:                   datastore,
 		reverseTunnelService:        reverseTunnelService,
 		signatureService:            signatureService,
@@ -93,48 +91,41 @@ func (deployer *KubernetesDeployer) command(operation string, userID portainer.U
 		return "", errors.Wrap(err, "failed generating a user token")
 	}
 
-	command := path.Join(deployer.binaryPath, "kubectl")
-	if runtime.GOOS == "windows" {
-		command = path.Join(deployer.binaryPath, "kubectl.exe")
-	}
-
-	args := []string{"--token", token}
-	if namespace != "" {
-		args = append(args, "--namespace", namespace)
-	}
-
+	serverURL := defaultServerURL
 	if endpoint.Type == portainer.AgentOnKubernetesEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment {
 		url, proxy, err := deployer.getAgentURL(endpoint)
 		if err != nil {
 			return "", errors.WithMessage(err, "failed generating endpoint URL")
 		}
-
 		defer proxy.Close()
-		args = append(args, "--server", url)
-		args = append(args, "--insecure-skip-tls-verify")
+
+		serverURL = url
 	}
 
-	if operation == "delete" {
-		args = append(args, "--ignore-not-found=true")
-	}
-
-	args = append(args, operation)
-	for _, path := range manifestFiles {
-		args = append(args, "-f", strings.TrimSpace(path))
-	}
-
-	var stderr bytes.Buffer
-	cmd := exec.Command(command, args...)
-	cmd.Env = os.Environ()
-	cmd.Env = append(cmd.Env, "POD_NAMESPACE=default")
-	cmd.Stderr = &stderr
-
-	output, err := cmd.Output()
+	client, err := libkubectl.NewClient(&libkubectl.ClientAccess{
+		Token:     token,
+		ServerUrl: serverURL,
+	}, namespace, "", true)
 	if err != nil {
-		return "", errors.Wrapf(err, "failed to execute kubectl command: %q", stderr.String())
+		return "", errors.Wrap(err, "failed to create kubectl client")
 	}
 
-	return string(output), nil
+	operations := map[string]func(context.Context, []string) (string, error){
+		"apply":  client.Apply,
+		"delete": client.Delete,
+	}
+
+	operationFunc, ok := operations[operation]
+	if !ok {
+		return "", errors.Errorf("unsupported operation: %s", operation)
+	}
+
+	output, err := operationFunc(context.Background(), manifestFiles)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to execute kubectl %s command", operation)
+	}
+
+	return output, nil
 }
 
 func (deployer *KubernetesDeployer) getAgentURL(endpoint *portainer.Endpoint) (string, *factory.ProxyServer, error) {
diff --git a/api/exec/kubernetes_deploy_test.go b/api/exec/kubernetes_deploy_test.go
new file mode 100644
index 000000000..cd49a2b92
--- /dev/null
+++ b/api/exec/kubernetes_deploy_test.go
@@ -0,0 +1,173 @@
+package exec
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type mockKubectlClient struct {
+	applyFunc          func(ctx context.Context, files []string) error
+	deleteFunc         func(ctx context.Context, files []string) error
+	rolloutRestartFunc func(ctx context.Context, resources []string) error
+}
+
+func (m *mockKubectlClient) Apply(ctx context.Context, files []string) error {
+	if m.applyFunc != nil {
+		return m.applyFunc(ctx, files)
+	}
+	return nil
+}
+
+func (m *mockKubectlClient) Delete(ctx context.Context, files []string) error {
+	if m.deleteFunc != nil {
+		return m.deleteFunc(ctx, files)
+	}
+	return nil
+}
+
+func (m *mockKubectlClient) RolloutRestart(ctx context.Context, resources []string) error {
+	if m.rolloutRestartFunc != nil {
+		return m.rolloutRestartFunc(ctx, resources)
+	}
+	return nil
+}
+
+func testExecuteKubectlOperation(client *mockKubectlClient, operation string, manifestFiles []string) error {
+	operations := map[string]func(context.Context, []string) error{
+		"apply":           client.Apply,
+		"delete":          client.Delete,
+		"rollout-restart": client.RolloutRestart,
+	}
+
+	operationFunc, ok := operations[operation]
+	if !ok {
+		return fmt.Errorf("unsupported operation: %s", operation)
+	}
+
+	if err := operationFunc(context.Background(), manifestFiles); err != nil {
+		return fmt.Errorf("failed to execute kubectl %s command: %w", operation, err)
+	}
+
+	return nil
+}
+
+func TestExecuteKubectlOperation_Apply_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		applyFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"manifest1.yaml", "manifest2.yaml"}, files)
+			return nil
+		},
+	}
+
+	manifests := []string{"manifest1.yaml", "manifest2.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "apply", manifests)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Apply_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl apply failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		applyFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"error.yaml"}, files)
+			return expectedErr
+		},
+	}
+
+	manifests := []string{"error.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "apply", manifests)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Delete_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		deleteFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"manifest1.yaml"}, files)
+			return nil
+		},
+	}
+
+	manifests := []string{"manifest1.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "delete", manifests)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_Delete_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl delete failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		deleteFunc: func(ctx context.Context, files []string) error {
+			called = true
+			assert.Equal(t, []string{"error.yaml"}, files)
+			return expectedErr
+		},
+	}
+
+	manifests := []string{"error.yaml"}
+	err := testExecuteKubectlOperation(mockClient, "delete", manifests)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_RolloutRestart_Success(t *testing.T) {
+	called := false
+	mockClient := &mockKubectlClient{
+		rolloutRestartFunc: func(ctx context.Context, resources []string) error {
+			called = true
+			assert.Equal(t, []string{"deployment/nginx"}, resources)
+			return nil
+		},
+	}
+
+	resources := []string{"deployment/nginx"}
+	err := testExecuteKubectlOperation(mockClient, "rollout-restart", resources)
+
+	assert.NoError(t, err)
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_RolloutRestart_Error(t *testing.T) {
+	expectedErr := errors.New("kubectl rollout restart failed")
+	called := false
+	mockClient := &mockKubectlClient{
+		rolloutRestartFunc: func(ctx context.Context, resources []string) error {
+			called = true
+			assert.Equal(t, []string{"deployment/error"}, resources)
+			return expectedErr
+		},
+	}
+
+	resources := []string{"deployment/error"}
+	err := testExecuteKubectlOperation(mockClient, "rollout-restart", resources)
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), expectedErr.Error())
+	assert.True(t, called)
+}
+
+func TestExecuteKubectlOperation_UnsupportedOperation(t *testing.T) {
+	mockClient := &mockKubectlClient{}
+
+	err := testExecuteKubectlOperation(mockClient, "unsupported", []string{})
+
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "unsupported operation")
+}
diff --git a/build/download_binaries.sh b/build/download_binaries.sh
index 05c2c780b..7494d94d3 100755
--- a/build/download_binaries.sh
+++ b/build/download_binaries.sh
@@ -7,21 +7,17 @@ ARCH=${2:-"amd64"}
 BINARY_VERSION_FILE="./binary-version.json"
 
 dockerVersion=$(jq -r '.docker' < "${BINARY_VERSION_FILE}")
-helmVersion=$(jq -r '.helm' < "${BINARY_VERSION_FILE}")
-kubectlVersion=$(jq -r '.kubectl' < "${BINARY_VERSION_FILE}")
 mingitVersion=$(jq -r '.mingit' < "${BINARY_VERSION_FILE}")
 
 mkdir -p dist
 
-echo "Checking and downloading binaries for docker ${dockerVersion}, helm ${helmVersion}, kubectl ${kubectlVersion} and mingit ${mingitVersion} (Windows only)"
+echo "Checking and downloading binaries for docker ${dockerVersion}, and mingit ${mingitVersion} (Windows only)"
 
 # Determine the binary file names based on the platform
 dockerBinary="dist/docker"
-kubectlBinary="dist/kubectl"
 
 if [ "$PLATFORM" == "windows" ]; then
     dockerBinary="dist/docker.exe"
-    kubectlBinary="dist/kubectl.exe"
 fi
 
 # Check and download docker binary
@@ -32,14 +28,6 @@ else
     echo "Docker binary already exists, skipping download."
 fi
 
-# Check and download kubectl binary
-if [ ! -f "$kubectlBinary" ]; then
-    echo "Downloading kubectl binary..."
-    /usr/bin/env bash ./build/download_kubectl_binary.sh "$PLATFORM" "$ARCH" "$kubectlVersion"
-else
-    echo "Kubectl binary already exists, skipping download."
-fi
-
 # Check and download mingit binary only for Windows
 if [ "$PLATFORM" == "windows" ]; then
     if [ ! -f "dist/mingit" ]; then
diff --git a/build/download_kubectl_binary.sh b/build/download_kubectl_binary.sh
deleted file mode 100755
index 39c9c466b..000000000
--- a/build/download_kubectl_binary.sh
+++ /dev/null
@@ -1,19 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-if [[ $# -ne 3 ]]; then
-    echo "Illegal number of parameters" >&2
-    exit 1
-fi
-
-PLATFORM=$1
-ARCH=$2
-KUBECTL_VERSION=$3
-
-if [[ ${PLATFORM} == "windows" ]]; then
-  wget --tries=3 --waitretry=30 --quiet -O "dist/kubectl.exe" "https://dl.k8s.io/${KUBECTL_VERSION}/bin/windows/amd64/kubectl.exe"
-  chmod +x "dist/kubectl.exe"
-else
-  wget --tries=3 --waitretry=30 --quiet -O "dist/kubectl" "https://dl.k8s.io/${KUBECTL_VERSION}/bin/${PLATFORM}/${ARCH}/kubectl"
-  chmod +x "dist/kubectl"
-fi
diff --git a/build/linux/Dockerfile b/build/linux/Dockerfile
index eeded41c1..a79122a30 100644
--- a/build/linux/Dockerfile
+++ b/build/linux/Dockerfile
@@ -11,7 +11,6 @@ LABEL org.opencontainers.image.title="Portainer" \
   com.docker.extension.additional-urls="[{\"title\":\"Website\",\"url\":\"https://www.portainer.io?utm_campaign=DockerCon&utm_source=DockerDesktop\"},{\"title\":\"Documentation\",\"url\":\"https://docs.portainer.io\"},{\"title\":\"Support\",\"url\":\"https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA\"}]"
 
 COPY dist/docker /
-COPY dist/kubectl /
 COPY dist/mustache-templates /mustache-templates/
 COPY dist/portainer /
 COPY dist/public /public/
diff --git a/build/linux/alpine.Dockerfile b/build/linux/alpine.Dockerfile
index e2ced7d3e..f74748a42 100644
--- a/build/linux/alpine.Dockerfile
+++ b/build/linux/alpine.Dockerfile
@@ -11,7 +11,6 @@ LABEL org.opencontainers.image.title="Portainer" \
     com.docker.extension.additional-urls="[{\"title\":\"Website\",\"url\":\"https://www.portainer.io?utm_campaign=DockerCon&utm_source=DockerDesktop\"},{\"title\":\"Documentation\",\"url\":\"https://docs.portainer.io\"},{\"title\":\"Support\",\"url\":\"https://join.slack.com/t/portainer/shared_invite/zt-txh3ljab-52QHTyjCqbe5RibC2lcjKA\"}]"
 
 COPY dist/docker /
-COPY dist/kubectl /
 COPY dist/mustache-templates /mustache-templates/
 COPY dist/portainer /
 COPY dist/public /public/
diff --git a/build/windows/Dockerfile b/build/windows/Dockerfile
index 324e68f04..615744a83 100644
--- a/build/windows/Dockerfile
+++ b/build/windows/Dockerfile
@@ -10,7 +10,6 @@ USER ContainerAdministrator
 
 COPY dist/mingit/ mingit/
 COPY dist/docker.exe /
-COPY dist/kubectl.exe /
 COPY dist/mustache-templates /mustache-templates/
 COPY dist/portainer.exe /
 COPY dist/public /public/
diff --git a/go.mod b/go.mod
index 0432cec7a..19ebbfa60 100644
--- a/go.mod
+++ b/go.mod
@@ -25,6 +25,7 @@ require (
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
+	github.com/google/uuid v1.6.0
 	github.com/gorilla/csrf v1.7.2
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.0
@@ -158,7 +159,6 @@ require (
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
-	github.com/google/uuid v1.6.0 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
@@ -184,6 +184,7 @@ require (
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lib/pq v1.10.9 // indirect
 	github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de // indirect
+	github.com/lithammer/dedent v1.1.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.17 // indirect
@@ -242,6 +243,7 @@ require (
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/theupdateframework/notary v0.7.0 // indirect
 	github.com/tilt-dev/fsnotify v1.4.8-0.20220602155310-fff9c274a375 // indirect
diff --git a/pkg/libkubectl/apply.go b/pkg/libkubectl/apply.go
new file mode 100644
index 000000000..bf77f174f
--- /dev/null
+++ b/pkg/libkubectl/apply.go
@@ -0,0 +1,23 @@
+package libkubectl
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	"k8s.io/kubectl/pkg/cmd/apply"
+)
+
+func (c *Client) Apply(ctx context.Context, manifests []string) (string, error) {
+	buf := new(bytes.Buffer)
+
+	cmd := apply.NewCmdApply("kubectl", c.factory, c.streams)
+	cmd.SetArgs(manifestFilesToArgs(manifests))
+	cmd.SetOut(buf)
+
+	if err := cmd.ExecuteContext(ctx); err != nil {
+		return "", fmt.Errorf("error applying resources: %w", err)
+	}
+
+	return buf.String(), nil
+}
diff --git a/pkg/libkubectl/client.go b/pkg/libkubectl/client.go
index bfb86f172..f9d4137f6 100644
--- a/pkg/libkubectl/client.go
+++ b/pkg/libkubectl/client.go
@@ -41,8 +41,8 @@ func NewClient(libKubectlAccess *ClientAccess, namespace, kubeconfig string, ins
 // If server and token are provided, they will be used to connect to the cluster
 // If neither kubeconfigPath or server and token are provided, an error will be returned
 func generateConfigFlags(token, server, namespace, kubeconfigPath string, insecure bool) (*genericclioptions.ConfigFlags, error) {
-	if kubeconfigPath == "" && (server == "" || token == "") {
-		return nil, errors.New("must provide either a kubeconfig path or a server and token")
+	if kubeconfigPath == "" && server == "" {
+		return nil, errors.New("must provide either a kubeconfig path or a server")
 	}
 
 	configFlags := genericclioptions.NewConfigFlags(true)
diff --git a/pkg/libkubectl/client_test.go b/pkg/libkubectl/client_test.go
deleted file mode 100644
index c2c7fd739..000000000
--- a/pkg/libkubectl/client_test.go
+++ /dev/null
@@ -1,101 +0,0 @@
-package libkubectl
-
-import (
-	"testing"
-)
-
-func TestNewClient(t *testing.T) {
-	tests := []struct {
-		name             string
-		libKubectlAccess ClientAccess
-		namespace        string
-		kubeconfig       string
-		insecure         bool
-		wantErr          bool
-		errContains      string
-	}{
-		{
-			name:             "valid client with token and server",
-			libKubectlAccess: ClientAccess{Token: "test-token", ServerUrl: "https://localhost:6443"},
-			namespace:        "default",
-			insecure:         true,
-			wantErr:          false,
-		},
-		{
-			name:       "valid client with kubeconfig",
-			kubeconfig: "/path/to/kubeconfig",
-			namespace:  "test-namespace",
-			insecure:   false,
-			wantErr:    false,
-		},
-		{
-			name:        "missing both token/server and kubeconfig",
-			namespace:   "default",
-			insecure:    false,
-			wantErr:     true,
-			errContains: "must provide either a kubeconfig path or a server and token",
-		},
-		{
-			name:             "missing token with server",
-			libKubectlAccess: ClientAccess{ServerUrl: "https://localhost:6443"},
-			namespace:        "default",
-			insecure:         false,
-			wantErr:          true,
-			errContains:      "must provide either a kubeconfig path or a server and token",
-		},
-		{
-			name:             "missing server with token",
-			libKubectlAccess: ClientAccess{Token: "test-token"},
-			namespace:        "default",
-			insecure:         false,
-			wantErr:          true,
-			errContains:      "must provide either a kubeconfig path or a server and token",
-		},
-		{
-			name:             "empty namespace is valid",
-			libKubectlAccess: ClientAccess{Token: "test-token", ServerUrl: "https://localhost:6443"},
-			namespace:        "",
-			insecure:         false,
-			wantErr:          false,
-		},
-		{
-			name:             "insecure true with valid credentials",
-			libKubectlAccess: ClientAccess{Token: "test-token", ServerUrl: "https://localhost:6443"},
-			namespace:        "default",
-			insecure:         true,
-			wantErr:          false,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			client, err := NewClient(&tt.libKubectlAccess, tt.namespace, tt.kubeconfig, tt.insecure)
-			if (err != nil) != tt.wantErr {
-				t.Errorf("NewClient() error = %v, wantErr %v", err, tt.wantErr)
-				return
-			}
-
-			if err != nil && tt.errContains != "" {
-				if got := err.Error(); got != tt.errContains {
-					t.Errorf("NewClient() error = %v, want error containing %v", got, tt.errContains)
-				}
-				return
-			}
-
-			if !tt.wantErr {
-				if client == nil {
-					t.Error("NewClient() returned nil client when no error was expected")
-					return
-				}
-
-				// Verify client fields are properly initialized
-				if client.factory == nil {
-					t.Error("NewClient() client.factory is nil")
-				}
-				if client.out == nil {
-					t.Error("NewClient() client.out is nil")
-				}
-			}
-		})
-	}
-}
diff --git a/pkg/libkubectl/delete.go b/pkg/libkubectl/delete.go
new file mode 100644
index 000000000..f8326a9f0
--- /dev/null
+++ b/pkg/libkubectl/delete.go
@@ -0,0 +1,24 @@
+package libkubectl
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	"k8s.io/kubectl/pkg/cmd/delete"
+)
+
+func (c *Client) Delete(ctx context.Context, manifests []string) (string, error) {
+	buf := new(bytes.Buffer)
+
+	cmd := delete.NewCmdDelete(c.factory, c.streams)
+	cmd.SetArgs(manifestFilesToArgs(manifests))
+	cmd.Flags().Set("ignore-not-found", "true")
+	cmd.SetOut(buf)
+
+	if err := cmd.ExecuteContext(ctx); err != nil {
+		return "", fmt.Errorf("error deleting resources: %w", err)
+	}
+
+	return buf.String(), nil
+}
diff --git a/pkg/libkubectl/manifest.go b/pkg/libkubectl/manifest.go
new file mode 100644
index 000000000..cc63b5883
--- /dev/null
+++ b/pkg/libkubectl/manifest.go
@@ -0,0 +1,11 @@
+package libkubectl
+
+import "strings"
+
+func manifestFilesToArgs(manifestFiles []string) []string {
+	args := []string{}
+	for _, path := range manifestFiles {
+		args = append(args, "-f", strings.TrimSpace(path))
+	}
+	return args
+}
diff --git a/pkg/libkubectl/manifest_test.go b/pkg/libkubectl/manifest_test.go
new file mode 100644
index 000000000..9261c65ee
--- /dev/null
+++ b/pkg/libkubectl/manifest_test.go
@@ -0,0 +1,48 @@
+package libkubectl
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestManifestFilesToArgsHelper(t *testing.T) {
+	tests := []struct {
+		name          string
+		manifestFiles []string
+		expectedArgs  []string
+	}{
+		{
+			name:          "empty list",
+			manifestFiles: []string{},
+			expectedArgs:  []string{},
+		},
+		{
+			name:          "single manifest",
+			manifestFiles: []string{"manifest.yaml"},
+			expectedArgs:  []string{"-f", "manifest.yaml"},
+		},
+		{
+			name:          "multiple manifests",
+			manifestFiles: []string{"manifest1.yaml", "manifest2.yaml"},
+			expectedArgs:  []string{"-f", "manifest1.yaml", "-f", "manifest2.yaml"},
+		},
+		{
+			name:          "manifests with whitespace",
+			manifestFiles: []string{" manifest1.yaml ", "  manifest2.yaml"},
+			expectedArgs:  []string{"-f", "manifest1.yaml", "-f", "manifest2.yaml"},
+		},
+		{
+			name:          "kubernetes resource definitions",
+			manifestFiles: []string{"deployment/nginx", "service/web"},
+			expectedArgs:  []string{"-f", "deployment/nginx", "-f", "service/web"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args := manifestFilesToArgs(tt.manifestFiles)
+			assert.Equal(t, tt.expectedArgs, args)
+		})
+	}
+}
diff --git a/pkg/libkubectl/restart.go b/pkg/libkubectl/restart.go
new file mode 100644
index 000000000..4f7083787
--- /dev/null
+++ b/pkg/libkubectl/restart.go
@@ -0,0 +1,23 @@
+package libkubectl
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+
+	"k8s.io/kubectl/pkg/cmd/rollout"
+)
+
+func (c *Client) RolloutRestart(ctx context.Context, manifests []string) (string, error) {
+	buf := new(bytes.Buffer)
+
+	cmd := rollout.NewCmdRollout(c.factory, c.streams)
+	cmd.SetArgs(manifestFilesToArgs(manifests))
+	cmd.SetOut(buf)
+
+	if err := cmd.ExecuteContext(ctx); err != nil {
+		return "", fmt.Errorf("error restarting resources: %w", err)
+	}
+
+	return buf.String(), nil
+}

From 3b05505527aa9eadde78a3d2d783a99624a96734 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Thu, 8 May 2025 10:24:20 +0200
Subject: [PATCH 114/212] fix(update-schedules): display enriched error logs
 for agent updates [BE-11756] (#693)

---
 pkg/libstack/compose/status.go | 77 ++++++++++++++++++++++++++++------
 1 file changed, 65 insertions(+), 12 deletions(-)

diff --git a/pkg/libstack/compose/status.go b/pkg/libstack/compose/status.go
index b6ad44ebf..d2fadff2c 100644
--- a/pkg/libstack/compose/status.go
+++ b/pkg/libstack/compose/status.go
@@ -1,14 +1,19 @@
 package compose
 
 import (
+	"bytes"
 	"context"
 	"fmt"
+	"io"
 	"time"
 
 	"github.com/portainer/portainer/pkg/libstack"
 
 	"github.com/compose-spec/compose-go/v2/types"
+	"github.com/docker/cli/cli/command"
 	"github.com/docker/compose/v2/pkg/api"
+	"github.com/docker/docker/api/types/container"
+	"github.com/pkg/errors"
 	"github.com/rs/zerolog/log"
 )
 
@@ -35,7 +40,7 @@ type service struct {
 }
 
 // docker container state can be one of "created", "running", "paused", "restarting", "removing", "exited", or "dead"
-func getServiceStatus(service service) (libstack.Status, string) {
+func getServiceStatus(ctx context.Context, service service) (libstack.Status, string) {
 	log.Debug().
 		Str("service", service.Name).
 		Str("state", service.State).
@@ -50,22 +55,70 @@ func getServiceStatus(service service) (libstack.Status, string) {
 	case "removing":
 		return libstack.StatusRemoving, ""
 	case "exited":
-		if service.ExitCode != 0 {
-			return libstack.StatusError, fmt.Sprintf("service %s exited with code %d", service.Name, service.ExitCode)
-		}
-		return libstack.StatusCompleted, ""
-	case "dead":
-		if service.ExitCode != 0 {
-			return libstack.StatusError, fmt.Sprintf("service %s exited with code %d", service.Name, service.ExitCode)
+		if service.ExitCode == 0 {
+			return libstack.StatusCompleted, ""
 		}
 
-		return libstack.StatusRemoved, ""
+		errorMessage, err := getContainerLogsTail(ctx, service)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Str("service", service.Name).
+				Msg("failed to get logs from container")
+			errorMessage = fmt.Sprintf("service %s exited with code %d", service.Name, service.ExitCode)
+		}
+
+		return libstack.StatusError, errorMessage
+	case "dead":
+		if service.ExitCode == 0 {
+			return libstack.StatusRemoved, ""
+		}
+
+		errorMessage, err := getContainerLogsTail(ctx, service)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Str("service", service.Name).
+				Msg("failed to get logs from container")
+			errorMessage = fmt.Sprintf("service %s exited with code %d", service.Name, service.ExitCode)
+		}
+
+		return libstack.StatusError, errorMessage
 	default:
 		return libstack.StatusUnknown, ""
 	}
 }
 
-func aggregateStatuses(services []service) (libstack.Status, string) {
+func getContainerLogsTail(ctx context.Context, service service) (string, error) {
+	var combinedOutput bytes.Buffer
+
+	if err := withCli(ctx, libstack.Options{ProjectName: service.Project}, func(ctx context.Context, cli *command.DockerCli) error {
+		out, err := cli.Client().ContainerLogs(ctx, service.Name, container.LogsOptions{
+			ShowStdout: true,
+			ShowStderr: true,
+			Timestamps: true,
+			Follow:     false,
+			Tail:       "20",
+		})
+		if err != nil {
+			return errors.Wrap(err, "unable to get logs from container")
+		}
+		defer out.Close()
+
+		_, err = io.Copy(&combinedOutput, out)
+		if err != nil {
+			return errors.Wrap(err, "unable to read container logs")
+		}
+
+		return nil
+	}); err != nil {
+		return "", errors.Wrap(err, "unable to get logs from container")
+	}
+
+	return combinedOutput.String(), nil
+}
+
+func aggregateStatuses(ctx context.Context, services []service) (libstack.Status, string) {
 	servicesCount := len(services)
 
 	if servicesCount == 0 {
@@ -78,7 +131,7 @@ func aggregateStatuses(services []service) (libstack.Status, string) {
 	statusCounts := make(map[libstack.Status]int)
 	errorMessage := ""
 	for _, service := range services {
-		status, serviceError := getServiceStatus(service)
+		status, serviceError := getServiceStatus(ctx, service)
 		if serviceError != "" {
 			errorMessage = serviceError
 		}
@@ -148,7 +201,7 @@ func (c *ComposeDeployer) WaitForStatus(ctx context.Context, name string, status
 			return waitResult
 		}
 
-		aggregateStatus, errorMessage := aggregateStatuses(services)
+		aggregateStatus, errorMessage := aggregateStatuses(ctx, services)
 		if aggregateStatus == status {
 			return waitResult
 		}

From b9b734ceda3332a29aebeb6608a20f5a9cabbf4a Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Fri, 9 May 2025 03:39:15 +0100
Subject: [PATCH 115/212] Update bug report template for 2.27.6 (#721)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index bb0fe9553..b83e3792a 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -99,6 +99,7 @@ body:
         - '2.29.0'
         - '2.28.1'
         - '2.28.0'
+        - '2.27.6'
         - '2.27.5'
         - '2.27.4'
         - '2.27.3'

From 9fdc535d6bcc5ba561fdc9910e66c17e88429208 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Thu, 8 May 2025 23:39:29 -0300
Subject: [PATCH 116/212] fix(csrf): skip the trusted origins check for
 plain-text HTTP requests BE-11832 (#710)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
Co-authored-by: oscarzhou <oscar.zhou@portainer.io>
---
 .../middlewares/plaintext_http_request.go     | 36 +++++++++++++++++++
 api/http/server.go                            |  2 +-
 go.mod                                        |  3 +-
 go.sum                                        |  4 +--
 4 files changed, 40 insertions(+), 5 deletions(-)
 create mode 100644 api/http/middlewares/plaintext_http_request.go

diff --git a/api/http/middlewares/plaintext_http_request.go b/api/http/middlewares/plaintext_http_request.go
new file mode 100644
index 000000000..668346098
--- /dev/null
+++ b/api/http/middlewares/plaintext_http_request.go
@@ -0,0 +1,36 @@
+package middlewares
+
+import (
+	"net/http"
+	"slices"
+
+	"github.com/gorilla/csrf"
+)
+
+var (
+	// Idempotent (safe) methods as defined by RFC7231 section 4.2.2.
+	safeMethods = []string{"GET", "HEAD", "OPTIONS", "TRACE"}
+)
+
+type plainTextHTTPRequestHandler struct {
+	next http.Handler
+}
+
+func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	if slices.Contains(safeMethods, r.Method) {
+		h.next.ServeHTTP(w, r)
+		return
+	}
+
+	req := r
+	// If original request was HTTPS (via proxy), keep CSRF checks.
+	if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" {
+		req = csrf.PlaintextHTTPRequest(r)
+	}
+
+	h.next.ServeHTTP(w, req)
+}
+
+func PlaintextHTTPRequest(next http.Handler) http.Handler {
+	return &plainTextHTTPRequestHandler{next: next}
+}
diff --git a/api/http/server.go b/api/http/server.go
index 3b3fff77d..183a78c04 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -349,7 +349,7 @@ func (server *Server) Start() error {
 			log.Info().Str("bind_address", server.BindAddress).Msg("starting HTTP server")
 			httpServer := &http.Server{
 				Addr:     server.BindAddress,
-				Handler:  handler,
+				Handler:  middlewares.PlaintextHTTPRequest(handler),
 				ErrorLog: errorLogger,
 			}
 
diff --git a/go.mod b/go.mod
index 19ebbfa60..3193c560c 100644
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/go-cmp v0.6.0
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/csrf v1.7.2
+	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/mux v1.8.1
 	github.com/gorilla/websocket v1.5.0
 	github.com/hashicorp/go-version v1.7.0
@@ -243,7 +243,6 @@ require (
 	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/cobra v1.8.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/theupdateframework/notary v0.7.0 // indirect
 	github.com/tilt-dev/fsnotify v1.4.8-0.20220602155310-fff9c274a375 // indirect
diff --git a/go.sum b/go.sum
index eed5e28b8..3f4be510b 100644
--- a/go.sum
+++ b/go.sum
@@ -338,8 +338,8 @@ github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaU
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
-github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
+github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
 github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=

From 1abdf42f991a8e867cbc1f9c4bd779eb3de686bb Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Mon, 12 May 2025 11:18:04 +1200
Subject: [PATCH 117/212] feat(libstack): expose env vars with PORTAINER_
 prefix [BE-11661] (#687)

---
 .../EdgeScriptSettingsFieldset.tsx            |   5 +
 pkg/libstack/compose/composeplugin.go         |  11 +
 pkg/libstack/compose/composeplugin_test.go    | 216 ++++++++++++++++++
 3 files changed, 232 insertions(+)

diff --git a/app/react/edge/components/EdgeScriptForm/EdgeScriptSettingsFieldset.tsx b/app/react/edge/components/EdgeScriptForm/EdgeScriptSettingsFieldset.tsx
index 226886efa..cab25a0af 100644
--- a/app/react/edge/components/EdgeScriptForm/EdgeScriptSettingsFieldset.tsx
+++ b/app/react/edge/components/EdgeScriptForm/EdgeScriptSettingsFieldset.tsx
@@ -87,6 +87,11 @@ export function EdgeScriptSettingsFieldset({
         />
       </FormControl>
 
+      <TextTip color="orange" className="mb-2 icon-orange">
+        For security purposes, only environment variables prefixed with
+        &apos;PORTAINER_&apos; will be accessible.
+      </TextTip>
+
       <div className="form-group">
         <div className="col-sm-12">
           <SwitchField
diff --git a/pkg/libstack/compose/composeplugin.go b/pkg/libstack/compose/composeplugin.go
index 07fed9dbe..01a5134ea 100644
--- a/pkg/libstack/compose/composeplugin.go
+++ b/pkg/libstack/compose/composeplugin.go
@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"maps"
+	"os"
 	"path/filepath"
 	"slices"
 	"strconv"
@@ -29,6 +30,8 @@ import (
 
 const PortainerEdgeStackLabel = "io.portainer.edge_stack_id"
 
+const portainerEnvVarsPrefix = "PORTAINER_"
+
 var mu sync.Mutex
 
 func init() {
@@ -322,11 +325,19 @@ func createProject(ctx context.Context, configFilepaths []string, options libsta
 		envFiles = append(envFiles, options.EnvFilePath)
 	}
 
+	var osPortainerEnvVars []string
+	for _, ev := range os.Environ() {
+		if strings.HasPrefix(ev, portainerEnvVarsPrefix) {
+			osPortainerEnvVars = append(osPortainerEnvVars, ev)
+		}
+	}
+
 	projectOptions, err := cli.NewProjectOptions(configFilepaths,
 		cli.WithWorkingDirectory(workingDir),
 		cli.WithName(options.ProjectName),
 		cli.WithoutEnvironmentResolution,
 		cli.WithResolvedPaths(!slices.Contains(options.ConfigOptions, "--no-path-resolution")),
+		cli.WithEnv(osPortainerEnvVars),
 		cli.WithEnv(options.Env),
 		cli.WithEnvFiles(envFiles...),
 		func(o *cli.ProjectOptions) error {
diff --git a/pkg/libstack/compose/composeplugin_test.go b/pkg/libstack/compose/composeplugin_test.go
index a7121eadf..6f5ed0948 100644
--- a/pkg/libstack/compose/composeplugin_test.go
+++ b/pkg/libstack/compose/composeplugin_test.go
@@ -719,6 +719,7 @@ func Test_createProject(t *testing.T) {
 		filesToCreate   map[string]string
 		configFilepaths []string
 		options         libstack.Options
+		osEnv           map[string]string
 		expectedProject *types.Project
 	}{
 		{
@@ -1049,6 +1050,217 @@ func Test_createProject(t *testing.T) {
 			},
 			expectedProject: expectedSimpleComposeProject("/project-dir", nil),
 		},
+		{
+			name: "OS Env Vars",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": testSimpleComposeConfig,
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectName: projectName,
+			},
+			osEnv: map[string]string{
+				"PORTAINER_WEB_FOLDER": "html-1",
+				"other_var":            "something",
+			},
+			expectedProject: expectedSimpleComposeProject("", map[string]string{"PORTAINER_WEB_FOLDER": "html-1"}),
+		},
+		{
+			name: "Env Vars in compose file, compose env file, env, os, and env_file",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest
+    env_file: ` + dir + `/compose-stack.env
+    environment:
+        PORTAINER_VAR: compose_file_environment`,
+				"stack.env":         "PORTAINER_VAR=env_file",
+				"compose-stack.env": "PORTAINER_VAR=compose_env_file",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectName: projectName,
+				Env:         []string{"PORTAINER_VAR=env"},
+				EnvFilePath: dir + "/stack.env",
+			},
+			osEnv: map[string]string{
+				"PORTAINER_VAR": "os",
+			},
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.NewMappingWithEquals([]string{"PORTAINER_VAR=compose_file_environment"}),
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose.yml",
+				},
+				Environment:      map[string]string{"COMPOSE_PROJECT_NAME": "create-project-test", "PORTAINER_VAR": "env"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "Env Vars in compose env file, env, os, and env_file",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest
+    env_file: ` + dir + `/compose-stack.env`,
+				"stack.env":         "PORTAINER_VAR=env_file",
+				"compose-stack.env": "PORTAINER_VAR=compose_env_file",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectName: projectName,
+				Env:         []string{"PORTAINER_VAR=env"},
+				EnvFilePath: dir + "/stack.env",
+			},
+			osEnv: map[string]string{
+				"PORTAINER_VAR": "os",
+			},
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.NewMappingWithEquals([]string{"PORTAINER_VAR=compose_env_file"}),
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose.yml",
+				},
+				Environment:      map[string]string{"COMPOSE_PROJECT_NAME": "create-project-test", "PORTAINER_VAR": "env"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "Env Vars in env, os, and env_file",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest`,
+				"stack.env": "PORTAINER_VAR=env_file",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectName: projectName,
+				Env:         []string{"PORTAINER_VAR=env"},
+				EnvFilePath: dir + "/stack.env",
+			},
+			osEnv: map[string]string{
+				"PORTAINER_VAR": "os",
+			},
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose.yml",
+				},
+				Environment:      map[string]string{"COMPOSE_PROJECT_NAME": "create-project-test", "PORTAINER_VAR": "env"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "Env Vars in os and env_file",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest`,
+				"stack.env": "PORTAINER_VAR=env_file",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectName: projectName,
+				EnvFilePath: dir + "/stack.env",
+			},
+			osEnv: map[string]string{
+				"PORTAINER_VAR": "os",
+			},
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose.yml",
+				},
+				Environment:      map[string]string{"COMPOSE_PROJECT_NAME": "create-project-test", "PORTAINER_VAR": "os"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
+		{
+			name: "Env Vars in env_file",
+			filesToCreate: map[string]string{
+				"docker-compose.yml": `services:
+  nginx:
+    container_name: nginx
+    image: nginx:latest`,
+				"stack.env": "PORTAINER_VAR=env_file",
+			},
+			configFilepaths: []string{dir + "/docker-compose.yml"},
+			options: libstack.Options{
+				ProjectName: projectName,
+				EnvFilePath: dir + "/stack.env",
+			},
+			expectedProject: &types.Project{
+				Name:       projectName,
+				WorkingDir: dir,
+				Services: types.Services{
+					"nginx": {
+						Name:          "nginx",
+						ContainerName: "nginx",
+						Environment:   types.MappingWithEquals{},
+						Image:         "nginx:latest",
+						Networks:      map[string]*types.ServiceNetworkConfig{"default": nil},
+					},
+				},
+				Networks: types.Networks{"default": {Name: "create-project-test_default"}},
+				ComposeFiles: []string{
+					dir + "/docker-compose.yml",
+				},
+				Environment:      map[string]string{"COMPOSE_PROJECT_NAME": "create-project-test", "PORTAINER_VAR": "env_file"},
+				DisabledServices: types.Services{},
+				Profiles:         []string{""},
+			},
+		},
 	}
 
 	for _, tc := range testcases {
@@ -1070,6 +1282,10 @@ func Test_createProject(t *testing.T) {
 				}
 			}()
 
+			for k, v := range tc.osEnv {
+				t.Setenv(k, v)
+			}
+
 			gotProject, err := createProject(ctx, tc.configFilepaths, tc.options)
 			if err != nil {
 				t.Fatalf("Failed to create new project: %v", err)

From 3b313b9308b0be0cd415f148aab6f7d7c1efd873 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Tue, 13 May 2025 11:35:44 +1200
Subject: [PATCH 118/212] fix(kubectl): rollout restart [r8s-322] (#729)

---
 api/exec/kubernetes_deploy.go   | 12 ++++----
 pkg/libkubectl/apply.go         |  2 +-
 pkg/libkubectl/delete.go        |  2 +-
 pkg/libkubectl/manifest.go      | 11 -------
 pkg/libkubectl/manifest_test.go | 48 -----------------------------
 pkg/libkubectl/resource.go      | 20 +++++++++++++
 pkg/libkubectl/resource_test.go | 53 +++++++++++++++++++++++++++++++++
 pkg/libkubectl/restart.go       |  5 +++-
 8 files changed, 85 insertions(+), 68 deletions(-)
 delete mode 100644 pkg/libkubectl/manifest.go
 delete mode 100644 pkg/libkubectl/manifest_test.go
 create mode 100644 pkg/libkubectl/resource.go
 create mode 100644 pkg/libkubectl/resource_test.go

diff --git a/api/exec/kubernetes_deploy.go b/api/exec/kubernetes_deploy.go
index 0bdd5caa2..940276929 100644
--- a/api/exec/kubernetes_deploy.go
+++ b/api/exec/kubernetes_deploy.go
@@ -76,16 +76,16 @@ func (deployer *KubernetesDeployer) getToken(userID portainer.UserID, endpoint *
 }
 
 // Deploy upserts Kubernetes resources defined in manifest(s)
-func (deployer *KubernetesDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return deployer.command("apply", userID, endpoint, manifestFiles, namespace)
+func (deployer *KubernetesDeployer) Deploy(userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
+	return deployer.command("apply", userID, endpoint, resources, namespace)
 }
 
 // Remove deletes Kubernetes resources defined in manifest(s)
-func (deployer *KubernetesDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
-	return deployer.command("delete", userID, endpoint, manifestFiles, namespace)
+func (deployer *KubernetesDeployer) Remove(userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
+	return deployer.command("delete", userID, endpoint, resources, namespace)
 }
 
-func (deployer *KubernetesDeployer) command(operation string, userID portainer.UserID, endpoint *portainer.Endpoint, manifestFiles []string, namespace string) (string, error) {
+func (deployer *KubernetesDeployer) command(operation string, userID portainer.UserID, endpoint *portainer.Endpoint, resources []string, namespace string) (string, error) {
 	token, err := deployer.getToken(userID, endpoint, endpoint.Type == portainer.KubernetesLocalEnvironment)
 	if err != nil {
 		return "", errors.Wrap(err, "failed generating a user token")
@@ -120,7 +120,7 @@ func (deployer *KubernetesDeployer) command(operation string, userID portainer.U
 		return "", errors.Errorf("unsupported operation: %s", operation)
 	}
 
-	output, err := operationFunc(context.Background(), manifestFiles)
+	output, err := operationFunc(context.Background(), resources)
 	if err != nil {
 		return "", errors.Wrapf(err, "failed to execute kubectl %s command", operation)
 	}
diff --git a/pkg/libkubectl/apply.go b/pkg/libkubectl/apply.go
index bf77f174f..5dad5adc5 100644
--- a/pkg/libkubectl/apply.go
+++ b/pkg/libkubectl/apply.go
@@ -12,7 +12,7 @@ func (c *Client) Apply(ctx context.Context, manifests []string) (string, error)
 	buf := new(bytes.Buffer)
 
 	cmd := apply.NewCmdApply("kubectl", c.factory, c.streams)
-	cmd.SetArgs(manifestFilesToArgs(manifests))
+	cmd.SetArgs(resourcesToArgs(manifests))
 	cmd.SetOut(buf)
 
 	if err := cmd.ExecuteContext(ctx); err != nil {
diff --git a/pkg/libkubectl/delete.go b/pkg/libkubectl/delete.go
index f8326a9f0..bb093ab4d 100644
--- a/pkg/libkubectl/delete.go
+++ b/pkg/libkubectl/delete.go
@@ -12,7 +12,7 @@ func (c *Client) Delete(ctx context.Context, manifests []string) (string, error)
 	buf := new(bytes.Buffer)
 
 	cmd := delete.NewCmdDelete(c.factory, c.streams)
-	cmd.SetArgs(manifestFilesToArgs(manifests))
+	cmd.SetArgs(resourcesToArgs(manifests))
 	cmd.Flags().Set("ignore-not-found", "true")
 	cmd.SetOut(buf)
 
diff --git a/pkg/libkubectl/manifest.go b/pkg/libkubectl/manifest.go
deleted file mode 100644
index cc63b5883..000000000
--- a/pkg/libkubectl/manifest.go
+++ /dev/null
@@ -1,11 +0,0 @@
-package libkubectl
-
-import "strings"
-
-func manifestFilesToArgs(manifestFiles []string) []string {
-	args := []string{}
-	for _, path := range manifestFiles {
-		args = append(args, "-f", strings.TrimSpace(path))
-	}
-	return args
-}
diff --git a/pkg/libkubectl/manifest_test.go b/pkg/libkubectl/manifest_test.go
deleted file mode 100644
index 9261c65ee..000000000
--- a/pkg/libkubectl/manifest_test.go
+++ /dev/null
@@ -1,48 +0,0 @@
-package libkubectl
-
-import (
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-func TestManifestFilesToArgsHelper(t *testing.T) {
-	tests := []struct {
-		name          string
-		manifestFiles []string
-		expectedArgs  []string
-	}{
-		{
-			name:          "empty list",
-			manifestFiles: []string{},
-			expectedArgs:  []string{},
-		},
-		{
-			name:          "single manifest",
-			manifestFiles: []string{"manifest.yaml"},
-			expectedArgs:  []string{"-f", "manifest.yaml"},
-		},
-		{
-			name:          "multiple manifests",
-			manifestFiles: []string{"manifest1.yaml", "manifest2.yaml"},
-			expectedArgs:  []string{"-f", "manifest1.yaml", "-f", "manifest2.yaml"},
-		},
-		{
-			name:          "manifests with whitespace",
-			manifestFiles: []string{" manifest1.yaml ", "  manifest2.yaml"},
-			expectedArgs:  []string{"-f", "manifest1.yaml", "-f", "manifest2.yaml"},
-		},
-		{
-			name:          "kubernetes resource definitions",
-			manifestFiles: []string{"deployment/nginx", "service/web"},
-			expectedArgs:  []string{"-f", "deployment/nginx", "-f", "service/web"},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			args := manifestFilesToArgs(tt.manifestFiles)
-			assert.Equal(t, tt.expectedArgs, args)
-		})
-	}
-}
diff --git a/pkg/libkubectl/resource.go b/pkg/libkubectl/resource.go
new file mode 100644
index 000000000..705560513
--- /dev/null
+++ b/pkg/libkubectl/resource.go
@@ -0,0 +1,20 @@
+package libkubectl
+
+import "strings"
+
+func isManifestFile(resource string) bool {
+	trimmedResource := strings.TrimSpace(resource)
+	return strings.HasSuffix(trimmedResource, ".yaml") || strings.HasSuffix(trimmedResource, ".yml")
+}
+
+func resourcesToArgs(resources []string) []string {
+	args := []string{}
+	for _, resource := range resources {
+		if isManifestFile(resource) {
+			args = append(args, "-f", strings.TrimSpace(resource))
+		} else {
+			args = append(args, resource)
+		}
+	}
+	return args
+}
diff --git a/pkg/libkubectl/resource_test.go b/pkg/libkubectl/resource_test.go
new file mode 100644
index 000000000..47016f4d4
--- /dev/null
+++ b/pkg/libkubectl/resource_test.go
@@ -0,0 +1,53 @@
+package libkubectl
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestResourcesToArgsHelper(t *testing.T) {
+	tests := []struct {
+		name         string
+		resources    []string
+		expectedArgs []string
+	}{
+		{
+			name:         "empty list",
+			resources:    []string{},
+			expectedArgs: []string{},
+		},
+		{
+			name:         "single manifest file",
+			resources:    []string{"manifest.yaml"},
+			expectedArgs: []string{"-f", "manifest.yaml"},
+		},
+		{
+			name:         "multiple manifest files",
+			resources:    []string{"manifest1.yaml", "manifest2.yaml"},
+			expectedArgs: []string{"-f", "manifest1.yaml", "-f", "manifest2.yaml"},
+		},
+		{
+			name:         "manifests with whitespace",
+			resources:    []string{" manifest1.yaml ", "  manifest2.yaml"},
+			expectedArgs: []string{"-f", "manifest1.yaml", "-f", "manifest2.yaml"},
+		},
+		{
+			name:         "kubernetes resource definitions",
+			resources:    []string{"deployment/nginx", "service/web"},
+			expectedArgs: []string{"deployment/nginx", "service/web"},
+		},
+		{
+			name:         "rollout restart",
+			resources:    []string{"deployment/nginx", "service/web"},
+			expectedArgs: []string{"deployment/nginx", "service/web"},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			args := resourcesToArgs(tt.resources)
+			assert.Equal(t, tt.expectedArgs, args)
+		})
+	}
+}
diff --git a/pkg/libkubectl/restart.go b/pkg/libkubectl/restart.go
index 4f7083787..fcfa7fd15 100644
--- a/pkg/libkubectl/restart.go
+++ b/pkg/libkubectl/restart.go
@@ -12,7 +12,10 @@ func (c *Client) RolloutRestart(ctx context.Context, manifests []string) (string
 	buf := new(bytes.Buffer)
 
 	cmd := rollout.NewCmdRollout(c.factory, c.streams)
-	cmd.SetArgs(manifestFilesToArgs(manifests))
+	args := []string{"restart"}
+	args = append(args, resourcesToArgs(manifests)...)
+
+	cmd.SetArgs(args)
 	cmd.SetOut(buf)
 
 	if err := cmd.ExecuteContext(ctx); err != nil {

From 0b6972917354144c11816fa92c1f670ed699dcc4 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Tue, 13 May 2025 14:28:42 +1200
Subject: [PATCH 119/212] chrore(microk8s): add deprecation notice [r8s-320]
 (#728)

---
 app/react/components/Alert/Alert.tsx          | 36 +++++++++++--------
 .../FormSection/FormSection.tsx               |  5 +--
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/app/react/components/Alert/Alert.tsx b/app/react/components/Alert/Alert.tsx
index 02c6e995e..a61e62c98 100644
--- a/app/react/components/Alert/Alert.tsx
+++ b/app/react/components/Alert/Alert.tsx
@@ -6,36 +6,36 @@ import { Icon } from '@@/Icon';
 
 type AlertType = 'success' | 'error' | 'info' | 'warn';
 
-const alertSettings: Record<
+export const alertSettings: Record<
   AlertType,
   { container: string; header: string; body: string; icon: ReactNode }
 > = {
   success: {
     container:
-      'border-green-4 bg-green-2 th-dark:bg-green-3 th-dark:border-green-5',
-    header: 'text-green-8',
-    body: 'text-green-7',
+      'border-green-4 bg-green-2 th-dark:bg-green-10 th-dark:border-green-8 th-highcontrast:bg-green-10 th-highcontrast:border-green-8',
+    header: 'text-green-8 th-dark:text-white th-highcontrast:text-white',
+    body: 'text-green-7 th-dark:text-white th-highcontrast:text-white',
     icon: CheckCircle,
   },
   error: {
     container:
-      'border-error-4 bg-error-2 th-dark:bg-error-3 th-dark:border-error-5',
-    header: 'text-error-8',
-    body: 'text-error-7',
+      'border-error-4 bg-error-2 th-dark:bg-error-10 th-dark:border-error-8 th-highcontrast:bg-error-10 th-highcontrast:border-error-8',
+    header: 'text-error-8 th-dark:text-white th-highcontrast:text-white',
+    body: 'text-error-7 th-dark:text-white th-highcontrast:text-white',
     icon: XCircle,
   },
   info: {
     container:
-      'border-blue-4 bg-blue-2 th-dark:bg-blue-3 th-dark:border-blue-5',
-    header: 'text-blue-8',
-    body: 'text-blue-7',
+      'border-blue-4 bg-blue-2 th-dark:bg-blue-10 th-dark:border-blue-8 th-highcontrast:bg-blue-10 th-highcontrast:border-blue-8',
+    header: 'text-blue-8 th-dark:text-white th-highcontrast:text-white',
+    body: 'text-blue-7 th-dark:text-white th-highcontrast:text-white',
     icon: AlertCircle,
   },
   warn: {
     container:
-      'border-warning-4 bg-warning-2 th-dark:bg-warning-3 th-dark:border-warning-5',
-    header: 'text-warning-8',
-    body: 'text-warning-7',
+      'border-warning-4 bg-warning-2 th-dark:bg-warning-10 th-dark:border-warning-8 th-highcontrast:bg-warning-10 th-highcontrast:border-warning-8',
+    header: 'text-warning-8 th-dark:text-white th-highcontrast:text-white',
+    body: 'text-warning-7 th-dark:text-white th-highcontrast:text-white',
     icon: AlertTriangle,
   },
 };
@@ -76,12 +76,18 @@ export function Alert({
   );
 }
 
-function AlertContainer({
+export function AlertContainer({
   className,
   children,
 }: PropsWithChildren<{ className?: string }>) {
   return (
-    <div className={clsx('rounded-md border-2 border-solid', 'p-3', className)}>
+    <div
+      className={clsx(
+        'border rounded-lg border-solid [&_ul]:ps-8',
+        'p-3',
+        className
+      )}
+    >
       {children}
     </div>
   );
diff --git a/app/react/components/form-components/FormSection/FormSection.tsx b/app/react/components/form-components/FormSection/FormSection.tsx
index 05bb9ddbf..6ea747762 100644
--- a/app/react/components/form-components/FormSection/FormSection.tsx
+++ b/app/react/components/form-components/FormSection/FormSection.tsx
@@ -45,8 +45,9 @@ export function FormSection({
 
         {title}
       </FormSectionTitle>
-
-      {isExpanded && children}
+      {/* col-sm-12 in the title has a 'float: left' style - 'clear-both' makes sure it doesn't get in the way of the next div */}
+      {/* https://stackoverflow.com/questions/7759837/put-divs-below-floatleft-divs */}
+      {isExpanded && <div className="clear-both">{children}</div>}
     </div>
   );
 }

From dfa32b6755ede817a690236f2d24070e3b287ce5 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Tue, 13 May 2025 16:33:14 +1200
Subject: [PATCH 120/212] chore: add KaaS deprecation notice (#727)

Co-authored-by: testA113 <aliharriss1995@gmail.com>
---
 .../EnvironmentTypeSelectView/environment-types.ts |  2 +-
 .../EnvironmentsCreationView.tsx                   | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/app/react/portainer/environments/wizard/EnvironmentTypeSelectView/environment-types.ts b/app/react/portainer/environments/wizard/EnvironmentTypeSelectView/environment-types.ts
index 695feb53e..9c590687c 100644
--- a/app/react/portainer/environments/wizard/EnvironmentTypeSelectView/environment-types.ts
+++ b/app/react/portainer/environments/wizard/EnvironmentTypeSelectView/environment-types.ts
@@ -69,7 +69,7 @@ export const newEnvironmentTypes: EnvironmentOption[] = [
   {
     id: 'kaas',
     value: 'kaas',
-    label: 'Provision KaaS Cluster',
+    label: 'Provision KaaS Cluster (Deprecated)',
     description:
       "Provision a Kubernetes cluster via a cloud provider's Kubernetes as a Service",
     icon: KaaS,
diff --git a/app/react/portainer/environments/wizard/EnvironmentsCreationView/EnvironmentsCreationView.tsx b/app/react/portainer/environments/wizard/EnvironmentsCreationView/EnvironmentsCreationView.tsx
index a56095bfc..666193743 100644
--- a/app/react/portainer/environments/wizard/EnvironmentsCreationView/EnvironmentsCreationView.tsx
+++ b/app/react/portainer/environments/wizard/EnvironmentsCreationView/EnvironmentsCreationView.tsx
@@ -17,6 +17,7 @@ import { PageHeader } from '@@/PageHeader';
 import { Button } from '@@/buttons';
 import { FormSection } from '@@/form-components/FormSection';
 import { Icon } from '@@/Icon';
+import { Alert } from '@@/Alert';
 
 import {
   EnvironmentOptionValue,
@@ -84,6 +85,19 @@ export function EnvironmentCreationView() {
 
             <div className="mt-12">
               <FormSection title={formTitles[currentStep.id]}>
+                {currentStep.id === 'kaas' && (
+                  <Alert
+                    color="warn"
+                    title="Deprecated Feature"
+                    className="mb-2"
+                  >
+                    Provisioning a KaaS environment from Portainer is deprecated
+                    and will be removed in a future release. You will still be
+                    able to use any Kubernetes clusters provisioned using this
+                    method but will no longer have access to any of the
+                    KaaS-specific management functionality.
+                  </Alert>
+                )}
                 <Component
                   onCreate={handleCreateEnvironment}
                   isDockerStandalone={isDockerStandalone}

From 4ee349bd6b68f47e54898e5684bbfc3ce8f01b79 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Tue, 13 May 2025 22:15:04 +1200
Subject: [PATCH 121/212] feat(helm): helm actions [r8s-259] (#715)

Co-authored-by: James Player <james.player@portainer.io>
Co-authored-by: Cara Ryan <cara.ryan@portainer.io>
Co-authored-by: stevensbkang <skan070@gmail.com>
---
 api/http/handler/helm/helm_install.go         |   4 +-
 app/assets/css/app.css                        |   6 +-
 app/assets/css/bootstrap-override.css         |   4 +-
 app/assets/css/theme.css                      |   4 +-
 .../views/configs/create/createconfig.html    |   2 +-
 app/docker/views/images/build/buildimage.html |   2 +-
 app/kubernetes/__module.js                    |   2 +-
 .../kubernetesConfigurationData.html          |   2 +-
 .../components/code-editor/code-editor.html   |   2 +-
 .../components/code-editor/code-editor.js     |   2 +-
 .../form-components/web-editor-form/index.js  |   2 +-
 .../web-editor-form/web-editor-form.html      |   2 +-
 app/portainer/react/components/index.ts       |   4 +-
 .../views/stacks/create/createstack.html      |   2 +-
 app/portainer/views/stacks/edit/stack.html    |   2 +-
 app/react/common/date-utils.ts                |  16 +
 app/react/components/Badge/Badge.stories.tsx  |   2 +
 app/react/components/Badge/Badge.tsx          |   8 +-
 .../Blocklist/BlocklistItem.stories.tsx       |  75 +++++
 app/react/components/Card/Card.tsx            |   2 +-
 app/react/components/CodeEditor.tsx           | 228 -------------
 .../{ => CodeEditor}/CodeEditor.module.css    |  46 ++-
 .../{ => CodeEditor}/CodeEditor.test.tsx      |  29 +-
 .../components/CodeEditor/CodeEditor.tsx      | 158 +++++++++
 .../components/CodeEditor/DiffViewer.test.tsx | 101 ++++++
 .../components/CodeEditor/DiffViewer.tsx      | 138 ++++++++
 .../components/CodeEditor/FileNameHeader.tsx  |  71 ++++
 app/react/components/CodeEditor/index.ts      |   1 +
 .../CodeEditor/useCodeEditorExtensions.ts     |  91 +++++
 .../components/InlineLoader/InlineLoader.tsx  |  10 +-
 .../components/RadioGroup/RadioGroup.tsx      |  23 +-
 app/react/components/Sheet.tsx                | 159 +++++++++
 app/react/components/WebEditorForm.tsx        |   2 +
 app/react/components/Widget/WidgetIcon.tsx    |  11 +
 app/react/components/Widget/WidgetTitle.tsx   |  12 +-
 .../buttons/CopyButton/CopyButton.stories.tsx |   4 +-
 app/react/components/datatables/Datatable.tsx |  32 +-
 .../components/datatables/DatatableHeader.tsx |   4 +-
 .../components/datatables/TableContainer.tsx  |   4 +-
 .../components/datatables/TableTitle.tsx      |   2 +-
 .../AdvancedMode.tsx                          |   2 +-
 .../components/modals/Modal/Modal.module.css  |   6 -
 app/react/components/modals/Modal/Modal.tsx   |  10 +-
 .../CreateView/CreateEdgeJobForm.tsx          |   2 +-
 .../UpdateEdgeJobForm/UpdateEdgeJobForm.tsx   |   2 +-
 .../CreateView/DockerContentField.tsx         |   2 +-
 .../CreateView/KubeManifestForm.tsx           |   2 +-
 .../EditEdgeStackForm/ComposeForm.tsx         |   2 +-
 .../EditEdgeStackForm/KubernetesForm.tsx      |   2 +-
 app/react/hooks/useDebounce.ts                |  12 +-
 .../ApplicationEventsDatatable.tsx            |  31 +-
 .../ApplicationsDatatable.tsx                 |   1 +
 .../ListView/ApplicationsDatatable/SubRow.tsx |   5 +-
 .../components/EditYamlFormSection.tsx        |   2 +-
 .../EventsDatatable/EventsDatatable.tsx       |   9 +-
 .../EventsDatatable/columns/eventType.tsx     |  12 +
 .../EventsDatatable/columns/index.ts          |   3 +-
 .../EventsDatatable/columns/kind.tsx          |  13 +
 .../EventsDatatable/columns/name.tsx          |  16 +
 .../kubernetes/components/YAMLInspector.tsx   |   2 +-
 .../ChartActions/ChartActions.tsx             |  44 ++-
 .../ChartActions/RollbackButton.test.tsx      |   8 +-
 .../ChartActions/RollbackButton.tsx           |  25 +-
 .../ChartActions/UpgradeButton.test.tsx       | 182 ++++++++++
 .../ChartActions/UpgradeButton.tsx            | 167 +++++++++
 .../ChartActions/UpgradeHelmModal.tsx         | 151 +++++++++
 .../HelmApplicationView.test.tsx              | 316 +++++++++++++-----
 .../HelmApplicationView.tsx                   | 103 ++++--
 .../HelmRevisionItem.test.tsx                 | 116 +++++++
 .../HelmApplicationView/HelmRevisionItem.tsx  |  49 +++
 .../HelmApplicationView/HelmRevisionList.tsx  |  43 +++
 .../HelmRevisionListSheet.tsx                 |  40 +++
 .../helm/HelmApplicationView/HelmSummary.tsx  |  70 +---
 .../ReleaseDetails/DiffControl.test.tsx       | 193 +++++++++++
 .../ReleaseDetails/DiffControl.tsx            | 146 ++++++++
 .../ReleaseDetails/DiffViewSection.tsx        |  55 +++
 .../HelmEventsDatatable.test.tsx              | 242 ++++++++++++++
 .../ReleaseDetails/HelmEventsDatatable.tsx    |  77 +++++
 .../ReleaseDetails/ManifestDetails.tsx        |  58 +++-
 .../ReleaseDetails/NotesDetails.tsx           |  43 ++-
 .../ReleaseDetails/ReleaseTabs.tsx            | 252 ++++++++++++--
 .../ResourcesTable/DescribeModal.test.tsx     |  12 +-
 .../ResourcesTable/ResourcesTable.tsx         |  11 +-
 .../ResourcesTable/columns/status.tsx         |   4 +
 .../ReleaseDetails/ValuesDetails.tsx          |  84 +++--
 .../ReleaseDetails/types.ts                   |  26 ++
 .../ReleaseDetails/useHelmReleaseToCompare.ts |  60 ++++
 .../queries/useHelmHistory.ts                 |  44 +++
 .../queries/useHelmRelease.ts                 |  46 ++-
 .../queries/useHelmRepositories.ts            |  99 ++++++
 .../queries/useUpdateHelmReleaseMutation.ts   |  44 +++
 .../helm/HelmTemplates/HelmTemplates.tsx      |  15 +-
 .../HelmTemplates/HelmTemplatesList.test.tsx  |   6 +-
 .../helm/HelmTemplates/HelmTemplatesList.tsx  |  23 +-
 .../HelmTemplatesSelectedItem.test.tsx        |   5 +-
 .../HelmTemplatesSelectedItem.tsx             |   9 +-
 .../HelmTemplates/queries/useHelmChartList.ts |  79 -----
 .../kubernetes/helm/helm-status-utils.ts      |  48 +++
 .../helm/queries/useHelmChartList.ts          | 105 ++++++
 app/react/kubernetes/helm/types.ts            |   6 +-
 app/react/kubernetes/queries/useEvents.ts     |  20 +-
 .../HelmRepositoryDatatable.tsx               |   1 +
 .../custom-templates/CreateView/InnerForm.tsx |   2 +-
 .../custom-templates/EditView/InnerForm.tsx   |   2 +-
 .../DeployForm.tsx                            |   2 +-
 app/setup-tests/mock-codemirror.tsx           |  15 +
 app/setup-tests/mock-localizeDate.ts          |  18 +
 package.json                                  |   4 +
 pkg/libhelm/options/install_options.go        |   1 +
 pkg/libhelm/sdk/common.go                     |   3 +-
 pkg/libhelm/sdk/get.go                        |  10 +-
 pkg/libhelm/sdk/history.go                    |   7 +
 pkg/libhelm/sdk/install.go                    |   3 +-
 pkg/libhelm/sdk/upgrade.go                    |   2 +-
 pkg/libhelm/sdk/values.go                     |  11 +-
 tailwind.config.js                            |   1 +
 yarn.lock                                     | 242 +++++++++++++-
 117 files changed, 4161 insertions(+), 696 deletions(-)
 create mode 100644 app/react/common/date-utils.ts
 create mode 100644 app/react/components/Blocklist/BlocklistItem.stories.tsx
 delete mode 100644 app/react/components/CodeEditor.tsx
 rename app/react/components/{ => CodeEditor}/CodeEditor.module.css (78%)
 rename app/react/components/{ => CodeEditor}/CodeEditor.test.tsx (78%)
 create mode 100644 app/react/components/CodeEditor/CodeEditor.tsx
 create mode 100644 app/react/components/CodeEditor/DiffViewer.test.tsx
 create mode 100644 app/react/components/CodeEditor/DiffViewer.tsx
 create mode 100644 app/react/components/CodeEditor/FileNameHeader.tsx
 create mode 100644 app/react/components/CodeEditor/index.ts
 create mode 100644 app/react/components/CodeEditor/useCodeEditorExtensions.ts
 create mode 100644 app/react/components/Sheet.tsx
 create mode 100644 app/react/components/Widget/WidgetIcon.tsx
 create mode 100644 app/react/kubernetes/components/EventsDatatable/columns/name.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmRevisionList.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/HelmRevisionListSheet.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffViewSection.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/types.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/queries/useHelmHistory.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
 create mode 100644 app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
 delete mode 100644 app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts
 create mode 100644 app/react/kubernetes/helm/helm-status-utils.ts
 create mode 100644 app/react/kubernetes/helm/queries/useHelmChartList.ts
 create mode 100644 app/setup-tests/mock-localizeDate.ts

diff --git a/api/http/handler/helm/helm_install.go b/api/http/handler/helm/helm_install.go
index d7254c1f4..cd4985770 100644
--- a/api/http/handler/helm/helm_install.go
+++ b/api/http/handler/helm/helm_install.go
@@ -26,6 +26,7 @@ type installChartPayload struct {
 	Chart     string `json:"chart"`
 	Repo      string `json:"repo"`
 	Values    string `json:"values"`
+	Version   string `json:"version"`
 }
 
 var errChartNameInvalid = errors.New("invalid chart name. " +
@@ -101,6 +102,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 	installOpts := options.InstallOptions{
 		Name:                    p.Name,
 		Chart:                   p.Chart,
+		Version:                 p.Version,
 		Namespace:               p.Namespace,
 		Repo:                    p.Repo,
 		KubernetesClusterAccess: clusterAccess,
@@ -192,7 +194,7 @@ func (handler *Handler) updateHelmAppManifest(r *http.Request, manifest []byte,
 	g := new(errgroup.Group)
 	for _, resource := range yamlResources {
 		g.Go(func() error {
-			tmpfile, err := os.CreateTemp("", "helm-manifest-*")
+			tmpfile, err := os.CreateTemp("", "helm-manifest-*.yaml")
 			if err != nil {
 				return errors.Wrap(err, "failed to create a tmp helm manifest file")
 			}
diff --git a/app/assets/css/app.css b/app/assets/css/app.css
index afcf49470..85d8fbca5 100644
--- a/app/assets/css/app.css
+++ b/app/assets/css/app.css
@@ -32,6 +32,10 @@ body {
   color: var(--text-body-color) !important;
 }
 
+.bg-widget-color {
+  background: var(--bg-widget-color);
+}
+
 html,
 body,
 #page-wrapper,
@@ -224,7 +228,7 @@ input[type='checkbox'] {
 
 .blocklist-item--selected {
   background-color: var(--bg-blocklist-item-selected-color);
-  border: 2px solid var(--border-blocklist-item-selected-color);
+  border-color: var(--border-blocklist-item-selected-color);
   color: var(--text-blocklist-item-selected-color);
 }
 
diff --git a/app/assets/css/bootstrap-override.css b/app/assets/css/bootstrap-override.css
index 19e63397d..cbded5622 100644
--- a/app/assets/css/bootstrap-override.css
+++ b/app/assets/css/bootstrap-override.css
@@ -20,9 +20,7 @@
 }
 
 .vertical-center {
-  display: inline-flex;
-  align-items: center;
-  gap: 5px;
+  @apply inline-flex items-center gap-1;
 }
 
 .flex-center {
diff --git a/app/assets/css/theme.css b/app/assets/css/theme.css
index f104f3e7b..eb2d36882 100644
--- a/app/assets/css/theme.css
+++ b/app/assets/css/theme.css
@@ -268,7 +268,7 @@
   --bg-body-color: var(--grey-2);
   --bg-btn-default-color: var(--grey-3);
   --bg-blocklist-hover-color: var(--ui-gray-iron-10);
-  --bg-blocklist-item-selected-color: var(--grey-3);
+  --bg-blocklist-item-selected-color: var(--ui-gray-iron-10);
   --bg-card-color: var(--grey-1);
   --bg-checkbox-border-color: var(--grey-8);
   --bg-code-color: var(--grey-2);
@@ -388,7 +388,7 @@
   --border-navtabs-color: var(--grey-38);
   --border-pre-color: var(--grey-3);
   --border-blocklist: var(--ui-gray-9);
-  --border-blocklist-item-selected-color: var(--grey-38);
+  --border-blocklist-item-selected-color: var(--grey-31);
   --border-pagination-span-color: var(--grey-1);
   --border-pagination-hover-color: var(--grey-3);
   --border-panel-color: var(--grey-2);
diff --git a/app/docker/views/configs/create/createconfig.html b/app/docker/views/configs/create/createconfig.html
index 945330c06..6ac0bef06 100644
--- a/app/docker/views/configs/create/createconfig.html
+++ b/app/docker/views/configs/create/createconfig.html
@@ -18,7 +18,7 @@
             <div class="col-sm-12" ng-if="ctrl.formValues.displayCodeEditor">
               <web-editor-form
                 identifier="config-creation-editor"
-                placeholder="Define or paste the content of your config here"
+                text-tip="Define or paste the content of your config here"
                 yml="false"
                 on-change="(ctrl.editorUpdate)"
                 value="ctrl.formValues.ConfigContent"
diff --git a/app/docker/views/images/build/buildimage.html b/app/docker/views/images/build/buildimage.html
index 6d5446944..20c5773dc 100644
--- a/app/docker/views/images/build/buildimage.html
+++ b/app/docker/views/images/build/buildimage.html
@@ -94,7 +94,7 @@
                   <div class="col-sm-12">
                     <code-editor
                       identifier="image-build-editor"
-                      placeholder="Define or paste the content of your Dockerfile here"
+                      text-tip="Define or paste the content of your Dockerfile here"
                       docker-file="true"
                       on-change="(editorUpdate)"
                     ></code-editor>
diff --git a/app/kubernetes/__module.js b/app/kubernetes/__module.js
index 98607e569..adb937cce 100644
--- a/app/kubernetes/__module.js
+++ b/app/kubernetes/__module.js
@@ -145,7 +145,7 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
 
     const helmApplication = {
       name: 'kubernetes.helm',
-      url: '/helm/:namespace/:name',
+      url: '/helm/:namespace/:name?revision&tab',
       views: {
         'content@': {
           component: 'kubernetesHelmApplicationView',
diff --git a/app/kubernetes/components/kubernetes-configuration-data/kubernetesConfigurationData.html b/app/kubernetes/components/kubernetes-configuration-data/kubernetesConfigurationData.html
index ca2caebef..193ce8be0 100644
--- a/app/kubernetes/components/kubernetes-configuration-data/kubernetesConfigurationData.html
+++ b/app/kubernetes/components/kubernetes-configuration-data/kubernetesConfigurationData.html
@@ -165,7 +165,7 @@
       value="$ctrl.formValues.DataYaml"
       on-change="($ctrl.editorUpdate)"
       yml="true"
-      placeholder="Define or paste key-value pairs, one pair per line"
+      text-tip="Define or paste key-value pairs, one pair per line"
     >
     </web-editor-form>
   </div>
diff --git a/app/portainer/components/code-editor/code-editor.html b/app/portainer/components/code-editor/code-editor.html
index 2cf42b272..446da5dab 100644
--- a/app/portainer/components/code-editor/code-editor.html
+++ b/app/portainer/components/code-editor/code-editor.html
@@ -1,6 +1,6 @@
 <react-code-editor
   id="$ctrl.identifier"
-  placeholder="$ctrl.placeholder"
+  text-tip="$ctrl.textTip"
   type="$ctrl.type"
   readonly="$ctrl.readOnly"
   on-change="($ctrl.handleChange)"
diff --git a/app/portainer/components/code-editor/code-editor.js b/app/portainer/components/code-editor/code-editor.js
index db6a4fbaf..25a77c3c9 100644
--- a/app/portainer/components/code-editor/code-editor.js
+++ b/app/portainer/components/code-editor/code-editor.js
@@ -5,7 +5,7 @@ angular.module('portainer.app').component('codeEditor', {
   controller,
   bindings: {
     identifier: '@',
-    placeholder: '@',
+    textTip: '@',
     yml: '<',
     dockerFile: '<',
     shell: '<',
diff --git a/app/portainer/components/form-components/web-editor-form/index.js b/app/portainer/components/form-components/web-editor-form/index.js
index 45301f683..804966f10 100644
--- a/app/portainer/components/form-components/web-editor-form/index.js
+++ b/app/portainer/components/form-components/web-editor-form/index.js
@@ -6,7 +6,7 @@ export const webEditorForm = {
 
   bindings: {
     identifier: '@',
-    placeholder: '@',
+    textTip: '@',
     yml: '<',
     value: '<',
     readOnly: '<',
diff --git a/app/portainer/components/form-components/web-editor-form/web-editor-form.html b/app/portainer/components/form-components/web-editor-form/web-editor-form.html
index 1727cc893..336da3bce 100644
--- a/app/portainer/components/form-components/web-editor-form/web-editor-form.html
+++ b/app/portainer/components/form-components/web-editor-form/web-editor-form.html
@@ -42,7 +42,7 @@
       <div class="col-sm-12 col-lg-12">
         <code-editor
           identifier="{{ $ctrl.identifier }}"
-          placeholder="{{ $ctrl.placeholder }}"
+          text-tip="{{ $ctrl.textTip }}"
           read-only="$ctrl.readOnly"
           yml="$ctrl.yml"
           value="$ctrl.value"
diff --git a/app/portainer/react/components/index.ts b/app/portainer/react/components/index.ts
index 535032fae..8a9c1f589 100644
--- a/app/portainer/react/components/index.ts
+++ b/app/portainer/react/components/index.ts
@@ -223,7 +223,7 @@ export const ngModule = angular
     'reactCodeEditor',
     r2a(CodeEditor, [
       'id',
-      'placeholder',
+      'textTip',
       'type',
       'readonly',
       'onChange',
@@ -233,6 +233,8 @@ export const ngModule = angular
       'versions',
       'onVersionChange',
       'schema',
+      'fileName',
+      'placeholder',
     ])
   )
   .component(
diff --git a/app/portainer/views/stacks/create/createstack.html b/app/portainer/views/stacks/create/createstack.html
index 406686f8a..25773d35a 100644
--- a/app/portainer/views/stacks/create/createstack.html
+++ b/app/portainer/views/stacks/create/createstack.html
@@ -128,7 +128,7 @@
             on-change="(onChangeFileContent)"
             ng-required="true"
             yml="true"
-            placeholder="Define or paste the content of your docker compose file here"
+            text-tip="Define or paste the content of your docker compose file here"
             read-only="state.isEditorReadOnly"
             schema="dockerComposeSchema"
           >
diff --git a/app/portainer/views/stacks/edit/stack.html b/app/portainer/views/stacks/edit/stack.html
index 14c5c8628..8ecf54e06 100644
--- a/app/portainer/views/stacks/edit/stack.html
+++ b/app/portainer/views/stacks/edit/stack.html
@@ -160,7 +160,7 @@
                   <code-editor
                     read-only="orphaned"
                     identifier="stack-editor"
-                    placeholder="Define or paste the content of your docker compose file here"
+                    text-tip="Define or paste the content of your docker compose file here"
                     yml="true"
                     on-change="(editorUpdate)"
                     value="stackFileContent"
diff --git a/app/react/common/date-utils.ts b/app/react/common/date-utils.ts
new file mode 100644
index 000000000..608400ac8
--- /dev/null
+++ b/app/react/common/date-utils.ts
@@ -0,0 +1,16 @@
+/**
+ * Format a date to a human-readable string based on the user's locale.
+ */
+export function localizeDate(date: Date) {
+  return date
+    .toLocaleString(undefined, {
+      year: 'numeric',
+      month: 'short',
+      day: 'numeric',
+      hour: 'numeric',
+      minute: '2-digit',
+      hour12: true,
+    })
+    .replace('am', 'AM')
+    .replace('pm', 'PM');
+}
diff --git a/app/react/components/Badge/Badge.stories.tsx b/app/react/components/Badge/Badge.stories.tsx
index 41f42cbc8..c7b958502 100644
--- a/app/react/components/Badge/Badge.stories.tsx
+++ b/app/react/components/Badge/Badge.stories.tsx
@@ -18,6 +18,7 @@ export default {
           'dangerSecondary',
           'warnSecondary',
           'infoSecondary',
+          'muted',
         ],
       },
     },
@@ -35,6 +36,7 @@ function Template({ type = 'success' }: Props) {
     dangerSecondary: 'dangerSecondary badge',
     warnSecondary: 'warnSecondary badge',
     infoSecondary: 'infoSecondary badge',
+    muted: 'muted badge',
   };
   return <Badge type={type}>{message[type]}</Badge>;
 }
diff --git a/app/react/components/Badge/Badge.tsx b/app/react/components/Badge/Badge.tsx
index e31e3b122..5babb5733 100644
--- a/app/react/components/Badge/Badge.tsx
+++ b/app/react/components/Badge/Badge.tsx
@@ -9,7 +9,8 @@ export type BadgeType =
   | 'successSecondary'
   | 'dangerSecondary'
   | 'warnSecondary'
-  | 'infoSecondary';
+  | 'infoSecondary'
+  | 'muted';
 
 // the classes are typed in full because tailwind doesn't render the interpolated classes
 const typeClasses: Record<BadgeType, string> = {
@@ -54,6 +55,11 @@ const typeClasses: Record<BadgeType, string> = {
     'th-dark:text-blue-3 th-dark:bg-blue-9',
     'th-highcontrast:text-blue-3 th-highcontrast:bg-blue-9'
   ),
+  muted: clsx(
+    'text-gray-9 bg-gray-3',
+    'th-dark:text-gray-3 th-dark:bg-gray-9',
+    'th-highcontrast:text-gray-3 th-highcontrast:bg-gray-9'
+  ),
 };
 
 export interface Props {
diff --git a/app/react/components/Blocklist/BlocklistItem.stories.tsx b/app/react/components/Blocklist/BlocklistItem.stories.tsx
new file mode 100644
index 000000000..e38d1933e
--- /dev/null
+++ b/app/react/components/Blocklist/BlocklistItem.stories.tsx
@@ -0,0 +1,75 @@
+import type { Meta, StoryObj } from '@storybook/react';
+
+import { localizeDate } from '@/react/common/date-utils';
+
+import { Badge } from '@@/Badge';
+
+import { BlocklistItem } from './BlocklistItem';
+
+const meta: Meta<typeof BlocklistItem> = {
+  title: 'Components/Blocklist/BlocklistItem',
+  component: BlocklistItem,
+  parameters: {
+    layout: 'centered',
+  },
+  tags: ['autodocs'],
+  decorators: [
+    (Story) => (
+      <div className="blocklist">
+        <Story />
+      </div>
+    ),
+  ],
+};
+
+export default meta;
+type Story = StoryObj<typeof BlocklistItem>;
+
+export const Default: Story = {
+  args: {
+    children: 'Default Blocklist Item',
+  },
+};
+
+export const Selected: Story = {
+  args: {
+    children: 'Selected Blocklist Item',
+    isSelected: true,
+  },
+};
+
+export const AsDiv: Story = {
+  args: {
+    children: 'Blocklist Item as div',
+    as: 'div',
+  },
+};
+
+export const WithCustomContent: Story = {
+  args: {
+    children: (
+      <div className="flex flex-col gap-2 w-full">
+        <div className="flex flex-wrap gap-1 justify-between">
+          <Badge type="success">Deployed</Badge>
+          <span className="text-xs text-muted">Revision #4</span>
+        </div>
+        <div className="flex flex-wrap gap-1 justify-between">
+          <span className="text-xs text-muted">my-app-1.0.0</span>
+          <span className="text-xs text-muted">
+            {localizeDate(new Date('2000-01-01'))}
+          </span>
+        </div>
+      </div>
+    ),
+  },
+};
+
+export const MultipleItems: Story = {
+  render: () => (
+    <div className="blocklist">
+      <BlocklistItem>First Item</BlocklistItem>
+      <BlocklistItem isSelected>Second Item (Selected)</BlocklistItem>
+      <BlocklistItem>Third Item</BlocklistItem>
+    </div>
+  ),
+};
diff --git a/app/react/components/Card/Card.tsx b/app/react/components/Card/Card.tsx
index 1839f649e..b5e8bf5f1 100644
--- a/app/react/components/Card/Card.tsx
+++ b/app/react/components/Card/Card.tsx
@@ -10,7 +10,7 @@ export function Card({ className, children }: PropsWithChildren<Props>) {
     <div
       className={clsx(
         className,
-        'rounded border border-solid border-gray-5 bg-gray-neutral-3 p-5 th-highcontrast:border-white th-highcontrast:bg-black th-dark:border-legacy-grey-3 th-dark:bg-gray-iron-11'
+        'rounded-lg border border-solid border-gray-5 bg-gray-neutral-3 p-5 th-highcontrast:border-white th-highcontrast:bg-black th-dark:border-legacy-grey-3 th-dark:bg-gray-iron-11'
       )}
     >
       {children}
diff --git a/app/react/components/CodeEditor.tsx b/app/react/components/CodeEditor.tsx
deleted file mode 100644
index e74a70ec9..000000000
--- a/app/react/components/CodeEditor.tsx
+++ /dev/null
@@ -1,228 +0,0 @@
-import CodeMirror, {
-  keymap,
-  oneDarkHighlightStyle,
-} from '@uiw/react-codemirror';
-import {
-  StreamLanguage,
-  LanguageSupport,
-  syntaxHighlighting,
-  indentService,
-} from '@codemirror/language';
-import { yaml } from '@codemirror/legacy-modes/mode/yaml';
-import { dockerFile } from '@codemirror/legacy-modes/mode/dockerfile';
-import { shell } from '@codemirror/legacy-modes/mode/shell';
-import { useCallback, useMemo, useState } from 'react';
-import { createTheme } from '@uiw/codemirror-themes';
-import { tags as highlightTags } from '@lezer/highlight';
-import type { JSONSchema7 } from 'json-schema';
-import { lintKeymap, lintGutter } from '@codemirror/lint';
-import { defaultKeymap } from '@codemirror/commands';
-import { autocompletion, completionKeymap } from '@codemirror/autocomplete';
-import { yamlCompletion, yamlSchema } from 'yaml-schema';
-
-import { AutomationTestingProps } from '@/types';
-
-import { CopyButton } from '@@/buttons/CopyButton';
-
-import { useDebounce } from '../hooks/useDebounce';
-
-import styles from './CodeEditor.module.css';
-import { TextTip } from './Tip/TextTip';
-import { StackVersionSelector } from './StackVersionSelector';
-
-type Type = 'yaml' | 'shell' | 'dockerfile';
-interface Props extends AutomationTestingProps {
-  id: string;
-  placeholder?: string;
-  type?: Type;
-  readonly?: boolean;
-  onChange?: (value: string) => void;
-  value: string;
-  height?: string;
-  versions?: number[];
-  onVersionChange?: (version: number) => void;
-  schema?: JSONSchema7;
-}
-
-const theme = createTheme({
-  theme: 'light',
-  settings: {
-    background: 'var(--bg-codemirror-color)',
-    foreground: 'var(--text-codemirror-color)',
-    caret: 'var(--border-codemirror-cursor-color)',
-    selection: 'var(--bg-codemirror-selected-color)',
-    selectionMatch: 'var(--bg-codemirror-selected-color)',
-    gutterBackground: 'var(--bg-codemirror-gutters-color)',
-  },
-  styles: [
-    { tag: highlightTags.atom, color: 'var(--text-cm-default-color)' },
-    { tag: highlightTags.meta, color: 'var(--text-cm-meta-color)' },
-    {
-      tag: [highlightTags.string, highlightTags.special(highlightTags.brace)],
-      color: 'var(--text-cm-string-color)',
-    },
-    { tag: highlightTags.number, color: 'var(--text-cm-number-color)' },
-    { tag: highlightTags.keyword, color: 'var(--text-cm-keyword-color)' },
-    { tag: highlightTags.comment, color: 'var(--text-cm-comment-color)' },
-    {
-      tag: highlightTags.variableName,
-      color: 'var(--text-cm-variable-name-color)',
-    },
-  ],
-});
-
-// Custom indentation service for YAML
-const yamlIndentExtension = indentService.of((context, pos) => {
-  const prevLine = context.lineAt(pos, -1);
-
-  // Default to same as previous line
-  const prevIndent = /^\s*/.exec(prevLine.text)?.[0].length || 0;
-
-  // If previous line ends with a colon, increase indent
-  if (/:\s*$/.test(prevLine.text)) {
-    return prevIndent + 2; // Indent 2 spaces after a colon
-  }
-
-  return prevIndent;
-});
-
-// Create enhanced YAML language with custom indentation (from @codemirror/legacy-modes/mode/yaml)
-const yamlLanguageLegacy = new LanguageSupport(StreamLanguage.define(yaml), [
-  yamlIndentExtension,
-  syntaxHighlighting(oneDarkHighlightStyle),
-]);
-
-const dockerFileLanguage = new LanguageSupport(
-  StreamLanguage.define(dockerFile)
-);
-const shellLanguage = new LanguageSupport(StreamLanguage.define(shell));
-
-const docTypeExtensionMap: Record<Type, LanguageSupport> = {
-  yaml: yamlLanguageLegacy,
-  dockerfile: dockerFileLanguage,
-  shell: shellLanguage,
-};
-
-function schemaValidationExtensions(schema: JSONSchema7) {
-  // skip the hover extension because fields like 'networks' display as 'null' with no description when using the default hover
-  // skip the completion extension in favor of custom completion
-  const [yaml, linter, , , stateExtensions] = yamlSchema(schema);
-  return [
-    yaml,
-    linter,
-    autocompletion({
-      icons: false,
-      activateOnTypingDelay: 300,
-      selectOnOpen: true,
-      activateOnTyping: true,
-      override: [
-        (ctx) => {
-          const getCompletions = yamlCompletion();
-          const completions = getCompletions(ctx);
-          if (Array.isArray(completions)) {
-            return null;
-          }
-
-          completions.validFor = /^\w*$/;
-
-          return completions;
-        },
-      ],
-    }),
-    stateExtensions,
-    yamlIndentExtension,
-    syntaxHighlighting(oneDarkHighlightStyle),
-    lintGutter(),
-    keymap.of([...defaultKeymap, ...completionKeymap, ...lintKeymap]),
-  ];
-}
-
-export function CodeEditor({
-  id,
-  onChange = () => {},
-  placeholder,
-  readonly,
-  value,
-  versions,
-  onVersionChange,
-  height = '500px',
-  type,
-  schema,
-  'data-cy': dataCy,
-}: Props) {
-  const [isRollback, setIsRollback] = useState(false);
-
-  const extensions = useMemo(() => {
-    if (!type || !docTypeExtensionMap[type]) {
-      return [];
-    }
-    // YAML-specific schema validation
-    if (schema && type === 'yaml') {
-      return schemaValidationExtensions(schema);
-    }
-    // Default language support
-    return [docTypeExtensionMap[type]];
-  }, [type, schema]);
-
-  const handleVersionChange = useCallback(
-    (version: number) => {
-      if (versions && versions.length > 1) {
-        setIsRollback(version < versions[0]);
-      }
-      onVersionChange?.(version);
-    },
-    [onVersionChange, versions]
-  );
-
-  const [debouncedValue, debouncedOnChange] = useDebounce(value, onChange);
-
-  return (
-    <>
-      <div className="mb-2 flex flex-col">
-        <div className="flex items-center justify-between">
-          <div className="flex items-center">
-            {!!placeholder && <TextTip color="blue">{placeholder}</TextTip>}
-          </div>
-
-          <div className="flex-2 ml-auto mr-2 flex items-center gap-x-2">
-            <CopyButton
-              data-cy={`copy-code-button-${id}`}
-              fadeDelay={2500}
-              copyText={value}
-              color="link"
-              className="!pr-0 !text-sm !font-medium hover:no-underline focus:no-underline"
-              indicatorPosition="left"
-            >
-              Copy to clipboard
-            </CopyButton>
-          </div>
-        </div>
-        {versions && (
-          <div className="mt-2 flex">
-            <div className="ml-auto mr-2">
-              <StackVersionSelector
-                versions={versions}
-                onChange={handleVersionChange}
-              />
-            </div>
-          </div>
-        )}
-      </div>
-      <CodeMirror
-        className={styles.root}
-        theme={theme}
-        value={debouncedValue}
-        onChange={debouncedOnChange}
-        readOnly={readonly || isRollback}
-        id={id}
-        extensions={extensions}
-        height={height}
-        basicSetup={{
-          highlightSelectionMatches: false,
-          autocompletion: !!schema,
-        }}
-        data-cy={dataCy}
-      />
-    </>
-  );
-}
diff --git a/app/react/components/CodeEditor.module.css b/app/react/components/CodeEditor/CodeEditor.module.css
similarity index 78%
rename from app/react/components/CodeEditor.module.css
rename to app/react/components/CodeEditor/CodeEditor.module.css
index 4936a56e4..2bf9cae88 100644
--- a/app/react/components/CodeEditor.module.css
+++ b/app/react/components/CodeEditor/CodeEditor.module.css
@@ -47,17 +47,33 @@
 
 .root :global(.cm-editor .cm-gutters) {
   border-right: 0px;
+  @apply bg-gray-2 th-dark:bg-gray-10 th-highcontrast:bg-black;
+}
+
+.root :global(.cm-merge-b) {
+  @apply border-0 border-l border-solid border-l-gray-5 th-dark:border-l-gray-7 th-highcontrast:border-l-gray-2;
 }
 
 .root :global(.cm-editor .cm-gutters .cm-lineNumbers .cm-gutterElement) {
   text-align: left;
 }
 
-.root :global(.cm-editor),
-.root :global(.cm-editor .cm-scroller) {
+.codeEditor :global(.cm-editor),
+.codeEditor :global(.cm-editor .cm-scroller) {
   border-radius: 8px;
 }
 
+/* code mirror merge side-by-side editor */
+.root :global(.cm-merge-a),
+.root :global(.cm-merge-a .cm-scroller) {
+  @apply !rounded-r-none;
+}
+
+.root :global(.cm-merge-b),
+.root :global(.cm-merge-b .cm-scroller) {
+  @apply !rounded-l-none;
+}
+
 /*  Search Panel  */
 /* Ideally we would use a react component for that, but this is the easy solution for onw */
 
@@ -162,3 +178,29 @@
 .root :global(.cm-activeLineGutter) {
   @apply bg-inherit;
 }
+
+/* Collapsed lines gutter styles for all themes */
+.root :global(.cm-editor .cm-collapsedLines) {
+  /* inherit bg, instead of using styles from library */
+  background: inherit;
+  @apply bg-blue-2 th-dark:bg-blue-10 th-highcontrast:bg-white th-dark:text-white th-highcontrast:text-black;
+}
+.root :global(.cm-editor .cm-collapsedLines):hover {
+  @apply bg-blue-3 th-dark:bg-blue-9 th-highcontrast:bg-white th-dark:text-white th-highcontrast:text-black;
+}
+
+.root :global(.cm-editor .cm-collapsedLines:before) {
+  content: '↧ Expand all';
+  background: var(--bg-tooltip-color);
+  color: var(--text-tooltip-color);
+  padding: 4px 8px;
+  border-radius: 4px;
+  font-size: 12px;
+  white-space: nowrap;
+  z-index: 1000;
+  margin-left: 4px;
+}
+/* override the default content */
+.root :global(.cm-editor .cm-collapsedLines:after) {
+  content: '';
+}
diff --git a/app/react/components/CodeEditor.test.tsx b/app/react/components/CodeEditor/CodeEditor.test.tsx
similarity index 78%
rename from app/react/components/CodeEditor.test.tsx
rename to app/react/components/CodeEditor/CodeEditor.test.tsx
index 1d1a3ae85..7b100b0e3 100644
--- a/app/react/components/CodeEditor.test.tsx
+++ b/app/react/components/CodeEditor/CodeEditor.test.tsx
@@ -1,9 +1,21 @@
 import { render, screen } from '@testing-library/react';
 import userEvent from '@testing-library/user-event';
+import { Extension } from '@codemirror/state';
 
 import { CodeEditor } from './CodeEditor';
 
-vi.mock('yaml-schema', () => ({}));
+const mockExtension: Extension = { extension: [] };
+vi.mock('yaml-schema', () => ({
+  // yamlSchema has 5 return values (all extensions)
+  yamlSchema: () => [
+    mockExtension,
+    mockExtension,
+    mockExtension,
+    mockExtension,
+    mockExtension,
+  ],
+  yamlCompletion: () => () => ({}),
+}));
 
 const defaultProps = {
   id: 'test-editor',
@@ -24,7 +36,7 @@ test('should render with basic props', () => {
 test('should display placeholder when provided', async () => {
   const placeholder = 'Enter your code here';
   const { findByText } = render(
-    <CodeEditor {...defaultProps} placeholder={placeholder} />
+    <CodeEditor {...defaultProps} textTip={placeholder} />
   );
 
   const placeholderText = await findByText(placeholder);
@@ -44,7 +56,7 @@ test('should show copy button and copy content', async () => {
     clipboard: mockClipboard,
   });
 
-  const copyButton = await findByText('Copy to clipboard');
+  const copyButton = await findByText('Copy');
   expect(copyButton).toBeVisible();
 
   await userEvent.click(copyButton);
@@ -113,3 +125,14 @@ test('should apply custom height', async () => {
   const editor = (await findByRole('textbox')).parentElement?.parentElement;
   expect(editor).toHaveStyle({ height: customHeight });
 });
+
+test('should render with file name header when provided', async () => {
+  const fileName = 'example.yaml';
+  const testValue = 'file content';
+  const { findByText } = render(
+    <CodeEditor {...defaultProps} fileName={fileName} value={testValue} />
+  );
+
+  expect(await findByText(fileName)).toBeInTheDocument();
+  expect(await findByText(testValue)).toBeInTheDocument();
+});
diff --git a/app/react/components/CodeEditor/CodeEditor.tsx b/app/react/components/CodeEditor/CodeEditor.tsx
new file mode 100644
index 000000000..3df9f4193
--- /dev/null
+++ b/app/react/components/CodeEditor/CodeEditor.tsx
@@ -0,0 +1,158 @@
+import CodeMirror from '@uiw/react-codemirror';
+import { useCallback, useState } from 'react';
+import { createTheme } from '@uiw/codemirror-themes';
+import { tags as highlightTags } from '@lezer/highlight';
+import type { JSONSchema7 } from 'json-schema';
+import clsx from 'clsx';
+
+import { AutomationTestingProps } from '@/types';
+
+import { CopyButton } from '@@/buttons/CopyButton';
+
+import { useDebounce } from '../../hooks/useDebounce';
+import { TextTip } from '../Tip/TextTip';
+import { StackVersionSelector } from '../StackVersionSelector';
+
+import styles from './CodeEditor.module.css';
+import {
+  useCodeEditorExtensions,
+  CodeEditorType,
+} from './useCodeEditorExtensions';
+import { FileNameHeader, FileNameHeaderRow } from './FileNameHeader';
+
+interface Props extends AutomationTestingProps {
+  id: string;
+  textTip?: string;
+  type?: CodeEditorType;
+  readonly?: boolean;
+  onChange?: (value: string) => void;
+  value: string;
+  height?: string;
+  versions?: number[];
+  onVersionChange?: (version: number) => void;
+  schema?: JSONSchema7;
+  fileName?: string;
+  placeholder?: string;
+}
+
+export const theme = createTheme({
+  theme: 'light',
+  settings: {
+    background: 'var(--bg-codemirror-color)',
+    foreground: 'var(--text-codemirror-color)',
+    caret: 'var(--border-codemirror-cursor-color)',
+    selection: 'var(--bg-codemirror-selected-color)',
+    selectionMatch: 'var(--bg-codemirror-selected-color)',
+  },
+  styles: [
+    { tag: highlightTags.atom, color: 'var(--text-cm-default-color)' },
+    { tag: highlightTags.meta, color: 'var(--text-cm-meta-color)' },
+    {
+      tag: [highlightTags.string, highlightTags.special(highlightTags.brace)],
+      color: 'var(--text-cm-string-color)',
+    },
+    { tag: highlightTags.number, color: 'var(--text-cm-number-color)' },
+    { tag: highlightTags.keyword, color: 'var(--text-cm-keyword-color)' },
+    { tag: highlightTags.comment, color: 'var(--text-cm-comment-color)' },
+    {
+      tag: highlightTags.variableName,
+      color: 'var(--text-cm-variable-name-color)',
+    },
+  ],
+});
+
+export function CodeEditor({
+  id,
+  onChange = () => {},
+  textTip,
+  readonly,
+  value,
+  versions,
+  onVersionChange,
+  height = '500px',
+  type,
+  schema,
+  'data-cy': dataCy,
+  fileName,
+  placeholder,
+}: Props) {
+  const [isRollback, setIsRollback] = useState(false);
+
+  const extensions = useCodeEditorExtensions(type, schema);
+
+  const handleVersionChange = useCallback(
+    (version: number) => {
+      if (versions && versions.length > 1) {
+        setIsRollback(version < versions[0]);
+      }
+      onVersionChange?.(version);
+    },
+    [onVersionChange, versions]
+  );
+
+  const [debouncedValue, debouncedOnChange] = useDebounce(value, onChange);
+
+  return (
+    <>
+      <div className="mb-2 flex flex-col">
+        <div className="flex items-center justify-between">
+          <div className="flex items-center">
+            {!!textTip && <TextTip color="blue">{textTip}</TextTip>}
+          </div>
+          {/* the copy button is in the file name header, when fileName is provided */}
+          {!fileName && (
+            <div className="flex-2 ml-auto mr-2 flex items-center gap-x-2">
+              <CopyButton
+                data-cy={`copy-code-button-${id}`}
+                fadeDelay={2500}
+                copyText={value}
+                color="link"
+                className="!pr-0 !text-sm !font-medium hover:no-underline focus:no-underline"
+                indicatorPosition="left"
+              >
+                Copy
+              </CopyButton>
+            </div>
+          )}
+        </div>
+        {versions && (
+          <div className="mt-2 flex">
+            <div className="ml-auto mr-2">
+              <StackVersionSelector
+                versions={versions}
+                onChange={handleVersionChange}
+              />
+            </div>
+          </div>
+        )}
+      </div>
+      <div className="overflow-hidden rounded-lg border border-solid border-gray-5 th-dark:border-gray-7 th-highcontrast:border-gray-2">
+        {fileName && (
+          <FileNameHeaderRow>
+            <FileNameHeader
+              fileName={fileName}
+              copyText={value}
+              data-cy={`copy-code-button-${id}`}
+            />
+          </FileNameHeaderRow>
+        )}
+        <CodeMirror
+          className={clsx(styles.root, styles.codeEditor)}
+          theme={theme}
+          value={debouncedValue}
+          onChange={debouncedOnChange}
+          readOnly={readonly || isRollback}
+          id={id}
+          extensions={extensions}
+          height={height}
+          basicSetup={{
+            highlightSelectionMatches: false,
+            autocompletion: !!schema,
+          }}
+          data-cy={dataCy}
+          placeholder={placeholder}
+        />
+      </div>
+    </>
+  );
+}
diff --git a/app/react/components/CodeEditor/DiffViewer.test.tsx b/app/react/components/CodeEditor/DiffViewer.test.tsx
new file mode 100644
index 000000000..9e8b1b8ec
--- /dev/null
+++ b/app/react/components/CodeEditor/DiffViewer.test.tsx
@@ -0,0 +1,101 @@
+import { render } from '@testing-library/react';
+import { vi, describe, it, expect, beforeEach } from 'vitest';
+
+import { DiffViewer } from './DiffViewer';
+
+// Mock CodeMirror
+vi.mock('@uiw/react-codemirror', () => ({
+  __esModule: true,
+  default: () => <div data-cy="mock-editor" />,
+  oneDarkHighlightStyle: {},
+  keymap: {
+    of: () => ({}),
+  },
+}));
+
+// Mock react-codemirror-merge
+vi.mock('react-codemirror-merge', () => {
+  function CodeMirrorMerge({ children }: { children: React.ReactNode }) {
+    return <div data-cy="mock-code-mirror-merge">{children}</div>;
+  }
+  function Original({ value }: { value: string }) {
+    return <div data-cy="mock-original">{value}</div>;
+  }
+  function Modified({ value }: { value: string }) {
+    return <div data-cy="mock-modified">{value}</div>;
+  }
+
+  CodeMirrorMerge.Original = Original;
+  CodeMirrorMerge.Modified = Modified;
+
+  return {
+    __esModule: true,
+    default: CodeMirrorMerge,
+    CodeMirrorMerge,
+  };
+});
+
+describe('DiffViewer', () => {
+  beforeEach(() => {
+    // Clear any mocks or state before each test
+    vi.clearAllMocks();
+  });
+
+  it('should render with basic props', () => {
+    const { getByText } = render(
+      <DiffViewer
+        originalCode="Original text"
+        newCode="New text"
+        id="test-diff-viewer"
+        data-cy="test-diff-viewer"
+      />
+    );
+
+    // Check if the component renders with the expected content
+    expect(getByText('Original text')).toBeInTheDocument();
+    expect(getByText('New text')).toBeInTheDocument();
+  });
+
+  it('should render with file name headers when provided', () => {
+    const { getByText } = render(
+      <DiffViewer
+        originalCode="Original text"
+        newCode="New text"
+        id="test-diff-viewer"
+        data-cy="test-diff-viewer"
+        fileNames={{
+          original: 'Original File',
+          modified: 'Modified File',
+        }}
+      />
+    );
+
+    // Look for elements with the expected class structure
+    const headerOriginal = getByText('Original File');
+    const headerModified = getByText('Modified File');
+    expect(headerOriginal).toBeInTheDocument();
+    expect(headerModified).toBeInTheDocument();
+  });
+
+  it('should apply custom height when provided', () => {
+    const customHeight = '800px';
+    const { container } = render(
+      <DiffViewer
+        originalCode="Original text"
+        newCode="New text"
+        id="test-diff-viewer"
+        data-cy="test-diff-viewer"
+        height={customHeight}
+      />
+    );
+
+    // Find the element with the style containing the height
+    const divWithStyle = container.querySelector('[style*="height"]');
+    expect(divWithStyle).toBeInTheDocument();
+
+    // Check that the style contains the expected height
+    expect(divWithStyle?.getAttribute('style')).toContain(
+      `height: ${customHeight}`
+    );
+  });
+});
diff --git a/app/react/components/CodeEditor/DiffViewer.tsx b/app/react/components/CodeEditor/DiffViewer.tsx
new file mode 100644
index 000000000..9a66407af
--- /dev/null
+++ b/app/react/components/CodeEditor/DiffViewer.tsx
@@ -0,0 +1,138 @@
+import CodeMirrorMerge from 'react-codemirror-merge';
+import clsx from 'clsx';
+
+import { AutomationTestingProps } from '@/types';
+
+import { FileNameHeader, FileNameHeaderRow } from './FileNameHeader';
+import styles from './CodeEditor.module.css';
+import {
+  CodeEditorType,
+  useCodeEditorExtensions,
+} from './useCodeEditorExtensions';
+import { theme } from './CodeEditor';
+
+const { Original } = CodeMirrorMerge;
+const { Modified } = CodeMirrorMerge;
+
+type Props = {
+  originalCode: string;
+  newCode: string;
+  id: string;
+  type?: CodeEditorType;
+  placeholder?: string;
+  height?: string;
+  fileNames?: {
+    original: string;
+    modified: string;
+  };
+  className?: string;
+} & AutomationTestingProps;
+
+const defaultCollapseUnchanged = {
+  margin: 10,
+  minSize: 10,
+};
+
+export function DiffViewer({
+  originalCode,
+  newCode,
+  id,
+  'data-cy': dataCy,
+  type,
+  placeholder = 'No values found',
+
+  height = '500px',
+  fileNames,
+  className,
+}: Props) {
+  const extensions = useCodeEditorExtensions(type);
+  const hasFileNames = !!fileNames?.original && !!fileNames?.modified;
+  return (
+    <div
+      className={clsx(
+        'overflow-hidden rounded-lg border border-solid border-gray-5 th-dark:border-gray-7 th-highcontrast:border-gray-2',
+        className
+      )}
+    >
+      {hasFileNames && (
+        <DiffFileNameHeaders
+          originalCopyText={originalCode}
+          modifiedCopyText={newCode}
+          originalFileName={fileNames.original}
+          modifiedFileName={fileNames.modified}
+        />
+      )}
+      {/* additional div, so that the scroll gutter doesn't overlap with the rounded border, and always show scrollbar, so that the file name headers align */}
+      <div
+        style={
+          {
+            // tailwind doesn't like dynamic class names, so use a custom css variable for the height
+            // https://v3.tailwindcss.com/docs/content-configuration#dynamic-class-names
+            '--editor-min-height': height,
+            height,
+          } as React.CSSProperties
+        }
+        className="h-full [scrollbar-gutter:stable] overflow-y-scroll"
+      >
+        <CodeMirrorMerge
+          theme={theme}
+          className={clsx(
+            styles.root,
+            // to give similar sizing to CodeEditor
+            '[&_.cm-content]:!min-h-[var(--editor-min-height)] [&_.cm-gutters]:!min-h-[var(--editor-min-height)] [&_.cm-editor>.cm-scroller]:!min-h-[var(--editor-min-height)]'
+          )}
+          id={id}
+          data-cy={dataCy}
+          collapseUnchanged={defaultCollapseUnchanged}
+        >
+          <Original
+            value={originalCode}
+            extensions={extensions}
+            readOnly
+            editable={false}
+            placeholder={placeholder}
+          />
+          <Modified
+            value={newCode}
+            extensions={extensions}
+            readOnly
+            editable={false}
+            placeholder={placeholder}
+          />
+        </CodeMirrorMerge>
+      </div>
+    </div>
+  );
+}
+
+function DiffFileNameHeaders({
+  originalCopyText,
+  modifiedCopyText,
+  originalFileName,
+  modifiedFileName,
+}: {
+  originalCopyText: string;
+  modifiedCopyText: string;
+  originalFileName: string;
+  modifiedFileName: string;
+}) {
+  return (
+    <FileNameHeaderRow>
+      <div className="w-1/2">
+        <FileNameHeader
+          fileName={originalFileName}
+          copyText={originalCopyText}
+          data-cy="original"
+        />
+      </div>
+      <div className="w-px bg-gray-5 th-dark:bg-gray-7 th-highcontrast:bg-gray-2" />
+      <div className="flex-1">
+        <FileNameHeader
+          fileName={modifiedFileName}
+          copyText={modifiedCopyText}
+          data-cy="modified"
+        />
+      </div>
+    </FileNameHeaderRow>
+  );
+}
diff --git a/app/react/components/CodeEditor/FileNameHeader.tsx b/app/react/components/CodeEditor/FileNameHeader.tsx
new file mode 100644
index 000000000..eb3418f2a
--- /dev/null
+++ b/app/react/components/CodeEditor/FileNameHeader.tsx
@@ -0,0 +1,71 @@
+import clsx from 'clsx';
+
+import { AutomationTestingProps } from '@/types';
+
+import { CopyButton } from '@@/buttons/CopyButton';
+
+type FileNameHeaderProps = {
+  fileName: string;
+  copyText: string;
+  className?: string;
+  style?: React.CSSProperties;
+} & AutomationTestingProps;
+
+/**
+ * FileNameHeaderRow: Outer container for file name headers (single or multiple columns).
+ * Use this to wrap one or more <FileNameHeader> components (and optional dividers).
+ */
+export function FileNameHeaderRow({
+  children,
+  className,
+  style,
+}: {
+  children: React.ReactNode;
+  className?: string;
+  style?: React.CSSProperties;
+}) {
+  return (
+    <div
+      className={clsx(
+        'flex w-full text-sm text-muted border-0 border-b border-solid border-b-gray-5 th-dark:border-b-gray-7 th-highcontrast:border-b-gray-2 bg-gray-2 th-dark:bg-gray-10 th-highcontrast:bg-black [scrollbar-gutter:stable] overflow-auto',
+        className
+      )}
+      style={style}
+    >
+      {children}
+    </div>
+  );
+}
+
+/**
+ * FileNameHeader: Renders a file name with a copy button, styled for use above a code editor or diff viewer.
+ * Should be used inside FileNameHeaderRow.
+ */
+export function FileNameHeader({
+  fileName,
+  copyText,
+  className = '',
+  style,
+  'data-cy': dataCy,
+}: FileNameHeaderProps) {
+  return (
+    <div
+      className={clsx(
+        'w-full overflow-auto flex justify-between items-center gap-x-2 px-4 py-1 text-sm text-muted',
+        className
+      )}
+      style={style}
+    >
+      {fileName}
+      <CopyButton
+        data-cy={dataCy}
+        copyText={copyText}
+        color="link"
+        className="!pr-0 !text-sm !font-medium hover:no-underline focus:no-underline"
+        indicatorPosition="left"
+      >
+        Copy
+      </CopyButton>
+    </div>
+  );
+}
diff --git a/app/react/components/CodeEditor/index.ts b/app/react/components/CodeEditor/index.ts
new file mode 100644
index 000000000..aa4b20325
--- /dev/null
+++ b/app/react/components/CodeEditor/index.ts
@@ -0,0 +1 @@
+export * from './CodeEditor';
diff --git a/app/react/components/CodeEditor/useCodeEditorExtensions.ts b/app/react/components/CodeEditor/useCodeEditorExtensions.ts
new file mode 100644
index 000000000..3b46a543e
--- /dev/null
+++ b/app/react/components/CodeEditor/useCodeEditorExtensions.ts
@@ -0,0 +1,91 @@
+import { useMemo } from 'react';
+import {
+  StreamLanguage,
+  LanguageSupport,
+  syntaxHighlighting,
+  indentService,
+} from '@codemirror/language';
+import { dockerFile } from '@codemirror/legacy-modes/mode/dockerfile';
+import { shell } from '@codemirror/legacy-modes/mode/shell';
+import {
+  oneDarkHighlightStyle,
+  keymap,
+  Extension,
+} from '@uiw/react-codemirror';
+import type { JSONSchema7 } from 'json-schema';
+import { lintKeymap, lintGutter } from '@codemirror/lint';
+import { defaultKeymap } from '@codemirror/commands';
+import { autocompletion, completionKeymap } from '@codemirror/autocomplete';
+import { yamlCompletion, yamlSchema } from 'yaml-schema';
+import { compact } from 'lodash';
+import { lineNumbers } from '@codemirror/view';
+
+export type CodeEditorType = 'yaml' | 'shell' | 'dockerfile';
+
+// Custom indentation service for YAML
+const yamlIndentExtension = indentService.of((context, pos) => {
+  const prevLine = context.lineAt(pos, -1);
+  const prevIndent = /^\s*/.exec(prevLine.text)?.[0].length || 0;
+  if (/:\s*$/.test(prevLine.text)) {
+    return prevIndent + 2;
+  }
+  return prevIndent;
+});
+
+const dockerFileLanguage = new LanguageSupport(
+  StreamLanguage.define(dockerFile)
+);
+const shellLanguage = new LanguageSupport(StreamLanguage.define(shell));
+
+function yamlLanguage(schema?: JSONSchema7) {
+  const [yaml, linter, , , stateExtensions] = yamlSchema(schema);
+
+  return compact([
+    yaml,
+    linter,
+    stateExtensions,
+    yamlIndentExtension,
+    syntaxHighlighting(oneDarkHighlightStyle),
+    // explicitly setting lineNumbers() as an extension ensures that the gutter order is the same between the diff viewer and the code editor
+    lineNumbers(),
+    lintGutter(),
+    keymap.of([...defaultKeymap, ...completionKeymap, ...lintKeymap]),
+    // only show completions when a schema is provided
+    !!schema &&
+      autocompletion({
+        icons: false,
+        activateOnTypingDelay: 300,
+        selectOnOpen: true,
+        activateOnTyping: true,
+        override: [
+          (ctx) => {
+            const getCompletions = yamlCompletion();
+            const completions = getCompletions(ctx);
+            if (Array.isArray(completions)) {
+              return null;
+            }
+            completions.validFor = /^\w*$/;
+            return completions;
+          },
+        ],
+      }),
+  ]);
+}
+
+export function useCodeEditorExtensions(
+  type?: CodeEditorType,
+  schema?: JSONSchema7
+): Extension[] {
+  return useMemo(() => {
+    switch (type) {
+      case 'dockerfile':
+        return [dockerFileLanguage];
+      case 'shell':
+        return [shellLanguage];
+      case 'yaml':
+        return yamlLanguage(schema);
+      default:
+        return [];
+    }
+  }, [type, schema]);
+}
diff --git a/app/react/components/InlineLoader/InlineLoader.tsx b/app/react/components/InlineLoader/InlineLoader.tsx
index b5d75eae6..d91354de7 100644
--- a/app/react/components/InlineLoader/InlineLoader.tsx
+++ b/app/react/components/InlineLoader/InlineLoader.tsx
@@ -13,21 +13,21 @@ export type Props = {
 };
 
 const sizeStyles: Record<Size, string> = {
-  xs: 'text-xs',
-  sm: 'text-sm',
-  md: 'text-md',
+  xs: 'text-xs gap-1',
+  sm: 'text-sm gap-2',
+  md: 'text-md gap-2',
 };
 
 export function InlineLoader({ children, className, size = 'sm' }: Props) {
   return (
     <div
       className={clsx(
-        'text-muted flex items-center gap-2',
+        'text-muted flex items-center',
         className,
         sizeStyles[size]
       )}
     >
-      <Icon icon={Loader2} className="animate-spin-slow" />
+      <Icon icon={Loader2} className="animate-spin-slow flex-none" />
       {children}
     </div>
   );
diff --git a/app/react/components/RadioGroup/RadioGroup.tsx b/app/react/components/RadioGroup/RadioGroup.tsx
index 4380d1d9c..5aacf03c0 100644
--- a/app/react/components/RadioGroup/RadioGroup.tsx
+++ b/app/react/components/RadioGroup/RadioGroup.tsx
@@ -1,10 +1,19 @@
-import { Option } from '@@/form-components/PortainerSelect';
+import { ReactNode } from 'react';
+
+// allow custom labels
+export interface RadioGroupOption<TValue> {
+  value: TValue;
+  label: ReactNode;
+  disabled?: boolean;
+}
 
 interface Props<T extends string | number> {
-  options: Array<Option<T>> | ReadonlyArray<Option<T>>;
+  options: Array<RadioGroupOption<T>> | ReadonlyArray<RadioGroupOption<T>>;
   selectedOption: T;
   name: string;
   onOptionChange: (value: T) => void;
+  groupClassName?: string;
+  itemClassName?: string;
 }
 
 export function RadioGroup<T extends string | number = string>({
@@ -12,13 +21,18 @@ export function RadioGroup<T extends string | number = string>({
   selectedOption,
   name,
   onOptionChange,
+  groupClassName,
+  itemClassName,
 }: Props<T>) {
   return (
-    <div className="flex flex-wrap gap-x-2 gap-y-1">
+    <div className={groupClassName ?? 'flex flex-wrap gap-x-2 gap-y-1'}>
       {options.map((option) => (
         <label
           key={option.value}
-          className="col-sm-3 col-lg-2 control-label !p-0 text-left font-normal"
+          className={
+            itemClassName ??
+            'col-sm-3 col-lg-2 control-label !p-0 text-left font-normal'
+          }
         >
           <input
             type="radio"
@@ -28,6 +42,7 @@ export function RadioGroup<T extends string | number = string>({
             onChange={() => onOptionChange(option.value)}
             style={{ margin: '0 4px 0 0' }}
             data-cy={`radio-${option.value}`}
+            disabled={option.disabled}
           />
           {option.label}
         </label>
diff --git a/app/react/components/Sheet.tsx b/app/react/components/Sheet.tsx
new file mode 100644
index 000000000..3d5983877
--- /dev/null
+++ b/app/react/components/Sheet.tsx
@@ -0,0 +1,159 @@
+import {
+  ComponentPropsWithoutRef,
+  forwardRef,
+  ElementRef,
+  PropsWithChildren,
+} from 'react';
+import * as SheetPrimitive from '@radix-ui/react-dialog';
+import { cva, type VariantProps } from 'class-variance-authority';
+import clsx from 'clsx';
+import { RefreshCw, X } from 'lucide-react';
+
+import { Button } from './buttons';
+
+// modified from shadcn sheet component
+const Sheet = SheetPrimitive.Root;
+
+const SheetTrigger = SheetPrimitive.Trigger;
+
+const SheetClose = SheetPrimitive.Close;
+
+const SheetPortal = SheetPrimitive.Portal;
+
+const SheetDescription = SheetPrimitive.Description;
+
+type SheetTitleProps = {
+  title: string;
+  onReload?(): Promise<void> | void;
+};
+
+// similar to the PageHeader component with simplified props and no breadcrumbs
+function SheetHeader({
+  onReload,
+  title,
+  children,
+}: PropsWithChildren<SheetTitleProps>) {
+  return (
+    <div className="row">
+      <div className="col-sm-12 pt-3 flex gap-2 justify-between">
+        <div className="flex items-center gap-2">
+          <SheetPrimitive.DialogTitle className="m-0 text-2xl font-medium text-gray-11 th-highcontrast:text-white th-dark:text-white">
+            {title}
+          </SheetPrimitive.DialogTitle>
+          {onReload ? (
+            <Button
+              color="none"
+              size="large"
+              onClick={onReload}
+              className="m-0 p-0 focus:text-inherit"
+              title="Refresh drawer content"
+              data-cy="sheet-refreshButton"
+            >
+              <RefreshCw className="icon" />
+            </Button>
+          ) : null}
+        </div>
+        {children}
+      </div>
+    </div>
+  );
+}
+
+const SheetOverlay = forwardRef<
+  ElementRef<typeof SheetPrimitive.Overlay>,
+  ComponentPropsWithoutRef<typeof SheetPrimitive.Overlay>
+>(({ className, ...props }, ref) => (
+  <SheetPrimitive.Overlay
+    className={clsx(
+      'fixed inset-0 bg-black/80 data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0',
+      className
+    )}
+    // eslint-disable-next-line react/jsx-props-no-spreading
+    {...props}
+    ref={ref}
+  />
+));
+SheetOverlay.displayName = SheetPrimitive.Overlay.displayName;
+
+const sheetVariants = cva(
+  'fixed gap-4 bg-widget-color p-5 shadow-lg transition ease-in-out data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:duration-300 data-[state=open]:duration-500',
+  {
+    variants: {
+      side: {
+        top: 'inset-x-0 top-0 border-b data-[state=closed]:slide-out-to-top data-[state=open]:slide-in-from-top',
+        bottom:
+          'inset-x-0 bottom-0 border-t data-[state=closed]:slide-out-to-bottom data-[state=open]:slide-in-from-bottom',
+        left: 'inset-y-0 left-0 h-full w-[70vw] lg:w-[50vw] border-r data-[state=closed]:slide-out-to-left data-[state=open]:slide-in-from-left max-w-2xl',
+        right:
+          'inset-y-0 right-0 h-full w-[70vw] lg:w-[50vw] border-l data-[state=closed]:slide-out-to-right data-[state=open]:slide-in-from-right max-w-2xl',
+      },
+    },
+    defaultVariants: {
+      side: 'right',
+    },
+  }
+);
+
+interface SheetContentProps
+  extends ComponentPropsWithoutRef<typeof SheetPrimitive.Content>,
+    VariantProps<typeof sheetVariants> {
+  showCloseButton?: boolean;
+}
+
+const SheetContent = forwardRef<
+  ElementRef<typeof SheetPrimitive.Content>,
+  SheetContentProps
+>(
+  (
+    {
+      side = 'right',
+      className,
+      children,
+      title,
+      showCloseButton = true,
+      ...props
+    },
+    ref
+  ) => (
+    <SheetPortal>
+      <SheetOverlay />
+      <SheetPrimitive.Content
+        ref={ref}
+        className={clsx(sheetVariants({ side }), className)}
+        // eslint-disable-next-line react/jsx-props-no-spreading
+        {...props}
+      >
+        {title ? <SheetHeader title={title} /> : null}
+        {children}
+        {showCloseButton && (
+          <SheetPrimitive.Close
+            asChild
+            className="absolute close-button right-9 top-8 disabled:pointer-events-none"
+          >
+            <Button
+              icon={X}
+              color="none"
+              className="btn-only-icon"
+              size="medium"
+              data-cy="sheet-closeButton"
+            >
+              <span className="sr-only">Close</span>
+            </Button>
+          </SheetPrimitive.Close>
+        )}
+      </SheetPrimitive.Content>
+    </SheetPortal>
+  )
+);
+SheetContent.displayName = SheetPrimitive.Content.displayName;
+
+export {
+  Sheet,
+  SheetPortal,
+  SheetOverlay,
+  SheetTrigger,
+  SheetClose,
+  SheetContent,
+  SheetDescription,
+  SheetHeader,
+};
diff --git a/app/react/components/WebEditorForm.tsx b/app/react/components/WebEditorForm.tsx
index 222a4552f..75031a454 100644
--- a/app/react/components/WebEditorForm.tsx
+++ b/app/react/components/WebEditorForm.tsx
@@ -74,6 +74,7 @@ export function WebEditorForm({
   children,
   error,
   schema,
+  textTip,
   ...props
 }: PropsWithChildren<Props>) {
   return (
@@ -99,6 +100,7 @@ export function WebEditorForm({
               id={id}
               type="yaml"
               schema={schema as JSONSchema7}
+              textTip={textTip}
               // eslint-disable-next-line react/jsx-props-no-spreading
               {...props}
             />
diff --git a/app/react/components/Widget/WidgetIcon.tsx b/app/react/components/Widget/WidgetIcon.tsx
new file mode 100644
index 000000000..0309d185e
--- /dev/null
+++ b/app/react/components/Widget/WidgetIcon.tsx
@@ -0,0 +1,11 @@
+import { ReactNode } from 'react';
+
+import { Icon } from '@@/Icon';
+
+export function WidgetIcon({ icon }: { icon: ReactNode }) {
+  return (
+    <div className="text-lg inline-flex items-center rounded-full bg-blue-3 text-blue-8 th-dark:bg-gray-9 th-dark:text-blue-3 p-2">
+      <Icon icon={icon} />
+    </div>
+  );
+}
diff --git a/app/react/components/Widget/WidgetTitle.tsx b/app/react/components/Widget/WidgetTitle.tsx
index 2623c374c..3ed390e33 100644
--- a/app/react/components/Widget/WidgetTitle.tsx
+++ b/app/react/components/Widget/WidgetTitle.tsx
@@ -1,9 +1,7 @@
 import clsx from 'clsx';
 import { PropsWithChildren, ReactNode } from 'react';
 
-import { Icon } from '@/react/components/Icon';
-
-import { useWidgetContext } from './Widget';
+import { WidgetIcon } from './WidgetIcon';
 
 interface Props {
   title: ReactNode;
@@ -17,16 +15,12 @@ export function WidgetTitle({
   className,
   children,
 }: PropsWithChildren<Props>) {
-  useWidgetContext();
-
   return (
     <div className="widget-header">
       <div className="row">
         <span className={clsx('pull-left vertical-center', className)}>
-          <div className="widget-icon">
-            <Icon icon={icon} className="space-right" />
-          </div>
-          <h2 className="text-base m-0">{title}</h2>
+          <WidgetIcon icon={icon} />
+          <h2 className="text-base m-0 ml-1">{title}</h2>
         </span>
         <span className={clsx('pull-right', className)}>{children}</span>
       </div>
diff --git a/app/react/components/buttons/CopyButton/CopyButton.stories.tsx b/app/react/components/buttons/CopyButton/CopyButton.stories.tsx
index 42368f9b0..2a3df593b 100644
--- a/app/react/components/buttons/CopyButton/CopyButton.stories.tsx
+++ b/app/react/components/buttons/CopyButton/CopyButton.stories.tsx
@@ -26,13 +26,13 @@ function Template({
 
 export const Primary: Story<PropsWithChildren<Props>> = Template.bind({});
 Primary.args = {
-  children: 'Copy to clipboard',
+  children: 'Copy',
   copyText: 'this will be copied to clipboard',
 };
 
 export const NoCopyText: Story<PropsWithChildren<Props>> = Template.bind({});
 NoCopyText.args = {
-  children: 'Copy to clipboard without copied text',
+  children: 'Copy without copied text',
   copyText: 'clipboard override',
   displayText: '',
 };
diff --git a/app/react/components/datatables/Datatable.tsx b/app/react/components/datatables/Datatable.tsx
index 2d0b2dfa8..dff56aaf6 100644
--- a/app/react/components/datatables/Datatable.tsx
+++ b/app/react/components/datatables/Datatable.tsx
@@ -58,7 +58,7 @@ export interface Props<D extends DefaultType> extends AutomationTestingProps {
   getRowId?(row: D): string;
   isRowSelectable?(row: Row<D>): boolean;
   emptyContentLabel?: string;
-  title?: string;
+  title?: React.ReactNode;
   titleIcon?: IconProps['icon'];
   titleId?: string;
   initialTableState?: Partial<TableState>;
@@ -71,6 +71,8 @@ export interface Props<D extends DefaultType> extends AutomationTestingProps {
   noWidget?: boolean;
   extendTableOptions?: (options: TableOptions<D>) => TableOptions<D>;
   includeSearch?: boolean;
+  ariaLabel?: string;
+  id?: string;
 }
 
 export function Datatable<D extends DefaultType>({
@@ -100,6 +102,8 @@ export function Datatable<D extends DefaultType>({
   isServerSidePagination = false,
   extendTableOptions = (value) => value,
   includeSearch,
+  ariaLabel,
+  id,
 }: Props<D> & PaginationProps) {
   const pageCount = useMemo(
     () => Math.ceil(totalCount / settings.pageSize),
@@ -181,9 +185,14 @@ export function Datatable<D extends DefaultType>({
     () => _.difference(selectedItems, filteredItems),
     [selectedItems, filteredItems]
   );
+  const { titleAriaLabel, contentAriaLabel } = getAriaLabels(
+    ariaLabel,
+    title,
+    titleId
+  );
 
   return (
-    <Table.Container noWidget={noWidget} aria-label={title}>
+    <Table.Container noWidget={noWidget} aria-label={titleAriaLabel} id={id}>
       <DatatableHeader
         onSearchChange={handleSearchBarChange}
         searchValue={settings.search}
@@ -204,7 +213,7 @@ export function Datatable<D extends DefaultType>({
         isLoading={isLoading}
         onSortChange={handleSortChange}
         data-cy={dataCy}
-        aria-label={`${title} table`}
+        aria-label={contentAriaLabel}
       />
 
       <DatatableFooter
@@ -239,6 +248,23 @@ export function Datatable<D extends DefaultType>({
   }
 }
 
+function getAriaLabels(
+  titleAriaLabel?: string,
+  title?: ReactNode,
+  titleId?: string
+) {
+  if (titleAriaLabel) {
+    return { titleAriaLabel, contentAriaLabel: `${titleAriaLabel} table` };
+  }
+  if (typeof title === 'string') {
+    return { titleAriaLabel: title, contentAriaLabel: `${title} table` };
+  }
+  if (titleId) {
+    return { titleAriaLabel: titleId, contentAriaLabel: `${titleId} table` };
+  }
+  return { titleAriaLabel: 'table', contentAriaLabel: 'table' };
+}
+
 function defaultRenderRow<D extends DefaultType>(
   row: Row<D>,
   highlightedItemId?: string
diff --git a/app/react/components/datatables/DatatableHeader.tsx b/app/react/components/datatables/DatatableHeader.tsx
index 810f13c7a..bc0f56763 100644
--- a/app/react/components/datatables/DatatableHeader.tsx
+++ b/app/react/components/datatables/DatatableHeader.tsx
@@ -8,7 +8,7 @@ import { SearchBar } from './SearchBar';
 import { Table } from './Table';
 
 type Props = {
-  title?: string;
+  title?: React.ReactNode;
   titleIcon?: IconProps['icon'];
   searchValue: string;
   onSearchChange(value: string): void;
@@ -52,7 +52,7 @@ export function DatatableHeader({
   return (
     <Table.Title
       id={titleId}
-      label={title ?? ''}
+      label={title}
       icon={titleIcon}
       description={description}
       data-cy={dataCy}
diff --git a/app/react/components/datatables/TableContainer.tsx b/app/react/components/datatables/TableContainer.tsx
index d764e225a..537bd6f39 100644
--- a/app/react/components/datatables/TableContainer.tsx
+++ b/app/react/components/datatables/TableContainer.tsx
@@ -6,12 +6,14 @@ interface Props {
   // workaround to remove the widget, ideally we should have a different component to wrap the table with a widget
   noWidget?: boolean;
   'aria-label'?: string;
+  id?: string;
 }
 
 export function TableContainer({
   children,
   noWidget = false,
   'aria-label': ariaLabel,
+  id,
 }: PropsWithChildren<Props>) {
   if (noWidget) {
     return (
@@ -25,7 +27,7 @@ export function TableContainer({
     <div className="row">
       <div className="col-sm-12">
         <div className="datatable">
-          <Widget aria-label={ariaLabel}>
+          <Widget aria-label={ariaLabel} id={id}>
             <WidgetBody className="no-padding">{children}</WidgetBody>
           </Widget>
         </div>
diff --git a/app/react/components/datatables/TableTitle.tsx b/app/react/components/datatables/TableTitle.tsx
index e253a8b66..feaf529bb 100644
--- a/app/react/components/datatables/TableTitle.tsx
+++ b/app/react/components/datatables/TableTitle.tsx
@@ -5,7 +5,7 @@ import { Icon } from '@@/Icon';
 
 interface Props {
   icon?: ReactNode | ComponentType<unknown>;
-  label: string;
+  label: React.ReactNode;
   description?: ReactNode;
   className?: string;
   id?: string;
diff --git a/app/react/components/form-components/EnvironmentVariablesFieldset/AdvancedMode.tsx b/app/react/components/form-components/EnvironmentVariablesFieldset/AdvancedMode.tsx
index 7deac19ee..54bc3e691 100644
--- a/app/react/components/form-components/EnvironmentVariablesFieldset/AdvancedMode.tsx
+++ b/app/react/components/form-components/EnvironmentVariablesFieldset/AdvancedMode.tsx
@@ -43,7 +43,7 @@ export function AdvancedMode({
         id="environment-variables-editor"
         value={editorValue}
         onChange={handleEditorChange}
-        placeholder="e.g. key=value"
+        textTip="e.g. key=value"
         data-cy={dataCy}
       />
     </>
diff --git a/app/react/components/modals/Modal/Modal.module.css b/app/react/components/modals/Modal/Modal.module.css
index f6ab6bb4b..73bf935d7 100644
--- a/app/react/components/modals/Modal/Modal.module.css
+++ b/app/react/components/modals/Modal/Modal.module.css
@@ -10,14 +10,8 @@
 
 .modal-content {
   background-color: var(--bg-modal-content-color);
-  padding: 20px;
-
-  position: relative;
 
   border: 1px solid rgba(0, 0, 0, 0.2);
-  border-radius: 6px;
-
-  outline: 0;
 
   box-shadow: 0 5px 15px rgb(0 0 0 / 50%);
 }
diff --git a/app/react/components/modals/Modal/Modal.tsx b/app/react/components/modals/Modal/Modal.tsx
index 1f2cb729b..0d1b0319c 100644
--- a/app/react/components/modals/Modal/Modal.tsx
+++ b/app/react/components/modals/Modal/Modal.tsx
@@ -39,7 +39,7 @@ export function Modal({
         isOpen
         className={clsx(
           styles.overlay,
-          'z-50 flex items-center justify-center'
+          'flex items-center justify-center z-50'
         )}
         onDismiss={onDismiss}
         role="dialog"
@@ -56,7 +56,13 @@ export function Modal({
             }
           )}
         >
-          <div className={clsx(styles.modalContent, 'relative', className)}>
+          <div
+            className={clsx(
+              styles.modalContent,
+              'relative overflow-y-auto p-5 rounded-lg',
+              className
+            )}
+          >
             {children}
             {onDismiss && <CloseButton onClose={onDismiss} />}
           </div>
diff --git a/app/react/edge/edge-jobs/CreateView/CreateEdgeJobForm.tsx b/app/react/edge/edge-jobs/CreateView/CreateEdgeJobForm.tsx
index 3fad4a8da..e871d197d 100644
--- a/app/react/edge/edge-jobs/CreateView/CreateEdgeJobForm.tsx
+++ b/app/react/edge/edge-jobs/CreateView/CreateEdgeJobForm.tsx
@@ -86,7 +86,7 @@ function InnerForm({ isLoading }: { isLoading: boolean }) {
           id="edge-job-editor"
           onChange={(value) => setFieldValue('fileContent', value)}
           value={values.fileContent}
-          placeholder="Define or paste the content of your script file here"
+          textTip="Define or paste the content of your script file here"
           type="shell"
           error={errors.fileContent}
         />
diff --git a/app/react/edge/edge-jobs/ItemView/UpdateEdgeJobForm/UpdateEdgeJobForm.tsx b/app/react/edge/edge-jobs/ItemView/UpdateEdgeJobForm/UpdateEdgeJobForm.tsx
index e25684b97..54ae5dc60 100644
--- a/app/react/edge/edge-jobs/ItemView/UpdateEdgeJobForm/UpdateEdgeJobForm.tsx
+++ b/app/react/edge/edge-jobs/ItemView/UpdateEdgeJobForm/UpdateEdgeJobForm.tsx
@@ -82,7 +82,7 @@ function InnerForm({ isLoading }: { isLoading: boolean }) {
         id="edge-job-editor"
         onChange={(value) => setFieldValue('fileContent', value)}
         value={values.fileContent}
-        placeholder="Define or paste the content of your script file here"
+        textTip="Define or paste the content of your script file here"
         type="shell"
         error={errors.fileContent}
       />
diff --git a/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx b/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx
index 2f24354bb..7758b353a 100644
--- a/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx
+++ b/app/react/edge/edge-stacks/CreateView/DockerContentField.tsx
@@ -28,7 +28,7 @@ export function DockerContentField({
       value={value}
       onChange={onChange}
       type="yaml"
-      placeholder="Define or paste the content of your docker compose file here"
+      textTip="Define or paste the content of your docker compose file here"
       error={error}
       readonly={readonly}
       schema={dockerComposeSchemaQuery.data}
diff --git a/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx b/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx
index 1c516d86e..4b2d3504f 100644
--- a/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx
+++ b/app/react/edge/edge-stacks/CreateView/KubeManifestForm.tsx
@@ -74,7 +74,7 @@ export function KubeManifestForm({
           value={values.fileContent}
           onChange={(value) => handleChange({ fileContent: value })}
           type="yaml"
-          placeholder="Define or paste the content of your manifest file here"
+          textTip="Define or paste the content of your manifest file here"
           error={errors?.fileContent}
           data-cy="stack-creation-editor"
         >
diff --git a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx
index 806d793ab..8d3fb22d8 100644
--- a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx
+++ b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/ComposeForm.tsx
@@ -66,7 +66,7 @@ export function ComposeForm({
         type="yaml"
         schema={dockerComposeSchema}
         id="compose-editor"
-        placeholder="Define or paste the content of your docker compose file here"
+        textTip="Define or paste the content of your docker compose file here"
         onChange={(value) => handleContentChange(DeploymentType.Compose, value)}
         error={errors.content}
         readonly={hasKubeEndpoint}
diff --git a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/KubernetesForm.tsx b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/KubernetesForm.tsx
index e84acade5..a493ef131 100644
--- a/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/KubernetesForm.tsx
+++ b/app/react/edge/edge-stacks/ItemView/EditEdgeStackForm/KubernetesForm.tsx
@@ -37,7 +37,7 @@ export function KubernetesForm({
         value={values.content}
         type="yaml"
         id="kube-manifest-editor"
-        placeholder="Define or paste the content of your manifest here"
+        textTip="Define or paste the content of your manifest here"
         onChange={(value) =>
           handleContentChange(DeploymentType.Kubernetes, value)
         }
diff --git a/app/react/hooks/useDebounce.ts b/app/react/hooks/useDebounce.ts
index 271b0158c..4125df8ff 100644
--- a/app/react/hooks/useDebounce.ts
+++ b/app/react/hooks/useDebounce.ts
@@ -34,19 +34,23 @@ import { useState, useRef, useCallback, useEffect } from 'react';
 //
 //   return (<Input value={debouncedValue} onChange={(e) => handleChange(e.target.value)} />)
 // }
-export function useDebounce(value: string, onChange: (value: string) => void) {
+export function useDebounce<T = string>(
+  value: T,
+  onChange: (value: T) => void,
+  delay = 300
+) {
   const [debouncedValue, setDebouncedValue] = useState(value);
 
   // Do not change. See notes above
   const onChangeDebouncer = useRef(
     debounce(
-      (value: string, onChangeFunc: (v: string) => void) => onChangeFunc(value),
-      300
+      (value: T, onChangeFunc: (v: T) => void) => onChangeFunc(value),
+      delay
     )
   );
 
   const handleChange = useCallback(
-    (value: string) => {
+    (value: T) => {
       setDebouncedValue(value);
       onChangeDebouncer.current(value, onChange);
     },
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationEventsDatatable.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationEventsDatatable.tsx
index f578dc355..8f4289f74 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationEventsDatatable.tsx
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationEventsDatatable.tsx
@@ -1,5 +1,6 @@
 import { useCurrentStateAndParams } from '@uirouter/react';
 import { useMemo } from 'react';
+import { compact } from 'lodash';
 
 import { createStore } from '@/react/kubernetes/datatables/default-kube-datatable-store';
 import { EnvironmentId } from '@/react/portainer/environments/types';
@@ -74,36 +75,32 @@ export function useApplicationEvents(
     application
   );
 
+  // related events are events that have the application id, or the id of a service or pod from the application
+  const relatedUids = useMemo(() => {
+    const serviceIds = compact(
+      servicesQuery.data?.map((service) => service?.metadata?.uid)
+    );
+    const podIds = compact(podsQuery.data?.map((pod) => pod?.metadata?.uid));
+    return [application?.metadata?.uid, ...serviceIds, ...podIds];
+  }, [application?.metadata?.uid, podsQuery.data, servicesQuery.data]);
+
+  const relatedUidsSet = useMemo(() => new Set(relatedUids), [relatedUids]);
   const { data: events, ...eventsQuery } = useEvents(environmentId, {
     namespace,
     queryOptions: {
       autoRefreshRate: options?.autoRefreshRate
         ? options.autoRefreshRate * 1000
         : undefined,
+      select: (data) =>
+        data.filter((event) => relatedUidsSet.has(event.involvedObject.uid)),
     },
   });
 
-  // related events are events that have the application id, or the id of a service or pod from the application
-  const relatedEvents = useMemo(() => {
-    const serviceIds = servicesQuery.data?.map(
-      (service) => service?.metadata?.uid
-    );
-    const podIds = podsQuery.data?.map((pod) => pod?.metadata?.uid);
-    return (
-      events?.filter(
-        (event) =>
-          event.involvedObject.uid === application?.metadata?.uid ||
-          serviceIds?.includes(event.involvedObject.uid) ||
-          podIds?.includes(event.involvedObject.uid)
-      ) || []
-    );
-  }, [application?.metadata?.uid, events, podsQuery.data, servicesQuery.data]);
-
   const isInitialLoading =
     applicationQuery.isInitialLoading ||
     servicesQuery.isInitialLoading ||
     podsQuery.isInitialLoading ||
     eventsQuery.isInitialLoading;
 
-  return { relatedEvents, isInitialLoading };
+  return { relatedEvents: events || [], isInitialLoading };
 }
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx
index 4e6712939..091e2f97e 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/ApplicationsDatatable.tsx
@@ -96,6 +96,7 @@ export function ApplicationsDatatable({
           item={row.original}
           hideStacks={hideStacks}
           areSecretsRestricted={!!restrictSecretsQuery.data}
+          selectDisabled={!hasWriteAuth}
         />
       )}
       renderTableActions={(selectedItems) =>
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx
index ce4b5d4ec..6a32865b0 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/SubRow.tsx
@@ -11,19 +11,22 @@ export function SubRow({
   item,
   hideStacks,
   areSecretsRestricted,
+  selectDisabled,
 }: {
   item: ApplicationRowData;
   hideStacks: boolean;
   areSecretsRestricted: boolean;
+  selectDisabled: boolean;
 }) {
   const {
     user: { Username: username },
   } = useCurrentUser();
   const colSpan = hideStacks ? 7 : 8;
+  const alignColSpan = selectDisabled ? 1 : 2;
 
   return (
     <tr className={clsx({ 'secondary-body': !item.KubernetesApplications })}>
-      <td colSpan={2} />
+      <td colSpan={alignColSpan} />
       <td colSpan={colSpan} className="datatable-padding-vertical">
         {item.KubernetesApplications ? (
           <InnerTable
diff --git a/app/react/kubernetes/applications/components/EditYamlFormSection.tsx b/app/react/kubernetes/applications/components/EditYamlFormSection.tsx
index bb38e70d1..aeb3b9755 100644
--- a/app/react/kubernetes/applications/components/EditYamlFormSection.tsx
+++ b/app/react/kubernetes/applications/components/EditYamlFormSection.tsx
@@ -35,7 +35,7 @@ export function EditYamlFormSection({
         titleContent={<TitleContent isComposeFormat={isComposeFormat} />}
         onChange={(values) => onChange(values)}
         id={formId}
-        placeholder="Define or paste the content of your manifest file here"
+        textTip="Define or paste the content of your manifest file here"
         type="yaml"
       />
     </div>
diff --git a/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx b/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx
index d2f705c5f..ffb92e7bd 100644
--- a/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx
+++ b/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx
@@ -1,5 +1,6 @@
 import { Event } from 'kubernetes-types/core/v1';
 import { History } from 'lucide-react';
+import { ReactNode } from 'react';
 
 import { IndexOptional } from '@/react/kubernetes/configs/types';
 import { TableSettings } from '@/react/kubernetes/datatables/DefaultDatatableSettings';
@@ -16,6 +17,8 @@ type Props = {
   isLoading: boolean;
   'data-cy': string;
   noWidget?: boolean;
+  title?: ReactNode;
+  titleIcon?: ReactNode;
 };
 
 export function EventsDatatable({
@@ -24,6 +27,8 @@ export function EventsDatatable({
   isLoading,
   'data-cy': dataCy,
   noWidget,
+  title = 'Events',
+  titleIcon = History,
 }: Props) {
   return (
     <Datatable<IndexOptional<Event>>
@@ -31,8 +36,8 @@ export function EventsDatatable({
       columns={columns}
       settingsManager={tableState}
       isLoading={isLoading}
-      title="Events"
-      titleIcon={History}
+      title={title}
+      titleIcon={titleIcon}
       getRowId={(row) => row.metadata?.uid || ''}
       disableSelect
       renderTableSettings={() => (
diff --git a/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx b/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx
index 47b15a544..0d381d682 100644
--- a/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx
+++ b/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx
@@ -1,4 +1,8 @@
+import { Row } from '@tanstack/react-table';
+import { Event } from 'kubernetes-types/core/v1';
+
 import { Badge, BadgeType } from '@@/Badge';
+import { filterHOC } from '@@/datatables/Filter';
 
 import { columnHelper } from './helper';
 
@@ -7,6 +11,14 @@ export const eventType = columnHelper.accessor('type', {
   cell: ({ getValue }) => (
     <Badge type={getBadgeColor(getValue())}>{getValue()}</Badge>
   ),
+
+  meta: {
+    filter: filterHOC('Filter by event type'),
+  },
+  enableColumnFilter: true,
+  filterFn: (row: Row<Event>, _: string, filterValue: string[]) =>
+    filterValue.length === 0 ||
+    (!!row.original.type && filterValue.includes(row.original.type)),
 });
 
 function getBadgeColor(status?: string): BadgeType {
diff --git a/app/react/kubernetes/components/EventsDatatable/columns/index.ts b/app/react/kubernetes/components/EventsDatatable/columns/index.ts
index 05ae483d5..f49658090 100644
--- a/app/react/kubernetes/components/EventsDatatable/columns/index.ts
+++ b/app/react/kubernetes/components/EventsDatatable/columns/index.ts
@@ -2,5 +2,6 @@ import { date } from './date';
 import { kind } from './kind';
 import { eventType } from './eventType';
 import { message } from './message';
+import { name } from './name';
 
-export const columns = [date, kind, eventType, message];
+export const columns = [date, name, kind, eventType, message];
diff --git a/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx b/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx
index 856d6bf8b..641662291 100644
--- a/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx
+++ b/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx
@@ -1,8 +1,21 @@
+import { Row } from '@tanstack/react-table';
+import { Event } from 'kubernetes-types/core/v1';
+
+import { filterHOC } from '@@/datatables/Filter';
+
 import { columnHelper } from './helper';
 
 export const kind = columnHelper.accessor(
   (event) => event.involvedObject.kind,
   {
     header: 'Kind',
+    meta: {
+      filter: filterHOC('Filter by kind'),
+    },
+    enableColumnFilter: true,
+    filterFn: (row: Row<Event>, _: string, filterValue: string[]) =>
+      filterValue.length === 0 ||
+      (!!row.original.involvedObject.kind &&
+        filterValue.includes(row.original.involvedObject.kind)),
   }
 );
diff --git a/app/react/kubernetes/components/EventsDatatable/columns/name.tsx b/app/react/kubernetes/components/EventsDatatable/columns/name.tsx
new file mode 100644
index 000000000..26bc0c8db
--- /dev/null
+++ b/app/react/kubernetes/components/EventsDatatable/columns/name.tsx
@@ -0,0 +1,16 @@
+import { columnHelper } from './helper';
+
+export const name = columnHelper.accessor(
+  (event) => event.involvedObject.name ?? '-',
+  {
+    header: 'Name',
+    cell: ({ getValue }) => {
+      const name = getValue();
+      return (
+        <span title={name} className="ellipsis max-w-sm">
+          {name}
+        </span>
+      );
+    },
+  }
+);
diff --git a/app/react/kubernetes/components/YAMLInspector.tsx b/app/react/kubernetes/components/YAMLInspector.tsx
index 5baadf3a7..9e678e9f5 100644
--- a/app/react/kubernetes/components/YAMLInspector.tsx
+++ b/app/react/kubernetes/components/YAMLInspector.tsx
@@ -29,7 +29,7 @@ export function YAMLInspector({
       <WebEditorForm
         data-cy={dataCy}
         value={yaml}
-        placeholder={
+        textTip={
           hideMessage
             ? undefined
             : 'Define or paste the content of your manifest here'
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
index 59e0fd2dc..161034f6d 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
@@ -1,31 +1,53 @@
 import { EnvironmentId } from '@/react/portainer/environments/types';
 
+import { HelmRelease } from '../../types';
+
 import { RollbackButton } from './RollbackButton';
 import { UninstallButton } from './UninstallButton';
+import { UpgradeButton } from './UpgradeButton';
+
+type Props = {
+  environmentId: EnvironmentId;
+  releaseName: string;
+  namespace: string;
+  latestRevision?: number;
+  earlistRevision?: number;
+  selectedRevision?: number;
+  release?: HelmRelease;
+  updateRelease: (release: HelmRelease) => void;
+};
 
 export function ChartActions({
   environmentId,
   releaseName,
   namespace,
-  currentRevision,
-}: {
-  environmentId: EnvironmentId;
-  releaseName: string;
-  namespace?: string;
-  currentRevision?: number;
-}) {
-  const hasPreviousRevision = currentRevision && currentRevision >= 2;
+  latestRevision,
+  earlistRevision,
+  selectedRevision,
+  release,
+  updateRelease,
+}: Props) {
+  const showRollbackButton =
+    latestRevision && earlistRevision && latestRevision > earlistRevision;
 
   return (
-    <div className="inline-flex gap-x-2">
+    <div className="inline-flex gap-2 flex-wrap">
+      <UpgradeButton
+        environmentId={environmentId}
+        releaseName={releaseName}
+        namespace={namespace}
+        release={release}
+        updateRelease={updateRelease}
+      />
       <UninstallButton
         environmentId={environmentId}
         releaseName={releaseName}
         namespace={namespace}
       />
-      {hasPreviousRevision && (
+      {showRollbackButton && (
         <RollbackButton
-          latestRevision={currentRevision}
+          latestRevision={latestRevision}
+          selectedRevision={selectedRevision}
           environmentId={environmentId}
           releaseName={releaseName}
           namespace={namespace}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx
index 1d7b3f340..e7bd95b52 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.test.tsx
@@ -6,6 +6,7 @@ import { vi, type Mock } from 'vitest';
 import { server } from '@/setup-tests/server';
 import { notifySuccess } from '@/portainer/services/notifications';
 import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withTestRouter } from '@/react/test-utils/withRouter';
 
 import { confirm } from '@@/modals/confirm';
 
@@ -25,13 +26,18 @@ vi.mock('@/portainer/services/notifications', () => ({
 function renderButton(props = {}) {
   const defaultProps = {
     latestRevision: 3, // So we're rolling back to revision 2
+    selectedRevision: 3, // This simulates the selectedRevision from URL params
     environmentId: 1,
     releaseName: 'test-release',
     namespace: 'default',
     ...props,
   };
 
-  const Wrapped = withTestQueryProvider(RollbackButton);
+  const Wrapped = withTestQueryProvider(
+    withTestRouter(RollbackButton, {
+      route: '/?revision=3',
+    })
+  );
   return render(<Wrapped {...defaultProps} />);
 }
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
index 3d870d3a8..ea8a79bac 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
@@ -1,4 +1,5 @@
 import { RotateCcw } from 'lucide-react';
+import { useRouter } from '@uirouter/react';
 
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { notifySuccess } from '@/portainer/services/notifications';
@@ -12,6 +13,7 @@ import { useHelmRollbackMutation } from '../queries/useHelmRollbackMutation';
 
 type Props = {
   latestRevision: number;
+  selectedRevision?: number;
   environmentId: EnvironmentId;
   releaseName: string;
   namespace?: string;
@@ -19,13 +21,16 @@ type Props = {
 
 export function RollbackButton({
   latestRevision,
+  selectedRevision,
   environmentId,
   releaseName,
   namespace,
 }: Props) {
-  // the selectedRevision can be a prop when selecting a revision is implemented
-  const selectedRevision = latestRevision ? latestRevision - 1 : undefined;
-
+  // when the latest revision is selected, rollback to the previous revision
+  // otherwise, rollback to the selected revision
+  const rollbackRevision =
+    selectedRevision === latestRevision ? latestRevision - 1 : selectedRevision;
+  const router = useRouter();
   const rollbackMutation = useHelmRollbackMutation(environmentId);
 
   return (
@@ -38,7 +43,7 @@ export function RollbackButton({
       color="default"
       size="medium"
     >
-      Rollback to #{selectedRevision}
+      Rollback to #{rollbackRevision}
     </LoadingButton>
   );
 
@@ -47,7 +52,7 @@ export function RollbackButton({
       title: 'Are you sure?',
       modalType: ModalType.Warn,
       confirmButton: buildConfirmButton('Rollback'),
-      message: `Rolling back will restore the application to revision #${selectedRevision}, which will cause service interruption. Do you wish to continue?`,
+      message: `Rolling back will restore the application to revision #${rollbackRevision}, which could cause service interruption. Do you wish to continue?`,
     });
     if (!confirmed) {
       return;
@@ -56,14 +61,20 @@ export function RollbackButton({
     rollbackMutation.mutate(
       {
         releaseName,
-        params: { namespace, revision: selectedRevision },
+        params: { namespace, revision: rollbackRevision },
       },
       {
         onSuccess: () => {
           notifySuccess(
             'Success',
-            `Application rolled back to revision #${selectedRevision} successfully.`
+            `Application rolled back to revision #${rollbackRevision} successfully.`
           );
+          // set the revision url param to undefined to refresh the page at the latest revision
+          router.stateService.go('kubernetes.helm', {
+            namespace,
+            name: releaseName,
+            revision: undefined,
+          });
         },
       }
     );
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
new file mode 100644
index 000000000..4bea0bf47
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -0,0 +1,182 @@
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi } from 'vitest';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+
+import {
+  useHelmRepoVersions,
+  ChartVersion,
+} from '../queries/useHelmRepositories';
+import { HelmRelease } from '../../types';
+
+import { openUpgradeHelmModal } from './UpgradeHelmModal';
+import { UpgradeButton } from './UpgradeButton';
+
+// Mock the upgrade modal function
+vi.mock('./UpgradeHelmModal', () => ({
+  openUpgradeHelmModal: vi.fn(() => Promise.resolve(undefined)),
+}));
+
+// Mock the notifications service
+vi.mock('@/portainer/services/notifications', () => ({
+  notifySuccess: vi.fn(),
+}));
+
+// Mock the useHelmRepoVersions and useHelmRepositories hooks
+vi.mock('../queries/useHelmRepositories', () => ({
+  useHelmRepoVersions: vi.fn(() => ({
+    data: [
+      { Version: '1.0.0', Repo: 'stable' },
+      { Version: '1.1.0', Repo: 'stable' },
+    ],
+    isInitialLoading: false,
+    isError: false,
+  })),
+  useHelmRepositories: vi.fn(() => ({
+    data: ['repo1', 'repo2'],
+    isInitialLoading: false,
+    isError: false,
+  })),
+}));
+
+function renderButton(props = {}) {
+  const defaultProps = {
+    environmentId: 1,
+    releaseName: 'test-release',
+    namespace: 'default',
+    release: {
+      name: 'test-release',
+      chart: {
+        metadata: {
+          name: 'test-chart',
+          version: '1.0.0',
+        },
+      },
+      values: {
+        userSuppliedValues: '{}',
+      },
+      manifest: '',
+    } as HelmRelease,
+    updateRelease: vi.fn(),
+    ...props,
+  };
+
+  const Wrapped = withTestQueryProvider(withTestRouter(UpgradeButton));
+  return render(<Wrapped {...defaultProps} />);
+}
+
+describe('UpgradeButton', () => {
+  test('should display the upgrade button', () => {
+    renderButton();
+
+    const button = screen.getByRole('button', { name: /Upgrade/i });
+    expect(button).toBeInTheDocument();
+  });
+
+  test('should be disabled when no versions are available', () => {
+    const data: ChartVersion[] = [];
+    vi.mocked(useHelmRepoVersions).mockReturnValue({
+      data,
+      isInitialLoading: false,
+      isError: false,
+    });
+
+    renderButton();
+
+    const button = screen.getByRole('button', { name: /Upgrade/i });
+    expect(button).toBeDisabled();
+  });
+
+  test('should show loading state when checking for versions', () => {
+    vi.mocked(useHelmRepoVersions).mockReturnValue({
+      data: [],
+      isInitialLoading: true,
+      isError: false,
+    });
+
+    renderButton();
+
+    expect(
+      screen.getByText('Checking for new versions...')
+    ).toBeInTheDocument();
+  });
+
+  test('should show "No versions available" when no versions are found', () => {
+    const data: ChartVersion[] = [];
+    vi.mocked(useHelmRepoVersions).mockReturnValue({
+      data,
+      isInitialLoading: false,
+      isError: false,
+    });
+
+    renderButton();
+
+    expect(screen.getByText('No versions available')).toBeInTheDocument();
+  });
+
+  test('should open upgrade modal when clicked', async () => {
+    const user = userEvent.setup();
+    const mockRelease = {
+      name: 'test-release',
+      chart: {
+        metadata: {
+          name: 'test-chart',
+          version: '1.0.0',
+        },
+      },
+      values: {
+        userSuppliedValues: '{}',
+      },
+      manifest: '',
+    } as HelmRelease;
+
+    vi.mocked(useHelmRepoVersions).mockReturnValue({
+      data: [
+        { Version: '1.0.0', Repo: 'stable' },
+        { Version: '1.1.0', Repo: 'stable' },
+      ],
+      isInitialLoading: false,
+      isError: false,
+    });
+
+    renderButton({ release: mockRelease });
+
+    const button = screen.getByRole('button', { name: /Upgrade/i });
+    await user.click(button);
+
+    await waitFor(() => {
+      expect(openUpgradeHelmModal).toHaveBeenCalledWith(
+        expect.objectContaining({
+          name: 'test-release',
+          chart: 'test-chart',
+          namespace: 'default',
+          values: '{}',
+          version: '1.0.0',
+        }),
+        expect.arrayContaining([
+          { Version: '1.0.0', Repo: 'stable' },
+          { Version: '1.1.0', Repo: 'stable' },
+        ])
+      );
+    });
+  });
+
+  test('should not execute the upgrade if modal is cancelled', async () => {
+    const mockUpdateRelease = vi.fn();
+    vi.mocked(openUpgradeHelmModal).mockResolvedValueOnce(undefined);
+
+    const user = userEvent.setup();
+    renderButton({ updateRelease: mockUpdateRelease });
+
+    const button = screen.getByRole('button', { name: /Upgrade/i });
+    await user.click(button);
+
+    await waitFor(() => {
+      expect(openUpgradeHelmModal).toHaveBeenCalled();
+    });
+
+    expect(mockUpdateRelease).not.toHaveBeenCalled();
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
new file mode 100644
index 000000000..4c385c388
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -0,0 +1,167 @@
+import { ArrowUp } from 'lucide-react';
+import { useRouter } from '@uirouter/react';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { notifySuccess } from '@/portainer/services/notifications';
+import { semverCompare } from '@/react/common/semver-utils';
+
+import { LoadingButton } from '@@/buttons';
+import { InlineLoader } from '@@/InlineLoader';
+import { Tooltip } from '@@/Tip/Tooltip';
+import { Link } from '@@/Link';
+
+import { HelmRelease } from '../../types';
+import {
+  useUpdateHelmReleaseMutation,
+  UpdateHelmReleasePayload,
+} from '../queries/useUpdateHelmReleaseMutation';
+import {
+  ChartVersion,
+  useHelmRepoVersions,
+  useHelmRepositories,
+} from '../queries/useHelmRepositories';
+import { useHelmRelease } from '../queries/useHelmRelease';
+
+import { openUpgradeHelmModal } from './UpgradeHelmModal';
+
+export function UpgradeButton({
+  environmentId,
+  releaseName,
+  namespace,
+  release,
+  updateRelease,
+}: {
+  environmentId: EnvironmentId;
+  releaseName: string;
+  namespace: string;
+  release?: HelmRelease;
+  updateRelease: (release: HelmRelease) => void;
+}) {
+  const router = useRouter();
+  const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
+
+  const repositoriesQuery = useHelmRepositories();
+  const helmRepoVersionsQuery = useHelmRepoVersions(
+    release?.chart.metadata?.name || '',
+    60 * 60 * 1000, // 1 hour
+    repositoriesQuery.data
+  );
+  const versions = helmRepoVersionsQuery.data;
+
+  // Combined loading state
+  const isInitialLoading =
+    repositoriesQuery.isInitialLoading ||
+    helmRepoVersionsQuery.isInitialLoading;
+  const isError = repositoriesQuery.isError || helmRepoVersionsQuery.isError;
+
+  const latestVersion = useHelmRelease(environmentId, releaseName, namespace, {
+    select: (data) => data.chart.metadata?.version,
+  });
+  const latestVersionAvailable = versions[0]?.Version ?? '';
+  const isNewVersionAvailable =
+    latestVersion?.data &&
+    semverCompare(latestVersionAvailable, latestVersion?.data) === 1;
+
+  const editableHelmRelease: UpdateHelmReleasePayload = {
+    name: releaseName,
+    namespace: namespace || '',
+    values: release?.values?.userSuppliedValues,
+    chart: release?.chart.metadata?.name || '',
+    version: release?.chart.metadata?.version,
+  };
+
+  return (
+    <div className="relative">
+      <LoadingButton
+        color="secondary"
+        data-cy="k8sApp-upgradeHelmChartButton"
+        onClick={() => openUpgradeForm(versions, release)}
+        disabled={
+          versions.length === 0 ||
+          isInitialLoading ||
+          isError ||
+          release?.info?.status?.startsWith('pending')
+        }
+        loadingText="Upgrading..."
+        isLoading={updateHelmReleaseMutation.isLoading}
+        icon={ArrowUp}
+        size="medium"
+      >
+        Upgrade
+      </LoadingButton>
+      {versions.length === 0 && isInitialLoading && (
+        <InlineLoader
+          size="xs"
+          className="absolute -bottom-5 left-0 right-0 whitespace-nowrap"
+        >
+          Checking for new versions...
+        </InlineLoader>
+      )}
+      {versions.length === 0 && !isInitialLoading && !isError && (
+        <span className="absolute flex items-center -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
+          No versions available
+          <Tooltip
+            message={
+              <div>
+                Portainer is unable to find any versions for this chart in the
+                repositories saved. Try adding a new repository which contains
+                the chart in the{' '}
+                <Link
+                  to="portainer.account"
+                  params={{ '#': 'helm-repositories' }}
+                  data-cy="user-settings-link"
+                >
+                  Helm repositories settings
+                </Link>
+              </div>
+            }
+          />
+        </span>
+      )}
+      {isNewVersionAvailable && (
+        <span className="absolute -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
+          New version available ({latestVersionAvailable})
+        </span>
+      )}
+    </div>
+  );
+
+  async function openUpgradeForm(
+    versions: ChartVersion[],
+    release?: HelmRelease
+  ) {
+    const result = await openUpgradeHelmModal(editableHelmRelease, versions);
+
+    if (result) {
+      handleUpgrade(result, release);
+    }
+  }
+
+  function handleUpgrade(
+    payload: UpdateHelmReleasePayload,
+    release?: HelmRelease
+  ) {
+    if (release?.info) {
+      const updatedRelease = {
+        ...release,
+        info: {
+          ...release.info,
+          status: 'pending-upgrade',
+          description: 'Preparing upgrade',
+        },
+      };
+      updateRelease(updatedRelease);
+    }
+    updateHelmReleaseMutation.mutate(payload, {
+      onSuccess: () => {
+        notifySuccess('Success', 'Helm chart upgraded successfully');
+        // set the revision url param to undefined to refresh the page at the latest revision
+        router.stateService.go('kubernetes.helm', {
+          namespace,
+          name: releaseName,
+          revision: undefined,
+        });
+      },
+    });
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
new file mode 100644
index 000000000..bb71f28c5
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
@@ -0,0 +1,151 @@
+import { useState } from 'react';
+import { ArrowUp } from 'lucide-react';
+
+import { withReactQuery } from '@/react-tools/withReactQuery';
+import { withCurrentUser } from '@/react-tools/withCurrentUser';
+
+import { Modal, OnSubmit, openModal } from '@@/modals';
+import { Button } from '@@/buttons';
+import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
+import { Input } from '@@/form-components/Input';
+import { CodeEditor } from '@@/CodeEditor';
+import { FormControl } from '@@/form-components/FormControl';
+import { WidgetTitle } from '@@/Widget';
+
+import { UpdateHelmReleasePayload } from '../queries/useUpdateHelmReleaseMutation';
+import { ChartVersion } from '../queries/useHelmRepositories';
+
+interface Props {
+  onSubmit: OnSubmit<UpdateHelmReleasePayload>;
+  values: UpdateHelmReleasePayload;
+  versions: ChartVersion[];
+}
+
+export function UpgradeHelmModal({ values, versions, onSubmit }: Props) {
+  const versionOptions: Option<ChartVersion>[] = versions.map((version) => {
+    const isCurrentVersion = version.Version === values.version;
+    const label = `${version.Repo}@${version.Version}${
+      isCurrentVersion ? ' (current)' : ''
+    }`;
+    return {
+      label,
+      value: version,
+    };
+  });
+  const defaultVersion =
+    versionOptions.find((v) => v.value.Version === values.version)?.value ||
+    versionOptions[0]?.value;
+  const [version, setVersion] = useState<ChartVersion>(defaultVersion);
+  const [userValues, setUserValues] = useState<string>(values.values || '');
+
+  return (
+    <Modal
+      onDismiss={() => onSubmit()}
+      size="lg"
+      className="flex flex-col h-[80vh] px-0"
+      aria-label="upgrade-helm"
+    >
+      <Modal.Header
+        title={<WidgetTitle className="px-5" title="Upgrade" icon={ArrowUp} />}
+      />
+      <div className="flex-1 overflow-y-auto px-5">
+        <Modal.Body>
+          <FormControl label="Version" inputId="version-input" size="vertical">
+            <PortainerSelect<ChartVersion>
+              value={version}
+              options={versionOptions}
+              onChange={(version) => {
+                if (version) {
+                  setVersion(version);
+                }
+              }}
+              data-cy="helm-version-input"
+            />
+          </FormControl>
+          <FormControl
+            label="Release name"
+            inputId="release-name-input"
+            size="vertical"
+          >
+            <Input
+              id="release-name-input"
+              value={values.name}
+              readOnly
+              disabled
+              data-cy="helm-release-name-input"
+            />
+          </FormControl>
+          <FormControl
+            label="Namespace"
+            inputId="namespace-input"
+            size="vertical"
+          >
+            <Input
+              id="namespace-input"
+              value={values.namespace}
+              readOnly
+              disabled
+              data-cy="helm-namespace-input"
+            />
+          </FormControl>
+          <FormControl
+            label="User-defined values"
+            inputId="user-values-editor"
+            size="vertical"
+          >
+            <CodeEditor
+              id="user-values-editor"
+              value={userValues}
+              onChange={(value) => setUserValues(value)}
+              height="50vh"
+              type="yaml"
+              data-cy="helm-user-values-editor"
+              placeholder="Define or paste the content of your values yaml file here"
+            />
+          </FormControl>
+        </Modal.Body>
+      </div>
+      <div className="px-5 border-solid border-0 border-t border-gray-5 th-dark:border-gray-7 th-highcontrast:border-white">
+        <Modal.Footer>
+          <Button
+            onClick={() => onSubmit()}
+            color="secondary"
+            key="cancel-button"
+            size="medium"
+            data-cy="cancel-button-cy"
+          >
+            Cancel
+          </Button>
+          <Button
+            onClick={() =>
+              onSubmit({
+                name: values.name,
+                values: userValues,
+                namespace: values.namespace,
+                chart: values.chart,
+                repo: version.Repo,
+                version: version.Version,
+              })
+            }
+            color="primary"
+            key="update-button"
+            size="medium"
+            data-cy="update-button-cy"
+          >
+            Upgrade
+          </Button>
+        </Modal.Footer>
+      </div>
+    </Modal>
+  );
+}
+
+export async function openUpgradeHelmModal(
+  values: UpdateHelmReleasePayload,
+  versions: ChartVersion[]
+) {
+  return openModal(withReactQuery(withCurrentUser(UpgradeHelmModal)), {
+    values,
+    versions,
+  });
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
index c0e6b8d71..89f522d3a 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
@@ -1,4 +1,4 @@
-import { render, screen } from '@testing-library/react';
+import { render, screen, waitFor } from '@testing-library/react';
 import { HttpResponse } from 'msw';
 
 import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
@@ -7,12 +7,14 @@ import { withTestRouter } from '@/react/test-utils/withRouter';
 import { UserViewModel } from '@/portainer/models/user';
 import { withUserProvider } from '@/react/test-utils/withUserProvider';
 import { mockCodeMirror } from '@/setup-tests/mock-codemirror';
+import { mockLocalizeDate } from '@/setup-tests/mock-localizeDate';
 
 import { HelmApplicationView } from './HelmApplicationView';
 
 // Mock the necessary hooks and dependencies
 const mockUseCurrentStateAndParams = vi.fn();
 const mockUseEnvironmentId = vi.fn();
+mockLocalizeDate();
 
 vi.mock('@uirouter/react', async (importOriginal: () => Promise<object>) => ({
   ...(await importOriginal()),
@@ -32,32 +34,109 @@ const minimalHelmRelease = {
   chart: {
     metadata: {
       name: 'test-chart',
-      // appVersion: '1.0.0', // can be missing for a minimal release
       version: '2.2.2',
     },
   },
   info: {
     status: 'deployed',
+    last_deployed: '2021-01-01T00:00:00Z',
     // notes: 'This is a test note', // can be missing for a minimal release
   },
   manifest: 'This is a test manifest',
 };
 
-const helmReleaseWithAdditionalDetails = {
-  ...minimalHelmRelease,
-  info: {
-    ...minimalHelmRelease.info,
-    notes: 'This is a test note',
-  },
+// Create a more complete helm release object for testing
+const completeHelmRelease = {
+  name: 'test-release',
+  version: '1',
+  namespace: 'default',
   chart: {
-    ...minimalHelmRelease.chart,
     metadata: {
-      ...minimalHelmRelease.chart.metadata,
+      name: 'test-chart',
       appVersion: '1.0.0',
+      version: '2.2.2',
     },
   },
+  info: {
+    status: 'deployed',
+    notes: 'This is a test note',
+    resources: [
+      {
+        kind: 'Deployment',
+        name: 'test-deployment',
+        namespace: 'default',
+        uid: 'test-deployment-uid',
+        status: {
+          healthSummary: {
+            status: 'Healthy',
+            reason: 'Running',
+            message: 'All replicas are ready',
+          },
+        },
+        metadata: {
+          name: 'test-deployment',
+          namespace: 'default',
+        },
+      },
+      {
+        kind: 'Service',
+        name: 'test-service',
+        namespace: 'default',
+        uid: 'test-service-uid',
+        status: {
+          healthSummary: {
+            status: 'Healthy',
+            reason: 'Available',
+            message: 'Service is available',
+          },
+        },
+        metadata: {
+          name: 'test-service',
+          namespace: 'default',
+        },
+      },
+    ],
+  },
+  manifest: 'This is a test manifest',
+  values: {
+    // Add some values to ensure the Values tab is present
+    replicaCount: 1,
+    image: {
+      repository: 'nginx',
+      tag: 'latest',
+    },
+  },
+  resources: [
+    {
+      kind: 'Deployment',
+      name: 'test-deployment',
+      namespace: 'default',
+      status: {
+        healthSummary: {
+          status: 'Healthy',
+          reason: 'Running',
+          message: 'All replicas are ready',
+        },
+      },
+      metadata: {
+        name: 'test-deployment',
+        namespace: 'default',
+      },
+    },
+  ],
 };
 
+const helmReleaseHistory = [
+  {
+    version: 1,
+    updated: '2023-06-01T12:00:00Z',
+    status: 'deployed',
+    chart: 'test-chart-1.0.0',
+    app_version: '1.0.0',
+    description: 'Install complete',
+  },
+];
+
 function renderComponent() {
   const user = new UserViewModel({ Username: 'user' });
   const Wrapped = withTestQueryProvider(
@@ -66,92 +145,171 @@ function renderComponent() {
   return render(<Wrapped />);
 }
 
-describe('HelmApplicationView', () => {
-  beforeEach(() => {
-    // Set up default mock values
-    mockUseEnvironmentId.mockReturnValue(3);
-    mockUseCurrentStateAndParams.mockReturnValue({
-      params: {
-        name: 'test-release',
-        namespace: 'default',
-      },
+describe(
+  'HelmApplicationView',
+  () => {
+    beforeEach(() => {
+      // Set up default mock values
+      mockUseEnvironmentId.mockReturnValue(3);
+      mockUseCurrentStateAndParams.mockReturnValue({
+        params: {
+          name: 'test-release',
+          namespace: 'default',
+        },
+      });
     });
-  });
 
-  it('should display helm release details for minimal release when data is loaded', async () => {
-    vi.spyOn(console, 'error').mockImplementation(() => {});
+    it('should display helm release details for minimal release when data is loaded', async () => {
+      vi.spyOn(console, 'error').mockImplementation(() => {});
 
-    server.use(
-      http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
-        HttpResponse.json(minimalHelmRelease)
-      )
-    );
+      server.use(
+        http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
+          HttpResponse.json(minimalHelmRelease)
+        ),
+        http.get('/api/users/undefined/helm/repositories', () =>
+          HttpResponse.json({
+            GlobalRepository: 'https://charts.helm.sh/stable',
+            UserRepositories: [
+              { Id: '1', URL: 'https://charts.helm.sh/stable' },
+            ],
+          })
+        ),
+        http.get('/api/templates/helm', () =>
+          HttpResponse.json({
+            entries: {
+              'test-chart': [{ version: '1.0.0' }],
+            },
+          })
+        ),
+        http.get('/api/endpoints/3/kubernetes/helm/test-release/history', () =>
+          HttpResponse.json(helmReleaseHistory)
+        ),
+        http.get(
+          '/api/endpoints/3/kubernetes/api/v1/namespaces/default/events',
+          () =>
+            HttpResponse.json({
+              kind: 'EventList',
+              apiVersion: 'v1',
+              metadata: { resourceVersion: '12345' },
+              items: [],
+            })
+        )
+      );
 
-    const { findByText, findAllByText } = renderComponent();
+      const { findByText, findAllByText } = renderComponent();
 
-    // Check for the page header
-    expect(await findByText('Helm details')).toBeInTheDocument();
+      // Check for the page header
+      expect(await findByText('Helm details')).toBeInTheDocument();
 
-    // Check for the badge content
-    expect(await findByText(/Namespace/)).toBeInTheDocument();
-    expect(await findByText(/Chart version:/)).toBeInTheDocument();
-    expect(await findByText(/Chart:/)).toBeInTheDocument();
-    expect(await findByText(/Revision/)).toBeInTheDocument();
+      // Check for the badge content
+      expect(await findByText(/Namespace: default/)).toBeInTheDocument();
+      expect(
+        await findByText(/Chart version: test-chart-2.2.2/)
+      ).toBeInTheDocument();
+      expect(await findByText(/Chart: test-chart/)).toBeInTheDocument();
+      expect(await findByText(/Revision: #1/)).toBeInTheDocument();
+      expect(
+        await findByText(/Last deployed: Jan 1, 2021, 12:00 AM/)
+      ).toBeInTheDocument();
+      // Check for the actual values
+      expect(await findAllByText(/test-release/)).toHaveLength(2); // title and badge
+      expect(await findAllByText(/test-chart/)).toHaveLength(2); // title and badge (not checking revision list item)
 
-    // Check for the actual values
-    expect(await findAllByText(/test-release/)).toHaveLength(2); // title and badge
-    expect(await findAllByText(/test-chart/)).toHaveLength(2);
+      // There shouldn't be a notes tab when there are no notes
+      expect(screen.queryByText(/Notes/)).not.toBeInTheDocument();
 
-    // There shouldn't be a notes tab when there are no notes
-    expect(screen.queryByText(/Notes/)).not.toBeInTheDocument();
+      // There shouldn't be an app version badge when it's missing
+      expect(screen.queryByText(/App version/)).not.toBeInTheDocument();
 
-    // There shouldn't be an app version badge when it's missing
-    expect(screen.queryByText(/App version/)).not.toBeInTheDocument();
+      // Ensure there are no console errors
+      // eslint-disable-next-line no-console
+      expect(console.error).not.toHaveBeenCalled();
 
-    // Ensure there are no console errors
-    // eslint-disable-next-line no-console
-    expect(console.error).not.toHaveBeenCalled();
+      // Restore console.error
+      vi.spyOn(console, 'error').mockRestore();
+    });
 
-    // Restore console.error
-    vi.spyOn(console, 'error').mockRestore();
-  });
+    it('should display error message when API request fails', async () => {
+      // Mock API failure
+      server.use(
+        http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
+          HttpResponse.error()
+        ),
+        // Add mock for events endpoint
+        http.get(
+          '/api/endpoints/3/kubernetes/api/v1/namespaces/default/events',
+          () =>
+            HttpResponse.json({
+              kind: 'EventList',
+              apiVersion: 'v1',
+              metadata: { resourceVersion: '12345' },
+              items: [],
+            })
+        )
+      );
 
-  it('should display error message when API request fails', async () => {
-    // Mock API failure
-    server.use(
-      http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
-        HttpResponse.error()
-      )
-    );
+      // Mock console.error to prevent test output pollution
+      vi.spyOn(console, 'error').mockImplementation(() => {});
 
-    // Mock console.error to prevent test output pollution
-    vi.spyOn(console, 'error').mockImplementation(() => {});
+      renderComponent();
 
-    renderComponent();
+      // Wait for the error message to appear
+      expect(
+        await screen.findByText(
+          'Failed to load Helm application details',
+          {},
+          { timeout: 6500 }
+        )
+      ).toBeInTheDocument();
 
-    // Wait for the error message to appear
-    expect(
-      await screen.findByText('Failed to load Helm application details')
-    ).toBeInTheDocument();
+      // Restore console.error
+      vi.spyOn(console, 'error').mockRestore();
+    });
 
-    // Restore console.error
-    vi.spyOn(console, 'error').mockRestore();
-  });
+    it('should display additional details when available in helm release', async () => {
+      server.use(
+        http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
+          HttpResponse.json(completeHelmRelease)
+        ),
+        http.get('/api/endpoints/3/kubernetes/helm/test-release/history', () =>
+          HttpResponse.json(helmReleaseHistory)
+        ),
+        http.get(
+          '/api/endpoints/3/kubernetes/api/v1/namespaces/default/events',
+          () =>
+            HttpResponse.json({
+              kind: 'EventList',
+              apiVersion: 'v1',
+              metadata: { resourceVersion: '12345' },
+              items: [],
+            })
+        )
+      );
 
-  it('should display additional details when available in helm release', async () => {
-    server.use(
-      http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
-        HttpResponse.json(helmReleaseWithAdditionalDetails)
-      )
-    );
+      const { findByText } = renderComponent();
 
-    const { findByText } = renderComponent();
+      expect(await findByText('Helm details')).toBeInTheDocument();
 
-    // Check for the notes tab when notes are available
-    expect(await findByText(/Notes/)).toBeInTheDocument();
+      // Check for the app version badge when it's available
+      await waitFor(() => {
+        expect(
+          screen.getByText(/App version/, { exact: false })
+        ).toBeInTheDocument();
+      });
 
-    // Check for the app version badge when it's available
-    expect(await findByText(/App version/)).toBeInTheDocument();
-    expect(await findByText('1.0.0', { exact: false })).toBeInTheDocument();
-  });
-});
+      await waitFor(() => {
+        // Look for specific tab text
+        expect(screen.getByText('Resources')).toBeInTheDocument();
+        expect(screen.getByText('Values')).toBeInTheDocument();
+        expect(screen.getByText('Manifest')).toBeInTheDocument();
+        expect(screen.getByText('Notes')).toBeInTheDocument();
+        expect(screen.getByText('Events')).toBeInTheDocument();
+      });
+
+      expect(await findByText(/App version: 1.0.0/)).toBeInTheDocument();
+    });
+  },
+  {
+    timeout: 7000,
+  }
+);
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
index 164943223..625bb55fe 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -1,4 +1,5 @@
 import { useCurrentStateAndParams } from '@uirouter/react';
+import { useQueryClient } from '@tanstack/react-query';
 
 import helm from '@/assets/ico/vendor/helm.svg?c';
 import { PageHeader } from '@/react/components/PageHeader';
@@ -15,14 +16,25 @@ import { HelmSummary } from './HelmSummary';
 import { ReleaseTabs } from './ReleaseDetails/ReleaseTabs';
 import { useHelmRelease } from './queries/useHelmRelease';
 import { ChartActions } from './ChartActions/ChartActions';
+import { HelmRevisionList } from './HelmRevisionList';
+import { HelmRevisionListSheet } from './HelmRevisionListSheet';
+import { useHelmHistory } from './queries/useHelmHistory';
 
 export function HelmApplicationView() {
   const environmentId = useEnvironmentId();
+  const queryClient = useQueryClient();
   const { params } = useCurrentStateAndParams();
-  const { name, namespace } = params;
+  const { name, namespace, revision } = params;
+  const helmHistoryQuery = useHelmHistory(environmentId, name, namespace);
+  const latestRevision = helmHistoryQuery.data?.[0]?.version;
+  const earlistRevision =
+    helmHistoryQuery.data?.[helmHistoryQuery.data.length - 1]?.version;
+  // when loading the page fresh, the revision is undefined, so use the latest revision
+  const selectedRevision = revision ? parseInt(revision, 10) : latestRevision;
 
   const helmReleaseQuery = useHelmRelease(environmentId, name, namespace, {
     showResources: true,
+    revision: selectedRevision,
   });
 
   return (
@@ -38,26 +50,61 @@ export function HelmApplicationView() {
 
       <div className="row">
         <div className="col-sm-12">
-          <Widget>
-            {name && (
-              <WidgetTitle icon={helm} title={name}>
-                <Authorized authorizations="K8sApplicationsW">
-                  <ChartActions
-                    environmentId={environmentId}
-                    releaseName={name}
-                    namespace={namespace}
-                    currentRevision={helmReleaseQuery.data?.version}
+          <Widget className="overflow-hidden">
+            <div className="flex">
+              <div className="flex-1 min-w-0">
+                {name && (
+                  <WidgetTitle icon={helm} title={name}>
+                    <div className="flex gap-2 flex-wrap">
+                      <div className="2xl:hidden">
+                        <HelmRevisionListSheet
+                          currentRevision={helmReleaseQuery.data?.version}
+                          history={helmHistoryQuery.data}
+                        />
+                      </div>
+                      <Authorized authorizations="K8sApplicationsW">
+                        <ChartActions
+                          environmentId={environmentId}
+                          releaseName={String(name)}
+                          namespace={String(namespace)}
+                          latestRevision={latestRevision ?? 1}
+                          earlistRevision={earlistRevision}
+                          selectedRevision={selectedRevision}
+                          release={helmReleaseQuery.data}
+                          updateRelease={(updatedRelease: HelmRelease) => {
+                            queryClient.setQueryData(
+                              [
+                                environmentId,
+                                'helm',
+                                'releases',
+                                namespace,
+                                name,
+                                true,
+                              ],
+                              updatedRelease
+                            );
+                          }}
+                        />
+                      </Authorized>
+                    </div>
+                  </WidgetTitle>
+                )}
+                <WidgetBody className="!pt-2.5">
+                  <HelmDetails
+                    isLoading={helmReleaseQuery.isInitialLoading}
+                    isError={helmReleaseQuery.isError}
+                    release={helmReleaseQuery.data}
+                    selectedRevision={selectedRevision}
                   />
-                </Authorized>
-              </WidgetTitle>
-            )}
-            <WidgetBody>
-              <HelmDetails
-                isLoading={helmReleaseQuery.isInitialLoading}
-                isError={helmReleaseQuery.isError}
-                release={helmReleaseQuery.data}
-              />
-            </WidgetBody>
+                </WidgetBody>
+              </div>
+              <div className="w-80 hidden 2xl:!block">
+                <HelmRevisionList
+                  currentRevision={helmReleaseQuery.data?.version}
+                  history={helmHistoryQuery.data}
+                />
+              </div>
+            </div>
           </Widget>
         </div>
       </div>
@@ -68,10 +115,16 @@ export function HelmApplicationView() {
 type HelmDetailsProps = {
   isLoading: boolean;
   isError: boolean;
-  release: HelmRelease | undefined;
+  selectedRevision?: number;
+  release?: HelmRelease;
 };
 
-function HelmDetails({ isLoading, isError, release: data }: HelmDetailsProps) {
+function HelmDetails({
+  isLoading,
+  isError,
+  release,
+  selectedRevision,
+}: HelmDetailsProps) {
   if (isLoading) {
     return <Loading />;
   }
@@ -82,16 +135,16 @@ function HelmDetails({ isLoading, isError, release: data }: HelmDetailsProps) {
     );
   }
 
-  if (!data) {
+  if (!release || !selectedRevision) {
     return <Alert color="error" title="No Helm application details found" />;
   }
 
   return (
     <>
-      <HelmSummary release={data} />
+      <HelmSummary release={release} />
       <div className="my-6 h-[1px] w-full bg-gray-5 th-dark:bg-gray-7 th-highcontrast:bg-white" />
       <Card className="bg-inherit">
-        <ReleaseTabs release={data} />
+        <ReleaseTabs release={release} selectedRevision={selectedRevision} />
       </Card>
     </>
   );
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.test.tsx
new file mode 100644
index 000000000..638197ae0
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.test.tsx
@@ -0,0 +1,116 @@
+import { render, screen } from '@testing-library/react';
+import { describe, expect, it } from 'vitest';
+
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { mockLocalizeDate } from '@/setup-tests/mock-localizeDate';
+
+import { HelmRelease } from '../types';
+
+import { HelmRevisionItem } from './HelmRevisionItem';
+
+const mockHelmRelease: HelmRelease = {
+  name: 'my-release',
+  version: 1,
+  info: {
+    status: 'deployed',
+    last_deployed: '2024-01-01T00:00:00Z',
+  },
+  chart: {
+    metadata: {
+      name: 'my-app',
+      version: '1.0.0',
+    },
+  },
+  manifest: 'apiVersion: v1\nkind: Service\nmetadata:\n  name: my-service',
+};
+
+mockLocalizeDate();
+
+vi.mock('@uirouter/react', () => ({
+  useCurrentStateAndParams: () => ({
+    params: {
+      namespace: 'default',
+      name: 'my-release',
+    },
+  }),
+}));
+
+const mockUseCurrentStateAndParams = vi.fn();
+
+vi.mock('@uirouter/react', async (importOriginal: () => Promise<object>) => ({
+  ...(await importOriginal()),
+  useCurrentStateAndParams: () => mockUseCurrentStateAndParams(),
+}));
+
+function getTestComponent() {
+  return withTestRouter(HelmRevisionItem);
+}
+
+describe('HelmRevisionItem', () => {
+  it('should display correct revision details', () => {
+    const TestComponent = getTestComponent();
+    render(
+      <TestComponent
+        item={mockHelmRelease}
+        namespace="default"
+        name="my-release"
+      />
+    );
+
+    // Check status badge
+    expect(screen.getByText('Deployed')).toBeInTheDocument();
+
+    // Check revision number
+    expect(screen.getByText('Revision #1')).toBeInTheDocument();
+
+    // Check chart name and version
+    expect(screen.getByText('my-app-1.0.0')).toBeInTheDocument();
+
+    // Check deployment date
+    expect(screen.getByText('Jan 1, 2024, 12:00 AM')).toBeInTheDocument();
+  });
+
+  it('should have selected class when currentRevision matches item version', () => {
+    const TestComponent = getTestComponent();
+    const { container } = render(
+      <TestComponent
+        item={mockHelmRelease}
+        currentRevision={1}
+        namespace="default"
+        name="my-release"
+      />
+    );
+
+    const blocklistItem = container.querySelector('.blocklist-item');
+    expect(blocklistItem).toHaveClass('blocklist-item--selected');
+  });
+
+  it('should not have selected class when currentRevision does not match item version', () => {
+    const TestComponent = getTestComponent();
+    const { container } = render(
+      <TestComponent
+        item={mockHelmRelease}
+        currentRevision={2}
+        namespace="default"
+        name="my-release"
+      />
+    );
+
+    const blocklistItem = container.querySelector('.blocklist-item');
+    expect(blocklistItem).not.toHaveClass('blocklist-item--selected');
+  });
+
+  it('should not have selected class when currentRevision is undefined', () => {
+    const TestComponent = getTestComponent();
+    const { container } = render(
+      <TestComponent
+        item={mockHelmRelease}
+        namespace="default"
+        name="my-release"
+      />
+    );
+
+    const blocklistItem = container.querySelector('.blocklist-item');
+    expect(blocklistItem).not.toHaveClass('blocklist-item--selected');
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.tsx
new file mode 100644
index 000000000..73a29107f
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionItem.tsx
@@ -0,0 +1,49 @@
+import { localizeDate } from '@/react/common/date-utils';
+
+import { BlocklistItem } from '@@/Blocklist/BlocklistItem';
+import { Link } from '@@/Link';
+import { Badge } from '@@/Badge';
+
+import { HelmRelease } from '../types';
+import { getStatusColor, getStatusText } from '../helm-status-utils';
+
+export function HelmRevisionItem({
+  item,
+  currentRevision,
+  namespace,
+  name,
+}: {
+  item: HelmRelease;
+  currentRevision?: number;
+  namespace: string;
+  name: string;
+}) {
+  return (
+    <BlocklistItem
+      data-cy="helm-history-item"
+      isSelected={item.version === currentRevision}
+      as={Link}
+      to="kubernetes.helm"
+      params={{ namespace, name, revision: item.version }}
+    >
+      <div className="flex flex-col gap-2 w-full">
+        <div className="flex flex-wrap gap-1 justify-between">
+          <Badge type={getStatusColor(item.info?.status)}>
+            {getStatusText(item.info?.status)}
+          </Badge>
+          <span className="text-xs text-muted">Revision #{item.version}</span>
+        </div>
+        <div className="flex flex-wrap gap-1 justify-between">
+          <span className="text-xs text-muted">
+            {item.chart.metadata?.name}-{item.chart.metadata?.version}
+          </span>
+          {item.info?.last_deployed && (
+            <span className="text-xs text-muted">
+              {localizeDate(new Date(item.info.last_deployed))}
+            </span>
+          )}
+        </div>
+      </div>
+    </BlocklistItem>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionList.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionList.tsx
new file mode 100644
index 000000000..07ed2a8b2
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionList.tsx
@@ -0,0 +1,43 @@
+import { useCurrentStateAndParams } from '@uirouter/react';
+import { History } from 'lucide-react';
+
+import { WidgetIcon } from '@@/Widget/WidgetIcon';
+
+import { HelmRelease } from '../types';
+
+import { HelmRevisionItem } from './HelmRevisionItem';
+
+export function HelmRevisionList({
+  currentRevision,
+  history,
+}: {
+  currentRevision?: number;
+  history: HelmRelease[] | undefined;
+}) {
+  const { params } = useCurrentStateAndParams();
+  const { name, namespace } = params;
+
+  if (!history) {
+    return null;
+  }
+
+  return (
+    <div className="h-0 min-h-full overflow-y-auto [scrollbar-gutter:stable]">
+      <div className="p-5 pb-2.5">
+        <span className="vertical-center mb-5">
+          <WidgetIcon icon={History} />
+          <h2 className="text-base m-0 ml-1">Revisions</h2>
+        </span>
+        {history?.map((historyItem) => (
+          <HelmRevisionItem
+            key={historyItem.version}
+            item={historyItem}
+            namespace={namespace}
+            name={name}
+            currentRevision={currentRevision}
+          />
+        ))}
+      </div>
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionListSheet.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionListSheet.tsx
new file mode 100644
index 000000000..95016f080
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmRevisionListSheet.tsx
@@ -0,0 +1,40 @@
+import { Eye } from 'lucide-react';
+
+import { Icon } from '@@/Icon';
+import {
+  Sheet,
+  SheetContent,
+  SheetDescription,
+  SheetHeader,
+  SheetTrigger,
+} from '@@/Sheet';
+
+import { HelmRelease } from '../types';
+
+import { HelmRevisionList } from './HelmRevisionList';
+
+export function HelmRevisionListSheet({
+  currentRevision,
+  history,
+}: {
+  currentRevision: number | undefined;
+  history: HelmRelease[] | undefined;
+}) {
+  return (
+    <Sheet>
+      <SheetTrigger className="btn btn-link">
+        <Icon icon={Eye} />
+        View revisions
+      </SheetTrigger>
+      <SheetContent className="!w-80 !p-0 !pt-1 overflow-auto">
+        <div className="sr-only">
+          <SheetHeader title="Revisions" />
+          <SheetDescription>
+            View the history of this Helm application.
+          </SheetDescription>
+        </div>
+        <HelmRevisionList currentRevision={currentRevision} history={history} />
+      </SheetContent>
+    </Sheet>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx
index 29f9e07d8..a7e32b247 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmSummary.tsx
@@ -1,24 +1,19 @@
 import { Badge } from '@/react/components/Badge';
+import { localizeDate } from '@/react/common/date-utils';
 
 import { Alert } from '@@/Alert';
 
 import { HelmRelease } from '../types';
+import {
+  DeploymentStatus,
+  getStatusColor,
+  getStatusText,
+} from '../helm-status-utils';
 
 interface Props {
   release: HelmRelease;
 }
 
-export enum DeploymentStatus {
-  DEPLOYED = 'deployed',
-  FAILED = 'failed',
-  PENDING = 'pending-install',
-  PENDINGUPGRADE = 'pending-upgrade',
-  PENDINGROLLBACK = 'pending-rollback',
-  SUPERSEDED = 'superseded',
-  UNINSTALLED = 'uninstalled',
-  UNINSTALLING = 'uninstalling',
-}
-
 export function HelmSummary({ release }: Props) {
   const isSuccess =
     release.info?.status === DeploymentStatus.DEPLOYED ||
@@ -29,9 +24,14 @@ export function HelmSummary({ release }: Props) {
       <div className="flex flex-col gap-y-4">
         <div>
           <Badge type={getStatusColor(release.info?.status)}>
-            {getText(release.info?.status)}
+            {getStatusText(release.info?.status)}
           </Badge>
         </div>
+        {!!release.info?.description && !isSuccess && (
+          <Alert color={getAlertColor(release.info?.status)}>
+            {release.info?.description}
+          </Alert>
+        )}
         <div className="flex flex-wrap gap-2">
           {!!release.namespace && <Badge>Namespace: {release.namespace}</Badge>}
           {!!release.version && <Badge>Revision: #{release.version}</Badge>}
@@ -47,12 +47,13 @@ export function HelmSummary({ release }: Props) {
               {release.chart.metadata.version}
             </Badge>
           )}
+          {!!release.info?.last_deployed && (
+            <Badge>
+              Last deployed:{' '}
+              {localizeDate(new Date(release.info.last_deployed))}
+            </Badge>
+          )}
         </div>
-        {!!release.info?.description && !isSuccess && (
-          <Alert color={getAlertColor(release.info?.status)}>
-            {release.info?.description}
-          </Alert>
-        )}
       </div>
     </div>
   );
@@ -74,38 +75,3 @@ function getAlertColor(status?: string) {
       return 'info';
   }
 }
-
-function getStatusColor(status?: string) {
-  switch (status?.toLowerCase()) {
-    case DeploymentStatus.DEPLOYED:
-      return 'success';
-    case DeploymentStatus.FAILED:
-      return 'danger';
-    case DeploymentStatus.PENDING:
-    case DeploymentStatus.PENDINGUPGRADE:
-    case DeploymentStatus.PENDINGROLLBACK:
-    case DeploymentStatus.UNINSTALLING:
-      return 'warn';
-    case DeploymentStatus.SUPERSEDED:
-    default:
-      return 'info';
-  }
-}
-
-function getText(status?: string) {
-  switch (status?.toLowerCase()) {
-    case DeploymentStatus.DEPLOYED:
-      return 'Deployed';
-    case DeploymentStatus.FAILED:
-      return 'Failed';
-    case DeploymentStatus.PENDING:
-    case DeploymentStatus.PENDINGUPGRADE:
-    case DeploymentStatus.PENDINGROLLBACK:
-    case DeploymentStatus.UNINSTALLING:
-      return 'Pending';
-    case DeploymentStatus.SUPERSEDED:
-      return 'Superseded';
-    default:
-      return 'Unknown';
-  }
-}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.test.tsx
new file mode 100644
index 000000000..109d98299
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.test.tsx
@@ -0,0 +1,193 @@
+import { fireEvent, render } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi } from 'vitest';
+
+import { DiffControl, DiffViewMode } from './DiffControl';
+
+// Create a mock for useDebounce that directly passes the setter function
+vi.mock('@/react/hooks/useDebounce', () => ({
+  useDebounce: (initialValue: number, setter: (value: number) => void) =>
+    // Return the initial value and a function that directly calls the setter
+    [initialValue, setter],
+}));
+
+function renderComponent({
+  selectedRevisionNumber = 5,
+  latestRevisionNumber = 10,
+  compareRevisionNumber = 4,
+  setCompareRevisionNumber = vi.fn(),
+  earliestRevisionNumber = 1,
+  diffViewMode = 'view' as DiffViewMode,
+  setDiffViewMode = vi.fn(),
+  isUserSupplied = false,
+  setIsUserSupplied = vi.fn(),
+  showUserSuppliedCheckbox = false,
+} = {}) {
+  return render(
+    <DiffControl
+      selectedRevisionNumber={selectedRevisionNumber}
+      latestRevisionNumber={latestRevisionNumber}
+      compareRevisionNumber={compareRevisionNumber}
+      setCompareRevisionNumber={setCompareRevisionNumber}
+      earliestRevisionNumber={earliestRevisionNumber}
+      diffViewMode={diffViewMode}
+      setDiffViewMode={setDiffViewMode}
+      isUserSupplied={isUserSupplied}
+      setIsUserSupplied={setIsUserSupplied}
+      showUserSuppliedCheckbox={showUserSuppliedCheckbox}
+    />
+  );
+}
+
+describe('DiffControl', () => {
+  it('should only render the user supplied checkbox when latestRevisionNumber is 1 and showUserSuppliedCheckbox is true', () => {
+    const { queryByLabelText } = renderComponent({
+      latestRevisionNumber: 1,
+      showUserSuppliedCheckbox: true,
+      setIsUserSupplied: vi.fn(),
+    });
+    expect(queryByLabelText('View')).toBeNull();
+    expect(queryByLabelText('Diff with previous')).toBeNull();
+    expect(queryByLabelText('Diff with specific revision:')).toBeNull();
+    expect(queryByLabelText('User defined only')).toBeInTheDocument();
+  });
+
+  it('should not render any controls when latestRevisionNumber is 1 and showUserSuppliedCheckbox is false', () => {
+    const { queryByLabelText } = renderComponent({
+      latestRevisionNumber: 1,
+      showUserSuppliedCheckbox: false,
+    });
+    expect(queryByLabelText('Diff with previous')).toBeNull();
+    expect(queryByLabelText('Diff with specific revision:')).toBeNull();
+    expect(queryByLabelText('View')).toBeNull();
+    expect(queryByLabelText('User defined only')).toBeNull();
+  });
+
+  it('should render view option', () => {
+    const { getByLabelText } = renderComponent();
+    expect(getByLabelText('View')).toBeInTheDocument();
+  });
+
+  it('should render "Diff with previous" option when earliestRevisionNumber < selectedRevisionNumber', () => {
+    const { getByLabelText } = renderComponent({
+      earliestRevisionNumber: 3,
+      selectedRevisionNumber: 5,
+    });
+    expect(getByLabelText('Diff with previous')).toBeInTheDocument();
+  });
+
+  it('should render "Diff with previous" option as disabled when earliestRevisionNumber >= selectedRevisionNumber', () => {
+    const { getByLabelText } = renderComponent({
+      earliestRevisionNumber: 5,
+      selectedRevisionNumber: 5,
+    });
+
+    expect(getByLabelText('View')).toBeInTheDocument();
+    expect(getByLabelText('Diff with specific revision:')).toBeInTheDocument();
+    // 'Diff with previous' should exist and be disabled
+    const diffWithPreviousOption = getByLabelText('Diff with previous');
+    expect(diffWithPreviousOption).toBeInTheDocument();
+    expect(diffWithPreviousOption).toBeDisabled();
+  });
+
+  it('should render "Diff with specific revision" option', () => {
+    const { getByLabelText } = renderComponent();
+    expect(getByLabelText('Diff with specific revision:')).toBeInTheDocument();
+  });
+
+  it('should render user supplied checkbox when showUserSuppliedCheckbox is true', () => {
+    const { getByLabelText } = renderComponent({
+      showUserSuppliedCheckbox: true,
+    });
+    expect(getByLabelText('User defined only')).toBeInTheDocument();
+  });
+
+  it('should not render user supplied checkbox when showUserSuppliedCheckbox is false', () => {
+    const { queryByLabelText } = renderComponent({
+      showUserSuppliedCheckbox: false,
+    });
+    expect(queryByLabelText('User defined only')).not.toBeInTheDocument();
+  });
+
+  it('should call setDiffViewMode when a radio option is selected', async () => {
+    const user = userEvent.setup();
+    const setDiffViewMode = vi.fn();
+
+    const { getByLabelText } = renderComponent({
+      setDiffViewMode,
+      diffViewMode: 'view',
+    });
+
+    await user.click(getByLabelText('Diff with specific revision:'));
+    expect(setDiffViewMode).toHaveBeenCalledWith('specific');
+  });
+
+  it('should call setIsUserSupplied when checkbox is clicked', async () => {
+    const user = userEvent.setup();
+    const setIsUserSupplied = vi.fn();
+
+    const { getByLabelText } = renderComponent({
+      setIsUserSupplied,
+      isUserSupplied: false,
+      showUserSuppliedCheckbox: true,
+    });
+
+    await user.click(getByLabelText('User defined only'));
+    expect(setIsUserSupplied).toHaveBeenCalledWith(true);
+  });
+});
+
+describe('DiffWithSpecificRevision', () => {
+  it('should display input with compareRevisionNumber value when not NaN', () => {
+    const compareRevisionNumber = 3;
+    const { getByRole } = renderComponent({
+      diffViewMode: 'specific',
+      compareRevisionNumber,
+    });
+
+    const input = getByRole('spinbutton');
+    expect(input).toHaveValue(compareRevisionNumber);
+  });
+
+  it('should handle input values and constraints properly', () => {
+    const setCompareRevisionNumber = vi.fn();
+    const earliestRevisionNumber = 2;
+    const latestRevisionNumber = 10;
+
+    const { getByRole } = renderComponent({
+      diffViewMode: 'specific',
+      earliestRevisionNumber,
+      latestRevisionNumber,
+      setCompareRevisionNumber,
+      compareRevisionNumber: 4,
+    });
+
+    // Check that input has the right min/max attributes
+    const input = getByRole('spinbutton');
+    expect(input).toHaveAttribute('min', earliestRevisionNumber.toString());
+    expect(input).toHaveAttribute('max', latestRevisionNumber.toString());
+
+    fireEvent.change(input, { target: { valueAsNumber: 11 } });
+    expect(setCompareRevisionNumber).toHaveBeenLastCalledWith(
+      latestRevisionNumber
+    );
+
+    fireEvent.change(input, { target: { valueAsNumber: 1 } });
+    expect(setCompareRevisionNumber).toHaveBeenLastCalledWith(
+      earliestRevisionNumber
+    );
+
+    fireEvent.change(input, { target: { valueAsNumber: 5 } });
+    expect(setCompareRevisionNumber).toHaveBeenLastCalledWith(5);
+  });
+
+  it('should handle NaN values in the input as empty string', () => {
+    const { getByRole } = renderComponent({
+      diffViewMode: 'specific',
+      compareRevisionNumber: NaN,
+    });
+
+    const input = getByRole('spinbutton') as HTMLInputElement;
+    expect(input.value).toBe('');
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.tsx
new file mode 100644
index 000000000..62698c40f
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffControl.tsx
@@ -0,0 +1,146 @@
+import { ChangeEvent } from 'react';
+
+import { useDebounce } from '@/react/hooks/useDebounce';
+
+import { RadioGroup, RadioGroupOption } from '@@/RadioGroup/RadioGroup';
+import { Input } from '@@/form-components/Input';
+import { Checkbox } from '@@/form-components/Checkbox';
+
+import {
+  LatestRevisionNumber,
+  EarliestRevisionNumber,
+  CompareRevisionNumber,
+  SelectedRevisionNumber,
+} from './types';
+
+export type DiffViewMode = 'view' | 'previous' | 'specific';
+
+type Props = {
+  selectedRevisionNumber: SelectedRevisionNumber;
+  latestRevisionNumber: LatestRevisionNumber;
+  compareRevisionNumber: CompareRevisionNumber;
+  setCompareRevisionNumber: (
+    compareRevisionNumber: CompareRevisionNumber
+  ) => void;
+  earliestRevisionNumber: EarliestRevisionNumber;
+  diffViewMode: DiffViewMode;
+  setDiffViewMode: (diffViewMode: DiffViewMode) => void;
+  isUserSupplied?: boolean;
+  setIsUserSupplied?: (isUserSupplied: boolean) => void;
+  showUserSuppliedCheckbox?: boolean;
+};
+
+export function DiffControl({
+  selectedRevisionNumber,
+  latestRevisionNumber,
+  compareRevisionNumber,
+  setCompareRevisionNumber,
+  earliestRevisionNumber,
+  diffViewMode,
+  setDiffViewMode,
+  isUserSupplied,
+  setIsUserSupplied,
+  showUserSuppliedCheckbox,
+}: Props) {
+  // If there is a different version to compare, show view option radio group
+  const showViewOptions = latestRevisionNumber > earliestRevisionNumber;
+
+  // to show the previous option, the earliest revision number available must be less than the selected revision number. (compare is still allowed, because we can still compare with a later revision)
+  const disabledPreviousOption =
+    earliestRevisionNumber >= selectedRevisionNumber;
+
+  const options: Array<RadioGroupOption<DiffViewMode>> = [
+    { label: 'View', value: 'view' },
+    {
+      label: 'Diff with previous',
+      value: 'previous',
+      disabled: disabledPreviousOption,
+    },
+    {
+      label: (
+        <DiffWithSpecificRevision
+          latestRevisionNumber={latestRevisionNumber}
+          earliestRevisionNumber={earliestRevisionNumber}
+          compareRevisionNumber={compareRevisionNumber}
+          setCompareRevisionNumber={setCompareRevisionNumber}
+        />
+      ),
+      value: 'specific',
+    },
+  ];
+
+  return (
+    <div className="flex flex-wrap gap-x-16 gap-y-1 items-center">
+      {showViewOptions && (
+        <RadioGroup
+          options={options}
+          selectedOption={diffViewMode}
+          name="diffControl"
+          onOptionChange={setDiffViewMode}
+          groupClassName="inline-flex flex-wrap gap-x-16 gap-y-1"
+          itemClassName="control-label !p-0 text-left font-normal"
+        />
+      )}
+      {!!showUserSuppliedCheckbox && !!setIsUserSupplied && (
+        <Checkbox
+          label="User defined only"
+          id="values-details-user-supplied"
+          checked={isUserSupplied}
+          onChange={() => setIsUserSupplied(!isUserSupplied)}
+          data-cy="values-details-user-supplied"
+          className="font-normal control-label"
+          bold={false}
+        />
+      )}
+    </div>
+  );
+}
+
+function DiffWithSpecificRevision({
+  latestRevisionNumber,
+  earliestRevisionNumber,
+  compareRevisionNumber,
+  setCompareRevisionNumber,
+}: {
+  latestRevisionNumber: LatestRevisionNumber;
+  earliestRevisionNumber: EarliestRevisionNumber;
+  compareRevisionNumber: CompareRevisionNumber;
+  setCompareRevisionNumber: (
+    compareRevisionNumber: CompareRevisionNumber
+  ) => void;
+}) {
+  // the revision number is debounced to avoid too many requests to the backend
+  const [
+    debouncedSetCompareRevisionNumber,
+    setDebouncedSetCompareRevisionNumber,
+  ] = useDebounce(compareRevisionNumber, setCompareRevisionNumber, 500);
+
+  return (
+    <>
+      <span>Diff with specific revision:</span>
+      <Input
+        type="number"
+        min={earliestRevisionNumber}
+        max={latestRevisionNumber}
+        value={debouncedSetCompareRevisionNumber}
+        onChange={handleSpecificRevisionChange}
+        className="w-20 ml-2"
+        data-cy="revision-specific-input"
+      />
+    </>
+  );
+
+  function handleSpecificRevisionChange(e: ChangeEvent<HTMLInputElement>) {
+    const inputNumber = e.target.valueAsNumber;
+    // handle out of range values
+    if (inputNumber > latestRevisionNumber) {
+      setCompareRevisionNumber(latestRevisionNumber);
+      return;
+    }
+    if (inputNumber < earliestRevisionNumber) {
+      setCompareRevisionNumber(earliestRevisionNumber);
+      return;
+    }
+    setDebouncedSetCompareRevisionNumber(inputNumber);
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffViewSection.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffViewSection.tsx
new file mode 100644
index 000000000..7871cbfa3
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/DiffViewSection.tsx
@@ -0,0 +1,55 @@
+import { AutomationTestingProps } from '@/types';
+
+import { DiffViewer } from '@@/CodeEditor/DiffViewer';
+import { Loading } from '@@/Widget';
+import { Alert } from '@@/Alert';
+
+import { CompareRevisionNumberFetched, SelectedRevisionNumber } from './types';
+
+interface Props extends AutomationTestingProps {
+  isCompareReleaseLoading: boolean;
+  isCompareReleaseError: boolean;
+  compareRevisionNumberFetched?: CompareRevisionNumberFetched;
+  selectedRevisionNumber: SelectedRevisionNumber;
+  newText: string;
+  originalText: string;
+  id: string;
+}
+
+export function DiffViewSection({
+  isCompareReleaseLoading,
+  isCompareReleaseError,
+  compareRevisionNumberFetched,
+  selectedRevisionNumber,
+  newText,
+  originalText,
+  id,
+  'data-cy': dataCy,
+}: Props) {
+  if (isCompareReleaseLoading) {
+    return <Loading />;
+  }
+
+  if (isCompareReleaseError) {
+    return <Alert color="error">Error loading compare values</Alert>;
+  }
+
+  return (
+    <DiffViewer
+      newCode={newText}
+      originalCode={originalText}
+      id={id}
+      data-cy={dataCy}
+      placeholder="No values found"
+      fileNames={{
+        original: compareRevisionNumberFetched
+          ? `Revision #${compareRevisionNumberFetched}`
+          : 'No revision selected',
+        modified: `Revision #${selectedRevisionNumber}`,
+      }}
+      className="mt-2"
+      type="yaml"
+      height="60vh"
+    />
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
new file mode 100644
index 000000000..772774fe3
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
@@ -0,0 +1,242 @@
+import { render, screen, waitFor } from '@testing-library/react';
+import { HttpResponse } from 'msw';
+import { Event, EventList } from 'kubernetes-types/core/v1';
+
+import { server, http } from '@/setup-tests/server';
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { mockLocalizeDate } from '@/setup-tests/mock-localizeDate';
+
+import { GenericResource } from '../../types';
+
+import {
+  HelmEventsDatatable,
+  filterRelatedEvents,
+} from './HelmEventsDatatable';
+
+const mockUseEnvironmentId = vi.fn();
+mockLocalizeDate();
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => mockUseEnvironmentId(),
+}));
+
+const testResources: GenericResource[] = [
+  {
+    kind: 'Deployment',
+    status: {
+      healthSummary: {
+        status: 'Healthy',
+        reason: 'Running',
+        message: 'All replicas are ready',
+      },
+    },
+    metadata: {
+      name: 'test-deployment',
+      namespace: 'default',
+      uid: 'test-deployment-uid',
+    },
+  },
+  {
+    kind: 'Service',
+    status: {
+      healthSummary: {
+        status: 'Healthy',
+        reason: 'Available',
+        message: 'Service is available',
+      },
+    },
+    metadata: {
+      name: 'test-service',
+      namespace: 'default',
+      uid: 'test-service-uid',
+    },
+  },
+];
+
+const mockEventsResponse: EventList = {
+  kind: 'EventList',
+  apiVersion: 'v1',
+  metadata: {
+    resourceVersion: '12345',
+  },
+  items: [
+    {
+      metadata: {
+        name: 'test-deployment-123456',
+        namespace: 'default',
+        uid: 'event-uid-1',
+        resourceVersion: '1000',
+        creationTimestamp: '2023-01-01T00:00:00Z',
+      },
+      involvedObject: {
+        kind: 'Deployment',
+        namespace: 'default',
+        name: 'test-deployment',
+        uid: 'test-deployment-uid',
+        apiVersion: 'apps/v1',
+        resourceVersion: '2000',
+      },
+      reason: 'ScalingReplicaSet',
+      message: 'Scaled up replica set test-deployment-abc123 to 1',
+      source: {
+        component: 'deployment-controller',
+      },
+      firstTimestamp: '2023-01-01T00:00:00Z',
+      lastTimestamp: '2023-01-01T00:00:00Z',
+      count: 1,
+      type: 'Normal',
+      reportingComponent: 'deployment-controller',
+      reportingInstance: '',
+    },
+    {
+      metadata: {
+        name: 'test-service-123456',
+        namespace: 'default',
+        uid: 'event-uid-2',
+        resourceVersion: '1001',
+        creationTimestamp: '2023-01-01T00:00:00Z',
+      },
+      involvedObject: {
+        kind: 'Service',
+        namespace: 'default',
+        name: 'test-service',
+        uid: 'test-service-uid',
+        apiVersion: 'v1',
+        resourceVersion: '2001',
+      },
+      reason: 'CreatedLoadBalancer',
+      message: 'Created load balancer',
+      source: {
+        component: 'service-controller',
+      },
+      firstTimestamp: '2023-01-01T00:00:00Z',
+      lastTimestamp: '2023-01-01T00:00:00Z',
+      count: 1,
+      type: 'Normal',
+      reportingComponent: 'service-controller',
+      reportingInstance: '',
+    },
+  ],
+};
+
+const mixedEventsResponse: EventList = {
+  kind: 'EventList',
+  apiVersion: 'v1',
+  metadata: {
+    resourceVersion: '12345',
+  },
+  items: [
+    {
+      metadata: {
+        name: 'test-deployment-123456',
+        namespace: 'default',
+        uid: 'event-uid-1',
+        resourceVersion: '1000',
+        creationTimestamp: '2023-01-01T00:00:00Z',
+      },
+      involvedObject: {
+        kind: 'Deployment',
+        namespace: 'default',
+        name: 'test-deployment',
+        uid: 'test-deployment-uid', // This matches a resource UID
+        apiVersion: 'apps/v1',
+        resourceVersion: '2000',
+      },
+      reason: 'ScalingReplicaSet',
+      message: 'Scaled up replica set test-deployment-abc123 to 1',
+      source: {
+        component: 'deployment-controller',
+      },
+      firstTimestamp: '2023-01-01T00:00:00Z',
+      lastTimestamp: '2023-01-01T00:00:00Z',
+      count: 1,
+      type: 'Normal',
+      reportingComponent: 'deployment-controller',
+      reportingInstance: '',
+    },
+    {
+      metadata: {
+        name: 'unrelated-pod-123456',
+        namespace: 'default',
+        uid: 'event-uid-3',
+        resourceVersion: '1002',
+        creationTimestamp: '2023-01-01T00:00:00Z',
+      },
+      involvedObject: {
+        kind: 'Pod',
+        namespace: 'default',
+        name: 'unrelated-pod',
+        uid: 'unrelated-pod-uid', // This does NOT match any resource UIDs
+        apiVersion: 'v1',
+        resourceVersion: '2002',
+      },
+      reason: 'Scheduled',
+      message: 'Successfully assigned unrelated-pod to node',
+      source: {
+        component: 'default-scheduler',
+      },
+      firstTimestamp: '2023-01-01T00:00:00Z',
+      lastTimestamp: '2023-01-01T00:00:00Z',
+      count: 1,
+      reportingComponent: 'scheduler',
+      reportingInstance: '',
+    },
+  ],
+};
+
+function renderComponent() {
+  const user = new UserViewModel({ Username: 'user' });
+  mockUseEnvironmentId.mockReturnValue(3);
+
+  const HelmEventsDatatableWithProviders = withTestQueryProvider(
+    withUserProvider(withTestRouter(HelmEventsDatatable), user)
+  );
+
+  return render(
+    <HelmEventsDatatableWithProviders
+      namespace="default"
+      releaseResources={testResources}
+    />
+  );
+}
+
+describe('HelmEventsDatatable', () => {
+  beforeEach(() => {
+    server.use(
+      http.get(
+        '/api/endpoints/3/kubernetes/api/v1/namespaces/default/events',
+        () => HttpResponse.json(mockEventsResponse)
+      )
+    );
+  });
+
+  it('should render events datatable with correct title', async () => {
+    renderComponent();
+
+    await waitFor(() => {
+      expect(
+        screen.getByText('Events reflect the latest revision only.')
+      ).toBeInTheDocument();
+    });
+
+    expect(screen.getByRole('table')).toBeInTheDocument();
+  });
+
+  it('should correctly filter related events using the filterRelatedEvents function', () => {
+    const filteredEvents = filterRelatedEvents(
+      mixedEventsResponse.items as Event[],
+      testResources
+    );
+
+    expect(filteredEvents.length).toBe(1);
+    expect(filteredEvents[0].involvedObject.uid).toBe('test-deployment-uid');
+
+    const unrelatedEvents = filteredEvents.filter(
+      (e) => e.involvedObject.uid === 'unrelated-pod-uid'
+    );
+    expect(unrelatedEvents.length).toBe(0);
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
new file mode 100644
index 000000000..d02423d82
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
@@ -0,0 +1,77 @@
+import { compact } from 'lodash';
+import { Event } from 'kubernetes-types/core/v1';
+
+import { createStore } from '@/react/kubernetes/datatables/default-kube-datatable-store';
+import { EventsDatatable } from '@/react/kubernetes/components/EventsDatatable';
+import { useEvents } from '@/react/kubernetes/queries/useEvents';
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+
+import { useTableState } from '@@/datatables/useTableState';
+import { Widget } from '@@/Widget';
+import { TextTip } from '@@/Tip/TextTip';
+
+import { GenericResource } from '../../types';
+
+export const storageKey = 'k8sHelmEventsDatatable';
+export const settingsStore = createStore(storageKey, {
+  id: 'Date',
+  desc: true,
+});
+
+export function HelmEventsDatatable({
+  namespace,
+  releaseResources,
+}: {
+  namespace: string;
+  releaseResources: GenericResource[];
+}) {
+  const environmentId = useEnvironmentId();
+  const tableState = useTableState(settingsStore, storageKey);
+
+  const eventsQuery = useEvents(environmentId, {
+    namespace,
+    queryOptions: {
+      autoRefreshRate: tableState.autoRefreshRate * 1000,
+      select: (data) => filterRelatedEvents(data, releaseResources),
+    },
+  });
+
+  return (
+    <Widget>
+      <EventsDatatable
+        dataset={eventsQuery.data || []}
+        title={
+          <TextTip inline color="blue" className="!text-xs">
+            Events reflect the latest revision only.
+          </TextTip>
+        }
+        titleIcon={null}
+        tableState={tableState}
+        isLoading={eventsQuery.isInitialLoading}
+        data-cy="k8sAppDetail-eventsTable"
+        // no widget to avoid extra padding from app/react/components/datatables/TableContainer.tsx
+        noWidget
+      />
+    </Widget>
+  );
+}
+
+export function useHelmEventsTableState() {
+  return useTableState(settingsStore, storageKey);
+}
+
+export function filterRelatedEvents(
+  events: Event[],
+  resources: GenericResource[]
+) {
+  const relatedUids = getReleaseUids(resources);
+  const relatedUidsSet = new Set(relatedUids);
+  return events.filter(
+    (event) =>
+      event.involvedObject.uid && relatedUidsSet.has(event.involvedObject.uid)
+  );
+}
+
+function getReleaseUids(resources: GenericResource[]) {
+  return compact(resources.map((resource) => resource.metadata.uid));
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx
index c95886d3f..c87ad17a3 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ManifestDetails.tsx
@@ -1,18 +1,58 @@
+import { ReactNode } from 'react';
+
 import { CodeEditor } from '@@/CodeEditor';
 
+import { DiffViewMode } from './DiffControl';
+import { DiffViewSection } from './DiffViewSection';
+import { SelectedRevisionNumber, CompareRevisionNumberFetched } from './types';
+
 type Props = {
   manifest: string;
+  selectedRevisionNumber: SelectedRevisionNumber;
+  diffViewMode: DiffViewMode;
+  compareManifest?: string;
+  compareRevisionNumberFetched?: CompareRevisionNumberFetched;
+  isCompareReleaseLoading: boolean;
+  isCompareReleaseError: boolean;
+  diffControl: ReactNode;
 };
 
-export function ManifestDetails({ manifest }: Props) {
+export function ManifestDetails({
+  manifest,
+  selectedRevisionNumber,
+  diffViewMode,
+  compareManifest,
+  compareRevisionNumberFetched,
+  isCompareReleaseLoading,
+  isCompareReleaseError,
+  diffControl,
+}: Props) {
   return (
-    <CodeEditor
-      id="helm-manifest"
-      type="yaml"
-      data-cy="helm-manifest"
-      value={manifest}
-      height="600px"
-      readonly
-    />
+    <>
+      {diffControl}
+      {diffViewMode === 'view' ? (
+        <CodeEditor
+          id="helm-manifest"
+          type="yaml"
+          data-cy="helm-manifest"
+          value={manifest}
+          readonly
+          fileName={`Revision #${selectedRevisionNumber}`}
+          placeholder="No manifest found"
+          height="60vh"
+        />
+      ) : (
+        <DiffViewSection
+          isCompareReleaseLoading={isCompareReleaseLoading}
+          isCompareReleaseError={isCompareReleaseError}
+          compareRevisionNumberFetched={compareRevisionNumberFetched}
+          selectedRevisionNumber={selectedRevisionNumber}
+          newText={manifest}
+          originalText={compareManifest ?? ''}
+          id="helm-manifest-diff-viewer"
+          data-cy="helm-manifest-diff-viewer"
+        />
+      )}
+    </>
   );
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx
index 74a6135bd..be5feb0ca 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/NotesDetails.tsx
@@ -1,9 +1,48 @@
 import Markdown from 'markdown-to-jsx';
+import { ReactNode } from 'react';
+
+import { DiffViewMode } from './DiffControl';
+import { DiffViewSection } from './DiffViewSection';
+import { SelectedRevisionNumber, CompareRevisionNumberFetched } from './types';
 
 type Props = {
   notes: string;
+  selectedRevisionNumber: SelectedRevisionNumber;
+  diffViewMode: DiffViewMode;
+  compareNotes?: string;
+  compareRevisionNumberFetched?: CompareRevisionNumberFetched;
+  isCompareReleaseLoading: boolean;
+  isCompareReleaseError: boolean;
+  diffControl: ReactNode;
 };
 
-export function NotesDetails({ notes }: Props) {
-  return <Markdown className="list-inside mt-6">{notes}</Markdown>;
+export function NotesDetails({
+  notes,
+  selectedRevisionNumber,
+  diffViewMode,
+  compareNotes,
+  compareRevisionNumberFetched,
+  isCompareReleaseLoading,
+  isCompareReleaseError,
+  diffControl,
+}: Props) {
+  return (
+    <>
+      {diffControl}
+      {diffViewMode === 'view' ? (
+        <Markdown className="list-inside mt-6">{notes}</Markdown>
+      ) : (
+        <DiffViewSection
+          isCompareReleaseLoading={isCompareReleaseLoading}
+          isCompareReleaseError={isCompareReleaseError}
+          compareRevisionNumberFetched={compareRevisionNumberFetched}
+          selectedRevisionNumber={selectedRevisionNumber}
+          newText={notes}
+          originalText={compareNotes ?? ''}
+          id="helm-notes-diff-viewer"
+          data-cy="helm-notes-diff-viewer"
+        />
+      )}
+    </>
+  );
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
index efa36c0c2..0aa05960c 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
@@ -1,32 +1,184 @@
 import { useState } from 'react';
 import { compact } from 'lodash';
+import { useCurrentStateAndParams, useRouter } from '@uirouter/react';
+import { AlertTriangle } from 'lucide-react';
+
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+import { useEvents } from '@/react/kubernetes/queries/useEvents';
 
 import { NavTabs, Option } from '@@/NavTabs';
+import { Badge } from '@@/Badge';
+import { Icon } from '@@/Icon';
 
 import { HelmRelease } from '../../types';
+import { useHelmHistory } from '../queries/useHelmHistory';
 
 import { ManifestDetails } from './ManifestDetails';
 import { NotesDetails } from './NotesDetails';
 import { ValuesDetails } from './ValuesDetails';
 import { ResourcesTable } from './ResourcesTable/ResourcesTable';
+import { DiffControl, DiffViewMode } from './DiffControl';
+import { useHelmReleaseToCompare } from './useHelmReleaseToCompare';
+import {
+  filterRelatedEvents,
+  HelmEventsDatatable,
+  useHelmEventsTableState,
+} from './HelmEventsDatatable';
 
 type Props = {
   release: HelmRelease;
+  selectedRevision: number;
 };
 
-type Tab = 'values' | 'notes' | 'manifest' | 'resources';
+type Tab = 'values' | 'notes' | 'manifest' | 'resources' | 'events';
+
+export function ReleaseTabs({ release, selectedRevision }: Props) {
+  const {
+    params: { tab },
+  } = useCurrentStateAndParams();
+  const router = useRouter();
+  const environmentId = useEnvironmentId();
+  // state is here so that the state isn't lost when the tab changes
+  const [isUserSupplied, setIsUserSupplied] = useState(true);
+  // start with NaN so that the input is empty (see <Input /> for more details)
+  const [selectedCompareRevisionNumber, setSelectedCompareRevisionNumber] =
+    useState(NaN);
+  const [diffViewMode, setDiffViewMode] = useState<DiffViewMode>('view');
+
+  const historyQuery = useHelmHistory(
+    environmentId,
+    release.name,
+    release.namespace ?? ''
+  );
+  const earliestRevisionNumber =
+    historyQuery.data?.[historyQuery.data.length - 1]?.version ??
+    release.version ??
+    1;
+  const latestRevisionNumber =
+    historyQuery.data?.[0]?.version ?? release.version ?? 1;
+  const { compareRelease, isCompareReleaseLoading, isCompareReleaseError } =
+    useHelmReleaseToCompare(
+      release,
+      earliestRevisionNumber,
+      latestRevisionNumber,
+      diffViewMode,
+      selectedRevision,
+      selectedCompareRevisionNumber
+    );
+
+  const { autoRefreshRate } = useHelmEventsTableState();
+  const { data: eventWarningCount } = useEvents(environmentId, {
+    namespace: release.namespace ?? '',
+    queryOptions: {
+      autoRefreshRate: autoRefreshRate * 1000,
+      select: (data) => {
+        const relatedEvents = filterRelatedEvents(
+          data,
+          release.info?.resources ?? []
+        );
+        return relatedEvents.filter((e) => e.type === 'Warning').length;
+      },
+    },
+  });
+
+  return (
+    <NavTabs<Tab>
+      onSelect={setTab}
+      selectedId={parseValidTab(tab, !!release.info?.notes)}
+      type="pills"
+      justified
+      options={helmTabs(
+        release,
+        isUserSupplied,
+        setIsUserSupplied,
+        earliestRevisionNumber,
+        latestRevisionNumber,
+        selectedRevision,
+        selectedCompareRevisionNumber,
+        setSelectedCompareRevisionNumber,
+        diffViewMode,
+        handleDiffViewChange,
+        isCompareReleaseLoading,
+        isCompareReleaseError,
+        eventWarningCount ?? 0,
+        compareRelease
+      )}
+    />
+  );
+
+  function handleDiffViewChange(diffViewMode: DiffViewMode) {
+    setDiffViewMode(diffViewMode);
+
+    if (latestRevisionNumber === earliestRevisionNumber) {
+      return;
+    }
+
+    // if the input for compare revision number is NaN, set it to the previous revision number
+    if (
+      Number.isNaN(selectedCompareRevisionNumber) &&
+      diffViewMode === 'specific'
+    ) {
+      if (selectedRevision > earliestRevisionNumber) {
+        setSelectedCompareRevisionNumber(selectedRevision - 1);
+        return;
+      }
+      // it could be useful to compare to the latest revision number if the selected revision number is the earliest revision number
+      setSelectedCompareRevisionNumber(latestRevisionNumber);
+    }
+  }
+
+  function setTab(tab: Tab) {
+    router.stateService.go('kubernetes.helm', {
+      tab,
+    });
+  }
+}
 
 function helmTabs(
   release: HelmRelease,
   isUserSupplied: boolean,
-  setIsUserSupplied: (isUserSupplied: boolean) => void
+  setIsUserSupplied: (isUserSupplied: boolean) => void,
+  earliestRevisionNumber: number,
+  latestRevisionNumber: number,
+  selectedRevisionNumber: number,
+  compareRevisionNumber: number,
+  setCompareRevisionNumber: (compareRevisionNumber: number) => void,
+  diffViewMode: DiffViewMode,
+  setDiffViewMode: (diffViewMode: DiffViewMode) => void,
+  isCompareReleaseLoading: boolean,
+  isCompareReleaseError: boolean,
+  eventWarningCount: number,
+  compareRelease?: HelmRelease
 ): Option<Tab>[] {
+  // as long as the latest revision number is greater than the earliest revision number, there are changes to compare
+  const showDiffControl = latestRevisionNumber > earliestRevisionNumber;
+
   return compact([
     {
       label: 'Resources',
       id: 'resources',
       children: <ResourcesTable />,
     },
+    {
+      label: (
+        <>
+          Events
+          {eventWarningCount >= 1 && (
+            <Badge type="warnSecondary">
+              <Icon icon={AlertTriangle} className="!mr-1" />
+              {eventWarningCount}
+            </Badge>
+          )}
+        </>
+      ),
+      id: 'events',
+      children: (
+        <HelmEventsDatatable
+          namespace={release.namespace ?? ''}
+          releaseResources={release.info?.resources ?? []}
+        />
+      ),
+    },
     {
       label: 'Values',
       id: 'values',
@@ -34,35 +186,97 @@ function helmTabs(
         <ValuesDetails
           values={release.values}
           isUserSupplied={isUserSupplied}
-          setIsUserSupplied={setIsUserSupplied}
+          selectedRevisionNumber={selectedRevisionNumber}
+          diffViewMode={diffViewMode}
+          compareValues={compareRelease?.values}
+          compareRevisionNumberFetched={compareRelease?.version}
+          isCompareReleaseLoading={isCompareReleaseLoading}
+          isCompareReleaseError={isCompareReleaseError}
+          diffControl={
+            <DiffControl
+              selectedRevisionNumber={selectedRevisionNumber}
+              latestRevisionNumber={latestRevisionNumber}
+              earliestRevisionNumber={earliestRevisionNumber}
+              compareRevisionNumber={compareRevisionNumber}
+              setCompareRevisionNumber={setCompareRevisionNumber}
+              diffViewMode={diffViewMode}
+              setDiffViewMode={setDiffViewMode}
+              isUserSupplied={isUserSupplied}
+              setIsUserSupplied={setIsUserSupplied}
+              showUserSuppliedCheckbox
+            />
+          }
         />
       ),
     },
     {
       label: 'Manifest',
       id: 'manifest',
-      children: <ManifestDetails manifest={release.manifest} />,
+      children: (
+        <ManifestDetails
+          manifest={release.manifest}
+          selectedRevisionNumber={selectedRevisionNumber}
+          diffViewMode={diffViewMode}
+          compareManifest={compareRelease?.manifest}
+          compareRevisionNumberFetched={compareRelease?.version}
+          isCompareReleaseLoading={isCompareReleaseLoading}
+          isCompareReleaseError={isCompareReleaseError}
+          diffControl={
+            showDiffControl && (
+              <DiffControl
+                selectedRevisionNumber={selectedRevisionNumber}
+                latestRevisionNumber={latestRevisionNumber}
+                earliestRevisionNumber={earliestRevisionNumber}
+                compareRevisionNumber={compareRevisionNumber}
+                setCompareRevisionNumber={setCompareRevisionNumber}
+                diffViewMode={diffViewMode}
+                setDiffViewMode={setDiffViewMode}
+              />
+            )
+          }
+        />
+      ),
     },
     !!release.info?.notes && {
       label: 'Notes',
       id: 'notes',
-      children: <NotesDetails notes={release.info.notes} />,
+      children: (
+        <NotesDetails
+          notes={release.info.notes}
+          selectedRevisionNumber={selectedRevisionNumber}
+          diffViewMode={diffViewMode}
+          compareNotes={compareRelease?.info?.notes}
+          compareRevisionNumberFetched={compareRelease?.version}
+          isCompareReleaseLoading={isCompareReleaseLoading}
+          isCompareReleaseError={isCompareReleaseError}
+          diffControl={
+            showDiffControl && (
+              <DiffControl
+                selectedRevisionNumber={selectedRevisionNumber}
+                latestRevisionNumber={latestRevisionNumber}
+                earliestRevisionNumber={earliestRevisionNumber}
+                compareRevisionNumber={compareRevisionNumber}
+                setCompareRevisionNumber={setCompareRevisionNumber}
+                diffViewMode={diffViewMode}
+                setDiffViewMode={setDiffViewMode}
+              />
+            )
+          }
+        />
+      ),
     },
   ]);
 }
 
-export function ReleaseTabs({ release }: Props) {
-  const [tab, setTab] = useState<Tab>('resources');
-  // state is here so that the state isn't lost when the tab changes
-  const [isUserSupplied, setIsUserSupplied] = useState(true);
-
-  return (
-    <NavTabs<Tab>
-      onSelect={setTab}
-      selectedId={tab}
-      type="pills"
-      justified
-      options={helmTabs(release, isUserSupplied, setIsUserSupplied)}
-    />
-  );
+function parseValidTab(tab: string, hasNotes: boolean): Tab {
+  if (
+    tab === 'values' ||
+    (tab === 'notes' && hasNotes) ||
+    tab === 'manifest' ||
+    tab === 'resources' ||
+    tab === 'events'
+  ) {
+    return tab;
+  }
+  return 'resources';
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx
index a1510aef8..4442ca871 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/DescribeModal.test.tsx
@@ -6,7 +6,17 @@ import { DescribeModal } from './DescribeModal';
 
 const mockUseDescribeResource = vi.fn();
 
-vi.mock('yaml-schema', () => ({}));
+// Mock the CodeEditor component instead of yaml-schema
+vi.mock('@@/CodeEditor', () => ({
+  CodeEditor: ({
+    value,
+    'data-cy': dataCy,
+  }: {
+    value: string;
+    'data-cy'?: string;
+  }) => <div data-cy={dataCy}>{value}</div>,
+}));
+
 vi.mock('./queries/useDescribeResource', () => ({
   useDescribeResource: (...args: unknown[]) => mockUseDescribeResource(...args),
 }));
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
index 6a3b35674..8469e38fe 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
@@ -11,6 +11,7 @@ import {
 import { useTableState } from '@@/datatables/useTableState';
 import { Widget } from '@@/Widget';
 import { TableSettingsMenuAutoRefresh } from '@@/datatables/TableSettingsMenuAutoRefresh';
+import { TextTip } from '@@/Tip/TextTip';
 
 import { useHelmRelease } from '../../queries/useHelmRelease';
 
@@ -34,12 +35,14 @@ const settingsStore = createStore('helm-resources');
 export function ResourcesTable() {
   const environmentId = useEnvironmentId();
   const { params } = useCurrentStateAndParams();
-  const { name, namespace } = params;
+  const { name, namespace, revision } = params;
+  const revisionNumber = revision ? parseInt(revision, 10) : undefined;
 
   const tableState = useTableState(settingsStore, storageKey);
   const helmReleaseQuery = useHelmRelease(environmentId, name, namespace, {
     showResources: true,
     refetchInterval: tableState.autoRefreshRate * 1000,
+    revision: revisionNumber,
   });
   const rows = useResourceRows(helmReleaseQuery.data?.info?.resources);
 
@@ -48,11 +51,17 @@ export function ResourcesTable() {
       <Datatable
         // no widget to avoid extra padding from app/react/components/datatables/TableContainer.tsx
         noWidget
+        isLoading={helmReleaseQuery.isLoading}
         dataset={rows}
         columns={columns}
         includeSearch
         settingsManager={tableState}
         emptyContentLabel="No resources found"
+        title={
+          <TextTip inline color="blue" className="!text-xs">
+            Resources reflect the latest revision only.
+          </TextTip>
+        }
         disableSelect
         getRowId={(row) => row.id}
         data-cy="helm-resources-datatable"
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
index b9ff43fff..cded59796 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
@@ -14,5 +14,9 @@ export const status = columnHelper.accessor((row) => row.status.label, {
 
 function Cell({ row }: CellContext<ResourceRow, string>) {
   const { status } = row.original;
+  if (!status.label) {
+    return '-';
+  }
+
   return <StatusBadge color={status.type}>{status.label}</StatusBadge>;
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx
index b1f32ca3f..7a480660c 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ValuesDetails.tsx
@@ -1,44 +1,74 @@
-import { Checkbox } from '@@/form-components/Checkbox';
+import { ReactNode } from 'react';
+
 import { CodeEditor } from '@@/CodeEditor';
 
 import { Values } from '../../types';
 
+import { DiffViewMode } from './DiffControl';
+import { DiffViewSection } from './DiffViewSection';
+import { SelectedRevisionNumber, CompareRevisionNumberFetched } from './types';
+
 interface Props {
   values?: Values;
   isUserSupplied: boolean;
-  setIsUserSupplied: (isUserSupplied: boolean) => void;
+  selectedRevisionNumber: SelectedRevisionNumber;
+  diffViewMode: DiffViewMode;
+  compareValues?: Values;
+  compareRevisionNumberFetched?: CompareRevisionNumberFetched;
+  isCompareReleaseLoading: boolean;
+  isCompareReleaseError: boolean;
+  diffControl: ReactNode;
 }
 
-const noValuesMessage = 'No values found';
-
 export function ValuesDetails({
   values,
   isUserSupplied,
-  setIsUserSupplied,
+  selectedRevisionNumber,
+  diffViewMode,
+  compareValues,
+  compareRevisionNumberFetched,
+  isCompareReleaseLoading,
+  isCompareReleaseError,
+  diffControl,
 }: Props) {
   return (
-    <div className="relative">
-      {/* bring in line with the code editor copy button */}
-      <div className="absolute top-1 left-0">
-        <Checkbox
-          label="User defined only"
-          id="values-details-user-supplied"
-          checked={isUserSupplied}
-          onChange={() => setIsUserSupplied(!isUserSupplied)}
-          data-cy="values-details-user-supplied"
+    <>
+      {diffControl}
+      {diffViewMode === 'view' ? (
+        <CodeEditor
+          type="yaml"
+          id="values-details-code-editor"
+          data-cy="values-details-code-editor"
+          value={
+            isUserSupplied
+              ? values?.userSuppliedValues ?? ''
+              : values?.computedValues ?? ''
+          }
+          readonly
+          fileName={`Revision #${selectedRevisionNumber}`}
+          placeholder="No values found"
+          height="60vh"
         />
-      </div>
-      <CodeEditor
-        type="yaml"
-        id="values-details-code-editor"
-        data-cy="values-details-code-editor"
-        value={
-          isUserSupplied
-            ? values?.userSuppliedValues ?? noValuesMessage
-            : values?.computedValues ?? noValuesMessage
-        }
-        readonly
-      />
-    </div>
+      ) : (
+        <DiffViewSection
+          isCompareReleaseLoading={isCompareReleaseLoading}
+          isCompareReleaseError={isCompareReleaseError}
+          compareRevisionNumberFetched={compareRevisionNumberFetched}
+          selectedRevisionNumber={selectedRevisionNumber}
+          newText={
+            isUserSupplied
+              ? values?.userSuppliedValues ?? ''
+              : values?.computedValues ?? ''
+          }
+          originalText={
+            isUserSupplied
+              ? compareValues?.userSuppliedValues ?? ''
+              : compareValues?.computedValues ?? ''
+          }
+          id="values-details-diff-viewer"
+          data-cy="values-details-diff-viewer"
+        />
+      )}
+    </>
   );
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/types.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/types.ts
new file mode 100644
index 000000000..0b038a0f5
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/types.ts
@@ -0,0 +1,26 @@
+// exporting as types here allows the JSDocs to be reused, improving readability
+
+/**
+ * The revision number of the latest release.
+ */
+export type LatestRevisionNumber = number;
+
+/**
+ * The revision number selected in the UI.
+ */
+export type SelectedRevisionNumber = number;
+
+/**
+ * The revision number to compare with.
+ */
+export type CompareRevisionNumber = number;
+
+/**
+ * The earliest revision number available for the chart.
+ */
+export type EarliestRevisionNumber = number;
+
+/**
+ * The revision number that's being fetched (instead of the form state).
+ */
+export type CompareRevisionNumberFetched = number;
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts
new file mode 100644
index 000000000..814f03a6a
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts
@@ -0,0 +1,60 @@
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+
+import { HelmRelease } from '../../types';
+import { useHelmRelease } from '../queries/useHelmRelease';
+
+import { DiffViewMode } from './DiffControl';
+
+/** useHelmReleaseToCompare is a hook that returns the release to compare to based on the diffViewMode, selectedRevisionNumber and selectedCompareRevisionNumber */
+export function useHelmReleaseToCompare(
+  release: HelmRelease,
+  earliestRevisionNumber: number,
+  latestRevisionNumber: number,
+  diffViewMode: DiffViewMode,
+  selectedRevisionNumber: number,
+  selectedCompareRevisionNumber: number
+) {
+  const environmentId = useEnvironmentId();
+  // the selectedCompareRevisionNumber is the number selected in the input field, but the compareRevisionNumber is the revision number of the release to compare to
+  const compareRevisionNumber = getCompareReleaseVersion(
+    diffViewMode,
+    selectedRevisionNumber,
+    selectedCompareRevisionNumber
+  );
+  const enabled =
+    compareRevisionNumber <= latestRevisionNumber &&
+    compareRevisionNumber >= earliestRevisionNumber;
+
+  // a 1 hour stale time is nice because past releases are not likely to change
+  const compareReleaseQuery = useHelmRelease(
+    environmentId,
+    release.name,
+    release.namespace ?? '',
+    {
+      showResources: false,
+      enabled,
+      staleTime: 60 * 60 * 1000,
+      revision: compareRevisionNumber,
+    }
+  );
+  return {
+    compareRelease: compareReleaseQuery.data,
+    isCompareReleaseLoading: compareReleaseQuery.isInitialLoading,
+    isCompareReleaseError: compareReleaseQuery.isError,
+  };
+}
+
+// getCompareReleaseVersion is a helper function that returns the revision number that should be fetched based on the diffViewMode, selectedRevisionNumber and selectedCompareRevisionNumber
+function getCompareReleaseVersion(
+  diffViewMode: DiffViewMode,
+  selectedRevisionNumber: number,
+  selectedCompareRevisionNumber: number
+) {
+  if (diffViewMode === 'previous') {
+    return selectedRevisionNumber - 1;
+  }
+  if (diffViewMode === 'specific') {
+    return selectedCompareRevisionNumber;
+  }
+  return selectedRevisionNumber;
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmHistory.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmHistory.ts
new file mode 100644
index 000000000..41d6ab375
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmHistory.ts
@@ -0,0 +1,44 @@
+import { useQuery } from '@tanstack/react-query';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { withGlobalError } from '@/react-tools/react-query';
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+
+import { HelmRelease } from '../../types';
+
+export function useHelmHistory(
+  environmentId: EnvironmentId,
+  name: string,
+  namespace: string
+) {
+  return useQuery(
+    [environmentId, 'helm', 'releases', namespace, name, 'history'],
+    () => getHelmHistory(environmentId, name, namespace),
+    {
+      enabled: !!environmentId && !!name && !!namespace,
+      ...withGlobalError('Unable to retrieve helm application history'),
+      retry: 3,
+      // occasionally the application shows before the release is created, take some more time to refetch
+      retryDelay: 2000,
+    }
+  );
+}
+
+async function getHelmHistory(
+  environmentId: EnvironmentId,
+  name: string,
+  namespace: string
+) {
+  try {
+    const response = await axios.get<HelmRelease[]>(
+      `endpoints/${environmentId}/kubernetes/helm/${name}/history`,
+      {
+        params: { namespace },
+      }
+    );
+
+    return response.data;
+  } catch (error) {
+    throw parseAxiosError(error, 'Unable to retrieve helm application history');
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
index 8d41e6544..cdf465c16 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
@@ -6,6 +6,15 @@ import axios, { parseAxiosError } from '@/portainer/services/axios';
 
 import { HelmRelease } from '../../types';
 
+type Options<T> = {
+  select?: (data: HelmRelease) => T;
+  showResources?: boolean;
+  refetchInterval?: number;
+  enabled?: boolean;
+  staleTime?: number;
+  /** when the revision is undefined, the latest revision is fetched */
+  revision?: number;
+};
 /**
  * React hook to fetch a specific Helm release
  */
@@ -13,39 +22,52 @@ export function useHelmRelease<T = HelmRelease>(
   environmentId: EnvironmentId,
   name: string,
   namespace: string,
-  options: {
-    select?: (data: HelmRelease) => T;
-    showResources?: boolean;
-    refetchInterval?: number;
-  } = {}
+  options: Options<T> = {}
 ) {
-  const { select, showResources, refetchInterval } = options;
+  const { select, showResources, refetchInterval, revision, staleTime } =
+    options;
   return useQuery(
-    [environmentId, 'helm', 'releases', namespace, name, options.showResources],
+    [
+      environmentId,
+      'helm',
+      'releases',
+      namespace,
+      name,
+      revision,
+      showResources,
+    ],
     () =>
       getHelmRelease(environmentId, name, {
         namespace,
         showResources,
+        revision,
       }),
     {
-      enabled: !!environmentId && !!name && !!namespace,
+      enabled: !!environmentId && !!name && !!namespace && options.enabled,
       ...withGlobalError('Unable to retrieve helm application details'),
+      retry: 3,
+      // occasionally the application shows before the release is created, take some more time to refetch
+      retryDelay: 2000,
       select,
       refetchInterval,
+      staleTime,
     }
   );
 }
 
+type Params = {
+  namespace: string;
+  showResources?: boolean;
+  revision?: number;
+};
+
 /**
  * Get a specific Helm release
  */
 async function getHelmRelease(
   environmentId: EnvironmentId,
   name: string,
-  params: {
-    namespace: string;
-    showResources?: boolean;
-  }
+  params: Params
 ) {
   try {
     const { data } = await axios.get<HelmRelease>(
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
new file mode 100644
index 000000000..733b79dea
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
@@ -0,0 +1,99 @@
+import { useQuery, useQueries } from '@tanstack/react-query';
+import { useMemo } from 'react';
+import { compact, flatMap } from 'lodash';
+
+import { withGlobalError } from '@/react-tools/react-query';
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { useCurrentUser } from '@/react/hooks/useUser';
+
+import { getHelmRepositories } from '../../queries/useHelmChartList';
+
+interface HelmSearch {
+  entries: Entries;
+}
+
+interface Entries {
+  [key: string]: { version: string }[];
+}
+
+export interface ChartVersion {
+  Repo: string;
+  Version: string;
+}
+
+/**
+ * Hook to fetch all Helm repositories for the current user
+ */
+export function useHelmRepositories() {
+  const { user } = useCurrentUser();
+  return useQuery(
+    ['helm', 'repositories'],
+    async () => getHelmRepositories(user.Id),
+    {
+      enabled: !!user.Id,
+      ...withGlobalError('Unable to retrieve helm repositories'),
+    }
+  );
+}
+
+/**
+ * React hook to get a list of available versions for a chart from specified repositories
+ *
+ * @param chart The chart name to get versions for
+ * @param repositories Array of repository URLs to search in
+ */
+export function useHelmRepoVersions(
+  chart: string,
+  staleTime: number,
+  repositories: string[] = []
+) {
+  // Fetch versions from each repository in parallel as separate queries
+  const versionQueries = useQueries({
+    queries: useMemo(
+      () =>
+        repositories.map((repo) => ({
+          queryKey: ['helm', 'repositories', chart, repo],
+          queryFn: () => getSearchHelmRepo(repo, chart),
+          enabled: !!chart && repositories.length > 0,
+          staleTime,
+          ...withGlobalError(`Unable to retrieve versions from ${repo}`),
+        })),
+      [repositories, chart, staleTime]
+    ),
+  });
+
+  // Combine the results from all repositories for easier consumption
+  const allVersions = useMemo(() => {
+    const successfulResults = compact(versionQueries.map((q) => q.data));
+    return flatMap(successfulResults);
+  }, [versionQueries]);
+
+  return {
+    data: allVersions,
+    isInitialLoading: versionQueries.some((q) => q.isLoading),
+    isError: versionQueries.some((q) => q.isError),
+  };
+}
+
+/**
+ * Get Helm repositories for user
+ */
+async function getSearchHelmRepo(
+  repo: string,
+  chart: string
+): Promise<ChartVersion[]> {
+  try {
+    const { data } = await axios.get<HelmSearch>(`templates/helm`, {
+      params: { repo, chart },
+    });
+    const versions = data.entries[chart];
+    return (
+      versions?.map((v) => ({
+        Repo: repo,
+        Version: v.version,
+      })) ?? []
+    );
+  } catch (err) {
+    throw parseAxiosError(err, 'Unable to retrieve helm repositories for user');
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
new file mode 100644
index 000000000..00e9f8131
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
@@ -0,0 +1,44 @@
+import { useQueryClient, useMutation } from '@tanstack/react-query';
+
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { withGlobalError, withInvalidate } from '@/react-tools/react-query';
+import { queryKeys as applicationsQueryKeys } from '@/react/kubernetes/applications/queries/query-keys';
+import { EnvironmentId } from '@/react/portainer/environments/types';
+
+import { HelmRelease } from '../../types';
+
+export interface UpdateHelmReleasePayload {
+  namespace: string;
+  values?: string;
+  repo?: string;
+  name: string;
+  chart: string;
+  version?: string;
+}
+export function useUpdateHelmReleaseMutation(environmentId: EnvironmentId) {
+  const queryClient = useQueryClient();
+  return useMutation({
+    mutationFn: (payload: UpdateHelmReleasePayload) =>
+      updateHelmRelease(environmentId, payload),
+    ...withInvalidate(queryClient, [
+      [environmentId, 'helm', 'releases'],
+      applicationsQueryKeys.applications(environmentId),
+    ]),
+    ...withGlobalError('Unable to uninstall helm application'),
+  });
+}
+
+async function updateHelmRelease(
+  environmentId: EnvironmentId,
+  payload: UpdateHelmReleasePayload
+) {
+  try {
+    const { data } = await axios.post<HelmRelease>(
+      `endpoints/${environmentId}/kubernetes/helm`,
+      payload
+    );
+    return data;
+  } catch (err) {
+    throw parseAxiosError(err, 'Unable to update helm release');
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
index c8def2077..5fb88d64c 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
@@ -3,8 +3,11 @@ import { useState } from 'react';
 import { useCurrentUser } from '@/react/hooks/useUser';
 
 import { Chart } from '../types';
+import {
+  useHelmChartList,
+  useHelmRepositories,
+} from '../queries/useHelmChartList';
 
-import { useHelmChartList } from './queries/useHelmChartList';
 import { HelmTemplatesList } from './HelmTemplatesList';
 import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
 
@@ -18,10 +21,8 @@ export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
   const [selectedChart, setSelectedChart] = useState<Chart | null>(null);
 
   const { user } = useCurrentUser();
-  const { data: charts = [], isLoading: chartsLoading } = useHelmChartList(
-    user.Id
-  );
-
+  const helmReposQuery = useHelmRepositories(user.Id);
+  const chartListQuery = useHelmChartList(user.Id, helmReposQuery.data ?? []);
   function clearHelmChart() {
     setSelectedChart(null);
     onSelectHelmChart('');
@@ -44,9 +45,9 @@ export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
           />
         ) : (
           <HelmTemplatesList
-            charts={charts}
+            charts={chartListQuery.data}
             selectAction={handleChartSelection}
-            loading={chartsLoading}
+            isLoading={chartListQuery.isInitialLoading}
           />
         )}
       </div>
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
index 3c080d077..f02d83131 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
@@ -50,7 +50,7 @@ function renderComponent({
     withUserProvider(
       withTestRouter(() => (
         <HelmTemplatesList
-          loading={loading}
+          isLoading={loading}
           charts={charts}
           selectAction={selectAction}
         />
@@ -137,10 +137,10 @@ describe('HelmTemplatesList', () => {
   });
 
   it('should show loading message when loading prop is true', async () => {
-    renderComponent({ loading: true });
+    renderComponent({ loading: true, charts: [] });
 
     // Check for loading message
-    expect(screen.getByText('Loading...')).toBeInTheDocument();
+    expect(screen.getByText('Loading helm charts...')).toBeInTheDocument();
     expect(
       screen.getByText('Initial download of Helm charts can take a few minutes')
     ).toBeInTheDocument();
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
index 3d9034f4c..c41b0acbb 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
@@ -5,13 +5,14 @@ import { Link } from '@/react/components/Link';
 
 import { InsightsBox } from '@@/InsightsBox';
 import { SearchBar } from '@@/datatables/SearchBar';
+import { InlineLoader } from '@@/InlineLoader';
 
 import { Chart } from '../types';
 
 import { HelmTemplatesListItem } from './HelmTemplatesListItem';
 
 interface Props {
-  loading: boolean;
+  isLoading: boolean;
   charts?: Chart[];
   selectAction: (chart: Chart) => void;
 }
@@ -70,7 +71,7 @@ function getFilteredCharts(
 }
 
 export function HelmTemplatesList({
-  loading,
+  isLoading,
   charts = [],
   selectAction,
 }: Props) {
@@ -159,16 +160,20 @@ export function HelmTemplatesList({
           <div className="text-muted small mt-4">No Helm charts found</div>
         )}
 
-        {loading && (
-          <div className="text-muted text-center">
-            Loading...
-            <div className="text-muted text-center">
-              Initial download of Helm charts can take a few minutes
-            </div>
+        {isLoading && (
+          <div className="flex flex-col">
+            <InlineLoader className="justify-center">
+              Loading helm charts...
+            </InlineLoader>
+            {charts.length === 0 && (
+              <div className="text-muted text-center">
+                Initial download of Helm charts can take a few minutes
+              </div>
+            )}
           </div>
         )}
 
-        {!loading && charts.length === 0 && (
+        {!isLoading && charts.length === 0 && (
           <div className="text-muted text-center">
             No helm charts available.
           </div>
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
index 655b1d928..215838ff8 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
@@ -106,10 +106,7 @@ describe('HelmTemplatesSelectedItem', () => {
     renderComponent();
     const user = userEvent.setup();
 
-    // First show the editor
-    await user.click(await screen.findByText('Custom values'));
-
-    // Verify editor is visible
+    // Verify editor is visible by default
     expect(screen.getByTestId('helm-app-creation-editor')).toBeInTheDocument();
 
     // Now hide the editor
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
index 088c0c69a..baffb9655 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
@@ -143,7 +143,12 @@ export function HelmTemplatesSelectedItem({
         {({ values, setFieldValue }) => (
           <Form className="form-horizontal">
             <div className="form-group !m-0">
-              <FormSection title="Custom values" isFoldable className="mt-4">
+              <FormSection
+                title="Custom values"
+                isFoldable
+                defaultFolded={false}
+                className="mt-4"
+              >
                 {loadingValues && (
                   <div className="col-sm-12 p-0">
                     <InlineLoader>Loading values.yaml...</InlineLoader>
@@ -156,7 +161,7 @@ export function HelmTemplatesSelectedItem({
                     onChange={(value) => setFieldValue('values', value)}
                     type="yaml"
                     data-cy="helm-app-creation-editor"
-                    placeholder="Define or paste the content of your values yaml file here"
+                    textTip="Define or paste the content of your values yaml file here"
                   >
                     You can get more information about Helm values file format
                     in the{' '}
diff --git a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts
deleted file mode 100644
index 60791fe59..000000000
--- a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartList.ts
+++ /dev/null
@@ -1,79 +0,0 @@
-import { useQuery } from '@tanstack/react-query';
-import { compact } from 'lodash';
-
-import axios, { parseAxiosError } from '@/portainer/services/axios';
-import { withGlobalError } from '@/react-tools/react-query';
-
-import {
-  Chart,
-  HelmChartsResponse,
-  HelmRepositoriesResponse,
-} from '../../types';
-
-async function getHelmRepositories(userId: number): Promise<string[]> {
-  try {
-    const response = await axios.get<HelmRepositoriesResponse>(
-      `users/${userId}/helm/repositories`
-    );
-    const { GlobalRepository, UserRepositories } = response.data;
-
-    // Extract URLs from user repositories
-    const userHelmReposUrls = UserRepositories.map((repo) => repo.URL);
-
-    // Combine global and user repositories, remove duplicates and empty values
-    const uniqueHelmRepos = [
-      ...new Set([GlobalRepository, ...userHelmReposUrls]),
-    ]
-      .map((url) => url.toLowerCase())
-      .filter((url) => url);
-
-    return uniqueHelmRepos;
-  } catch (err) {
-    throw parseAxiosError(err, 'Failed to fetch Helm repositories');
-  }
-}
-
-async function getChartsFromRepo(repo: string): Promise<Chart[]> {
-  try {
-    // Construct the URL with required repo parameter
-    const response = await axios.get<HelmChartsResponse>('templates/helm', {
-      params: { repo },
-    });
-
-    return compact(
-      Object.values(response.data.entries).map((versions) =>
-        versions[0] ? { ...versions[0], repo } : null
-      )
-    );
-  } catch (error) {
-    // Ignore errors from chart repositories as some may error but others may not
-    return [];
-  }
-}
-
-async function getCharts(userId: number): Promise<Chart[]> {
-  try {
-    // First, get all the helm repositories
-    const repos = await getHelmRepositories(userId);
-
-    // Then fetch charts from each repository in parallel
-    const chartsPromises = repos.map((repo) => getChartsFromRepo(repo));
-    const chartsArrays = await Promise.all(chartsPromises);
-
-    // Flatten the arrays of charts into a single array
-    return chartsArrays.flat();
-  } catch (err) {
-    throw parseAxiosError(err, 'Failed to fetch Helm charts');
-  }
-}
-
-/**
- * React hook to fetch helm charts from all accessible repositories
- * @param userId User ID
- */
-export function useHelmChartList(userId: number) {
-  return useQuery([userId, 'helm-charts'], () => getCharts(userId), {
-    enabled: !!userId,
-    ...withGlobalError('Unable to retrieve Helm charts'),
-  });
-}
diff --git a/app/react/kubernetes/helm/helm-status-utils.ts b/app/react/kubernetes/helm/helm-status-utils.ts
new file mode 100644
index 000000000..60fd83e86
--- /dev/null
+++ b/app/react/kubernetes/helm/helm-status-utils.ts
@@ -0,0 +1,48 @@
+export enum DeploymentStatus {
+  DEPLOYED = 'deployed',
+  FAILED = 'failed',
+  PENDING = 'pending-install',
+  PENDINGUPGRADE = 'pending-upgrade',
+  PENDINGROLLBACK = 'pending-rollback',
+  SUPERSEDED = 'superseded',
+  UNINSTALLED = 'uninstalled',
+  UNINSTALLING = 'uninstalling',
+}
+
+export function getStatusColor(status?: string) {
+  switch (status?.toLowerCase()) {
+    case DeploymentStatus.DEPLOYED:
+      return 'success';
+    case DeploymentStatus.FAILED:
+      return 'danger';
+    case DeploymentStatus.PENDING:
+    case DeploymentStatus.PENDINGUPGRADE:
+    case DeploymentStatus.PENDINGROLLBACK:
+    case DeploymentStatus.UNINSTALLING:
+      return 'warn';
+    case DeploymentStatus.SUPERSEDED:
+    default:
+      return 'muted';
+  }
+}
+
+export function getStatusText(status?: string) {
+  switch (status?.toLowerCase()) {
+    case DeploymentStatus.DEPLOYED:
+      return 'Deployed';
+    case DeploymentStatus.FAILED:
+      return 'Failed';
+    case DeploymentStatus.PENDING:
+      return 'Pending install';
+    case DeploymentStatus.PENDINGUPGRADE:
+      return 'Pending upgrade';
+    case DeploymentStatus.PENDINGROLLBACK:
+      return 'Pending rollback';
+    case DeploymentStatus.UNINSTALLING:
+      return 'Uninstalling';
+    case DeploymentStatus.SUPERSEDED:
+      return 'Superseded';
+    default:
+      return 'Unknown';
+  }
+}
diff --git a/app/react/kubernetes/helm/queries/useHelmChartList.ts b/app/react/kubernetes/helm/queries/useHelmChartList.ts
new file mode 100644
index 000000000..068588c42
--- /dev/null
+++ b/app/react/kubernetes/helm/queries/useHelmChartList.ts
@@ -0,0 +1,105 @@
+import { useQuery, useQueries } from '@tanstack/react-query';
+import { compact, flatMap } from 'lodash';
+import { useMemo } from 'react';
+
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { withGlobalError } from '@/react-tools/react-query';
+import { UserId } from '@/portainer/users/types';
+
+import { Chart, HelmChartsResponse, HelmRepositoriesResponse } from '../types';
+
+/**
+ * Get Helm repositories for user
+ */
+export async function getHelmRepositories(userId: UserId) {
+  try {
+    const { data } = await axios.get<HelmRepositoriesResponse>(
+      `users/${userId}/helm/repositories`
+    );
+    const repos = compact([
+      // compact will remove the global repository if it's empty
+      data.GlobalRepository.toLowerCase(),
+      ...data.UserRepositories.map((repo) => repo.URL.toLowerCase()),
+    ]);
+    return [...new Set(repos)];
+  } catch (err) {
+    throw parseAxiosError(err, 'Unable to retrieve helm repositories for user');
+  }
+}
+
+async function getChartsFromRepo(repo: string): Promise<Chart[]> {
+  try {
+    // Construct the URL with required repo parameter
+    const response = await axios.get<HelmChartsResponse>('templates/helm', {
+      params: { repo },
+    });
+
+    return compact(
+      Object.values(response.data.entries).map((versions) =>
+        versions[0] ? { ...versions[0], repo } : null
+      )
+    );
+  } catch (error) {
+    // Ignore errors from chart repositories as some may error but others may not
+    return [];
+  }
+}
+
+/**
+ * Hook to fetch all accessible Helm repositories for a user
+ *
+ * @param userId User ID
+ * @returns Query result with list of repository URLs
+ */
+export function useHelmRepositories(userId: number) {
+  return useQuery(
+    [userId, 'helm-repositories'],
+    () => getHelmRepositories(userId),
+    {
+      enabled: !!userId,
+      ...withGlobalError('Unable to retrieve Helm repositories'),
+    }
+  );
+}
+
+/**
+ * React hook to fetch helm charts from the provided repositories
+ * Charts from each repository are loaded independently, allowing the UI
+ * to show charts as they become available instead of waiting for all
+ * repositories to load
+ *
+ * @param userId User ID
+ * @param repositories List of repository URLs to fetch charts from
+ */
+export function useHelmChartList(userId: number, repositories: string[] = []) {
+  // Fetch charts from each repository in parallel as separate queries
+  const chartQueries = useQueries({
+    queries: useMemo(
+      () =>
+        repositories.map((repo) => ({
+          queryKey: [userId, repo, 'helm-charts'],
+          queryFn: () => getChartsFromRepo(repo),
+          enabled: !!userId && repositories.length > 0,
+          // one request takes a long time, so fail early to get feedback to the user faster
+          retries: false,
+          ...withGlobalError(`Unable to retrieve Helm charts from ${repo}`),
+        })),
+      [repositories, userId]
+    ),
+  });
+
+  // Combine the results for easier consumption by components
+  const allCharts = useMemo(
+    () => flatMap(compact(chartQueries.map((q) => q.data))),
+    [chartQueries]
+  );
+
+  return {
+    // Data from all repositories that have loaded so far
+    data: allCharts,
+    // Overall loading state
+    isInitialLoading: chartQueries.some((q) => q.isInitialLoading),
+    // Overall error state
+    isError: chartQueries.some((q) => q.isError),
+  };
+}
diff --git a/app/react/kubernetes/helm/types.ts b/app/react/kubernetes/helm/types.ts
index 49445fa30..94f8a3a8e 100644
--- a/app/react/kubernetes/helm/types.ts
+++ b/app/react/kubernetes/helm/types.ts
@@ -16,6 +16,7 @@ export interface GenericResource {
   metadata: {
     name: string;
     namespace?: string;
+    uid?: string;
   };
   status: ResourceStatus;
 }
@@ -29,6 +30,7 @@ export interface HelmRelease {
     notes?: string;
     description?: string;
     resources?: GenericResource[];
+    last_deployed: string;
   };
   /** The chart that was released */
   chart: HelmChart;
@@ -104,10 +106,10 @@ export interface HelmChartsResponse {
   generated: string;
 }
 
-export type InstallChartPayload = {
+export interface InstallChartPayload {
   Name: string;
   Repo: string;
   Chart: string;
   Values: string;
   Namespace: string;
-};
+}
diff --git a/app/react/kubernetes/queries/useEvents.ts b/app/react/kubernetes/queries/useEvents.ts
index 87d38eb94..f25c255db 100644
--- a/app/react/kubernetes/queries/useEvents.ts
+++ b/app/react/kubernetes/queries/useEvents.ts
@@ -1,4 +1,4 @@
-import { EventList } from 'kubernetes-types/core/v1';
+import { EventList, Event } from 'kubernetes-types/core/v1';
 import { useQuery } from '@tanstack/react-query';
 
 import { EnvironmentId } from '@/react/portainer/environments/types';
@@ -41,7 +41,7 @@ const queryKeys = {
 async function getEvents(
   environmentId: EnvironmentId,
   options?: RequestOptions
-) {
+): Promise<Event[]> {
   const { namespace, params } = options ?? {};
   try {
     const { data } = await axios.get<EventList>(
@@ -56,15 +56,16 @@ async function getEvents(
   }
 }
 
-type QueryOptions = {
+type QueryOptions<T> = {
   queryOptions?: {
     autoRefreshRate?: number;
+    select?: (data: Event[]) => T;
   };
 } & RequestOptions;
 
-export function useEvents(
+export function useEvents<T = Event[]>(
   environmentId: EnvironmentId,
-  options?: QueryOptions
+  options?: QueryOptions<T>
 ) {
   const { queryOptions, params, namespace } = options ?? {};
   return useQuery(
@@ -75,6 +76,7 @@ export function useEvents(
       refetchInterval() {
         return queryOptions?.autoRefreshRate ?? false;
       },
+      select: queryOptions?.select,
     }
   );
 }
@@ -83,11 +85,13 @@ export function useEventWarningsCount(
   environmentId: EnvironmentId,
   namespace?: string
 ) {
-  const resourceEventsQuery = useEvents(environmentId, {
+  const resourceEventsQuery = useEvents<number>(environmentId, {
     namespace,
+    queryOptions: {
+      select: (data) => data.filter((e) => e.type === 'Warning').length,
+    },
   });
-  const events = resourceEventsQuery.data || [];
-  return events.filter((e) => e.type === 'Warning').length;
+  return resourceEventsQuery.data || 0;
 }
 
 function buildUrl(environmentId: EnvironmentId, namespace?: string) {
diff --git a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx
index 727c4f034..7ed2f4651 100644
--- a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx
+++ b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx
@@ -59,6 +59,7 @@ export function HelmRepositoryDatatable() {
 
   return (
     <Datatable
+      id="helm-repositories"
       getRowId={(row) => String(row.Id)}
       dataset={helmRepos}
       description={<HelmDatatableDescription isAdmin={isAdminUser} />}
diff --git a/app/react/portainer/templates/custom-templates/CreateView/InnerForm.tsx b/app/react/portainer/templates/custom-templates/CreateView/InnerForm.tsx
index 7d7729c64..c14b35e23 100644
--- a/app/react/portainer/templates/custom-templates/CreateView/InnerForm.tsx
+++ b/app/react/portainer/templates/custom-templates/CreateView/InnerForm.tsx
@@ -101,7 +101,7 @@ export function InnerForm({
           value={values.FileContent}
           onChange={handleChangeFileContent}
           type="yaml"
-          placeholder={texts.editor.placeholder}
+          textTip={texts.editor.placeholder}
           error={errors.FileContent}
         >
           {texts.editor.description}
diff --git a/app/react/portainer/templates/custom-templates/EditView/InnerForm.tsx b/app/react/portainer/templates/custom-templates/EditView/InnerForm.tsx
index 9a78821f0..d96f9fe1f 100644
--- a/app/react/portainer/templates/custom-templates/EditView/InnerForm.tsx
+++ b/app/react/portainer/templates/custom-templates/EditView/InnerForm.tsx
@@ -93,7 +93,7 @@ export function InnerForm({
         value={gitFileContent || values.FileContent}
         onChange={handleChangeFileContent}
         type="yaml"
-        placeholder={
+        textTip={
           gitFileContent
             ? 'Preview of the file from git repository'
             : texts.editor.placeholder
diff --git a/app/react/portainer/templates/custom-templates/ListView/StackFromCustomTemplateFormWidget/DeployForm.tsx b/app/react/portainer/templates/custom-templates/ListView/StackFromCustomTemplateFormWidget/DeployForm.tsx
index fb0f214cc..fb9ebb6bc 100644
--- a/app/react/portainer/templates/custom-templates/ListView/StackFromCustomTemplateFormWidget/DeployForm.tsx
+++ b/app/react/portainer/templates/custom-templates/ListView/StackFromCustomTemplateFormWidget/DeployForm.tsx
@@ -121,7 +121,7 @@ export function DeployForm({
               }}
               type="yaml"
               error={errors.fileContent}
-              placeholder="Define or paste the content of your docker compose file here"
+              textTip="Define or paste the content of your docker compose file here"
               readonly={isGit}
               data-cy="custom-template-creation-editor"
             >
diff --git a/app/setup-tests/mock-codemirror.tsx b/app/setup-tests/mock-codemirror.tsx
index a6ffc8eda..5c96025b8 100644
--- a/app/setup-tests/mock-codemirror.tsx
+++ b/app/setup-tests/mock-codemirror.tsx
@@ -7,6 +7,21 @@ export function mockCodeMirror() {
       of: () => ({}),
     },
   }));
+
+  vi.mock('react-codemirror-merge', () => {
+    const components = {
+      MergeView: () => <div />,
+      Original: () => <div />,
+      Modified: () => <div />,
+    };
+
+    return {
+      __esModule: true,
+      default: components,
+      ...components,
+    };
+  });
+
   vi.mock('yaml-schema', () => ({
     yamlSchema: () => [],
     validation: () => ({
diff --git a/app/setup-tests/mock-localizeDate.ts b/app/setup-tests/mock-localizeDate.ts
new file mode 100644
index 000000000..5463006b8
--- /dev/null
+++ b/app/setup-tests/mock-localizeDate.ts
@@ -0,0 +1,18 @@
+export function mockLocalizeDate() {
+  // Mock localizeDate to always use en-US and UTC
+  vi.mock('@/react/common/date-utils', () => ({
+    localizeDate: (date: Date) =>
+      date
+        .toLocaleString('en-US', {
+          timeZone: 'UTC',
+          year: 'numeric',
+          month: 'short',
+          day: 'numeric',
+          hour: 'numeric',
+          minute: '2-digit',
+          hour12: true,
+        })
+        .replace('am', 'AM')
+        .replace('pm', 'PM'),
+  }));
+}
diff --git a/package.json b/package.json
index ff81a1bb0..7d1c72b83 100644
--- a/package.json
+++ b/package.json
@@ -47,6 +47,7 @@
     "@lezer/highlight": "^1.1.3",
     "@nxmix/tokenize-ansi": "^3.0.0",
     "@open-amt-cloud-toolkit/ui-toolkit-react": "2.0.0",
+    "@radix-ui/react-dialog": "^1.1.1",
     "@reach/combobox": "^0.18.0",
     "@reach/dialog": "^0.17.0",
     "@reach/menu-button": "^0.16.1",
@@ -85,6 +86,7 @@
     "c8": "^9.1.0",
     "chardet": "^1.4.0",
     "chart.js": "^2.7.0",
+    "class-variance-authority": "^0.7.0",
     "clsx": "^1.1.1",
     "codemirror": "^6.0.1",
     "codemirror-json-schema": "^0.8.0",
@@ -116,6 +118,7 @@
     "rc-slider": "^10.0.0",
     "react": "^17.0.2",
     "react-calendar": "^4.8.0",
+    "react-codemirror-merge": "^4.23.11",
     "react-datetime-picker": "^5.6.0",
     "react-dom": "^17.0.2",
     "react-i18next": "^11.12.0",
@@ -125,6 +128,7 @@
     "sanitize-html": "^2.8.1",
     "spinkit": "^2.0.1",
     "strip-ansi": "^6.0.0",
+    "tailwindcss-animate": "^1.0.7",
     "tippy.js": "^6.3.7",
     "toastr": "^2.1.4",
     "ts-xor": "^1.1.0",
diff --git a/pkg/libhelm/options/install_options.go b/pkg/libhelm/options/install_options.go
index 943f28041..0028c6c0c 100644
--- a/pkg/libhelm/options/install_options.go
+++ b/pkg/libhelm/options/install_options.go
@@ -5,6 +5,7 @@ import "time"
 type InstallOptions struct {
 	Name                    string
 	Chart                   string
+	Version                 string
 	Namespace               string
 	Repo                    string
 	Wait                    bool
diff --git a/pkg/libhelm/sdk/common.go b/pkg/libhelm/sdk/common.go
index b1d218cae..2a51c7f8b 100644
--- a/pkg/libhelm/sdk/common.go
+++ b/pkg/libhelm/sdk/common.go
@@ -15,9 +15,10 @@ import (
 // loadAndValidateChartWithPathOptions locates and loads the chart, and validates it.
 // it also checks for chart dependencies and updates them if necessary.
 // it returns the chart information.
-func (hspm *HelmSDKPackageManager) loadAndValidateChartWithPathOptions(chartPathOptions *action.ChartPathOptions, chartName, repoURL string, dependencyUpdate bool, operation string) (*chart.Chart, error) {
+func (hspm *HelmSDKPackageManager) loadAndValidateChartWithPathOptions(chartPathOptions *action.ChartPathOptions, chartName, version string, repoURL string, dependencyUpdate bool, operation string) (*chart.Chart, error) {
 	// Locate and load the chart
 	chartPathOptions.RepoURL = repoURL
+	chartPathOptions.Version = version
 	chartPath, err := chartPathOptions.LocateChart(chartName, hspm.settings)
 	if err != nil {
 		log.Error().
diff --git a/pkg/libhelm/sdk/get.go b/pkg/libhelm/sdk/get.go
index 51a5c3bce..c15b65715 100644
--- a/pkg/libhelm/sdk/get.go
+++ b/pkg/libhelm/sdk/get.go
@@ -3,6 +3,7 @@ package sdk
 import (
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
+	"github.com/portainer/portainer/pkg/libhelm/time"
 	"github.com/rs/zerolog/log"
 	"helm.sh/helm/v3/pkg/action"
 	sdkrelease "helm.sh/helm/v3/pkg/release"
@@ -82,10 +83,11 @@ func convert(sdkRelease *sdkrelease.Release, values release.Values) *release.Rel
 		Namespace: sdkRelease.Namespace,
 		Version:   sdkRelease.Version,
 		Info: &release.Info{
-			Status:      release.Status(sdkRelease.Info.Status),
-			Notes:       sdkRelease.Info.Notes,
-			Resources:   resources,
-			Description: sdkRelease.Info.Description,
+			Status:       release.Status(sdkRelease.Info.Status),
+			Notes:        sdkRelease.Info.Notes,
+			Resources:    resources,
+			Description:  sdkRelease.Info.Description,
+			LastDeployed: time.Time(sdkRelease.Info.LastDeployed),
 		},
 		Manifest: sdkRelease.Manifest,
 		Chart: release.Chart{
diff --git a/pkg/libhelm/sdk/history.go b/pkg/libhelm/sdk/history.go
index ba6fa4d5d..109ab68aa 100644
--- a/pkg/libhelm/sdk/history.go
+++ b/pkg/libhelm/sdk/history.go
@@ -1,6 +1,8 @@
 package sdk
 
 import (
+	"sort"
+
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
 	"github.com/portainer/portainer/pkg/libhelm/time"
@@ -44,6 +46,11 @@ func (hspm *HelmSDKPackageManager) GetHistory(historyOptions options.HistoryOpti
 		result = append(result, convertHistory(r))
 	}
 
+	// sort the result by version (latest first)
+	sort.Slice(result, func(i, j int) bool {
+		return result[i].Version > result[j].Version
+	})
+
 	return result, nil
 }
 
diff --git a/pkg/libhelm/sdk/install.go b/pkg/libhelm/sdk/install.go
index 29f578806..ca904dcca 100644
--- a/pkg/libhelm/sdk/install.go
+++ b/pkg/libhelm/sdk/install.go
@@ -60,7 +60,7 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to get Helm values from file for helm release installation")
 	}
 
-	chart, err := hspm.loadAndValidateChartWithPathOptions(&installClient.ChartPathOptions, installOpts.Chart, installOpts.Repo, installClient.DependencyUpdate, "release installation")
+	chart, err := hspm.loadAndValidateChartWithPathOptions(&installClient.ChartPathOptions, installOpts.Chart, installOpts.Version, installOpts.Repo, installClient.DependencyUpdate, "release installation")
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -109,7 +109,6 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 // and return the install client.
 func initInstallClient(actionConfig *action.Configuration, installOpts options.InstallOptions) (*action.Install, error) {
 	installClient := action.NewInstall(actionConfig)
-	installClient.CreateNamespace = true
 	installClient.DependencyUpdate = true
 	installClient.ReleaseName = installOpts.Name
 	installClient.ChartPathOptions.RepoURL = installOpts.Repo
diff --git a/pkg/libhelm/sdk/upgrade.go b/pkg/libhelm/sdk/upgrade.go
index cc284cf31..cf5124370 100644
--- a/pkg/libhelm/sdk/upgrade.go
+++ b/pkg/libhelm/sdk/upgrade.go
@@ -84,7 +84,7 @@ func (hspm *HelmSDKPackageManager) Upgrade(upgradeOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to get Helm values from file for helm release upgrade")
 	}
 
-	chart, err := hspm.loadAndValidateChartWithPathOptions(&upgradeClient.ChartPathOptions, upgradeOpts.Chart, upgradeOpts.Repo, upgradeClient.DependencyUpdate, "release upgrade")
+	chart, err := hspm.loadAndValidateChartWithPathOptions(&upgradeClient.ChartPathOptions, upgradeOpts.Chart, upgradeOpts.Version, upgradeOpts.Repo, upgradeClient.DependencyUpdate, "release upgrade")
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
diff --git a/pkg/libhelm/sdk/values.go b/pkg/libhelm/sdk/values.go
index 8818f998f..8dc6325a3 100644
--- a/pkg/libhelm/sdk/values.go
+++ b/pkg/libhelm/sdk/values.go
@@ -62,8 +62,7 @@ func (hspm *HelmSDKPackageManager) getValues(getOpts options.GetOptions) (releas
 		return release.Values{}, err
 	}
 
-	// Create client for user supplied values
-	userValuesClient := action.NewGetValues(actionConfig)
+	userValuesClient := hspm.initValuesClient(actionConfig, getOpts)
 	userSuppliedValues, err := userValuesClient.Run(getOpts.Name)
 	if err != nil {
 		log.Error().
@@ -116,3 +115,11 @@ func (hspm *HelmSDKPackageManager) getValues(getOpts options.GetOptions) (releas
 		ComputedValues:     computedValuesString,
 	}, nil
 }
+
+func (hspm *HelmSDKPackageManager) initValuesClient(actionConfig *action.Configuration, getOpts options.GetOptions) *action.GetValues {
+	valuesClient := action.NewGetValues(actionConfig)
+	if getOpts.Revision > 0 {
+		valuesClient.Version = getOpts.Revision
+	}
+	return valuesClient
+}
diff --git a/tailwind.config.js b/tailwind.config.js
index 490546a7b..69ed9c0dd 100644
--- a/tailwind.config.js
+++ b/tailwind.config.js
@@ -38,5 +38,6 @@ module.exports = {
     plugin(function ({ addVariant }) {
       addVariant('progress-filled', ['&::-webkit-progress-value', '&::-moz-progress-bar']);
     }),
+    require('tailwindcss-animate'),
   ],
 };
diff --git a/yarn.lock b/yarn.lock
index 4f1b90b95..3bdc96e8a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -3235,6 +3235,17 @@
     "@codemirror/view" "^6.35.0"
     crelt "^1.0.5"
 
+"@codemirror/merge@^6.1.2":
+  version "6.10.0"
+  resolved "https://registry.yarnpkg.com/@codemirror/merge/-/merge-6.10.0.tgz#0a1be2a4561594f6adc1b1adcf6e7ac23d767b85"
+  integrity sha512-Omn0gU6MM5cKQGqgKoIhFjUqCNWH/nukCMLXzu/1jOdtiHsxAu3GdENBf1QYkoIC3FSgkF7X/ClOqYeUATQ4Sw==
+  dependencies:
+    "@codemirror/language" "^6.0.0"
+    "@codemirror/state" "^6.0.0"
+    "@codemirror/view" "^6.17.0"
+    "@lezer/highlight" "^1.0.0"
+    style-mod "^4.1.0"
+
 "@codemirror/search@^6.0.0", "@codemirror/search@^6.2.3":
   version "6.5.8"
   resolved "https://registry.yarnpkg.com/@codemirror/search/-/search-6.5.8.tgz#b59b3659b46184cc75d6108d7c050a4ca344c3a0"
@@ -4132,6 +4143,11 @@
   dependencies:
     "@babel/runtime" "^7.13.10"
 
+"@radix-ui/primitive@1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@radix-ui/primitive/-/primitive-1.1.2.tgz#83f415c4425f21e3d27914c12b3272a32e3dae65"
+  integrity sha512-XnbHrrprsNqZKQhStrSwgRUQzoCI1glLzdw79xiZPoofhGICeZRSQ3dIxAKH1gb3OHfNf4d6f+vAv3kil2eggA==
+
 "@radix-ui/react-arrow@1.0.3":
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-arrow/-/react-arrow-1.0.3.tgz#c24f7968996ed934d57fe6cde5d6ec7266e1d25d"
@@ -4158,6 +4174,11 @@
   dependencies:
     "@babel/runtime" "^7.13.10"
 
+"@radix-ui/react-compose-refs@1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-compose-refs/-/react-compose-refs-1.1.2.tgz#a2c4c47af6337048ee78ff6dc0d090b390d2bb30"
+  integrity sha512-z4eqJvfiNnFMHIIvXP3CY57y2WJs5g2v3X0zm9mEJkrkNv4rDxu+sg9Jh8EkXyeqBkB7SOcboo9dMVqhyrACIg==
+
 "@radix-ui/react-context@1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-context/-/react-context-1.0.1.tgz#fe46e67c96b240de59187dcb7a1a50ce3e2ec00c"
@@ -4165,6 +4186,31 @@
   dependencies:
     "@babel/runtime" "^7.13.10"
 
+"@radix-ui/react-context@1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-context/-/react-context-1.1.2.tgz#61628ef269a433382c364f6f1e3788a6dc213a36"
+  integrity sha512-jCi/QKUM2r1Ju5a3J64TH2A5SpKAgh0LpknyqdQ4m6DCV0xJ2HG1xARRwNGPQfi1SLdLWZ1OJz6F4OMBBNiGJA==
+
+"@radix-ui/react-dialog@^1.1.1":
+  version "1.1.11"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-dialog/-/react-dialog-1.1.11.tgz#1144609cbc9f8b36bcc288beb880f6b72cbd85ee"
+  integrity sha512-yI7S1ipkP5/+99qhSI6nthfo/tR6bL6Zgxi/+1UO6qPa6UeM6nlafWcQ65vB4rU2XjgjMfMhI3k9Y5MztA62VQ==
+  dependencies:
+    "@radix-ui/primitive" "1.1.2"
+    "@radix-ui/react-compose-refs" "1.1.2"
+    "@radix-ui/react-context" "1.1.2"
+    "@radix-ui/react-dismissable-layer" "1.1.7"
+    "@radix-ui/react-focus-guards" "1.1.2"
+    "@radix-ui/react-focus-scope" "1.1.4"
+    "@radix-ui/react-id" "1.1.1"
+    "@radix-ui/react-portal" "1.1.6"
+    "@radix-ui/react-presence" "1.1.4"
+    "@radix-ui/react-primitive" "2.1.0"
+    "@radix-ui/react-slot" "1.2.0"
+    "@radix-ui/react-use-controllable-state" "1.2.2"
+    aria-hidden "^1.2.4"
+    react-remove-scroll "^2.6.3"
+
 "@radix-ui/react-direction@1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-direction/-/react-direction-1.0.1.tgz#9cb61bf2ccf568f3421422d182637b7f47596c9b"
@@ -4184,6 +4230,17 @@
     "@radix-ui/react-use-callback-ref" "1.0.1"
     "@radix-ui/react-use-escape-keydown" "1.0.3"
 
+"@radix-ui/react-dismissable-layer@1.1.7":
+  version "1.1.7"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-dismissable-layer/-/react-dismissable-layer-1.1.7.tgz#80b5c23a0d29cfe56850399210c603376c27091f"
+  integrity sha512-j5+WBUdhccJsmH5/H0K6RncjDtoALSEr6jbkaZu+bjw6hOPOhHycr6vEUujl+HBK8kjUfWcoCJXxP6e4lUlMZw==
+  dependencies:
+    "@radix-ui/primitive" "1.1.2"
+    "@radix-ui/react-compose-refs" "1.1.2"
+    "@radix-ui/react-primitive" "2.1.0"
+    "@radix-ui/react-use-callback-ref" "1.1.1"
+    "@radix-ui/react-use-escape-keydown" "1.1.1"
+
 "@radix-ui/react-focus-guards@1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-focus-guards/-/react-focus-guards-1.0.1.tgz#1ea7e32092216b946397866199d892f71f7f98ad"
@@ -4191,6 +4248,11 @@
   dependencies:
     "@babel/runtime" "^7.13.10"
 
+"@radix-ui/react-focus-guards@1.1.2":
+  version "1.1.2"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-focus-guards/-/react-focus-guards-1.1.2.tgz#4ec9a7e50925f7fb661394460045b46212a33bed"
+  integrity sha512-fyjAACV62oPV925xFCrH8DR5xWhg9KYtJT4s3u54jxp+L/hbpTY2kIeEFFbFe+a/HCE94zGQMZLIpVTPVZDhaA==
+
 "@radix-ui/react-focus-scope@1.0.3":
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-focus-scope/-/react-focus-scope-1.0.3.tgz#9c2e8d4ed1189a1d419ee61edd5c1828726472f9"
@@ -4201,6 +4263,15 @@
     "@radix-ui/react-primitive" "1.0.3"
     "@radix-ui/react-use-callback-ref" "1.0.1"
 
+"@radix-ui/react-focus-scope@1.1.4":
+  version "1.1.4"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-focus-scope/-/react-focus-scope-1.1.4.tgz#dbe9ed31b36ff9aadadf4b59aa733a4e91799d15"
+  integrity sha512-r2annK27lIW5w9Ho5NyQgqs0MmgZSTIKXWpVCJaLC1q2kZrZkcqnmHkCHMEmv8XLvsLlurKMPT+kbKkRkm/xVA==
+  dependencies:
+    "@radix-ui/react-compose-refs" "1.1.2"
+    "@radix-ui/react-primitive" "2.1.0"
+    "@radix-ui/react-use-callback-ref" "1.1.1"
+
 "@radix-ui/react-id@1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-id/-/react-id-1.0.1.tgz#73cdc181f650e4df24f0b6a5b7aa426b912c88c0"
@@ -4209,6 +4280,13 @@
     "@babel/runtime" "^7.13.10"
     "@radix-ui/react-use-layout-effect" "1.0.1"
 
+"@radix-ui/react-id@1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-id/-/react-id-1.1.1.tgz#1404002e79a03fe062b7e3864aa01e24bd1471f7"
+  integrity sha512-kGkGegYIdQsOb4XjsfM97rXsiHaBwco+hFI66oO4s9LU+PLAC5oJ7khdOVFxkhsmlbpUqDAvXw11CluXP+jkHg==
+  dependencies:
+    "@radix-ui/react-use-layout-effect" "1.1.1"
+
 "@radix-ui/react-popper@1.1.2":
   version "1.1.2"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-popper/-/react-popper-1.1.2.tgz#4c0b96fcd188dc1f334e02dba2d538973ad842e9"
@@ -4234,6 +4312,22 @@
     "@babel/runtime" "^7.13.10"
     "@radix-ui/react-primitive" "1.0.3"
 
+"@radix-ui/react-portal@1.1.6":
+  version "1.1.6"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-portal/-/react-portal-1.1.6.tgz#4202e1bb34afdac612e4e982eca8efd36cbc611f"
+  integrity sha512-XmsIl2z1n/TsYFLIdYam2rmFwf9OC/Sh2avkbmVMDuBZIe7hSpM0cYnWPAo7nHOVx8zTuwDZGByfcqLdnzp3Vw==
+  dependencies:
+    "@radix-ui/react-primitive" "2.1.0"
+    "@radix-ui/react-use-layout-effect" "1.1.1"
+
+"@radix-ui/react-presence@1.1.4":
+  version "1.1.4"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-presence/-/react-presence-1.1.4.tgz#253ac0ad4946c5b4a9c66878335f5cf07c967ced"
+  integrity sha512-ueDqRbdc4/bkaQT3GIpLQssRlFgWaL/U2z/S31qRwwLWoxHLgry3SIfCwhxeQNbirEUXFa+lq3RL3oBYXtcmIA==
+  dependencies:
+    "@radix-ui/react-compose-refs" "1.1.2"
+    "@radix-ui/react-use-layout-effect" "1.1.1"
+
 "@radix-ui/react-primitive@1.0.3":
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-primitive/-/react-primitive-1.0.3.tgz#d49ea0f3f0b2fe3ab1cb5667eb03e8b843b914d0"
@@ -4242,6 +4336,13 @@
     "@babel/runtime" "^7.13.10"
     "@radix-ui/react-slot" "1.0.2"
 
+"@radix-ui/react-primitive@2.1.0":
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-primitive/-/react-primitive-2.1.0.tgz#9233e17a22d0010195086f8b5eb1808ebbca8437"
+  integrity sha512-/J/FhLdK0zVcILOwt5g+dH4KnkonCtkVJsa2G6JmvbbtZfBEI1gMsO3QMjseL4F/SwfAMt1Vc/0XKYKq+xJ1sw==
+  dependencies:
+    "@radix-ui/react-slot" "1.2.0"
+
 "@radix-ui/react-roving-focus@1.0.4":
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-roving-focus/-/react-roving-focus-1.0.4.tgz#e90c4a6a5f6ac09d3b8c1f5b5e81aab2f0db1974"
@@ -4302,6 +4403,13 @@
     "@babel/runtime" "^7.13.10"
     "@radix-ui/react-compose-refs" "1.0.1"
 
+"@radix-ui/react-slot@1.2.0":
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-slot/-/react-slot-1.2.0.tgz#57727fc186ddb40724ccfbe294e1a351d92462ba"
+  integrity sha512-ujc+V6r0HNDviYqIK3rW4ffgYiZ8g5DEHrGJVk4x7kTlLXRDILnKX9vAUYeIsLOoDpDJ0ujpqMkjH4w2ofuo6w==
+  dependencies:
+    "@radix-ui/react-compose-refs" "1.1.2"
+
 "@radix-ui/react-toggle-group@1.0.4":
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-toggle-group/-/react-toggle-group-1.0.4.tgz#f5b5c8c477831b013bec3580c55e20a68179d6ec"
@@ -4347,6 +4455,11 @@
   dependencies:
     "@babel/runtime" "^7.13.10"
 
+"@radix-ui/react-use-callback-ref@1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-use-callback-ref/-/react-use-callback-ref-1.1.1.tgz#62a4dba8b3255fdc5cc7787faeac1c6e4cc58d40"
+  integrity sha512-FkBMwD+qbGQeMu1cOHnuGB6x4yzPjho8ap5WtbEJ26umhgqVXbhekKUQO+hZEL1vU92a3wHwdp0HAcqAUF5iDg==
+
 "@radix-ui/react-use-controllable-state@1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-use-controllable-state/-/react-use-controllable-state-1.0.1.tgz#ecd2ced34e6330caf89a82854aa2f77e07440286"
@@ -4355,6 +4468,21 @@
     "@babel/runtime" "^7.13.10"
     "@radix-ui/react-use-callback-ref" "1.0.1"
 
+"@radix-ui/react-use-controllable-state@1.2.2":
+  version "1.2.2"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-use-controllable-state/-/react-use-controllable-state-1.2.2.tgz#905793405de57d61a439f4afebbb17d0645f3190"
+  integrity sha512-BjasUjixPFdS+NKkypcyyN5Pmg83Olst0+c6vGov0diwTEo6mgdqVR6hxcEgFuh4QrAs7Rc+9KuGJ9TVCj0Zzg==
+  dependencies:
+    "@radix-ui/react-use-effect-event" "0.0.2"
+    "@radix-ui/react-use-layout-effect" "1.1.1"
+
+"@radix-ui/react-use-effect-event@0.0.2":
+  version "0.0.2"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-use-effect-event/-/react-use-effect-event-0.0.2.tgz#090cf30d00a4c7632a15548512e9152217593907"
+  integrity sha512-Qp8WbZOBe+blgpuUT+lw2xheLP8q0oatc9UpmiemEICxGvFLYmHm9QowVZGHtJlGbS6A6yJ3iViad/2cVjnOiA==
+  dependencies:
+    "@radix-ui/react-use-layout-effect" "1.1.1"
+
 "@radix-ui/react-use-escape-keydown@1.0.3":
   version "1.0.3"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-use-escape-keydown/-/react-use-escape-keydown-1.0.3.tgz#217b840c250541609c66f67ed7bab2b733620755"
@@ -4363,6 +4491,13 @@
     "@babel/runtime" "^7.13.10"
     "@radix-ui/react-use-callback-ref" "1.0.1"
 
+"@radix-ui/react-use-escape-keydown@1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-use-escape-keydown/-/react-use-escape-keydown-1.1.1.tgz#b3fed9bbea366a118f40427ac40500aa1423cc29"
+  integrity sha512-Il0+boE7w/XebUHyBjroE+DbByORGR9KKmITzbR7MyQ4akpORYP/ZmbhAr0DG7RmmBqoOnZdy2QlvajJ2QA59g==
+  dependencies:
+    "@radix-ui/react-use-callback-ref" "1.1.1"
+
 "@radix-ui/react-use-layout-effect@1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-use-layout-effect/-/react-use-layout-effect-1.0.1.tgz#be8c7bc809b0c8934acf6657b577daf948a75399"
@@ -4370,6 +4505,11 @@
   dependencies:
     "@babel/runtime" "^7.13.10"
 
+"@radix-ui/react-use-layout-effect@1.1.1":
+  version "1.1.1"
+  resolved "https://registry.yarnpkg.com/@radix-ui/react-use-layout-effect/-/react-use-layout-effect-1.1.1.tgz#0c4230a9eed49d4589c967e2d9c0d9d60a23971e"
+  integrity sha512-RbJRS4UWQFkzHTTwVymMTUv8EqYhOp8dOOviLj2ugtTiXRaRQS7GLGxZTLL1jWhMeoSCf5zmcZkqTl9IiYfXcQ==
+
 "@radix-ui/react-use-previous@1.0.1":
   version "1.0.1"
   resolved "https://registry.yarnpkg.com/@radix-ui/react-use-previous/-/react-use-previous-1.0.1.tgz#b595c087b07317a4f143696c6a01de43b0d0ec66"
@@ -6711,6 +6851,19 @@
     classnames "^2.3.1"
     prop-types "^15.6.1"
 
+"@uiw/codemirror-extensions-basic-setup@4.23.11":
+  version "4.23.11"
+  resolved "https://registry.yarnpkg.com/@uiw/codemirror-extensions-basic-setup/-/codemirror-extensions-basic-setup-4.23.11.tgz#80a1d287c2231c00b0bed595e65e1761b813f5d1"
+  integrity sha512-U31s5LEqEKFU4SPz1tldfrPohKddxC02z1kTnWe50k+K0CYK+PtISD5ufH/PVC0EgGL+c0TydTx72nRMwaeC4A==
+  dependencies:
+    "@codemirror/autocomplete" "^6.0.0"
+    "@codemirror/commands" "^6.0.0"
+    "@codemirror/language" "^6.0.0"
+    "@codemirror/lint" "^6.0.0"
+    "@codemirror/search" "^6.0.0"
+    "@codemirror/state" "^6.0.0"
+    "@codemirror/view" "^6.0.0"
+
 "@uiw/codemirror-extensions-basic-setup@4.23.7":
   version "4.23.7"
   resolved "https://registry.yarnpkg.com/@uiw/codemirror-extensions-basic-setup/-/codemirror-extensions-basic-setup-4.23.7.tgz#8fce5d6190a755c889805d2edc5b85d7f29cd322"
@@ -6733,6 +6886,18 @@
     "@codemirror/state" "^6.0.0"
     "@codemirror/view" "^6.0.0"
 
+"@uiw/react-codemirror@4.23.11":
+  version "4.23.11"
+  resolved "https://registry.yarnpkg.com/@uiw/react-codemirror/-/react-codemirror-4.23.11.tgz#a0e5091ab5f7bc4514a1ccee53280468a169f470"
+  integrity sha512-oMUXl/yu/a8qKy7w7q769kH2TPlvPln6IpvkjXQX90ziD8GHRFLDz+Ij51D2RRwB3glrkPnhCN9YC+PDlnmhqA==
+  dependencies:
+    "@babel/runtime" "^7.18.6"
+    "@codemirror/commands" "^6.1.0"
+    "@codemirror/state" "^6.1.1"
+    "@codemirror/theme-one-dark" "^6.0.0"
+    "@uiw/codemirror-extensions-basic-setup" "4.23.11"
+    codemirror "^6.0.0"
+
 "@uiw/react-codemirror@^4.19.5":
   version "4.23.7"
   resolved "https://registry.yarnpkg.com/@uiw/react-codemirror/-/react-codemirror-4.23.7.tgz#b7fe2085936c593514f5e238865989bfef65e504"
@@ -7352,6 +7517,13 @@ aria-hidden@^1.1.1:
   dependencies:
     tslib "^2.0.0"
 
+aria-hidden@^1.2.4:
+  version "1.2.4"
+  resolved "https://registry.yarnpkg.com/aria-hidden/-/aria-hidden-1.2.4.tgz#b78e383fdbc04d05762c78b4a25a501e736c4522"
+  integrity sha512-y+CcFFwelSXpLZk/7fMB2mUbGtX9lKycf1MWJ7CaTIERyitVlyQx6C+sxcROU2BAJ24OiZyK+8wj2i8AlBoS3A==
+  dependencies:
+    tslib "^2.0.0"
+
 aria-query@5.1.3, aria-query@^5.1.3:
   version "5.1.3"
   resolved "https://registry.yarnpkg.com/aria-query/-/aria-query-5.1.3.tgz#19db27cd101152773631396f7a95a3b58c22c35e"
@@ -8321,6 +8493,13 @@ ci-info@^3.2.0:
   resolved "https://registry.yarnpkg.com/ci-info/-/ci-info-3.3.0.tgz#b4ed1fb6818dea4803a55c623041f9165d2066b2"
   integrity sha512-riT/3vI5YpVH6/qomlDnJow6TBee2PBKSEpx3O32EGPYbWGIRsIlGRms3Sm74wYE1JMo8RnO04Hb12+v1J5ICw==
 
+class-variance-authority@^0.7.0:
+  version "0.7.1"
+  resolved "https://registry.yarnpkg.com/class-variance-authority/-/class-variance-authority-0.7.1.tgz#4008a798a0e4553a781a57ac5177c9fb5d043787"
+  integrity sha512-Ka+9Trutv7G8M6WT6SeiRWz792K5qEqIGEGzXKhAE6xOWAY6pPH8U+9IY3oCMv6kqTmLsv7Xh/2w2RigkePMsg==
+  dependencies:
+    clsx "^2.1.1"
+
 classnames@^2.2.5, classnames@^2.3.1:
   version "2.3.1"
   resolved "https://registry.yarnpkg.com/classnames/-/classnames-2.3.1.tgz#dfcfa3891e306ec1dad105d0e88f4417b8535e8e"
@@ -8461,6 +8640,11 @@ clsx@^2.0.0:
   resolved "https://registry.yarnpkg.com/clsx/-/clsx-2.1.0.tgz#e851283bcb5c80ee7608db18487433f7b23f77cb"
   integrity sha512-m3iNNWpd9rl3jvvcBnu70ylMdrXt8Vlq4HYadnU5fwcOtvkSQWPmj7amUcDT2qYI7risszBjI5AUIUox9D16pg==
 
+clsx@^2.1.1:
+  version "2.1.1"
+  resolved "https://registry.yarnpkg.com/clsx/-/clsx-2.1.1.tgz#eed397c9fd8bd882bfb18deab7102049a2f32999"
+  integrity sha512-eYm0QWBtUrBWZWG0d386OGAw16Z995PiOVo2B7bjWSbHedGl5e0ZWaq65kOGgUSNesEIDkB9ISbTg/JK9dhCZA==
+
 codemirror-json-schema@^0.8.0:
   version "0.8.0"
   resolved "https://registry.yarnpkg.com/codemirror-json-schema/-/codemirror-json-schema-0.8.0.tgz#3e8b39a038148645c23a006e505becce68397602"
@@ -13152,7 +13336,7 @@ markdown-to-jsx@^7.7.4:
   version "7.7.4"
   resolved "https://registry.yarnpkg.com/markdown-to-jsx/-/markdown-to-jsx-7.7.4.tgz#507d17c15af72ddf970fca84a95f0243244fcfa9"
   integrity sha512-1bSfXyBKi+EYS3YY+e0Csuxf8oZ3decdfhOav/Z7Wrk89tjudyL5FOmwZQUoy0/qVXGUl+6Q3s2SWtpDEWITfQ==
-  
+
 math-intrinsics@^1.1.0:
   version "1.1.0"
   resolved "https://registry.yarnpkg.com/math-intrinsics/-/math-intrinsics-1.1.0.tgz#a0dd74be81e2aa5c2f27e65ce283605ee4e2b7f9"
@@ -15109,6 +15293,15 @@ react-clock@^4.5.0:
     get-user-locale "^2.2.1"
     prop-types "^15.6.0"
 
+react-codemirror-merge@^4.23.11:
+  version "4.23.11"
+  resolved "https://registry.yarnpkg.com/react-codemirror-merge/-/react-codemirror-merge-4.23.11.tgz#84d23df93520057efcbfdd7755dc40828eafa182"
+  integrity sha512-QimYLcFNKInmJhGUsIkQyTc893RGndj79Na+r4QOCfJk8TVA+ejTdc6ofB5tP5osvoxh6OIBBmeIj1vB6co/Aw==
+  dependencies:
+    "@babel/runtime" "^7.18.6"
+    "@codemirror/merge" "^6.1.2"
+    "@uiw/react-codemirror" "4.23.11"
+
 react-colorful@^5.1.2:
   version "5.6.1"
   resolved "https://registry.yarnpkg.com/react-colorful/-/react-colorful-5.6.1.tgz#7dc2aed2d7c72fac89694e834d179e32f3da563b"
@@ -15280,6 +15473,14 @@ react-remove-scroll-bar@^2.3.3:
     react-style-singleton "^2.2.1"
     tslib "^2.0.0"
 
+react-remove-scroll-bar@^2.3.7:
+  version "2.3.8"
+  resolved "https://registry.yarnpkg.com/react-remove-scroll-bar/-/react-remove-scroll-bar-2.3.8.tgz#99c20f908ee467b385b68a3469b4a3e750012223"
+  integrity sha512-9r+yi9+mgU33AKcj6IbT9oRCO78WriSj6t/cF8DWBZJ9aOGPOTEDvdUDz1FwKim7QXWwmHqtdHnRJfhAxEG46Q==
+  dependencies:
+    react-style-singleton "^2.2.2"
+    tslib "^2.0.0"
+
 react-remove-scroll@2.5.5:
   version "2.5.5"
   resolved "https://registry.yarnpkg.com/react-remove-scroll/-/react-remove-scroll-2.5.5.tgz#1e31a1260df08887a8a0e46d09271b52b3a37e77"
@@ -15302,6 +15503,17 @@ react-remove-scroll@^2.4.3:
     use-callback-ref "^1.3.0"
     use-sidecar "^1.1.2"
 
+react-remove-scroll@^2.6.3:
+  version "2.6.3"
+  resolved "https://registry.yarnpkg.com/react-remove-scroll/-/react-remove-scroll-2.6.3.tgz#df02cde56d5f2731e058531f8ffd7f9adec91ac2"
+  integrity sha512-pnAi91oOk8g8ABQKGF5/M9qxmmOPxaAnopyTHYfqYEwJhyFrbbBtHuSgtKEoH0jpcxx5o3hXqH1mNd9/Oi+8iQ==
+  dependencies:
+    react-remove-scroll-bar "^2.3.7"
+    react-style-singleton "^2.2.3"
+    tslib "^2.1.0"
+    use-callback-ref "^1.3.3"
+    use-sidecar "^1.1.3"
+
 react-select@^5.2.1:
   version "5.2.1"
   resolved "https://registry.yarnpkg.com/react-select/-/react-select-5.2.1.tgz#416c25c6b79b94687702374e019c4f2ed9d159d6"
@@ -15333,6 +15545,14 @@ react-style-singleton@^2.2.1:
     invariant "^2.2.4"
     tslib "^2.0.0"
 
+react-style-singleton@^2.2.2, react-style-singleton@^2.2.3:
+  version "2.2.3"
+  resolved "https://registry.yarnpkg.com/react-style-singleton/-/react-style-singleton-2.2.3.tgz#4265608be69a4d70cfe3047f2c6c88b2c3ace388"
+  integrity sha512-b6jSvxvVnyptAiLjbkWLE/lOnR4lfTtDAl+eUC7RZy+QQWc6wRzIV2CE6xBuMmDxc2qIihtDCZD5NPOFl7fRBQ==
+  dependencies:
+    get-nonce "^1.0.0"
+    tslib "^2.0.0"
+
 react-time-picker@^6.5.0:
   version "6.6.0"
   resolved "https://registry.yarnpkg.com/react-time-picker/-/react-time-picker-6.6.0.tgz#5c5264d053dff22cbed9ad0ba927b1ea786c3a49"
@@ -16901,6 +17121,11 @@ tabbable@^5.3.3:
   resolved "https://registry.yarnpkg.com/tabbable/-/tabbable-5.3.3.tgz#aac0ff88c73b22d6c3c5a50b1586310006b47fbf"
   integrity sha512-QD9qKY3StfbZqWOPLp0++pOrAVb/HbUi5xCc8cUo4XjP19808oaMiDzn0leBY5mCespIBM0CIZePzZjgzR83kA==
 
+tailwindcss-animate@^1.0.7:
+  version "1.0.7"
+  resolved "https://registry.yarnpkg.com/tailwindcss-animate/-/tailwindcss-animate-1.0.7.tgz#318b692c4c42676cc9e67b19b78775742388bef4"
+  integrity sha512-bl6mpH3T7I3UFxuvDEXLxy/VuFxBk5bbzplh7tXI68mwMokNYd1t9qPBHlnyTwfa4JGC4zP516I1hYYtQ/vspA==
+
 tailwindcss@3.3.3:
   version "3.3.3"
   resolved "https://registry.yarnpkg.com/tailwindcss/-/tailwindcss-3.3.3.tgz#90da807393a2859189e48e9e7000e6880a736daf"
@@ -17676,6 +17901,13 @@ use-callback-ref@^1.3.0:
   dependencies:
     tslib "^2.0.0"
 
+use-callback-ref@^1.3.3:
+  version "1.3.3"
+  resolved "https://registry.yarnpkg.com/use-callback-ref/-/use-callback-ref-1.3.3.tgz#98d9fab067075841c5b2c6852090d5d0feabe2bf"
+  integrity sha512-jQL3lRnocaFtu3V00JToYz/4QkNWswxijDaCVNZRiRTO3HQDLsdu1ZtmIUvV4yPp+rvWm5j0y0TG/S61cuijTg==
+  dependencies:
+    tslib "^2.0.0"
+
 use-resize-observer@^9.1.0:
   version "9.1.0"
   resolved "https://registry.yarnpkg.com/use-resize-observer/-/use-resize-observer-9.1.0.tgz#14735235cf3268569c1ea468f8a90c5789fc5c6c"
@@ -17691,6 +17923,14 @@ use-sidecar@^1.1.2:
     detect-node-es "^1.1.0"
     tslib "^2.0.0"
 
+use-sidecar@^1.1.3:
+  version "1.1.3"
+  resolved "https://registry.yarnpkg.com/use-sidecar/-/use-sidecar-1.1.3.tgz#10e7fd897d130b896e2c546c63a5e8233d00efdb"
+  integrity sha512-Fedw0aZvkhynoPYlA5WXrMCAMm+nSWdZt6lzJQ7Ok8S6Q+VsHmHpRWndVRJ8Be0ZbkfPc5LRYH+5XrzXcEeLRQ==
+  dependencies:
+    detect-node-es "^1.1.0"
+    tslib "^2.0.0"
+
 use-sync-external-store@1.2.0, use-sync-external-store@^1.2.0:
   version "1.2.0"
   resolved "https://registry.yarnpkg.com/use-sync-external-store/-/use-sync-external-store-1.2.0.tgz#7dbefd6ef3fe4e767a0cf5d7287aacfb5846928a"

From d49fcd8f3eb111a72dbed1892b120c558d8ec60e Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Wed, 14 May 2025 16:31:42 +1200
Subject: [PATCH 122/212] feat(helm): make the atomic flag optional [r8s-314]
 (#733)

---
 api/http/handler/helm/helm_install.go          |  2 ++
 .../ChartActions/UpgradeHelmModal.tsx          | 18 +++++++++++++++++-
 .../HelmEventsDatatable.test.tsx               |  4 +++-
 .../ReleaseDetails/HelmEventsDatatable.tsx     |  3 ++-
 .../ResourcesTable/ResourcesTable.test.tsx     | 16 ++++++++++++----
 .../ResourcesTable/ResourcesTable.tsx          |  2 +-
 .../ResourcesTable/columns/resourceType.tsx    | 14 ++++++++++++++
 .../ResourcesTable/columns/status.tsx          | 18 +++++++++++++++++-
 .../queries/useUpdateHelmReleaseMutation.ts    |  1 +
 pkg/libhelm/options/install_options.go         |  1 +
 pkg/libhelm/sdk/upgrade.go                     |  2 +-
 11 files changed, 71 insertions(+), 10 deletions(-)

diff --git a/api/http/handler/helm/helm_install.go b/api/http/handler/helm/helm_install.go
index cd4985770..83ae0db51 100644
--- a/api/http/handler/helm/helm_install.go
+++ b/api/http/handler/helm/helm_install.go
@@ -27,6 +27,7 @@ type installChartPayload struct {
 	Repo      string `json:"repo"`
 	Values    string `json:"values"`
 	Version   string `json:"version"`
+	Atomic    bool   `json:"atomic"`
 }
 
 var errChartNameInvalid = errors.New("invalid chart name. " +
@@ -105,6 +106,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		Version:                 p.Version,
 		Namespace:               p.Namespace,
 		Repo:                    p.Repo,
+		Atomic:                  p.Atomic,
 		KubernetesClusterAccess: clusterAccess,
 	}
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
index bb71f28c5..8dba31e38 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
@@ -11,6 +11,7 @@ import { Input } from '@@/form-components/Input';
 import { CodeEditor } from '@@/CodeEditor';
 import { FormControl } from '@@/form-components/FormControl';
 import { WidgetTitle } from '@@/Widget';
+import { Checkbox } from '@@/form-components/Checkbox';
 
 import { UpdateHelmReleasePayload } from '../queries/useUpdateHelmReleaseMutation';
 import { ChartVersion } from '../queries/useHelmRepositories';
@@ -37,7 +38,7 @@ export function UpgradeHelmModal({ values, versions, onSubmit }: Props) {
     versionOptions[0]?.value;
   const [version, setVersion] = useState<ChartVersion>(defaultVersion);
   const [userValues, setUserValues] = useState<string>(values.values || '');
-
+  const [atomic, setAtomic] = useState<boolean>(false);
   return (
     <Modal
       onDismiss={() => onSubmit()}
@@ -88,6 +89,20 @@ export function UpgradeHelmModal({ values, versions, onSubmit }: Props) {
               data-cy="helm-namespace-input"
             />
           </FormControl>
+          <FormControl
+            label="Rollback on failure"
+            tooltip="Enables automatic rollback on failure (equivalent to the helm --atomic flag). It may increase the time to upgrade."
+            inputId="atomic-input"
+            className="[&>label]:!pl-0"
+            size="medium"
+          >
+            <Checkbox
+              id="atomic-input"
+              checked={atomic}
+              data-cy="atomic-checkbox"
+              onChange={(e) => setAtomic(e.target.checked)}
+            />
+          </FormControl>
           <FormControl
             label="User-defined values"
             inputId="user-values-editor"
@@ -125,6 +140,7 @@ export function UpgradeHelmModal({ values, versions, onSubmit }: Props) {
                 chart: values.chart,
                 repo: version.Repo,
                 version: version.Version,
+                atomic,
               })
             }
             color="primary"
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
index 772774fe3..08c48488a 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
@@ -218,7 +218,9 @@ describe('HelmEventsDatatable', () => {
 
     await waitFor(() => {
       expect(
-        screen.getByText('Events reflect the latest revision only.')
+        screen.getByText(
+          'Only events for resources currently in the cluster will be displayed.'
+        )
       ).toBeInTheDocument();
     });
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
index d02423d82..ced859f54 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
@@ -42,7 +42,8 @@ export function HelmEventsDatatable({
         dataset={eventsQuery.data || []}
         title={
           <TextTip inline color="blue" className="!text-xs">
-            Events reflect the latest revision only.
+            Only events for resources currently in the cluster will be
+            displayed.
           </TextTip>
         }
         titleIcon={null}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
index 113776344..1bae99912 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
@@ -167,9 +167,13 @@ describe('ResourcesTable', () => {
     );
 
     // Check that success badge is rendered
-    const successBadge = screen.getByText('MinimumReplicasAvailable');
+    const successBadge = screen.getByText(
+      (content, element) =>
+        content.includes('MinimumReplicasAvailable') &&
+        element !== null &&
+        element.className.includes('bg-success')
+    );
     expect(successBadge).toBeInTheDocument();
-    expect(successBadge.className).toContain('bg-success');
   });
 
   it('should show error badges for failed resources', () => {
@@ -177,8 +181,12 @@ describe('ResourcesTable', () => {
     expect(screen.getByText('probe-failure-nginx-bad')).toBeInTheDocument();
 
     // Check for the unhealthy status badge and make sure it has the error styling
-    const errorBadge = screen.getByText('InsufficientPods');
+    const errorBadge = screen.getByText(
+      (content, element) =>
+        content.includes('InsufficientPods') &&
+        element !== null &&
+        element.className.includes('bg-error')
+    );
     expect(errorBadge).toBeInTheDocument();
-    expect(errorBadge.className).toContain('bg-error');
   });
 });
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
index 8469e38fe..1757535ba 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
@@ -59,7 +59,7 @@ export function ResourcesTable() {
         emptyContentLabel="No resources found"
         title={
           <TextTip inline color="blue" className="!text-xs">
-            Resources reflect the latest revision only.
+            Only resources currently in the cluster will be displayed.
           </TextTip>
         }
         disableSelect
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx
index e1df5ffbb..aec7783d1 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/resourceType.tsx
@@ -1,6 +1,20 @@
+import { Row } from '@tanstack/react-table';
+
+import { filterHOC } from '@@/datatables/Filter';
+
+import { ResourceRow } from '../types';
+
 import { columnHelper } from './helper';
 
 export const resourceType = columnHelper.accessor((row) => row.resourceType, {
   header: 'Resource type',
   id: 'resourceType',
+  meta: {
+    filter: filterHOC('Filter by resource type'),
+  },
+  enableColumnFilter: true,
+  filterFn: (row: Row<ResourceRow>, _: string, filterValue: string[]) =>
+    filterValue.length === 0 ||
+    (!!row.original.resourceType &&
+      filterValue.includes(row.original.resourceType)),
 });
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
index cded59796..1e7bbb8f2 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/columns/status.tsx
@@ -1,6 +1,7 @@
-import { CellContext } from '@tanstack/react-table';
+import { CellContext, Row } from '@tanstack/react-table';
 
 import { StatusBadge } from '@@/StatusBadge';
+import { filterHOC } from '@@/datatables/Filter';
 
 import { ResourceRow } from '../types';
 
@@ -10,6 +11,21 @@ export const status = columnHelper.accessor((row) => row.status.label, {
   header: 'Status',
   id: 'status',
   cell: Cell,
+  meta: {
+    filter: filterHOC(
+      'Filter by status',
+      // don't include empty values in the filter options
+      (rows: Row<ResourceRow>[]) =>
+        Array.from(
+          new Set(rows.map((row) => row.original.status.label).filter(Boolean))
+        )
+    ),
+  },
+  enableColumnFilter: true,
+  filterFn: (row: Row<ResourceRow>, _: string, filterValue: string[]) =>
+    filterValue.length === 0 ||
+    (!!row.original.status.label &&
+      filterValue.includes(row.original.status.label)),
 });
 
 function Cell({ row }: CellContext<ResourceRow, string>) {
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
index 00e9f8131..4c60faafb 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
@@ -14,6 +14,7 @@ export interface UpdateHelmReleasePayload {
   name: string;
   chart: string;
   version?: string;
+  atomic?: boolean;
 }
 export function useUpdateHelmReleaseMutation(environmentId: EnvironmentId) {
   const queryClient = useQueryClient();
diff --git a/pkg/libhelm/options/install_options.go b/pkg/libhelm/options/install_options.go
index 0028c6c0c..807862683 100644
--- a/pkg/libhelm/options/install_options.go
+++ b/pkg/libhelm/options/install_options.go
@@ -11,6 +11,7 @@ type InstallOptions struct {
 	Wait                    bool
 	ValuesFile              string
 	PostRenderer            string
+	Atomic                  bool
 	Timeout                 time.Duration
 	KubernetesClusterAccess *KubernetesClusterAccess
 
diff --git a/pkg/libhelm/sdk/upgrade.go b/pkg/libhelm/sdk/upgrade.go
index cf5124370..b47a439a9 100644
--- a/pkg/libhelm/sdk/upgrade.go
+++ b/pkg/libhelm/sdk/upgrade.go
@@ -133,7 +133,7 @@ func (hspm *HelmSDKPackageManager) Upgrade(upgradeOpts options.InstallOptions) (
 func initUpgradeClient(actionConfig *action.Configuration, upgradeOpts options.InstallOptions) (*action.Upgrade, error) {
 	upgradeClient := action.NewUpgrade(actionConfig)
 	upgradeClient.DependencyUpdate = true
-	upgradeClient.Atomic = true
+	upgradeClient.Atomic = upgradeOpts.Atomic
 	upgradeClient.ChartPathOptions.RepoURL = upgradeOpts.Repo
 	upgradeClient.Wait = upgradeOpts.Wait
 

From ee65223ee7fe444b22110874ac326eb7713f9b02 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Wed, 14 May 2025 17:35:05 +1200
Subject: [PATCH 123/212] chore: bump version to 2.30.0 (#735)

---
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/http/handler/handler.go                      | 2 +-
 api/portainer.go                                 | 2 +-
 package.json                                     | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 21f3f8630..b0078c326 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -610,7 +610,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.29.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.30.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -943,7 +943,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.29.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.30.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 42c555905..72c7f7669 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.29.0
+// @version 2.30.0
 // @description.markdown api-description.md
 // @termsOfService
 
diff --git a/api/portainer.go b/api/portainer.go
index 1db7142d5..935def1f1 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1638,7 +1638,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.29.0"
+	APIVersion = "2.30.0"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "STS"
 	// Edition is what this edition of Portainer is called
diff --git a/package.json b/package.json
index 7d1c72b83..28859ab3e 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.29.0",
+  "version": "2.30.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"

From 44daab04ac5c2d1469228ea5ce4a77fc3e7b91d6 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Thu, 15 May 2025 09:54:35 +1200
Subject: [PATCH 124/212] fix(libclient): option to disable external http
 request [BE-11696] (#719)

---
 api/http/handler/motd/motd.go                 |  8 +++++++
 api/http/handler/system/version.go            |  7 +++++-
 .../templates/utils_fetch_templates.go        | 11 +++++++++-
 api/portainer.go                              |  5 +++++
 pkg/libhttp/client/client.go                  | 22 +++++++++++++++++++
 5 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 pkg/libhttp/client/client.go

diff --git a/api/http/handler/motd/motd.go b/api/http/handler/motd/motd.go
index dd2112c16..4117de830 100644
--- a/api/http/handler/motd/motd.go
+++ b/api/http/handler/motd/motd.go
@@ -7,7 +7,9 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/pkg/libcrypto"
+	libclient "github.com/portainer/portainer/pkg/libhttp/client"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/rs/zerolog/log"
 
 	"github.com/segmentio/encoding/json"
 )
@@ -37,6 +39,12 @@ type motdData struct {
 // @success 200 {object} motdResponse
 // @router /motd [get]
 func (handler *Handler) motd(w http.ResponseWriter, r *http.Request) {
+	if err := libclient.ExternalRequestDisabled(portainer.MessageOfTheDayURL); err != nil {
+		log.Debug().Err(err).Msg("External request disabled: MOTD")
+		response.JSON(w, &motdResponse{Message: ""})
+		return
+	}
+
 	motd, err := client.Get(portainer.MessageOfTheDayURL, 0)
 	if err != nil {
 		response.JSON(w, &motdResponse{Message: ""})
diff --git a/api/http/handler/system/version.go b/api/http/handler/system/version.go
index 9d80b88a9..52af5879c 100644
--- a/api/http/handler/system/version.go
+++ b/api/http/handler/system/version.go
@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/http/client"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/pkg/build"
+	libclient "github.com/portainer/portainer/pkg/libhttp/client"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/response"
 
@@ -69,10 +70,14 @@ func (handler *Handler) version(w http.ResponseWriter, r *http.Request) *httperr
 }
 
 func GetLatestVersion() string {
+	if err := libclient.ExternalRequestDisabled(portainer.VersionCheckURL); err != nil {
+		log.Debug().Err(err).Msg("External request disabled: Version check")
+		return ""
+	}
+
 	motd, err := client.Get(portainer.VersionCheckURL, 5)
 	if err != nil {
 		log.Debug().Err(err).Msg("couldn't fetch latest Portainer release version")
-
 		return ""
 	}
 
diff --git a/api/http/handler/templates/utils_fetch_templates.go b/api/http/handler/templates/utils_fetch_templates.go
index 6feb9edeb..73f9bad56 100644
--- a/api/http/handler/templates/utils_fetch_templates.go
+++ b/api/http/handler/templates/utils_fetch_templates.go
@@ -4,7 +4,9 @@ import (
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
+	libclient "github.com/portainer/portainer/pkg/libhttp/client"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
 )
 
@@ -24,13 +26,20 @@ func (handler *Handler) fetchTemplates() (*listResponse, *httperror.HandlerError
 		templatesURL = portainer.DefaultTemplatesURL
 	}
 
+	var body *listResponse
+	if err := libclient.ExternalRequestDisabled(templatesURL); err != nil {
+		if templatesURL == portainer.DefaultTemplatesURL {
+			log.Debug().Err(err).Msg("External request disabled: Default templates")
+			return body, nil
+		}
+	}
+
 	resp, err := http.Get(templatesURL)
 	if err != nil {
 		return nil, httperror.InternalServerError("Unable to retrieve templates via the network", err)
 	}
 	defer resp.Body.Close()
 
-	var body *listResponse
 	err = json.NewDecoder(resp.Body).Decode(&body)
 	if err != nil {
 		return nil, httperror.InternalServerError("Unable to parse template file", err)
diff --git a/api/portainer.go b/api/portainer.go
index 935def1f1..60e5c7a1f 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1692,6 +1692,11 @@ const (
 	KubectlShellImageEnvVar = "KUBECTL_SHELL_IMAGE"
 	// PullLimitCheckDisabledEnvVar is the environment variable used to disable the pull limit check
 	PullLimitCheckDisabledEnvVar = "PULL_LIMIT_CHECK_DISABLED"
+	// LicenseServerBaseURL represents the base URL of the API used to validate
+	// an extension license.
+	LicenseServerBaseURL = "https://api.portainer.io"
+	// URL to validate licenses along with system metadata.
+	LicenseCheckInURL = LicenseServerBaseURL + "/licenses/checkin"
 )
 
 // List of supported features
diff --git a/pkg/libhttp/client/client.go b/pkg/libhttp/client/client.go
new file mode 100644
index 000000000..1e1f094a1
--- /dev/null
+++ b/pkg/libhttp/client/client.go
@@ -0,0 +1,22 @@
+package client
+
+import (
+	"errors"
+
+	"github.com/portainer/portainer/pkg/featureflags"
+)
+
+var (
+	ErrExternalRequestsBlocked = errors.New("external requests are blocked by feature flag")
+)
+
+// DisableExternalRequest is the feature flag name for blocking outbound requests
+const DisableExternalRequests = "disable-external-requests"
+
+func ExternalRequestDisabled(url string) error {
+	if featureflags.IsEnabled(DisableExternalRequests) {
+		return ErrExternalRequestsBlocked
+	}
+
+	return nil
+}

From b540709e03781c689da17675afc56728685d03cc Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 15 May 2025 01:09:28 +0100
Subject: [PATCH 125/212] Update bug report template for 2.30.0 (#737)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index b83e3792a..0c6416fef 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.30.0'
         - '2.29.2'
         - '2.29.1'
         - '2.29.0'

From 799325d9f8d51aef4fb11ba10ffdd39c00a4c4d8 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Tue, 20 May 2025 03:40:43 +0100
Subject: [PATCH 126/212] Update bug report template for 2.30.1 (#749)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 0c6416fef..4324bf5a8 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.30.1'
         - '2.30.0'
         - '2.29.2'
         - '2.29.1'

From 1bc91d0c7c29cbb69183b6b038a5f2f171cd2e49 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Tue, 20 May 2025 08:28:40 +0200
Subject: [PATCH 127/212] fix(edge-update): set edge stack status to
 EdgeStackStatusError to avoid redeployment of portainer-updater [BE-11855]
 (#714)

---
 pkg/libstack/compose/composeplugin.go | 5 +++--
 pkg/libstack/libstack.go              | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/pkg/libstack/compose/composeplugin.go b/pkg/libstack/compose/composeplugin.go
index 01a5134ea..394de356e 100644
--- a/pkg/libstack/compose/composeplugin.go
+++ b/pkg/libstack/compose/composeplugin.go
@@ -270,8 +270,9 @@ func (c *ComposeDeployer) GetExistingEdgeStacks(ctx context.Context) ([]libstack
 					}
 
 					m[id] = libstack.EdgeStack{
-						ID:   id,
-						Name: cs.Labels[api.ProjectLabel],
+						ID:       id,
+						Name:     cs.Labels[api.ProjectLabel],
+						ExitCode: cs.ExitCode,
 					}
 				}
 			}
diff --git a/pkg/libstack/libstack.go b/pkg/libstack/libstack.go
index 4e7b184ea..e4125d3ca 100644
--- a/pkg/libstack/libstack.go
+++ b/pkg/libstack/libstack.go
@@ -88,6 +88,7 @@ type RemoveOptions struct {
 }
 
 type EdgeStack struct {
-	ID   int
-	Name string
+	ID       int
+	Name     string
+	ExitCode int
 }

From 45471ce86dbe3342c57fb99274e0a2e3b1c1f260 Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Thu, 22 May 2025 14:27:14 +1200
Subject: [PATCH 128/212] fix(docker): check len of device capabilities
 [BE-11898] (#750)

---
 .../containers/edit/containerController.js    |  2 +-
 pkg/snapshot/docker.go                        | 20 +++++++++++--------
 2 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/app/docker/views/containers/edit/containerController.js b/app/docker/views/containers/edit/containerController.js
index 78f153e27..f1ff8f27c 100644
--- a/app/docker/views/containers/edit/containerController.js
+++ b/app/docker/views/containers/edit/containerController.js
@@ -54,7 +54,7 @@ angular.module('portainer.docker').controller('ContainerController', [
 
     $scope.computeDockerGPUCommand = () => {
       const gpuOptions = _.find($scope.container.HostConfig.DeviceRequests, function (o) {
-        return o.Driver === 'nvidia' || o.Capabilities[0][0] === 'gpu';
+        return o.Driver === 'nvidia' || (o.Capabilities && o.Capabilities.length > 0 && o.Capabilities[0] > 0 && o.Capabilities[0][0] === 'gpu');
       });
       if (!gpuOptions) {
         return 'No GPU config found';
diff --git a/pkg/snapshot/docker.go b/pkg/snapshot/docker.go
index 3ea4dc0d5..810dbeaa9 100644
--- a/pkg/snapshot/docker.go
+++ b/pkg/snapshot/docker.go
@@ -14,8 +14,7 @@ import (
 	networkingutils "github.com/portainer/portainer/pkg/networking"
 
 	"github.com/docker/docker/api/types"
-	"github.com/docker/docker/api/types/container"
-	_container "github.com/docker/docker/api/types/container"
+	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/volume"
 	"github.com/docker/docker/client"
@@ -128,7 +127,7 @@ func dockerSnapshotSwarmServices(snapshot *portainer.DockerSnapshot, cli *client
 }
 
 func dockerSnapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	containers, err := cli.ContainerList(context.Background(), container.ListOptions{All: true})
+	containers, err := cli.ContainerList(context.Background(), dockercontainer.ListOptions{All: true})
 	if err != nil {
 		return err
 	}
@@ -170,11 +169,16 @@ func dockerSnapshotContainers(snapshot *portainer.DockerSnapshot, cli *client.Cl
 
 		containerEnvs[container.ID] = response.Config.Env
 
-		var gpuOptions *_container.DeviceRequest
+		var gpuOptions *dockercontainer.DeviceRequest
 
-		for _, deviceRequest := range response.HostConfig.Resources.DeviceRequests {
-			if deviceRequest.Driver == "nvidia" || deviceRequest.Capabilities[0][0] == "gpu" {
-				gpuOptions = &deviceRequest
+		if response.HostConfig != nil {
+			for _, deviceRequest := range response.HostConfig.DeviceRequests {
+				if deviceRequest.Driver == "nvidia" ||
+					(len(deviceRequest.Capabilities) > 0 &&
+						len(deviceRequest.Capabilities[0]) > 0 &&
+						deviceRequest.Capabilities[0][0] == "gpu") {
+					gpuOptions = &deviceRequest
+				}
 			}
 		}
 
@@ -298,7 +302,7 @@ func dockerSnapshotContainerErrorLogs(snapshot *portainer.DockerSnapshot, cli *c
 		return nil
 	}
 
-	rd, err := cli.ContainerLogs(context.Background(), containerId, container.LogsOptions{
+	rd, err := cli.ContainerLogs(context.Background(), containerId, dockercontainer.LogsOptions{
 		ShowStdout: false,
 		ShowStderr: true,
 		Tail:       "5",

From b96328e098c37c8c04647d430c510e7e5fb18298 Mon Sep 17 00:00:00 2001
From: Malcolm Lockyer <segfault88@users.noreply.github.com>
Date: Fri, 23 May 2025 12:42:45 +1200
Subject: [PATCH 129/212] fix(async-perf): In async poll snapshot handling,
 reduce redundant json marshal [be-11861] (#726)

---
 api/dataservices/snapshot/snapshot.go | 17 +++++++++++++++++
 api/dataservices/snapshot/tx.go       | 16 ++++++++++++++++
 api/portainer.go                      |  7 +++++++
 3 files changed, 40 insertions(+)

diff --git a/api/dataservices/snapshot/snapshot.go b/api/dataservices/snapshot/snapshot.go
index 155077677..c0066317d 100644
--- a/api/dataservices/snapshot/snapshot.go
+++ b/api/dataservices/snapshot/snapshot.go
@@ -51,3 +51,20 @@ func (service *Service) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*portai
 
 	return snapshot, err
 }
+
+func (service *Service) ReadRawMessage(ID portainer.EndpointID) (*portainer.SnapshotRawMessage, error) {
+	var snapshot *portainer.SnapshotRawMessage
+
+	err := service.Connection.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		snapshot, err = service.Tx(tx).ReadRawMessage(ID)
+
+		return err
+	})
+
+	return snapshot, err
+}
+
+func (service *Service) CreateRawMessage(snapshot *portainer.SnapshotRawMessage) error {
+	return service.Connection.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
+}
diff --git a/api/dataservices/snapshot/tx.go b/api/dataservices/snapshot/tx.go
index 8a8dcc1c2..45d1df9fc 100644
--- a/api/dataservices/snapshot/tx.go
+++ b/api/dataservices/snapshot/tx.go
@@ -35,3 +35,19 @@ func (service ServiceTx) ReadWithoutSnapshotRaw(ID portainer.EndpointID) (*porta
 
 	return &snapshot.Snapshot, nil
 }
+
+func (service ServiceTx) ReadRawMessage(ID portainer.EndpointID) (*portainer.SnapshotRawMessage, error) {
+	var snapshot = portainer.SnapshotRawMessage{}
+
+	identifier := service.Connection.ConvertToKey(int(ID))
+
+	if err := service.Tx.GetObject(service.Bucket, identifier, &snapshot); err != nil {
+		return nil, err
+	}
+
+	return &snapshot, nil
+}
+
+func (service ServiceTx) CreateRawMessage(snapshot *portainer.SnapshotRawMessage) error {
+	return service.Tx.CreateObjectWithId(BucketName, int(snapshot.EndpointID), snapshot)
+}
diff --git a/api/portainer.go b/api/portainer.go
index 60e5c7a1f..f61bb1af2 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -13,6 +13,7 @@ import (
 	gittypes "github.com/portainer/portainer/api/git/types"
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/portainer/portainer/pkg/featureflags"
+	"github.com/segmentio/encoding/json"
 
 	"golang.org/x/oauth2"
 	corev1 "k8s.io/api/core/v1"
@@ -1374,6 +1375,12 @@ type (
 		Kubernetes *KubernetesSnapshot `json:"Kubernetes"`
 	}
 
+	SnapshotRawMessage struct {
+		EndpointID EndpointID      `json:"EndpointId"`
+		Docker     json.RawMessage `json:"Docker"`
+		Kubernetes json.RawMessage `json:"Kubernetes"`
+	}
+
 	// CLIService represents a service for managing CLI
 	CLIService interface {
 		ParseFlags(version string) (*CLIFlags, error)

From a80b185e1050cb811d722132db18f9df5409396a Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Mon, 26 May 2025 14:10:38 +1200
Subject: [PATCH 130/212] feat(helm): filter on chart versions at API level
 [R8S-324] (#747)

---
 api/http/handler/helm/helm_repo_search.go     |  8 +-
 .../ChartActions/UpgradeButton.test.tsx       | 10 +++
 .../ChartActions/UpgradeButton.tsx            | 87 +++++++++++++------
 .../queries/useHelmRepositories.ts            | 16 ++--
 pkg/libhelm/options/search_repo_options.go    |  6 +-
 pkg/libhelm/sdk/search_repo.go                | 77 ++++++++++++----
 6 files changed, 153 insertions(+), 51 deletions(-)

diff --git a/api/http/handler/helm/helm_repo_search.go b/api/http/handler/helm/helm_repo_search.go
index aab9c523d..976558b9b 100644
--- a/api/http/handler/helm/helm_repo_search.go
+++ b/api/http/handler/helm/helm_repo_search.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
 
 	"github.com/pkg/errors"
 )
@@ -32,13 +33,18 @@ func (handler *Handler) helmRepoSearch(w http.ResponseWriter, r *http.Request) *
 		return httperror.BadRequest("Bad request", errors.New("missing `repo` query parameter"))
 	}
 
+	chart, _ := request.RetrieveQueryParameter(r, "chart", false)
+	useCache, _ := request.RetrieveBooleanQueryParameter(r, "useCache", false)
+
 	_, err := url.ParseRequestURI(repo)
 	if err != nil {
 		return httperror.BadRequest("Bad request", errors.Wrap(err, fmt.Sprintf("provided URL %q is not valid", repo)))
 	}
 
 	searchOpts := options.SearchRepoOptions{
-		Repo: repo,
+		Repo:     repo,
+		Chart:    chart,
+		UseCache: useCache,
 	}
 
 	result, err := handler.helmPackageManager.SearchRepo(searchOpts)
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
index 4bea0bf47..b45a54e79 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -33,6 +33,8 @@ vi.mock('../queries/useHelmRepositories', () => ({
     ],
     isInitialLoading: false,
     isError: false,
+    isFetching: false,
+    refetch: vi.fn(() => Promise.resolve([])),
   })),
   useHelmRepositories: vi.fn(() => ({
     data: ['repo1', 'repo2'],
@@ -81,6 +83,8 @@ describe('UpgradeButton', () => {
       data,
       isInitialLoading: false,
       isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -94,6 +98,8 @@ describe('UpgradeButton', () => {
       data: [],
       isInitialLoading: true,
       isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -109,6 +115,8 @@ describe('UpgradeButton', () => {
       data,
       isInitialLoading: false,
       isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -139,6 +147,8 @@ describe('UpgradeButton', () => {
       ],
       isInitialLoading: false,
       isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton({ release: mockRelease });
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 4c385c388..7376877e4 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -1,5 +1,6 @@
 import { ArrowUp } from 'lucide-react';
 import { useRouter } from '@uirouter/react';
+import { useState } from 'react';
 
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { notifySuccess } from '@/portainer/services/notifications';
@@ -41,16 +42,19 @@ export function UpgradeButton({
   const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
 
   const repositoriesQuery = useHelmRepositories();
+  const [useCache, setUseCache] = useState(true);
   const helmRepoVersionsQuery = useHelmRepoVersions(
     release?.chart.metadata?.name || '',
     60 * 60 * 1000, // 1 hour
-    repositoriesQuery.data
+    repositoriesQuery.data,
+    useCache
   );
   const versions = helmRepoVersionsQuery.data;
 
   // Combined loading state
   const isInitialLoading =
     repositoriesQuery.isInitialLoading ||
+    helmRepoVersionsQuery.isFetching ||
     helmRepoVersionsQuery.isInitialLoading;
   const isError = repositoriesQuery.isError || helmRepoVersionsQuery.isError;
 
@@ -58,9 +62,10 @@ export function UpgradeButton({
     select: (data) => data.chart.metadata?.version,
   });
   const latestVersionAvailable = versions[0]?.Version ?? '';
-  const isNewVersionAvailable =
+  const isNewVersionAvailable = Boolean(
     latestVersion?.data &&
-    semverCompare(latestVersionAvailable, latestVersion?.data) === 1;
+      semverCompare(latestVersionAvailable, latestVersion?.data) === 1
+  );
 
   const editableHelmRelease: UpdateHelmReleasePayload = {
     name: releaseName,
@@ -70,6 +75,14 @@ export function UpgradeButton({
     version: release?.chart.metadata?.version,
   };
 
+  function handleRefreshVersions() {
+    if (useCache === false) {
+      helmRepoVersionsQuery.refetch();
+    } else {
+      setUseCache(false);
+    }
+  }
+
   return (
     <div className="relative">
       <LoadingButton
@@ -97,30 +110,38 @@ export function UpgradeButton({
           Checking for new versions...
         </InlineLoader>
       )}
-      {versions.length === 0 && !isInitialLoading && !isError && (
+      {!isInitialLoading && !isError && (
         <span className="absolute flex items-center -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
-          No versions available
-          <Tooltip
-            message={
-              <div>
-                Portainer is unable to find any versions for this chart in the
-                repositories saved. Try adding a new repository which contains
-                the chart in the{' '}
-                <Link
-                  to="portainer.account"
-                  params={{ '#': 'helm-repositories' }}
-                  data-cy="user-settings-link"
-                >
-                  Helm repositories settings
-                </Link>
-              </div>
-            }
-          />
-        </span>
-      )}
-      {isNewVersionAvailable && (
-        <span className="absolute -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
-          New version available ({latestVersionAvailable})
+          {getStatusMessage(
+            versions.length === 0,
+            latestVersionAvailable,
+            isNewVersionAvailable
+          )}
+          {versions.length === 0 && (
+            <Tooltip
+              message={
+                <div>
+                  Portainer is unable to find any versions for this chart in the
+                  repositories saved. Try adding a new repository which contains
+                  the chart in the{' '}
+                  <Link
+                    to="portainer.account"
+                    params={{ '#': 'helm-repositories' }}
+                    data-cy="user-settings-link"
+                  >
+                    Helm repositories settings
+                  </Link>
+                </div>
+              }
+            />
+          )}
+          <button
+            onClick={handleRefreshVersions}
+            className="text-primary hover:text-primary-light cursor-pointer bg-transparent border-0 pl-1 p-0"
+            type="button"
+          >
+            Refresh versions
+          </button>
         </span>
       )}
     </div>
@@ -164,4 +185,18 @@ export function UpgradeButton({
       },
     });
   }
+
+  function getStatusMessage(
+    hasNoAvailableVersions: boolean,
+    latestVersionAvailable: string,
+    isNewVersionAvailable: boolean
+  ): string {
+    if (hasNoAvailableVersions) {
+      return 'No versions available ';
+    }
+    if (isNewVersionAvailable) {
+      return `New version available (${latestVersionAvailable}) `;
+    }
+    return '';
+  }
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
index 733b79dea..bf11eadb1 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
@@ -45,20 +45,21 @@ export function useHelmRepositories() {
 export function useHelmRepoVersions(
   chart: string,
   staleTime: number,
-  repositories: string[] = []
+  repositories: string[] = [],
+  useCache: boolean = true
 ) {
   // Fetch versions from each repository in parallel as separate queries
   const versionQueries = useQueries({
     queries: useMemo(
       () =>
         repositories.map((repo) => ({
-          queryKey: ['helm', 'repositories', chart, repo],
-          queryFn: () => getSearchHelmRepo(repo, chart),
+          queryKey: ['helm', 'repositories', chart, repo, useCache],
+          queryFn: () => getSearchHelmRepo(repo, chart, useCache),
           enabled: !!chart && repositories.length > 0,
           staleTime,
           ...withGlobalError(`Unable to retrieve versions from ${repo}`),
         })),
-      [repositories, chart, staleTime]
+      [repositories, chart, staleTime, useCache]
     ),
   });
 
@@ -72,6 +73,8 @@ export function useHelmRepoVersions(
     data: allVersions,
     isInitialLoading: versionQueries.some((q) => q.isLoading),
     isError: versionQueries.some((q) => q.isError),
+    isFetching: versionQueries.some((q) => q.isFetching),
+    refetch: () => Promise.all(versionQueries.map((q) => q.refetch())),
   };
 }
 
@@ -80,11 +83,12 @@ export function useHelmRepoVersions(
  */
 async function getSearchHelmRepo(
   repo: string,
-  chart: string
+  chart: string,
+  useCache: boolean = true
 ): Promise<ChartVersion[]> {
   try {
     const { data } = await axios.get<HelmSearch>(`templates/helm`, {
-      params: { repo, chart },
+      params: { repo, chart, useCache },
     });
     const versions = data.entries[chart];
     return (
diff --git a/pkg/libhelm/options/search_repo_options.go b/pkg/libhelm/options/search_repo_options.go
index 73acc5709..0b35c0bbd 100644
--- a/pkg/libhelm/options/search_repo_options.go
+++ b/pkg/libhelm/options/search_repo_options.go
@@ -3,6 +3,8 @@ package options
 import "net/http"
 
 type SearchRepoOptions struct {
-	Repo   string       `example:"https://charts.gitlab.io/"`
-	Client *http.Client `example:"&http.Client{Timeout: time.Second * 10}"`
+	Repo     string       `example:"https://charts.gitlab.io/"`
+	Client   *http.Client `example:"&http.Client{Timeout: time.Second * 10}"`
+	Chart    string       `example:"my-chart"`
+	UseCache bool         `example:"false"`
 }
diff --git a/pkg/libhelm/sdk/search_repo.go b/pkg/libhelm/sdk/search_repo.go
index 90dd98529..63015330c 100644
--- a/pkg/libhelm/sdk/search_repo.go
+++ b/pkg/libhelm/sdk/search_repo.go
@@ -4,6 +4,8 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"sync"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/portainer/portainer/pkg/libhelm/options"
@@ -25,6 +27,17 @@ type RepoIndex struct {
 	Generated  string                 `json:"generated"`
 }
 
+type RepoIndexCache struct {
+	Index     *repo.IndexFile
+	Timestamp time.Time
+}
+
+var (
+	indexCache    = make(map[string]RepoIndexCache)
+	cacheMutex    sync.RWMutex
+	cacheDuration = 60 * time.Minute
+)
+
 // SearchRepo downloads the `index.yaml` file for specified repo, parses it and returns JSON to caller.
 func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error) {
 	// Validate input options
@@ -53,6 +66,18 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, err
 	}
 
+	// Check cache first
+	if searchRepoOpts.UseCache {
+		cacheMutex.RLock()
+		if cached, exists := indexCache[repoURL.String()]; exists {
+			if time.Since(cached.Timestamp) < cacheDuration {
+				cacheMutex.RUnlock()
+				return convertAndMarshalIndex(cached.Index, searchRepoOpts.Chart)
+			}
+		}
+		cacheMutex.RUnlock()
+	}
+
 	// Set up Helm CLI environment
 	repoSettings := cli.New()
 
@@ -92,23 +117,21 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, err
 	}
 
-	// Convert the index file to our response format
-	result, err := convertIndexToResponse(indexFile)
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Err(err).
-			Msg("Failed to convert index to response format")
-		return nil, errors.Wrap(err, "failed to convert index to response format")
+	// Update cache and remove old entries
+	cacheMutex.Lock()
+	indexCache[searchRepoOpts.Repo] = RepoIndexCache{
+		Index:     indexFile,
+		Timestamp: time.Now(),
+	}
+	for key, index := range indexCache {
+		if time.Since(index.Timestamp) > cacheDuration {
+			delete(indexCache, key)
+		}
 	}
 
-	log.Debug().
-		Str("context", "HelmClient").
-		Str("repo", searchRepoOpts.Repo).
-		Int("entries_count", len(indexFile.Entries)).
-		Msg("Successfully searched repository")
+	cacheMutex.Unlock()
 
-	return json.Marshal(result)
+	return convertAndMarshalIndex(indexFile, searchRepoOpts.Chart)
 }
 
 // validateSearchRepoOptions validates the required search repository options.
@@ -216,7 +239,7 @@ func loadIndexFile(indexPath string) (*repo.IndexFile, error) {
 }
 
 // convertIndexToResponse converts the Helm index file to our response format.
-func convertIndexToResponse(indexFile *repo.IndexFile) (RepoIndex, error) {
+func convertIndexToResponse(indexFile *repo.IndexFile, chartName string) (RepoIndex, error) {
 	result := RepoIndex{
 		APIVersion: indexFile.APIVersion,
 		Entries:    make(map[string][]ChartInfo),
@@ -225,7 +248,9 @@ func convertIndexToResponse(indexFile *repo.IndexFile) (RepoIndex, error) {
 
 	// Convert Helm SDK types to our response types
 	for name, charts := range indexFile.Entries {
-		result.Entries[name] = convertChartsToChartInfo(charts)
+		if chartName == "" || name == chartName {
+			result.Entries[name] = convertChartsToChartInfo(charts)
+		}
 	}
 
 	return result, nil
@@ -349,3 +374,23 @@ func ensureHelmDirectoriesExist(settings *cli.EnvSettings) error {
 
 	return nil
 }
+
+func convertAndMarshalIndex(indexFile *repo.IndexFile, chartName string) ([]byte, error) {
+	// Convert the index file to our response format
+	result, err := convertIndexToResponse(indexFile, chartName)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to convert index to response format")
+		return nil, errors.Wrap(err, "failed to convert index to response format")
+	}
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("repo", chartName).
+		Int("entries_count", len(indexFile.Entries)).
+		Msg("Successfully searched repository")
+
+	return json.Marshal(result)
+}

From 32ef20827825f895a92f7340ff05d68a9a48d8e2 Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Mon, 26 May 2025 16:58:53 +1200
Subject: [PATCH 131/212] Revert "feat(helm): filter on chart versions at API
 level [R8S-324]" (#753)

---
 api/http/handler/helm/helm_repo_search.go     |  8 +-
 .../ChartActions/UpgradeButton.test.tsx       | 10 ---
 .../ChartActions/UpgradeButton.tsx            | 87 ++++++-------------
 .../queries/useHelmRepositories.ts            | 16 ++--
 pkg/libhelm/options/search_repo_options.go    |  6 +-
 pkg/libhelm/sdk/search_repo.go                | 77 ++++------------
 6 files changed, 51 insertions(+), 153 deletions(-)

diff --git a/api/http/handler/helm/helm_repo_search.go b/api/http/handler/helm/helm_repo_search.go
index 976558b9b..aab9c523d 100644
--- a/api/http/handler/helm/helm_repo_search.go
+++ b/api/http/handler/helm/helm_repo_search.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
-	"github.com/portainer/portainer/pkg/libhttp/request"
 
 	"github.com/pkg/errors"
 )
@@ -33,18 +32,13 @@ func (handler *Handler) helmRepoSearch(w http.ResponseWriter, r *http.Request) *
 		return httperror.BadRequest("Bad request", errors.New("missing `repo` query parameter"))
 	}
 
-	chart, _ := request.RetrieveQueryParameter(r, "chart", false)
-	useCache, _ := request.RetrieveBooleanQueryParameter(r, "useCache", false)
-
 	_, err := url.ParseRequestURI(repo)
 	if err != nil {
 		return httperror.BadRequest("Bad request", errors.Wrap(err, fmt.Sprintf("provided URL %q is not valid", repo)))
 	}
 
 	searchOpts := options.SearchRepoOptions{
-		Repo:     repo,
-		Chart:    chart,
-		UseCache: useCache,
+		Repo: repo,
 	}
 
 	result, err := handler.helmPackageManager.SearchRepo(searchOpts)
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
index b45a54e79..4bea0bf47 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -33,8 +33,6 @@ vi.mock('../queries/useHelmRepositories', () => ({
     ],
     isInitialLoading: false,
     isError: false,
-    isFetching: false,
-    refetch: vi.fn(() => Promise.resolve([])),
   })),
   useHelmRepositories: vi.fn(() => ({
     data: ['repo1', 'repo2'],
@@ -83,8 +81,6 @@ describe('UpgradeButton', () => {
       data,
       isInitialLoading: false,
       isError: false,
-      isFetching: false,
-      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -98,8 +94,6 @@ describe('UpgradeButton', () => {
       data: [],
       isInitialLoading: true,
       isError: false,
-      isFetching: false,
-      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -115,8 +109,6 @@ describe('UpgradeButton', () => {
       data,
       isInitialLoading: false,
       isError: false,
-      isFetching: false,
-      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -147,8 +139,6 @@ describe('UpgradeButton', () => {
       ],
       isInitialLoading: false,
       isError: false,
-      isFetching: false,
-      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton({ release: mockRelease });
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 7376877e4..4c385c388 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -1,6 +1,5 @@
 import { ArrowUp } from 'lucide-react';
 import { useRouter } from '@uirouter/react';
-import { useState } from 'react';
 
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { notifySuccess } from '@/portainer/services/notifications';
@@ -42,19 +41,16 @@ export function UpgradeButton({
   const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
 
   const repositoriesQuery = useHelmRepositories();
-  const [useCache, setUseCache] = useState(true);
   const helmRepoVersionsQuery = useHelmRepoVersions(
     release?.chart.metadata?.name || '',
     60 * 60 * 1000, // 1 hour
-    repositoriesQuery.data,
-    useCache
+    repositoriesQuery.data
   );
   const versions = helmRepoVersionsQuery.data;
 
   // Combined loading state
   const isInitialLoading =
     repositoriesQuery.isInitialLoading ||
-    helmRepoVersionsQuery.isFetching ||
     helmRepoVersionsQuery.isInitialLoading;
   const isError = repositoriesQuery.isError || helmRepoVersionsQuery.isError;
 
@@ -62,10 +58,9 @@ export function UpgradeButton({
     select: (data) => data.chart.metadata?.version,
   });
   const latestVersionAvailable = versions[0]?.Version ?? '';
-  const isNewVersionAvailable = Boolean(
+  const isNewVersionAvailable =
     latestVersion?.data &&
-      semverCompare(latestVersionAvailable, latestVersion?.data) === 1
-  );
+    semverCompare(latestVersionAvailable, latestVersion?.data) === 1;
 
   const editableHelmRelease: UpdateHelmReleasePayload = {
     name: releaseName,
@@ -75,14 +70,6 @@ export function UpgradeButton({
     version: release?.chart.metadata?.version,
   };
 
-  function handleRefreshVersions() {
-    if (useCache === false) {
-      helmRepoVersionsQuery.refetch();
-    } else {
-      setUseCache(false);
-    }
-  }
-
   return (
     <div className="relative">
       <LoadingButton
@@ -110,38 +97,30 @@ export function UpgradeButton({
           Checking for new versions...
         </InlineLoader>
       )}
-      {!isInitialLoading && !isError && (
+      {versions.length === 0 && !isInitialLoading && !isError && (
         <span className="absolute flex items-center -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
-          {getStatusMessage(
-            versions.length === 0,
-            latestVersionAvailable,
-            isNewVersionAvailable
-          )}
-          {versions.length === 0 && (
-            <Tooltip
-              message={
-                <div>
-                  Portainer is unable to find any versions for this chart in the
-                  repositories saved. Try adding a new repository which contains
-                  the chart in the{' '}
-                  <Link
-                    to="portainer.account"
-                    params={{ '#': 'helm-repositories' }}
-                    data-cy="user-settings-link"
-                  >
-                    Helm repositories settings
-                  </Link>
-                </div>
-              }
-            />
-          )}
-          <button
-            onClick={handleRefreshVersions}
-            className="text-primary hover:text-primary-light cursor-pointer bg-transparent border-0 pl-1 p-0"
-            type="button"
-          >
-            Refresh versions
-          </button>
+          No versions available
+          <Tooltip
+            message={
+              <div>
+                Portainer is unable to find any versions for this chart in the
+                repositories saved. Try adding a new repository which contains
+                the chart in the{' '}
+                <Link
+                  to="portainer.account"
+                  params={{ '#': 'helm-repositories' }}
+                  data-cy="user-settings-link"
+                >
+                  Helm repositories settings
+                </Link>
+              </div>
+            }
+          />
+        </span>
+      )}
+      {isNewVersionAvailable && (
+        <span className="absolute -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
+          New version available ({latestVersionAvailable})
         </span>
       )}
     </div>
@@ -185,18 +164,4 @@ export function UpgradeButton({
       },
     });
   }
-
-  function getStatusMessage(
-    hasNoAvailableVersions: boolean,
-    latestVersionAvailable: string,
-    isNewVersionAvailable: boolean
-  ): string {
-    if (hasNoAvailableVersions) {
-      return 'No versions available ';
-    }
-    if (isNewVersionAvailable) {
-      return `New version available (${latestVersionAvailable}) `;
-    }
-    return '';
-  }
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
index bf11eadb1..733b79dea 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
@@ -45,21 +45,20 @@ export function useHelmRepositories() {
 export function useHelmRepoVersions(
   chart: string,
   staleTime: number,
-  repositories: string[] = [],
-  useCache: boolean = true
+  repositories: string[] = []
 ) {
   // Fetch versions from each repository in parallel as separate queries
   const versionQueries = useQueries({
     queries: useMemo(
       () =>
         repositories.map((repo) => ({
-          queryKey: ['helm', 'repositories', chart, repo, useCache],
-          queryFn: () => getSearchHelmRepo(repo, chart, useCache),
+          queryKey: ['helm', 'repositories', chart, repo],
+          queryFn: () => getSearchHelmRepo(repo, chart),
           enabled: !!chart && repositories.length > 0,
           staleTime,
           ...withGlobalError(`Unable to retrieve versions from ${repo}`),
         })),
-      [repositories, chart, staleTime, useCache]
+      [repositories, chart, staleTime]
     ),
   });
 
@@ -73,8 +72,6 @@ export function useHelmRepoVersions(
     data: allVersions,
     isInitialLoading: versionQueries.some((q) => q.isLoading),
     isError: versionQueries.some((q) => q.isError),
-    isFetching: versionQueries.some((q) => q.isFetching),
-    refetch: () => Promise.all(versionQueries.map((q) => q.refetch())),
   };
 }
 
@@ -83,12 +80,11 @@ export function useHelmRepoVersions(
  */
 async function getSearchHelmRepo(
   repo: string,
-  chart: string,
-  useCache: boolean = true
+  chart: string
 ): Promise<ChartVersion[]> {
   try {
     const { data } = await axios.get<HelmSearch>(`templates/helm`, {
-      params: { repo, chart, useCache },
+      params: { repo, chart },
     });
     const versions = data.entries[chart];
     return (
diff --git a/pkg/libhelm/options/search_repo_options.go b/pkg/libhelm/options/search_repo_options.go
index 0b35c0bbd..73acc5709 100644
--- a/pkg/libhelm/options/search_repo_options.go
+++ b/pkg/libhelm/options/search_repo_options.go
@@ -3,8 +3,6 @@ package options
 import "net/http"
 
 type SearchRepoOptions struct {
-	Repo     string       `example:"https://charts.gitlab.io/"`
-	Client   *http.Client `example:"&http.Client{Timeout: time.Second * 10}"`
-	Chart    string       `example:"my-chart"`
-	UseCache bool         `example:"false"`
+	Repo   string       `example:"https://charts.gitlab.io/"`
+	Client *http.Client `example:"&http.Client{Timeout: time.Second * 10}"`
 }
diff --git a/pkg/libhelm/sdk/search_repo.go b/pkg/libhelm/sdk/search_repo.go
index 63015330c..90dd98529 100644
--- a/pkg/libhelm/sdk/search_repo.go
+++ b/pkg/libhelm/sdk/search_repo.go
@@ -4,8 +4,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"sync"
-	"time"
 
 	"github.com/pkg/errors"
 	"github.com/portainer/portainer/pkg/libhelm/options"
@@ -27,17 +25,6 @@ type RepoIndex struct {
 	Generated  string                 `json:"generated"`
 }
 
-type RepoIndexCache struct {
-	Index     *repo.IndexFile
-	Timestamp time.Time
-}
-
-var (
-	indexCache    = make(map[string]RepoIndexCache)
-	cacheMutex    sync.RWMutex
-	cacheDuration = 60 * time.Minute
-)
-
 // SearchRepo downloads the `index.yaml` file for specified repo, parses it and returns JSON to caller.
 func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error) {
 	// Validate input options
@@ -66,18 +53,6 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, err
 	}
 
-	// Check cache first
-	if searchRepoOpts.UseCache {
-		cacheMutex.RLock()
-		if cached, exists := indexCache[repoURL.String()]; exists {
-			if time.Since(cached.Timestamp) < cacheDuration {
-				cacheMutex.RUnlock()
-				return convertAndMarshalIndex(cached.Index, searchRepoOpts.Chart)
-			}
-		}
-		cacheMutex.RUnlock()
-	}
-
 	// Set up Helm CLI environment
 	repoSettings := cli.New()
 
@@ -117,21 +92,23 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, err
 	}
 
-	// Update cache and remove old entries
-	cacheMutex.Lock()
-	indexCache[searchRepoOpts.Repo] = RepoIndexCache{
-		Index:     indexFile,
-		Timestamp: time.Now(),
-	}
-	for key, index := range indexCache {
-		if time.Since(index.Timestamp) > cacheDuration {
-			delete(indexCache, key)
-		}
+	// Convert the index file to our response format
+	result, err := convertIndexToResponse(indexFile)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to convert index to response format")
+		return nil, errors.Wrap(err, "failed to convert index to response format")
 	}
 
-	cacheMutex.Unlock()
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("repo", searchRepoOpts.Repo).
+		Int("entries_count", len(indexFile.Entries)).
+		Msg("Successfully searched repository")
 
-	return convertAndMarshalIndex(indexFile, searchRepoOpts.Chart)
+	return json.Marshal(result)
 }
 
 // validateSearchRepoOptions validates the required search repository options.
@@ -239,7 +216,7 @@ func loadIndexFile(indexPath string) (*repo.IndexFile, error) {
 }
 
 // convertIndexToResponse converts the Helm index file to our response format.
-func convertIndexToResponse(indexFile *repo.IndexFile, chartName string) (RepoIndex, error) {
+func convertIndexToResponse(indexFile *repo.IndexFile) (RepoIndex, error) {
 	result := RepoIndex{
 		APIVersion: indexFile.APIVersion,
 		Entries:    make(map[string][]ChartInfo),
@@ -248,9 +225,7 @@ func convertIndexToResponse(indexFile *repo.IndexFile, chartName string) (RepoIn
 
 	// Convert Helm SDK types to our response types
 	for name, charts := range indexFile.Entries {
-		if chartName == "" || name == chartName {
-			result.Entries[name] = convertChartsToChartInfo(charts)
-		}
+		result.Entries[name] = convertChartsToChartInfo(charts)
 	}
 
 	return result, nil
@@ -374,23 +349,3 @@ func ensureHelmDirectoriesExist(settings *cli.EnvSettings) error {
 
 	return nil
 }
-
-func convertAndMarshalIndex(indexFile *repo.IndexFile, chartName string) ([]byte, error) {
-	// Convert the index file to our response format
-	result, err := convertIndexToResponse(indexFile, chartName)
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Err(err).
-			Msg("Failed to convert index to response format")
-		return nil, errors.Wrap(err, "failed to convert index to response format")
-	}
-
-	log.Debug().
-		Str("context", "HelmClient").
-		Str("repo", chartName).
-		Int("entries_count", len(indexFile.Entries)).
-		Msg("Successfully searched repository")
-
-	return json.Marshal(result)
-}

From 07dfd981a21279518f3dbae2429c4e0f091e1648 Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Tue, 27 May 2025 13:55:31 +1200
Subject: [PATCH 132/212] fix(kubernetes): events api to call the backend
 [R8S-243] (#563)

---
 api/http/handler/kubernetes/client.go         |   4 +-
 .../kubernetes/cluster_role_bindings.go       |   2 +-
 api/http/handler/kubernetes/cluster_roles.go  |   2 +-
 api/http/handler/kubernetes/event.go          | 102 +++++++++
 api/http/handler/kubernetes/event_test.go     |  60 ++++++
 api/http/handler/kubernetes/handler.go        |   6 +-
 api/http/models/kubernetes/event.go           |  25 +++
 api/internal/testhelpers/kube_client.go       |  19 ++
 api/kubernetes/cli/access.go                  |  20 ++
 api/kubernetes/cli/client.go                  |   4 +
 api/kubernetes/cli/event.go                   |  93 ++++++++
 api/kubernetes/cli/event_test.go              | 108 ++++++++++
 api/portainer.go                              | 147 +++++++++----
 .../configmap/edit/configMap.html             |   2 +-
 .../configurations/secret/edit/secret.html    |   2 +-
 .../EventsDatatable/EventsDatatable.test.tsx  |  83 +++++++
 .../EventsDatatable/EventsDatatable.tsx       |   4 +-
 .../ResourceEventsDatatable.tsx               |   4 +-
 .../EventsDatatable/columns/eventType.tsx     |   3 +-
 .../EventsDatatable/columns/helper.ts         |   3 +-
 .../EventsDatatable/columns/kind.tsx          |   3 +-
 .../HelmApplicationView.test.tsx              |  33 +--
 .../HelmEventsDatatable.test.tsx              | 202 +++++++-----------
 .../ReleaseDetails/HelmEventsDatatable.tsx    |   2 +-
 app/react/kubernetes/queries/types.ts         |  19 ++
 app/react/kubernetes/queries/useEvents.ts     |  15 +-
 26 files changed, 750 insertions(+), 217 deletions(-)
 create mode 100644 api/http/handler/kubernetes/event.go
 create mode 100644 api/http/handler/kubernetes/event_test.go
 create mode 100644 api/http/models/kubernetes/event.go
 create mode 100644 api/internal/testhelpers/kube_client.go
 create mode 100644 api/kubernetes/cli/event.go
 create mode 100644 api/kubernetes/cli/event_test.go
 create mode 100644 app/react/kubernetes/components/EventsDatatable/EventsDatatable.test.tsx
 create mode 100644 app/react/kubernetes/queries/types.ts

diff --git a/api/http/handler/kubernetes/client.go b/api/http/handler/kubernetes/client.go
index a85f2cff9..6612ab7f4 100644
--- a/api/http/handler/kubernetes/client.go
+++ b/api/http/handler/kubernetes/client.go
@@ -30,8 +30,8 @@ func (handler *Handler) prepareKubeClient(r *http.Request) (*cli.KubeClient, *ht
 		log.Error().Err(err).Str("context", "prepareKubeClient").Msg("Unable to get a privileged Kubernetes client for the user.")
 		return nil, httperror.InternalServerError("Unable to get a privileged Kubernetes client for the user.", err)
 	}
-	pcli.IsKubeAdmin = cli.IsKubeAdmin
-	pcli.NonAdminNamespaces = cli.NonAdminNamespaces
+	pcli.SetIsKubeAdmin(cli.GetIsKubeAdmin())
+	pcli.SetClientNonAdminNamespaces(cli.GetClientNonAdminNamespaces())
 
 	return pcli, nil
 }
diff --git a/api/http/handler/kubernetes/cluster_role_bindings.go b/api/http/handler/kubernetes/cluster_role_bindings.go
index a5050c947..83621a900 100644
--- a/api/http/handler/kubernetes/cluster_role_bindings.go
+++ b/api/http/handler/kubernetes/cluster_role_bindings.go
@@ -32,7 +32,7 @@ func (handler *Handler) getAllKubernetesClusterRoleBindings(w http.ResponseWrite
 		return httperror.Forbidden("User is not authorized to fetch cluster role bindings from the Kubernetes cluster.", httpErr)
 	}
 
-	if !cli.IsKubeAdmin {
+	if !cli.GetIsKubeAdmin() {
 		log.Error().Str("context", "getAllKubernetesClusterRoleBindings").Msg("user is not authorized to fetch cluster role bindings from the Kubernetes cluster.")
 		return httperror.Forbidden("User is not authorized to fetch cluster role bindings from the Kubernetes cluster.", nil)
 	}
diff --git a/api/http/handler/kubernetes/cluster_roles.go b/api/http/handler/kubernetes/cluster_roles.go
index 3fd2ca8aa..6d5d028be 100644
--- a/api/http/handler/kubernetes/cluster_roles.go
+++ b/api/http/handler/kubernetes/cluster_roles.go
@@ -32,7 +32,7 @@ func (handler *Handler) getAllKubernetesClusterRoles(w http.ResponseWriter, r *h
 		return httperror.Forbidden("User is not authorized to fetch cluster roles from the Kubernetes cluster.", httpErr)
 	}
 
-	if !cli.IsKubeAdmin {
+	if !cli.GetIsKubeAdmin() {
 		log.Error().Str("context", "getAllKubernetesClusterRoles").Msg("user is not authorized to fetch cluster roles from the Kubernetes cluster.")
 		return httperror.Forbidden("User is not authorized to fetch cluster roles from the Kubernetes cluster.", nil)
 	}
diff --git a/api/http/handler/kubernetes/event.go b/api/http/handler/kubernetes/event.go
new file mode 100644
index 000000000..0e226d5ec
--- /dev/null
+++ b/api/http/handler/kubernetes/event.go
@@ -0,0 +1,102 @@
+package kubernetes
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
+	"github.com/portainer/portainer/pkg/libhttp/response"
+	"github.com/rs/zerolog/log"
+	k8serrors "k8s.io/apimachinery/pkg/api/errors"
+)
+
+// @id getKubernetesEventsForNamespace
+// @summary Gets kubernetes events for namespace
+// @description Get events by optional query param resourceId for a given namespace.
+// @description **Access policy**: Authenticated user.
+// @tags kubernetes
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment identifier"
+// @param namespace path string true "The namespace name the events are associated to"
+// @param resourceId query string false "The resource id of the involved kubernetes object" example:"e5b021b6-4bce-4c06-bd3b-6cca906797aa"
+// @success 200 {object} models.Event[] "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 500 "Server error occurred while attempting to retrieve the events within the specified namespace."
+// @router /kubernetes/{id}/namespaces/{namespace}/events [get]
+func (handler *Handler) getKubernetesEventsForNamespace(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	namespace, err := request.RetrieveRouteVariableValue(r, "namespace")
+	if err != nil {
+		log.Error().Err(err).Str("context", "getKubernetesEvents").Str("namespace", namespace).Msg("Unable to retrieve namespace identifier route variable")
+		return httperror.BadRequest("Unable to retrieve namespace identifier route variable", err)
+	}
+
+	resourceId, err := request.RetrieveQueryParameter(r, "resourceId", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "getKubernetesEvents").Msg("Unable to retrieve resourceId query parameter")
+		return httperror.BadRequest("Unable to retrieve resourceId query parameter", err)
+	}
+
+	cli, httpErr := handler.getProxyKubeClient(r)
+	if httpErr != nil {
+		log.Error().Err(httpErr).Str("context", "getKubernetesEvents").Str("resourceId", resourceId).Msg("Unable to get a Kubernetes client for the user")
+		return httperror.InternalServerError("Unable to get a Kubernetes client for the user", httpErr)
+	}
+
+	events, err := cli.GetEvents(namespace, resourceId)
+	if err != nil {
+		if k8serrors.IsUnauthorized(err) || k8serrors.IsForbidden(err) {
+			log.Error().Err(err).Str("context", "getKubernetesEvents").Msg("Unauthorized access to the Kubernetes API")
+			return httperror.Forbidden("Unauthorized access to the Kubernetes API", err)
+		}
+
+		log.Error().Err(err).Str("context", "getKubernetesEvents").Msg("Unable to retrieve events")
+		return httperror.InternalServerError("Unable to retrieve events", err)
+	}
+
+	return response.JSON(w, events)
+}
+
+// @id getAllKubernetesEvents
+// @summary Gets kubernetes events
+// @description Get events by query param resourceId
+// @description **Access policy**: Authenticated user.
+// @tags kubernetes
+// @security ApiKeyAuth || jwt
+// @produce json
+// @param id path int true "Environment identifier"
+// @param resourceId query string false "The resource id of the involved kubernetes object"  example:"e5b021b6-4bce-4c06-bd3b-6cca906797aa"
+// @success 200 {object} models.Event[] "Success"
+// @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
+// @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
+// @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
+// @failure 500 "Server error occurred while attempting to retrieve the events."
+// @router /kubernetes/{id}/events [get]
+func (handler *Handler) getAllKubernetesEvents(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	resourceId, err := request.RetrieveQueryParameter(r, "resourceId", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "getKubernetesEvents").Msg("Unable to retrieve resourceId query parameter")
+		return httperror.BadRequest("Unable to retrieve resourceId query parameter", err)
+	}
+
+	cli, httpErr := handler.getProxyKubeClient(r)
+	if httpErr != nil {
+		log.Error().Err(httpErr).Str("context", "getKubernetesEvents").Str("resourceId", resourceId).Msg("Unable to get a Kubernetes client for the user")
+		return httperror.InternalServerError("Unable to get a Kubernetes client for the user", httpErr)
+	}
+
+	events, err := cli.GetEvents("", resourceId)
+	if err != nil {
+		if k8serrors.IsUnauthorized(err) || k8serrors.IsForbidden(err) {
+			log.Error().Err(err).Str("context", "getKubernetesEvents").Msg("Unauthorized access to the Kubernetes API")
+			return httperror.Forbidden("Unauthorized access to the Kubernetes API", err)
+		}
+
+		log.Error().Err(err).Str("context", "getKubernetesEvents").Msg("Unable to retrieve events")
+		return httperror.InternalServerError("Unable to retrieve events", err)
+	}
+
+	return response.JSON(w, events)
+}
diff --git a/api/http/handler/kubernetes/event_test.go b/api/http/handler/kubernetes/event_test.go
new file mode 100644
index 000000000..77f38c511
--- /dev/null
+++ b/api/http/handler/kubernetes/event_test.go
@@ -0,0 +1,60 @@
+package kubernetes
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/authorization"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/kubernetes"
+	kubeClient "github.com/portainer/portainer/api/kubernetes/cli"
+	"github.com/stretchr/testify/assert"
+)
+
+// Currently this test just tests the HTTP Handler is setup correctly, in the future we should move the ClientFactory to a mock in order
+// test the logic in event.go
+func TestGetKubernetesEvents(t *testing.T) {
+	is := assert.New(t)
+
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	err := store.Endpoint().Create(&portainer.Endpoint{
+		ID:   1,
+		Type: portainer.AgentOnKubernetesEnvironment,
+	},
+	)
+	is.NoError(err, "error creating environment")
+
+	err = store.User().Create(&portainer.User{Username: "admin", Role: portainer.AdministratorRole})
+	is.NoError(err, "error creating a user")
+
+	jwtService, err := jwt.NewService("1h", store)
+	is.NoError(err, "Error initiating jwt service")
+
+	tk, _, _ := jwtService.GenerateToken(&portainer.TokenData{ID: 1, Username: "admin", Role: portainer.AdministratorRole})
+
+	kubeClusterAccessService := kubernetes.NewKubeClusterAccessService("", "", "")
+
+	cli := testhelpers.NewKubernetesClient()
+	factory, _ := kubeClient.NewClientFactory(nil, nil, store, "", "", "")
+
+	authorizationService := authorization.NewService(store)
+	handler := NewHandler(testhelpers.NewTestRequestBouncer(), authorizationService, store, jwtService, kubeClusterAccessService,
+		factory, cli)
+	is.NotNil(handler, "Handler should not fail")
+
+	req := httptest.NewRequest(http.MethodGet, "/kubernetes/1/events?resourceId=8", nil)
+	ctx := security.StoreTokenData(req, &portainer.TokenData{ID: 1, Username: "admin", Role: 1})
+	req = req.WithContext(ctx)
+	testhelpers.AddTestSecurityCookie(req, tk)
+
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	is.Equal(http.StatusOK, rr.Code, "Status should be 200")
+}
diff --git a/api/http/handler/kubernetes/handler.go b/api/http/handler/kubernetes/handler.go
index cc068e4a4..07f6bdf3f 100644
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@@ -58,6 +58,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	endpointRouter.Handle("/configmaps/count", httperror.LoggerHandler(h.getAllKubernetesConfigMapsCount)).Methods(http.MethodGet)
 	endpointRouter.Handle("/cron_jobs", httperror.LoggerHandler(h.getAllKubernetesCronJobs)).Methods(http.MethodGet)
 	endpointRouter.Handle("/cron_jobs/delete", httperror.LoggerHandler(h.deleteKubernetesCronJobs)).Methods(http.MethodPost)
+	endpointRouter.Handle("/events", httperror.LoggerHandler(h.getAllKubernetesEvents)).Methods(http.MethodGet)
 	endpointRouter.Handle("/jobs", httperror.LoggerHandler(h.getAllKubernetesJobs)).Methods(http.MethodGet)
 	endpointRouter.Handle("/jobs/delete", httperror.LoggerHandler(h.deleteKubernetesJobs)).Methods(http.MethodPost)
 	endpointRouter.Handle("/cluster_roles", httperror.LoggerHandler(h.getAllKubernetesClusterRoles)).Methods(http.MethodGet)
@@ -110,6 +111,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 	// to keep it simple, we've decided to leave it like this.
 	namespaceRouter := endpointRouter.PathPrefix("/namespaces/{namespace}").Subrouter()
 	namespaceRouter.Handle("/configmaps/{configmap}", httperror.LoggerHandler(h.getKubernetesConfigMap)).Methods(http.MethodGet)
+	namespaceRouter.Handle("/events", httperror.LoggerHandler(h.getKubernetesEventsForNamespace)).Methods(http.MethodGet)
 	namespaceRouter.Handle("/system", bouncer.RestrictedAccess(httperror.LoggerHandler(h.namespacesToggleSystem))).Methods(http.MethodPut)
 	namespaceRouter.Handle("/ingresscontrollers", httperror.LoggerHandler(h.getKubernetesIngressControllersByNamespace)).Methods(http.MethodGet)
 	namespaceRouter.Handle("/ingresscontrollers", httperror.LoggerHandler(h.updateKubernetesIngressControllersByNamespace)).Methods(http.MethodPut)
@@ -133,7 +135,7 @@ func NewHandler(bouncer security.BouncerService, authorizationService *authoriza
 // getProxyKubeClient gets a kubeclient for the user.  It's generally what you want as it retrieves the kubeclient
 // from the Authorization token of the currently logged in user.  The kubeclient that is not from the proxy is actually using
 // admin permissions.  If you're unsure which one to use, use this.
-func (h *Handler) getProxyKubeClient(r *http.Request) (*cli.KubeClient, *httperror.HandlerError) {
+func (h *Handler) getProxyKubeClient(r *http.Request) (portainer.KubeClient, *httperror.HandlerError) {
 	endpointID, err := request.RetrieveNumericRouteVariableValue(r, "id")
 	if err != nil {
 		return nil, httperror.BadRequest(fmt.Sprintf("an error occurred during the getProxyKubeClient operation, the environment identifier route variable is invalid for /api/kubernetes/%d. Error: ", endpointID), err)
@@ -253,7 +255,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}
 		serverURL.Scheme = "https"
-		serverURL.Host = "localhost" + handler.KubernetesClientFactory.AddrHTTPS
+		serverURL.Host = "localhost" + handler.KubernetesClientFactory.GetAddrHTTPS()
 		config.Clusters[0].Cluster.Server = serverURL.String()
 
 		yaml, err := cli.GenerateYAML(config)
diff --git a/api/http/models/kubernetes/event.go b/api/http/models/kubernetes/event.go
new file mode 100644
index 000000000..be447b554
--- /dev/null
+++ b/api/http/models/kubernetes/event.go
@@ -0,0 +1,25 @@
+package kubernetes
+
+import "time"
+
+type K8sEvent struct {
+	Type               string                 `json:"type"`
+	Name               string                 `json:"name"`
+	Reason             string                 `json:"reason"`
+	Message            string                 `json:"message"`
+	Namespace          string                 `json:"namespace"`
+	EventTime          time.Time              `json:"eventTime"`
+	Kind               string                 `json:"kind,omitempty"`
+	Count              int32                  `json:"count"`
+	FirstTimestamp     *time.Time             `json:"firstTimestamp,omitempty"`
+	LastTimestamp      *time.Time             `json:"lastTimestamp,omitempty"`
+	UID                string                 `json:"uid"`
+	InvolvedObjectKind K8sEventInvolvedObject `json:"involvedObject"`
+}
+
+type K8sEventInvolvedObject struct {
+	Kind      string `json:"kind,omitempty"`
+	UID       string `json:"uid"`
+	Name      string `json:"name"`
+	Namespace string `json:"namespace"`
+}
diff --git a/api/internal/testhelpers/kube_client.go b/api/internal/testhelpers/kube_client.go
new file mode 100644
index 000000000..550e7ce92
--- /dev/null
+++ b/api/internal/testhelpers/kube_client.go
@@ -0,0 +1,19 @@
+package testhelpers
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
+)
+
+type testKubeClient struct {
+	portainer.KubeClient
+}
+
+func NewKubernetesClient() portainer.KubeClient {
+	return &testKubeClient{}
+}
+
+// Event
+func (kcl *testKubeClient) GetEvents(namespace string, resourceId string) ([]models.K8sEvent, error) {
+	return nil, nil
+}
diff --git a/api/kubernetes/cli/access.go b/api/kubernetes/cli/access.go
index 73f8d50af..6f254c296 100644
--- a/api/kubernetes/cli/access.go
+++ b/api/kubernetes/cli/access.go
@@ -143,3 +143,23 @@ func (kcl *KubeClient) GetNonAdminNamespaces(userID int, teamIDs []int, isRestri
 
 	return nonAdminNamespaces, nil
 }
+
+// GetIsKubeAdmin retrieves true if client is admin
+func (client *KubeClient) GetIsKubeAdmin() bool {
+	return client.IsKubeAdmin
+}
+
+// UpdateIsKubeAdmin sets whether the kube client is admin
+func (client *KubeClient) SetIsKubeAdmin(isKubeAdmin bool) {
+	client.IsKubeAdmin = isKubeAdmin
+}
+
+// GetClientNonAdminNamespaces retrieves non-admin namespaces
+func (client *KubeClient) GetClientNonAdminNamespaces() []string {
+	return client.NonAdminNamespaces
+}
+
+// UpdateClientNonAdminNamespaces sets the client non admin namespace list
+func (client *KubeClient) SetClientNonAdminNamespaces(nonAdminNamespaces []string) {
+	client.NonAdminNamespaces = nonAdminNamespaces
+}
diff --git a/api/kubernetes/cli/client.go b/api/kubernetes/cli/client.go
index 6d2cc437c..a40a865f1 100644
--- a/api/kubernetes/cli/client.go
+++ b/api/kubernetes/cli/client.go
@@ -82,6 +82,10 @@ func (factory *ClientFactory) RemoveKubeClient(endpointID portainer.EndpointID)
 	factory.endpointProxyClients.Delete(strconv.Itoa(int(endpointID)))
 }
 
+func (factory *ClientFactory) GetAddrHTTPS() string {
+	return factory.AddrHTTPS
+}
+
 // GetPrivilegedKubeClient checks if an existing client is already registered for the environment(endpoint) and returns it if one is found.
 // If no client is registered, it will create a new client, register it, and returns it.
 func (factory *ClientFactory) GetPrivilegedKubeClient(endpoint *portainer.Endpoint) (*KubeClient, error) {
diff --git a/api/kubernetes/cli/event.go b/api/kubernetes/cli/event.go
new file mode 100644
index 000000000..03472fca6
--- /dev/null
+++ b/api/kubernetes/cli/event.go
@@ -0,0 +1,93 @@
+package cli
+
+import (
+	"context"
+
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// GetEvents gets all the Events for a given namespace and resource
+// If the user is a kube admin, it returns all events in the namespace
+// Otherwise, it returns only the events in the non-admin namespaces
+func (kcl *KubeClient) GetEvents(namespace string, resourceId string) ([]models.K8sEvent, error) {
+	if kcl.IsKubeAdmin {
+		return kcl.fetchAllEvents(namespace, resourceId)
+	}
+
+	return kcl.fetchEventsForNonAdmin(namespace, resourceId)
+}
+
+// fetchEventsForNonAdmin returns all events in the given namespace and resource
+// It returns only the events in the non-admin namespaces
+func (kcl *KubeClient) fetchEventsForNonAdmin(namespace string, resourceId string) ([]models.K8sEvent, error) {
+	if len(kcl.NonAdminNamespaces) == 0 {
+		return nil, nil
+	}
+
+	events, err := kcl.fetchAllEvents(namespace, resourceId)
+	if err != nil {
+		return nil, err
+	}
+
+	nonAdminNamespaceSet := kcl.buildNonAdminNamespacesMap()
+	results := make([]models.K8sEvent, 0)
+	for _, event := range events {
+		if _, ok := nonAdminNamespaceSet[event.Namespace]; ok {
+			results = append(results, event)
+		}
+	}
+
+	return results, nil
+}
+
+// fetchEventsForNonAdmin returns all events in the given namespace and resource
+// It returns all events in the namespace and resource
+func (kcl *KubeClient) fetchAllEvents(namespace string, resourceId string) ([]models.K8sEvent, error) {
+	options := metav1.ListOptions{}
+	if resourceId != "" {
+		options.FieldSelector = "involvedObject.uid=" + resourceId
+	}
+
+	list, err := kcl.cli.CoreV1().Events(namespace).List(context.TODO(), options)
+	if err != nil {
+		return nil, err
+	}
+
+	results := make([]models.K8sEvent, 0)
+	for _, event := range list.Items {
+		results = append(results, parseEvent(&event))
+	}
+
+	return results, nil
+}
+
+func parseEvent(event *corev1.Event) models.K8sEvent {
+	result := models.K8sEvent{
+		Type:      event.Type,
+		Name:      event.Name,
+		Message:   event.Message,
+		Reason:    event.Reason,
+		Namespace: event.Namespace,
+		EventTime: event.EventTime.UTC(),
+		Kind:      event.Kind,
+		Count:     event.Count,
+		UID:       string(event.ObjectMeta.GetUID()),
+		InvolvedObjectKind: models.K8sEventInvolvedObject{
+			Kind:      event.InvolvedObject.Kind,
+			UID:       string(event.InvolvedObject.UID),
+			Name:      event.InvolvedObject.Name,
+			Namespace: event.InvolvedObject.Namespace,
+		},
+	}
+
+	if !event.LastTimestamp.Time.IsZero() {
+		result.LastTimestamp = &event.LastTimestamp.Time
+	}
+	if !event.FirstTimestamp.Time.IsZero() {
+		result.FirstTimestamp = &event.FirstTimestamp.Time
+	}
+
+	return result
+}
diff --git a/api/kubernetes/cli/event_test.go b/api/kubernetes/cli/event_test.go
new file mode 100644
index 000000000..926928317
--- /dev/null
+++ b/api/kubernetes/cli/event_test.go
@@ -0,0 +1,108 @@
+package cli
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kfake "k8s.io/client-go/kubernetes/fake"
+)
+
+// TestGetEvents tests the GetEvents method
+// It creates a fake Kubernetes client and passes it to the GetEvents method
+// It then logs the fetched events and validated the data returned
+func TestGetEvents(t *testing.T) {
+	t.Run("can get events for resource id when admin", func(t *testing.T) {
+		kcl := &KubeClient{
+			cli:         kfake.NewSimpleClientset(),
+			instanceID:  "instance",
+			IsKubeAdmin: true,
+		}
+		event := corev1.Event{
+			InvolvedObject: corev1.ObjectReference{UID: "resourceId"},
+			Action:         "something",
+			ObjectMeta:     metav1.ObjectMeta{Namespace: "default", Name: "myEvent"},
+			EventTime:      metav1.NowMicro(),
+			Type:           "warning",
+			Message:        "This event has a very serious warning",
+		}
+		_, err := kcl.cli.CoreV1().Events("default").Create(context.TODO(), &event, metav1.CreateOptions{})
+		if err != nil {
+			t.Fatalf("Failed to create Event: %v", err)
+		}
+
+		events, err := kcl.GetEvents("default", "resourceId")
+
+		if err != nil {
+			t.Fatalf("Failed to fetch Cron Jobs: %v", err)
+		}
+		t.Logf("Fetched Events: %v", events)
+		require.Equal(t, 1, len(events), "Expected to return 1 event")
+		assert.Equal(t, event.Message, events[0].Message, "Expected Message to be equal to event message created")
+		assert.Equal(t, event.Type, events[0].Type, "Expected Type to be equal to event type created")
+		assert.Equal(t, event.EventTime.UTC(), events[0].EventTime, "Expected EventTime to be saved as a string from event time created")
+	})
+	t.Run("can get kubernetes events for non admin namespace when non admin", func(t *testing.T) {
+		kcl := &KubeClient{
+			cli:                kfake.NewSimpleClientset(),
+			instanceID:         "instance",
+			IsKubeAdmin:        false,
+			NonAdminNamespaces: []string{"nonAdmin"},
+		}
+		event := corev1.Event{
+			InvolvedObject: corev1.ObjectReference{UID: "resourceId"},
+			Action:         "something",
+			ObjectMeta:     metav1.ObjectMeta{Namespace: "nonAdmin", Name: "myEvent"},
+			EventTime:      metav1.NowMicro(),
+			Type:           "warning",
+			Message:        "This event has a very serious warning",
+		}
+		_, err := kcl.cli.CoreV1().Events("nonAdmin").Create(context.TODO(), &event, metav1.CreateOptions{})
+		if err != nil {
+			t.Fatalf("Failed to create Event: %v", err)
+		}
+
+		events, err := kcl.GetEvents("nonAdmin", "resourceId")
+
+		if err != nil {
+			t.Fatalf("Failed to fetch Cron Jobs: %v", err)
+		}
+		t.Logf("Fetched Events: %v", events)
+		require.Equal(t, 1, len(events), "Expected to return 1 event")
+		assert.Equal(t, event.Message, events[0].Message, "Expected Message to be equal to event message created")
+		assert.Equal(t, event.Type, events[0].Type, "Expected Type to be equal to event type created")
+		assert.Equal(t, event.EventTime.UTC(), events[0].EventTime, "Expected EventTime to be saved as a string from event time created")
+	})
+
+	t.Run("cannot get kubernetes events for admin namespace when non admin", func(t *testing.T) {
+		kcl := &KubeClient{
+			cli:                kfake.NewSimpleClientset(),
+			instanceID:         "instance",
+			IsKubeAdmin:        false,
+			NonAdminNamespaces: []string{"nonAdmin"},
+		}
+		event := corev1.Event{
+			InvolvedObject: corev1.ObjectReference{UID: "resourceId"},
+			Action:         "something",
+			ObjectMeta:     metav1.ObjectMeta{Namespace: "admin", Name: "myEvent"},
+			EventTime:      metav1.NowMicro(),
+			Type:           "warning",
+			Message:        "This event has a very serious warning",
+		}
+		_, err := kcl.cli.CoreV1().Events("admin").Create(context.TODO(), &event, metav1.CreateOptions{})
+		if err != nil {
+			t.Fatalf("Failed to create Event: %v", err)
+		}
+
+		events, err := kcl.GetEvents("admin", "resourceId")
+
+		if err != nil {
+			t.Fatalf("Failed to fetch Cron Jobs: %v", err)
+		}
+		t.Logf("Fetched Events: %v", events)
+		assert.Equal(t, 0, len(events), "Expected to return 0 events")
+	})
+}
diff --git a/api/portainer.go b/api/portainer.go
index f61bb1af2..f63d04ddb 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"net/http"
 	"time"
 
 	"github.com/docker/docker/api/types"
@@ -13,6 +14,7 @@ import (
 	gittypes "github.com/portainer/portainer/api/git/types"
 	models "github.com/portainer/portainer/api/http/models/kubernetes"
 	"github.com/portainer/portainer/pkg/featureflags"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/segmentio/encoding/json"
 
 	"golang.org/x/oauth2"
@@ -1531,56 +1533,127 @@ type (
 
 	// KubeClient represents a service used to query a Kubernetes environment(endpoint)
 	KubeClient interface {
-		ServerVersion() (*version.Info, error)
+		// Access
+		GetIsKubeAdmin() bool
+		SetIsKubeAdmin(isKubeAdmin bool)
+		GetClientNonAdminNamespaces() []string
+		SetClientNonAdminNamespaces([]string)
+		NamespaceAccessPoliciesDeleteNamespace(ns string) error
+		UpdateNamespaceAccessPolicies(accessPolicies map[string]K8sNamespaceAccessPolicy) error
+		GetNamespaceAccessPolicies() (map[string]K8sNamespaceAccessPolicy, error)
+		GetNonAdminNamespaces(userID int, teamIDs []int, isRestrictDefaultNamespace bool) ([]string, error)
 
-		SetupUserServiceAccount(userID int, teamIDs []int, restrictDefaultNamespace bool) error
-		IsRBACEnabled() (bool, error)
-		GetPortainerUserServiceAccount(tokendata *TokenData) (*corev1.ServiceAccount, error)
-		GetServiceAccounts(namespace string) ([]models.K8sServiceAccount, error)
-		DeleteServiceAccounts(reqs models.K8sServiceAccountDeleteRequests) error
-		GetServiceAccountBearerToken(userID int) (string, error)
-		CreateUserShellPod(ctx context.Context, serviceAccountName, shellPodImage string) (*KubernetesShellPod, error)
+		// Applications
+		GetApplications(namespace, nodeName string) ([]models.K8sApplication, error)
+		GetApplicationsResource(namespace, node string) (models.K8sApplicationResource, error)
+
+		// ClusterRole
+		GetClusterRoles() ([]models.K8sClusterRole, error)
+		DeleteClusterRoles(req models.K8sClusterRoleDeleteRequests) error
+
+		// ConfigMap
+		GetConfigMap(namespace, configMapName string) (models.K8sConfigMap, error)
+		CombineConfigMapWithApplications(configMap models.K8sConfigMap) (models.K8sConfigMap, error)
+
+		// CronJob
+		GetCronJobs(namespace string) ([]models.K8sCronJob, error)
+		DeleteCronJobs(payload models.K8sCronJobDeleteRequests) error
+
+		// Event
+		GetEvents(namespace string, resourceId string) ([]models.K8sEvent, error)
+
+		// Exec
 		StartExecProcess(token string, useAdminToken bool, namespace, podName, containerName string, command []string, stdin io.Reader, stdout io.Writer, errChan chan error)
 
+		// ClusterRoleBinding
+		GetClusterRoleBindings() ([]models.K8sClusterRoleBinding, error)
+		DeleteClusterRoleBindings(reqs models.K8sClusterRoleBindingDeleteRequests) error
+
+		// Dashboard
+		GetDashboard() (models.K8sDashboard, error)
+
+		// Deployment
 		HasStackName(namespace string, stackName string) (bool, error)
-		NamespaceAccessPoliciesDeleteNamespace(namespace string) error
-		CreateNamespace(info models.K8sNamespaceDetails) (*corev1.Namespace, error)
-		UpdateNamespace(info models.K8sNamespaceDetails) (*corev1.Namespace, error)
-		GetNamespaces() (map[string]K8sNamespaceInfo, error)
-		GetNamespace(string) (K8sNamespaceInfo, error)
-		DeleteNamespace(namespace string) (*corev1.Namespace, error)
-		GetConfigMaps(namespace string) ([]models.K8sConfigMap, error)
-		GetSecrets(namespace string) ([]models.K8sSecret, error)
+
+		// Ingress
 		GetIngressControllers() (models.K8sIngressControllers, error)
-		GetApplications(namespace, nodename string) ([]models.K8sApplication, error)
-		GetMetrics() (models.K8sMetrics, error)
-		GetStorage() ([]KubernetesStorageClassConfig, error)
-		CreateIngress(namespace string, info models.K8sIngressInfo, owner string) error
-		UpdateIngress(namespace string, info models.K8sIngressInfo) error
+		GetIngress(namespace, ingressName string) (models.K8sIngressInfo, error)
 		GetIngresses(namespace string) ([]models.K8sIngressInfo, error)
+		CreateIngress(namespace string, info models.K8sIngressInfo, owner string) error
 		DeleteIngresses(reqs models.K8sIngressDeleteRequests) error
-		CreateService(namespace string, service models.K8sServiceInfo) error
-		UpdateService(namespace string, service models.K8sServiceInfo) error
-		GetServices(namespace string) ([]models.K8sServiceInfo, error)
-		DeleteServices(reqs models.K8sServiceDeleteRequests) error
+		UpdateIngress(namespace string, info models.K8sIngressInfo) error
+		CombineIngressWithService(ingress models.K8sIngressInfo) (models.K8sIngressInfo, error)
+		CombineIngressesWithServices(ingresses []models.K8sIngressInfo) ([]models.K8sIngressInfo, error)
+
+		// Job
+		GetJobs(namespace string, includeCronJobChildren bool) ([]models.K8sJob, error)
+		DeleteJobs(payload models.K8sJobDeleteRequests) error
+
+		// Metrics
+		GetMetrics() (models.K8sMetrics, error)
+
+		// Namespace
+		ToggleSystemState(namespaceName string, isSystem bool) error
+		UpdateNamespace(info models.K8sNamespaceDetails) (*corev1.Namespace, error)
+		GetNamespace(name string) (K8sNamespaceInfo, error)
+		CreateNamespace(info models.K8sNamespaceDetails) (*corev1.Namespace, error)
+		GetNamespaces() (map[string]K8sNamespaceInfo, error)
+		CombineNamespaceWithResourceQuota(namespace K8sNamespaceInfo, w http.ResponseWriter) *httperror.HandlerError
+		DeleteNamespace(namespaceName string) (*corev1.Namespace, error)
+		CombineNamespacesWithResourceQuotas(namespaces map[string]K8sNamespaceInfo, w http.ResponseWriter) *httperror.HandlerError
+		ConvertNamespaceMapToSlice(namespaces map[string]K8sNamespaceInfo) []K8sNamespaceInfo
+
+		// NodeLimits
 		GetNodesLimits() (K8sNodesLimits, error)
-		GetMaxResourceLimits(name string, overCommitEnabled bool, resourceOverCommitPercent int) (K8sNodeLimits, error)
-		GetNamespaceAccessPolicies() (map[string]K8sNamespaceAccessPolicy, error)
-		UpdateNamespaceAccessPolicies(accessPolicies map[string]K8sNamespaceAccessPolicy) error
+		GetMaxResourceLimits(skipNamespace string, overCommitEnabled bool, resourceOverCommitPercent int) (K8sNodeLimits, error)
+
+		// Pod
+		CreateUserShellPod(ctx context.Context, serviceAccountName, shellPodImage string) (*KubernetesShellPod, error)
+
+		// RBAC
+		IsRBACEnabled() (bool, error)
+
+		// Registries
 		DeleteRegistrySecret(registry RegistryID, namespace string) error
 		CreateRegistrySecret(registry *Registry, namespace string) error
 		IsRegistrySecret(namespace, secretName string) (bool, error)
-		ToggleSystemState(namespace string, isSystem bool) error
 
-		GetClusterRoles() ([]models.K8sClusterRole, error)
-		DeleteClusterRoles(models.K8sClusterRoleDeleteRequests) error
-		GetClusterRoleBindings() ([]models.K8sClusterRoleBinding, error)
-		DeleteClusterRoleBindings(models.K8sClusterRoleBindingDeleteRequests) error
-
-		GetRoles(namespace string) ([]models.K8sRole, error)
-		DeleteRoles(models.K8sRoleDeleteRequests) error
+		// RoleBinding
 		GetRoleBindings(namespace string) ([]models.K8sRoleBinding, error)
-		DeleteRoleBindings(models.K8sRoleBindingDeleteRequests) error
+		DeleteRoleBindings(reqs models.K8sRoleBindingDeleteRequests) error
+
+		// Role
+		DeleteRoles(reqs models.K8sRoleDeleteRequests) error
+
+		// Secret
+		GetSecrets(namespace string) ([]models.K8sSecret, error)
+		GetSecret(namespace string, secretName string) (models.K8sSecret, error)
+		CombineSecretWithApplications(secret models.K8sSecret) (models.K8sSecret, error)
+
+		// ServiceAccount
+		GetServiceAccounts(namespace string) ([]models.K8sServiceAccount, error)
+		DeleteServiceAccounts(reqs models.K8sServiceAccountDeleteRequests) error
+		SetupUserServiceAccount(int, []int, bool) error
+		GetPortainerUserServiceAccount(tokendata *TokenData) (*corev1.ServiceAccount, error)
+		GetServiceAccountBearerToken(userID int) (string, error)
+
+		// Service
+		GetServices(namespace string) ([]models.K8sServiceInfo, error)
+		CombineServicesWithApplications(services []models.K8sServiceInfo) ([]models.K8sServiceInfo, error)
+		CreateService(namespace string, info models.K8sServiceInfo) error
+		DeleteServices(reqs models.K8sServiceDeleteRequests) error
+		UpdateService(namespace string, info models.K8sServiceInfo) error
+
+		// ServerVersion
+		ServerVersion() (*version.Info, error)
+
+		// Storage
+		GetStorage() ([]KubernetesStorageClassConfig, error)
+
+		// Volumes
+		GetVolumes(namespace string) ([]models.K8sVolumeInfo, error)
+		GetVolume(namespace, volumeName string) (*models.K8sVolumeInfo, error)
+		CombineVolumesWithApplications(volumes *[]models.K8sVolumeInfo) (*[]models.K8sVolumeInfo, error)
 	}
 
 	// KubernetesDeployer represents a service to deploy a manifest inside a Kubernetes environment(endpoint)
diff --git a/app/kubernetes/views/configurations/configmap/edit/configMap.html b/app/kubernetes/views/configurations/configmap/edit/configMap.html
index 89e1c38c5..70a2d4f1a 100644
--- a/app/kubernetes/views/configurations/configmap/edit/configMap.html
+++ b/app/kubernetes/views/configurations/configmap/edit/configMap.html
@@ -58,7 +58,7 @@
               <resource-events-datatable
                 resource-id="ctrl.configuration.Id"
                 storage-key="'kubernetes.configmap.events'"
-                namespace="ctrl.formValues.ResourcePool.Namespace.Name"
+                namespace="ctrl.configuration.Namespace"
               ></resource-events-datatable>
             </uib-tab>
             <uib-tab index="2" ng-if="ctrl.configuration.Yaml" classes="btn-sm" select="ctrl.showEditor()" data-cy="k8sConfigDetail-yamlTab">
diff --git a/app/kubernetes/views/configurations/secret/edit/secret.html b/app/kubernetes/views/configurations/secret/edit/secret.html
index 0309d356c..2e939c87e 100644
--- a/app/kubernetes/views/configurations/secret/edit/secret.html
+++ b/app/kubernetes/views/configurations/secret/edit/secret.html
@@ -65,7 +65,7 @@
               <resource-events-datatable
                 resource-id="ctrl.configuration.Id"
                 storage-key="'kubernetes.secret.events'"
-                namespace="ctrl.formValues.ResourcePool.Namespace.Name"
+                namespace="ctrl.configuration.Namespace"
               ></resource-events-datatable>
             </uib-tab>
             <uib-tab index="2" ng-if="ctrl.configuration.Yaml" classes="btn-sm" select="ctrl.showEditor()" data-cy="k8sConfigDetail-yamlTab">
diff --git a/app/react/kubernetes/components/EventsDatatable/EventsDatatable.test.tsx b/app/react/kubernetes/components/EventsDatatable/EventsDatatable.test.tsx
new file mode 100644
index 000000000..c5dc49c16
--- /dev/null
+++ b/app/react/kubernetes/components/EventsDatatable/EventsDatatable.test.tsx
@@ -0,0 +1,83 @@
+import { render, screen } from '@testing-library/react';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { TableSettings } from '@/react/kubernetes/datatables/DefaultDatatableSettings';
+
+import { TableState } from '@@/datatables/useTableState';
+
+import { Event } from '../../queries/types';
+
+import { EventsDatatable } from './EventsDatatable';
+
+// Mock the necessary hooks and dependencies
+const mockTableState: TableState<TableSettings> = {
+  sortBy: { id: 'Date', desc: true },
+  pageSize: 10,
+  search: '',
+  autoRefreshRate: 0,
+  showSystemResources: false,
+  setSortBy: vi.fn(),
+  setPageSize: vi.fn(),
+  setSearch: vi.fn(),
+  setAutoRefreshRate: vi.fn(),
+  setShowSystemResources: vi.fn(),
+};
+
+vi.mock('../../datatables/default-kube-datatable-store', () => ({
+  useKubeStore: () => mockTableState,
+}));
+
+function renderComponent() {
+  const user = new UserViewModel({ Username: 'user' });
+
+  const events: Event[] = [
+    {
+      type: 'Warning',
+      name: 'name',
+      message: 'not sure if this what you want to do',
+      namespace: 'default',
+      reason: 'unknown',
+      count: 1,
+      eventTime: new Date('2025-01-02T15:04:05Z'),
+      uid: '4500fc9c-0cc8-4695-b4c4-989ac021d1d6',
+      involvedObject: {
+        kind: 'configMap',
+        uid: '35',
+        name: 'name',
+        namespace: 'default',
+      },
+    },
+  ];
+
+  const Wrapped = withTestQueryProvider(
+    withUserProvider(
+      withTestRouter(() => (
+        <EventsDatatable
+          dataset={events}
+          tableState={mockTableState}
+          isLoading={false}
+          data-cy="k8sNodeDetail-eventsTable"
+          noWidget
+        />
+      )),
+      user
+    )
+  );
+  return { ...render(<Wrapped />), events };
+}
+
+describe('EventsDatatable', () => {
+  it('should display events when data is loaded', async () => {
+    const { events } = renderComponent();
+    const event = events[0];
+
+    expect(screen.getByText(event.message || '')).toBeInTheDocument();
+    expect(screen.getAllByText(event.type || '')).toHaveLength(2);
+    expect(screen.getAllByText(event.involvedObject.kind || '')).toHaveLength(
+      2
+    );
+  });
+});
diff --git a/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx b/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx
index ffb92e7bd..fd063535a 100644
--- a/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx
+++ b/app/react/kubernetes/components/EventsDatatable/EventsDatatable.tsx
@@ -1,7 +1,7 @@
-import { Event } from 'kubernetes-types/core/v1';
 import { History } from 'lucide-react';
 import { ReactNode } from 'react';
 
+import { Event } from '@/react/kubernetes/queries/types';
 import { IndexOptional } from '@/react/kubernetes/configs/types';
 import { TableSettings } from '@/react/kubernetes/datatables/DefaultDatatableSettings';
 
@@ -38,7 +38,7 @@ export function EventsDatatable({
       isLoading={isLoading}
       title={title}
       titleIcon={titleIcon}
-      getRowId={(row) => row.metadata?.uid || ''}
+      getRowId={(row) => row.uid || ''}
       disableSelect
       renderTableSettings={() => (
         <TableSettingsMenu>
diff --git a/app/react/kubernetes/components/EventsDatatable/ResourceEventsDatatable.tsx b/app/react/kubernetes/components/EventsDatatable/ResourceEventsDatatable.tsx
index f763043c9..bf04d00d9 100644
--- a/app/react/kubernetes/components/EventsDatatable/ResourceEventsDatatable.tsx
+++ b/app/react/kubernetes/components/EventsDatatable/ResourceEventsDatatable.tsx
@@ -29,9 +29,7 @@ export function ResourceEventsDatatable({
     params: { endpointId },
   } = useCurrentStateAndParams();
 
-  const params = resourceId
-    ? { fieldSelector: `involvedObject.uid=${resourceId}` }
-    : {};
+  const params = resourceId ? { resourceId: `${resourceId}` } : {};
   const resourceEventsQuery = useEvents(endpointId, {
     namespace,
     params,
diff --git a/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx b/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx
index 0d381d682..d2f24e3ab 100644
--- a/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx
+++ b/app/react/kubernetes/components/EventsDatatable/columns/eventType.tsx
@@ -1,5 +1,6 @@
 import { Row } from '@tanstack/react-table';
-import { Event } from 'kubernetes-types/core/v1';
+
+import { Event } from '@/react/kubernetes/queries/types';
 
 import { Badge, BadgeType } from '@@/Badge';
 import { filterHOC } from '@@/datatables/Filter';
diff --git a/app/react/kubernetes/components/EventsDatatable/columns/helper.ts b/app/react/kubernetes/components/EventsDatatable/columns/helper.ts
index 23a453238..dbb2a57d5 100644
--- a/app/react/kubernetes/components/EventsDatatable/columns/helper.ts
+++ b/app/react/kubernetes/components/EventsDatatable/columns/helper.ts
@@ -1,4 +1,5 @@
 import { createColumnHelper } from '@tanstack/react-table';
-import { Event } from 'kubernetes-types/core/v1';
+
+import { Event } from '@/react/kubernetes/queries/types';
 
 export const columnHelper = createColumnHelper<Event>();
diff --git a/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx b/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx
index 641662291..efc69fe4e 100644
--- a/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx
+++ b/app/react/kubernetes/components/EventsDatatable/columns/kind.tsx
@@ -1,5 +1,6 @@
 import { Row } from '@tanstack/react-table';
-import { Event } from 'kubernetes-types/core/v1';
+
+import { Event } from '@/react/kubernetes/queries/types';
 
 import { filterHOC } from '@@/datatables/Filter';
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
index 89f522d3a..9cad1d046 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
@@ -184,15 +184,8 @@ describe(
         http.get('/api/endpoints/3/kubernetes/helm/test-release/history', () =>
           HttpResponse.json(helmReleaseHistory)
         ),
-        http.get(
-          '/api/endpoints/3/kubernetes/api/v1/namespaces/default/events',
-          () =>
-            HttpResponse.json({
-              kind: 'EventList',
-              apiVersion: 'v1',
-              metadata: { resourceVersion: '12345' },
-              items: [],
-            })
+        http.get('/api/kubernetes/3/namespaces/default/events', () =>
+          HttpResponse.json([])
         )
       );
 
@@ -236,15 +229,8 @@ describe(
           HttpResponse.error()
         ),
         // Add mock for events endpoint
-        http.get(
-          '/api/endpoints/3/kubernetes/api/v1/namespaces/default/events',
-          () =>
-            HttpResponse.json({
-              kind: 'EventList',
-              apiVersion: 'v1',
-              metadata: { resourceVersion: '12345' },
-              items: [],
-            })
+        http.get('/api/kubernetes/3/namespaces/default/events', () =>
+          HttpResponse.json([])
         )
       );
 
@@ -274,15 +260,8 @@ describe(
         http.get('/api/endpoints/3/kubernetes/helm/test-release/history', () =>
           HttpResponse.json(helmReleaseHistory)
         ),
-        http.get(
-          '/api/endpoints/3/kubernetes/api/v1/namespaces/default/events',
-          () =>
-            HttpResponse.json({
-              kind: 'EventList',
-              apiVersion: 'v1',
-              metadata: { resourceVersion: '12345' },
-              items: [],
-            })
+        http.get('/api/kubernetes/3/namespaces/default/events', () =>
+          HttpResponse.json([])
         )
       );
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
index 08c48488a..67ff7d10b 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.test.tsx
@@ -1,7 +1,7 @@
 import { render, screen, waitFor } from '@testing-library/react';
 import { HttpResponse } from 'msw';
-import { Event, EventList } from 'kubernetes-types/core/v1';
 
+import { Event } from '@/react/kubernetes/queries/types';
 import { server, http } from '@/setup-tests/server';
 import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
 import { withTestRouter } from '@/react/test-utils/withRouter';
@@ -56,136 +56,84 @@ const testResources: GenericResource[] = [
   },
 ];
 
-const mockEventsResponse: EventList = {
-  kind: 'EventList',
-  apiVersion: 'v1',
-  metadata: {
-    resourceVersion: '12345',
+const mockEventsResponse: Event[] = [
+  {
+    name: 'test-deployment-123456',
+    namespace: 'default',
+    reason: 'CreatedLoadBalancer',
+    eventTime: new Date('2023-01-01T00:00:00Z'),
+    uid: 'event-uid-1',
+    involvedObject: {
+      kind: 'Deployment',
+      name: 'test-deployment',
+      uid: 'test-deployment-uid',
+      namespace: 'default',
+    },
+    message: 'Scaled up replica set test-deployment-abc123 to 1',
+    firstTimestamp: new Date('2023-01-01T00:00:00Z'),
+    lastTimestamp: new Date('2023-01-01T00:00:00Z'),
+    count: 1,
+    type: 'Normal',
   },
-  items: [
-    {
-      metadata: {
-        name: 'test-deployment-123456',
-        namespace: 'default',
-        uid: 'event-uid-1',
-        resourceVersion: '1000',
-        creationTimestamp: '2023-01-01T00:00:00Z',
-      },
-      involvedObject: {
-        kind: 'Deployment',
-        namespace: 'default',
-        name: 'test-deployment',
-        uid: 'test-deployment-uid',
-        apiVersion: 'apps/v1',
-        resourceVersion: '2000',
-      },
-      reason: 'ScalingReplicaSet',
-      message: 'Scaled up replica set test-deployment-abc123 to 1',
-      source: {
-        component: 'deployment-controller',
-      },
-      firstTimestamp: '2023-01-01T00:00:00Z',
-      lastTimestamp: '2023-01-01T00:00:00Z',
-      count: 1,
-      type: 'Normal',
-      reportingComponent: 'deployment-controller',
-      reportingInstance: '',
+  {
+    name: 'test-service-123456',
+    namespace: 'default',
+    uid: 'event-uid-2',
+    eventTime: new Date('2023-01-01T00:00:00Z'),
+    involvedObject: {
+      kind: 'Service',
+      namespace: 'default',
+      name: 'test-service',
+      uid: 'test-service-uid',
     },
-    {
-      metadata: {
-        name: 'test-service-123456',
-        namespace: 'default',
-        uid: 'event-uid-2',
-        resourceVersion: '1001',
-        creationTimestamp: '2023-01-01T00:00:00Z',
-      },
-      involvedObject: {
-        kind: 'Service',
-        namespace: 'default',
-        name: 'test-service',
-        uid: 'test-service-uid',
-        apiVersion: 'v1',
-        resourceVersion: '2001',
-      },
-      reason: 'CreatedLoadBalancer',
-      message: 'Created load balancer',
-      source: {
-        component: 'service-controller',
-      },
-      firstTimestamp: '2023-01-01T00:00:00Z',
-      lastTimestamp: '2023-01-01T00:00:00Z',
-      count: 1,
-      type: 'Normal',
-      reportingComponent: 'service-controller',
-      reportingInstance: '',
-    },
-  ],
-};
+    reason: 'CreatedLoadBalancer',
+    message: 'Created load balancer',
+    firstTimestamp: new Date('2023-01-01T00:00:00Z'),
+    lastTimestamp: new Date('2023-01-01T00:00:00Z'),
+    count: 1,
+    type: 'Normal',
+  },
+];
 
-const mixedEventsResponse: EventList = {
-  kind: 'EventList',
-  apiVersion: 'v1',
-  metadata: {
-    resourceVersion: '12345',
+const mixedEventsResponse: Event[] = [
+  {
+    name: 'test-deployment-123456',
+    namespace: 'default',
+    uid: 'event-uid-1',
+    eventTime: new Date('2023-01-01T00:00:00Z'),
+    involvedObject: {
+      kind: 'Deployment',
+      namespace: 'default',
+      name: 'test-deployment',
+      uid: 'test-deployment-uid', // This matches a resource UID
+    },
+    reason: 'ScalingReplicaSet',
+    message: 'Scaled up replica set test-deployment-abc123 to 1',
+
+    firstTimestamp: new Date('2023-01-01T00:00:00Z'),
+    lastTimestamp: new Date('2023-01-01T00:00:00Z'),
+    count: 1,
+    type: 'Normal',
   },
-  items: [
-    {
-      metadata: {
-        name: 'test-deployment-123456',
-        namespace: 'default',
-        uid: 'event-uid-1',
-        resourceVersion: '1000',
-        creationTimestamp: '2023-01-01T00:00:00Z',
-      },
-      involvedObject: {
-        kind: 'Deployment',
-        namespace: 'default',
-        name: 'test-deployment',
-        uid: 'test-deployment-uid', // This matches a resource UID
-        apiVersion: 'apps/v1',
-        resourceVersion: '2000',
-      },
-      reason: 'ScalingReplicaSet',
-      message: 'Scaled up replica set test-deployment-abc123 to 1',
-      source: {
-        component: 'deployment-controller',
-      },
-      firstTimestamp: '2023-01-01T00:00:00Z',
-      lastTimestamp: '2023-01-01T00:00:00Z',
-      count: 1,
-      type: 'Normal',
-      reportingComponent: 'deployment-controller',
-      reportingInstance: '',
+  {
+    name: 'unrelated-pod-123456',
+    namespace: 'default',
+    uid: 'event-uid-3',
+    eventTime: new Date('2023-01-01T00:00:00Z'),
+    involvedObject: {
+      kind: 'Pod',
+      namespace: 'default',
+      name: 'unrelated-pod',
+      uid: 'unrelated-pod-uid', // This does NOT match any resource UIDs
     },
-    {
-      metadata: {
-        name: 'unrelated-pod-123456',
-        namespace: 'default',
-        uid: 'event-uid-3',
-        resourceVersion: '1002',
-        creationTimestamp: '2023-01-01T00:00:00Z',
-      },
-      involvedObject: {
-        kind: 'Pod',
-        namespace: 'default',
-        name: 'unrelated-pod',
-        uid: 'unrelated-pod-uid', // This does NOT match any resource UIDs
-        apiVersion: 'v1',
-        resourceVersion: '2002',
-      },
-      reason: 'Scheduled',
-      message: 'Successfully assigned unrelated-pod to node',
-      source: {
-        component: 'default-scheduler',
-      },
-      firstTimestamp: '2023-01-01T00:00:00Z',
-      lastTimestamp: '2023-01-01T00:00:00Z',
-      count: 1,
-      reportingComponent: 'scheduler',
-      reportingInstance: '',
-    },
-  ],
-};
+    reason: 'Scheduled',
+    message: 'Successfully assigned unrelated-pod to node',
+    type: 'Normal',
+    firstTimestamp: new Date('2023-01-01T00:00:00Z'),
+    lastTimestamp: new Date('2023-01-01T00:00:00Z'),
+    count: 1,
+  },
+];
 
 function renderComponent() {
   const user = new UserViewModel({ Username: 'user' });
@@ -229,7 +177,7 @@ describe('HelmEventsDatatable', () => {
 
   it('should correctly filter related events using the filterRelatedEvents function', () => {
     const filteredEvents = filterRelatedEvents(
-      mixedEventsResponse.items as Event[],
+      mixedEventsResponse as Event[],
       testResources
     );
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
index ced859f54..9dd161f5b 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/HelmEventsDatatable.tsx
@@ -1,6 +1,6 @@
 import { compact } from 'lodash';
-import { Event } from 'kubernetes-types/core/v1';
 
+import { Event } from '@/react/kubernetes/queries/types';
 import { createStore } from '@/react/kubernetes/datatables/default-kube-datatable-store';
 import { EventsDatatable } from '@/react/kubernetes/components/EventsDatatable';
 import { useEvents } from '@/react/kubernetes/queries/useEvents';
diff --git a/app/react/kubernetes/queries/types.ts b/app/react/kubernetes/queries/types.ts
new file mode 100644
index 000000000..4c8269c28
--- /dev/null
+++ b/app/react/kubernetes/queries/types.ts
@@ -0,0 +1,19 @@
+export type Event = {
+  type: string;
+  name: string;
+  reason: string;
+  message: string;
+  namespace: string;
+  eventTime: Date;
+  kind?: string;
+  count: number;
+  lastTimestamp?: Date;
+  firstTimestamp?: Date;
+  uid: string;
+  involvedObject: {
+    uid: string;
+    kind?: string;
+    name: string;
+    namespace: string;
+  };
+};
diff --git a/app/react/kubernetes/queries/useEvents.ts b/app/react/kubernetes/queries/useEvents.ts
index f25c255db..47ea5c2c5 100644
--- a/app/react/kubernetes/queries/useEvents.ts
+++ b/app/react/kubernetes/queries/useEvents.ts
@@ -1,6 +1,6 @@
-import { EventList, Event } from 'kubernetes-types/core/v1';
 import { useQuery } from '@tanstack/react-query';
 
+import { Event } from '@/react/kubernetes/queries/types';
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import axios from '@/portainer/services/axios';
 import { withGlobalError } from '@/react-tools/react-query';
@@ -13,10 +13,7 @@ type RequestOptions = {
   /** if undefined, events are fetched at the cluster scope */
   namespace?: string;
   params?: {
-    /** https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors */
-    labelSelector?: string;
-    /** https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors */
-    fieldSelector?: string;
+    resourceId?: string;
   };
 };
 
@@ -44,13 +41,13 @@ async function getEvents(
 ): Promise<Event[]> {
   const { namespace, params } = options ?? {};
   try {
-    const { data } = await axios.get<EventList>(
+    const { data } = await axios.get<Event[]>(
       buildUrl(environmentId, namespace),
       {
         params,
       }
     );
-    return data.items;
+    return data;
   } catch (e) {
     throw parseKubernetesAxiosError(e, 'Unable to retrieve events');
   }
@@ -96,6 +93,6 @@ export function useEventWarningsCount(
 
 function buildUrl(environmentId: EnvironmentId, namespace?: string) {
   return namespace
-    ? `/endpoints/${environmentId}/kubernetes/api/v1/namespaces/${namespace}/events`
-    : `/endpoints/${environmentId}/kubernetes/api/v1/events`;
+    ? `/kubernetes/${environmentId}/namespaces/${namespace}/events`
+    : `/kubernetes/${environmentId}/events`;
 }

From 731afbee4697ef4eb55c075b6b851f5ab9414fa6 Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Tue, 27 May 2025 15:20:28 +1200
Subject: [PATCH 133/212] feat(helm): filter on chart versions at API level
 [R8S-324] (#754)

---
 api/http/handler/helm/helm_repo_search.go     | 11 ++-
 .../ChartActions/UpgradeButton.test.tsx       | 10 ++
 .../ChartActions/UpgradeButton.tsx            | 95 +++++++++++++------
 .../queries/useHelmRepositories.ts            | 16 ++--
 pkg/libhelm/options/search_repo_options.go    |  6 +-
 pkg/libhelm/sdk/search_repo.go                | 77 +++++++++++----
 6 files changed, 159 insertions(+), 56 deletions(-)

diff --git a/api/http/handler/helm/helm_repo_search.go b/api/http/handler/helm/helm_repo_search.go
index aab9c523d..c29423fa9 100644
--- a/api/http/handler/helm/helm_repo_search.go
+++ b/api/http/handler/helm/helm_repo_search.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
 
 	"github.com/pkg/errors"
 )
@@ -17,6 +18,8 @@ import (
 // @description **Access policy**: authenticated
 // @tags helm
 // @param repo query string true "Helm repository URL"
+// @param chart query string false "Helm chart name"
+// @param useCache query string false "If true will use cache to search"
 // @security ApiKeyAuth
 // @security jwt
 // @produce json
@@ -32,13 +35,19 @@ func (handler *Handler) helmRepoSearch(w http.ResponseWriter, r *http.Request) *
 		return httperror.BadRequest("Bad request", errors.New("missing `repo` query parameter"))
 	}
 
+	chart, _ := request.RetrieveQueryParameter(r, "chart", false)
+	// If true will useCache to search, will always add to cache after
+	useCache, _ := request.RetrieveBooleanQueryParameter(r, "useCache", false)
+
 	_, err := url.ParseRequestURI(repo)
 	if err != nil {
 		return httperror.BadRequest("Bad request", errors.Wrap(err, fmt.Sprintf("provided URL %q is not valid", repo)))
 	}
 
 	searchOpts := options.SearchRepoOptions{
-		Repo: repo,
+		Repo:     repo,
+		Chart:    chart,
+		UseCache: useCache,
 	}
 
 	result, err := handler.helmPackageManager.SearchRepo(searchOpts)
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
index 4bea0bf47..190fef7b1 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -33,6 +33,8 @@ vi.mock('../queries/useHelmRepositories', () => ({
     ],
     isInitialLoading: false,
     isError: false,
+    isFetching: false,
+    refetch: vi.fn(() => Promise.resolve([])),
   })),
   useHelmRepositories: vi.fn(() => ({
     data: ['repo1', 'repo2'],
@@ -81,6 +83,8 @@ describe('UpgradeButton', () => {
       data,
       isInitialLoading: false,
       isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -94,6 +98,8 @@ describe('UpgradeButton', () => {
       data: [],
       isInitialLoading: true,
       isError: false,
+      isFetching: true,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -109,6 +115,8 @@ describe('UpgradeButton', () => {
       data,
       isInitialLoading: false,
       isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton();
@@ -139,6 +147,8 @@ describe('UpgradeButton', () => {
       ],
       isInitialLoading: false,
       isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
     });
 
     renderButton({ release: mockRelease });
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 4c385c388..2c32fb69d 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -1,5 +1,6 @@
 import { ArrowUp } from 'lucide-react';
 import { useRouter } from '@uirouter/react';
+import { useState } from 'react';
 
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { notifySuccess } from '@/portainer/services/notifications';
@@ -41,26 +42,28 @@ export function UpgradeButton({
   const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
 
   const repositoriesQuery = useHelmRepositories();
+  const [useCache, setUseCache] = useState(true);
   const helmRepoVersionsQuery = useHelmRepoVersions(
     release?.chart.metadata?.name || '',
     60 * 60 * 1000, // 1 hour
-    repositoriesQuery.data
+    repositoriesQuery.data,
+    useCache
   );
   const versions = helmRepoVersionsQuery.data;
 
   // Combined loading state
-  const isInitialLoading =
-    repositoriesQuery.isInitialLoading ||
-    helmRepoVersionsQuery.isInitialLoading;
+  const isLoading =
+    repositoriesQuery.isInitialLoading || helmRepoVersionsQuery.isFetching;
   const isError = repositoriesQuery.isError || helmRepoVersionsQuery.isError;
 
   const latestVersion = useHelmRelease(environmentId, releaseName, namespace, {
     select: (data) => data.chart.metadata?.version,
   });
   const latestVersionAvailable = versions[0]?.Version ?? '';
-  const isNewVersionAvailable =
+  const isNewVersionAvailable = Boolean(
     latestVersion?.data &&
-    semverCompare(latestVersionAvailable, latestVersion?.data) === 1;
+      semverCompare(latestVersionAvailable, latestVersion?.data) === 1
+  );
 
   const editableHelmRelease: UpdateHelmReleasePayload = {
     name: releaseName,
@@ -70,6 +73,14 @@ export function UpgradeButton({
     version: release?.chart.metadata?.version,
   };
 
+  function handleRefreshVersions() {
+    if (!useCache) {
+      helmRepoVersionsQuery.refetch();
+    } else {
+      setUseCache(false);
+    }
+  }
+
   return (
     <div className="relative">
       <LoadingButton
@@ -78,7 +89,7 @@ export function UpgradeButton({
         onClick={() => openUpgradeForm(versions, release)}
         disabled={
           versions.length === 0 ||
-          isInitialLoading ||
+          isLoading ||
           isError ||
           release?.info?.status?.startsWith('pending')
         }
@@ -89,7 +100,7 @@ export function UpgradeButton({
       >
         Upgrade
       </LoadingButton>
-      {versions.length === 0 && isInitialLoading && (
+      {isLoading && (
         <InlineLoader
           size="xs"
           className="absolute -bottom-5 left-0 right-0 whitespace-nowrap"
@@ -97,30 +108,38 @@ export function UpgradeButton({
           Checking for new versions...
         </InlineLoader>
       )}
-      {versions.length === 0 && !isInitialLoading && !isError && (
+      {!isLoading && !isError && (
         <span className="absolute flex items-center -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
-          No versions available
-          <Tooltip
-            message={
-              <div>
-                Portainer is unable to find any versions for this chart in the
-                repositories saved. Try adding a new repository which contains
-                the chart in the{' '}
-                <Link
-                  to="portainer.account"
-                  params={{ '#': 'helm-repositories' }}
-                  data-cy="user-settings-link"
-                >
-                  Helm repositories settings
-                </Link>
-              </div>
-            }
-          />
-        </span>
-      )}
-      {isNewVersionAvailable && (
-        <span className="absolute -bottom-5 left-0 right-0 text-xs text-muted text-center whitespace-nowrap">
-          New version available ({latestVersionAvailable})
+          {getStatusMessage(
+            versions.length === 0,
+            latestVersionAvailable,
+            isNewVersionAvailable
+          )}
+          {versions.length === 0 && (
+            <Tooltip
+              message={
+                <div>
+                  Portainer is unable to find any versions for this chart in the
+                  repositories saved. Try adding a new repository which contains
+                  the chart in the{' '}
+                  <Link
+                    to="portainer.account"
+                    params={{ '#': 'helm-repositories' }}
+                    data-cy="user-settings-link"
+                  >
+                    Helm repositories settings
+                  </Link>
+                </div>
+              }
+            />
+          )}
+          <button
+            onClick={handleRefreshVersions}
+            className="text-primary hover:text-primary-light cursor-pointer bg-transparent border-0 pl-1 p-0"
+            type="button"
+          >
+            Refresh versions
+          </button>
         </span>
       )}
     </div>
@@ -164,4 +183,18 @@ export function UpgradeButton({
       },
     });
   }
+
+  function getStatusMessage(
+    hasNoAvailableVersions: boolean,
+    latestVersionAvailable: string,
+    isNewVersionAvailable: boolean
+  ): string {
+    if (hasNoAvailableVersions) {
+      return 'No versions available ';
+    }
+    if (isNewVersionAvailable) {
+      return `New version available (${latestVersionAvailable}) `;
+    }
+    return '';
+  }
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
index 733b79dea..bf11eadb1 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
@@ -45,20 +45,21 @@ export function useHelmRepositories() {
 export function useHelmRepoVersions(
   chart: string,
   staleTime: number,
-  repositories: string[] = []
+  repositories: string[] = [],
+  useCache: boolean = true
 ) {
   // Fetch versions from each repository in parallel as separate queries
   const versionQueries = useQueries({
     queries: useMemo(
       () =>
         repositories.map((repo) => ({
-          queryKey: ['helm', 'repositories', chart, repo],
-          queryFn: () => getSearchHelmRepo(repo, chart),
+          queryKey: ['helm', 'repositories', chart, repo, useCache],
+          queryFn: () => getSearchHelmRepo(repo, chart, useCache),
           enabled: !!chart && repositories.length > 0,
           staleTime,
           ...withGlobalError(`Unable to retrieve versions from ${repo}`),
         })),
-      [repositories, chart, staleTime]
+      [repositories, chart, staleTime, useCache]
     ),
   });
 
@@ -72,6 +73,8 @@ export function useHelmRepoVersions(
     data: allVersions,
     isInitialLoading: versionQueries.some((q) => q.isLoading),
     isError: versionQueries.some((q) => q.isError),
+    isFetching: versionQueries.some((q) => q.isFetching),
+    refetch: () => Promise.all(versionQueries.map((q) => q.refetch())),
   };
 }
 
@@ -80,11 +83,12 @@ export function useHelmRepoVersions(
  */
 async function getSearchHelmRepo(
   repo: string,
-  chart: string
+  chart: string,
+  useCache: boolean = true
 ): Promise<ChartVersion[]> {
   try {
     const { data } = await axios.get<HelmSearch>(`templates/helm`, {
-      params: { repo, chart },
+      params: { repo, chart, useCache },
     });
     const versions = data.entries[chart];
     return (
diff --git a/pkg/libhelm/options/search_repo_options.go b/pkg/libhelm/options/search_repo_options.go
index 73acc5709..0b35c0bbd 100644
--- a/pkg/libhelm/options/search_repo_options.go
+++ b/pkg/libhelm/options/search_repo_options.go
@@ -3,6 +3,8 @@ package options
 import "net/http"
 
 type SearchRepoOptions struct {
-	Repo   string       `example:"https://charts.gitlab.io/"`
-	Client *http.Client `example:"&http.Client{Timeout: time.Second * 10}"`
+	Repo     string       `example:"https://charts.gitlab.io/"`
+	Client   *http.Client `example:"&http.Client{Timeout: time.Second * 10}"`
+	Chart    string       `example:"my-chart"`
+	UseCache bool         `example:"false"`
 }
diff --git a/pkg/libhelm/sdk/search_repo.go b/pkg/libhelm/sdk/search_repo.go
index 90dd98529..63015330c 100644
--- a/pkg/libhelm/sdk/search_repo.go
+++ b/pkg/libhelm/sdk/search_repo.go
@@ -4,6 +4,8 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"sync"
+	"time"
 
 	"github.com/pkg/errors"
 	"github.com/portainer/portainer/pkg/libhelm/options"
@@ -25,6 +27,17 @@ type RepoIndex struct {
 	Generated  string                 `json:"generated"`
 }
 
+type RepoIndexCache struct {
+	Index     *repo.IndexFile
+	Timestamp time.Time
+}
+
+var (
+	indexCache    = make(map[string]RepoIndexCache)
+	cacheMutex    sync.RWMutex
+	cacheDuration = 60 * time.Minute
+)
+
 // SearchRepo downloads the `index.yaml` file for specified repo, parses it and returns JSON to caller.
 func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error) {
 	// Validate input options
@@ -53,6 +66,18 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, err
 	}
 
+	// Check cache first
+	if searchRepoOpts.UseCache {
+		cacheMutex.RLock()
+		if cached, exists := indexCache[repoURL.String()]; exists {
+			if time.Since(cached.Timestamp) < cacheDuration {
+				cacheMutex.RUnlock()
+				return convertAndMarshalIndex(cached.Index, searchRepoOpts.Chart)
+			}
+		}
+		cacheMutex.RUnlock()
+	}
+
 	// Set up Helm CLI environment
 	repoSettings := cli.New()
 
@@ -92,23 +117,21 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, err
 	}
 
-	// Convert the index file to our response format
-	result, err := convertIndexToResponse(indexFile)
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Err(err).
-			Msg("Failed to convert index to response format")
-		return nil, errors.Wrap(err, "failed to convert index to response format")
+	// Update cache and remove old entries
+	cacheMutex.Lock()
+	indexCache[searchRepoOpts.Repo] = RepoIndexCache{
+		Index:     indexFile,
+		Timestamp: time.Now(),
+	}
+	for key, index := range indexCache {
+		if time.Since(index.Timestamp) > cacheDuration {
+			delete(indexCache, key)
+		}
 	}
 
-	log.Debug().
-		Str("context", "HelmClient").
-		Str("repo", searchRepoOpts.Repo).
-		Int("entries_count", len(indexFile.Entries)).
-		Msg("Successfully searched repository")
+	cacheMutex.Unlock()
 
-	return json.Marshal(result)
+	return convertAndMarshalIndex(indexFile, searchRepoOpts.Chart)
 }
 
 // validateSearchRepoOptions validates the required search repository options.
@@ -216,7 +239,7 @@ func loadIndexFile(indexPath string) (*repo.IndexFile, error) {
 }
 
 // convertIndexToResponse converts the Helm index file to our response format.
-func convertIndexToResponse(indexFile *repo.IndexFile) (RepoIndex, error) {
+func convertIndexToResponse(indexFile *repo.IndexFile, chartName string) (RepoIndex, error) {
 	result := RepoIndex{
 		APIVersion: indexFile.APIVersion,
 		Entries:    make(map[string][]ChartInfo),
@@ -225,7 +248,9 @@ func convertIndexToResponse(indexFile *repo.IndexFile) (RepoIndex, error) {
 
 	// Convert Helm SDK types to our response types
 	for name, charts := range indexFile.Entries {
-		result.Entries[name] = convertChartsToChartInfo(charts)
+		if chartName == "" || name == chartName {
+			result.Entries[name] = convertChartsToChartInfo(charts)
+		}
 	}
 
 	return result, nil
@@ -349,3 +374,23 @@ func ensureHelmDirectoriesExist(settings *cli.EnvSettings) error {
 
 	return nil
 }
+
+func convertAndMarshalIndex(indexFile *repo.IndexFile, chartName string) ([]byte, error) {
+	// Convert the index file to our response format
+	result, err := convertIndexToResponse(indexFile, chartName)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to convert index to response format")
+		return nil, errors.Wrap(err, "failed to convert index to response format")
+	}
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("repo", chartName).
+		Int("entries_count", len(indexFile.Entries)).
+		Msg("Successfully searched repository")
+
+	return json.Marshal(result)
+}

From b767dcb27ed253b423facd2e04ef971985950fd3 Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Fri, 30 May 2025 11:49:23 +1200
Subject: [PATCH 134/212] fix(proxy): whitelist headers for proxy to forward
 [BE-11819] (#665)

---
 api/http/proxy/factory/reverse_proxy.go      | 23 ++++-
 api/http/proxy/factory/reverse_proxy_test.go | 90 ++++++++++++++++++--
 2 files changed, 102 insertions(+), 11 deletions(-)

diff --git a/api/http/proxy/factory/reverse_proxy.go b/api/http/proxy/factory/reverse_proxy.go
index d583d75fe..c40e6c485 100644
--- a/api/http/proxy/factory/reverse_proxy.go
+++ b/api/http/proxy/factory/reverse_proxy.go
@@ -7,6 +7,21 @@ import (
 	"strings"
 )
 
+// Note that we discard any non-canonical headers by design
+var allowedHeaders = map[string]struct{}{
+	"Accept":                  {},
+	"Accept-Encoding":         {},
+	"Accept-Language":         {},
+	"Cache-Control":           {},
+	"Content-Length":          {},
+	"Content-Type":            {},
+	"Private-Token":           {},
+	"User-Agent":              {},
+	"X-Portaineragent-Target": {},
+	"X-Portainer-Volumename":  {},
+	"X-Registry-Auth":         {},
+}
+
 // newSingleHostReverseProxyWithHostHeader is based on NewSingleHostReverseProxy
 // from golang.org/src/net/http/httputil/reverseproxy.go and merely sets the Host
 // HTTP header, which NewSingleHostReverseProxy deliberately preserves.
@@ -15,7 +30,6 @@ func NewSingleHostReverseProxyWithHostHeader(target *url.URL) *httputil.ReverseP
 }
 
 func createDirector(target *url.URL) func(*http.Request) {
-	sensitiveHeaders := []string{"Cookie", "X-Csrf-Token"}
 	targetQuery := target.RawQuery
 	return func(req *http.Request) {
 		req.URL.Scheme = target.Scheme
@@ -32,8 +46,11 @@ func createDirector(target *url.URL) func(*http.Request) {
 			req.Header.Set("User-Agent", "")
 		}
 
-		for _, header := range sensitiveHeaders {
-			delete(req.Header, header)
+		for k := range req.Header {
+			if _, ok := allowedHeaders[k]; !ok {
+				// We use delete here instead of req.Header.Del because we want to delete non canonical headers.
+				delete(req.Header, k)
+			}
 		}
 	}
 }
diff --git a/api/http/proxy/factory/reverse_proxy_test.go b/api/http/proxy/factory/reverse_proxy_test.go
index 1a3d88ba0..6f23d75ec 100644
--- a/api/http/proxy/factory/reverse_proxy_test.go
+++ b/api/http/proxy/factory/reverse_proxy_test.go
@@ -6,6 +6,7 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	portainer "github.com/portainer/portainer/api"
 )
 
 func Test_createDirector(t *testing.T) {
@@ -23,12 +24,14 @@ func Test_createDirector(t *testing.T) {
 				"GET",
 				"https://agent-portainer.io/test?c=7",
 				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": "something"},
+				true,
 			),
 			expectedReq: createRequest(
 				t,
 				"GET",
 				"https://portainer.io/api/docker/test?a=5&b=6&c=7",
 				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": "something"},
+				true,
 			),
 		},
 		{
@@ -39,12 +42,14 @@ func Test_createDirector(t *testing.T) {
 				"GET",
 				"https://agent-portainer.io/test?c=7",
 				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json"},
+				true,
 			),
 			expectedReq: createRequest(
 				t,
 				"GET",
 				"https://portainer.io/api/docker/test?a=5&b=6&c=7",
 				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": ""},
+				true,
 			),
 		},
 		{
@@ -55,18 +60,83 @@ func Test_createDirector(t *testing.T) {
 				"GET",
 				"https://agent-portainer.io/test?c=7",
 				map[string]string{
-					"Accept-Encoding": "gzip",
-					"Accept":          "application/json",
-					"User-Agent":      "something",
-					"Cookie":          "junk",
-					"X-Csrf-Token":    "junk",
+					"Authorization":           "secret",
+					"Proxy-Authorization":     "secret",
+					"Cookie":                  "secret",
+					"X-Csrf-Token":            "secret",
+					"X-Api-Key":               "secret",
+					"Accept":                  "application/json",
+					"Accept-Encoding":         "gzip",
+					"Accept-Language":         "en-GB",
+					"Cache-Control":           "None",
+					"Content-Length":          "100",
+					"Content-Type":            "application/json",
+					"Private-Token":           "test-private-token",
+					"User-Agent":              "test-user-agent",
+					"X-Portaineragent-Target": "test-agent-1",
+					"X-Portainer-Volumename":  "test-volume-1",
+					"X-Registry-Auth":         "test-registry-auth",
 				},
+				true,
 			),
 			expectedReq: createRequest(
 				t,
 				"GET",
 				"https://portainer.io/api/docker/test?a=5&b=6&c=7",
-				map[string]string{"Accept-Encoding": "gzip", "Accept": "application/json", "User-Agent": "something"},
+				map[string]string{
+					"Accept":                  "application/json",
+					"Accept-Encoding":         "gzip",
+					"Accept-Language":         "en-GB",
+					"Cache-Control":           "None",
+					"Content-Length":          "100",
+					"Content-Type":            "application/json",
+					"Private-Token":           "test-private-token",
+					"User-Agent":              "test-user-agent",
+					"X-Portaineragent-Target": "test-agent-1",
+					"X-Portainer-Volumename":  "test-volume-1",
+					"X-Registry-Auth":         "test-registry-auth",
+				},
+				true,
+			),
+		},
+		{
+			name:   "Non canonical Headers",
+			target: createURL(t, "https://portainer.io/api/docker?a=5&b=6"),
+			req: createRequest(
+				t,
+				"GET",
+				"https://agent-portainer.io/test?c=7",
+				map[string]string{
+					"Accept":                             "application/json",
+					"Accept-Encoding":                    "gzip",
+					"Accept-Language":                    "en-GB",
+					"Cache-Control":                      "None",
+					"Content-Length":                     "100",
+					"Content-Type":                       "application/json",
+					"Private-Token":                      "test-private-token",
+					"User-Agent":                         "test-user-agent",
+					portainer.PortainerAgentTargetHeader: "test-agent-1",
+					"X-Portainer-VolumeName":             "test-volume-1",
+					"X-Registry-Auth":                    "test-registry-auth",
+				},
+				false,
+			),
+			expectedReq: createRequest(
+				t,
+				"GET",
+				"https://portainer.io/api/docker/test?a=5&b=6&c=7",
+				map[string]string{
+					"Accept":          "application/json",
+					"Accept-Encoding": "gzip",
+					"Accept-Language": "en-GB",
+					"Cache-Control":   "None",
+					"Content-Length":  "100",
+					"Content-Type":    "application/json",
+					"Private-Token":   "test-private-token",
+					"User-Agent":      "test-user-agent",
+					"X-Registry-Auth": "test-registry-auth",
+				},
+				true,
 			),
 		},
 	}
@@ -92,13 +162,17 @@ func createURL(t *testing.T, urlString string) *url.URL {
 	return parsedURL
 }
 
-func createRequest(t *testing.T, method, url string, headers map[string]string) *http.Request {
+func createRequest(t *testing.T, method, url string, headers map[string]string, canonicalHeaders bool) *http.Request {
 	req, err := http.NewRequest(method, url, nil)
 	if err != nil {
 		t.Fatalf("Failed to create http request: %s", err)
 	} else {
 		for k, v := range headers {
-			req.Header.Add(k, v)
+			if canonicalHeaders {
+				req.Header.Add(k, v)
+			} else {
+				req.Header[k] = []string{v}
+			}
 		}
 	}
 

From 24ff7a79112712e80ca2dedebc55f46f64510e16 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Fri, 30 May 2025 09:12:27 +0200
Subject: [PATCH 135/212] chore(deps): upgrade docker/cli to v28.2.1 |
 docker/docker to v28.2.1 | docker/compose to v2.36.2 (#758)

---
 .../test_data/output_24_to_latest.json        |   5 -
 api/http/handler/docker/dashboard.go          |   5 +-
 api/http/proxy/factory/docker/networks.go     |   4 +-
 api/portainer.go                              |   3 +-
 go.mod                                        | 183 ++++----
 go.sum                                        | 417 +++++++++---------
 pkg/snapshot/docker.go                        |   3 +-
 7 files changed, 324 insertions(+), 296 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index b0078c326..40971c519 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -678,14 +678,11 @@
           "Images": null,
           "Info": {
             "Architecture": "",
-            "BridgeNfIp6tables": false,
-            "BridgeNfIptables": false,
             "CDISpecDirs": null,
             "CPUSet": false,
             "CPUShares": false,
             "CgroupDriver": "",
             "ContainerdCommit": {
-              "Expected": "",
               "ID": ""
             },
             "Containers": 0,
@@ -709,7 +706,6 @@
             "IndexServerAddress": "",
             "InitBinary": "",
             "InitCommit": {
-              "Expected": "",
               "ID": ""
             },
             "Isolation": "",
@@ -738,7 +734,6 @@
             },
             "RegistryConfig": null,
             "RuncCommit": {
-              "Expected": "",
               "ID": ""
             },
             "Runtimes": null,
diff --git a/api/http/handler/docker/dashboard.go b/api/http/handler/docker/dashboard.go
index ad0399569..97d40e069 100644
--- a/api/http/handler/docker/dashboard.go
+++ b/api/http/handler/docker/dashboard.go
@@ -6,6 +6,7 @@ import (
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/swarm"
 	"github.com/docker/docker/api/types/volume"
 	portainer "github.com/portainer/portainer/api"
@@ -116,12 +117,12 @@ func (h *Handler) dashboard(w http.ResponseWriter, r *http.Request) *httperror.H
 			return err
 		}
 
-		networks, err := cli.NetworkList(r.Context(), types.NetworkListOptions{})
+		networks, err := cli.NetworkList(r.Context(), network.ListOptions{})
 		if err != nil {
 			return httperror.InternalServerError("Unable to retrieve Docker networks", err)
 		}
 
-		networks, err = utils.FilterByResourceControl(tx, networks, portainer.NetworkResourceControl, context, func(c types.NetworkResource) string {
+		networks, err = utils.FilterByResourceControl(tx, networks, portainer.NetworkResourceControl, context, func(c network.Summary) string {
 			return c.Name
 		})
 		if err != nil {
diff --git a/api/http/proxy/factory/docker/networks.go b/api/http/proxy/factory/docker/networks.go
index 95c96df81..cd94478d2 100644
--- a/api/http/proxy/factory/docker/networks.go
+++ b/api/http/proxy/factory/docker/networks.go
@@ -6,7 +6,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/network"
 
 	"github.com/docker/docker/client"
 
@@ -20,7 +20,7 @@ const (
 )
 
 func getInheritedResourceControlFromNetworkLabels(dockerClient *client.Client, endpointID portainer.EndpointID, networkID string, resourceControls []portainer.ResourceControl) (*portainer.ResourceControl, error) {
-	network, err := dockerClient.NetworkInspect(context.Background(), networkID, types.NetworkInspectOptions{})
+	network, err := dockerClient.NetworkInspect(context.Background(), networkID, network.InspectOptions{})
 	if err != nil {
 		return nil, err
 	}
diff --git a/api/portainer.go b/api/portainer.go
index f63d04ddb..bb383e44c 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -9,6 +9,7 @@ import (
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/system"
 	"github.com/docker/docker/api/types/volume"
 	gittypes "github.com/portainer/portainer/api/git/types"
@@ -245,7 +246,7 @@ type (
 	DockerSnapshotRaw struct {
 		Containers []DockerContainerSnapshot `json:"Containers" swaggerignore:"true"`
 		Volumes    volume.ListResponse       `json:"Volumes" swaggerignore:"true"`
-		Networks   []types.NetworkResource   `json:"Networks" swaggerignore:"true"`
+		Networks   []network.Summary         `json:"Networks" swaggerignore:"true"`
 		Images     []image.Summary           `json:"Images" swaggerignore:"true"`
 		Info       system.Info               `json:"Info" swaggerignore:"true"`
 		Version    types.Version             `json:"Version" swaggerignore:"true"`
diff --git a/go.mod b/go.mod
index 3193c560c..3a2ba0bf5 100644
--- a/go.mod
+++ b/go.mod
@@ -6,25 +6,25 @@ require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/VictoriaMetrics/fastcache v1.12.0
-	github.com/aws/aws-sdk-go-v2 v1.24.1
-	github.com/aws/aws-sdk-go-v2/credentials v1.16.16
+	github.com/aws/aws-sdk-go-v2 v1.30.3
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.27
 	github.com/aws/aws-sdk-go-v2/service/ecr v1.24.1
-	github.com/aws/smithy-go v1.19.0
+	github.com/aws/smithy-go v1.20.3
 	github.com/cbroglie/mustache v1.4.0
-	github.com/compose-spec/compose-go/v2 v2.4.5
+	github.com/compose-spec/compose-go/v2 v2.6.4
 	github.com/containers/image/v5 v5.30.1
 	github.com/coreos/go-semver v0.3.1
 	github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5
-	github.com/docker/cli v27.4.0+incompatible
-	github.com/docker/compose/v2 v2.31.0
-	github.com/docker/docker v27.4.0+incompatible
+	github.com/docker/cli v28.2.1+incompatible
+	github.com/docker/compose/v2 v2.36.2
+	github.com/docker/docker v28.2.1+incompatible
 	github.com/fvbommel/sortorder v1.1.0
 	github.com/g07cha/defender v0.0.0-20180505193036-5665c627c814
 	github.com/go-git/go-git/v5 v5.13.0
 	github.com/go-ldap/ldap/v3 v3.4.1
 	github.com/gofrs/uuid v4.2.0+incompatible
 	github.com/golang-jwt/jwt/v4 v4.5.2
-	github.com/google/go-cmp v0.6.0
+	github.com/google/go-cmp v0.7.0
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/mux v1.8.1
@@ -33,7 +33,7 @@ require (
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/joho/godotenv v1.4.0
 	github.com/jpillora/chisel v1.10.0
-	github.com/klauspost/compress v1.17.11
+	github.com/klauspost/compress v1.18.0
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
 	github.com/opencontainers/go-digest v1.0.0
 	github.com/orcaman/concurrent-map v1.0.0
@@ -46,20 +46,20 @@ require (
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/negroni v1.0.0
 	github.com/viney-shih/go-lock v1.1.1
-	go.etcd.io/bbolt v1.3.11
-	golang.org/x/crypto v0.36.0
-	golang.org/x/exp v0.0.0-20240909161429-701f63a606c0
-	golang.org/x/mod v0.21.0
-	golang.org/x/oauth2 v0.27.0
-	golang.org/x/sync v0.12.0
+	go.etcd.io/bbolt v1.4.0
+	golang.org/x/crypto v0.37.0
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
+	golang.org/x/mod v0.24.0
+	golang.org/x/oauth2 v0.29.0
+	golang.org/x/sync v0.14.0
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	helm.sh/helm/v3 v3.17.3
-	k8s.io/api v0.32.2
-	k8s.io/apimachinery v0.32.2
+	k8s.io/api v0.32.3
+	k8s.io/apimachinery v0.32.3
 	k8s.io/cli-runtime v0.32.2
-	k8s.io/client-go v0.32.2
+	k8s.io/client-go v0.32.3
 	k8s.io/kubectl v0.32.2
 	k8s.io/metrics v0.32.2
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
@@ -69,11 +69,12 @@ require github.com/gorilla/securecookie v1.1.2 // indirect
 
 require (
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
-	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
+	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/DefangLabs/secret-detector v0.0.0-20250403165618-22662109213e // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.3.0 // indirect
@@ -84,18 +85,19 @@ require (
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
 	github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
-	github.com/aws/aws-sdk-go-v2/config v1.26.6 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
@@ -106,23 +108,25 @@ require (
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/console v1.0.4 // indirect
 	github.com/containerd/containerd v1.7.24 // indirect
-	github.com/containerd/containerd/api v1.7.19 // indirect
-	github.com/containerd/continuity v0.4.4 // indirect
-	github.com/containerd/errdefs v0.3.0 // indirect
+	github.com/containerd/containerd/api v1.9.0 // indirect
+	github.com/containerd/containerd/v2 v2.1.1 // indirect
+	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
-	github.com/containerd/platforms v0.2.1 // indirect
-	github.com/containerd/ttrpc v1.2.5 // indirect
-	github.com/containerd/typeurl/v2 v2.2.0 // indirect
+	github.com/containerd/platforms v1.0.0-rc.1 // indirect
+	github.com/containerd/ttrpc v1.2.7 // indirect
+	github.com/containerd/typeurl/v2 v2.2.3 // indirect
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
-	github.com/containers/ocicrypt v1.1.10 // indirect
+	github.com/containers/ocicrypt v1.2.1 // indirect
 	github.com/containers/storage v1.53.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/buildx v0.18.0 // indirect
-	github.com/docker/cli-docs-tool v0.8.0 // indirect
+	github.com/docker/buildx v0.24.0 // indirect
+	github.com/docker/cli-docs-tool v0.9.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
-	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/docker-credential-helpers v0.9.3 // indirect
 	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
@@ -136,7 +140,7 @@ require (
 	github.com/fatih/color v1.15.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsevents v0.2.0 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.1 // indirect
 	github.com/go-errors/errors v1.4.2 // indirect
@@ -152,6 +156,7 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
@@ -161,17 +166,18 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/in-toto/in-toto-golang v0.9.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jmoiron/sqlx v1.4.0 // indirect
-	github.com/jonboulle/clockwork v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.5.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/jpillora/ansi v1.0.3 // indirect
 	github.com/jpillora/requestlog v1.0.0 // indirect
@@ -187,8 +193,8 @@ require (
 	github.com/lithammer/dedent v1.1.0 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.17 // indirect
-	github.com/mattn/go-runewidth v0.0.15 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
 	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
 	github.com/miekg/pkcs11 v1.1.1 // indirect
@@ -198,37 +204,38 @@ require (
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/moby/buildkit v0.17.2 // indirect
+	github.com/moby/buildkit v0.22.0 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
+	github.com/moby/go-archive v0.1.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
 	github.com/moby/patternmatcher v0.6.0 // indirect
 	github.com/moby/spdystream v0.5.0 // indirect
+	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/sys/capability v0.4.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/signal v0.7.1 // indirect
 	github.com/moby/sys/symlink v0.3.0 // indirect
-	github.com/moby/sys/user v0.3.0 // indirect
+	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
-	github.com/moby/term v0.5.0 // indirect
+	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/opencontainers/runtime-spec v1.2.0 // indirect
+	github.com/opencontainers/image-spec v1.1.1 // indirect
+	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_golang v1.19.1 // indirect
+	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.55.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
-	github.com/r3labs/sse v0.0.0-20210224172625-26fe804710bc // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
 	github.com/rubenv/sql-migrate v1.7.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -241,57 +248,59 @@ require (
 	github.com/skeema/knownhosts v1.3.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
 	github.com/spf13/cast v1.7.0 // indirect
-	github.com/spf13/cobra v1.8.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/theupdateframework/notary v0.7.0 // indirect
 	github.com/tilt-dev/fsnotify v1.4.8-0.20220602155310-fff9c274a375 // indirect
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
-	github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205 // indirect
-	github.com/tonistiigi/fsutil v0.0.0-20241028165955-397af5306b5c // indirect
+	github.com/tonistiigi/dchapes-mode v0.0.0-20250318174251-73d941a28323 // indirect
+	github.com/tonistiigi/fsutil v0.0.0-20250417144416-3f76f8130144 // indirect
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/ulikunitz/xz v0.5.11 // indirect
-	github.com/vbatts/tar-split v0.11.5 // indirect
+	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect
-	go.opentelemetry.io/otel v1.28.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0 // indirect
-	go.opentelemetry.io/otel/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.28.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.28.0 // indirect
-	go.opentelemetry.io/otel/trace v1.28.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.3.1 // indirect
-	go.uber.org/mock v0.5.0 // indirect
-	golang.org/x/net v0.38.0 // indirect
-	golang.org/x/sys v0.31.0 // indirect
-	golang.org/x/term v0.30.0 // indirect
-	golang.org/x/text v0.23.0 // indirect
-	golang.org/x/time v0.7.0 // indirect
-	google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 // indirect
-	google.golang.org/grpc v1.68.0 // indirect
-	google.golang.org/protobuf v1.35.1 // indirect
-	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect
+	github.com/zclconf/go-cty v1.16.2 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
+	go.opentelemetry.io/otel/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.35.0 // indirect
+	go.opentelemetry.io/otel/trace v1.35.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.uber.org/mock v0.5.2 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.11.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
+	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	k8s.io/apiextensions-apiserver v0.32.2 // indirect
-	k8s.io/apiserver v0.32.2 // indirect
-	k8s.io/component-base v0.32.2 // indirect
+	k8s.io/apiserver v0.32.3 // indirect
+	k8s.io/component-base v0.32.3 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
@@ -301,5 +310,5 @@ require (
 	sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
-	tags.cncf.io/container-device-interface v0.8.0 // indirect
+	tags.cncf.io/container-device-interface v1.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index 3f4be510b..b79c1d644 100644
--- a/go.sum
+++ b/go.sum
@@ -2,14 +2,12 @@ dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 h1:bvDV9vkmnHYOMsOr4WLk+Vo07yKIzd94sVoIqshQ4bU=
-github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
-github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 h1:59MxjQVfjXsBpLy+dbd2/ELV5ofnUkUZBvWSC85sheA=
-github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0/go.mod h1:OahwfttHWG6eJ0clwcfBAHoDI6X/LV/15hx/wlMZSrU=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 h1:He8afgbRMd7mFxO99hRNu+6tazq8nFF9lIwo9JFroBk=
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6/go.mod h1:8o94RPi1/7XTJvwPpRSzSUedZrtlirdB3r9Z20bi2f8=
 github.com/AlecAivazis/survey/v2 v2.3.7 h1:6I/u8FvytdGsgonrYsVn2t8t4QiRnh6QSTqkkhIiSjQ=
 github.com/AlecAivazis/survey/v2 v2.3.7/go.mod h1:xUTIdE4KCOIjsBAE1JYsUPoCqYdZ1reCfTwbto0Fduo=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
-github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEKWjV8V+WSxDXJ4NFATAsZjh8iIbsQIg=
+github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
@@ -17,6 +15,8 @@ github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
 github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
+github.com/DefangLabs/secret-detector v0.0.0-20250403165618-22662109213e h1:rd4bOvKmDIx0WeTv9Qz+hghsgyjikFiPrseXHlKepO0=
+github.com/DefangLabs/secret-detector v0.0.0-20250403165618-22662109213e/go.mod h1:blbwPQh4DTlCZEfk1BLU4oMIhLda2U+A840Uag9DsZw=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
@@ -32,8 +32,8 @@ github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA4
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/Microsoft/hcsshim v0.12.5 h1:bpTInLlDy/nDRWFVcefDZZ1+U8tS+rz3MxjKgu9boo0=
-github.com/Microsoft/hcsshim v0.12.5/go.mod h1:tIUGego4G1EN5Hb6KC90aDYiUI2dqLSTTOCjVNpOgZ8=
+github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWSeaA=
+github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
@@ -59,38 +59,40 @@ github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2 h1:axBiC50cNZ
 github.com/andrew-d/go-termutil v0.0.0-20150726205930-009166a695a2/go.mod h1:jnzFpU88PccN/tPPhCpnNU8mZphvKxYM9lLNkd8e+os=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
+github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
+github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
 github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
-github.com/aws/aws-sdk-go-v2 v1.24.1 h1:xAojnj+ktS95YZlDf0zxWBkbFtymPeDP+rvUQIH3uAU=
-github.com/aws/aws-sdk-go-v2 v1.24.1/go.mod h1:LNh45Br1YAkEKaAqvmE1m8FUx6a5b/V0oAKV7of29b4=
-github.com/aws/aws-sdk-go-v2/config v1.26.6 h1:Z/7w9bUqlRI0FFQpetVuFYEsjzE3h7fpU6HuGmfPL/o=
-github.com/aws/aws-sdk-go-v2/config v1.26.6/go.mod h1:uKU6cnDmYCvJ+pxO9S4cWDb2yWWIH5hra+32hVh1MI4=
-github.com/aws/aws-sdk-go-v2/credentials v1.16.16 h1:8q6Rliyv0aUFAVtzaldUEcS+T5gbadPbWdV1WcAddK8=
-github.com/aws/aws-sdk-go-v2/credentials v1.16.16/go.mod h1:UHVZrdUsv63hPXFo1H7c5fEneoVo9UXiz36QG1GEPi0=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 h1:c5I5iH+DZcH3xOIMlz3/tCKJDaHFwYEmxvlh2fAcFo8=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11/go.mod h1:cRrYDYAMUohBJUtUnOhydaMHtiK/1NZ0Otc9lIb6O0Y=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 h1:vF+Zgd9s+H4vOXd5BMaPWykta2a6Ih0AKLq/X6NYKn4=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10/go.mod h1:6BkRjejp/GR4411UGqkX8+wFMbFbqsUIimfK4XjOKR4=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 h1:nYPe006ktcqUji8S2mqXf9c/7NdiKriOwMvWQHgYztw=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10/go.mod h1:6UV4SZkVvmODfXKql4LCbaZUpF7HO2BX38FgBf9ZOLw=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3 h1:n3GDfwqF2tzEkXlv5cuy4iy7LpKDtqDMcNLfZDu9rls=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.7.3/go.mod h1:6fQQgfuGmw8Al/3M2IgIllycxV7ZW7WCdVSqfBeUiCY=
+github.com/aws/aws-sdk-go-v2 v1.30.3 h1:jUeBtG0Ih+ZIFH0F4UkmL9w3cSpaMv9tYYDbzILP8dY=
+github.com/aws/aws-sdk-go-v2 v1.30.3/go.mod h1:nIQjQVp5sfpQcTc9mPSr1B0PaWK5ByX9MOoDadSN4lc=
+github.com/aws/aws-sdk-go-v2/config v1.27.27 h1:HdqgGt1OAP0HkEDDShEl0oSYa9ZZBSOmKpdpsDMdO90=
+github.com/aws/aws-sdk-go-v2/config v1.27.27/go.mod h1:MVYamCg76dFNINkZFu4n4RjDixhVr51HLj4ErWzrVwg=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.27 h1:2raNba6gr2IfA0eqqiP2XiQ0UVOpGPgDSi0I9iAP+UI=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.27/go.mod h1:gniiwbGahQByxan6YjQUMcW4Aov6bLC3m+evgcoN4r4=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 h1:KreluoV8FZDEtI6Co2xuNk/UqI9iwMrOx/87PBNIKqw=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11/go.mod h1:SeSUYBLsMYFoRvHE0Tjvn7kbxaUhl75CJi1sbfhMxkU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 h1:SoNJ4RlFEQEbtDcCEt+QG56MY4fm4W8rYirAmq+/DdU=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15/go.mod h1:U9ke74k1n2bf+RIgoX1SXFed1HLs51OgUSs+Ph0KJP8=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 h1:C6WHdGnTDIYETAm5iErQUiVNsclNx9qbJVPIt03B6bI=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15/go.mod h1:ZQLZqhcu+JhSrA9/NXRm8SkDvsycE+JkV3WGY41e+IM=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.24.1 h1:zqXEIhuR7RcHob2gxB/Xf1X4XuMS0vapn7xr+wCPrpg=
 github.com/aws/aws-sdk-go-v2/service/ecr v1.24.1/go.mod h1:+rWYJfms9p+D/wUN599tx3FtWvxoXCP25b8Porlrxcc=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 h1:/b31bi3YVNlkzkBrm9LfpaKoaYZUxIAj4sHfOTmLfqw=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4/go.mod h1:2aGXHFmbInwgP9ZfpmdIfOELL79zhdNYNmReK8qDfdQ=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 h1:DBYTXwIGQSGs9w4jKm60F5dmCQ3EEruxdc0MFh+3EY4=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10/go.mod h1:wohMUQiFdzo0NtxbBg0mSRGZ4vL3n0dKjLTINdcIino=
-github.com/aws/aws-sdk-go-v2/service/sso v1.18.7 h1:eajuO3nykDPdYicLlP3AGgOyVN3MOlFmZv7WGTuJPow=
-github.com/aws/aws-sdk-go-v2/service/sso v1.18.7/go.mod h1:+mJNDdF+qiUlNKNC3fxn74WWNN+sOiGOEImje+3ScPM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7 h1:QPMJf+Jw8E1l7zqhZmMlFw6w1NmfkfiSK8mS4zOx3BA=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.7/go.mod h1:ykf3COxYI0UJmxcfcxcVuz7b6uADi1FkiUz6Eb7AgM8=
-github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 h1:NzO4Vrau795RkUdSHKEwiR01FaGzGOH1EETJ+5QHnm0=
-github.com/aws/aws-sdk-go-v2/service/sts v1.26.7/go.mod h1:6h2YuIoxaMSCFf5fi1EgZAwdfkGMgDY+DVfa61uLe4U=
-github.com/aws/smithy-go v1.19.0 h1:KWFKQV80DpP3vJrrA9sVAHQ5gc2z8i4EzrLhLlWXcBM=
-github.com/aws/smithy-go v1.19.0/go.mod h1:NukqUGpCZIILqqiV0NIjeFh24kd/FAa4beRb6nbIUPE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 h1:dT3MqvGhSoaIhRseqw2I0yH81l7wiR2vjs57O51EAm8=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3/go.mod h1:GlAeCkHwugxdHaueRr4nhPuY+WW+gR8UjlcqzPr1SPI=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 h1:HGErhhrxZlQ044RiM+WdoZxp0p+EGM62y3L6pwA4olE=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17/go.mod h1:RkZEx4l0EHYDJpWppMJ3nD9wZJAa8/0lq9aVC+r2UII=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 h1:BXx0ZIxvrJdSgSvKTZ+yRBeSqqgPM89VPlulEcl37tM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.22.4/go.mod h1:ooyCOXjvJEsUw7x+ZDHeISPMhtwI3ZCB7ggFMcFfWLU=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 h1:yiwVzJW2ZxZTurVbYWA7QOrAaCYQR72t0wrSBfoesUE=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4/go.mod h1:0oxfLkpz3rQ/CHlx5hB7H69YUpFiI1tql6Q6Ne+1bCw=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 h1:ZsDKRLXGWHk8WdtyYMoGNO7bTudrvuKpDKgMVRlepGE=
+github.com/aws/aws-sdk-go-v2/service/sts v1.30.3/go.mod h1:zwySh8fpFyXp9yOr/KVzxOl8SRqgf/IDw5aUt9UKFcQ=
+github.com/aws/smithy-go v1.20.3 h1:ryHwveWzPV5BIof6fyDvor6V3iUL7nTfiTKXHiW05nE=
+github.com/aws/smithy-go v1.20.3/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
 github.com/beorn7/perks v0.0.0-20150223135152-b965b613227f/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
 github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@@ -127,52 +129,58 @@ github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vc
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb/go.mod h1:ZjrT6AXHbDs86ZSdt/osfBi5qfexBrKUdONk989Wnk4=
-github.com/compose-spec/compose-go/v2 v2.4.5 h1:p4ih4Jb6VgGPLPxh3fSFVKAjFHtZd+7HVLCSFzcFx9Y=
-github.com/compose-spec/compose-go/v2 v2.4.5/go.mod h1:lFN0DrMxIncJGYAXTfWuajfwj5haBJqrBkarHcnjJKc=
+github.com/compose-spec/compose-go/v2 v2.6.4 h1:Gjv6x8eAhqwwWvoXIo0oZ4bDQBh0OMwdU7LUL9PDLiM=
+github.com/compose-spec/compose-go/v2 v2.6.4/go.mod h1:vPlkN0i+0LjLf9rv52lodNMUTJF5YHVfHVGLLIP67NA=
 github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM=
-github.com/containerd/cgroups/v3 v3.0.2 h1:f5WFqIVSgo5IZmtTT3qVBo6TzI1ON6sycSBKkymb9L0=
-github.com/containerd/cgroups/v3 v3.0.2/go.mod h1:JUgITrzdFqp42uI2ryGA+ge0ap/nxzYgkGmIcetmErE=
+github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJHo6Bzo=
+github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
 github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA=
 github.com/containerd/containerd v1.7.24/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
-github.com/containerd/containerd/api v1.7.19 h1:VWbJL+8Ap4Ju2mx9c9qS1uFSB1OVYr5JJrW2yT5vFoA=
-github.com/containerd/containerd/api v1.7.19/go.mod h1:fwGavl3LNwAV5ilJ0sbrABL44AQxmNjDRcwheXDb6Ig=
-github.com/containerd/continuity v0.4.4 h1:/fNVfTJ7wIl/YPMHjf+5H32uFhl63JucB34PlCpMKII=
-github.com/containerd/continuity v0.4.4/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
-github.com/containerd/errdefs v0.3.0 h1:FSZgGOeK4yuT/+DnF07/Olde/q4KBoMsaamhXxIMDp4=
-github.com/containerd/errdefs v0.3.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=
+github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=
+github.com/containerd/containerd/v2 v2.1.1 h1:znnkm7Ajz8lg8BcIPMhc/9yjBRN3B+OkNKqKisKfwwM=
+github.com/containerd/containerd/v2 v2.1.1/go.mod h1:zIfkQj4RIodclYQkX7GSSswSwgP8d/XxDOtOAoSDIGU=
+github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
+github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY=
 github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
-github.com/containerd/nydus-snapshotter v0.14.0 h1:6/eAi6d7MjaeLLuMO8Udfe5GVsDudmrDNO4SGETMBco=
-github.com/containerd/nydus-snapshotter v0.14.0/go.mod h1:TT4jv2SnIDxEBu4H2YOvWQHPOap031ydTaHTuvc5VQk=
-github.com/containerd/platforms v0.2.1 h1:zvwtM3rz2YHPQsF2CHYM8+KtB5dvhISiXh5ZpSBQv6A=
-github.com/containerd/platforms v0.2.1/go.mod h1:XHCb+2/hzowdiut9rkudds9bE5yJ7npe7dG/wG+uFPw=
-github.com/containerd/stargz-snapshotter v0.15.1 h1:fpsP4kf/Z4n2EYnU0WT8ZCE3eiKDwikDhL6VwxIlgeA=
-github.com/containerd/stargz-snapshotter/estargz v0.15.1 h1:eXJjw9RbkLFgioVaTG+G/ZW/0kEe2oEKCdS/ZxIyoCU=
-github.com/containerd/stargz-snapshotter/estargz v0.15.1/go.mod h1:gr2RNwukQ/S9Nv33Lt6UC7xEx58C+LHRdoqbEKjz1Kk=
-github.com/containerd/ttrpc v1.2.5 h1:IFckT1EFQoFBMG4c3sMdT8EP3/aKfumK1msY+Ze4oLU=
-github.com/containerd/ttrpc v1.2.5/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
-github.com/containerd/typeurl/v2 v2.2.0 h1:6NBDbQzr7I5LHgp34xAXYF5DOTQDn05X58lsPEmzLso=
-github.com/containerd/typeurl/v2 v2.2.0/go.mod h1:8XOOxnyatxSWuG8OfsZXVnAF4iZfedjS/8UHSPJnX4g=
+github.com/containerd/nydus-snapshotter v0.15.0 h1:RqZRs1GPeM6T3wmuxJV9u+2Rg4YETVMwTmiDeX+iWC8=
+github.com/containerd/nydus-snapshotter v0.15.0/go.mod h1:biq0ijpeZe0I5yZFSJyHzFSjjRZQ7P7y/OuHyd7hYOw=
+github.com/containerd/platforms v1.0.0-rc.1 h1:83KIq4yy1erSRgOVHNk1HYdPvzdJ5CnsWaRoJX4C41E=
+github.com/containerd/platforms v1.0.0-rc.1/go.mod h1:J71L7B+aiM5SdIEqmd9wp6THLVRzJGXfNuWCZCllLA4=
+github.com/containerd/plugin v1.0.0 h1:c8Kf1TNl6+e2TtMHZt+39yAPDbouRH9WAToRjex483Y=
+github.com/containerd/plugin v1.0.0/go.mod h1:hQfJe5nmWfImiqT1q8Si3jLv3ynMUIBB47bQ+KexvO8=
+github.com/containerd/stargz-snapshotter v0.16.3 h1:zbQMm8dRuPHEOD4OqAYGajJJUwCeUzt4j7w9Iaw58u4=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3 h1:7evrXtoh1mSbGj/pfRccTampEyKpjpOnS3CyiV1Ebr8=
+github.com/containerd/stargz-snapshotter/estargz v0.16.3/go.mod h1:uyr4BfYfOj3G9WBVE8cOlQmXAbPN9VEQpBBeJIuOipU=
+github.com/containerd/ttrpc v1.2.7 h1:qIrroQvuOL9HQ1X6KHe2ohc7p+HP/0VE6XPU7elJRqQ=
+github.com/containerd/ttrpc v1.2.7/go.mod h1:YCXHsb32f+Sq5/72xHubdiJRQY9inL4a4ZQrAbN1q9o=
+github.com/containerd/typeurl/v2 v2.2.3 h1:yNA/94zxWdvYACdYO8zofhrTVuQY73fFU1y++dYSw40=
+github.com/containerd/typeurl/v2 v2.2.3/go.mod h1:95ljDnPfD3bAbDJRugOiShd/DlAAsxGtUBhJxIn7SCk=
 github.com/containers/image/v5 v5.30.1 h1:AKrQMgOKI1oKx5FW5eoU2xoNyzACajHGx1O3qxobvFM=
 github.com/containers/image/v5 v5.30.1/go.mod h1:gSD8MVOyqBspc0ynLsuiMR9qmt8UQ4jpVImjmK0uXfk=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 h1:Qzk5C6cYglewc+UyGf6lc8Mj2UaPTHy/iF2De0/77CA=
 github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01/go.mod h1:9rfv8iPl1ZP7aqh9YA68wnZv2NUDbXdcdPHVz0pFbPY=
-github.com/containers/ocicrypt v1.1.10 h1:r7UR6o8+lyhkEywetubUUgcKFjOWOaWz8cEBrCPX0ic=
-github.com/containers/ocicrypt v1.1.10/go.mod h1:YfzSSr06PTHQwSTUKqDSjish9BeW1E4HUmreluQcMd8=
+github.com/containers/ocicrypt v1.2.1 h1:0qIOTT9DoYwcKmxSt8QJt+VzMY18onl9jUXsxpVhSmM=
+github.com/containers/ocicrypt v1.2.1/go.mod h1:aD0AAqfMp0MtwqWgHM1bUwe1anx0VazI108CRrSKINQ=
 github.com/containers/storage v1.53.0 h1:VSES3C/u1pxjTJIXvLrSmyP7OBtDky04oGu07UvdTEA=
 github.com/containers/storage v1.53.0/go.mod h1:pujcoOSc+upx15Jirdkebhtd8uJiLwbSd/mYT6zDJK8=
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
-github.com/creack/pty v1.1.21 h1:1/QdRyBaHHJP61QkWMXlOIBfsgdDeeKfK8SYVUWJKf0=
-github.com/creack/pty v1.1.21/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
+github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
+github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
 github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -186,21 +194,21 @@ github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aB
 github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/buildx v0.18.0 h1:rSauXHeJt90NvtXrLK5J992Eb0UPJZs2vV3u1zTf1nE=
-github.com/docker/buildx v0.18.0/go.mod h1:JGNSshOhHs5FhG3u51jXUf4lLOeD2QBIlJ2vaRB67p4=
-github.com/docker/cli v27.4.0+incompatible h1:/nJzWkcI1MDMN+U+px/YXnQWJqnu4J+QKGTfD6ptiTc=
-github.com/docker/cli v27.4.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/cli-docs-tool v0.8.0 h1:YcDWl7rQJC3lJ7WVZRwSs3bc9nka97QLWfyJQli8yJU=
-github.com/docker/cli-docs-tool v0.8.0/go.mod h1:8TQQ3E7mOXoYUs811LiPdUnAhXrcVsBIrW21a5pUbdk=
-github.com/docker/compose/v2 v2.31.0 h1:8Sm0c4MjIhksguxIA5koYMXoTJDAp/CaZ1cdZrMvMdw=
-github.com/docker/compose/v2 v2.31.0/go.mod h1:oQq3UDEdsnB3AUO72AxaoeLbkCgmUu1+8tLzvmphmXA=
+github.com/docker/buildx v0.24.0 h1:qiD+xktY+Fs3R79oz8M+7pbhip78qGLx6LBuVmyb+64=
+github.com/docker/buildx v0.24.0/go.mod h1:vYkdBUBjFo/i5vUE0mkajGlk03gE0T/HaGXXhgIxo8E=
+github.com/docker/cli v28.2.1+incompatible h1:AYyTcuwvhl9dXdyCiXlOGXiIqSNYzTmaDNpxIISPGsM=
+github.com/docker/cli v28.2.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli-docs-tool v0.9.0 h1:CVwQbE+ZziwlPqrJ7LRyUF6GvCA+6gj7MTCsayaK9t0=
+github.com/docker/cli-docs-tool v0.9.0/go.mod h1:ClrwlNW+UioiRyH9GiAOe1o3J/TsY3Tr1ipoypjAUtc=
+github.com/docker/compose/v2 v2.36.2 h1:rxk1PUUbhbAS6HkGsYo9xUmMBpKtVwFMNCQjE4+i5fk=
+github.com/docker/compose/v2 v2.36.2/go.mod h1:mZygkne+MAMu/e1B28PBFmG0Z0WefbxZ/IpcjSFdrw8=
 github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v27.4.0+incompatible h1:I9z7sQ5qyzO0BfAb9IMOawRkAGxhYsidKiTMcm0DU+A=
-github.com/docker/docker v27.4.0+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
-github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=
-github.com/docker/docker-credential-helpers v0.8.2/go.mod h1:P3ci7E3lwkZg6XiHdRKft1KckHiO9a2rNtyFbZ/ry9M=
+github.com/docker/docker v28.2.1+incompatible h1:aTSWVTDStpHbnRu0xBcGoJEjRf5EQKt6nik6Vif8sWw=
+github.com/docker/docker v28.2.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker-credential-helpers v0.9.3 h1:gAm/VtF9wgqJMoxzT3Gj5p4AqIjCBS4wrsOh9yRqcz8=
+github.com/docker/docker-credential-helpers v0.9.3/go.mod h1:x+4Gbw9aGmChi3qTLZj8Dfn0TD20M/fuWy0E5+WDeCo=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c h1:lzqkGL9b3znc+ZUgi7FlLnqjQhcXxkNM/quxIjBVMD0=
 github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c/go.mod h1:CADgU4DSXK5QUlFslkQu2yW2TKzFZcXq/leZfM0UH5Q=
 github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec=
@@ -242,8 +250,8 @@ github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7z
 github.com/fsnotify/fsevents v0.2.0 h1:BRlvlqjvNTfogHfeBOFvSC9N0Ddy+wzQCQukyoD7o/c=
 github.com/fsnotify/fsevents v0.2.0/go.mod h1:B3eEk39i4hz8y1zaWS/wPrAP4O6wkIl7HQwKBr1qH/w=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/fvbommel/sortorder v1.1.0 h1:fUmoe+HLsBTctBDoaBwpQo5N+nrCp8g/BjKb/6ZQmYw=
 github.com/fvbommel/sortorder v1.1.0/go.mod h1:uk88iVf1ovNn1iLfgUVU2F9o5eO30ui720w+kxuqRs0=
 github.com/fxamacker/cbor/v2 v2.7.0 h1:iM5WgngdRBanHcxugY4JySA0nk1wZorNOpTgCMedv5E=
@@ -305,6 +313,8 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -327,8 +337,8 @@ github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvR
 github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -353,8 +363,8 @@ github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 h1:bkypFPDjIYGfCYD5mRBvpqxfYX1YCS1PXdKYWi8FsN0=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0/go.mod h1:P+Lt/0by1T8bfcF3z737NnSbmxQAppXMRziHUxPOC8k=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 h1:e9Rjr40Z98/clHv5Yg79Is0NtosR5LXRvdr7o/6NwbA=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1/go.mod h1:tIxuGz/9mpox++sgp9fJjHO0+q1X9/UOWd798aAm22M=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -378,6 +388,8 @@ github.com/in-toto/in-toto-golang v0.9.0/go.mod h1:xsBVrVsHNsB61++S6Dy2vWosKhuA3
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf h1:FtEj8sfIcaaBfAKrE1Cwb61YDtYq9JxChK1c7AKce7s=
+github.com/inhies/go-bytesize v0.0.0-20220417184213-4913239db9cf/go.mod h1:yrqSXGoD/4EKfF26AOGzscPOgTTJcyAwM2rpixWT+t4=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/jinzhu/gorm v0.0.0-20170222002820-5409931a1bb8 h1:CZkYfurY6KGhVtlalI4QwQ6T0Cu6iuY3e0x5RLu96WE=
@@ -393,8 +405,8 @@ github.com/jmoiron/sqlx v1.4.0 h1:1PLqN7S1UYp5t4SrVVnt4nUVNemrDAtxlulVe+Qgm3o=
 github.com/jmoiron/sqlx v1.4.0/go.mod h1:ZrZ7UsYB/weZdl2Bxg6jCRO9c3YHl8r3ahlKmRT4JLY=
 github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
 github.com/joho/godotenv v1.4.0/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
-github.com/jonboulle/clockwork v0.4.0 h1:p4Cf1aMWXnXAUh8lVfewRBx1zaTSYKrKMF2g3ST4RZ4=
-github.com/jonboulle/clockwork v0.4.0/go.mod h1:xgRqUGwRcjKCO1vbZUEtSLrqKoPSsUpK7fnezOII0kc=
+github.com/jonboulle/clockwork v0.5.0 h1:Hyh9A8u51kptdkR+cqRpT1EebBwTn1oK9YfGYbdFz6I=
+github.com/jonboulle/clockwork v0.5.0/go.mod h1:3mZlmanh0g2NDKO5TWZVJAfofYk64M7XN3SzBPjZF60=
 github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
 github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
 github.com/jpillora/ansi v1.0.3 h1:nn4Jzti0EmRfDxm7JtEs5LzCbNwd5sv+0aE+LdS9/ZQ=
@@ -417,8 +429,8 @@ github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
-github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
 github.com/klauspost/pgzip v1.2.6 h1:8RXeL5crjEUFnR2/Sn6GJNWtSQ3Dk8pq4CL3jvdDyjU=
 github.com/klauspost/pgzip v1.2.6/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs=
 github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c h1:N7A4JCA2G+j5fuFxCsJqjFU/sZe0mj8H0sSoSwbaikw=
@@ -434,6 +446,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
+github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
 github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
 github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
@@ -445,8 +459,9 @@ github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de h1:9TO3cAIGXtEhn
 github.com/liggitt/tabwriter v0.0.0-20181228230101-89fcab3d43de/go.mod h1:zAbeS9B/r2mtpb6U+EI2rYA5OAXxsYw6wTamcNW+zcE=
 github.com/lithammer/dedent v1.1.0 h1:VNzHMVCBNG1j0fh3OrsFRkVUwStdDArbgBWoPAffktY=
 github.com/lithammer/dedent v1.1.0/go.mod h1:jrXYCQtgg0nJiN+StA2KgR7w6CiQNv9Fd/Z9BP0jIOc=
-github.com/magiconair/properties v1.5.3 h1:C8fxWnhYyME3n0klPOhVM7PtYUB3eV1W3DeFmN3j53Y=
 github.com/magiconair/properties v1.5.3/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
+github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
+github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
 github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
@@ -456,10 +471,10 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27kJ6hsGG94=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng=
-github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
-github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
-github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-shellwords v1.0.12 h1:M2zGm7EW6UQJvDeQxo4T51eKPurbeFbe8WtebGE2xrk=
 github.com/mattn/go-shellwords v1.0.12/go.mod h1:EZzvwXDESEeg03EKmM+RmDnNOPKG4lLtQsUlTZDWQ8Y=
 github.com/mattn/go-sqlite3 v1.6.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
@@ -486,16 +501,20 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
-github.com/moby/buildkit v0.17.2 h1:/jgk/MuXbA7jeXMkknOpHYB+Ct4aNvQHkBB7SxD3D4U=
-github.com/moby/buildkit v0.17.2/go.mod h1:vr5vltV8wt4F2jThbNOChfbAklJ0DOW11w36v210hOg=
+github.com/moby/buildkit v0.22.0 h1:aWN06w1YGSVN1XfeZbj2ZbgY+zi5xDAjEFI8Cy9fTjA=
+github.com/moby/buildkit v0.22.0/go.mod h1:j4pP5hxiTWcz7xuTK2cyxQislHl/N2WWHzOy43DlLJw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/go-archive v0.1.0 h1:Kk/5rdW/g+H8NHdJW2gsXyZ7UnzvJNOy6VKJqueWdcQ=
+github.com/moby/go-archive v0.1.0/go.mod h1:G9B+YoujNohJmrIYFBpSd54GTUB4lt9S+xVQvsJyFuo=
 github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg=
 github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc=
 github.com/moby/patternmatcher v0.6.0 h1:GmP9lR19aU5GqSSFko+5pRqHi+Ohk1O69aFiKkVGiPk=
 github.com/moby/patternmatcher v0.6.0/go.mod h1:hDPoyOpDY7OrrMDLaYoY3hf52gNCR/YOUYxkhApJIxc=
 github.com/moby/spdystream v0.5.0 h1:7r0J1Si3QO/kjRitvSLVVFUjxMEb/YLj6S9FF62JBCU=
 github.com/moby/spdystream v0.5.0/go.mod h1:xBAYlnt/ay+11ShkdFKNAG7LsyK/tmNBVvVOwrfMgdI=
+github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
+github.com/moby/sys/atomicwriter v0.1.0/go.mod h1:Ul8oqv2ZMNHOceF643P6FKPXeCmYtlQMvpizfsSoaWs=
 github.com/moby/sys/capability v0.4.0 h1:4D4mI6KlNtWMCM1Z/K0i7RV1FkX+DBDHKVJpCndZoHk=
 github.com/moby/sys/capability v0.4.0/go.mod h1:4g9IK291rVkms3LKCDOoYlnV8xKwoDTpIrNEE35Wq0I=
 github.com/moby/sys/mountinfo v0.7.2 h1:1shs6aH5s4o5H2zQLn796ADW1wMrIwHsyJ2v9KouLrg=
@@ -506,12 +525,12 @@ github.com/moby/sys/signal v0.7.1 h1:PrQxdvxcGijdo6UXXo/lU/TvHUWyPhj7UOpSo8tuvk0
 github.com/moby/sys/signal v0.7.1/go.mod h1:Se1VGehYokAkrSQwL4tDzHvETwUZlnY7S5XtQ50mQp8=
 github.com/moby/sys/symlink v0.3.0 h1:GZX89mEZ9u53f97npBy4Rc3vJKj7JBDj/PN2I22GrNU=
 github.com/moby/sys/symlink v0.3.0/go.mod h1:3eNdhduHmYPcgsJtZXW1W4XUJdZGBIkttZ8xKqPUJq0=
-github.com/moby/sys/user v0.3.0 h1:9ni5DlcW5an3SvRSx4MouotOygvzaXbaSrc/wGDFWPo=
-github.com/moby/sys/user v0.3.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
+github.com/moby/sys/user v0.4.0 h1:jhcMKit7SA80hivmFJcbB1vqmw//wU61Zdui2eQXuMs=
+github.com/moby/sys/user v0.4.0/go.mod h1:bG+tYYYJgaMtRKgEmuueC0hJEAZWwtIbZTB+85uoHjs=
 github.com/moby/sys/userns v0.1.0 h1:tVLXkFOxVu9A64/yh59slHVv9ahO9UIev4JZusOLG/g=
 github.com/moby/sys/userns v0.1.0/go.mod h1:IHUYgu/kao6N8YZlp9Cf444ySSvCmDlmzUcYfDHOl28=
-github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
-github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
+github.com/moby/term v0.5.2 h1:6qk3FJAFDs6i/q3W/pQ97SX192qKfZgGjCQqfCJkgzQ=
+github.com/moby/term v0.5.2/go.mod h1:d3djjFCrjnB+fl8NJux+EJzu0msscUP+f8it8hPkFLc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -542,12 +561,12 @@ github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.0.1/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0=
-github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
-github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/opencontainers/runtime-spec v1.2.0 h1:z97+pHb3uELt/yiAWD691HNHQIF07bE7dzrbT927iTk=
-github.com/opencontainers/runtime-spec v1.2.0/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
-github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
-github.com/opencontainers/selinux v1.11.0/go.mod h1:E5dMC3VPuVvVHDYmi78qvhJp8+M586T4DlDRYpFkyec=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU8lpJfSlR0xww=
+github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
+github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
+github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
 github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
@@ -578,8 +597,8 @@ github.com/prometheus/client_golang v0.9.0-pre1.0.20180209125602-c332b6f63c06/go
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.1.0/go.mod h1:I1FGZT9+L76gKKOs5djB6ezCbFQP1xR9D75/vuwEF3g=
-github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
-github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
+github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
 github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@@ -588,23 +607,21 @@ github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQy
 github.com/prometheus/common v0.0.0-20180110214958-89604d197083/go.mod h1:daVV7qP5qjZbuso7PdcryaAu0sAZbrN9i7WWcTMWvro=
 github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y86RQel1bk4=
 github.com/prometheus/common v0.6.0/go.mod h1:eBmuwkDJBwy6iBfxCBob6t6dR6ENT/y+J+Zk0j9GMYc=
-github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G1dc=
-github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
+github.com/prometheus/common v0.62.0 h1:xasJaQlnWAeyHdUBeGjXmutelfJHWMRr+Fg4QszZ2Io=
+github.com/prometheus/common v0.62.0/go.mod h1:vyBcEuLSvWos9B1+CyL7JZ2up+uFzXhkqml0W5zIY1I=
 github.com/prometheus/procfs v0.0.0-20180125133057-cb4147076ac7/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/r3labs/sse v0.0.0-20210224172625-26fe804710bc h1:zAsgcP8MhzAbhMnB1QQ2O7ZhWYVGYSR2iVcjzQuPV+o=
-github.com/r3labs/sse v0.0.0-20210224172625-26fe804710bc/go.mod h1:S8xSOnV3CgpNrWd0GQ/OoQfMtlg2uPRSuTzcSGrzwK8=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/robfig/cron/v3 v3.0.1 h1:WdRxkvbJztn8LMz/QEvLN5sBU+xKpSqwwUO1Pjr4qDs=
 github.com/robfig/cron/v3 v3.0.1/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
 github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
@@ -642,13 +659,13 @@ github.com/spf13/cast v0.0.0-20150508191742-4d07383ffe94/go.mod h1:r2rcYCSwa1IEx
 github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
 github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v0.0.1/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431 h1:XTHrT015sxHyJ5FnQ0AeemSspZWaDq7DoTRW0EVsDCE=
 github.com/spf13/jwalterweatherman v0.0.0-20141219030609-3d60171a6431/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v1.0.0/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c h1:2EejZtjFjKJGk71ANb+wtFK5EjUzUkEM3R0xnp559xg=
 github.com/spf13/viper v0.0.0-20150530192845-be5ff3e4840c/go.mod h1:A8kyI5cUJhb8N+3pkfONlcEcZbueH6nhAm0Fq7SrnBM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -677,10 +694,10 @@ github.com/tilt-dev/fsnotify v1.4.8-0.20220602155310-fff9c274a375 h1:QB54BJwA6x8
 github.com/tilt-dev/fsnotify v1.4.8-0.20220602155310-fff9c274a375/go.mod h1:xRroudyp5iVtxKqZCrA6n2TLFRBf8bmnjr1UD4x+z7g=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce h1:fb190+cK2Xz/dvi9Hv8eCYJYvIGUTN2/KLq1pT6CjEc=
 github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce/go.mod h1:o8v6yHRoik09Xen7gje4m9ERNah1d1PPsVq1VEx9vE4=
-github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205 h1:eUk79E1w8yMtXeHSzjKorxuC8qJOnyXQnLaJehxpJaI=
-github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205/go.mod h1:3Iuxbr0P7D3zUzBMAZB+ois3h/et0shEz0qApgHYGpY=
-github.com/tonistiigi/fsutil v0.0.0-20241028165955-397af5306b5c h1:bQLsfX+uEPZUjyR2qmoJs5F8Z57bPVmF3IsUf22Xo9Y=
-github.com/tonistiigi/fsutil v0.0.0-20241028165955-397af5306b5c/go.mod h1:Dl/9oEjK7IqnjAm21Okx/XIxUCFJzvh+XdVHUlBwXTw=
+github.com/tonistiigi/dchapes-mode v0.0.0-20250318174251-73d941a28323 h1:r0p7fK56l8WPequOaR3i9LBqfPtEdXIQbUTzT55iqT4=
+github.com/tonistiigi/dchapes-mode v0.0.0-20250318174251-73d941a28323/go.mod h1:3Iuxbr0P7D3zUzBMAZB+ois3h/et0shEz0qApgHYGpY=
+github.com/tonistiigi/fsutil v0.0.0-20250417144416-3f76f8130144 h1:k9tdF32oJYwtjzMx+D26M6eYiCaAPdJ7tyN7tF1oU5Q=
+github.com/tonistiigi/fsutil v0.0.0-20250417144416-3f76f8130144/go.mod h1:BKdcez7BiVtBvIcef90ZPc6ebqIWr4JWD7+EvLm6J98=
 github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4 h1:7I5c2Ig/5FgqkYOh/N87NzoyI9U15qUPXhDD8uCupv8=
 github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4/go.mod h1:278M4p8WsNh3n4a1eqiFcV2FGk7wE5fwUpUom9mK9lE=
 github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea h1:SXhTLE6pb6eld/v/cCndK0AMpt1wiVFb/YYmqB3/QG0=
@@ -691,8 +708,8 @@ github.com/ulikunitz/xz v0.5.11 h1:kpFauv27b6ynzBNT/Xy+1k+fK4WswhN/6PN5WhFAGw8=
 github.com/ulikunitz/xz v0.5.11/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/urfave/negroni v1.0.0 h1:kIimOitoypq34K7TG7DUaJ9kq/N4Ofuwi1sjz0KipXc=
 github.com/urfave/negroni v1.0.0/go.mod h1:Meg73S6kFm/4PpbYdq35yYWoCZ9mS/YSx+lKnmiohz4=
-github.com/vbatts/tar-split v0.11.5 h1:3bHCTIheBm1qFTcgh9oPu+nNBtX+XJIupG/vacinCts=
-github.com/vbatts/tar-split v0.11.5/go.mod h1:yZbwRsSeGjusneWgA781EKej9HF8vme8okylkAeNKLk=
+github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnnbo=
+github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/viney-shih/go-lock v1.1.1 h1:SwzDPPAiHpcwGCr5k8xD15d2gQSo8d4roRYd7TDV2eI=
 github.com/viney-shih/go-lock v1.1.1/go.mod h1:Yijm78Ljteb3kRiJrbLAxVntkUukGu5uzSxq/xV7OO8=
 github.com/weppos/publicsuffix-go v0.15.1-0.20210511084619-b1f36a2d6c0b h1:FsyNrX12e5BkplJq7wKOLk0+C6LZ+KGXvuEcKUYm5ss=
@@ -708,6 +725,8 @@ github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHo
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+github.com/xhit/go-str2duration/v2 v2.1.0 h1:lxklc02Drh6ynqX+DdPyp5pCKLUQpRT8bp8Ydu2Bstc=
+github.com/xhit/go-str2duration/v2 v2.1.0/go.mod h1:ohY8p+0f07DiV6Em5LKB0s2YpLtXVyJfNt1+BlmyAsU=
 github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
 github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -719,46 +738,50 @@ github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMzt
 github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
 github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
+github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
+github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zmap/zcrypto v0.0.0-20210511125630-18f1e0152cfc h1:zkGwegkOW709y0oiAraH/3D8njopUR/pARHv4tZZ6pw=
 github.com/zmap/zcrypto v0.0.0-20210511125630-18f1e0152cfc/go.mod h1:FM4U1E3NzlNMRnSUTU3P1UdukWhYGifqEsjk9fn7BCk=
 github.com/zmap/zlint/v3 v3.1.0 h1:WjVytZo79m/L1+/Mlphl09WBob6YTGljN5IGWZFpAv0=
 github.com/zmap/zlint/v3 v3.1.0/go.mod h1:L7t8s3sEKkb0A2BxGy1IWrxt1ZATa1R4QfJZaQOD3zU=
-go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
-go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
+go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
+go.etcd.io/bbolt v1.4.0/go.mod h1:AsD+OCi/qPN1giOX1aiLAha3o1U8rAz65bvN4j0sRuk=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 h1:9G6E0TXzGFVfTnawRzrPl83iHOAV7L8NJiR8RSGYV1g=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0/go.mod h1:azvtTADFQJA8mX80jIH/akaE7h+dbm/sVuaHqN13w74=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1 h1:gbhw/u49SS3gkPWiYweQNJGm/uJN5GkI/FrosxSHT7A=
-go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.46.1/go.mod h1:GnOaBaFQ2we3b9AGWJpsBa7v1S5RlQzlC3O7dRMxZhM=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 h1:4K4tsIXefpVJtvA/8srF4V4y0akAoPHkIslgAkjixJA=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0/go.mod h1:jjdQuTGVsXV4vSs+CJ2qYDeDPf9yIJV23qlIzBm73Vg=
-go.opentelemetry.io/otel v1.28.0 h1:/SqNcYk+idO0CxKEUOtKQClMK/MimZihKYMruSMViUo=
-go.opentelemetry.io/otel v1.28.0/go.mod h1:q68ijF8Fc8CnMHKyzqL6akLO46ePnjkgfIMIjUIX9z4=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0 h1:jd0+5t/YynESZqsSyPz+7PAFdEop0dlN0+PkyHYo8oI=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v0.44.0/go.mod h1:U707O40ee1FpQGyhvqnzmCJm1Wh6OX6GGBVn0E6Uyyk=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0 h1:bflGWrfYyuulcdxf14V6n9+CoQcu5SAAdHmDPAJnlps=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v0.44.0/go.mod h1:qcTO4xHAxZLaLxPd60TdE88rxtItPHgHWqOhOGRr0as=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 h1:3Q/xZUyC1BBkualc9ROb4G8qkH90LXEIICcs5zv1OYY=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0/go.mod h1:s75jGIWA9OfCMzF0xr+ZgfrB5FEbbV7UuYo32ahUiFI=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0 h1:qFffATk0X+HD+f1Z8lswGiOQYKHRlzfmdJm0wEaVrFA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.27.0/go.mod h1:MOiCmryaYtc+V0Ei+Tx9o5S1ZjA7kzLucuVuyzBZloQ=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0 h1:Mbi5PKN7u322woPa85d7ebZ+SOvEoPvoiBu+ryHWgfA=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.25.0/go.mod h1:e7ciERRhZaOZXVjx5MiL8TK5+Xv7G5Gv5PA2ZDEJdL8=
-go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q=
-go.opentelemetry.io/otel/metric v1.28.0/go.mod h1:Fb1eVBFZmLVTMb6PPohq3TO9IIhUisDsbJoL/+uQW4s=
-go.opentelemetry.io/otel/sdk v1.28.0 h1:b9d7hIry8yZsgtbmM0DKyPWMMUMlK9NEKuIG4aBqWyE=
-go.opentelemetry.io/otel/sdk v1.28.0/go.mod h1:oYj7ClPUA7Iw3m+r7GeEjz0qckQRJK2B8zjcZEfu7Pg=
-go.opentelemetry.io/otel/sdk/metric v1.28.0 h1:OkuaKgKrgAbYrrY0t92c+cC+2F6hsFNnCQArXCKlg08=
-go.opentelemetry.io/otel/sdk/metric v1.28.0/go.mod h1:cWPjykihLAPvXKi4iZc1dpER3Jdq2Z0YLse3moQUCpg=
-go.opentelemetry.io/otel/trace v1.28.0 h1:GhQ9cUuQGmNDd5BTCP2dAvv75RdMxEfTmYejp+lkx9g=
-go.opentelemetry.io/otel/trace v1.28.0/go.mod h1:jPyXzNPg6da9+38HEwElrQiHlVMTnVfM3/yv2OlIHaI=
-go.opentelemetry.io/proto/otlp v1.3.1 h1:TrMUixzpM0yuc/znrFTP9MMRh8trP93mkCiDVeXrui0=
-go.opentelemetry.io/proto/otlp v1.3.1/go.mod h1:0X1WI4de4ZsLrrJNLAQbFeLCm3T7yBkR0XqQ7niQU+8=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 h1:4BZHA+B1wXEQoGNHxW8mURaLhcdGwvRnmhGbm+odRbc=
+go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0/go.mod h1:3qi2EEwMgB4xnKgPLqsDP3j9qxnHDZeHsnAxfjQqTko=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRNDSWJOTobXh5HyQKjq6wUC5tNybqjIqDpAY4CU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 h1:FZ6ei8GFW7kyPYdxJaV2rgI6M+4tvZzhYsQ2wgyVC08=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0/go.mod h1:MdEu/mC6j3D+tTEfvI15b5Ci2Fn7NneJ71YMoiS3tpI=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 h1:ZsXq73BERAiNuuFXYqP4MR5hBrjXfMGSO+Cx7qoOZiM=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0/go.mod h1:hg1zaDMpyZJuUzjFxFsRYBoccE86tM9Uf4IqNMUxvrY=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
+go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
+go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
+go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -770,30 +793,29 @@ golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
-golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0 h1:e66Fs6Z+fZTbFBAxKfP3PALWBtpfqks2bwGcexMxgtk=
-golang.org/x/exp v0.0.0-20240909161429-701f63a606c0/go.mod h1:2TbTHSBQa924w8M6Xs1QcRcFwyucIwBGpK1p2f1YFFY=
+golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
+golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
+golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.21.0 h1:vvrHzRwRfVKSiLrG+d4FMl/Qi4ukBCE6kZlTUkDYRT0=
-golang.org/x/mod v0.21.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20191116160921-f9c825593386/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
-golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
-golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
-golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
+golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
+golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
+golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -802,8 +824,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -830,49 +852,46 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
-golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
-golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
+golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
+golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
-golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
-golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
-golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
+golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
+golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
-golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de h1:F6qOa9AZTYJXOUEr4jDysRDLrm4PHePlge4v4TGAlxY=
-google.golang.org/genproto v0.0.0-20240227224415-6ceb2ff114de/go.mod h1:VUhTRKeHn9wwcdrk73nvdC9gF178Tzhmt/qyaFcPLSo=
-google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1 h1:hjSy6tcFQZ171igDaN5QHOw2n6vx40juYbC/x67CEhc=
-google.golang.org/genproto/googleapis/api v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:qpvKtACPCQhAdu3PyQgV4l3LMXZEtft7y8QcarRsp9I=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1 h1:pPJltXNxVzT4pK9yD8vR9X75DaWYYmLGMsEvBfFQZzQ=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240903143218-8af14fe29dc1/go.mod h1:UqMtugtsSgubUsoxbuAoiCXvqvErP7Gf0so0mK9tHxU=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.mod h1:uRxBH1mhmO8PGhU89cMcHaXKZqO+OfakD8QQO0oYwlQ=
 google.golang.org/grpc v1.0.5/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
-google.golang.org/grpc v1.68.0 h1:aHQeeJbo8zAkAa3pRzrVjZlbz6uSfeOXlJNQM0RAbz0=
-google.golang.org/grpc v1.68.0/go.mod h1:fmSPC5AsjSBCK54MyHRx48kpOti1/jRfOlwEWywNjWA=
-google.golang.org/protobuf v1.35.1 h1:m3LfL6/Ca+fqnjnlqQXNpFPABW1UD7mjh8KO2mKFytA=
-google.golang.org/protobuf v1.35.1/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
+google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
+google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
-gopkg.in/cenkalti/backoff.v1 v1.1.0 h1:Arh75ttbsvlpVA7WtVpH4u9h6Zl46xuptxqLxPiSo4Y=
-gopkg.in/cenkalti/backoff.v1 v1.1.0/go.mod h1:J6Vskwqd+OMVJl8C33mmtxTBs2gyzfv7UDAkHu8BrjI=
 gopkg.in/cenkalti/backoff.v2 v2.2.1 h1:eJ9UAg01/HIHG987TwxvnzK2MgxXq97YY6rYDpY9aII=
 gopkg.in/cenkalti/backoff.v2 v2.2.1/go.mod h1:S0QdOvT2AlerfSBkp0O+dk+bbIMaNbEmVk876gPCthU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -886,6 +905,8 @@ gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMy
 gopkg.in/gemnasium/logrus-airbrake-hook.v2 v2.1.2/go.mod h1:Xk6kEKp8OKb+X14hQBKWaSkCsqBpgog8nAV2xsGOxlo=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA=
+gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.1 h1:d4KQkxAaAiRY2h5Zqis161Pv91A37uZyJOx73duwUwM=
 gopkg.in/rethinkdb/rethinkdb-go.v6 v6.2.1/go.mod h1:WbjuEoo1oadwzQ4apSDU+JTvmllEHtsNHS6y7vFc7iw=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
@@ -901,24 +922,24 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
-gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU=
-gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU=
+gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
+gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
 helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
 helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
-k8s.io/api v0.32.2 h1:bZrMLEkgizC24G9eViHGOPbW+aRo9duEISRIJKfdJuw=
-k8s.io/api v0.32.2/go.mod h1:hKlhk4x1sJyYnHENsrdCWw31FEmCijNGPJO5WzHiJ6Y=
+k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
+k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
 k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
 k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
-k8s.io/apimachinery v0.32.2 h1:yoQBR9ZGkA6Rgmhbp/yuT9/g+4lxtsGYwW6dR6BDPLQ=
-k8s.io/apimachinery v0.32.2/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/apiserver v0.32.2 h1:WzyxAu4mvLkQxwD9hGa4ZfExo3yZZaYzoYvvVDlM6vw=
-k8s.io/apiserver v0.32.2/go.mod h1:PEwREHiHNU2oFdte7BjzA1ZyjWjuckORLIK/wLV5goM=
+k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
+k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/apiserver v0.32.3 h1:kOw2KBuHOA+wetX1MkmrxgBr648ksz653j26ESuWNY8=
+k8s.io/apiserver v0.32.3/go.mod h1:q1x9B8E/WzShF49wh3ADOh6muSfpmFL0I2t+TG0Zdgc=
 k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks=
 k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8=
-k8s.io/client-go v0.32.2 h1:4dYCD4Nz+9RApM2b/3BtVvBHw54QjMFUl1OLcJG5yOA=
-k8s.io/client-go v0.32.2/go.mod h1:fpZ4oJXclZ3r2nDOv+Ux3XcJutfrwjKTCHz2H3sww94=
-k8s.io/component-base v0.32.2 h1:1aUL5Vdmu7qNo4ZsE+569PV5zFatM9hl+lb3dEea2zU=
-k8s.io/component-base v0.32.2/go.mod h1:PXJ61Vx9Lg+P5mS8TLd7bCIr+eMJRQTyXe8KvkrvJq0=
+k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
+k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
+k8s.io/component-base v0.32.3 h1:98WJvvMs3QZ2LYHBzvltFSeJjEx7t5+8s71P7M74u8k=
+k8s.io/component-base v0.32.3/go.mod h1:LWi9cR+yPAv7cu2X9rZanTiFKB2kHA+JjmhkKjCZRpI=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
@@ -943,5 +964,5 @@ sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78/go.mod h1:B7Wf0Ya4DHF9Yw+qfZuJijQYkWicqDa+79Ytmmq3Kjg=
-tags.cncf.io/container-device-interface v0.8.0 h1:8bCFo/g9WODjWx3m6EYl3GfUG31eKJbaggyBDxEldRc=
-tags.cncf.io/container-device-interface v0.8.0/go.mod h1:Apb7N4VdILW0EVdEMRYXIDVRZfNJZ+kmEUss2kRRQ6Y=
+tags.cncf.io/container-device-interface v1.0.1 h1:KqQDr4vIlxwfYh0Ed/uJGVgX+CHAkahrgabg6Q8GYxc=
+tags.cncf.io/container-device-interface v1.0.1/go.mod h1:JojJIOeW3hNbcnOH2q0NrWNha/JuHoDZcmYxAZwb2i0=
diff --git a/pkg/snapshot/docker.go b/pkg/snapshot/docker.go
index 810dbeaa9..deaabdb08 100644
--- a/pkg/snapshot/docker.go
+++ b/pkg/snapshot/docker.go
@@ -16,6 +16,7 @@ import (
 	"github.com/docker/docker/api/types"
 	dockercontainer "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/api/types/image"
+	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/volume"
 	"github.com/docker/docker/client"
 	"github.com/docker/docker/pkg/stdcopy"
@@ -244,7 +245,7 @@ func dockerSnapshotVolumes(snapshot *portainer.DockerSnapshot, cli *client.Clien
 }
 
 func dockerSnapshotNetworks(snapshot *portainer.DockerSnapshot, cli *client.Client) error {
-	networks, err := cli.NetworkList(context.Background(), types.NetworkListOptions{})
+	networks, err := cli.NetworkList(context.Background(), network.ListOptions{})
 	if err != nil {
 		return err
 	}

From caac45b834db853fc42cdf0517b0ee674f5ba08e Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Thu, 5 Jun 2025 10:14:39 +1200
Subject: [PATCH 136/212] feat(UI): Add repository url to Helm chart
 installation list items (#769)

---
 .../HelmTemplates/HelmTemplatesListItem.tsx   | 15 ++++---------
 .../HelmTemplatesSelectedItem.test.tsx        |  2 +-
 .../HelmTemplatesSelectedItem.tsx             | 22 +++++--------------
 3 files changed, 11 insertions(+), 28 deletions(-)

diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
index de8272bcb..a1ee6a444 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesListItem.tsx
@@ -2,8 +2,6 @@ import React from 'react';
 
 import { FallbackImage } from '@/react/components/FallbackImage';
 
-import Svg from '@@/Svg';
-
 import { Chart } from '../types';
 
 import { HelmIcon } from './HelmIcon';
@@ -40,15 +38,10 @@ export function HelmTemplatesListItem(props: HelmTemplatesListItemProps) {
 
         <div className="col-sm-12 flex flex-wrap justify-between gap-2">
           <div className="blocklist-item-line">
-            <span>
-              <span className="blocklist-item-title">{model.name}</span>
-              <span className="space-left blocklist-item-subtitle">
-                <span className="vertical-center">
-                  <Svg icon="helm" className="icon icon-primary" />
-                </span>
-                <span> Helm </span>
-              </span>
-            </span>
+            <div>
+              <div className="blocklist-item-title">{model.name}</div>
+              <div className="small text-muted mt-1">{model.repo}</div>
+            </div>
           </div>
 
           <span className="blocklist-item-actions">{actions}</span>
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
index 215838ff8..f7328cc4d 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
@@ -99,7 +99,7 @@ describe('HelmTemplatesSelectedItem', () => {
     expect(screen.getByText('test-chart')).toBeInTheDocument();
     expect(screen.getByText('Test Chart Description')).toBeInTheDocument();
     expect(screen.getByText('Clear selection')).toBeInTheDocument();
-    expect(screen.getByText('Helm')).toBeInTheDocument();
+    expect(screen.getByText('https://example.com')).toBeInTheDocument();
   });
 
   it('should toggle custom values editor', async () => {
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
index baffb9655..837659fcd 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
@@ -10,7 +10,6 @@ import { useCanExit } from '@/react/hooks/useCanExit';
 import { Widget } from '@@/Widget';
 import { Button } from '@@/buttons/Button';
 import { FallbackImage } from '@@/FallbackImage';
-import Svg from '@@/Svg';
 import { Icon } from '@@/Icon';
 import { WebEditorForm } from '@@/WebEditorForm';
 import { confirmGenericDiscard } from '@@/modals/confirm';
@@ -100,22 +99,13 @@ export function HelmTemplatesSelectedItem({
                 className="h-16 w-16"
               />
               <div className="col-sm-12">
-                <div className="flex justify-between">
-                  <span>
-                    <span className="text-2xl font-bold">
-                      {selectedChart.name}
-                    </span>
-                    <span className="space-left pr-2 text-xs">
-                      <span className="vertical-center">
-                        <Svg icon="helm" className="icon icon-primary" />
-                      </span>{' '}
-                      <span>Helm</span>
-                    </span>
-                  </span>
-                </div>
-                <div className="text-muted text-xs">
-                  {selectedChart.description}
+                <div>
+                  <div className="text-2xl font-bold">{selectedChart.name}</div>
+                  <div className="small text-muted mt-1">
+                    {selectedChart.repo}
+                  </div>
                 </div>
+                <div className="text-xs mt-2">{selectedChart.description}</div>
               </div>
             </div>
           </div>

From a9061e525892b981013c1d0f85680374aa71f471 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Thu, 5 Jun 2025 13:13:45 +1200
Subject: [PATCH 137/212] feat(helm): enhance helm chart install [r8s-341]
 (#766)

---
 api/http/handler/helm/helm_show.go            |   7 +
 app/kubernetes/views/deploy/deploy.html       |  10 +-
 .../custom-template-selector.html             |   4 +-
 app/portainer/react/components/index.ts       |   1 +
 .../CodeEditor/CodeEditor.module.css          |   8 +-
 .../components/CodeEditor/CodeEditor.tsx      |  60 +++---
 .../CodeEditor/ShortcutsTooltip.tsx           |  52 +++++
 app/react/components/ExternalLink.tsx         |  32 +++
 app/react/components/WebEditorForm.tsx        |  60 +-----
 app/react/components/modals/Modal/Modal.tsx   |   3 +-
 .../DeployView/StackName/StackName.tsx        |   2 +-
 .../ChartActions/UpgradeButton.test.tsx       |  49 +++--
 .../ChartActions/UpgradeButton.tsx            | 154 ++++++++-------
 .../ChartActions/UpgradeHelmModal.tsx         | 156 ++++++++-------
 .../HelmTemplates/HelmInstallForm.test.tsx    | 174 ++++++++++++++++
 .../helm/HelmTemplates/HelmInstallForm.tsx    | 106 ++++++++++
 .../HelmTemplates/HelmInstallInnerForm.tsx    |  86 ++++++++
 .../helm/HelmTemplates/HelmTemplates.tsx      |  18 +-
 .../HelmTemplatesSelectedItem.test.tsx        |  86 +-------
 .../HelmTemplatesSelectedItem.tsx             | 185 +++---------------
 .../queries/useHelmChartInstall.ts            |  40 ----
 .../kubernetes/helm/HelmTemplates/types.ts    |   4 +
 .../helm/components/HelmValuesInput.tsx       |  80 ++++++++
 .../queries/useHelmChartValues.ts             |  22 ++-
 .../queries/useHelmRepositories.ts            |   2 +-
 .../queries/useUpdateHelmReleaseMutation.ts   |  11 +-
 app/react/kubernetes/helm/types.ts            |  11 ++
 pkg/libhelm/options/show_options.go           |   1 +
 pkg/libhelm/sdk/show.go                       |   2 +-
 29 files changed, 864 insertions(+), 562 deletions(-)
 create mode 100644 app/react/components/CodeEditor/ShortcutsTooltip.tsx
 create mode 100644 app/react/components/ExternalLink.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
 delete mode 100644 app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts
 create mode 100644 app/react/kubernetes/helm/HelmTemplates/types.ts
 create mode 100644 app/react/kubernetes/helm/components/HelmValuesInput.tsx
 rename app/react/kubernetes/helm/{HelmTemplates => }/queries/useHelmChartValues.ts (54%)
 rename app/react/kubernetes/helm/{HelmApplicationView => }/queries/useHelmRepositories.ts (97%)
 rename app/react/kubernetes/helm/{HelmApplicationView => }/queries/useUpdateHelmReleaseMutation.ts (84%)

diff --git a/api/http/handler/helm/helm_show.go b/api/http/handler/helm/helm_show.go
index 591c57922..f139827b8 100644
--- a/api/http/handler/helm/helm_show.go
+++ b/api/http/handler/helm/helm_show.go
@@ -20,6 +20,7 @@ import (
 // @tags helm
 // @param repo query string true "Helm repository URL"
 // @param chart query string true "Chart name"
+// @param version query string true "Chart version"
 // @param command path string true "chart/values/readme"
 // @security ApiKeyAuth
 // @security jwt
@@ -45,6 +46,11 @@ func (handler *Handler) helmShow(w http.ResponseWriter, r *http.Request) *httper
 		return httperror.BadRequest("Bad request", errors.New("missing `chart` query parameter"))
 	}
 
+	version, err := request.RetrieveQueryParameter(r, "version", true)
+	if err != nil {
+		return httperror.BadRequest("Bad request", errors.Wrap(err, fmt.Sprintf("provided version %q is not valid", version)))
+	}
+
 	cmd, err := request.RetrieveRouteVariableValue(r, "command")
 	if err != nil {
 		cmd = "all"
@@ -55,6 +61,7 @@ func (handler *Handler) helmShow(w http.ResponseWriter, r *http.Request) *httper
 		OutputFormat: options.ShowOutputFormat(cmd),
 		Chart:        chart,
 		Repo:         repo,
+		Version:      version,
 	}
 	result, err := handler.helmPackageManager.Show(showOptions)
 	if err != nil {
diff --git a/app/kubernetes/views/deploy/deploy.html b/app/kubernetes/views/deploy/deploy.html
index 5eda2d3a7..d57d0caa7 100644
--- a/app/kubernetes/views/deploy/deploy.html
+++ b/app/kubernetes/views/deploy/deploy.html
@@ -31,7 +31,7 @@
                     <portainer-tooltip message="'If you have defined namespaces in your deployment file turning this on will enforce the use of those only in the deployment'">
                     </portainer-tooltip>
                   </label>
-                  <div class="col-sm-8 vertical-center pt-1">
+                  <div class="col-sm-9 col-lg-10 vertical-center pt-1">
                     <label class="switch">
                       <input type="checkbox" name="toggle_logo" ng-model="ctrl.formValues.namespace_toggle" data-cy="use-namespce-from-menifest" />
                       <span class="slider round"></span>
@@ -41,7 +41,7 @@
 
                 <div class="form-group" ng-if="ctrl.formValues.Namespace">
                   <label for="target_node" class="col-lg-2 col-sm-3 control-label text-left">Namespace</label>
-                  <div class="col-sm-8">
+                  <div class="col-sm-9 col-lg-10">
                     <select
                       ng-if="!ctrl.formValues.namespace_toggle || ctrl.state.BuildMethod === ctrl.BuildMethods.HELM"
                       data-cy="namespace-select"
@@ -66,10 +66,10 @@
 
                 <div class="form-group">
                   <label for="name" class="col-lg-2 col-sm-3 control-label text-left" ng-class="{ required: ctrl.state.BuildMethod === ctrl.BuildMethods.HELM }">Name</label>
-                  <div class="col-sm-8 small text-muted pt-[7px]" ng-if="ctrl.state.BuildMethod !== ctrl.BuildMethods.HELM">
+                  <div class="col-sm-9 col-lg-10 small text-muted pt-[7px]" ng-if="ctrl.state.BuildMethod !== ctrl.BuildMethods.HELM">
                     Resource names specified in the manifest will be used
                   </div>
-                  <div class="col-sm-8" ng-if="ctrl.state.BuildMethod === ctrl.BuildMethods.HELM">
+                  <div class="col-sm-9 col-lg-10" ng-if="ctrl.state.BuildMethod === ctrl.BuildMethods.HELM">
                     <input
                       type="text"
                       data-cy="name-input"
@@ -170,7 +170,7 @@
                   </div>
                   <div class="form-group">
                     <label for="manifest_url" class="col-sm-3 col-lg-2 control-label required text-left">URL</label>
-                    <div class="col-sm-8">
+                    <div class="col-sm-9 col-lg-10">
                       <input
                         type="text"
                         data-cy="k8sAppDeploy-urlFileUrl"
diff --git a/app/portainer/components/custom-template-selector/custom-template-selector.html b/app/portainer/components/custom-template-selector/custom-template-selector.html
index ce05aa1ce..cde665d49 100644
--- a/app/portainer/components/custom-template-selector/custom-template-selector.html
+++ b/app/portainer/components/custom-template-selector/custom-template-selector.html
@@ -1,7 +1,7 @@
 <div>
   <div class="form-group pt-3">
     <label for="stack_template" class="col-sm-3 col-lg-2 control-label text-left"> Template </label>
-    <div class="col-sm-8 col-sm-8 flex flex-col gap-y-1">
+    <div class="col-sm-9 col-lg-10 flex flex-col gap-y-1">
       <select
         ng-if="$ctrl.templates.length"
         data-cy="custom-template-selector"
@@ -10,7 +10,7 @@
         ng-options="template.Id as template.label for template in $ctrl.templates"
         ng-change="$ctrl.handleChangeTemplate($ctrl.value)"
       >
-        <option value="" label="Select a Custom template" disabled selected="selected"> </option>
+        <option value="" label="Select a Custom Template" disabled selected="selected"> </option>
       </select>
       <span ng-if="$ctrl.isLoadFailed">
         <p class="text-warning mb-5 !inline-flex gap-1 !align-top text-xs" ng-if="ctrl.currentUser.isAdmin || ctrl.currentUser.id === ctrl.state.template.CreatedByUserId">
diff --git a/app/portainer/react/components/index.ts b/app/portainer/react/components/index.ts
index 8a9c1f589..4b1c03608 100644
--- a/app/portainer/react/components/index.ts
+++ b/app/portainer/react/components/index.ts
@@ -235,6 +235,7 @@ export const ngModule = angular
       'schema',
       'fileName',
       'placeholder',
+      'showToolbar',
     ])
   )
   .component(
diff --git a/app/react/components/CodeEditor/CodeEditor.module.css b/app/react/components/CodeEditor/CodeEditor.module.css
index 2bf9cae88..6a02d3ed5 100644
--- a/app/react/components/CodeEditor/CodeEditor.module.css
+++ b/app/react/components/CodeEditor/CodeEditor.module.css
@@ -141,9 +141,11 @@
 }
 
 .root :global(.cm-content[aria-readonly='true']) {
-  @apply bg-gray-3;
-  @apply th-dark:bg-gray-iron-10;
-  @apply th-highcontrast:bg-black;
+  /* make sure the bg has transparency, so that the selected text is visible */
+  /* https://discuss.codemirror.net/t/how-do-i-get-selected-text-to-highlight/7115/2 */
+  @apply bg-gray-3/50;
+  @apply th-dark:bg-gray-iron-10/50;
+  @apply th-highcontrast:bg-black/50;
 }
 
 .root :global(.cm-textfield) {
diff --git a/app/react/components/CodeEditor/CodeEditor.tsx b/app/react/components/CodeEditor/CodeEditor.tsx
index 3df9f4193..d841400f0 100644
--- a/app/react/components/CodeEditor/CodeEditor.tsx
+++ b/app/react/components/CodeEditor/CodeEditor.tsx
@@ -33,6 +33,7 @@ interface Props extends AutomationTestingProps {
   schema?: JSONSchema7;
   fileName?: string;
   placeholder?: string;
+  showToolbar?: boolean;
 }
 
 export const theme = createTheme({
@@ -75,6 +76,7 @@ export function CodeEditor({
   'data-cy': dataCy,
   fileName,
   placeholder,
+  showToolbar = true,
 }: Props) {
   const [isRollback, setIsRollback] = useState(false);
 
@@ -94,38 +96,40 @@ export function CodeEditor({
 
   return (
     <>
-      <div className="mb-2 flex flex-col">
-        <div className="flex items-center justify-between">
-          <div className="flex items-center">
-            {!!textTip && <TextTip color="blue">{textTip}</TextTip>}
+      {showToolbar && (
+        <div className="mb-2 flex flex-col">
+          <div className="flex items-center justify-between">
+            <div className="flex items-center">
+              {!!textTip && <TextTip color="blue">{textTip}</TextTip>}
+            </div>
+            {/* the copy button is in the file name header, when fileName is provided */}
+            {!fileName && (
+              <div className="flex-2 ml-auto mr-2 flex items-center gap-x-2">
+                <CopyButton
+                  data-cy={`copy-code-button-${id}`}
+                  fadeDelay={2500}
+                  copyText={value}
+                  color="link"
+                  className="!pr-0 !text-sm !font-medium hover:no-underline focus:no-underline"
+                  indicatorPosition="left"
+                >
+                  Copy
+                </CopyButton>
+              </div>
+            )}
           </div>
-          {/* the copy button is in the file name header, when fileName is provided */}
-          {!fileName && (
-            <div className="flex-2 ml-auto mr-2 flex items-center gap-x-2">
-              <CopyButton
-                data-cy={`copy-code-button-${id}`}
-                fadeDelay={2500}
-                copyText={value}
-                color="link"
-                className="!pr-0 !text-sm !font-medium hover:no-underline focus:no-underline"
-                indicatorPosition="left"
-              >
-                Copy
-              </CopyButton>
+          {versions && (
+            <div className="mt-2 flex">
+              <div className="ml-auto mr-2">
+                <StackVersionSelector
+                  versions={versions}
+                  onChange={handleVersionChange}
+                />
+              </div>
             </div>
           )}
         </div>
-        {versions && (
-          <div className="mt-2 flex">
-            <div className="ml-auto mr-2">
-              <StackVersionSelector
-                versions={versions}
-                onChange={handleVersionChange}
-              />
-            </div>
-          </div>
-        )}
-      </div>
+      )}
       <div className="overflow-hidden rounded-lg border border-solid border-gray-5 th-dark:border-gray-7 th-highcontrast:border-gray-2">
         {fileName && (
           <FileNameHeaderRow>
diff --git a/app/react/components/CodeEditor/ShortcutsTooltip.tsx b/app/react/components/CodeEditor/ShortcutsTooltip.tsx
new file mode 100644
index 000000000..e04cda2c8
--- /dev/null
+++ b/app/react/components/CodeEditor/ShortcutsTooltip.tsx
@@ -0,0 +1,52 @@
+import { BROWSER_OS_PLATFORM } from '@/react/constants';
+
+import { Tooltip } from '@@/Tip/Tooltip';
+
+const otherEditorConfig = {
+  tooltip: (
+    <>
+      <div>Ctrl+F - Start searching</div>
+      <div>Ctrl+G - Find next</div>
+      <div>Ctrl+Shift+G - Find previous</div>
+      <div>Ctrl+Shift+F - Replace</div>
+      <div>Ctrl+Shift+R - Replace all</div>
+      <div>Alt+G - Jump to line</div>
+      <div>Persistent search:</div>
+      <div className="ml-5">Enter - Find next</div>
+      <div className="ml-5">Shift+Enter - Find previous</div>
+    </>
+  ),
+  searchCmdLabel: 'Ctrl+F for search',
+} as const;
+
+export const editorConfig = {
+  mac: {
+    tooltip: (
+      <>
+        <div>Cmd+F - Start searching</div>
+        <div>Cmd+G - Find next</div>
+        <div>Cmd+Shift+G - Find previous</div>
+        <div>Cmd+Option+F - Replace</div>
+        <div>Cmd+Option+R - Replace all</div>
+        <div>Option+G - Jump to line</div>
+        <div>Persistent search:</div>
+        <div className="ml-5">Enter - Find next</div>
+        <div className="ml-5">Shift+Enter - Find previous</div>
+      </>
+    ),
+    searchCmdLabel: 'Cmd+F for search',
+  },
+
+  lin: otherEditorConfig,
+  win: otherEditorConfig,
+} as const;
+
+export function ShortcutsTooltip() {
+  return (
+    <div className="text-muted small vertical-center ml-auto">
+      {editorConfig[BROWSER_OS_PLATFORM].searchCmdLabel}
+
+      <Tooltip message={editorConfig[BROWSER_OS_PLATFORM].tooltip} />
+    </div>
+  );
+}
diff --git a/app/react/components/ExternalLink.tsx b/app/react/components/ExternalLink.tsx
new file mode 100644
index 000000000..ef16dcb66
--- /dev/null
+++ b/app/react/components/ExternalLink.tsx
@@ -0,0 +1,32 @@
+import { ExternalLink as ExternalLinkIcon } from 'lucide-react';
+import { PropsWithChildren } from 'react';
+import clsx from 'clsx';
+
+import { AutomationTestingProps } from '@/types';
+
+import { Icon } from '@@/Icon';
+
+interface Props {
+  to: string;
+  className?: string;
+}
+
+export function ExternalLink({
+  to,
+  className,
+  children,
+  'data-cy': dataCy,
+}: PropsWithChildren<Props & AutomationTestingProps>) {
+  return (
+    <a
+      href={to}
+      target="_blank"
+      rel="noreferrer"
+      data-cy={dataCy}
+      className={clsx('inline-flex items-center gap-1', className)}
+    >
+      <Icon icon={ExternalLinkIcon} />
+      <span>{children}</span>
+    </a>
+  );
+}
diff --git a/app/react/components/WebEditorForm.tsx b/app/react/components/WebEditorForm.tsx
index 75031a454..84c37c0df 100644
--- a/app/react/components/WebEditorForm.tsx
+++ b/app/react/components/WebEditorForm.tsx
@@ -8,55 +8,14 @@ import {
 import { useTransitionHook } from '@uirouter/react';
 import { JSONSchema7 } from 'json-schema';
 
-import { BROWSER_OS_PLATFORM } from '@/react/constants';
-
 import { CodeEditor } from '@@/CodeEditor';
-import { Tooltip } from '@@/Tip/Tooltip';
 
 import { FormSectionTitle } from './form-components/FormSectionTitle';
 import { FormError } from './form-components/FormError';
 import { confirm } from './modals/confirm';
 import { ModalType } from './modals';
 import { buildConfirmButton } from './modals/utils';
-
-const otherEditorConfig = {
-  tooltip: (
-    <>
-      <div>Ctrl+F - Start searching</div>
-      <div>Ctrl+G - Find next</div>
-      <div>Ctrl+Shift+G - Find previous</div>
-      <div>Ctrl+Shift+F - Replace</div>
-      <div>Ctrl+Shift+R - Replace all</div>
-      <div>Alt+G - Jump to line</div>
-      <div>Persistent search:</div>
-      <div className="ml-5">Enter - Find next</div>
-      <div className="ml-5">Shift+Enter - Find previous</div>
-    </>
-  ),
-  searchCmdLabel: 'Ctrl+F for search',
-} as const;
-
-export const editorConfig = {
-  mac: {
-    tooltip: (
-      <>
-        <div>Cmd+F - Start searching</div>
-        <div>Cmd+G - Find next</div>
-        <div>Cmd+Shift+G - Find previous</div>
-        <div>Cmd+Option+F - Replace</div>
-        <div>Cmd+Option+R - Replace all</div>
-        <div>Option+G - Jump to line</div>
-        <div>Persistent search:</div>
-        <div className="ml-5">Enter - Find next</div>
-        <div className="ml-5">Shift+Enter - Find previous</div>
-      </>
-    ),
-    searchCmdLabel: 'Cmd+F for search',
-  },
-
-  lin: otherEditorConfig,
-  win: otherEditorConfig,
-} as const;
+import { ShortcutsTooltip } from './CodeEditor/ShortcutsTooltip';
 
 type CodeEditorProps = ComponentProps<typeof CodeEditor>;
 
@@ -69,7 +28,7 @@ interface Props extends CodeEditorProps {
 
 export function WebEditorForm({
   id,
-  titleContent = '',
+  titleContent = 'Web editor',
   hideTitle,
   children,
   error,
@@ -81,10 +40,7 @@ export function WebEditorForm({
     <div>
       <div className="web-editor overflow-x-hidden">
         {!hideTitle && (
-          <>
-            <DefaultTitle id={id} />
-            {titleContent ?? null}
-          </>
+          <DefaultTitle id={id}>{titleContent ?? null}</DefaultTitle>
         )}
         {children && (
           <div className="form-group text-muted small">
@@ -111,15 +67,11 @@ export function WebEditorForm({
   );
 }
 
-function DefaultTitle({ id }: { id: string }) {
+function DefaultTitle({ id, children }: { id: string; children?: ReactNode }) {
   return (
     <FormSectionTitle htmlFor={id}>
-      Web editor
-      <div className="text-muted small vertical-center ml-auto">
-        {editorConfig[BROWSER_OS_PLATFORM].searchCmdLabel}
-
-        <Tooltip message={editorConfig[BROWSER_OS_PLATFORM].tooltip} />
-      </div>
+      {children}
+      <ShortcutsTooltip />
     </FormSectionTitle>
   );
 }
diff --git a/app/react/components/modals/Modal/Modal.tsx b/app/react/components/modals/Modal/Modal.tsx
index 0d1b0319c..e7527c148 100644
--- a/app/react/components/modals/Modal/Modal.tsx
+++ b/app/react/components/modals/Modal/Modal.tsx
@@ -21,7 +21,7 @@ interface Props {
   onDismiss?(): void;
   'aria-label'?: string;
   'aria-labelledby'?: string;
-  size?: 'md' | 'lg';
+  size?: 'md' | 'lg' | 'xl';
   className?: string;
 }
 
@@ -53,6 +53,7 @@ export function Modal({
             {
               'w-[450px]': size === 'md',
               'w-[700px]': size === 'lg',
+              'w-[1000px]': size === 'xl',
             }
           )}
         >
diff --git a/app/react/kubernetes/DeployView/StackName/StackName.tsx b/app/react/kubernetes/DeployView/StackName/StackName.tsx
index c6930a1e4..7c99dd07d 100644
--- a/app/react/kubernetes/DeployView/StackName/StackName.tsx
+++ b/app/react/kubernetes/DeployView/StackName/StackName.tsx
@@ -70,7 +70,7 @@ export function StackName({
           Stack
           <Tooltip message={tooltip} setHtmlMessage />
         </label>
-        <div className={inputClassName || 'col-sm-8'}>
+        <div className={inputClassName || 'col-sm-9 col-lg-10'}>
           <AutocompleteSelect
             searchResults={stackResults?.map((result) => ({
               value: result,
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
index 190fef7b1..8d037d251 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -4,11 +4,12 @@ import { vi } from 'vitest';
 
 import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
 import { withTestRouter } from '@/react/test-utils/withRouter';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
 
 import {
   useHelmRepoVersions,
   ChartVersion,
-} from '../queries/useHelmRepositories';
+} from '../../queries/useHelmRepositories';
 import { HelmRelease } from '../../types';
 
 import { openUpgradeHelmModal } from './UpgradeHelmModal';
@@ -25,17 +26,8 @@ vi.mock('@/portainer/services/notifications', () => ({
 }));
 
 // Mock the useHelmRepoVersions and useHelmRepositories hooks
-vi.mock('../queries/useHelmRepositories', () => ({
-  useHelmRepoVersions: vi.fn(() => ({
-    data: [
-      { Version: '1.0.0', Repo: 'stable' },
-      { Version: '1.1.0', Repo: 'stable' },
-    ],
-    isInitialLoading: false,
-    isError: false,
-    isFetching: false,
-    refetch: vi.fn(() => Promise.resolve([])),
-  })),
+vi.mock('../../queries/useHelmRepositories', () => ({
+  useHelmRepoVersions: vi.fn(),
   useHelmRepositories: vi.fn(() => ({
     data: ['repo1', 'repo2'],
     isInitialLoading: false,
@@ -43,6 +35,21 @@ vi.mock('../queries/useHelmRepositories', () => ({
   })),
 }));
 
+// Mock the useHelmRelease hook
+vi.mock('../queries/useHelmRelease', () => ({
+  useHelmRelease: vi.fn(() => ({
+    data: '1.0.0',
+  })),
+}));
+
+// Mock the useUpdateHelmReleaseMutation hook
+vi.mock('../../queries/useUpdateHelmReleaseMutation', () => ({
+  useUpdateHelmReleaseMutation: vi.fn(() => ({
+    mutate: vi.fn(),
+    isLoading: false,
+  })),
+}));
+
 function renderButton(props = {}) {
   const defaultProps = {
     environmentId: 1,
@@ -65,11 +72,27 @@ function renderButton(props = {}) {
     ...props,
   };
 
-  const Wrapped = withTestQueryProvider(withTestRouter(UpgradeButton));
+  const Wrapped = withTestQueryProvider(
+    withUserProvider(withTestRouter(UpgradeButton))
+  );
   return render(<Wrapped {...defaultProps} />);
 }
 
 describe('UpgradeButton', () => {
+  beforeEach(() => {
+    // Set up default mock return values
+    vi.mocked(useHelmRepoVersions).mockReturnValue({
+      data: [
+        { Version: '1.0.0', Repo: 'stable' },
+        { Version: '1.1.0', Repo: 'stable' },
+      ],
+      isInitialLoading: false,
+      isError: false,
+      isFetching: false,
+      refetch: vi.fn(() => Promise.resolve([])),
+    });
+  });
+
   test('should display the upgrade button', () => {
     renderButton();
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 2c32fb69d..3821b18d4 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -6,21 +6,17 @@ import { EnvironmentId } from '@/react/portainer/environments/types';
 import { notifySuccess } from '@/portainer/services/notifications';
 import { semverCompare } from '@/react/common/semver-utils';
 
-import { LoadingButton } from '@@/buttons';
+import { Button, LoadingButton } from '@@/buttons';
 import { InlineLoader } from '@@/InlineLoader';
 import { Tooltip } from '@@/Tip/Tooltip';
 import { Link } from '@@/Link';
 
-import { HelmRelease } from '../../types';
+import { HelmRelease, UpdateHelmReleasePayload } from '../../types';
+import { useUpdateHelmReleaseMutation } from '../../queries/useUpdateHelmReleaseMutation';
 import {
-  useUpdateHelmReleaseMutation,
-  UpdateHelmReleasePayload,
-} from '../queries/useUpdateHelmReleaseMutation';
-import {
-  ChartVersion,
   useHelmRepoVersions,
   useHelmRepositories,
-} from '../queries/useHelmRepositories';
+} from '../../queries/useHelmRepositories';
 import { useHelmRelease } from '../queries/useHelmRelease';
 
 import { openUpgradeHelmModal } from './UpgradeHelmModal';
@@ -39,10 +35,10 @@ export function UpgradeButton({
   updateRelease: (release: HelmRelease) => void;
 }) {
   const router = useRouter();
+  const [useCache, setUseCache] = useState(true);
   const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
 
   const repositoriesQuery = useHelmRepositories();
-  const [useCache, setUseCache] = useState(true);
   const helmRepoVersionsQuery = useHelmRepoVersions(
     release?.chart.metadata?.name || '',
     60 * 60 * 1000, // 1 hour
@@ -50,43 +46,42 @@ export function UpgradeButton({
     useCache
   );
   const versions = helmRepoVersionsQuery.data;
+  const repo = versions?.[0]?.Repo;
 
   // Combined loading state
   const isLoading =
-    repositoriesQuery.isInitialLoading || helmRepoVersionsQuery.isFetching;
+    repositoriesQuery.isInitialLoading || helmRepoVersionsQuery.isFetching; // use 'isFetching' for helmRepoVersionsQuery because we want to show when it's refetching
   const isError = repositoriesQuery.isError || helmRepoVersionsQuery.isError;
-
-  const latestVersion = useHelmRelease(environmentId, releaseName, namespace, {
-    select: (data) => data.chart.metadata?.version,
-  });
+  const latestVersionQuery = useHelmRelease(
+    environmentId,
+    releaseName,
+    namespace,
+    {
+      select: (data) => data.chart.metadata?.version,
+    }
+  );
   const latestVersionAvailable = versions[0]?.Version ?? '';
   const isNewVersionAvailable = Boolean(
-    latestVersion?.data &&
-      semverCompare(latestVersionAvailable, latestVersion?.data) === 1
+    latestVersionQuery?.data &&
+      semverCompare(latestVersionAvailable, latestVersionQuery?.data) === 1
   );
+  const currentVersion = release?.chart.metadata?.version;
 
   const editableHelmRelease: UpdateHelmReleasePayload = {
     name: releaseName,
     namespace: namespace || '',
     values: release?.values?.userSuppliedValues,
     chart: release?.chart.metadata?.name || '',
-    version: release?.chart.metadata?.version,
+    version: currentVersion,
+    repo,
   };
 
-  function handleRefreshVersions() {
-    if (!useCache) {
-      helmRepoVersionsQuery.refetch();
-    } else {
-      setUseCache(false);
-    }
-  }
-
   return (
     <div className="relative">
       <LoadingButton
         color="secondary"
         data-cy="k8sApp-upgradeHelmChartButton"
-        onClick={() => openUpgradeForm(versions, release)}
+        onClick={handleUpgrade}
         disabled={
           versions.length === 0 ||
           isLoading ||
@@ -133,68 +128,75 @@ export function UpgradeButton({
               }
             />
           )}
-          <button
+          <Button
+            data-cy="k8sApp-refreshHelmChartVersionsButton"
+            color="link"
+            size="xsmall"
             onClick={handleRefreshVersions}
-            className="text-primary hover:text-primary-light cursor-pointer bg-transparent border-0 pl-1 p-0"
             type="button"
           >
-            Refresh versions
-          </button>
+            Refresh
+          </Button>
         </span>
       )}
     </div>
   );
 
-  async function openUpgradeForm(
-    versions: ChartVersion[],
-    release?: HelmRelease
-  ) {
-    const result = await openUpgradeHelmModal(editableHelmRelease, versions);
-
-    if (result) {
-      handleUpgrade(result, release);
+  function handleRefreshVersions() {
+    if (useCache) {
+      // clicking 'refresh versions' should get the latest versions from the repo, not the cached versions
+      setUseCache(false);
     }
+    helmRepoVersionsQuery.refetch();
   }
 
-  function handleUpgrade(
-    payload: UpdateHelmReleasePayload,
-    release?: HelmRelease
-  ) {
-    if (release?.info) {
-      const updatedRelease = {
-        ...release,
-        info: {
-          ...release.info,
-          status: 'pending-upgrade',
-          description: 'Preparing upgrade',
+  async function handleUpgrade() {
+    const submittedUpgradeValues = await openUpgradeHelmModal(
+      editableHelmRelease,
+      versions
+    );
+
+    if (submittedUpgradeValues) {
+      upgrade(submittedUpgradeValues, release);
+    }
+
+    function upgrade(payload: UpdateHelmReleasePayload, release?: HelmRelease) {
+      if (release?.info) {
+        const updatedRelease = {
+          ...release,
+          info: {
+            ...release.info,
+            status: 'pending-upgrade',
+            description: 'Preparing upgrade',
+          },
+        };
+        updateRelease(updatedRelease);
+      }
+      updateHelmReleaseMutation.mutate(payload, {
+        onSuccess: () => {
+          notifySuccess('Success', 'Helm chart upgraded successfully');
+          // set the revision url param to undefined to refresh the page at the latest revision
+          router.stateService.go('kubernetes.helm', {
+            namespace,
+            name: releaseName,
+            revision: undefined,
+          });
         },
-      };
-      updateRelease(updatedRelease);
+      });
     }
-    updateHelmReleaseMutation.mutate(payload, {
-      onSuccess: () => {
-        notifySuccess('Success', 'Helm chart upgraded successfully');
-        // set the revision url param to undefined to refresh the page at the latest revision
-        router.stateService.go('kubernetes.helm', {
-          namespace,
-          name: releaseName,
-          revision: undefined,
-        });
-      },
-    });
-  }
-
-  function getStatusMessage(
-    hasNoAvailableVersions: boolean,
-    latestVersionAvailable: string,
-    isNewVersionAvailable: boolean
-  ): string {
-    if (hasNoAvailableVersions) {
-      return 'No versions available ';
-    }
-    if (isNewVersionAvailable) {
-      return `New version available (${latestVersionAvailable}) `;
-    }
-    return '';
   }
 }
+
+function getStatusMessage(
+  hasNoAvailableVersions: boolean,
+  latestVersionAvailable: string,
+  isNewVersionAvailable: boolean
+) {
+  if (hasNoAvailableVersions) {
+    return 'No versions available ';
+  }
+  if (isNewVersionAvailable) {
+    return `New version available (${latestVersionAvailable}) `;
+  }
+  return 'Latest version installed';
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
index 8dba31e38..e1b1ba5e2 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
@@ -3,26 +3,35 @@ import { ArrowUp } from 'lucide-react';
 
 import { withReactQuery } from '@/react-tools/withReactQuery';
 import { withCurrentUser } from '@/react-tools/withCurrentUser';
+import { ChartVersion } from '@/react/kubernetes/helm/queries/useHelmRepositories';
 
 import { Modal, OnSubmit, openModal } from '@@/modals';
 import { Button } from '@@/buttons';
-import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
 import { Input } from '@@/form-components/Input';
-import { CodeEditor } from '@@/CodeEditor';
 import { FormControl } from '@@/form-components/FormControl';
 import { WidgetTitle } from '@@/Widget';
 import { Checkbox } from '@@/form-components/Checkbox';
+import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
 
-import { UpdateHelmReleasePayload } from '../queries/useUpdateHelmReleaseMutation';
-import { ChartVersion } from '../queries/useHelmRepositories';
+import { UpdateHelmReleasePayload } from '../../types';
+import { HelmValuesInput } from '../../components/HelmValuesInput';
+import { useHelmChartValues } from '../../queries/useHelmChartValues';
 
 interface Props {
   onSubmit: OnSubmit<UpdateHelmReleasePayload>;
   values: UpdateHelmReleasePayload;
   versions: ChartVersion[];
+  chartName: string;
+  repo: string;
 }
 
-export function UpgradeHelmModal({ values, versions, onSubmit }: Props) {
+export function UpgradeHelmModal({
+  values,
+  versions,
+  onSubmit,
+  chartName,
+  repo,
+}: Props) {
   const versionOptions: Option<ChartVersion>[] = versions.map((version) => {
     const isCurrentVersion = version.Version === values.version;
     const label = `${version.Repo}@${version.Version}${
@@ -38,11 +47,18 @@ export function UpgradeHelmModal({ values, versions, onSubmit }: Props) {
     versionOptions[0]?.value;
   const [version, setVersion] = useState<ChartVersion>(defaultVersion);
   const [userValues, setUserValues] = useState<string>(values.values || '');
-  const [atomic, setAtomic] = useState<boolean>(false);
+  const [atomic, setAtomic] = useState<boolean>(true);
+
+  const chartValuesRefQuery = useHelmChartValues({
+    chart: chartName,
+    repo,
+    version: version.Version,
+  });
+
   return (
     <Modal
       onDismiss={() => onSubmit()}
-      size="lg"
+      size="xl"
       className="flex flex-col h-[80vh] px-0"
       aria-label="upgrade-helm"
     >
@@ -51,73 +67,65 @@ export function UpgradeHelmModal({ values, versions, onSubmit }: Props) {
       />
       <div className="flex-1 overflow-y-auto px-5">
         <Modal.Body>
-          <FormControl label="Version" inputId="version-input" size="vertical">
-            <PortainerSelect<ChartVersion>
-              value={version}
-              options={versionOptions}
-              onChange={(version) => {
-                if (version) {
-                  setVersion(version);
-                }
-              }}
-              data-cy="helm-version-input"
+          <div className="form-horizontal">
+            <FormControl
+              label="Release name"
+              inputId="release-name-input"
+              size="medium"
+            >
+              <Input
+                id="release-name-input"
+                value={values.name}
+                readOnly
+                disabled
+                data-cy="helm-release-name-input"
+              />
+            </FormControl>
+            <FormControl
+              label="Namespace"
+              inputId="namespace-input"
+              size="medium"
+            >
+              <Input
+                id="namespace-input"
+                value={values.namespace}
+                readOnly
+                disabled
+                data-cy="helm-namespace-input"
+              />
+            </FormControl>
+            <FormControl label="Version" inputId="version-input" size="medium">
+              <PortainerSelect<ChartVersion>
+                value={version}
+                options={versionOptions}
+                onChange={(version) => {
+                  if (version) {
+                    setVersion(version);
+                  }
+                }}
+                data-cy="helm-version-input"
+              />
+            </FormControl>
+            <FormControl
+              label="Rollback on failure"
+              tooltip="Enables automatic rollback on failure (equivalent to the helm --atomic flag). It may increase the time to upgrade."
+              inputId="atomic-input"
+              size="medium"
+            >
+              <Checkbox
+                id="atomic-input"
+                checked={atomic}
+                data-cy="atomic-checkbox"
+                onChange={(e) => setAtomic(e.target.checked)}
+              />
+            </FormControl>
+            <HelmValuesInput
+              values={userValues}
+              setValues={setUserValues}
+              valuesRef={chartValuesRefQuery.data?.values ?? ''}
+              isValuesRefLoading={chartValuesRefQuery.isInitialLoading}
             />
-          </FormControl>
-          <FormControl
-            label="Release name"
-            inputId="release-name-input"
-            size="vertical"
-          >
-            <Input
-              id="release-name-input"
-              value={values.name}
-              readOnly
-              disabled
-              data-cy="helm-release-name-input"
-            />
-          </FormControl>
-          <FormControl
-            label="Namespace"
-            inputId="namespace-input"
-            size="vertical"
-          >
-            <Input
-              id="namespace-input"
-              value={values.namespace}
-              readOnly
-              disabled
-              data-cy="helm-namespace-input"
-            />
-          </FormControl>
-          <FormControl
-            label="Rollback on failure"
-            tooltip="Enables automatic rollback on failure (equivalent to the helm --atomic flag). It may increase the time to upgrade."
-            inputId="atomic-input"
-            className="[&>label]:!pl-0"
-            size="medium"
-          >
-            <Checkbox
-              id="atomic-input"
-              checked={atomic}
-              data-cy="atomic-checkbox"
-              onChange={(e) => setAtomic(e.target.checked)}
-            />
-          </FormControl>
-          <FormControl
-            label="User-defined values"
-            inputId="user-values-editor"
-            size="vertical"
-          >
-            <CodeEditor
-              id="user-values-editor"
-              value={userValues}
-              onChange={(value) => setUserValues(value)}
-              height="50vh"
-              type="yaml"
-              data-cy="helm-user-values-editor"
-              placeholder="Define or paste the content of your values yaml file here"
-            />
-          </FormControl>
+          </div>
         </Modal.Body>
       </div>
       <div className="px-5 border-solid border-0 border-t border-gray-5 th-dark:border-gray-7 th-highcontrast:border-white">
@@ -163,5 +171,7 @@ export async function openUpgradeHelmModal(
   return openModal(withReactQuery(withCurrentUser(UpgradeHelmModal)), {
     values,
     versions,
+    chartName: values.chart,
+    repo: values.repo ?? '',
   });
 }
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
new file mode 100644
index 000000000..a2d6613a1
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
@@ -0,0 +1,174 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi } from 'vitest';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+
+import { Chart } from '../types';
+
+import { HelmInstallForm } from './HelmInstallForm';
+
+const mockMutate = vi.fn();
+const mockNotifySuccess = vi.fn();
+const mockTrackEvent = vi.fn();
+const mockRouterGo = vi.fn();
+
+// Mock the router hook to provide endpointId
+vi.mock('@uirouter/react', async (importOriginal: () => Promise<object>) => ({
+  ...(await importOriginal()),
+  useCurrentStateAndParams: vi.fn(() => ({
+    params: { endpointId: '1' },
+  })),
+  useRouter: vi.fn(() => ({
+    stateService: {
+      go: vi.fn((...args) => mockRouterGo(...args)),
+    },
+  })),
+}));
+
+// Mock dependencies
+vi.mock('@/portainer/services/notifications', () => ({
+  notifySuccess: vi.fn((title: string, text: string) =>
+    mockNotifySuccess(title, text)
+  ),
+}));
+
+vi.mock('../queries/useUpdateHelmReleaseMutation', () => ({
+  useUpdateHelmReleaseMutation: vi.fn(() => ({
+    mutateAsync: vi.fn((...args) => mockMutate(...args)),
+    isLoading: false,
+  })),
+}));
+
+vi.mock('../queries/useHelmRepositories', () => ({
+  useHelmRepoVersions: vi.fn(() => ({
+    data: [
+      { Version: '1.0.0', AppVersion: '1.0.0' },
+      { Version: '0.9.0', AppVersion: '0.9.0' },
+    ],
+    isInitialLoading: false,
+  })),
+}));
+
+vi.mock('./queries/useHelmChartValues', () => ({
+  useHelmChartValues: vi.fn().mockReturnValue({
+    data: { values: 'test-values' },
+    isInitialLoading: false,
+  }),
+}));
+
+vi.mock('@/react/hooks/useAnalytics', () => ({
+  useAnalytics: vi.fn().mockReturnValue({
+    trackEvent: vi.fn((...args) => mockTrackEvent(...args)),
+  }),
+}));
+
+// Sample test data
+const mockChart: Chart = {
+  name: 'test-chart',
+  description: 'Test Chart Description',
+  repo: 'https://example.com',
+  icon: 'test-icon-url',
+  annotations: {
+    category: 'database',
+  },
+};
+
+const mockRouterStateService = {
+  go: vi.fn(),
+};
+
+function renderComponent({
+  selectedChart = mockChart,
+  namespace = 'test-namespace',
+  name = 'test-name',
+  isAdmin = true,
+} = {}) {
+  const user = new UserViewModel({ Username: 'user', Role: isAdmin ? 1 : 2 });
+
+  const Wrapped = withTestQueryProvider(
+    withUserProvider(
+      withTestRouter(() => (
+        <HelmInstallForm
+          selectedChart={selectedChart}
+          namespace={namespace}
+          name={name}
+        />
+      )),
+      user
+    )
+  );
+
+  return {
+    ...render(<Wrapped />),
+    user,
+    mockRouterStateService,
+  };
+}
+
+describe('HelmInstallForm', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('should render the form with version selector and values editor', async () => {
+    renderComponent();
+
+    expect(screen.getByText('Version')).toBeInTheDocument();
+    expect(screen.getByText('Install')).toBeInTheDocument();
+  });
+
+  it('should install helm chart when install button is clicked', async () => {
+    const user = userEvent.setup();
+    renderComponent();
+
+    const installButton = screen.getByText('Install');
+    await user.click(installButton);
+
+    // Check mutate was called with correct values
+    expect(mockMutate).toHaveBeenCalledWith(
+      expect.objectContaining({
+        name: 'test-name',
+        repo: 'https://example.com',
+        chart: 'test-chart',
+        values: '',
+        namespace: 'test-namespace',
+        version: '1.0.0',
+      }),
+      expect.objectContaining({ onSuccess: expect.any(Function) })
+    );
+  });
+
+  it('should disable install button when namespace or name is undefined', () => {
+    renderComponent({ namespace: '' });
+    expect(screen.getByText('Install')).toBeDisabled();
+  });
+
+  it('should call success handlers when installation succeeds', async () => {
+    const user = userEvent.setup();
+    renderComponent();
+
+    const installButton = screen.getByText('Install');
+    await user.click(installButton);
+
+    // Get the onSuccess callback and call it
+    const onSuccessCallback = mockMutate.mock.calls[0][1].onSuccess;
+    onSuccessCallback();
+
+    // Check that success handlers were called
+    expect(mockTrackEvent).toHaveBeenCalledWith('kubernetes-helm-install', {
+      category: 'kubernetes',
+      metadata: {
+        'chart-name': 'test-chart',
+      },
+    });
+    expect(mockNotifySuccess).toHaveBeenCalledWith(
+      'Success',
+      'Helm chart successfully installed'
+    );
+    expect(mockRouterGo).toHaveBeenCalledWith('kubernetes.applications');
+  });
+});
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
new file mode 100644
index 000000000..ba723b1c6
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
@@ -0,0 +1,106 @@
+import { useRef } from 'react';
+import { Formik, FormikProps } from 'formik';
+import { useRouter } from '@uirouter/react';
+
+import { notifySuccess } from '@/portainer/services/notifications';
+import { useAnalytics } from '@/react/hooks/useAnalytics';
+import { useCanExit } from '@/react/hooks/useCanExit';
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+
+import { confirmGenericDiscard } from '@@/modals/confirm';
+import { Option } from '@@/form-components/PortainerSelect';
+
+import { Chart } from '../types';
+import {
+  ChartVersion,
+  useHelmRepoVersions,
+} from '../queries/useHelmRepositories';
+import { useUpdateHelmReleaseMutation } from '../queries/useUpdateHelmReleaseMutation';
+
+import { HelmInstallInnerForm } from './HelmInstallInnerForm';
+import { HelmInstallFormValues } from './types';
+
+type Props = {
+  selectedChart: Chart;
+  namespace?: string;
+  name?: string;
+};
+
+export function HelmInstallForm({ selectedChart, namespace, name }: Props) {
+  const environmentId = useEnvironmentId();
+  const router = useRouter();
+  const analytics = useAnalytics();
+  const helmRepoVersionsQuery = useHelmRepoVersions(
+    selectedChart.name,
+    60 * 60 * 1000, // 1 hour
+    [selectedChart.repo],
+    false
+  );
+  const versions = helmRepoVersionsQuery.data;
+  const versionOptions: Option<ChartVersion>[] = versions.map(
+    (version, index) => ({
+      label: index === 0 ? `${version.Version} (latest)` : version.Version,
+      value: version,
+    })
+  );
+  const defaultVersion = versionOptions[0]?.value;
+  const initialValues: HelmInstallFormValues = {
+    values: '',
+    version: defaultVersion?.Version ?? '',
+  };
+
+  const installHelmChartMutation = useUpdateHelmReleaseMutation(environmentId);
+
+  const formikRef = useRef<FormikProps<HelmInstallFormValues>>(null);
+  useCanExit(() => !formikRef.current?.dirty || confirmGenericDiscard());
+
+  return (
+    <Formik
+      innerRef={formikRef}
+      initialValues={initialValues}
+      enableReinitialize
+      onSubmit={handleSubmit}
+    >
+      <HelmInstallInnerForm
+        selectedChart={selectedChart}
+        namespace={namespace}
+        name={name}
+        versionOptions={versionOptions}
+        isLoadingVersions={helmRepoVersionsQuery.isInitialLoading}
+      />
+    </Formik>
+  );
+
+  async function handleSubmit(values: HelmInstallFormValues) {
+    if (!name || !namespace) {
+      // Theoretically this should never happen and is mainly to keep typescript happy
+      return;
+    }
+
+    await installHelmChartMutation.mutateAsync(
+      {
+        name,
+        repo: selectedChart.repo,
+        chart: selectedChart.name,
+        values: values.values,
+        namespace,
+        version: values.version,
+      },
+      {
+        onSuccess() {
+          analytics.trackEvent('kubernetes-helm-install', {
+            category: 'kubernetes',
+            metadata: {
+              'chart-name': selectedChart.name,
+            },
+          });
+          notifySuccess('Success', 'Helm chart successfully installed');
+
+          // Reset the form so page can be navigated away from without getting "Are you sure?"
+          formikRef.current?.resetForm();
+          router.stateService.go('kubernetes.applications');
+        },
+      }
+    );
+  }
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
new file mode 100644
index 000000000..0f1a35488
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
@@ -0,0 +1,86 @@
+import { Form, useFormikContext } from 'formik';
+import { useMemo } from 'react';
+
+import { FormActions } from '@@/form-components/FormActions';
+import { FormControl } from '@@/form-components/FormControl';
+import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
+import { FormSection } from '@@/form-components/FormSection';
+
+import { ChartVersion } from '../queries/useHelmRepositories';
+import { Chart } from '../types';
+import { useHelmChartValues } from '../queries/useHelmChartValues';
+import { HelmValuesInput } from '../components/HelmValuesInput';
+
+import { HelmInstallFormValues } from './types';
+
+type Props = {
+  selectedChart: Chart;
+  namespace?: string;
+  name?: string;
+  versionOptions: Option<ChartVersion>[];
+  isLoadingVersions: boolean;
+};
+
+export function HelmInstallInnerForm({
+  selectedChart,
+  namespace,
+  name,
+  versionOptions,
+  isLoadingVersions,
+}: Props) {
+  const { values, setFieldValue, isSubmitting } =
+    useFormikContext<HelmInstallFormValues>();
+
+  const chartValuesRefQuery = useHelmChartValues({
+    chart: selectedChart.name,
+    repo: selectedChart.repo,
+    version: values?.version,
+  });
+
+  const selectedVersion = useMemo(
+    () =>
+      versionOptions.find((v) => v.value.Version === values.version)?.value ??
+      versionOptions[0]?.value,
+    [versionOptions, values.version]
+  );
+
+  return (
+    <Form className="form-horizontal">
+      <div className="form-group !m-0">
+        <FormSection title="Configuration" className="mt-4">
+          <FormControl
+            label="Version"
+            inputId="version-input"
+            isLoading={isLoadingVersions}
+            loadingText="Loading versions..."
+          >
+            <PortainerSelect<ChartVersion>
+              value={selectedVersion}
+              options={versionOptions}
+              onChange={(version) => {
+                if (version) {
+                  setFieldValue('version', version.Version);
+                }
+              }}
+              data-cy="helm-version-input"
+            />
+          </FormControl>
+          <HelmValuesInput
+            values={values.values}
+            setValues={(values) => setFieldValue('values', values)}
+            valuesRef={chartValuesRefQuery.data?.values ?? ''}
+            isValuesRefLoading={chartValuesRefQuery.isInitialLoading}
+          />
+        </FormSection>
+      </div>
+
+      <FormActions
+        submitLabel="Install"
+        loadingText="Installing Helm chart"
+        isLoading={isSubmitting}
+        isValid={!!namespace && !!name}
+        data-cy="helm-install"
+      />
+    </Form>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
index 5fb88d64c..24a5420b3 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
@@ -10,6 +10,7 @@ import {
 
 import { HelmTemplatesList } from './HelmTemplatesList';
 import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
+import { HelmInstallForm } from './HelmInstallForm';
 
 interface Props {
   onSelectHelmChart: (chartName: string) => void;
@@ -37,12 +38,17 @@ export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
     <div className="row">
       <div className="col-sm-12 p-0">
         {selectedChart ? (
-          <HelmTemplatesSelectedItem
-            selectedChart={selectedChart}
-            clearHelmChart={clearHelmChart}
-            namespace={namespace}
-            name={name}
-          />
+          <>
+            <HelmTemplatesSelectedItem
+              selectedChart={selectedChart}
+              clearHelmChart={clearHelmChart}
+            />
+            <HelmInstallForm
+              selectedChart={selectedChart}
+              namespace={namespace}
+              name={name}
+            />
+          </>
         ) : (
           <HelmTemplatesList
             charts={chartListQuery.data}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
index f7328cc4d..1a2cbb69f 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
@@ -1,6 +1,4 @@
 import { render, screen } from '@testing-library/react';
-import userEvent from '@testing-library/user-event';
-import { MutationOptions } from '@tanstack/react-query';
 import { vi } from 'vitest';
 
 import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
@@ -12,36 +10,6 @@ import { Chart } from '../types';
 
 import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
 
-const mockMutate = vi.fn();
-const mockNotifySuccess = vi.fn();
-
-// Mock dependencies
-vi.mock('@/portainer/services/notifications', () => ({
-  notifySuccess: (title: string, text: string) =>
-    mockNotifySuccess(title, text),
-}));
-
-vi.mock('./queries/useHelmChartValues', () => ({
-  useHelmChartValues: vi.fn().mockReturnValue({
-    data: { values: 'test-values' },
-    isLoading: false,
-  }),
-}));
-
-vi.mock('./queries/useHelmChartInstall', () => ({
-  useHelmChartInstall: vi.fn().mockReturnValue({
-    mutate: (params: Record<string, string>, options?: MutationOptions) =>
-      mockMutate(params, options),
-    isLoading: false,
-  }),
-}));
-
-vi.mock('@/react/hooks/useAnalytics', () => ({
-  useAnalytics: vi.fn().mockReturnValue({
-    trackEvent: vi.fn(),
-  }),
-}));
-
 // Sample test data
 const mockChart: Chart = {
   name: 'test-chart',
@@ -58,22 +26,15 @@ const mockRouterStateService = {
   go: vi.fn(),
 };
 
-function renderComponent({
-  selectedChart = mockChart,
-  clearHelmChart = clearHelmChartMock,
-  namespace = 'test-namespace',
-  name = 'test-name',
-} = {}) {
-  const user = new UserViewModel({ Username: 'user' });
+function renderComponent({ selectedChart = mockChart, isAdmin = true } = {}) {
+  const user = new UserViewModel({ Username: 'user', Role: isAdmin ? 1 : 2 });
 
   const Wrapped = withTestQueryProvider(
     withUserProvider(
       withTestRouter(() => (
         <HelmTemplatesSelectedItem
           selectedChart={selectedChart}
-          clearHelmChart={clearHelmChart}
-          namespace={namespace}
-          name={name}
+          clearHelmChart={clearHelmChartMock}
         />
       )),
       user
@@ -101,45 +62,4 @@ describe('HelmTemplatesSelectedItem', () => {
     expect(screen.getByText('Clear selection')).toBeInTheDocument();
     expect(screen.getByText('https://example.com')).toBeInTheDocument();
   });
-
-  it('should toggle custom values editor', async () => {
-    renderComponent();
-    const user = userEvent.setup();
-
-    // Verify editor is visible by default
-    expect(screen.getByTestId('helm-app-creation-editor')).toBeInTheDocument();
-
-    // Now hide the editor
-    await user.click(await screen.findByText('Custom values'));
-
-    // Editor should be hidden
-    expect(
-      screen.queryByTestId('helm-app-creation-editor')
-    ).not.toBeInTheDocument();
-  });
-
-  it('should install helm chart and navigate when install button is clicked', async () => {
-    const user = userEvent.setup();
-    renderComponent();
-
-    // Click install button
-    await user.click(screen.getByText('Install'));
-
-    // Check mutate was called with correct values
-    expect(mockMutate).toHaveBeenCalledWith(
-      expect.objectContaining({
-        Name: 'test-name',
-        Repo: 'https://example.com',
-        Chart: 'test-chart',
-        Values: 'test-values',
-        Namespace: 'test-namespace',
-      }),
-      expect.objectContaining({ onSuccess: expect.any(Function) })
-    );
-  });
-
-  it('should disable install button when namespace or name is undefined', () => {
-    renderComponent({ namespace: '' });
-    expect(screen.getByText('Install')).toBeDisabled();
-  });
 });
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
index 837659fcd..d6685f3c6 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
@@ -1,183 +1,58 @@
-import { useRef } from 'react';
 import { X } from 'lucide-react';
-import { Form, Formik, FormikProps } from 'formik';
-import { useRouter } from '@uirouter/react';
-
-import { notifySuccess } from '@/portainer/services/notifications';
-import { useAnalytics } from '@/react/hooks/useAnalytics';
-import { useCanExit } from '@/react/hooks/useCanExit';
 
 import { Widget } from '@@/Widget';
 import { Button } from '@@/buttons/Button';
 import { FallbackImage } from '@@/FallbackImage';
 import { Icon } from '@@/Icon';
-import { WebEditorForm } from '@@/WebEditorForm';
-import { confirmGenericDiscard } from '@@/modals/confirm';
-import { FormSection } from '@@/form-components/FormSection';
-import { InlineLoader } from '@@/InlineLoader';
-import { FormActions } from '@@/form-components/FormActions';
 
 import { Chart } from '../types';
 
-import { useHelmChartValues } from './queries/useHelmChartValues';
 import { HelmIcon } from './HelmIcon';
-import { useHelmChartInstall } from './queries/useHelmChartInstall';
 
 type Props = {
   selectedChart: Chart;
   clearHelmChart: () => void;
-  namespace?: string;
-  name?: string;
-};
-
-type FormValues = {
-  values: string;
-};
-
-const emptyValues: FormValues = {
-  values: '',
 };
 
 export function HelmTemplatesSelectedItem({
   selectedChart,
   clearHelmChart,
-  namespace,
-  name,
 }: Props) {
-  const router = useRouter();
-  const analytics = useAnalytics();
-
-  const { mutate: installHelmChart, isLoading: isInstalling } =
-    useHelmChartInstall();
-  const { data: initialValues, isLoading: loadingValues } =
-    useHelmChartValues(selectedChart);
-
-  const formikRef = useRef<FormikProps<FormValues>>(null);
-  useCanExit(() => !formikRef.current?.dirty || confirmGenericDiscard());
-
-  function handleSubmit(values: FormValues) {
-    if (!name || !namespace) {
-      // Theoretically this should never happen and is mainly to keep typescript happy
-      return;
-    }
-
-    installHelmChart(
-      {
-        Name: name,
-        Repo: selectedChart.repo,
-        Chart: selectedChart.name,
-        Values: values.values,
-        Namespace: namespace,
-      },
-      {
-        onSuccess() {
-          analytics.trackEvent('kubernetes-helm-install', {
-            category: 'kubernetes',
-            metadata: {
-              'chart-name': selectedChart.name,
-            },
-          });
-          notifySuccess('Success', 'Helm chart successfully installed');
-
-          // Reset the form so page can be navigated away from without getting "Are you sure?"
-          formikRef.current?.resetForm();
-          router.stateService.go('kubernetes.applications');
-        },
-      }
-    );
-  }
-
   return (
-    <>
-      <Widget>
-        <div className="flex">
-          <div className="basis-3/4 rounded-[8px] m-2 bg-gray-4 th-highcontrast:bg-black th-highcontrast:text-white th-dark:bg-gray-iron-10 th-dark:text-white">
-            <div className="vertical-center p-5">
-              <FallbackImage
-                src={selectedChart.icon}
-                fallbackIcon={HelmIcon}
-                className="h-16 w-16"
-              />
-              <div className="col-sm-12">
-                <div>
-                  <div className="text-2xl font-bold">{selectedChart.name}</div>
-                  <div className="small text-muted mt-1">
-                    {selectedChart.repo}
-                  </div>
+    <Widget>
+      <div className="flex">
+        <div className="basis-3/4 rounded-lg m-2 bg-gray-4 th-highcontrast:bg-black th-highcontrast:text-white th-dark:bg-gray-iron-10 th-dark:text-white">
+          <div className="vertical-center p-5">
+            <FallbackImage
+              src={selectedChart.icon}
+              fallbackIcon={HelmIcon}
+              className="h-16 w-16"
+            />
+            <div className="col-sm-12">
+              <div>
+                <div className="text-2xl font-bold">{selectedChart.name}</div>
+                <div className="small text-muted mt-1">
+                  {selectedChart.repo}
                 </div>
-                <div className="text-xs mt-2">{selectedChart.description}</div>
               </div>
-            </div>
-          </div>
-          <div className="basis-1/4">
-            <div className="h-full w-full vertical-center justify-end pr-5">
-              <Button
-                color="link"
-                className="!text-gray-8 hover:no-underline th-highcontrast:!text-white th-dark:!text-white"
-                onClick={clearHelmChart}
-                data-cy="clear-selection"
-              >
-                Clear selection
-                <Icon icon={X} className="ml-1" />
-              </Button>
+              <div className="text-xs mt-2">{selectedChart.description}</div>
             </div>
           </div>
         </div>
-      </Widget>
-      <Formik
-        innerRef={formikRef}
-        initialValues={initialValues ?? emptyValues}
-        enableReinitialize
-        onSubmit={(values) => handleSubmit(values)}
-      >
-        {({ values, setFieldValue }) => (
-          <Form className="form-horizontal">
-            <div className="form-group !m-0">
-              <FormSection
-                title="Custom values"
-                isFoldable
-                defaultFolded={false}
-                className="mt-4"
-              >
-                {loadingValues && (
-                  <div className="col-sm-12 p-0">
-                    <InlineLoader>Loading values.yaml...</InlineLoader>
-                  </div>
-                )}
-                {!!initialValues && (
-                  <WebEditorForm
-                    id="helm-app-creation-editor"
-                    value={values.values}
-                    onChange={(value) => setFieldValue('values', value)}
-                    type="yaml"
-                    data-cy="helm-app-creation-editor"
-                    textTip="Define or paste the content of your values yaml file here"
-                  >
-                    You can get more information about Helm values file format
-                    in the{' '}
-                    <a
-                      href="https://helm.sh/docs/chart_template_guide/values_files/"
-                      target="_blank"
-                      rel="noreferrer"
-                    >
-                      official documentation
-                    </a>
-                    .
-                  </WebEditorForm>
-                )}
-              </FormSection>
-            </div>
-
-            <FormActions
-              submitLabel="Install"
-              loadingText="Installing Helm chart"
-              isLoading={isInstalling}
-              isValid={!!namespace && !!name && !loadingValues}
-              data-cy="helm-install"
-            />
-          </Form>
-        )}
-      </Formik>
-    </>
+        <div className="basis-1/4">
+          <div className="h-full w-full vertical-center justify-end pr-5">
+            <Button
+              color="link"
+              className="!text-gray-8 hover:no-underline th-highcontrast:!text-white th-dark:!text-white"
+              onClick={clearHelmChart}
+              data-cy="clear-selection"
+            >
+              Clear selection
+              <Icon icon={X} className="ml-1" />
+            </Button>
+          </div>
+        </div>
+      </div>
+    </Widget>
   );
 }
diff --git a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts b/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts
deleted file mode 100644
index e6664a317..000000000
--- a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartInstall.ts
+++ /dev/null
@@ -1,40 +0,0 @@
-import { useMutation } from '@tanstack/react-query';
-
-import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
-import axios, { parseAxiosError } from '@/portainer/services/axios';
-import { EnvironmentId } from '@/react/portainer/environments/types';
-import {
-  queryClient,
-  withGlobalError,
-  withInvalidate,
-} from '@/react-tools/react-query';
-import { queryKeys } from '@/react/kubernetes/applications/queries/query-keys';
-
-import { InstallChartPayload } from '../../types';
-
-async function installHelmChart(
-  payload: InstallChartPayload,
-  environmentId: EnvironmentId
-) {
-  try {
-    const response = await axios.post(
-      `endpoints/${environmentId}/kubernetes/helm`,
-      payload
-    );
-    return response.data;
-  } catch (err) {
-    throw parseAxiosError(err as Error, 'Installation error');
-  }
-}
-
-export function useHelmChartInstall() {
-  const environmentId = useEnvironmentId();
-
-  return useMutation(
-    (values: InstallChartPayload) => installHelmChart(values, environmentId),
-    {
-      ...withGlobalError('Unable to install Helm chart'),
-      ...withInvalidate(queryClient, [queryKeys.applications(environmentId)]),
-    }
-  );
-}
diff --git a/app/react/kubernetes/helm/HelmTemplates/types.ts b/app/react/kubernetes/helm/HelmTemplates/types.ts
new file mode 100644
index 000000000..df0b09374
--- /dev/null
+++ b/app/react/kubernetes/helm/HelmTemplates/types.ts
@@ -0,0 +1,4 @@
+export type HelmInstallFormValues = {
+  values: string;
+  version: string;
+};
diff --git a/app/react/kubernetes/helm/components/HelmValuesInput.tsx b/app/react/kubernetes/helm/components/HelmValuesInput.tsx
new file mode 100644
index 000000000..3295b8d6e
--- /dev/null
+++ b/app/react/kubernetes/helm/components/HelmValuesInput.tsx
@@ -0,0 +1,80 @@
+import { FormControl } from '@@/form-components/FormControl';
+import { CodeEditor } from '@@/CodeEditor';
+import { ShortcutsTooltip } from '@@/CodeEditor/ShortcutsTooltip';
+
+type Props = {
+  values: string;
+  setValues: (values: string) => void;
+  valuesRef: string;
+  isValuesRefLoading: boolean;
+};
+
+export function HelmValuesInput({
+  values,
+  setValues,
+  valuesRef,
+  isValuesRefLoading,
+}: Props) {
+  return (
+    <div className="grid grid-cols-2 gap-4">
+      <FormControl
+        label="User-defined values"
+        inputId="user-values-editor"
+        size="vertical"
+        className="[&>label]:!mb-1 !mx-0"
+        tooltip={
+          <>
+            User-defined values will override the default chart values.
+            <br />
+            You can get more information about the Helm values file format in
+            the{' '}
+            <a
+              href="https://helm.sh/docs/chart_template_guide/values_files/"
+              target="_blank"
+              data-cy="helm-values-reference-link"
+              rel="noreferrer"
+            >
+              official documentation
+            </a>
+            .
+          </>
+        }
+      >
+        <CodeEditor
+          id="user-values-editor"
+          value={values}
+          onChange={setValues}
+          height="50vh"
+          type="yaml"
+          data-cy="helm-user-values-editor"
+          placeholder="Define or paste the content of your values yaml file here"
+          showToolbar={false}
+        />
+      </FormControl>
+      <FormControl
+        label={
+          <div className="flex justify-between w-full">
+            Values reference (read-only)
+            <ShortcutsTooltip />
+          </div>
+        }
+        inputId="values-reference"
+        size="vertical"
+        isLoading={isValuesRefLoading}
+        loadingText="Loading values..."
+        className="[&>label]:w-full [&>label]:!mb-1 !mx-0"
+      >
+        <CodeEditor
+          id="values-reference"
+          value={valuesRef}
+          height="50vh"
+          type="yaml"
+          readonly
+          data-cy="helm-values-reference"
+          placeholder="No values reference found"
+          showToolbar={false}
+        />
+      </FormControl>
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartValues.ts b/app/react/kubernetes/helm/queries/useHelmChartValues.ts
similarity index 54%
rename from app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartValues.ts
rename to app/react/kubernetes/helm/queries/useHelmChartValues.ts
index 29ec6e45a..2c1a95995 100644
--- a/app/react/kubernetes/helm/HelmTemplates/queries/useHelmChartValues.ts
+++ b/app/react/kubernetes/helm/queries/useHelmChartValues.ts
@@ -3,15 +3,16 @@ import { useQuery } from '@tanstack/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 import { withGlobalError } from '@/react-tools/react-query';
 
-import { Chart } from '../../types';
+type Params = {
+  chart: string;
+  repo: string;
+  version?: string;
+};
 
-async function getHelmChartValues(chart: string, repo: string) {
+async function getHelmChartValues(params: Params) {
   try {
     const response = await axios.get<string>(`/templates/helm/values`, {
-      params: {
-        repo,
-        chart,
-      },
+      params,
     });
     return response.data;
   } catch (err) {
@@ -19,14 +20,15 @@ async function getHelmChartValues(chart: string, repo: string) {
   }
 }
 
-export function useHelmChartValues(chart: Chart) {
+export function useHelmChartValues(params: Params) {
   return useQuery({
-    queryKey: ['helm-chart-values', chart.repo, chart.name],
-    queryFn: () => getHelmChartValues(chart.name, chart.repo),
-    enabled: !!chart.name,
+    queryKey: ['helm-chart-values', params.repo, params.chart, params.version],
+    queryFn: () => getHelmChartValues(params),
+    enabled: !!params.chart && !!params.repo,
     select: (data) => ({
       values: data,
     }),
+    staleTime: 60 * 1000 * 20, // 60 minutes, because values are not expected to change often
     ...withGlobalError('Unable to get Helm chart values'),
   });
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/queries/useHelmRepositories.ts
similarity index 97%
rename from app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
rename to app/react/kubernetes/helm/queries/useHelmRepositories.ts
index bf11eadb1..0713165c0 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRepositories.ts
+++ b/app/react/kubernetes/helm/queries/useHelmRepositories.ts
@@ -6,7 +6,7 @@ import { withGlobalError } from '@/react-tools/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 import { useCurrentUser } from '@/react/hooks/useUser';
 
-import { getHelmRepositories } from '../../queries/useHelmChartList';
+import { getHelmRepositories } from './useHelmChartList';
 
 interface HelmSearch {
   entries: Entries;
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts b/app/react/kubernetes/helm/queries/useUpdateHelmReleaseMutation.ts
similarity index 84%
rename from app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
rename to app/react/kubernetes/helm/queries/useUpdateHelmReleaseMutation.ts
index 4c60faafb..f2278ae58 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useUpdateHelmReleaseMutation.ts
+++ b/app/react/kubernetes/helm/queries/useUpdateHelmReleaseMutation.ts
@@ -5,17 +5,8 @@ import { withGlobalError, withInvalidate } from '@/react-tools/react-query';
 import { queryKeys as applicationsQueryKeys } from '@/react/kubernetes/applications/queries/query-keys';
 import { EnvironmentId } from '@/react/portainer/environments/types';
 
-import { HelmRelease } from '../../types';
+import { HelmRelease, UpdateHelmReleasePayload } from '../types';
 
-export interface UpdateHelmReleasePayload {
-  namespace: string;
-  values?: string;
-  repo?: string;
-  name: string;
-  chart: string;
-  version?: string;
-  atomic?: boolean;
-}
 export function useUpdateHelmReleaseMutation(environmentId: EnvironmentId) {
   const queryClient = useQueryClient();
   return useMutation({
diff --git a/app/react/kubernetes/helm/types.ts b/app/react/kubernetes/helm/types.ts
index 94f8a3a8e..5d5f27536 100644
--- a/app/react/kubernetes/helm/types.ts
+++ b/app/react/kubernetes/helm/types.ts
@@ -112,4 +112,15 @@ export interface InstallChartPayload {
   Chart: string;
   Values: string;
   Namespace: string;
+  Version?: string;
+}
+
+export interface UpdateHelmReleasePayload {
+  namespace: string;
+  values?: string;
+  repo?: string;
+  name: string;
+  chart: string;
+  version?: string;
+  atomic?: boolean;
 }
diff --git a/pkg/libhelm/options/show_options.go b/pkg/libhelm/options/show_options.go
index c94e14d80..a715c6655 100644
--- a/pkg/libhelm/options/show_options.go
+++ b/pkg/libhelm/options/show_options.go
@@ -19,6 +19,7 @@ type ShowOptions struct {
 	OutputFormat ShowOutputFormat
 	Chart        string
 	Repo         string
+	Version      string
 
 	Env []string
 }
diff --git a/pkg/libhelm/sdk/show.go b/pkg/libhelm/sdk/show.go
index 45f77719a..4dc9c402d 100644
--- a/pkg/libhelm/sdk/show.go
+++ b/pkg/libhelm/sdk/show.go
@@ -105,7 +105,7 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 func initShowClient(actionConfig *action.Configuration, showOpts options.ShowOptions) (*action.Show, error) {
 	showClient := action.NewShowWithConfig(action.ShowAll, actionConfig)
 	showClient.ChartPathOptions.RepoURL = showOpts.Repo
-	showClient.ChartPathOptions.Version = "" // Latest version
+	showClient.ChartPathOptions.Version = showOpts.Version // If version is "", it will use the latest version
 
 	// Set output type based on ShowOptions
 	switch showOpts.OutputFormat {

From eaf0deb2f6a310991f1cd72a14363204e96242a0 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Thu, 5 Jun 2025 17:03:43 +1200
Subject: [PATCH 138/212] feat(update-schedules): new update schedules view
 [BE-11754, BE-11887] (#686)

---
 app/assets/css/button.css | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/app/assets/css/button.css b/app/assets/css/button.css
index dc3f82460..0aece2a15 100644
--- a/app/assets/css/button.css
+++ b/app/assets/css/button.css
@@ -24,6 +24,10 @@ fieldset[disabled] .btn {
   box-shadow: none;
 }
 
+.btn-icon {
+  @apply !border-none !bg-transparent p-0;
+}
+
 .btn.btn-primary {
   @apply border-blue-8 bg-blue-8 text-white;
   @apply hover:border-blue-9 hover:bg-blue-9 hover:text-white;
@@ -71,6 +75,9 @@ fieldset[disabled] .btn {
   @apply border-error-5 th-highcontrast:border-error-7 th-dark:border-error-7;
   @apply border border-solid;
 }
+.btn.btn-icon.btn-dangerlight {
+  @apply hover:text-error-11 th-dark:hover:text-error-7;
+}
 
 .btn.btn-success {
   background-color: var(--ui-success-7);
@@ -83,8 +90,8 @@ fieldset[disabled] .btn {
 /* secondary-grey */
 .btn.btn-default,
 .btn.btn-light {
-  @apply border-gray-5 bg-white text-gray-9;
-  @apply hover:border-gray-5 hover:bg-gray-3 hover:text-gray-10;
+  @apply border-gray-5 bg-white text-gray-7;
+  @apply hover:border-gray-5 hover:bg-gray-3 hover:text-gray-9;
 
   /* dark mode */
   @apply th-dark:border-gray-warm-7 th-dark:bg-gray-iron-10 th-dark:text-gray-warm-4;
@@ -138,6 +145,10 @@ fieldset[disabled] .btn {
   box-shadow: 0px 0px 0px 4px var(--btn-focus-color);
 }
 
+.btn.btn-icon:focus {
+  box-shadow: none !important;
+}
+
 [theme='dark'] .btn.btn-primary:focus,
 [theme='dark'] .btn.btn-secondary:focus,
 [theme='dark'] .btn.btn-light:focus,

From 75f165d1fff4561ed287e3123b1565adce40183c Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Thu, 5 Jun 2025 19:46:10 -0300
Subject: [PATCH 139/212] feat(edgestackstatus): optimize the Edge Stack
 structures BE-11740 (#756)

---
 .../edgestackstatus/edgestackstatus.go        |  89 ++++++++++
 api/dataservices/edgestackstatus/tx.go        |  95 +++++++++++
 api/dataservices/interface.go                 |  15 +-
 api/datastore/migrate_data.go                 |  10 +-
 api/datastore/migrator/migrate_2_31_0.go      |  31 ++++
 api/datastore/migrator/migrator.go            |   9 +-
 api/datastore/services.go                     |  14 ++
 api/datastore/services_tx.go                  |   4 +
 .../test_data/output_24_to_latest.json        |   1 +
 .../edgestacks/edgestack_create_file.go       |   3 +-
 .../edgestacks/edgestack_create_git.go        |  12 +-
 .../edgestacks/edgestack_create_string.go     |  10 +-
 .../edgestacks/edgestack_create_test.go       |  31 ++--
 .../handler/edgestacks/edgestack_delete.go    |   5 +-
 .../edgestacks/edgestack_delete_test.go       |  33 ++--
 .../handler/edgestacks/edgestack_inspect.go   |  31 ++++
 api/http/handler/edgestacks/edgestack_list.go |   6 +
 .../edgestacks/edgestack_status_update.go     |  59 +++----
 .../edgestack_status_update_coordinator.go    | 155 ------------------
 .../edgestack_status_update_test.go           |  31 +---
 api/http/handler/edgestacks/edgestack_test.go |  42 ++---
 .../handler/edgestacks/edgestack_update.go    |   6 +-
 .../edgestacks/edgestack_update_test.go       |  40 ++---
 api/http/handler/edgestacks/handler.go        |   4 +-
 .../edgestacks/utils_update_stack_version.go  |  11 +-
 .../endpointedge_status_inspect_test.go       |   7 +-
 api/http/handler/endpoints/endpoint_delete.go |  11 +-
 api/http/handler/endpoints/filter.go          |  17 +-
 api/http/server.go                            |   5 +-
 api/internal/edge/edgestacks/service.go       |  13 +-
 api/internal/edge/edgestacks/status.go        |  26 ---
 api/internal/testhelpers/datastore.go         |   8 +-
 api/portainer.go                              |   9 +
 33 files changed, 452 insertions(+), 391 deletions(-)
 create mode 100644 api/dataservices/edgestackstatus/edgestackstatus.go
 create mode 100644 api/dataservices/edgestackstatus/tx.go
 create mode 100644 api/datastore/migrator/migrate_2_31_0.go
 delete mode 100644 api/http/handler/edgestacks/edgestack_status_update_coordinator.go
 delete mode 100644 api/internal/edge/edgestacks/status.go

diff --git a/api/dataservices/edgestackstatus/edgestackstatus.go b/api/dataservices/edgestackstatus/edgestackstatus.go
new file mode 100644
index 000000000..7d063ba49
--- /dev/null
+++ b/api/dataservices/edgestackstatus/edgestackstatus.go
@@ -0,0 +1,89 @@
+package edgestackstatus
+
+import (
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+var _ dataservices.EdgeStackStatusService = &Service{}
+
+const BucketName = "edge_stack_status"
+
+type Service struct {
+	conn portainer.Connection
+}
+
+func (service *Service) BucketName() string {
+	return BucketName
+}
+
+func NewService(connection portainer.Connection) (*Service, error) {
+	if err := connection.SetServiceName(BucketName); err != nil {
+		return nil, err
+	}
+
+	return &Service{conn: connection}, nil
+}
+
+func (s *Service) Tx(tx portainer.Transaction) ServiceTx {
+	return ServiceTx{
+		service: s,
+		tx:      tx,
+	}
+}
+
+func (s *Service) Create(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Create(edgeStackID, endpointID, status)
+	})
+}
+
+func (s *Service) Read(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) (*portainer.EdgeStackStatusForEnv, error) {
+	var element *portainer.EdgeStackStatusForEnv
+
+	return element, s.conn.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		element, err = s.Tx(tx).Read(edgeStackID, endpointID)
+
+		return err
+	})
+}
+
+func (s *Service) ReadAll(edgeStackID portainer.EdgeStackID) ([]portainer.EdgeStackStatusForEnv, error) {
+	var collection = make([]portainer.EdgeStackStatusForEnv, 0)
+
+	return collection, s.conn.ViewTx(func(tx portainer.Transaction) error {
+		var err error
+		collection, err = s.Tx(tx).ReadAll(edgeStackID)
+
+		return err
+	})
+}
+
+func (s *Service) Update(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Update(edgeStackID, endpointID, status)
+	})
+}
+
+func (s *Service) Delete(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Delete(edgeStackID, endpointID)
+	})
+}
+
+func (s *Service) DeleteAll(edgeStackID portainer.EdgeStackID) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).DeleteAll(edgeStackID)
+	})
+}
+
+func (s *Service) Clear(edgeStackID portainer.EdgeStackID, relatedEnvironmentsIDs []portainer.EndpointID) error {
+	return s.conn.UpdateTx(func(tx portainer.Transaction) error {
+		return s.Tx(tx).Clear(edgeStackID, relatedEnvironmentsIDs)
+	})
+}
+
+func (s *Service) key(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) []byte {
+	return append(s.conn.ConvertToKey(int(edgeStackID)), s.conn.ConvertToKey(int(endpointID))...)
+}
diff --git a/api/dataservices/edgestackstatus/tx.go b/api/dataservices/edgestackstatus/tx.go
new file mode 100644
index 000000000..b0dc14856
--- /dev/null
+++ b/api/dataservices/edgestackstatus/tx.go
@@ -0,0 +1,95 @@
+package edgestackstatus
+
+import (
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+)
+
+var _ dataservices.EdgeStackStatusService = &Service{}
+
+type ServiceTx struct {
+	service *Service
+	tx      portainer.Transaction
+}
+
+func (service ServiceTx) Create(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	identifier := service.service.key(edgeStackID, endpointID)
+	return service.tx.CreateObjectWithStringId(BucketName, identifier, status)
+}
+
+func (s ServiceTx) Read(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) (*portainer.EdgeStackStatusForEnv, error) {
+	var status portainer.EdgeStackStatusForEnv
+	identifier := s.service.key(edgeStackID, endpointID)
+
+	if err := s.tx.GetObject(BucketName, identifier, &status); err != nil {
+		return nil, err
+	}
+
+	return &status, nil
+}
+
+func (s ServiceTx) ReadAll(edgeStackID portainer.EdgeStackID) ([]portainer.EdgeStackStatusForEnv, error) {
+	keyPrefix := s.service.conn.ConvertToKey(int(edgeStackID))
+
+	statuses := make([]portainer.EdgeStackStatusForEnv, 0)
+
+	if err := s.tx.GetAllWithKeyPrefix(BucketName, keyPrefix, &portainer.EdgeStackStatusForEnv{}, dataservices.AppendFn(&statuses)); err != nil {
+		return nil, fmt.Errorf("unable to retrieve EdgeStackStatus for EdgeStack %d: %w", edgeStackID, err)
+	}
+
+	return statuses, nil
+}
+
+func (s ServiceTx) Update(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error {
+	identifier := s.service.key(edgeStackID, endpointID)
+	return s.tx.UpdateObject(BucketName, identifier, status)
+}
+
+func (s ServiceTx) Delete(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) error {
+	identifier := s.service.key(edgeStackID, endpointID)
+	return s.tx.DeleteObject(BucketName, identifier)
+}
+
+func (s ServiceTx) DeleteAll(edgeStackID portainer.EdgeStackID) error {
+	keyPrefix := s.service.conn.ConvertToKey(int(edgeStackID))
+
+	statuses := make([]portainer.EdgeStackStatusForEnv, 0)
+
+	if err := s.tx.GetAllWithKeyPrefix(BucketName, keyPrefix, &portainer.EdgeStackStatusForEnv{}, dataservices.AppendFn(&statuses)); err != nil {
+		return fmt.Errorf("unable to retrieve EdgeStackStatus for EdgeStack %d: %w", edgeStackID, err)
+	}
+
+	for _, status := range statuses {
+		if err := s.tx.DeleteObject(BucketName, s.service.key(edgeStackID, status.EndpointID)); err != nil {
+			return fmt.Errorf("unable to delete EdgeStackStatus for EdgeStack %d and Endpoint %d: %w", edgeStackID, status.EndpointID, err)
+		}
+	}
+
+	return nil
+}
+
+func (s ServiceTx) Clear(edgeStackID portainer.EdgeStackID, relatedEnvironmentsIDs []portainer.EndpointID) error {
+	for _, envID := range relatedEnvironmentsIDs {
+		existingStatus, err := s.Read(edgeStackID, envID)
+		if err != nil && !dataservices.IsErrObjectNotFound(err) {
+			return fmt.Errorf("unable to retrieve status for environment %d: %w", envID, err)
+		}
+
+		var deploymentInfo portainer.StackDeploymentInfo
+		if existingStatus != nil {
+			deploymentInfo = existingStatus.DeploymentInfo
+		}
+
+		if err := s.Update(edgeStackID, envID, &portainer.EdgeStackStatusForEnv{
+			EndpointID:     envID,
+			Status:         []portainer.EdgeStackDeploymentStatus{},
+			DeploymentInfo: deploymentInfo,
+		}); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/api/dataservices/interface.go b/api/dataservices/interface.go
index 8ba55531c..d330d4959 100644
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -12,6 +12,7 @@ type (
 		EdgeGroup() EdgeGroupService
 		EdgeJob() EdgeJobService
 		EdgeStack() EdgeStackService
+		EdgeStackStatus() EdgeStackStatusService
 		Endpoint() EndpointService
 		EndpointGroup() EndpointGroupService
 		EndpointRelation() EndpointRelationService
@@ -39,8 +40,8 @@ type (
 		Open() (newStore bool, err error)
 		Init() error
 		Close() error
-		UpdateTx(func(DataStoreTx) error) error
-		ViewTx(func(DataStoreTx) error) error
+		UpdateTx(func(tx DataStoreTx) error) error
+		ViewTx(func(tx DataStoreTx) error) error
 		MigrateData() error
 		Rollback(force bool) error
 		CheckCurrentEdition() error
@@ -89,6 +90,16 @@ type (
 		BucketName() string
 	}
 
+	EdgeStackStatusService interface {
+		Create(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error
+		Read(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) (*portainer.EdgeStackStatusForEnv, error)
+		ReadAll(edgeStackID portainer.EdgeStackID) ([]portainer.EdgeStackStatusForEnv, error)
+		Update(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID, status *portainer.EdgeStackStatusForEnv) error
+		Delete(edgeStackID portainer.EdgeStackID, endpointID portainer.EndpointID) error
+		DeleteAll(edgeStackID portainer.EdgeStackID) error
+		Clear(edgeStackID portainer.EdgeStackID, relatedEnvironmentsIDs []portainer.EndpointID) error
+	}
+
 	// EndpointService represents a service for managing environment(endpoint) data
 	EndpointService interface {
 		Endpoint(ID portainer.EndpointID) (*portainer.Endpoint, error)
diff --git a/api/datastore/migrate_data.go b/api/datastore/migrate_data.go
index 8047274d1..409936db8 100644
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -40,13 +40,11 @@ func (store *Store) MigrateData() error {
 	}
 
 	// before we alter anything in the DB, create a backup
-	_, err = store.Backup("")
-	if err != nil {
+	if _, err := store.Backup(""); err != nil {
 		return errors.Wrap(err, "while backing up database")
 	}
 
-	err = store.FailSafeMigrate(migrator, version)
-	if err != nil {
+	if err := store.FailSafeMigrate(migrator, version); err != nil {
 		err = errors.Wrap(err, "failed to migrate database")
 
 		log.Warn().Err(err).Msg("migration failed, restoring database to previous version")
@@ -85,6 +83,7 @@ func (store *Store) newMigratorParameters(version *models.Version, flags *portai
 		DockerhubService:        store.DockerHubService,
 		AuthorizationService:    authorization.NewService(store),
 		EdgeStackService:        store.EdgeStackService,
+		EdgeStackStatusService:  store.EdgeStackStatusService,
 		EdgeJobService:          store.EdgeJobService,
 		TunnelServerService:     store.TunnelServerService,
 		PendingActionsService:   store.PendingActionsService,
@@ -140,8 +139,7 @@ func (store *Store) connectionRollback(force bool) error {
 		}
 	}
 
-	err := store.Restore()
-	if err != nil {
+	if err := store.Restore(); err != nil {
 		return err
 	}
 
diff --git a/api/datastore/migrator/migrate_2_31_0.go b/api/datastore/migrator/migrate_2_31_0.go
new file mode 100644
index 000000000..7afea9802
--- /dev/null
+++ b/api/datastore/migrator/migrate_2_31_0.go
@@ -0,0 +1,31 @@
+package migrator
+
+import portainer "github.com/portainer/portainer/api"
+
+func (m *Migrator) migrateEdgeStacksStatuses_2_31_0() error {
+	edgeStacks, err := m.edgeStackService.EdgeStacks()
+	if err != nil {
+		return err
+	}
+
+	for _, edgeStack := range edgeStacks {
+		for envID, status := range edgeStack.Status {
+			if err := m.edgeStackStatusService.Create(edgeStack.ID, envID, &portainer.EdgeStackStatusForEnv{
+				EndpointID:       envID,
+				Status:           status.Status,
+				DeploymentInfo:   status.DeploymentInfo,
+				ReadyRePullImage: status.ReadyRePullImage,
+			}); err != nil {
+				return err
+			}
+		}
+
+		edgeStack.Status = nil
+
+		if err := m.edgeStackService.UpdateEdgeStack(edgeStack.ID, &edgeStack); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/api/datastore/migrator/migrator.go b/api/datastore/migrator/migrator.go
index dc92006ad..992dd0b9d 100644
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -3,12 +3,12 @@ package migrator
 import (
 	"errors"
 
-	"github.com/Masterminds/semver"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices/dockerhub"
 	"github.com/portainer/portainer/api/dataservices/edgejob"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
+	"github.com/portainer/portainer/api/dataservices/edgestackstatus"
 	"github.com/portainer/portainer/api/dataservices/endpoint"
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
@@ -27,6 +27,8 @@ import (
 	"github.com/portainer/portainer/api/dataservices/user"
 	"github.com/portainer/portainer/api/dataservices/version"
 	"github.com/portainer/portainer/api/internal/authorization"
+
+	"github.com/Masterminds/semver"
 	"github.com/rs/zerolog/log"
 )
 
@@ -56,6 +58,7 @@ type (
 		authorizationService    *authorization.Service
 		dockerhubService        *dockerhub.Service
 		edgeStackService        *edgestack.Service
+		edgeStackStatusService  *edgestackstatus.Service
 		edgeJobService          *edgejob.Service
 		TunnelServerService     *tunnelserver.Service
 		pendingActionsService   *pendingactions.Service
@@ -84,6 +87,7 @@ type (
 		AuthorizationService    *authorization.Service
 		DockerhubService        *dockerhub.Service
 		EdgeStackService        *edgestack.Service
+		EdgeStackStatusService  *edgestackstatus.Service
 		EdgeJobService          *edgejob.Service
 		TunnelServerService     *tunnelserver.Service
 		PendingActionsService   *pendingactions.Service
@@ -114,6 +118,7 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		authorizationService:    parameters.AuthorizationService,
 		dockerhubService:        parameters.DockerhubService,
 		edgeStackService:        parameters.EdgeStackService,
+		edgeStackStatusService:  parameters.EdgeStackStatusService,
 		edgeJobService:          parameters.EdgeJobService,
 		TunnelServerService:     parameters.TunnelServerService,
 		pendingActionsService:   parameters.PendingActionsService,
@@ -242,6 +247,8 @@ func (m *Migrator) initMigrations() {
 		m.migratePendingActionsDataForDB130,
 	)
 
+	m.addMigrations("2.31.0", m.migrateEdgeStacksStatuses_2_31_0)
+
 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
 }
diff --git a/api/datastore/services.go b/api/datastore/services.go
index b5363afe9..b0570fa67 100644
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -13,6 +13,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/edgegroup"
 	"github.com/portainer/portainer/api/dataservices/edgejob"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
+	"github.com/portainer/portainer/api/dataservices/edgestackstatus"
 	"github.com/portainer/portainer/api/dataservices/endpoint"
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
@@ -39,6 +40,8 @@ import (
 	"github.com/segmentio/encoding/json"
 )
 
+var _ dataservices.DataStore = &Store{}
+
 // Store defines the implementation of portainer.DataStore using
 // BoltDB as the storage system.
 type Store struct {
@@ -51,6 +54,7 @@ type Store struct {
 	EdgeGroupService          *edgegroup.Service
 	EdgeJobService            *edgejob.Service
 	EdgeStackService          *edgestack.Service
+	EdgeStackStatusService    *edgestackstatus.Service
 	EndpointGroupService      *endpointgroup.Service
 	EndpointService           *endpoint.Service
 	EndpointRelationService   *endpointrelation.Service
@@ -109,6 +113,12 @@ func (store *Store) initServices() error {
 	store.EdgeStackService = edgeStackService
 	endpointRelationService.RegisterUpdateStackFunction(edgeStackService.UpdateEdgeStackFunc, edgeStackService.UpdateEdgeStackFuncTx)
 
+	edgeStackStatusService, err := edgestackstatus.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.EdgeStackStatusService = edgeStackStatusService
+
 	edgeGroupService, err := edgegroup.NewService(store.connection)
 	if err != nil {
 		return err
@@ -269,6 +279,10 @@ func (store *Store) EdgeStack() dataservices.EdgeStackService {
 	return store.EdgeStackService
 }
 
+func (store *Store) EdgeStackStatus() dataservices.EdgeStackStatusService {
+	return store.EdgeStackStatusService
+}
+
 // Environment(Endpoint) gives access to the Environment(Endpoint) data management layer
 func (store *Store) Endpoint() dataservices.EndpointService {
 	return store.EndpointService
diff --git a/api/datastore/services_tx.go b/api/datastore/services_tx.go
index ddedf20cc..cf9f868f4 100644
--- a/api/datastore/services_tx.go
+++ b/api/datastore/services_tx.go
@@ -32,6 +32,10 @@ func (tx *StoreTx) EdgeStack() dataservices.EdgeStackService {
 	return tx.store.EdgeStackService.Tx(tx.tx)
 }
 
+func (tx *StoreTx) EdgeStackStatus() dataservices.EdgeStackStatusService {
+	return tx.store.EdgeStackStatusService.Tx(tx.tx)
+}
+
 func (tx *StoreTx) Endpoint() dataservices.EndpointService {
 	return tx.store.EndpointService.Tx(tx.tx)
 }
diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 40971c519..41494fbee 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -8,6 +8,7 @@
     }
   ],
   "edge_stack": null,
+  "edge_stack_status": null,
   "edgegroups": null,
   "edgejobs": null,
   "endpoint_groups": [
diff --git a/api/http/handler/edgestacks/edgestack_create_file.go b/api/http/handler/edgestacks/edgestack_create_file.go
index 555418835..a0bc2995f 100644
--- a/api/http/handler/edgestacks/edgestack_create_file.go
+++ b/api/http/handler/edgestacks/edgestack_create_file.go
@@ -101,8 +101,7 @@ func (payload *edgeStackFromFileUploadPayload) Validate(r *http.Request) error {
 // @router /edge_stacks/create/file [post]
 func (handler *Handler) createEdgeStackFromFileUpload(r *http.Request, tx dataservices.DataStoreTx, dryrun bool) (*portainer.EdgeStack, error) {
 	payload := &edgeStackFromFileUploadPayload{}
-	err := payload.Validate(r)
-	if err != nil {
+	if err := payload.Validate(r); err != nil {
 		return nil, err
 	}
 
diff --git a/api/http/handler/edgestacks/edgestack_create_git.go b/api/http/handler/edgestacks/edgestack_create_git.go
index 2da816481..d20e5b5c2 100644
--- a/api/http/handler/edgestacks/edgestack_create_git.go
+++ b/api/http/handler/edgestacks/edgestack_create_git.go
@@ -103,8 +103,7 @@ func (payload *edgeStackFromGitRepositoryPayload) Validate(r *http.Request) erro
 // @router /edge_stacks/create/repository [post]
 func (handler *Handler) createEdgeStackFromGitRepository(r *http.Request, tx dataservices.DataStoreTx, dryrun bool, userID portainer.UserID) (*portainer.EdgeStack, error) {
 	var payload edgeStackFromGitRepositoryPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
+	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
 		return nil, err
 	}
 
@@ -137,11 +136,9 @@ func (handler *Handler) createEdgeStackFromGitRepository(r *http.Request, tx dat
 }
 
 func (handler *Handler) storeManifestFromGitRepository(tx dataservices.DataStoreTx, stackFolder string, relatedEndpointIds []portainer.EndpointID, deploymentType portainer.EdgeStackDeploymentType, currentUserID portainer.UserID, repositoryConfig gittypes.RepoConfig) (composePath, manifestPath, projectPath string, err error) {
-	hasWrongType, err := hasWrongEnvironmentType(tx.Endpoint(), relatedEndpointIds, deploymentType)
-	if err != nil {
+	if hasWrongType, err := hasWrongEnvironmentType(tx.Endpoint(), relatedEndpointIds, deploymentType); err != nil {
 		return "", "", "", fmt.Errorf("unable to check for existence of non fitting environments: %w", err)
-	}
-	if hasWrongType {
+	} else if hasWrongType {
 		return "", "", "", errors.New("edge stack with config do not match the environment type")
 	}
 
@@ -153,8 +150,7 @@ func (handler *Handler) storeManifestFromGitRepository(tx dataservices.DataStore
 		repositoryPassword = repositoryConfig.Authentication.Password
 	}
 
-	err = handler.GitService.CloneRepository(projectPath, repositoryConfig.URL, repositoryConfig.ReferenceName, repositoryUsername, repositoryPassword, repositoryConfig.TLSSkipVerify)
-	if err != nil {
+	if err := handler.GitService.CloneRepository(projectPath, repositoryConfig.URL, repositoryConfig.ReferenceName, repositoryUsername, repositoryPassword, repositoryConfig.TLSSkipVerify); err != nil {
 		return "", "", "", err
 	}
 
diff --git a/api/http/handler/edgestacks/edgestack_create_string.go b/api/http/handler/edgestacks/edgestack_create_string.go
index 556633fae..5e3fb57b8 100644
--- a/api/http/handler/edgestacks/edgestack_create_string.go
+++ b/api/http/handler/edgestacks/edgestack_create_string.go
@@ -76,8 +76,7 @@ func (payload *edgeStackFromStringPayload) Validate(r *http.Request) error {
 // @router /edge_stacks/create/string [post]
 func (handler *Handler) createEdgeStackFromFileContent(r *http.Request, tx dataservices.DataStoreTx, dryrun bool) (*portainer.EdgeStack, error) {
 	var payload edgeStackFromStringPayload
-	err := request.DecodeAndValidateJSONPayload(r, &payload)
-	if err != nil {
+	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
 		return nil, err
 	}
 
@@ -96,11 +95,9 @@ func (handler *Handler) createEdgeStackFromFileContent(r *http.Request, tx datas
 }
 
 func (handler *Handler) storeFileContent(tx dataservices.DataStoreTx, stackFolder string, deploymentType portainer.EdgeStackDeploymentType, relatedEndpointIds []portainer.EndpointID, fileContent []byte) (composePath, manifestPath, projectPath string, err error) {
-	hasWrongType, err := hasWrongEnvironmentType(tx.Endpoint(), relatedEndpointIds, deploymentType)
-	if err != nil {
+	if hasWrongType, err := hasWrongEnvironmentType(tx.Endpoint(), relatedEndpointIds, deploymentType); err != nil {
 		return "", "", "", fmt.Errorf("unable to check for existence of non fitting environments: %w", err)
-	}
-	if hasWrongType {
+	} else if hasWrongType {
 		return "", "", "", errors.New("edge stack with config do not match the environment type")
 	}
 
@@ -124,7 +121,6 @@ func (handler *Handler) storeFileContent(tx dataservices.DataStoreTx, stackFolde
 		}
 
 		return "", manifestPath, projectPath, nil
-
 	}
 
 	errMessage := fmt.Sprintf("invalid deployment type: %d", deploymentType)
diff --git a/api/http/handler/edgestacks/edgestack_create_test.go b/api/http/handler/edgestacks/edgestack_create_test.go
index 32158d300..486cc09d0 100644
--- a/api/http/handler/edgestacks/edgestack_create_test.go
+++ b/api/http/handler/edgestacks/edgestack_create_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/require"
 
 	"github.com/segmentio/encoding/json"
 )
@@ -28,9 +29,7 @@ func TestCreateAndInspect(t *testing.T) {
 	}
 
 	err := handler.DataStore.EdgeGroup().Create(&edgeGroup)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	endpointRelation := portainer.EndpointRelation{
 		EndpointID: endpoint.ID,
@@ -38,9 +37,7 @@ func TestCreateAndInspect(t *testing.T) {
 	}
 
 	err = handler.DataStore.EndpointRelation().Create(&endpointRelation)
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
 
 	payload := edgeStackFromStringPayload{
 		Name:             "test-stack",
@@ -50,16 +47,14 @@ func TestCreateAndInspect(t *testing.T) {
 	}
 
 	jsonPayload, err := json.Marshal(payload)
-	if err != nil {
-		t.Fatal("JSON marshal error:", err)
-	}
+	require.NoError(t, err)
+
 	r := bytes.NewBuffer(jsonPayload)
 
 	// Create EdgeStack
 	req, err := http.NewRequest(http.MethodPost, "/edge_stacks/create/string", r)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
+
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec := httptest.NewRecorder()
 	handler.ServeHTTP(rec, req)
@@ -70,15 +65,11 @@ func TestCreateAndInspect(t *testing.T) {
 
 	data := portainer.EdgeStack{}
 	err = json.NewDecoder(rec.Body).Decode(&data)
-	if err != nil {
-		t.Fatal("error decoding response:", err)
-	}
+	require.NoError(t, err)
 
 	// Inspect
 	req, err = http.NewRequest(http.MethodGet, fmt.Sprintf("/edge_stacks/%d", data.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec = httptest.NewRecorder()
@@ -90,9 +81,7 @@ func TestCreateAndInspect(t *testing.T) {
 
 	data = portainer.EdgeStack{}
 	err = json.NewDecoder(rec.Body).Decode(&data)
-	if err != nil {
-		t.Fatal("error decoding response:", err)
-	}
+	require.NoError(t, err)
 
 	if payload.Name != data.Name {
 		t.Fatalf("expected EdgeStack Name %s, found %s", payload.Name, data.Name)
diff --git a/api/http/handler/edgestacks/edgestack_delete.go b/api/http/handler/edgestacks/edgestack_delete.go
index 3d71f2bce..0e6307684 100644
--- a/api/http/handler/edgestacks/edgestack_delete.go
+++ b/api/http/handler/edgestacks/edgestack_delete.go
@@ -30,10 +30,9 @@ func (handler *Handler) edgeStackDelete(w http.ResponseWriter, r *http.Request)
 		return httperror.BadRequest("Invalid edge stack identifier route variable", err)
 	}
 
-	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+	if err := handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
 		return handler.deleteEdgeStack(tx, portainer.EdgeStackID(edgeStackID))
-	})
-	if err != nil {
+	}); err != nil {
 		var httpErr *httperror.HandlerError
 		if errors.As(err, &httpErr) {
 			return httpErr
diff --git a/api/http/handler/edgestacks/edgestack_delete_test.go b/api/http/handler/edgestacks/edgestack_delete_test.go
index ef25ae45c..ca334c7ce 100644
--- a/api/http/handler/edgestacks/edgestack_delete_test.go
+++ b/api/http/handler/edgestacks/edgestack_delete_test.go
@@ -8,9 +8,10 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/stretchr/testify/assert"
 
 	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 // Delete
@@ -23,9 +24,7 @@ func TestDeleteAndInspect(t *testing.T) {
 
 	// Inspect
 	req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("/edge_stacks/%d", edgeStack.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec := httptest.NewRecorder()
@@ -37,9 +36,7 @@ func TestDeleteAndInspect(t *testing.T) {
 
 	data := portainer.EdgeStack{}
 	err = json.NewDecoder(rec.Body).Decode(&data)
-	if err != nil {
-		t.Fatal("error decoding response:", err)
-	}
+	require.NoError(t, err)
 
 	if data.ID != edgeStack.ID {
 		t.Fatalf("expected EdgeStackID %d, found %d", int(edgeStack.ID), data.ID)
@@ -47,9 +44,7 @@ func TestDeleteAndInspect(t *testing.T) {
 
 	// Delete
 	req, err = http.NewRequest(http.MethodDelete, fmt.Sprintf("/edge_stacks/%d", edgeStack.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec = httptest.NewRecorder()
@@ -61,9 +56,7 @@ func TestDeleteAndInspect(t *testing.T) {
 
 	// Inspect
 	req, err = http.NewRequest(http.MethodGet, fmt.Sprintf("/edge_stacks/%d", edgeStack.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec = httptest.NewRecorder()
@@ -117,15 +110,12 @@ func TestDeleteEdgeStack_RemoveProjectFolder(t *testing.T) {
 	}
 
 	var buf bytes.Buffer
-	if err := json.NewEncoder(&buf).Encode(payload); err != nil {
-		t.Fatal("error encoding payload:", err)
-	}
+	err := json.NewEncoder(&buf).Encode(payload)
+	require.NoError(t, err)
 
 	// Create
 	req, err := http.NewRequest(http.MethodPost, "/edge_stacks/create/string", &buf)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec := httptest.NewRecorder()
@@ -138,9 +128,8 @@ func TestDeleteEdgeStack_RemoveProjectFolder(t *testing.T) {
 	assert.DirExists(t, handler.FileService.GetEdgeStackProjectPath("1"))
 
 	// Delete
-	if req, err = http.NewRequest(http.MethodDelete, "/edge_stacks/1", nil); err != nil {
-		t.Fatal("request error:", err)
-	}
+	req, err = http.NewRequest(http.MethodDelete, "/edge_stacks/1", nil)
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec = httptest.NewRecorder()
diff --git a/api/http/handler/edgestacks/edgestack_inspect.go b/api/http/handler/edgestacks/edgestack_inspect.go
index 06c118835..2936f320e 100644
--- a/api/http/handler/edgestacks/edgestack_inspect.go
+++ b/api/http/handler/edgestacks/edgestack_inspect.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -33,5 +34,35 @@ func (handler *Handler) edgeStackInspect(w http.ResponseWriter, r *http.Request)
 		return handlerDBErr(err, "Unable to find an edge stack with the specified identifier inside the database")
 	}
 
+	if err := fillEdgeStackStatus(handler.DataStore, edgeStack); err != nil {
+		return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
+	}
+
 	return response.JSON(w, edgeStack)
 }
+
+func fillEdgeStackStatus(tx dataservices.DataStoreTx, edgeStack *portainer.EdgeStack) error {
+	status, err := tx.EdgeStackStatus().ReadAll(edgeStack.ID)
+	if err != nil {
+		return err
+	}
+
+	edgeStack.Status = make(map[portainer.EndpointID]portainer.EdgeStackStatus, len(status))
+
+	emptyStatus := make([]portainer.EdgeStackDeploymentStatus, 0)
+
+	for _, s := range status {
+		if s.Status == nil {
+			s.Status = emptyStatus
+		}
+
+		edgeStack.Status[s.EndpointID] = portainer.EdgeStackStatus{
+			Status:           s.Status,
+			EndpointID:       s.EndpointID,
+			DeploymentInfo:   s.DeploymentInfo,
+			ReadyRePullImage: s.ReadyRePullImage,
+		}
+	}
+
+	return nil
+}
diff --git a/api/http/handler/edgestacks/edgestack_list.go b/api/http/handler/edgestacks/edgestack_list.go
index 26fd7da05..b0df238c3 100644
--- a/api/http/handler/edgestacks/edgestack_list.go
+++ b/api/http/handler/edgestacks/edgestack_list.go
@@ -25,5 +25,11 @@ func (handler *Handler) edgeStackList(w http.ResponseWriter, r *http.Request) *h
 		return httperror.InternalServerError("Unable to retrieve edge stacks from the database", err)
 	}
 
+	for i := range edgeStacks {
+		if err := fillEdgeStackStatus(handler.DataStore, &edgeStacks[i]); err != nil {
+			return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
+		}
+	}
+
 	return response.JSON(w, edgeStacks)
 }
diff --git a/api/http/handler/edgestacks/edgestack_status_update.go b/api/http/handler/edgestacks/edgestack_status_update.go
index fef5a6927..4f99e7ab3 100644
--- a/api/http/handler/edgestacks/edgestack_status_update.go
+++ b/api/http/handler/edgestacks/edgestack_status_update.go
@@ -9,11 +9,10 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
-
-	"github.com/rs/zerolog/log"
 )
 
 type updateStatusPayload struct {
@@ -78,12 +77,25 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 		return httperror.Forbidden("Permission denied to access environment", fmt.Errorf("unauthorized edge endpoint operation: %w. Environment name: %s", err, endpoint.Name))
 	}
 
-	updateFn := func(stack *portainer.EdgeStack) (*portainer.EdgeStack, error) {
-		return handler.updateEdgeStackStatus(stack, stack.ID, payload)
-	}
+	var stack *portainer.EdgeStack
 
-	stack, err := handler.stackCoordinator.UpdateStatus(r, portainer.EdgeStackID(stackID), updateFn)
-	if err != nil {
+	if err := handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+		var err error
+		stack, err = tx.EdgeStack().EdgeStack(portainer.EdgeStackID(stackID))
+		if err != nil {
+			if dataservices.IsErrObjectNotFound(err) {
+				return nil
+			}
+
+			return httperror.InternalServerError("Unable to retrieve Edge stack from the database", err)
+		}
+
+		if err := handler.updateEdgeStackStatus(tx, stack, stack.ID, payload); err != nil {
+			return httperror.InternalServerError("Unable to update Edge stack status", err)
+		}
+
+		return nil
+	}); err != nil {
 		var httpErr *httperror.HandlerError
 		if errors.As(err, &httpErr) {
 			return httpErr
@@ -96,43 +108,34 @@ func (handler *Handler) edgeStackStatusUpdate(w http.ResponseWriter, r *http.Req
 		return nil
 	}
 
+	if err := fillEdgeStackStatus(handler.DataStore, stack); err != nil {
+		return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
+	}
+
 	return response.JSON(w, stack)
 }
 
-func (handler *Handler) updateEdgeStackStatus(stack *portainer.EdgeStack, stackID portainer.EdgeStackID, payload updateStatusPayload) (*portainer.EdgeStack, error) {
+func (handler *Handler) updateEdgeStackStatus(tx dataservices.DataStoreTx, stack *portainer.EdgeStack, stackID portainer.EdgeStackID, payload updateStatusPayload) error {
 	if payload.Version > 0 && payload.Version < stack.Version {
-		return stack, nil
+		return nil
 	}
 
 	status := *payload.Status
 
-	log.Debug().
-		Int("stackID", int(stackID)).
-		Int("status", int(status)).
-		Msg("Updating stack status")
-
 	deploymentStatus := portainer.EdgeStackDeploymentStatus{
 		Type:  status,
 		Error: payload.Error,
 		Time:  payload.Time,
 	}
 
-	updateEnvStatus(payload.EndpointID, stack, deploymentStatus)
-
-	return stack, nil
-}
-
-func updateEnvStatus(environmentId portainer.EndpointID, stack *portainer.EdgeStack, deploymentStatus portainer.EdgeStackDeploymentStatus) {
 	if deploymentStatus.Type == portainer.EdgeStackStatusRemoved {
-		delete(stack.Status, environmentId)
-
-		return
+		return tx.EdgeStackStatus().Delete(stackID, payload.EndpointID)
 	}
 
-	environmentStatus, ok := stack.Status[environmentId]
-	if !ok {
-		environmentStatus = portainer.EdgeStackStatus{
-			EndpointID: environmentId,
+	environmentStatus, err := tx.EdgeStackStatus().Read(stackID, payload.EndpointID)
+	if err != nil {
+		environmentStatus = &portainer.EdgeStackStatusForEnv{
+			EndpointID: payload.EndpointID,
 			Status:     []portainer.EdgeStackDeploymentStatus{},
 		}
 	}
@@ -143,5 +146,5 @@ func updateEnvStatus(environmentId portainer.EndpointID, stack *portainer.EdgeSt
 		environmentStatus.Status = append(environmentStatus.Status, deploymentStatus)
 	}
 
-	stack.Status[environmentId] = environmentStatus
+	return tx.EdgeStackStatus().Update(stackID, payload.EndpointID, environmentStatus)
 }
diff --git a/api/http/handler/edgestacks/edgestack_status_update_coordinator.go b/api/http/handler/edgestacks/edgestack_status_update_coordinator.go
deleted file mode 100644
index 885b4c6da..000000000
--- a/api/http/handler/edgestacks/edgestack_status_update_coordinator.go
+++ /dev/null
@@ -1,155 +0,0 @@
-package edgestacks
-
-import (
-	"errors"
-	"fmt"
-	"net/http"
-
-	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-
-	"github.com/rs/zerolog/log"
-)
-
-type statusRequest struct {
-	respCh   chan statusResponse
-	stackID  portainer.EdgeStackID
-	updateFn statusUpdateFn
-}
-
-type statusResponse struct {
-	Stack *portainer.EdgeStack
-	Error error
-}
-
-type statusUpdateFn func(*portainer.EdgeStack) (*portainer.EdgeStack, error)
-
-type EdgeStackStatusUpdateCoordinator struct {
-	updateCh  chan statusRequest
-	dataStore dataservices.DataStore
-}
-
-var errAnotherStackUpdateInProgress = errors.New("another stack update is in progress")
-
-func NewEdgeStackStatusUpdateCoordinator(dataStore dataservices.DataStore) *EdgeStackStatusUpdateCoordinator {
-	return &EdgeStackStatusUpdateCoordinator{
-		updateCh:  make(chan statusRequest),
-		dataStore: dataStore,
-	}
-}
-
-func (c *EdgeStackStatusUpdateCoordinator) Start() {
-	for {
-		c.loop()
-	}
-}
-
-func (c *EdgeStackStatusUpdateCoordinator) loop() {
-	u := <-c.updateCh
-
-	respChs := []chan statusResponse{u.respCh}
-
-	var stack *portainer.EdgeStack
-
-	err := c.dataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
-		// 1. Load the edge stack
-		var err error
-
-		stack, err = loadEdgeStack(tx, u.stackID)
-		if err != nil {
-			return err
-		}
-
-		// Return early when the agent tries to update the status on a deleted stack
-		if stack == nil {
-			return nil
-		}
-
-		// 2. Mutate the edge stack opportunistically until there are no more pending updates
-		for {
-			stack, err = u.updateFn(stack)
-			if err != nil {
-				return err
-			}
-
-			if m, ok := c.getNextUpdate(stack.ID); ok {
-				u = m
-			} else {
-				break
-			}
-
-			respChs = append(respChs, u.respCh)
-		}
-
-		// 3. Save the changes back to the database
-		if err := tx.EdgeStack().UpdateEdgeStack(stack.ID, stack); err != nil {
-			return handlerDBErr(fmt.Errorf("unable to update Edge stack: %w.", err), "Unable to persist the stack changes inside the database")
-		}
-
-		return nil
-	})
-
-	// 4. Send back the responses
-	for _, ch := range respChs {
-		ch <- statusResponse{Stack: stack, Error: err}
-	}
-}
-
-func loadEdgeStack(tx dataservices.DataStoreTx, stackID portainer.EdgeStackID) (*portainer.EdgeStack, error) {
-	stack, err := tx.EdgeStack().EdgeStack(stackID)
-	if err != nil {
-		if dataservices.IsErrObjectNotFound(err) {
-			// Skip the error when the agent tries to update the status on a deleted stack
-			log.Debug().
-				Err(err).
-				Int("stackID", int(stackID)).
-				Msg("Unable to find a stack inside the database, skipping error")
-
-			return nil, nil
-		}
-
-		return nil, fmt.Errorf("unable to retrieve Edge stack from the database: %w.", err)
-	}
-
-	return stack, nil
-}
-
-func (c *EdgeStackStatusUpdateCoordinator) getNextUpdate(stackID portainer.EdgeStackID) (statusRequest, bool) {
-	for {
-		select {
-		case u := <-c.updateCh:
-			// Discard the update and let the agent retry
-			if u.stackID != stackID {
-				u.respCh <- statusResponse{Error: errAnotherStackUpdateInProgress}
-
-				continue
-			}
-
-			return u, true
-
-		default:
-			return statusRequest{}, false
-		}
-	}
-}
-
-func (c *EdgeStackStatusUpdateCoordinator) UpdateStatus(r *http.Request, stackID portainer.EdgeStackID, updateFn statusUpdateFn) (*portainer.EdgeStack, error) {
-	respCh := make(chan statusResponse)
-	defer close(respCh)
-
-	msg := statusRequest{
-		respCh:   respCh,
-		stackID:  stackID,
-		updateFn: updateFn,
-	}
-
-	select {
-	case c.updateCh <- msg:
-		r := <-respCh
-
-		return r.Stack, r.Error
-
-	case <-r.Context().Done():
-		return nil, r.Context().Err()
-	}
-}
diff --git a/api/http/handler/edgestacks/edgestack_status_update_test.go b/api/http/handler/edgestacks/edgestack_status_update_test.go
index 50a0863d4..4d94368fe 100644
--- a/api/http/handler/edgestacks/edgestack_status_update_test.go
+++ b/api/http/handler/edgestacks/edgestack_status_update_test.go
@@ -10,6 +10,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 
 	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
 )
 
 // Update Status
@@ -28,15 +29,11 @@ func TestUpdateStatusAndInspect(t *testing.T) {
 	}
 
 	jsonPayload, err := json.Marshal(payload)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	r := bytes.NewBuffer(jsonPayload)
 	req, err := http.NewRequest(http.MethodPut, fmt.Sprintf("/edge_stacks/%d/status", edgeStack.ID), r)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Set(portainer.PortainerAgentEdgeIDHeader, endpoint.EdgeID)
 	rec := httptest.NewRecorder()
@@ -48,9 +45,7 @@ func TestUpdateStatusAndInspect(t *testing.T) {
 
 	// Get updated edge stack
 	req, err = http.NewRequest(http.MethodGet, fmt.Sprintf("/edge_stacks/%d", edgeStack.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec = httptest.NewRecorder()
@@ -62,14 +57,10 @@ func TestUpdateStatusAndInspect(t *testing.T) {
 
 	updatedStack := portainer.EdgeStack{}
 	err = json.NewDecoder(rec.Body).Decode(&updatedStack)
-	if err != nil {
-		t.Fatal("error decoding response:", err)
-	}
+	require.NoError(t, err)
 
 	endpointStatus, ok := updatedStack.Status[payload.EndpointID]
-	if !ok {
-		t.Fatal("Missing status")
-	}
+	require.True(t, ok)
 
 	lastStatus := endpointStatus.Status[len(endpointStatus.Status)-1]
 
@@ -84,8 +75,8 @@ func TestUpdateStatusAndInspect(t *testing.T) {
 	if endpointStatus.EndpointID != payload.EndpointID {
 		t.Fatalf("expected EndpointID %d, found %d", payload.EndpointID, endpointStatus.EndpointID)
 	}
-
 }
+
 func TestUpdateStatusWithInvalidPayload(t *testing.T) {
 	handler, _ := setupHandler(t)
 
@@ -136,15 +127,11 @@ func TestUpdateStatusWithInvalidPayload(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.Name, func(t *testing.T) {
 			jsonPayload, err := json.Marshal(tc.Payload)
-			if err != nil {
-				t.Fatal("request error:", err)
-			}
+			require.NoError(t, err)
 
 			r := bytes.NewBuffer(jsonPayload)
 			req, err := http.NewRequest(http.MethodPut, fmt.Sprintf("/edge_stacks/%d/status", edgeStack.ID), r)
-			if err != nil {
-				t.Fatal("request error:", err)
-			}
+			require.NoError(t, err)
 
 			req.Header.Set(portainer.PortainerAgentEdgeIDHeader, endpoint.EdgeID)
 			rec := httptest.NewRecorder()
diff --git a/api/http/handler/edgestacks/edgestack_test.go b/api/http/handler/edgestacks/edgestack_test.go
index ce1e9b659..91600117b 100644
--- a/api/http/handler/edgestacks/edgestack_test.go
+++ b/api/http/handler/edgestacks/edgestack_test.go
@@ -17,6 +17,7 @@ import (
 	"github.com/portainer/portainer/api/jwt"
 
 	"github.com/pkg/errors"
+	"github.com/stretchr/testify/require"
 )
 
 // Helpers
@@ -51,27 +52,21 @@ func setupHandler(t *testing.T) (*Handler, string) {
 		t.Fatal(err)
 	}
 
-	coord := NewEdgeStackStatusUpdateCoordinator(store)
-	go coord.Start()
-
 	handler := NewHandler(
 		security.NewRequestBouncer(store, jwtService, apiKeyService),
 		store,
 		edgestacks.NewService(store),
-		coord,
 	)
 
 	handler.FileService = fs
 
 	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		t.Fatal(err)
-	}
+	require.NoError(t, err)
+
 	settings.EnableEdgeComputeFeatures = true
 
-	if err := handler.DataStore.Settings().UpdateSettings(settings); err != nil {
-		t.Fatal(err)
-	}
+	err = handler.DataStore.Settings().UpdateSettings(settings)
+	require.NoError(t, err)
 
 	handler.GitService = testhelpers.NewGitService(errors.New("Clone error"), "git-service-id")
 
@@ -90,9 +85,8 @@ func createEndpointWithId(t *testing.T, store dataservices.DataStore, endpointID
 		LastCheckInDate: time.Now().Unix(),
 	}
 
-	if err := store.Endpoint().Create(&endpoint); err != nil {
-		t.Fatal(err)
-	}
+	err := store.Endpoint().Create(&endpoint)
+	require.NoError(t, err)
 
 	return endpoint
 }
@@ -113,15 +107,13 @@ func createEdgeStack(t *testing.T, store dataservices.DataStore, endpointID port
 		PartialMatch: false,
 	}
 
-	if err := store.EdgeGroup().Create(&edgeGroup); err != nil {
-		t.Fatal(err)
-	}
+	err := store.EdgeGroup().Create(&edgeGroup)
+	require.NoError(t, err)
 
 	edgeStackID := portainer.EdgeStackID(14)
 	edgeStack := portainer.EdgeStack{
 		ID:             edgeStackID,
 		Name:           "test-edge-stack-" + strconv.Itoa(int(edgeStackID)),
-		Status:         map[portainer.EndpointID]portainer.EdgeStackStatus{},
 		CreationDate:   time.Now().Unix(),
 		EdgeGroups:     []portainer.EdgeGroupID{edgeGroup.ID},
 		ProjectPath:    "/project/path",
@@ -138,13 +130,11 @@ func createEdgeStack(t *testing.T, store dataservices.DataStore, endpointID port
 		},
 	}
 
-	if err := store.EdgeStack().Create(edgeStack.ID, &edgeStack); err != nil {
-		t.Fatal(err)
-	}
+	err = store.EdgeStack().Create(edgeStack.ID, &edgeStack)
+	require.NoError(t, err)
 
-	if err := store.EndpointRelation().Create(&endpointRelation); err != nil {
-		t.Fatal(err)
-	}
+	err = store.EndpointRelation().Create(&endpointRelation)
+	require.NoError(t, err)
 
 	return edgeStack
 }
@@ -155,8 +145,8 @@ func createEdgeGroup(t *testing.T, store dataservices.DataStore) portainer.EdgeG
 		Name: "EdgeGroup 1",
 	}
 
-	if err := store.EdgeGroup().Create(&edgeGroup); err != nil {
-		t.Fatal(err)
-	}
+	err := store.EdgeGroup().Create(&edgeGroup)
+	require.NoError(t, err)
+
 	return edgeGroup
 }
diff --git a/api/http/handler/edgestacks/edgestack_update.go b/api/http/handler/edgestacks/edgestack_update.go
index a3d59abb8..db896d0eb 100644
--- a/api/http/handler/edgestacks/edgestack_update.go
+++ b/api/http/handler/edgestacks/edgestack_update.go
@@ -74,6 +74,10 @@ func (handler *Handler) edgeStackUpdate(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unexpected error", err)
 	}
 
+	if err := fillEdgeStackStatus(handler.DataStore, stack); err != nil {
+		return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
+	}
+
 	return response.JSON(w, stack)
 }
 
@@ -120,7 +124,7 @@ func (handler *Handler) updateEdgeStack(tx dataservices.DataStoreTx, stackID por
 	stack.EdgeGroups = groupsIds
 
 	if payload.UpdateVersion {
-		if err := handler.updateStackVersion(stack, payload.DeploymentType, []byte(payload.StackFileContent), "", relatedEndpointIds); err != nil {
+		if err := handler.updateStackVersion(tx, stack, payload.DeploymentType, []byte(payload.StackFileContent), "", relatedEndpointIds); err != nil {
 			return nil, httperror.InternalServerError("Unable to update stack version", err)
 		}
 	}
diff --git a/api/http/handler/edgestacks/edgestack_update_test.go b/api/http/handler/edgestacks/edgestack_update_test.go
index 7e4a9b23c..68baa4129 100644
--- a/api/http/handler/edgestacks/edgestack_update_test.go
+++ b/api/http/handler/edgestacks/edgestack_update_test.go
@@ -25,9 +25,8 @@ func TestUpdateAndInspect(t *testing.T) {
 	endpointID := portainer.EndpointID(6)
 	newEndpoint := createEndpointWithId(t, handler.DataStore, endpointID)
 
-	if err := handler.DataStore.Endpoint().Create(&newEndpoint); err != nil {
-		t.Fatal(err)
-	}
+	err := handler.DataStore.Endpoint().Create(&newEndpoint)
+	require.NoError(t, err)
 
 	endpointRelation := portainer.EndpointRelation{
 		EndpointID: endpointID,
@@ -36,9 +35,8 @@ func TestUpdateAndInspect(t *testing.T) {
 		},
 	}
 
-	if err := handler.DataStore.EndpointRelation().Create(&endpointRelation); err != nil {
-		t.Fatal(err)
-	}
+	err = handler.DataStore.EndpointRelation().Create(&endpointRelation)
+	require.NoError(t, err)
 
 	newEdgeGroup := portainer.EdgeGroup{
 		ID:           2,
@@ -49,9 +47,8 @@ func TestUpdateAndInspect(t *testing.T) {
 		PartialMatch: false,
 	}
 
-	if err := handler.DataStore.EdgeGroup().Create(&newEdgeGroup); err != nil {
-		t.Fatal(err)
-	}
+	err = handler.DataStore.EdgeGroup().Create(&newEdgeGroup)
+	require.NoError(t, err)
 
 	payload := updateEdgeStackPayload{
 		StackFileContent: "update-test",
@@ -61,15 +58,11 @@ func TestUpdateAndInspect(t *testing.T) {
 	}
 
 	jsonPayload, err := json.Marshal(payload)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	r := bytes.NewBuffer(jsonPayload)
 	req, err := http.NewRequest(http.MethodPut, fmt.Sprintf("/edge_stacks/%d", edgeStack.ID), r)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec := httptest.NewRecorder()
@@ -81,9 +74,7 @@ func TestUpdateAndInspect(t *testing.T) {
 
 	// Get updated edge stack
 	req, err = http.NewRequest(http.MethodGet, fmt.Sprintf("/edge_stacks/%d", edgeStack.ID), nil)
-	if err != nil {
-		t.Fatal("request error:", err)
-	}
+	require.NoError(t, err)
 
 	req.Header.Add("x-api-key", rawAPIKey)
 	rec = httptest.NewRecorder()
@@ -94,9 +85,8 @@ func TestUpdateAndInspect(t *testing.T) {
 	}
 
 	updatedStack := portainer.EdgeStack{}
-	if err := json.NewDecoder(rec.Body).Decode(&updatedStack); err != nil {
-		t.Fatal("error decoding response:", err)
-	}
+	err = json.NewDecoder(rec.Body).Decode(&updatedStack)
+	require.NoError(t, err)
 
 	if payload.UpdateVersion && updatedStack.Version != edgeStack.Version+1 {
 		t.Fatalf("expected EdgeStack version %d, found %d", edgeStack.Version+1, updatedStack.Version+1)
@@ -226,15 +216,11 @@ func TestUpdateWithInvalidPayload(t *testing.T) {
 	for _, tc := range cases {
 		t.Run(tc.Name, func(t *testing.T) {
 			jsonPayload, err := json.Marshal(tc.Payload)
-			if err != nil {
-				t.Fatal("request error:", err)
-			}
+			require.NoError(t, err)
 
 			r := bytes.NewBuffer(jsonPayload)
 			req, err := http.NewRequest(http.MethodPut, fmt.Sprintf("/edge_stacks/%d", edgeStack.ID), r)
-			if err != nil {
-				t.Fatal("request error:", err)
-			}
+			require.NoError(t, err)
 
 			req.Header.Add("x-api-key", rawAPIKey)
 			rec := httptest.NewRecorder()
diff --git a/api/http/handler/edgestacks/handler.go b/api/http/handler/edgestacks/handler.go
index 9fa90776f..78df853a6 100644
--- a/api/http/handler/edgestacks/handler.go
+++ b/api/http/handler/edgestacks/handler.go
@@ -22,17 +22,15 @@ type Handler struct {
 	GitService         portainer.GitService
 	edgeStacksService  *edgestackservice.Service
 	KubernetesDeployer portainer.KubernetesDeployer
-	stackCoordinator   *EdgeStackStatusUpdateCoordinator
 }
 
 // NewHandler creates a handler to manage environment(endpoint) group operations.
-func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, edgeStacksService *edgestackservice.Service, stackCoordinator *EdgeStackStatusUpdateCoordinator) *Handler {
+func NewHandler(bouncer security.BouncerService, dataStore dataservices.DataStore, edgeStacksService *edgestackservice.Service) *Handler {
 	h := &Handler{
 		Router:            mux.NewRouter(),
 		requestBouncer:    bouncer,
 		DataStore:         dataStore,
 		edgeStacksService: edgeStacksService,
-		stackCoordinator:  stackCoordinator,
 	}
 
 	h.Handle("/edge_stacks/create/{method}",
diff --git a/api/http/handler/edgestacks/utils_update_stack_version.go b/api/http/handler/edgestacks/utils_update_stack_version.go
index 2502a88f6..78ac5002f 100644
--- a/api/http/handler/edgestacks/utils_update_stack_version.go
+++ b/api/http/handler/edgestacks/utils_update_stack_version.go
@@ -5,15 +5,18 @@ import (
 	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
-	edgestackutils "github.com/portainer/portainer/api/internal/edge/edgestacks"
 
 	"github.com/rs/zerolog/log"
 )
 
-func (handler *Handler) updateStackVersion(stack *portainer.EdgeStack, deploymentType portainer.EdgeStackDeploymentType, config []byte, oldGitHash string, relatedEnvironmentsIDs []portainer.EndpointID) error {
-	stack.Version = stack.Version + 1
-	stack.Status = edgestackutils.NewStatus(stack.Status, relatedEnvironmentsIDs)
+func (handler *Handler) updateStackVersion(tx dataservices.DataStoreTx, stack *portainer.EdgeStack, deploymentType portainer.EdgeStackDeploymentType, config []byte, oldGitHash string, relatedEnvironmentsIDs []portainer.EndpointID) error {
+	stack.Version++
+
+	if err := tx.EdgeStackStatus().Clear(stack.ID, relatedEnvironmentsIDs); err != nil {
+		return err
+	}
 
 	return handler.storeStackFile(stack, deploymentType, config)
 }
diff --git a/api/http/handler/endpointedge/endpointedge_status_inspect_test.go b/api/http/handler/endpointedge/endpointedge_status_inspect_test.go
index 8bfaa9814..ca9b12723 100644
--- a/api/http/handler/endpointedge/endpointedge_status_inspect_test.go
+++ b/api/http/handler/endpointedge/endpointedge_status_inspect_test.go
@@ -287,11 +287,8 @@ func TestEdgeStackStatus(t *testing.T) {
 
 	edgeStackID := portainer.EdgeStackID(17)
 	edgeStack := portainer.EdgeStack{
-		ID:   edgeStackID,
-		Name: "test-edge-stack-17",
-		Status: map[portainer.EndpointID]portainer.EdgeStackStatus{
-			endpointID: {},
-		},
+		ID:             edgeStackID,
+		Name:           "test-edge-stack-17",
 		CreationDate:   time.Now().Unix(),
 		EdgeGroups:     []portainer.EdgeGroupID{1, 2},
 		ProjectPath:    "/project/path",
diff --git a/api/http/handler/endpoints/endpoint_delete.go b/api/http/handler/endpoints/endpoint_delete.go
index 4752364ec..f26b9dd13 100644
--- a/api/http/handler/endpoints/endpoint_delete.go
+++ b/api/http/handler/endpoints/endpoint_delete.go
@@ -214,14 +214,9 @@ func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID p
 		log.Warn().Err(err).Msg("Unable to retrieve edge stacks from the database")
 	}
 
-	for idx := range edgeStacks {
-		edgeStack := &edgeStacks[idx]
-		if _, ok := edgeStack.Status[endpoint.ID]; ok {
-			delete(edgeStack.Status, endpoint.ID)
-
-			if err := tx.EdgeStack().UpdateEdgeStack(edgeStack.ID, edgeStack); err != nil {
-				log.Warn().Err(err).Msg("Unable to update edge stack")
-			}
+	for _, edgeStack := range edgeStacks {
+		if err := tx.EdgeStackStatus().Delete(edgeStack.ID, endpoint.ID); err != nil {
+			log.Warn().Err(err).Msg("Unable to delete edge stack status")
 		}
 	}
 
diff --git a/api/http/handler/endpoints/filter.go b/api/http/handler/endpoints/filter.go
index 6dc41b0bd..9b6004d1c 100644
--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@@ -247,19 +247,17 @@ func (handler *Handler) filterEndpointsByQuery(
 	return filteredEndpoints, totalAvailableEndpoints, nil
 }
 
-func endpointStatusInStackMatchesFilter(edgeStackStatus map[portainer.EndpointID]portainer.EdgeStackStatus, envId portainer.EndpointID, statusFilter portainer.EdgeStackStatusType) bool {
-	status, ok := edgeStackStatus[envId]
-
+func endpointStatusInStackMatchesFilter(stackStatus *portainer.EdgeStackStatusForEnv, envId portainer.EndpointID, statusFilter portainer.EdgeStackStatusType) bool {
 	// consider that if the env has no status in the stack it is in Pending state
 	if statusFilter == portainer.EdgeStackStatusPending {
-		return !ok || len(status.Status) == 0
+		return stackStatus == nil || len(stackStatus.Status) == 0
 	}
 
-	if !ok {
+	if stackStatus == nil {
 		return false
 	}
 
-	return slices.ContainsFunc(status.Status, func(s portainer.EdgeStackDeploymentStatus) bool {
+	return slices.ContainsFunc(stackStatus.Status, func(s portainer.EdgeStackDeploymentStatus) bool {
 		return s.Type == statusFilter
 	})
 }
@@ -291,7 +289,12 @@ func filterEndpointsByEdgeStack(endpoints []portainer.Endpoint, edgeStackId port
 	if statusFilter != nil {
 		n := 0
 		for _, envId := range envIds {
-			if endpointStatusInStackMatchesFilter(stack.Status, envId, *statusFilter) {
+			edgeStackStatus, err := datastore.EdgeStackStatus().Read(edgeStackId, envId)
+			if err != nil {
+				return nil, errors.WithMessagef(err, "Unable to retrieve edge stack status for environment %d", envId)
+			}
+
+			if endpointStatusInStackMatchesFilter(edgeStackStatus, envId, *statusFilter) {
 				envIds[n] = envId
 				n++
 			}
diff --git a/api/http/server.go b/api/http/server.go
index 183a78c04..88d131650 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -161,10 +161,7 @@ func (server *Server) Start() error {
 	edgeJobsHandler.FileService = server.FileService
 	edgeJobsHandler.ReverseTunnelService = server.ReverseTunnelService
 
-	edgeStackCoordinator := edgestacks.NewEdgeStackStatusUpdateCoordinator(server.DataStore)
-	go edgeStackCoordinator.Start()
-
-	var edgeStacksHandler = edgestacks.NewHandler(requestBouncer, server.DataStore, server.EdgeStacksService, edgeStackCoordinator)
+	var edgeStacksHandler = edgestacks.NewHandler(requestBouncer, server.DataStore, server.EdgeStacksService)
 	edgeStacksHandler.FileService = server.FileService
 	edgeStacksHandler.GitService = server.GitService
 	edgeStacksHandler.KubernetesDeployer = server.KubernetesDeployer
diff --git a/api/internal/edge/edgestacks/service.go b/api/internal/edge/edgestacks/service.go
index 6986a6917..5932a5ec8 100644
--- a/api/internal/edge/edgestacks/service.go
+++ b/api/internal/edge/edgestacks/service.go
@@ -49,7 +49,6 @@ func (service *Service) BuildEdgeStack(
 		DeploymentType:        deploymentType,
 		CreationDate:          time.Now().Unix(),
 		EdgeGroups:            edgeGroups,
-		Status:                make(map[portainer.EndpointID]portainer.EdgeStackStatus, 0),
 		Version:               1,
 		UseManifestNamespaces: useManifestNamespaces,
 	}, nil
@@ -104,6 +103,14 @@ func (service *Service) PersistEdgeStack(
 		return nil, err
 	}
 
+	for _, endpointID := range relatedEndpointIds {
+		status := &portainer.EdgeStackStatusForEnv{EndpointID: endpointID}
+
+		if err := tx.EdgeStackStatus().Create(stack.ID, endpointID, status); err != nil {
+			return nil, err
+		}
+	}
+
 	if err := tx.EndpointRelation().AddEndpointRelationsForEdgeStack(relatedEndpointIds, stack.ID); err != nil {
 		return nil, fmt.Errorf("unable to add endpoint relations: %w", err)
 	}
@@ -158,5 +165,9 @@ func (service *Service) DeleteEdgeStack(tx dataservices.DataStoreTx, edgeStackID
 		return errors.WithMessage(err, "Unable to remove the edge stack from the database")
 	}
 
+	if err := tx.EdgeStackStatus().DeleteAll(edgeStackID); err != nil {
+		return errors.WithMessage(err, "unable to remove edge stack statuses from the database")
+	}
+
 	return nil
 }
diff --git a/api/internal/edge/edgestacks/status.go b/api/internal/edge/edgestacks/status.go
deleted file mode 100644
index 25629d958..000000000
--- a/api/internal/edge/edgestacks/status.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package edgestacks
-
-import (
-	portainer "github.com/portainer/portainer/api"
-)
-
-// NewStatus returns a new status object for an Edge stack
-func NewStatus(oldStatus map[portainer.EndpointID]portainer.EdgeStackStatus, relatedEnvironmentIDs []portainer.EndpointID) map[portainer.EndpointID]portainer.EdgeStackStatus {
-	status := map[portainer.EndpointID]portainer.EdgeStackStatus{}
-
-	for _, environmentID := range relatedEnvironmentIDs {
-		newEnvStatus := portainer.EdgeStackStatus{
-			Status:     []portainer.EdgeStackDeploymentStatus{},
-			EndpointID: environmentID,
-		}
-
-		oldEnvStatus, ok := oldStatus[environmentID]
-		if ok {
-			newEnvStatus.DeploymentInfo = oldEnvStatus.DeploymentInfo
-		}
-
-		status[environmentID] = newEnvStatus
-	}
-
-	return status
-}
diff --git a/api/internal/testhelpers/datastore.go b/api/internal/testhelpers/datastore.go
index d4a29ae09..392f21e97 100644
--- a/api/internal/testhelpers/datastore.go
+++ b/api/internal/testhelpers/datastore.go
@@ -16,6 +16,7 @@ type testDatastore struct {
 	edgeGroup               dataservices.EdgeGroupService
 	edgeJob                 dataservices.EdgeJobService
 	edgeStack               dataservices.EdgeStackService
+	edgeStackStatus         dataservices.EdgeStackStatusService
 	endpoint                dataservices.EndpointService
 	endpointGroup           dataservices.EndpointGroupService
 	endpointRelation        dataservices.EndpointRelationService
@@ -53,8 +54,11 @@ func (d *testDatastore) CustomTemplate() dataservices.CustomTemplateService { re
 func (d *testDatastore) EdgeGroup() dataservices.EdgeGroupService           { return d.edgeGroup }
 func (d *testDatastore) EdgeJob() dataservices.EdgeJobService               { return d.edgeJob }
 func (d *testDatastore) EdgeStack() dataservices.EdgeStackService           { return d.edgeStack }
-func (d *testDatastore) Endpoint() dataservices.EndpointService             { return d.endpoint }
-func (d *testDatastore) EndpointGroup() dataservices.EndpointGroupService   { return d.endpointGroup }
+func (d *testDatastore) EdgeStackStatus() dataservices.EdgeStackStatusService {
+	return d.edgeStackStatus
+}
+func (d *testDatastore) Endpoint() dataservices.EndpointService           { return d.endpoint }
+func (d *testDatastore) EndpointGroup() dataservices.EndpointGroupService { return d.endpointGroup }
 
 func (d *testDatastore) EndpointRelation() dataservices.EndpointRelationService {
 	return d.endpointRelation
diff --git a/api/portainer.go b/api/portainer.go
index bb383e44c..f81a5c767 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -336,6 +336,15 @@ type (
 		UseManifestNamespaces bool
 	}
 
+	EdgeStackStatusForEnv struct {
+		EndpointID EndpointID
+		Status     []EdgeStackDeploymentStatus
+		// EE only feature
+		DeploymentInfo StackDeploymentInfo
+		// ReadyRePullImage is a flag to indicate whether the auto update is trigger to re-pull image
+		ReadyRePullImage bool `json:"ReadyRePullImage,omitempty"`
+	}
+
 	EdgeStackDeploymentType int
 
 	// EdgeStackID represents an edge stack id

From 9a85246631612ef23c6932fbd28b366c2610783a Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Sat, 7 Jun 2025 09:06:57 +1200
Subject: [PATCH 140/212] fix(edgestack): display deploying status by default
 after creating edgestack [BE-11924] (#783)

---
 .../ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx
index 280ee8d77..565eac41e 100644
--- a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx
+++ b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx
@@ -65,7 +65,7 @@ function getStatus(
     };
   }
 
-  if (envStatus.length < numDeployments) {
+  if (!envStatus.length) {
     return {
       label: 'Deploying',
       icon: Loader2,
@@ -84,6 +84,15 @@ function getStatus(
     };
   }
 
+  if (envStatus.length < numDeployments) {
+    return {
+      label: 'Deploying',
+      icon: Loader2,
+      spin: true,
+      mode: 'primary',
+    };
+  }
+
   const allCompleted = envStatus.every((s) => s.Type === StatusType.Completed);
 
   if (allCompleted) {

From c9e3717ce34f957fa46195aa8244ab93be5644a0 Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Mon, 9 Jun 2025 15:12:24 +1200
Subject: [PATCH 141/212] fix(kubernetes): Display more than 10 workloads under
 Helm expandable in the Applications view [R8S-339] (#781)

---
 .../components/datatables/NestedDatatable.tsx |  5 ++-
 .../ApplicationsDatatable/InnerTable.test.tsx | 43 +++++++++++++++++++
 .../ApplicationsDatatable/InnerTable.tsx      |  1 +
 3 files changed, 47 insertions(+), 2 deletions(-)
 create mode 100644 app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.test.tsx

diff --git a/app/react/components/datatables/NestedDatatable.tsx b/app/react/components/datatables/NestedDatatable.tsx
index dfa7f6d54..17081e166 100644
--- a/app/react/components/datatables/NestedDatatable.tsx
+++ b/app/react/components/datatables/NestedDatatable.tsx
@@ -25,7 +25,7 @@ interface Props<D extends DefaultType> extends AutomationTestingProps {
   initialTableState?: Partial<TableState>;
   isLoading?: boolean;
   initialSortBy?: BasicTableSettings['sortBy'];
-
+  enablePagination?: boolean;
   /**
    * keyword to filter by
    */
@@ -42,6 +42,7 @@ export function NestedDatatable<D extends DefaultType>({
   initialTableState = {},
   isLoading,
   initialSortBy,
+  enablePagination = true,
   search,
   'data-cy': dataCy,
   'aria-label': ariaLabel,
@@ -65,7 +66,7 @@ export function NestedDatatable<D extends DefaultType>({
     getCoreRowModel: getCoreRowModel(),
     getFilteredRowModel: getFilteredRowModel(),
     getSortedRowModel: getSortedRowModel(),
-    getPaginationRowModel: getPaginationRowModel(),
+    ...(enablePagination && { getPaginationRowModel: getPaginationRowModel() }),
   });
 
   return (
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.test.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.test.tsx
new file mode 100644
index 000000000..85d432665
--- /dev/null
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.test.tsx
@@ -0,0 +1,43 @@
+import { render, screen } from '@testing-library/react';
+import { vi } from 'vitest';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+
+import { InnerTable } from './InnerTable';
+import { Application } from './types';
+
+// Mock the necessary hooks
+const mockUseEnvironmentId = vi.fn(() => 1);
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => mockUseEnvironmentId(),
+}));
+
+describe('InnerTable', () => {
+  it('should render all rows from the dataset', () => {
+    const mockApplications: Application[] = Array.from(
+      { length: 11 },
+      (_, index) => ({
+        Id: `app-${index}`,
+        Name: `Application ${index}`,
+        Image: `image-${index}`,
+        CreationDate: new Date().toISOString(),
+        ResourcePool: 'default',
+        ApplicationType: 'Deployment',
+        Status: 'Ready',
+        TotalPodsCount: 1,
+        RunningPodsCount: 1,
+        DeploymentType: 'Replicated',
+      })
+    );
+
+    const Wrapped = withTestQueryProvider(withTestRouter(InnerTable));
+    render(<Wrapped dataset={mockApplications} hideStacks={false} />);
+
+    // Verify that all 11 rows are rendered
+    const rows = screen.getAllByRole('row');
+    // Subtract 1 for the header row
+    expect(rows.length - 1).toBe(11);
+  });
+});
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.tsx
index 03c5cb206..ccb1b2d0f 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/InnerTable.tsx
@@ -17,6 +17,7 @@ export function InnerTable({
       dataset={dataset}
       columns={columns}
       data-cy="applications-nested-datatable"
+      enablePagination={false}
     />
   );
 }

From 1963edda6650fb7d868373a50610e7e82ee827cf Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Mon, 9 Jun 2025 20:08:50 +1200
Subject: [PATCH 142/212] feat(helm): add registry dropdown [r8s-340] (#779)

---
 .../ApplicationsDatatable/columns.status.tsx  |  28 ++-
 .../ApplicationsDatatable/columns.tsx         |  13 +-
 .../ChartActions/UpgradeButton.test.tsx       |  12 +-
 .../ChartActions/UpgradeButton.tsx            |  14 +-
 .../ChartActions/UpgradeHelmModal.tsx         |   2 +-
 .../HelmTemplates/HelmInstallForm.test.tsx    |   4 +-
 .../helm/HelmTemplates/HelmInstallForm.tsx    |  18 +-
 .../HelmTemplates/HelmInstallInnerForm.tsx    |  12 +-
 .../helm/HelmTemplates/HelmTemplates.tsx      |  15 +-
 .../HelmTemplates/HelmTemplatesList.test.tsx  |  34 +++-
 .../helm/HelmTemplates/HelmTemplatesList.tsx  | 169 ++++++++++++------
 .../HelmTemplatesSelectedItem.test.tsx        |   2 +
 .../helm/queries/useHelmChartList.ts          |  86 +++------
 .../helm/queries/useHelmRegistries.ts         |  43 +++++
 ...Repositories.ts => useHelmRepoVersions.ts} |  22 +--
 app/react/kubernetes/helm/types.ts            |   4 +-
 16 files changed, 288 insertions(+), 190 deletions(-)
 create mode 100644 app/react/kubernetes/helm/queries/useHelmRegistries.ts
 rename app/react/kubernetes/helm/queries/{useHelmRepositories.ts => useHelmRepoVersions.ts} (81%)

diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.status.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.status.tsx
index ddadc4332..6f3b6e492 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.status.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.status.tsx
@@ -1,4 +1,4 @@
-import { CellContext } from '@tanstack/react-table';
+import { CellContext, Row } from '@tanstack/react-table';
 import clsx from 'clsx';
 
 import {
@@ -6,14 +6,22 @@ import {
   KubernetesApplicationTypes,
 } from '@/kubernetes/models/application/models/appConstants';
 
+import { filterHOC } from '@@/datatables/Filter';
+
 import styles from './columns.status.module.css';
 import { helper } from './columns.helper';
 import { ApplicationRowData } from './types';
 
-export const status = helper.accessor('Status', {
+export const status = helper.accessor(getStatusSummary, {
   header: 'Status',
   cell: Cell,
-  enableSorting: false,
+  meta: {
+    filter: filterHOC('Filter by status'),
+  },
+  enableColumnFilter: true,
+  filterFn: (row: Row<ApplicationRowData>, _: string, filterValue: string[]) =>
+    filterValue.length === 0 ||
+    filterValue.includes(getStatusSummary(row.original)),
 });
 
 function Cell({
@@ -67,3 +75,17 @@ function Cell({
     </>
   );
 }
+
+function getStatusSummary(item: ApplicationRowData): 'Ready' | 'Not Ready' {
+  if (
+    item.ApplicationType === KubernetesApplicationTypes.Pod &&
+    item.Pods &&
+    item.Pods.length > 0
+  ) {
+    return item.Pods[0].Status === 'Running' ? 'Ready' : 'Not Ready';
+  }
+  return item.TotalPodsCount > 0 &&
+    item.TotalPodsCount === item.RunningPodsCount
+    ? 'Ready'
+    : 'Not Ready';
+}
diff --git a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx
index 0ece6ed2e..a60d48072 100644
--- a/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx
+++ b/app/react/kubernetes/applications/ListView/ApplicationsDatatable/columns.tsx
@@ -1,10 +1,11 @@
-import { CellContext } from '@tanstack/react-table';
+import { CellContext, Row } from '@tanstack/react-table';
 
 import { isoDate, truncate } from '@/portainer/filters/filters';
 import { useIsSystemNamespace } from '@/react/kubernetes/namespaces/queries/useIsSystemNamespace';
 
 import { Link } from '@@/Link';
 import { SystemBadge } from '@@/Badge/SystemBadge';
+import { filterHOC } from '@@/datatables/Filter';
 
 import { Application } from './types';
 import { helper } from './columns.helper';
@@ -49,7 +50,15 @@ export const image = helper.accessor('Image', {
 });
 
 export const appType = helper.accessor('ApplicationType', {
-  header: 'Application Type',
+  header: 'Application type',
+  meta: {
+    filter: filterHOC('Filter by application type'),
+  },
+  enableColumnFilter: true,
+  filterFn: (row: Row<Application>, _: string, filterValue: string[]) =>
+    filterValue.length === 0 ||
+    (!!row.original.ApplicationType &&
+      filterValue.includes(row.original.ApplicationType)),
 });
 
 export const published = helper.accessor('Services', {
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
index 8d037d251..4d388ca60 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -9,7 +9,7 @@ import { withUserProvider } from '@/react/test-utils/withUserProvider';
 import {
   useHelmRepoVersions,
   ChartVersion,
-} from '../../queries/useHelmRepositories';
+} from '../../queries/useHelmRepoVersions';
 import { HelmRelease } from '../../types';
 
 import { openUpgradeHelmModal } from './UpgradeHelmModal';
@@ -25,16 +25,18 @@ vi.mock('@/portainer/services/notifications', () => ({
   notifySuccess: vi.fn(),
 }));
 
-// Mock the useHelmRepoVersions and useHelmRepositories hooks
-vi.mock('../../queries/useHelmRepositories', () => ({
-  useHelmRepoVersions: vi.fn(),
-  useHelmRepositories: vi.fn(() => ({
+vi.mock('../../queries/useHelmRegistries', () => ({
+  useHelmRegistries: vi.fn(() => ({
     data: ['repo1', 'repo2'],
     isInitialLoading: false,
     isError: false,
   })),
 }));
 
+vi.mock('../../queries/useHelmRepoVersions', () => ({
+  useHelmRepoVersions: vi.fn(),
+}));
+
 // Mock the useHelmRelease hook
 vi.mock('../queries/useHelmRelease', () => ({
   useHelmRelease: vi.fn(() => ({
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 3821b18d4..2c3f05ab6 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -13,11 +13,9 @@ import { Link } from '@@/Link';
 
 import { HelmRelease, UpdateHelmReleasePayload } from '../../types';
 import { useUpdateHelmReleaseMutation } from '../../queries/useUpdateHelmReleaseMutation';
-import {
-  useHelmRepoVersions,
-  useHelmRepositories,
-} from '../../queries/useHelmRepositories';
+import { useHelmRepoVersions } from '../../queries/useHelmRepoVersions';
 import { useHelmRelease } from '../queries/useHelmRelease';
+import { useHelmRegistries } from '../../queries/useHelmRegistries';
 
 import { openUpgradeHelmModal } from './UpgradeHelmModal';
 
@@ -38,11 +36,11 @@ export function UpgradeButton({
   const [useCache, setUseCache] = useState(true);
   const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
 
-  const repositoriesQuery = useHelmRepositories();
+  const registriesQuery = useHelmRegistries();
   const helmRepoVersionsQuery = useHelmRepoVersions(
     release?.chart.metadata?.name || '',
     60 * 60 * 1000, // 1 hour
-    repositoriesQuery.data,
+    registriesQuery.data,
     useCache
   );
   const versions = helmRepoVersionsQuery.data;
@@ -50,8 +48,8 @@ export function UpgradeButton({
 
   // Combined loading state
   const isLoading =
-    repositoriesQuery.isInitialLoading || helmRepoVersionsQuery.isFetching; // use 'isFetching' for helmRepoVersionsQuery because we want to show when it's refetching
-  const isError = repositoriesQuery.isError || helmRepoVersionsQuery.isError;
+    registriesQuery.isInitialLoading || helmRepoVersionsQuery.isFetching; // use 'isFetching' for helmRepoVersionsQuery because we want to show when it's refetching
+  const isError = registriesQuery.isError || helmRepoVersionsQuery.isError;
   const latestVersionQuery = useHelmRelease(
     environmentId,
     releaseName,
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
index e1b1ba5e2..74a60454c 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
@@ -3,7 +3,7 @@ import { ArrowUp } from 'lucide-react';
 
 import { withReactQuery } from '@/react-tools/withReactQuery';
 import { withCurrentUser } from '@/react-tools/withCurrentUser';
-import { ChartVersion } from '@/react/kubernetes/helm/queries/useHelmRepositories';
+import { ChartVersion } from '@/react/kubernetes/helm/queries/useHelmRepoVersions';
 
 import { Modal, OnSubmit, openModal } from '@@/modals';
 import { Button } from '@@/buttons';
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
index a2d6613a1..80d39eb3e 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
@@ -43,7 +43,7 @@ vi.mock('../queries/useUpdateHelmReleaseMutation', () => ({
   })),
 }));
 
-vi.mock('../queries/useHelmRepositories', () => ({
+vi.mock('../queries/useHelmRepoVersions', () => ({
   useHelmRepoVersions: vi.fn(() => ({
     data: [
       { Version: '1.0.0', AppVersion: '1.0.0' },
@@ -75,6 +75,8 @@ const mockChart: Chart = {
   annotations: {
     category: 'database',
   },
+  version: '1.0.1',
+  versions: ['1.0.0', '1.0.1'],
 };
 
 const mockRouterStateService = {
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
index ba723b1c6..669dbd46c 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
@@ -11,10 +11,6 @@ import { confirmGenericDiscard } from '@@/modals/confirm';
 import { Option } from '@@/form-components/PortainerSelect';
 
 import { Chart } from '../types';
-import {
-  ChartVersion,
-  useHelmRepoVersions,
-} from '../queries/useHelmRepositories';
 import { useUpdateHelmReleaseMutation } from '../queries/useUpdateHelmReleaseMutation';
 
 import { HelmInstallInnerForm } from './HelmInstallInnerForm';
@@ -30,23 +26,16 @@ export function HelmInstallForm({ selectedChart, namespace, name }: Props) {
   const environmentId = useEnvironmentId();
   const router = useRouter();
   const analytics = useAnalytics();
-  const helmRepoVersionsQuery = useHelmRepoVersions(
-    selectedChart.name,
-    60 * 60 * 1000, // 1 hour
-    [selectedChart.repo],
-    false
-  );
-  const versions = helmRepoVersionsQuery.data;
-  const versionOptions: Option<ChartVersion>[] = versions.map(
+  const versionOptions: Option<string>[] = selectedChart.versions.map(
     (version, index) => ({
-      label: index === 0 ? `${version.Version} (latest)` : version.Version,
+      label: index === 0 ? `${version} (latest)` : version,
       value: version,
     })
   );
   const defaultVersion = versionOptions[0]?.value;
   const initialValues: HelmInstallFormValues = {
     values: '',
-    version: defaultVersion?.Version ?? '',
+    version: defaultVersion ?? '',
   };
 
   const installHelmChartMutation = useUpdateHelmReleaseMutation(environmentId);
@@ -66,7 +55,6 @@ export function HelmInstallForm({ selectedChart, namespace, name }: Props) {
         namespace={namespace}
         name={name}
         versionOptions={versionOptions}
-        isLoadingVersions={helmRepoVersionsQuery.isInitialLoading}
       />
     </Formik>
   );
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
index 0f1a35488..9f85a0b48 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
@@ -6,7 +6,6 @@ import { FormControl } from '@@/form-components/FormControl';
 import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
 import { FormSection } from '@@/form-components/FormSection';
 
-import { ChartVersion } from '../queries/useHelmRepositories';
 import { Chart } from '../types';
 import { useHelmChartValues } from '../queries/useHelmChartValues';
 import { HelmValuesInput } from '../components/HelmValuesInput';
@@ -17,8 +16,7 @@ type Props = {
   selectedChart: Chart;
   namespace?: string;
   name?: string;
-  versionOptions: Option<ChartVersion>[];
-  isLoadingVersions: boolean;
+  versionOptions: Option<string>[];
 };
 
 export function HelmInstallInnerForm({
@@ -26,7 +24,6 @@ export function HelmInstallInnerForm({
   namespace,
   name,
   versionOptions,
-  isLoadingVersions,
 }: Props) {
   const { values, setFieldValue, isSubmitting } =
     useFormikContext<HelmInstallFormValues>();
@@ -39,7 +36,7 @@ export function HelmInstallInnerForm({
 
   const selectedVersion = useMemo(
     () =>
-      versionOptions.find((v) => v.value.Version === values.version)?.value ??
+      versionOptions.find((v) => v.value === values.version)?.value ??
       versionOptions[0]?.value,
     [versionOptions, values.version]
   );
@@ -51,15 +48,14 @@ export function HelmInstallInnerForm({
           <FormControl
             label="Version"
             inputId="version-input"
-            isLoading={isLoadingVersions}
             loadingText="Loading versions..."
           >
-            <PortainerSelect<ChartVersion>
+            <PortainerSelect<string>
               value={selectedVersion}
               options={versionOptions}
               onChange={(version) => {
                 if (version) {
-                  setFieldValue('version', version.Version);
+                  setFieldValue('version', version);
                 }
               }}
               data-cy="helm-version-input"
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
index 24a5420b3..ffd122cd2 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
@@ -1,12 +1,11 @@
 import { useState } from 'react';
+import { compact } from 'lodash';
 
 import { useCurrentUser } from '@/react/hooks/useUser';
 
 import { Chart } from '../types';
-import {
-  useHelmChartList,
-  useHelmRepositories,
-} from '../queries/useHelmChartList';
+import { useHelmChartList } from '../queries/useHelmChartList';
+import { useHelmRegistries } from '../queries/useHelmRegistries';
 
 import { HelmTemplatesList } from './HelmTemplatesList';
 import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
@@ -20,10 +19,11 @@ interface Props {
 
 export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
   const [selectedChart, setSelectedChart] = useState<Chart | null>(null);
+  const [selectedRegistry, setSelectedRegistry] = useState<string | null>(null);
 
   const { user } = useCurrentUser();
-  const helmReposQuery = useHelmRepositories(user.Id);
-  const chartListQuery = useHelmChartList(user.Id, helmReposQuery.data ?? []);
+  const helmReposQuery = useHelmRegistries();
+  const chartListQuery = useHelmChartList(user.Id, compact([selectedRegistry]));
   function clearHelmChart() {
     setSelectedChart(null);
     onSelectHelmChart('');
@@ -54,6 +54,9 @@ export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
             charts={chartListQuery.data}
             selectAction={handleChartSelection}
             isLoading={chartListQuery.isInitialLoading}
+            registries={helmReposQuery.data ?? []}
+            selectedRegistry={selectedRegistry}
+            setSelectedRegistry={setSelectedRegistry}
           />
         )}
       </div>
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
index f02d83131..98b96e9a4 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
@@ -19,6 +19,8 @@ const mockCharts: Chart[] = [
     annotations: {
       category: 'database',
     },
+    version: '1.0.0',
+    versions: ['1.0.0', '1.0.1'],
   },
   {
     name: 'test-chart-2',
@@ -27,14 +29,18 @@ const mockCharts: Chart[] = [
     annotations: {
       category: 'database',
     },
+    version: '1.0.0',
+    versions: ['1.0.0', '1.0.1'],
   },
   {
     name: 'nginx-chart',
     description: 'Nginx Web Server',
-    repo: 'https://example.com',
+    repo: 'https://example.com/2',
     annotations: {
       category: 'web',
     },
+    version: '1.0.0',
+    versions: ['1.0.0', '1.0.1'],
   },
 ];
 
@@ -44,8 +50,11 @@ function renderComponent({
   loading = false,
   charts = mockCharts,
   selectAction = selectActionMock,
+  selectedRegistry = '',
 } = {}) {
   const user = new UserViewModel({ Username: 'user' });
+  const registries = ['https://example.com', 'https://example.com/2'];
+
   const Wrapped = withTestQueryProvider(
     withUserProvider(
       withTestRouter(() => (
@@ -53,6 +62,9 @@ function renderComponent({
           isLoading={loading}
           charts={charts}
           selectAction={selectAction}
+          registries={registries}
+          selectedRegistry={selectedRegistry}
+          setSelectedRegistry={() => {}}
         />
       )),
       user
@@ -77,6 +89,7 @@ describe('HelmTemplatesList', () => {
     expect(screen.getByText('Test Chart 1 Description')).toBeInTheDocument();
     expect(screen.getByText('nginx-chart')).toBeInTheDocument();
     expect(screen.getByText('Nginx Web Server')).toBeInTheDocument();
+    expect(screen.getByText('https://example.com/2')).toBeInTheDocument();
   });
 
   it('should call selectAction when a chart is clicked', async () => {
@@ -146,11 +159,24 @@ describe('HelmTemplatesList', () => {
     ).toBeInTheDocument();
   });
 
-  it('should show empty message when no charts are available', async () => {
-    renderComponent({ charts: [] });
+  it('should show empty message when no charts are available and a registry is selected', async () => {
+    renderComponent({ charts: [], selectedRegistry: 'https://example.com' });
 
     // Check for empty message
-    expect(screen.getByText('No helm charts available.')).toBeInTheDocument();
+    expect(
+      screen.getByText('No helm charts available in this registry.')
+    ).toBeInTheDocument();
+  });
+
+  it("should show 'select registry' message when no charts are available and no registry is selected", async () => {
+    renderComponent({ charts: [] });
+
+    // Check for message
+    expect(
+      screen.getByText(
+        'Please select a registry to view available Helm charts.'
+      )
+    ).toBeInTheDocument();
   });
 
   it('should show no results message when search has no matches', async () => {
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
index c41b0acbb..1b02bed1d 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
@@ -1,6 +1,10 @@
 import { useState, useMemo } from 'react';
+import { components, OptionProps } from 'react-select';
 
-import { PortainerSelect } from '@/react/components/form-components/PortainerSelect';
+import {
+  PortainerSelect,
+  Option,
+} from '@/react/components/form-components/PortainerSelect';
 import { Link } from '@/react/components/Link';
 
 import { InsightsBox } from '@@/InsightsBox';
@@ -15,70 +19,31 @@ interface Props {
   isLoading: boolean;
   charts?: Chart[];
   selectAction: (chart: Chart) => void;
-}
-
-/**
- * Get categories from charts
- * @param charts - The charts to get the categories from
- * @returns Categories
- */
-function getCategories(charts: Chart[]) {
-  const annotationCategories = charts
-    .map((chart) => chart.annotations?.category) // get category
-    .filter((c): c is string => !!c); // filter out nulls/undefined
-
-  const availableCategories = [...new Set(annotationCategories)].sort(); // unique and sort
-
-  // Create options array in the format expected by PortainerSelect
-  return availableCategories.map((cat) => ({
-    label: cat,
-    value: cat,
-  }));
-}
-
-/**
- * Get filtered charts
- * @param charts - The charts to get the filtered charts from
- * @param textFilter - The text filter
- * @param selectedCategory - The selected category
- * @returns Filtered charts
- */
-function getFilteredCharts(
-  charts: Chart[],
-  textFilter: string,
-  selectedCategory: string | null
-) {
-  return charts.filter((chart) => {
-    // Text filter
-    if (
-      textFilter &&
-      !chart.name.toLowerCase().includes(textFilter.toLowerCase()) &&
-      !chart.description.toLowerCase().includes(textFilter.toLowerCase())
-    ) {
-      return false;
-    }
-
-    // Category filter
-    if (
-      selectedCategory &&
-      (!chart.annotations || chart.annotations.category !== selectedCategory)
-    ) {
-      return false;
-    }
-
-    return true;
-  });
+  registries: string[];
+  selectedRegistry: string | null;
+  setSelectedRegistry: (registry: string | null) => void;
 }
 
 export function HelmTemplatesList({
   isLoading,
   charts = [],
   selectAction,
+  registries,
+  selectedRegistry,
+  setSelectedRegistry,
 }: Props) {
   const [textFilter, setTextFilter] = useState('');
   const [selectedCategory, setSelectedCategory] = useState<string | null>(null);
 
   const categories = useMemo(() => getCategories(charts), [charts]);
+  const registryOptions = useMemo(
+    () =>
+      registries.map((registry) => ({
+        label: registry,
+        value: registry,
+      })),
+    [registries]
+  );
 
   const filteredCharts = useMemo(
     () => getFilteredCharts(charts, textFilter, selectedCategory),
@@ -87,7 +52,7 @@ export function HelmTemplatesList({
 
   return (
     <section className="datatable" aria-label="Helm charts">
-      <div className="toolBar vertical-center relative w-full flex-wrap !gap-x-5 !gap-y-1 !px-0">
+      <div className="toolBar vertical-center relative w-full flex-wrap !gap-x-5 !gap-y-1 !px-0 !overflow-visible">
         <div className="toolBarTitle vertical-center">Helm chart</div>
 
         <SearchBar
@@ -98,12 +63,25 @@ export function HelmTemplatesList({
           className="!mr-0 h-9"
         />
 
-        <div className="w-full sm:w-1/5">
+        <div className="w-full sm:w-1/4">
+          <PortainerSelect
+            placeholder="Select a registry"
+            value={selectedRegistry ?? ''}
+            options={registryOptions}
+            onChange={setSelectedRegistry}
+            isClearable
+            bindToBody
+            components={{ Option: RegistryOption }}
+            data-cy="helm-registry-select"
+          />
+        </div>
+
+        <div className="w-full sm:w-1/4">
           <PortainerSelect
             placeholder="Select a category"
             value={selectedCategory}
             options={categories}
-            onChange={(value) => setSelectedCategory(value)}
+            onChange={setSelectedCategory}
             isClearable
             bindToBody
             data-cy="helm-category-select"
@@ -173,12 +151,85 @@ export function HelmTemplatesList({
           </div>
         )}
 
-        {!isLoading && charts.length === 0 && (
+        {!isLoading && charts.length === 0 && selectedRegistry && (
           <div className="text-muted text-center">
-            No helm charts available.
+            No helm charts available in this registry.
+          </div>
+        )}
+
+        {!selectedRegistry && (
+          <div className="text-muted text-center">
+            Please select a registry to view available Helm charts.
           </div>
         )}
       </div>
     </section>
   );
 }
+
+// truncate the registry text, because some registry names are urls, which are too long
+function RegistryOption(props: OptionProps<Option<string>>) {
+  const { data: registry } = props;
+
+  return (
+    <div title={registry.value}>
+      {/* eslint-disable-next-line react/jsx-props-no-spreading */}
+      <components.Option {...props} className="whitespace-nowrap truncate">
+        {registry.value}
+      </components.Option>
+    </div>
+  );
+}
+
+/**
+ * Get categories from charts
+ * @param charts - The charts to get the categories from
+ * @returns Categories
+ */
+function getCategories(charts: Chart[]) {
+  const annotationCategories = charts
+    .map((chart) => chart.annotations?.category) // get category
+    .filter((c): c is string => !!c); // filter out nulls/undefined
+
+  const availableCategories = [...new Set(annotationCategories)].sort(); // unique and sort
+
+  // Create options array in the format expected by PortainerSelect
+  return availableCategories.map((cat) => ({
+    label: cat,
+    value: cat,
+  }));
+}
+
+/**
+ * Get filtered charts
+ * @param charts - The charts to get the filtered charts from
+ * @param textFilter - The text filter
+ * @param selectedCategory - The selected category
+ * @returns Filtered charts
+ */
+function getFilteredCharts(
+  charts: Chart[],
+  textFilter: string,
+  selectedCategory: string | null
+) {
+  return charts.filter((chart) => {
+    // Text filter
+    if (
+      textFilter &&
+      !chart.name.toLowerCase().includes(textFilter.toLowerCase()) &&
+      !chart.description.toLowerCase().includes(textFilter.toLowerCase())
+    ) {
+      return false;
+    }
+
+    // Category filter
+    if (
+      selectedCategory &&
+      (!chart.annotations || chart.annotations.category !== selectedCategory)
+    ) {
+      return false;
+    }
+
+    return true;
+  });
+}
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
index 1a2cbb69f..2bbe5696a 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.test.tsx
@@ -19,6 +19,8 @@ const mockChart: Chart = {
   annotations: {
     category: 'database',
   },
+  version: '1.0.1',
+  versions: ['1.0.0', '1.0.1'],
 };
 
 const clearHelmChartMock = vi.fn();
diff --git a/app/react/kubernetes/helm/queries/useHelmChartList.ts b/app/react/kubernetes/helm/queries/useHelmChartList.ts
index 068588c42..5824236bc 100644
--- a/app/react/kubernetes/helm/queries/useHelmChartList.ts
+++ b/app/react/kubernetes/helm/queries/useHelmChartList.ts
@@ -1,66 +1,11 @@
-import { useQuery, useQueries } from '@tanstack/react-query';
+import { useQueries } from '@tanstack/react-query';
 import { compact, flatMap } from 'lodash';
 import { useMemo } from 'react';
 
-import axios, { parseAxiosError } from '@/portainer/services/axios';
+import axios from '@/portainer/services/axios';
 import { withGlobalError } from '@/react-tools/react-query';
-import { UserId } from '@/portainer/users/types';
 
-import { Chart, HelmChartsResponse, HelmRepositoriesResponse } from '../types';
-
-/**
- * Get Helm repositories for user
- */
-export async function getHelmRepositories(userId: UserId) {
-  try {
-    const { data } = await axios.get<HelmRepositoriesResponse>(
-      `users/${userId}/helm/repositories`
-    );
-    const repos = compact([
-      // compact will remove the global repository if it's empty
-      data.GlobalRepository.toLowerCase(),
-      ...data.UserRepositories.map((repo) => repo.URL.toLowerCase()),
-    ]);
-    return [...new Set(repos)];
-  } catch (err) {
-    throw parseAxiosError(err, 'Unable to retrieve helm repositories for user');
-  }
-}
-
-async function getChartsFromRepo(repo: string): Promise<Chart[]> {
-  try {
-    // Construct the URL with required repo parameter
-    const response = await axios.get<HelmChartsResponse>('templates/helm', {
-      params: { repo },
-    });
-
-    return compact(
-      Object.values(response.data.entries).map((versions) =>
-        versions[0] ? { ...versions[0], repo } : null
-      )
-    );
-  } catch (error) {
-    // Ignore errors from chart repositories as some may error but others may not
-    return [];
-  }
-}
-
-/**
- * Hook to fetch all accessible Helm repositories for a user
- *
- * @param userId User ID
- * @returns Query result with list of repository URLs
- */
-export function useHelmRepositories(userId: number) {
-  return useQuery(
-    [userId, 'helm-repositories'],
-    () => getHelmRepositories(userId),
-    {
-      enabled: !!userId,
-      ...withGlobalError('Unable to retrieve Helm repositories'),
-    }
-  );
-}
+import { Chart, HelmChartsResponse } from '../types';
 
 /**
  * React hook to fetch helm charts from the provided repositories
@@ -103,3 +48,28 @@ export function useHelmChartList(userId: number, repositories: string[] = []) {
     isError: chartQueries.some((q) => q.isError),
   };
 }
+
+async function getChartsFromRepo(repo: string): Promise<Chart[]> {
+  try {
+    // Construct the URL with required repo parameter
+    const response = await axios.get<HelmChartsResponse>('templates/helm', {
+      params: { repo },
+    });
+
+    return compact(
+      Object.values(response.data.entries).map((versions) =>
+        versions[0]
+          ? {
+              ...versions[0],
+              repo,
+              // versions are within this response too, so we don't need a new query to fetch versions when this is used
+              versions: versions.map((v) => v.version),
+            }
+          : null
+      )
+    );
+  } catch (error) {
+    // Ignore errors from chart repositories as some may error but others may not
+    return [];
+  }
+}
diff --git a/app/react/kubernetes/helm/queries/useHelmRegistries.ts b/app/react/kubernetes/helm/queries/useHelmRegistries.ts
new file mode 100644
index 000000000..f48fb72fa
--- /dev/null
+++ b/app/react/kubernetes/helm/queries/useHelmRegistries.ts
@@ -0,0 +1,43 @@
+import { useQuery } from '@tanstack/react-query';
+import { compact } from 'lodash';
+
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { UserId } from '@/portainer/users/types';
+import { withGlobalError } from '@/react-tools/react-query';
+import { useCurrentUser } from '@/react/hooks/useUser';
+
+import { HelmRegistriesResponse } from '../types';
+
+/**
+ * Hook to fetch all Helm registries for the current user
+ */
+export function useHelmRegistries() {
+  const { user } = useCurrentUser();
+  return useQuery(
+    ['helm', 'registries'],
+    async () => getHelmRegistries(user.Id),
+    {
+      enabled: !!user.Id,
+      ...withGlobalError('Unable to retrieve helm registries'),
+    }
+  );
+}
+
+/**
+ * Get Helm registries for user
+ */
+async function getHelmRegistries(userId: UserId) {
+  try {
+    const { data } = await axios.get<HelmRegistriesResponse>(
+      `users/${userId}/helm/repositories`
+    );
+    const repos = compact([
+      // compact will remove the global repository if it's empty
+      data.GlobalRepository.toLowerCase(),
+      ...data.UserRepositories.map((repo) => repo.URL.toLowerCase()),
+    ]);
+    return [...new Set(repos)];
+  } catch (err) {
+    throw parseAxiosError(err, 'Unable to retrieve helm repositories for user');
+  }
+}
diff --git a/app/react/kubernetes/helm/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
similarity index 81%
rename from app/react/kubernetes/helm/queries/useHelmRepositories.ts
rename to app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
index 0713165c0..006b74599 100644
--- a/app/react/kubernetes/helm/queries/useHelmRepositories.ts
+++ b/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
@@ -1,12 +1,9 @@
-import { useQuery, useQueries } from '@tanstack/react-query';
+import { useQueries } from '@tanstack/react-query';
 import { useMemo } from 'react';
 import { compact, flatMap } from 'lodash';
 
 import { withGlobalError } from '@/react-tools/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
-import { useCurrentUser } from '@/react/hooks/useUser';
-
-import { getHelmRepositories } from './useHelmChartList';
 
 interface HelmSearch {
   entries: Entries;
@@ -21,26 +18,13 @@ export interface ChartVersion {
   Version: string;
 }
 
-/**
- * Hook to fetch all Helm repositories for the current user
- */
-export function useHelmRepositories() {
-  const { user } = useCurrentUser();
-  return useQuery(
-    ['helm', 'repositories'],
-    async () => getHelmRepositories(user.Id),
-    {
-      enabled: !!user.Id,
-      ...withGlobalError('Unable to retrieve helm repositories'),
-    }
-  );
-}
-
 /**
  * React hook to get a list of available versions for a chart from specified repositories
  *
  * @param chart The chart name to get versions for
  * @param repositories Array of repository URLs to search in
+ * @param staleTime Stale time for the query
+ * @param useCache Whether to use the cache for the query
  */
 export function useHelmRepoVersions(
   chart: string,
diff --git a/app/react/kubernetes/helm/types.ts b/app/react/kubernetes/helm/types.ts
index 5d5f27536..3094f84b2 100644
--- a/app/react/kubernetes/helm/types.ts
+++ b/app/react/kubernetes/helm/types.ts
@@ -87,6 +87,8 @@ export interface HelmChartResponse {
   annotations?: {
     category?: string;
   };
+  version: string;
+  versions: string[];
 }
 
 export interface HelmRepositoryResponse {
@@ -95,7 +97,7 @@ export interface HelmRepositoryResponse {
   URL: string;
 }
 
-export interface HelmRepositoriesResponse {
+export interface HelmRegistriesResponse {
   GlobalRepository: string;
   UserRepositories: HelmRepositoryResponse[];
 }

From 17ebe221bb784a88e8d6f1a33c0145ba8c444679 Mon Sep 17 00:00:00 2001
From: Malcolm Lockyer <segfault88@users.noreply.github.com>
Date: Tue, 10 Jun 2025 16:47:17 +1200
Subject: [PATCH 143/212] chore: bump version to 2.31.0 (#789)

---
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/http/handler/handler.go                      | 2 +-
 api/portainer.go                                 | 2 +-
 package.json                                     | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 41494fbee..41a1b49df 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -611,7 +611,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.30.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.31.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -939,7 +939,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.30.0\",\"MigratorCount\":0,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.31.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 72c7f7669..1ae55a002 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.30.0
+// @version 2.31.0
 // @description.markdown api-description.md
 // @termsOfService
 
diff --git a/api/portainer.go b/api/portainer.go
index f81a5c767..b3b917a08 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1728,7 +1728,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.30.0"
+	APIVersion = "2.31.0"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "STS"
 	// Edition is what this edition of Portainer is called
diff --git a/package.json b/package.json
index 28859ab3e..d9c180698 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.30.0",
+  "version": "2.31.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"

From cc676124328e0d803d50bd272d79bdc21da84c57 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 12 Jun 2025 02:26:25 +0100
Subject: [PATCH 144/212] Update bug report template for 2.31.0 (#793)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 4324bf5a8..089ad06fb 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.31.0'
         - '2.30.1'
         - '2.30.0'
         - '2.29.2'

From 6e89ccc0ae893f74a1af15ec1fb0b52490e580d4 Mon Sep 17 00:00:00 2001
From: Yajith Dayarathna <yajith.dayarathna@portainer.io>
Date: Thu, 12 Jun 2025 13:39:34 +1200
Subject: [PATCH 145/212] fix(api-documentation): swagger document genration
 error  (#795)

---
 api/http/handler/kubernetes/event.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/http/handler/kubernetes/event.go b/api/http/handler/kubernetes/event.go
index 0e226d5ec..25f024303 100644
--- a/api/http/handler/kubernetes/event.go
+++ b/api/http/handler/kubernetes/event.go
@@ -20,7 +20,7 @@ import (
 // @param id path int true "Environment identifier"
 // @param namespace path string true "The namespace name the events are associated to"
 // @param resourceId query string false "The resource id of the involved kubernetes object" example:"e5b021b6-4bce-4c06-bd3b-6cca906797aa"
-// @success 200 {object} models.Event[] "Success"
+// @success 200 {object} []kubernetes.K8sEvent "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
 // @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."
@@ -68,7 +68,7 @@ func (handler *Handler) getKubernetesEventsForNamespace(w http.ResponseWriter, r
 // @produce json
 // @param id path int true "Environment identifier"
 // @param resourceId query string false "The resource id of the involved kubernetes object"  example:"e5b021b6-4bce-4c06-bd3b-6cca906797aa"
-// @success 200 {object} models.Event[] "Success"
+// @success 200 {object} []kubernetes.K8sEvent "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
 // @failure 403 "Permission denied - the user is authenticated but does not have the necessary permissions to access the requested resource or perform the specified operation. Check your user roles and permissions."

From f07a3b1875d7ba238296f2540bb81b778cddd3c0 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Thu, 12 Jun 2025 17:30:53 +1200
Subject: [PATCH 146/212] security: cve-2025-22874 & cve-2025-22871 bump go to
 1.23.10 (#798)

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index 3a2ba0bf5..dd66b95e2 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/portainer/portainer
 
-go 1.23.8
+go 1.23.10
 
 require (
 	github.com/Masterminds/semver v1.5.0

From 036b87b6498329bbbb681862a647eeab9d65a0af Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 16 Jun 2025 12:56:51 -0300
Subject: [PATCH 147/212] fix(middlewares): fix data race in WithEndpoint()
 BE-11949 (#803)

---
 api/http/middlewares/endpoint.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/api/http/middlewares/endpoint.go b/api/http/middlewares/endpoint.go
index c88731dd3..0050e4300 100644
--- a/api/http/middlewares/endpoint.go
+++ b/api/http/middlewares/endpoint.go
@@ -25,12 +25,12 @@ type key int
 const contextEndpoint key = 0
 
 func WithEndpoint(endpointService dataservices.EndpointService, endpointIDParam string) mux.MiddlewareFunc {
+	if endpointIDParam == "" {
+		endpointIDParam = "id"
+	}
+
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(rw http.ResponseWriter, request *http.Request) {
-			if endpointIDParam == "" {
-				endpointIDParam = "id"
-			}
-
 			endpointID, err := requesthelpers.RetrieveNumericRouteVariableValue(request, endpointIDParam)
 			if err != nil {
 				httperror.WriteError(rw, http.StatusBadRequest, "Invalid environment identifier route variable", err)
@@ -51,7 +51,6 @@ func WithEndpoint(endpointService dataservices.EndpointService, endpointIDParam
 			ctx := context.WithValue(request.Context(), contextEndpoint, endpoint)
 
 			next.ServeHTTP(rw, request.WithContext(ctx))
-
 		})
 	}
 }

From a7009eb8d5109019e53ab8f4af79ed27eeccc838 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Tue, 17 Jun 2025 01:52:12 +0100
Subject: [PATCH 148/212] Update bug report template for 2.27.7 (#805)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 089ad06fb..c049c23fe 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -102,6 +102,7 @@ body:
         - '2.29.0'
         - '2.28.1'
         - '2.28.0'
+        - '2.27.7'
         - '2.27.6'
         - '2.27.5'
         - '2.27.4'

From c2b48cd003caceed88e4580eb181315d5f40fa76 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Thu, 19 Jun 2025 09:03:52 +1200
Subject: [PATCH 149/212] feat(k8s): CloudNativePG in applications list and
 details - [R8S-357] (#777)

---
 api/http/models/kubernetes/application.go     | 26 +++++++++++++++----
 .../components/ViewLoading/ViewLoading.tsx    | 10 +------
 2 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/api/http/models/kubernetes/application.go b/api/http/models/kubernetes/application.go
index fcb49b23d..4759d9214 100644
--- a/api/http/models/kubernetes/application.go
+++ b/api/http/models/kubernetes/application.go
@@ -38,14 +38,30 @@ type K8sApplication struct {
 	Labels                  map[string]string                      `json:"Labels,omitempty"`
 	Resource                K8sApplicationResource                 `json:"Resource,omitempty"`
 	HorizontalPodAutoscaler *autoscalingv2.HorizontalPodAutoscaler `json:"HorizontalPodAutoscaler,omitempty"`
+	CustomResourceMetadata  CustomResourceMetadata                 `json:"CustomResourceMetadata,omitempty"`
 }
 
 type Metadata struct {
 	Labels map[string]string `json:"labels"`
 }
 
+type CustomResourceMetadata struct {
+	Kind       string `json:"kind"`
+	APIVersion string `json:"apiVersion"`
+	Plural     string `json:"plural"`
+}
+
 type Pod struct {
-	Status string `json:"Status"`
+	Name            string                 `json:"Name"`
+	ContainerName   string                 `json:"ContainerName"`
+	Image           string                 `json:"Image"`
+	ImagePullPolicy string                 `json:"ImagePullPolicy"`
+	Status          string                 `json:"Status"`
+	NodeName        string                 `json:"NodeName"`
+	PodIP           string                 `json:"PodIP"`
+	UID             string                 `json:"Uid"`
+	Resource        K8sApplicationResource `json:"Resource,omitempty"`
+	CreationDate    time.Time              `json:"CreationDate"`
 }
 
 type Configuration struct {
@@ -72,8 +88,8 @@ type TLSInfo struct {
 
 // Existing types
 type K8sApplicationResource struct {
-	CPURequest    float64 `json:"CpuRequest"`
-	CPULimit      float64 `json:"CpuLimit"`
-	MemoryRequest int64   `json:"MemoryRequest"`
-	MemoryLimit   int64   `json:"MemoryLimit"`
+	CPURequest    float64 `json:"CpuRequest,omitempty"`
+	CPULimit      float64 `json:"CpuLimit,omitempty"`
+	MemoryRequest int64   `json:"MemoryRequest,omitempty"`
+	MemoryLimit   int64   `json:"MemoryLimit,omitempty"`
 }
diff --git a/app/react/components/ViewLoading/ViewLoading.tsx b/app/react/components/ViewLoading/ViewLoading.tsx
index 5ade961bb..139c67637 100644
--- a/app/react/components/ViewLoading/ViewLoading.tsx
+++ b/app/react/components/ViewLoading/ViewLoading.tsx
@@ -1,7 +1,4 @@
 import clsx from 'clsx';
-import { Settings } from 'lucide-react';
-
-import { Icon } from '@@/Icon';
 
 import styles from './ViewLoading.module.css';
 
@@ -18,12 +15,7 @@ export function ViewLoading({ message }: Props) {
         <div className="sk-fold-cube" />
         <div className="sk-fold-cube" />
       </div>
-      {message && (
-        <span className={styles.message}>
-          {message}
-          <Icon icon={Settings} className="!ml-1 animate-spin-slow" />
-        </span>
-      )}
+      {message && <span className={styles.message}>{message}</span>}
     </div>
   );
 }

From e051c86bb586b251961fa93e893b08c481e05f43 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 19 Jun 2025 03:07:18 +0100
Subject: [PATCH 150/212] Updates for release 2.31.1 (#816)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index c049c23fe..c3a7d8d28 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.31.1'
         - '2.31.0'
         - '2.30.1'
         - '2.30.0'

From d51e9205d9d8828574f4ee4fcb2860ec904151e3 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Fri, 20 Jun 2025 20:03:35 -0300
Subject: [PATCH 151/212] fix(endpointrelation): use a read-write transaction
 for mutations BE-11964 (#819)

---
 api/dataservices/endpointrelation/endpointrelation.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/dataservices/endpointrelation/endpointrelation.go b/api/dataservices/endpointrelation/endpointrelation.go
index a81c258b9..556a046bb 100644
--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -112,13 +112,13 @@ func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID,
 }
 
 func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
-	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
 		return service.Tx(tx).AddEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
 	})
 }
 
 func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
-	return service.connection.ViewTx(func(tx portainer.Transaction) error {
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
 		return service.Tx(tx).RemoveEndpointRelationsForEdgeStack(endpointIDs, edgeStackID)
 	})
 }

From c897baad201e3328588adfb47658a9035dd94e9d Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Tue, 24 Jun 2025 15:46:10 +1200
Subject: [PATCH 152/212] fix: fetching values from both install and upgrade
 views - develop [R8S-368] (#820)

---
 .../ChartActions/UpgradeButton.tsx            | 20 ++++--
 .../ChartActions/UpgradeHelmModal.tsx         | 46 +++++++------
 .../helm/queries/useHelmRepoVersions.ts       |  7 +-
 app/react/kubernetes/helm/types.ts            |  3 +-
 pkg/libhelm/release/release.go                |  2 +
 pkg/libhelm/sdk/search_repo.go                | 14 +++-
 pkg/libhelm/sdk/show.go                       | 64 ++++++++++++++-----
 7 files changed, 111 insertions(+), 45 deletions(-)

diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 2c3f05ab6..648e3628d 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -44,7 +44,6 @@ export function UpgradeButton({
     useCache
   );
   const versions = helmRepoVersionsQuery.data;
-  const repo = versions?.[0]?.Repo;
 
   // Combined loading state
   const isLoading =
@@ -63,17 +62,28 @@ export function UpgradeButton({
     latestVersionQuery?.data &&
       semverCompare(latestVersionAvailable, latestVersionQuery?.data) === 1
   );
-  const currentVersion = release?.chart.metadata?.version;
+
+  const currentRepo = versions?.find(
+    (v) =>
+      v.Chart === release?.chart.metadata?.name &&
+      v.AppVersion === release?.chart.metadata?.appVersion &&
+      v.Version === release?.chart.metadata?.version
+  )?.Repo;
 
   const editableHelmRelease: UpdateHelmReleasePayload = {
     name: releaseName,
     namespace: namespace || '',
     values: release?.values?.userSuppliedValues,
     chart: release?.chart.metadata?.name || '',
-    version: currentVersion,
-    repo,
+    appVersion: release?.chart.metadata?.appVersion,
+    version: release?.chart.metadata?.version,
+    repo: currentRepo ?? '',
   };
 
+  const filteredVersions = currentRepo
+    ? versions?.filter((v) => v.Repo === currentRepo) || []
+    : versions || [];
+
   return (
     <div className="relative">
       <LoadingButton
@@ -151,7 +161,7 @@ export function UpgradeButton({
   async function handleUpgrade() {
     const submittedUpgradeValues = await openUpgradeHelmModal(
       editableHelmRelease,
-      versions
+      filteredVersions
     );
 
     if (submittedUpgradeValues) {
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
index 74a60454c..a1382bfd3 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
@@ -19,39 +19,48 @@ import { useHelmChartValues } from '../../queries/useHelmChartValues';
 
 interface Props {
   onSubmit: OnSubmit<UpdateHelmReleasePayload>;
-  values: UpdateHelmReleasePayload;
+  payload: UpdateHelmReleasePayload;
   versions: ChartVersion[];
   chartName: string;
-  repo: string;
 }
 
 export function UpgradeHelmModal({
-  values,
+  payload,
   versions,
   onSubmit,
   chartName,
-  repo,
 }: Props) {
   const versionOptions: Option<ChartVersion>[] = versions.map((version) => {
-    const isCurrentVersion = version.Version === values.version;
-    const label = `${version.Repo}@${version.Version}${
+    const repo = payload.repo === version.Repo ? version.Repo : '';
+    const isCurrentVersion =
+      version.AppVersion === payload.appVersion &&
+      version.Version === payload.version;
+
+    const label = `${repo}@${version.Version}${
       isCurrentVersion ? ' (current)' : ''
     }`;
+
     return {
+      repo,
       label,
       value: version,
     };
   });
+
   const defaultVersion =
-    versionOptions.find((v) => v.value.Version === values.version)?.value ||
-    versionOptions[0]?.value;
+    versionOptions.find(
+      (v) =>
+        v.value.AppVersion === payload.appVersion &&
+        v.value.Version === payload.version &&
+        v.value.Repo === payload.repo
+    )?.value || versionOptions[0]?.value;
   const [version, setVersion] = useState<ChartVersion>(defaultVersion);
-  const [userValues, setUserValues] = useState<string>(values.values || '');
+  const [userValues, setUserValues] = useState<string>(payload.values || '');
   const [atomic, setAtomic] = useState<boolean>(true);
 
   const chartValuesRefQuery = useHelmChartValues({
     chart: chartName,
-    repo,
+    repo: version.Repo,
     version: version.Version,
   });
 
@@ -75,7 +84,7 @@ export function UpgradeHelmModal({
             >
               <Input
                 id="release-name-input"
-                value={values.name}
+                value={payload.name}
                 readOnly
                 disabled
                 data-cy="helm-release-name-input"
@@ -88,7 +97,7 @@ export function UpgradeHelmModal({
             >
               <Input
                 id="namespace-input"
-                value={values.namespace}
+                value={payload.namespace}
                 readOnly
                 disabled
                 data-cy="helm-namespace-input"
@@ -142,10 +151,10 @@ export function UpgradeHelmModal({
           <Button
             onClick={() =>
               onSubmit({
-                name: values.name,
+                name: payload.name,
                 values: userValues,
-                namespace: values.namespace,
-                chart: values.chart,
+                namespace: payload.namespace,
+                chart: payload.chart,
                 repo: version.Repo,
                 version: version.Version,
                 atomic,
@@ -165,13 +174,12 @@ export function UpgradeHelmModal({
 }
 
 export async function openUpgradeHelmModal(
-  values: UpdateHelmReleasePayload,
+  payload: UpdateHelmReleasePayload,
   versions: ChartVersion[]
 ) {
   return openModal(withReactQuery(withCurrentUser(UpgradeHelmModal)), {
-    values,
+    payload,
     versions,
-    chartName: values.chart,
-    repo: values.repo ?? '',
+    chartName: payload.chart,
   });
 }
diff --git a/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts b/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
index 006b74599..5543de3d7 100644
--- a/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
+++ b/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
@@ -10,12 +10,15 @@ interface HelmSearch {
 }
 
 interface Entries {
-  [key: string]: { version: string }[];
+  [key: string]: { version: string; appVersion: string }[];
 }
 
 export interface ChartVersion {
+  Chart?: string;
   Repo: string;
+  Label?: string;
   Version: string;
+  AppVersion?: string;
 }
 
 /**
@@ -77,8 +80,10 @@ async function getSearchHelmRepo(
     const versions = data.entries[chart];
     return (
       versions?.map((v) => ({
+        Chart: chart,
         Repo: repo,
         Version: v.version,
+        AppVersion: v.appVersion,
       })) ?? []
     );
   } catch (err) {
diff --git a/app/react/kubernetes/helm/types.ts b/app/react/kubernetes/helm/types.ts
index 3094f84b2..b1e958471 100644
--- a/app/react/kubernetes/helm/types.ts
+++ b/app/react/kubernetes/helm/types.ts
@@ -120,9 +120,10 @@ export interface InstallChartPayload {
 export interface UpdateHelmReleasePayload {
   namespace: string;
   values?: string;
-  repo?: string;
+  repo: string;
   name: string;
   chart: string;
+  appVersion?: string;
   version?: string;
   atomic?: boolean;
 }
diff --git a/pkg/libhelm/release/release.go b/pkg/libhelm/release/release.go
index 56888291c..acc3328b1 100644
--- a/pkg/libhelm/release/release.go
+++ b/pkg/libhelm/release/release.go
@@ -36,6 +36,8 @@ type Release struct {
 	Manifest string `json:"manifest,omitempty"`
 	// Hooks are all of the hooks declared for this release.
 	Hooks []*Hook `json:"hooks,omitempty"`
+	// AppVersion is the app version of the release.
+	AppVersion string `json:"appVersion,omitempty"`
 	// Version is an int which represents the revision of the release.
 	Version int `json:"version,omitempty"`
 	// Namespace is the kubernetes namespace of the release.
diff --git a/pkg/libhelm/sdk/search_repo.go b/pkg/libhelm/sdk/search_repo.go
index 63015330c..a97b7d606 100644
--- a/pkg/libhelm/sdk/search_repo.go
+++ b/pkg/libhelm/sdk/search_repo.go
@@ -90,8 +90,17 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, errors.Wrap(err, "failed to ensure Helm directories exist")
 	}
 
+	repoName, err := getRepoNameFromURL(repoURL.String())
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Failed to get hostname from URL")
+		return nil, err
+	}
+
 	// Download the index file and update repository configuration
-	indexPath, err := downloadRepoIndex(repoURL.String(), repoSettings, searchRepoOpts.Repo)
+	indexPath, err := downloadRepoIndex(repoURL.String(), repoSettings, repoName)
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -163,7 +172,8 @@ func downloadRepoIndex(repoURLString string, repoSettings *cli.EnvSettings, repo
 	// Create chart repository object
 	rep, err := repo.NewChartRepository(
 		&repo.Entry{
-			URL: repoURLString,
+			Name: repoName,
+			URL:  repoURLString,
 		},
 		getter.All(repoSettings),
 	)
diff --git a/pkg/libhelm/sdk/show.go b/pkg/libhelm/sdk/show.go
index 4dc9c402d..9ad2d6007 100644
--- a/pkg/libhelm/sdk/show.go
+++ b/pkg/libhelm/sdk/show.go
@@ -2,7 +2,8 @@ package sdk
 
 import (
 	"fmt"
-	"os"
+	"net/url"
+	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/portainer/portainer/pkg/libhelm/options"
@@ -32,24 +33,32 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 		Str("output_format", string(showOpts.OutputFormat)).
 		Msg("Showing chart information")
 
-	// Initialize action configuration (no namespace or cluster access needed)
-	actionConfig := new(action.Configuration)
-	err := hspm.initActionConfig(actionConfig, "", nil)
+	repoURL, err := parseRepoURL(showOpts.Repo)
 	if err != nil {
-		// error is already logged in initActionConfig
-		return nil, fmt.Errorf("failed to initialize helm configuration: %w", err)
+		log.Error().
+			Str("context", "HelmClient").
+			Str("repo", showOpts.Repo).
+			Err(err).
+			Msg("Invalid repository URL")
+		return nil, err
 	}
 
-	// Create temporary directory for chart download
-	tempDir, err := os.MkdirTemp("", "helm-show-*")
+	repoName, err := getRepoNameFromURL(repoURL.String())
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
 			Err(err).
-			Msg("Failed to create temp directory")
-		return nil, fmt.Errorf("failed to create temp directory: %w", err)
+			Msg("Failed to get hostname from URL")
+		return nil, err
+	}
+
+	// Initialize action configuration (no namespace or cluster access needed)
+	actionConfig := new(action.Configuration)
+	err = hspm.initActionConfig(actionConfig, "", nil)
+	if err != nil {
+		// error is already logged in initActionConfig
+		return nil, fmt.Errorf("failed to initialize helm configuration: %w", err)
 	}
-	defer os.RemoveAll(tempDir)
 
 	// Create showClient action
 	showClient, err := initShowClient(actionConfig, showOpts)
@@ -68,11 +77,12 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 		Str("repo", showOpts.Repo).
 		Msg("Locating chart")
 
-	chartPath, err := showClient.ChartPathOptions.LocateChart(showOpts.Chart, hspm.settings)
+	fullChartPath := fmt.Sprintf("%s/%s", repoName, showOpts.Chart)
+	chartPath, err := showClient.ChartPathOptions.LocateChart(fullChartPath, hspm.settings)
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
-			Str("chart", showOpts.Chart).
+			Str("chart", fullChartPath).
 			Str("repo", showOpts.Repo).
 			Err(err).
 			Msg("Failed to locate chart")
@@ -104,13 +114,10 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 // and return the show client.
 func initShowClient(actionConfig *action.Configuration, showOpts options.ShowOptions) (*action.Show, error) {
 	showClient := action.NewShowWithConfig(action.ShowAll, actionConfig)
-	showClient.ChartPathOptions.RepoURL = showOpts.Repo
-	showClient.ChartPathOptions.Version = showOpts.Version // If version is "", it will use the latest version
+	showClient.ChartPathOptions.Version = showOpts.Version
 
 	// Set output type based on ShowOptions
 	switch showOpts.OutputFormat {
-	case options.ShowAll:
-		showClient.OutputFormat = action.ShowAll
 	case options.ShowChart:
 		showClient.OutputFormat = action.ShowChart
 	case options.ShowValues:
@@ -127,3 +134,26 @@ func initShowClient(actionConfig *action.Configuration, showOpts options.ShowOpt
 
 	return showClient, nil
 }
+
+// getRepoNameFromURL extracts a unique repository identifier from a URL string.
+// It combines hostname and path to ensure uniqueness across different repositories on the same host.
+// Examples:
+// - https://portainer.github.io/test-public-repo/ -> portainer.github.io-test-public-repo
+// - https://portainer.github.io/another-repo/ -> portainer.github.io-another-repo
+// - https://charts.helm.sh/stable -> charts.helm.sh-stable
+func getRepoNameFromURL(urlStr string) (string, error) {
+	parsedURL, err := url.Parse(urlStr)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse URL: %w", err)
+	}
+
+	hostname := parsedURL.Hostname()
+	path := parsedURL.Path
+	path = strings.Trim(path, "/")
+	path = strings.ReplaceAll(path, "/", "-")
+
+	if path == "" {
+		return hostname, nil
+	}
+	return fmt.Sprintf("%s-%s", hostname, path), nil
+}

From 97838e614dbb9c691bd43ea11e57c98503a33732 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Wed, 25 Jun 2025 06:11:58 +0100
Subject: [PATCH 153/212] Updates for release 2.27.8 (#827)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index c3a7d8d28..e8ed7316a 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -103,6 +103,7 @@ body:
         - '2.29.0'
         - '2.28.1'
         - '2.28.0'
+        - '2.27.8'
         - '2.27.7'
         - '2.27.6'
         - '2.27.5'

From 7d7ae243514b8448727c9360800486959e3a305c Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 26 Jun 2025 04:41:23 +0100
Subject: [PATCH 154/212] Updates for release 2.31.2 (#834)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index e8ed7316a..49ca94eff 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.31.2'
         - '2.31.1'
         - '2.31.0'
         - '2.30.1'

From 8d29b5ae711e822c896b575b2f1d082439de759e Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 27 Jun 2025 09:38:04 +1200
Subject: [PATCH 155/212] fix: kubeconfig download button inconsistency between
 http and https (#829)

---
 .../KubeconfigButton/KubeconfigButton.tsx     | 49 ++++++++++++-------
 1 file changed, 32 insertions(+), 17 deletions(-)

diff --git a/app/react/portainer/HomeView/EnvironmentList/KubeconfigButton/KubeconfigButton.tsx b/app/react/portainer/HomeView/EnvironmentList/KubeconfigButton/KubeconfigButton.tsx
index f2b20857d..393c55f9c 100644
--- a/app/react/portainer/HomeView/EnvironmentList/KubeconfigButton/KubeconfigButton.tsx
+++ b/app/react/portainer/HomeView/EnvironmentList/KubeconfigButton/KubeconfigButton.tsx
@@ -7,6 +7,7 @@ import { trackEvent } from '@/angulartics.matomo/analytics-services';
 import { Query } from '@/react/portainer/environments/queries/useEnvironmentList';
 
 import { Button } from '@@/buttons';
+import { TooltipWithChildren } from '@@/Tip/TooltipWithChildren';
 
 import { KubeconfigPrompt } from './KubeconfigPrompt';
 
@@ -23,23 +24,41 @@ export function KubeconfigButton({ environments, envQueryParams }: Props) {
     isKubernetesEnvironment(env.Type)
   );
 
-  if (!isKubeconfigButtonVisible()) {
-    return null;
+  const isHttp = window.location.protocol === 'http:';
+  const noKubeEnvs = kubeEnvs.length === 0;
+  const isDisabled = noKubeEnvs || isHttp;
+
+  let tooltipMessage = '';
+  if (isHttp) {
+    tooltipMessage =
+      'Kubeconfig download is not available when Portainer is accessed via HTTP. Please use HTTPS';
+  } else if (noKubeEnvs) {
+    tooltipMessage = 'No Kubernetes environments detected';
   }
 
+  const button = (
+    <Button
+      onClick={handleClick}
+      data-cy="download-kubeconfig-button"
+      size="medium"
+      className="!m-0"
+      icon={Download}
+      disabled={isDisabled}
+      color="light"
+    >
+      Kubeconfig
+    </Button>
+  );
+
   return (
     <>
-      <Button
-        onClick={handleClick}
-        data-cy="download-kubeconfig-button"
-        size="medium"
-        className="!m-0"
-        icon={Download}
-        disabled={kubeEnvs.length === 0}
-        color="light"
-      >
-        Kubeconfig
-      </Button>
+      {isDisabled ? (
+        <TooltipWithChildren message={tooltipMessage}>
+          <span className="!m-0">{button}</span>
+        </TooltipWithChildren>
+      ) : (
+        button
+      )}
       {prompt()}
     </>
   );
@@ -60,10 +79,6 @@ export function KubeconfigButton({ environments, envQueryParams }: Props) {
     setIsOpen(false);
   }
 
-  function isKubeconfigButtonVisible() {
-    return window.location.protocol === 'https:';
-  }
-
   function prompt() {
     return (
       isOpen && (

From 303047656e7a040c7f7d89bb11c2b69b9e0e1d99 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Fri, 27 Jun 2025 22:48:40 +1200
Subject: [PATCH 156/212] fix(k8s-services): avoid rerendering services table
 [r8s-387] (#832)

---
 .../queries/useClusterRoles.ts                |   2 +-
 .../namespaces/queries/useNamespacesQuery.ts  |   9 +-
 .../ServicesDatatable.test.tsx                | 148 ++++++++++++++++++
 .../ServicesDatatable/ServicesDatatable.tsx   |  57 +++----
 app/react/kubernetes/services/service.ts      |  13 +-
 .../volumes/ListView/VolumesDatatable.tsx     |  28 ++--
 .../volumes/queries/useDeleteVolumes.ts       |   2 +-
 .../volumes/queries/useNamespaceVolumes.ts    |  51 ------
 .../volumes/queries/useVolumesQuery.ts        |   5 +-
 9 files changed, 216 insertions(+), 99 deletions(-)
 create mode 100644 app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx
 delete mode 100644 app/react/kubernetes/volumes/queries/useNamespaceVolumes.ts

diff --git a/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/queries/useClusterRoles.ts b/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/queries/useClusterRoles.ts
index dbacc4f4c..f27ffe642 100644
--- a/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/queries/useClusterRoles.ts
+++ b/app/react/kubernetes/more-resources/ClusterRolesView/ClusterRolesDatatable/queries/useClusterRoles.ts
@@ -21,7 +21,7 @@ export function useClusterRoles(
     },
     {
       ...withGlobalError('Unable to get cluster roles'),
-      ...options,
+      refetchInterval: options?.autoRefreshRate,
     }
   );
 }
diff --git a/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts b/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts
index 6e521e0aa..b4cd2d712 100644
--- a/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts
+++ b/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts
@@ -8,9 +8,13 @@ import { PortainerNamespace } from '../types';
 
 import { queryKeys } from './queryKeys';
 
-export function useNamespacesQuery(
+export function useNamespacesQuery<T = PortainerNamespace[]>(
   environmentId: EnvironmentId,
-  options?: { autoRefreshRate?: number; withResourceQuota?: boolean }
+  options?: {
+    autoRefreshRate?: number;
+    withResourceQuota?: boolean;
+    select?: (namespaces: PortainerNamespace[]) => T;
+  }
 ) {
   return useQuery(
     queryKeys.list(environmentId, {
@@ -22,6 +26,7 @@ export function useNamespacesQuery(
       refetchInterval() {
         return options?.autoRefreshRate ?? false;
       },
+      select: options?.select,
     }
   );
 }
diff --git a/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx b/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx
new file mode 100644
index 000000000..0d4dfe7fd
--- /dev/null
+++ b/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx
@@ -0,0 +1,148 @@
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { HttpResponse } from 'msw';
+
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { createMockUsers } from '@/react-tools/test-mocks';
+import { server, http } from '@/setup-tests/server';
+
+import { ServicesDatatable } from './ServicesDatatable';
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => 1,
+}));
+
+vi.mock('@/portainer/services/notifications', () => ({
+  notifyError: vi.fn(),
+  notifySuccess: vi.fn(),
+}));
+function createMockServices(count: number) {
+  return Array.from({ length: count }, (_, i) => {
+    let namespace = 'default';
+    if (i % 3 === 0) {
+      namespace = 'kube-system';
+    } else if (i % 2 !== 0) {
+      namespace = 'my-namespace';
+    }
+
+    let type = 'ClusterIP';
+    if (i % 4 === 1) {
+      type = 'NodePort';
+    } else if (i % 4 === 2) {
+      type = 'LoadBalancer';
+    } else if (i % 4 === 3) {
+      type = 'ExternalName';
+    }
+
+    return {
+      UID: `service-${i}`,
+      Name: `service-${i}`,
+      Namespace: namespace,
+      Type: type,
+      Ports: [{ Port: 80 + i, TargetPort: 8080 + i, Protocol: 'TCP' }],
+      Selector: { app: `app-${i}` },
+      CreationTimestamp: new Date(Date.now() - i * 1000 * 60).toISOString(),
+      ApplicationOwner: '',
+      Applications: [{ Name: `app-${i}` }],
+    };
+  });
+}
+
+const mockServices = createMockServices(4);
+
+const mockNamespaces = [
+  {
+    Name: 'default',
+    IsSystem: false,
+    Status: 'Active',
+    CreationTimestamp: '2024-01-01T00:00:00Z',
+  },
+  {
+    Name: 'kube-system',
+    IsSystem: true,
+    Status: 'Active',
+    CreationTimestamp: '2024-01-01T00:00:00Z',
+  },
+  {
+    Name: 'my-namespace',
+    IsSystem: false,
+    Status: 'Active',
+    CreationTimestamp: '2024-01-01T00:00:00Z',
+  },
+];
+
+beforeEach(() => {
+  server.use(
+    http.get('/api/kubernetes/1/services', () =>
+      HttpResponse.json(mockServices)
+    ),
+    http.get('/api/kubernetes/1/namespaces', () =>
+      HttpResponse.json(mockNamespaces)
+    )
+  );
+});
+const mockUser = {
+  ...createMockUsers(1)[0],
+  PortainerAuthorizations: {
+    K8sAccessSystemNamespaces: true,
+    K8sServiceW: true,
+  },
+};
+
+function createTestComponent() {
+  return withTestRouter(
+    withUserProvider(withTestQueryProvider(ServicesDatatable), mockUser),
+    {
+      route: '/kubernetes/services',
+      stateConfig: [
+        {
+          name: 'kubernetes.services',
+          url: '/kubernetes/services',
+          params: { endpointId: '1' },
+        },
+      ],
+    }
+  );
+}
+
+describe('ServicesDatatable', () => {
+  it('renders services data correctly', async () => {
+    const TestComponent = createTestComponent();
+    render(<TestComponent />);
+
+    expect(await screen.findByText('service-1')).toBeInTheDocument();
+    expect(screen.getByText('service-2')).toBeInTheDocument();
+  });
+
+  it('should filter system resources correctly when toggled', async () => {
+    const TestComponent = createTestComponent();
+    render(<TestComponent />);
+
+    const settingsButton = screen.getByRole('button', { name: /settings/i });
+    await userEvent.click(settingsButton);
+
+    await waitFor(() => {
+      expect(screen.queryByText('service-0')).not.toBeInTheDocument();
+    });
+
+    const systemToggle = await screen.findByTestId('show-system-resources');
+    await userEvent.click(systemToggle);
+
+    await waitFor(() => {
+      expect(screen.queryByText('service-0')).toBeInTheDocument();
+    });
+
+    expect(screen.getByText('service-3')).toBeInTheDocument();
+    expect(screen.getByText('service-1')).toBeInTheDocument();
+    expect(screen.getByText('service-2')).toBeInTheDocument();
+  });
+
+  it('should show loading state when data is loading', async () => {
+    const TestComponent = createTestComponent();
+    render(<TestComponent />);
+
+    expect(screen.getByText('Loading...')).toBeInTheDocument();
+  });
+});
diff --git a/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.tsx b/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.tsx
index 4786eaf2f..265808564 100644
--- a/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.tsx
+++ b/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.tsx
@@ -16,6 +16,7 @@ import { DefaultDatatableSettings } from '@/react/kubernetes/datatables/DefaultD
 import { SystemResourceDescription } from '@/react/kubernetes/datatables/SystemResourceDescription';
 import { useNamespacesQuery } from '@/react/kubernetes/namespaces/queries/useNamespacesQuery';
 import { CreateFromManifestButton } from '@/react/kubernetes/components/CreateFromManifestButton';
+import { createStore } from '@/react/kubernetes/datatables/default-kube-datatable-store';
 
 import { Datatable, Table, TableSettingsMenu } from '@@/datatables';
 import { useTableState } from '@@/datatables/useTableState';
@@ -25,7 +26,6 @@ import { useMutationDeleteServices, useClusterServices } from '../../service';
 import { Service } from '../../types';
 
 import { columns } from './columns';
-import { createStore } from './datatable-store';
 import { ServiceRowData } from './types';
 
 const storageKey = 'k8sServicesDatatable';
@@ -34,52 +34,53 @@ const settingsStore = createStore(storageKey);
 export function ServicesDatatable() {
   const tableState = useTableState(settingsStore, storageKey);
   const environmentId = useEnvironmentId();
-  const { data: namespacesArray, ...namespacesQuery } =
-    useNamespacesQuery(environmentId);
+  const { data: namespaces, ...namespacesQuery } = useNamespacesQuery(
+    environmentId,
+    {
+      select: (namespacesArray) =>
+        namespacesArray?.reduce<Record<string, PortainerNamespace>>(
+          (acc, namespace) => {
+            acc[namespace.Name] = namespace;
+            return acc;
+          },
+          {}
+        ),
+    }
+  );
+  const { authorized: canWrite } = useAuthorizations(['K8sServiceW']);
+  const { authorized: canAccessSystemResources } = useAuthorizations(
+    'K8sAccessSystemNamespaces'
+  );
   const { data: services, ...servicesQuery } = useClusterServices(
     environmentId,
     {
       autoRefreshRate: tableState.autoRefreshRate * 1000,
       withApplications: true,
+      select: (services) =>
+        services?.filter(
+          (service) =>
+            (canAccessSystemResources && tableState.showSystemResources) ||
+            !namespaces?.[service.Namespace]?.IsSystem
+        ),
     }
   );
 
-  const namespaces: Record<string, PortainerNamespace> = {};
-  if (Array.isArray(namespacesArray)) {
-    for (let i = 0; i < namespacesArray.length; i++) {
-      const namespace = namespacesArray[i];
-      namespaces[namespace.Name] = namespace;
-    }
-  }
-
-  const { authorized: canWrite } = useAuthorizations(['K8sServiceW']);
-  const readOnly = !canWrite;
-  const { authorized: canAccessSystemResources } = useAuthorizations(
-    'K8sAccessSystemNamespaces'
-  );
-  const filteredServices = services?.filter(
-    (service) =>
-      (canAccessSystemResources && tableState.showSystemResources) ||
-      !namespaces?.[service.Namespace]?.IsSystem
-  );
-
-  const servicesWithIsSystem = useServicesRowData(
-    filteredServices || [],
-    namespaces
-  );
+  const servicesWithIsSystem = useServicesRowData(services || [], namespaces);
 
   return (
     <Datatable
       dataset={servicesWithIsSystem || []}
       columns={columns}
       settingsManager={tableState}
-      isLoading={servicesQuery.isLoading || namespacesQuery.isLoading}
+      isLoading={
+        servicesQuery.isInitialLoading || namespacesQuery.isInitialLoading
+      }
       emptyContentLabel="No services found"
       title="Services"
       titleIcon={Shuffle}
       getRowId={(row) => row.UID}
       isRowSelectable={(row) => !namespaces?.[row.original.Namespace]?.IsSystem}
-      disableSelect={readOnly}
+      disableSelect={!canWrite}
       renderTableActions={(selectedRows) => (
         <TableActions selectedItems={selectedRows} />
       )}
diff --git a/app/react/kubernetes/services/service.ts b/app/react/kubernetes/services/service.ts
index a36f25db9..a7cdbc7f2 100644
--- a/app/react/kubernetes/services/service.ts
+++ b/app/react/kubernetes/services/service.ts
@@ -23,18 +23,21 @@ export const queryKeys = {
  *
  * @returns The result of the query.
  */
-export function useClusterServices(
+export function useClusterServices<T = Service[]>(
   environmentId: EnvironmentId,
-  options?: { autoRefreshRate?: number; withApplications?: boolean }
+  options?: {
+    autoRefreshRate?: number;
+    withApplications?: boolean;
+    select?: (services: Service[]) => T;
+  }
 ) {
   return useQuery(
     queryKeys.clusterServices(environmentId),
     async () => getClusterServices(environmentId, options?.withApplications),
     {
       ...withGlobalError('Unable to get services.'),
-      refetchInterval() {
-        return options?.autoRefreshRate ?? false;
-      },
+      refetchInterval: options?.autoRefreshRate,
+      select: options?.select,
     }
   );
 }
diff --git a/app/react/kubernetes/volumes/ListView/VolumesDatatable.tsx b/app/react/kubernetes/volumes/ListView/VolumesDatatable.tsx
index b81f60e9a..032fe63aa 100644
--- a/app/react/kubernetes/volumes/ListView/VolumesDatatable.tsx
+++ b/app/react/kubernetes/volumes/ListView/VolumesDatatable.tsx
@@ -16,12 +16,17 @@ import {
 } from '../../datatables/DefaultDatatableSettings';
 import { SystemResourceDescription } from '../../datatables/SystemResourceDescription';
 import { useNamespacesQuery } from '../../namespaces/queries/useNamespacesQuery';
-import { useAllVolumesQuery } from '../queries/useVolumesQuery';
+import {
+  convertToVolumeViewModels,
+  useAllVolumesQuery,
+} from '../queries/useVolumesQuery';
 import { isSystemNamespace } from '../../namespaces/queries/useIsSystemNamespace';
 import { useDeleteVolumes } from '../queries/useDeleteVolumes';
 import { isVolumeUsed } from '../utils';
+import { K8sVolumeInfo } from '../types';
 
 import { columns } from './columns';
+import { VolumeViewModel } from './types';
 
 export function VolumesDatatable() {
   const tableState = useTableStateWithStorage<TableSettings>(
@@ -45,21 +50,15 @@ export function VolumesDatatable() {
   const namespaces = namespaceListQuery.data ?? [];
   const volumesQuery = useAllVolumesQuery(envId, {
     refetchInterval: tableState.autoRefreshRate * 1000,
+    select: transformAndFilterVolumes,
   });
   const volumes = volumesQuery.data ?? [];
 
-  const filteredVolumes = tableState.showSystemResources
-    ? volumes
-    : volumes.filter(
-        (volume) =>
-          !isSystemNamespace(volume.ResourcePool.Namespace.Name, namespaces)
-      );
-
   return (
     <Datatable
       data-cy="k8s-volumes-datatable"
       isLoading={volumesQuery.isLoading || namespaceListQuery.isLoading}
-      dataset={filteredVolumes}
+      dataset={volumes}
       columns={columns}
       settingsManager={tableState}
       title="Volumes"
@@ -96,4 +95,15 @@ export function VolumesDatatable() {
       }
     />
   );
+
+  function transformAndFilterVolumes(
+    volumes: K8sVolumeInfo[]
+  ): VolumeViewModel[] {
+    const transformedVolumes = convertToVolumeViewModels(volumes);
+    return transformedVolumes.filter(
+      (volume) =>
+        tableState.showSystemResources ||
+        !isSystemNamespace(volume.ResourcePool.Namespace.Name, namespaces)
+    );
+  }
 }
diff --git a/app/react/kubernetes/volumes/queries/useDeleteVolumes.ts b/app/react/kubernetes/volumes/queries/useDeleteVolumes.ts
index 78d5a295d..7732c2b58 100644
--- a/app/react/kubernetes/volumes/queries/useDeleteVolumes.ts
+++ b/app/react/kubernetes/volumes/queries/useDeleteVolumes.ts
@@ -36,7 +36,7 @@ export function useDeleteVolumes(environmentId: EnvironmentId) {
         );
       }
       queryClient.invalidateQueries(queryKeys.storages(environmentId));
-      queryClient.invalidateQueries(queryKeys.volumes(environmentId));
+      return queryClient.invalidateQueries(queryKeys.volumes(environmentId));
     },
     ...withGlobalError('Unable to remove volumes'),
   });
diff --git a/app/react/kubernetes/volumes/queries/useNamespaceVolumes.ts b/app/react/kubernetes/volumes/queries/useNamespaceVolumes.ts
deleted file mode 100644
index cdf6b6ee0..000000000
--- a/app/react/kubernetes/volumes/queries/useNamespaceVolumes.ts
+++ /dev/null
@@ -1,51 +0,0 @@
-import { useQuery } from '@tanstack/react-query';
-
-import { EnvironmentId } from '@/react/portainer/environments/types';
-import { withGlobalError } from '@/react-tools/react-query';
-import axios, { parseAxiosError } from '@/portainer/services/axios';
-
-import { K8sVolumeInfo } from '../types';
-
-import { queryKeys } from './query-keys';
-import { convertToVolumeViewModels } from './useVolumesQuery';
-
-// useQuery to get a list of all volumes in a cluster
-export function useNamespaceVolumes(
-  environmentId: EnvironmentId,
-  namespace: string,
-  queryOptions?: {
-    refetchInterval?: number;
-    withApplications?: boolean;
-  }
-) {
-  return useQuery(
-    queryKeys.volumes(environmentId),
-    () =>
-      getNamespaceVolumes(environmentId, namespace, {
-        withApplications: queryOptions?.withApplications ?? false,
-      }),
-    {
-      enabled: !!namespace,
-      refetchInterval: queryOptions?.refetchInterval,
-      select: convertToVolumeViewModels,
-      ...withGlobalError('Unable to retrieve volumes'),
-    }
-  );
-}
-
-// get all volumes in a cluster
-async function getNamespaceVolumes(
-  environmentId: EnvironmentId,
-  namespace: string,
-  params?: { withApplications: boolean }
-) {
-  try {
-    const { data } = await axios.get<K8sVolumeInfo[]>(
-      `/kubernetes/${environmentId}/namespaces/${namespace}/volumes`,
-      { params }
-    );
-    return data;
-  } catch (e) {
-    throw parseAxiosError(e, 'Unable to retrieve volumes');
-  }
-}
diff --git a/app/react/kubernetes/volumes/queries/useVolumesQuery.ts b/app/react/kubernetes/volumes/queries/useVolumesQuery.ts
index 94b30345b..646065758 100644
--- a/app/react/kubernetes/volumes/queries/useVolumesQuery.ts
+++ b/app/react/kubernetes/volumes/queries/useVolumesQuery.ts
@@ -14,10 +14,11 @@ import { appOwnerLabel } from '../../applications/constants';
 import { queryKeys } from './query-keys';
 
 // useQuery to get a list of all volumes in a cluster
-export function useAllVolumesQuery(
+export function useAllVolumesQuery<T = K8sVolumeInfo>(
   environmentId: EnvironmentId,
   queryOptions?: {
     refetchInterval?: number;
+    select?: (volumes: K8sVolumeInfo[]) => T[];
   }
 ) {
   return useQuery(
@@ -25,7 +26,7 @@ export function useAllVolumesQuery(
     () => getAllVolumes(environmentId, { withApplications: true }),
     {
       refetchInterval: queryOptions?.refetchInterval,
-      select: convertToVolumeViewModels,
+      select: queryOptions?.select,
       ...withGlobalError('Unable to retrieve volumes'),
     }
   );

From 0556ffb4a11def2c7cc58a43117a2c41e1b219ea Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Sat, 28 Jun 2025 08:41:10 +1200
Subject: [PATCH 157/212] feat(csrf): add trusted origins cli flags [BE-11972]
 (#836)

---
 api/cli/cli.go                                |   1 +
 api/cmd/portainer/main.go                     |  14 ++
 api/http/csrf/csrf.go                         |  42 ++++-
 .../middlewares/plaintext_http_request.go     |  42 ++++-
 .../plaintext_http_request_test.go            | 173 ++++++++++++++++++
 api/http/server.go                            |   3 +-
 api/portainer.go                              |   3 +
 pkg/validate/validate.go                      |  29 +++
 pkg/validate/validate_test.go                 |  61 ++++++
 9 files changed, 359 insertions(+), 9 deletions(-)
 create mode 100644 api/http/middlewares/plaintext_http_request_test.go

diff --git a/api/cli/cli.go b/api/cli/cli.go
index f6035f298..7f6d80e68 100644
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -61,6 +61,7 @@ func CLIFlags() *portainer.CLIFlags {
 		LogMode:                   kingpin.Flag("log-mode", "Set the logging output mode").Default("PRETTY").Enum("NOCOLOR", "PRETTY", "JSON"),
 		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
 		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
+		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
 	}
 }
 
diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 6261efbd9..90fd34fd2 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -52,6 +52,7 @@ import (
 	"github.com/portainer/portainer/pkg/libhelm"
 	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"
+	"github.com/portainer/portainer/pkg/validate"
 
 	"github.com/gofrs/uuid"
 	"github.com/rs/zerolog/log"
@@ -330,6 +331,18 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		featureflags.Parse(*flags.FeatureFlags, portainer.SupportedFeatureFlags)
 	}
 
+	trustedOrigins := []string{}
+	if *flags.TrustedOrigins != "" {
+		// validate if the trusted origins are valid urls
+		for _, origin := range strings.Split(*flags.TrustedOrigins, ",") {
+			if !validate.IsTrustedOrigin(origin) {
+				log.Fatal().Str("trusted_origin", origin).Msg("invalid url for trusted origin. Please check the trusted origins flag.")
+			}
+
+			trustedOrigins = append(trustedOrigins, origin)
+		}
+	}
+
 	fileService := initFileService(*flags.Data)
 	encryptionKey := loadEncryptionSecretKey(*flags.SecretKeyName)
 	if encryptionKey == nil {
@@ -578,6 +591,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		PendingActionsService:       pendingActionsService,
 		PlatformService:             platformService,
 		PullLimitCheckDisabled:      *flags.PullLimitCheckDisabled,
+		TrustedOrigins:              trustedOrigins,
 	}
 }
 
diff --git a/api/http/csrf/csrf.go b/api/http/csrf/csrf.go
index 857d72c8b..6205c9290 100644
--- a/api/http/csrf/csrf.go
+++ b/api/http/csrf/csrf.go
@@ -2,6 +2,7 @@ package csrf
 
 import (
 	"crypto/rand"
+	"errors"
 	"fmt"
 	"net/http"
 	"os"
@@ -9,7 +10,8 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
-	gorillacsrf "github.com/gorilla/csrf"
+	gcsrf "github.com/gorilla/csrf"
+	"github.com/rs/zerolog/log"
 	"github.com/urfave/negroni"
 )
 
@@ -19,7 +21,7 @@ func SkipCSRFToken(w http.ResponseWriter) {
 	w.Header().Set(csrfSkipHeader, "1")
 }
 
-func WithProtect(handler http.Handler) (http.Handler, error) {
+func WithProtect(handler http.Handler, trustedOrigins []string) (http.Handler, error) {
 	// IsDockerDesktopExtension is used to check if we should skip csrf checks in the request bouncer (ShouldSkipCSRFCheck)
 	// DOCKER_EXTENSION is set to '1' in build/docker-extension/docker-compose.yml
 	isDockerDesktopExtension := false
@@ -34,10 +36,12 @@ func WithProtect(handler http.Handler) (http.Handler, error) {
 		return nil, fmt.Errorf("failed to generate CSRF token: %w", err)
 	}
 
-	handler = gorillacsrf.Protect(
+	handler = gcsrf.Protect(
 		token,
-		gorillacsrf.Path("/"),
-		gorillacsrf.Secure(false),
+		gcsrf.Path("/"),
+		gcsrf.Secure(false),
+		gcsrf.TrustedOrigins(trustedOrigins),
+		gcsrf.ErrorHandler(withErrorHandler(trustedOrigins)),
 	)(handler)
 
 	return withSkipCSRF(handler, isDockerDesktopExtension), nil
@@ -55,7 +59,7 @@ func withSendCSRFToken(handler http.Handler) http.Handler {
 			}
 
 			if statusCode := sw.Status(); statusCode >= 200 && statusCode < 300 {
-				sw.Header().Set("X-CSRF-Token", gorillacsrf.Token(r))
+				sw.Header().Set("X-CSRF-Token", gcsrf.Token(r))
 			}
 		})
 
@@ -73,9 +77,33 @@ func withSkipCSRF(handler http.Handler, isDockerDesktopExtension bool) http.Hand
 		}
 
 		if skip {
-			r = gorillacsrf.UnsafeSkipCheck(r)
+			r = gcsrf.UnsafeSkipCheck(r)
 		}
 
 		handler.ServeHTTP(w, r)
 	})
 }
+
+func withErrorHandler(trustedOrigins []string) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		err := gcsrf.FailureReason(r)
+
+		if errors.Is(err, gcsrf.ErrBadOrigin) || errors.Is(err, gcsrf.ErrBadReferer) || errors.Is(err, gcsrf.ErrNoReferer) {
+			log.Error().Err(err).
+				Str("request_url", r.URL.String()).
+				Str("host", r.Host).
+				Str("x_forwarded_proto", r.Header.Get("X-Forwarded-Proto")).
+				Str("forwarded", r.Header.Get("Forwarded")).
+				Str("origin", r.Header.Get("Origin")).
+				Str("referer", r.Header.Get("Referer")).
+				Strs("trusted_origins", trustedOrigins).
+				Msg("Failed to validate Origin or Referer")
+		}
+
+		http.Error(
+			w,
+			http.StatusText(http.StatusForbidden)+" - "+err.Error(),
+			http.StatusForbidden,
+		)
+	})
+}
diff --git a/api/http/middlewares/plaintext_http_request.go b/api/http/middlewares/plaintext_http_request.go
index 668346098..e746fd819 100644
--- a/api/http/middlewares/plaintext_http_request.go
+++ b/api/http/middlewares/plaintext_http_request.go
@@ -3,6 +3,7 @@ package middlewares
 import (
 	"net/http"
 	"slices"
+	"strings"
 
 	"github.com/gorilla/csrf"
 )
@@ -16,6 +17,45 @@ type plainTextHTTPRequestHandler struct {
 	next http.Handler
 }
 
+// parseForwardedHeaderProto parses the Forwarded header and extracts the protocol.
+// The Forwarded header format supports:
+// - Single proxy: Forwarded: by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>
+// - Multiple proxies: Forwarded: for=192.0.2.43, for=198.51.100.17
+// We take the first (leftmost) entry as it represents the original client
+func parseForwardedHeaderProto(forwarded string) string {
+	if forwarded == "" {
+		return ""
+	}
+
+	// Parse the first part (leftmost proxy, closest to original client)
+	firstPart, _, _ := strings.Cut(forwarded, ",")
+	firstPart = strings.TrimSpace(firstPart)
+
+	// Split by semicolon to get key-value pairs within this proxy entry
+	// Format: key=value;key=value;key=value
+	pairs := strings.Split(firstPart, ";")
+	for _, pair := range pairs {
+		// Split by equals sign to separate key and value
+		key, value, found := strings.Cut(pair, "=")
+		if !found {
+			continue
+		}
+
+		if strings.EqualFold(strings.TrimSpace(key), "proto") {
+			return strings.Trim(strings.TrimSpace(value), `"'`)
+		}
+	}
+
+	return ""
+}
+
+// isHTTPSRequest checks if the original request was made over HTTPS
+// by examining both X-Forwarded-Proto and Forwarded headers
+func isHTTPSRequest(r *http.Request) bool {
+	return strings.EqualFold(r.Header.Get("X-Forwarded-Proto"), "https") ||
+		strings.EqualFold(parseForwardedHeaderProto(r.Header.Get("Forwarded")), "https")
+}
+
 func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if slices.Contains(safeMethods, r.Method) {
 		h.next.ServeHTTP(w, r)
@@ -24,7 +64,7 @@ func (h *plainTextHTTPRequestHandler) ServeHTTP(w http.ResponseWriter, r *http.R
 
 	req := r
 	// If original request was HTTPS (via proxy), keep CSRF checks.
-	if xfproto := r.Header.Get("X-Forwarded-Proto"); xfproto != "https" {
+	if !isHTTPSRequest(r) {
 		req = csrf.PlaintextHTTPRequest(r)
 	}
 
diff --git a/api/http/middlewares/plaintext_http_request_test.go b/api/http/middlewares/plaintext_http_request_test.go
new file mode 100644
index 000000000..33912be80
--- /dev/null
+++ b/api/http/middlewares/plaintext_http_request_test.go
@@ -0,0 +1,173 @@
+package middlewares
+
+import (
+	"testing"
+)
+
+var tests = []struct {
+	name      string
+	forwarded string
+	expected  string
+}{
+	{
+		name:      "empty header",
+		forwarded: "",
+		expected:  "",
+	},
+	{
+		name:      "single proxy with proto=https",
+		forwarded: "proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "single proxy with proto=http",
+		forwarded: "proto=http",
+		expected:  "http",
+	},
+	{
+		name:      "single proxy with multiple directives",
+		forwarded: "for=192.0.2.60;proto=https;by=203.0.113.43",
+		expected:  "https",
+	},
+	{
+		name:      "single proxy with proto in middle",
+		forwarded: "for=192.0.2.60;proto=https;host=example.com",
+		expected:  "https",
+	},
+	{
+		name:      "single proxy with proto at end",
+		forwarded: "for=192.0.2.60;host=example.com;proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "multiple proxies - takes first",
+		forwarded: "proto=https, proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "multiple proxies with complex format",
+		forwarded: "for=192.0.2.43;proto=https, for=198.51.100.17;proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "multiple proxies with for directive only",
+		forwarded: "for=192.0.2.43, for=198.51.100.17",
+		expected:  "",
+	},
+	{
+		name:      "multiple proxies with proto only in second",
+		forwarded: "for=192.0.2.43, proto=https",
+		expected:  "",
+	},
+	{
+		name:      "multiple proxies with proto only in first",
+		forwarded: "proto=https, for=198.51.100.17",
+		expected:  "https",
+	},
+	{
+		name:      "quoted protocol value",
+		forwarded: "proto=\"https\"",
+		expected:  "https",
+	},
+	{
+		name:      "single quoted protocol value",
+		forwarded: "proto='https'",
+		expected:  "https",
+	},
+	{
+		name:      "mixed case protocol",
+		forwarded: "proto=HTTPS",
+		expected:  "HTTPS",
+	},
+	{
+		name:      "no proto directive",
+		forwarded: "for=192.0.2.60;by=203.0.113.43",
+		expected:  "",
+	},
+	{
+		name:      "empty proto value",
+		forwarded: "proto=",
+		expected:  "",
+	},
+	{
+		name:      "whitespace around values",
+		forwarded: " proto = https ",
+		expected:  "https",
+	},
+	{
+		name:      "whitespace around semicolons",
+		forwarded: "for=192.0.2.60 ; proto=https ; by=203.0.113.43",
+		expected:  "https",
+	},
+	{
+		name:      "whitespace around commas",
+		forwarded: "proto=https , proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "IPv6 address in for directive",
+		forwarded: "for=\"[2001:db8:cafe::17]:4711\";proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "complex multiple proxies with IPv6",
+		forwarded: "for=192.0.2.43;proto=https, for=\"[2001:db8:cafe::17]\";proto=http",
+		expected:  "https",
+	},
+	{
+		name:      "obfuscated identifiers",
+		forwarded: "for=_mdn;proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "unknown identifier",
+		forwarded: "for=unknown;proto=https",
+		expected:  "https",
+	},
+	{
+		name:      "malformed key-value pair",
+		forwarded: "proto",
+		expected:  "",
+	},
+	{
+		name:      "malformed key-value pair with equals",
+		forwarded: "proto=",
+		expected:  "",
+	},
+	{
+		name:      "multiple equals signs",
+		forwarded: "proto=https=extra",
+		expected:  "https=extra",
+	},
+	{
+		name:      "mixed case directive name",
+		forwarded: "PROTO=https",
+		expected:  "https",
+	},
+	{
+		name:      "mixed case directive name with spaces",
+		forwarded: " Proto = https ",
+		expected:  "https",
+	},
+}
+
+func TestParseForwardedHeaderProto(t *testing.T) {
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := parseForwardedHeaderProto(tt.forwarded)
+			if result != tt.expected {
+				t.Errorf("parseForwardedHeader(%q) = %q, want %q", tt.forwarded, result, tt.expected)
+			}
+		})
+	}
+}
+
+func FuzzParseForwardedHeaderProto(f *testing.F) {
+	for _, t := range tests {
+		f.Add(t.forwarded)
+	}
+
+	f.Fuzz(func(t *testing.T, forwarded string) {
+		parseForwardedHeaderProto(forwarded)
+	})
+}
diff --git a/api/http/server.go b/api/http/server.go
index 88d131650..e876ca5d2 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -113,6 +113,7 @@ type Server struct {
 	PendingActionsService       *pendingactions.PendingActionsService
 	PlatformService             platform.Service
 	PullLimitCheckDisabled      bool
+	TrustedOrigins              []string
 }
 
 // Start starts the HTTP server
@@ -336,7 +337,7 @@ func (server *Server) Start() error {
 
 	handler = middlewares.WithPanicLogger(middlewares.WithSlowRequestsLogger(handler))
 
-	handler, err := csrf.WithProtect(handler)
+	handler, err := csrf.WithProtect(handler, server.TrustedOrigins)
 	if err != nil {
 		return errors.Wrap(err, "failed to create CSRF middleware")
 	}
diff --git a/api/portainer.go b/api/portainer.go
index b3b917a08..1e5f2ea6f 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -139,6 +139,7 @@ type (
 		LogMode                   *string
 		KubectlShellImage         *string
 		PullLimitCheckDisabled    *bool
+		TrustedOrigins            *string
 	}
 
 	// CustomTemplateVariableDefinition
@@ -1787,6 +1788,8 @@ const (
 	LicenseServerBaseURL = "https://api.portainer.io"
 	// URL to validate licenses along with system metadata.
 	LicenseCheckInURL = LicenseServerBaseURL + "/licenses/checkin"
+	// TrustedOriginsEnvVar is the environment variable used to set the trusted origins for CSRF protection
+	TrustedOriginsEnvVar = "TRUSTED_ORIGINS"
 )
 
 // List of supported features
diff --git a/pkg/validate/validate.go b/pkg/validate/validate.go
index f647d1e17..8ad69df72 100644
--- a/pkg/validate/validate.go
+++ b/pkg/validate/validate.go
@@ -80,3 +80,32 @@ func IsDNSName(s string) bool {
 
 	return !IsIP(s) && dnsNameRegex.MatchString(s)
 }
+
+func IsTrustedOrigin(s string) bool {
+	// Reject if a scheme is present
+	if strings.Contains(s, "://") {
+		return false
+	}
+
+	// Prepend http:// for parsing
+	strTemp := "http://" + s
+	parsedOrigin, err := url.Parse(strTemp)
+	if err != nil {
+		return false
+	}
+
+	// Validate host, and ensure no user, path, query, fragment, port, etc.
+	if parsedOrigin.Host == "" ||
+		parsedOrigin.User != nil ||
+		parsedOrigin.Path != "" ||
+		parsedOrigin.RawQuery != "" ||
+		parsedOrigin.Fragment != "" ||
+		parsedOrigin.Opaque != "" ||
+		parsedOrigin.RawFragment != "" ||
+		parsedOrigin.RawPath != "" ||
+		parsedOrigin.Port() != "" {
+		return false
+	}
+
+	return true
+}
diff --git a/pkg/validate/validate_test.go b/pkg/validate/validate_test.go
index f3cb6a01c..ca054190d 100644
--- a/pkg/validate/validate_test.go
+++ b/pkg/validate/validate_test.go
@@ -437,3 +437,64 @@ func Test_IsDNSName(t *testing.T) {
 		})
 	}
 }
+
+func Test_IsTrustedOrigin(t *testing.T) {
+	f := func(s string, expected bool) {
+		t.Helper()
+
+		result := IsTrustedOrigin(s)
+		if result != expected {
+			t.Fatalf("unexpected result for %q; got %t; want %t", s, result, expected)
+		}
+	}
+
+	// Valid trusted origins - host only
+	f("localhost", true)
+	f("example.com", true)
+	f("192.168.1.1", true)
+	f("api.example.com", true)
+	f("subdomain.example.org", true)
+
+	// Invalid trusted origins - host with port (no longer allowed)
+	f("localhost:8080", false)
+	f("example.com:3000", false)
+	f("192.168.1.1:443", false)
+	f("api.example.com:9000", false)
+
+	// Invalid trusted origins - empty or malformed
+	f("", false)
+	f("invalid url", false)
+	f("://example.com", false)
+
+	// Invalid trusted origins - with scheme
+	f("http://example.com", false)
+	f("https://localhost", false)
+	f("ftp://192.168.1.1", false)
+
+	// Invalid trusted origins - with user info
+	f("user@example.com", false)
+	f("user:pass@localhost", false)
+
+	// Invalid trusted origins - with path
+	f("example.com/path", false)
+	f("localhost/api", false)
+	f("192.168.1.1/static", false)
+
+	// Invalid trusted origins - with query parameters
+	f("example.com?param=value", false)
+	f("localhost:8080?query=test", false)
+
+	// Invalid trusted origins - with fragment
+	f("example.com#fragment", false)
+	f("localhost:3000#section", false)
+
+	// Invalid trusted origins - with multiple invalid components
+	f("https://user@example.com/path?query=value#fragment", false)
+	f("http://localhost:8080/api/v1?param=test", false)
+
+	// Edge cases - ports are no longer allowed
+	f("example.com:0", false)     // port 0 is no longer valid
+	f("example.com:65535", false) // max port number is no longer valid
+	f("example.com:99999", false) // invalid port number
+	f("example.com:-1", false)    // negative port
+}

From b43f864511c00cfbee53b8ed2ddb4bba4d55bf7f Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Mon, 30 Jun 2025 15:35:51 +0200
Subject: [PATCH 158/212] fix(api/endpoints): filter out waiting room
 environments for non admins (#810)

---
 api/http/handler/endpoints/endpoint_list.go | 5 ++---
 api/http/handler/endpoints/filter.go        | 7 +++++++
 api/http/handler/endpoints/filter_test.go   | 2 ++
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/api/http/handler/endpoints/endpoint_list.go b/api/http/handler/endpoints/endpoint_list.go
index 86f1b1d3c..43b14ad6a 100644
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -95,12 +95,11 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		return httperror.BadRequest("Invalid query parameters", err)
 	}
 
-	filteredEndpoints := security.FilterEndpoints(endpoints, endpointGroups, securityContext)
-
-	filteredEndpoints, totalAvailableEndpoints, err := handler.filterEndpointsByQuery(filteredEndpoints, query, endpointGroups, edgeGroups, settings)
+	filteredEndpoints, totalAvailableEndpoints, err := handler.filterEndpointsByQuery(endpoints, query, endpointGroups, edgeGroups, settings, securityContext)
 	if err != nil {
 		return httperror.InternalServerError("Unable to filter endpoints", err)
 	}
+	filteredEndpoints = security.FilterEndpoints(filteredEndpoints, endpointGroups, securityContext)
 
 	sortEnvironmentsByField(filteredEndpoints, endpointGroups, getSortKey(sortField), sortOrder == "desc")
 
diff --git a/api/http/handler/endpoints/filter.go b/api/http/handler/endpoints/filter.go
index 9b6004d1c..c8b4ede08 100644
--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@@ -11,6 +11,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/handler/edgegroups"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/endpointutils"
 	"github.com/portainer/portainer/api/slicesx"
@@ -140,6 +141,7 @@ func (handler *Handler) filterEndpointsByQuery(
 	groups []portainer.EndpointGroup,
 	edgeGroups []portainer.EdgeGroup,
 	settings *portainer.Settings,
+	context *security.RestrictedRequestContext,
 ) ([]portainer.Endpoint, int, error) {
 	totalAvailableEndpoints := len(filteredEndpoints)
 
@@ -181,11 +183,16 @@ func (handler *Handler) filterEndpointsByQuery(
 	}
 
 	// filter edge environments by trusted/untrusted
+	// only portainer admins are allowed to see untrusted environments
 	filteredEndpoints = filter(filteredEndpoints, func(endpoint portainer.Endpoint) bool {
 		if !endpointutils.IsEdgeEndpoint(&endpoint) {
 			return true
 		}
 
+		if query.edgeDeviceUntrusted {
+			return !endpoint.UserTrusted && context.IsAdmin
+		}
+
 		return endpoint.UserTrusted == !query.edgeDeviceUntrusted
 	})
 
diff --git a/api/http/handler/endpoints/filter_test.go b/api/http/handler/endpoints/filter_test.go
index f19d0a276..8abc76fb7 100644
--- a/api/http/handler/endpoints/filter_test.go
+++ b/api/http/handler/endpoints/filter_test.go
@@ -6,6 +6,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/slicesx"
 
@@ -263,6 +264,7 @@ func runTest(t *testing.T, test filterTest, handler *Handler, endpoints []portai
 		[]portainer.EndpointGroup{},
 		[]portainer.EdgeGroup{},
 		&portainer.Settings{},
+		&security.RestrictedRequestContext{IsAdmin: true},
 	)
 
 	is.NoError(err)

From b6f3682a62fead59829ca8a00977196705591de4 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Tue, 1 Jul 2025 06:15:56 +1200
Subject: [PATCH 159/212] refactor(edge): init endpoint relation when endpoint
 is created [BE-11928] (#814)

---
 api/datastore/migrator/migrate_2_32_0.go      | 33 +++++++++++++++++++
 api/datastore/migrator/migrator.go            |  2 ++
 .../handler/edgegroups/edgegroup_update.go    |  8 +----
 .../endpointedge_status_inspect.go            |  3 --
 api/http/handler/endpointgroups/endpoints.go  |  9 +----
 api/http/handler/endpoints/endpoint_create.go |  4 +++
 .../endpoints/update_edge_relations.go        | 12 +------
 api/http/handler/tags/tag_delete.go           | 15 +++------
 api/internal/edge/edgestacks/service.go       |  3 --
 api/internal/endpointutils/endpointutils.go   | 16 +++++++++
 10 files changed, 62 insertions(+), 43 deletions(-)
 create mode 100644 api/datastore/migrator/migrate_2_32_0.go

diff --git a/api/datastore/migrator/migrate_2_32_0.go b/api/datastore/migrator/migrate_2_32_0.go
new file mode 100644
index 000000000..c32a63cad
--- /dev/null
+++ b/api/datastore/migrator/migrate_2_32_0.go
@@ -0,0 +1,33 @@
+package migrator
+
+import (
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	perrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/portainer/portainer/api/internal/endpointutils"
+)
+
+func (m *Migrator) addEndpointRelationForEdgeAgents_2_32_0() error {
+	endpoints, err := m.endpointService.Endpoints()
+	if err != nil {
+		return err
+	}
+
+	for _, endpoint := range endpoints {
+		if endpointutils.IsEdgeEndpoint(&endpoint) {
+			_, err := m.endpointRelationService.EndpointRelation(endpoint.ID)
+			if err != nil && errors.Is(err, perrors.ErrObjectNotFound) {
+				relation := &portainer.EndpointRelation{
+					EndpointID: endpoint.ID,
+					EdgeStacks: make(map[portainer.EdgeStackID]bool),
+				}
+
+				if err := m.endpointRelationService.Create(relation); err != nil {
+					return err
+				}
+			}
+		}
+	}
+
+	return nil
+}
diff --git a/api/datastore/migrator/migrator.go b/api/datastore/migrator/migrator.go
index 992dd0b9d..4c2a50e59 100644
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -249,6 +249,8 @@ func (m *Migrator) initMigrations() {
 
 	m.addMigrations("2.31.0", m.migrateEdgeStacksStatuses_2_31_0)
 
+	m.addMigrations("2.32.0", m.addEndpointRelationForEdgeAgents_2_32_0)
+
 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
 }
diff --git a/api/http/handler/edgegroups/edgegroup_update.go b/api/http/handler/edgegroups/edgegroup_update.go
index 7831b634e..a51ae33d4 100644
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -163,7 +163,7 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 
 func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
+	if err != nil {
 		return err
 	}
 
@@ -179,12 +179,6 @@ func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoi
 		edgeStackSet[edgeStackID] = true
 	}
 
-	if relation == nil {
-		relation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: make(map[portainer.EdgeStackID]bool),
-		}
-	}
 	relation.EdgeStacks = edgeStackSet
 
 	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, relation)
diff --git a/api/http/handler/endpointedge/endpointedge_status_inspect.go b/api/http/handler/endpointedge/endpointedge_status_inspect.go
index 4d6368493..9bd341561 100644
--- a/api/http/handler/endpointedge/endpointedge_status_inspect.go
+++ b/api/http/handler/endpointedge/endpointedge_status_inspect.go
@@ -264,9 +264,6 @@ func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID p
 func (handler *Handler) buildEdgeStacks(tx dataservices.DataStoreTx, endpointID portainer.EndpointID) ([]stackStatusResponse, *httperror.HandlerError) {
 	relation, err := tx.EndpointRelation().EndpointRelation(endpointID)
 	if err != nil {
-		if tx.IsErrObjectNotFound(err) {
-			return nil, nil
-		}
 		return nil, httperror.InternalServerError("Unable to retrieve relation object from the database", err)
 	}
 
diff --git a/api/http/handler/endpointgroups/endpoints.go b/api/http/handler/endpointgroups/endpoints.go
index b34032d9e..8b420f2a6 100644
--- a/api/http/handler/endpointgroups/endpoints.go
+++ b/api/http/handler/endpointgroups/endpoints.go
@@ -21,17 +21,10 @@ func (handler *Handler) updateEndpointRelations(tx dataservices.DataStoreTx, end
 	}
 
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil && !tx.IsErrObjectNotFound(err) {
+	if err != nil {
 		return err
 	}
 
-	if endpointRelation == nil {
-		endpointRelation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: make(map[portainer.EdgeStackID]bool),
-		}
-	}
-
 	edgeGroups, err := tx.EdgeGroup().ReadAll()
 	if err != nil {
 		return err
diff --git a/api/http/handler/endpoints/endpoint_create.go b/api/http/handler/endpoints/endpoint_create.go
index 1c6415023..3cfe934bc 100644
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@@ -563,6 +563,10 @@ func (handler *Handler) saveEndpointAndUpdateAuthorizations(tx dataservices.Data
 		return err
 	}
 
+	if err := endpointutils.InitializeEdgeEndpointRelation(endpoint, tx); err != nil {
+		return err
+	}
+
 	for _, tagID := range endpoint.TagIDs {
 		if err := tx.Tag().UpdateTagFunc(tagID, func(tag *portainer.Tag) {
 			tag.Endpoints[endpoint.ID] = true
diff --git a/api/http/handler/endpoints/update_edge_relations.go b/api/http/handler/endpoints/update_edge_relations.go
index 1390c9fd4..c487519f0 100644
--- a/api/http/handler/endpoints/update_edge_relations.go
+++ b/api/http/handler/endpoints/update_edge_relations.go
@@ -17,17 +17,7 @@ func (handler *Handler) updateEdgeRelations(tx dataservices.DataStoreTx, endpoin
 
 	relation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
 	if err != nil {
-		if !tx.IsErrObjectNotFound(err) {
-			return errors.WithMessage(err, "Unable to retrieve environment relation inside the database")
-		}
-
-		relation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: map[portainer.EdgeStackID]bool{},
-		}
-		if err := tx.EndpointRelation().Create(relation); err != nil {
-			return errors.WithMessage(err, "Unable to create environment relation inside the database")
-		}
+		return errors.WithMessage(err, "Unable to retrieve environment relation inside the database")
 	}
 
 	endpointGroup, err := tx.EndpointGroup().Read(endpoint.GroupID)
diff --git a/api/http/handler/tags/tag_delete.go b/api/http/handler/tags/tag_delete.go
index 4f8554faf..1fa98e394 100644
--- a/api/http/handler/tags/tag_delete.go
+++ b/api/http/handler/tags/tag_delete.go
@@ -8,6 +8,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/edge"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -104,9 +105,8 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 	}
 
 	for _, endpoint := range endpoints {
-		if (tag.Endpoints[endpoint.ID] || tag.EndpointGroups[endpoint.GroupID]) && (endpoint.Type == portainer.EdgeAgentOnDockerEnvironment || endpoint.Type == portainer.EdgeAgentOnKubernetesEnvironment) {
-			err = updateEndpointRelations(tx, endpoint, edgeGroups, edgeStacks)
-			if err != nil {
+		if (tag.Endpoints[endpoint.ID] || tag.EndpointGroups[endpoint.GroupID]) && endpointutils.IsEdgeEndpoint(&endpoint) {
+			if err := updateEndpointRelations(tx, endpoint, edgeGroups, edgeStacks); err != nil {
 				return httperror.InternalServerError("Unable to update environment relations in the database", err)
 			}
 		}
@@ -133,17 +133,10 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 
 func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
-	if err != nil && !tx.IsErrObjectNotFound(err) {
+	if err != nil {
 		return err
 	}
 
-	if endpointRelation == nil {
-		endpointRelation = &portainer.EndpointRelation{
-			EndpointID: endpoint.ID,
-			EdgeStacks: make(map[portainer.EdgeStackID]bool),
-		}
-	}
-
 	endpointGroup, err := tx.EndpointGroup().Read(endpoint.GroupID)
 	if err != nil {
 		return err
diff --git a/api/internal/edge/edgestacks/service.go b/api/internal/edge/edgestacks/service.go
index 5932a5ec8..c0ecb5caf 100644
--- a/api/internal/edge/edgestacks/service.go
+++ b/api/internal/edge/edgestacks/service.go
@@ -129,9 +129,6 @@ func (service *Service) updateEndpointRelations(tx dataservices.DataStoreTx, edg
 	for _, endpointID := range relatedEndpointIds {
 		relation, err := endpointRelationService.EndpointRelation(endpointID)
 		if err != nil {
-			if tx.IsErrObjectNotFound(err) {
-				continue
-			}
 			return fmt.Errorf("unable to find endpoint relation in database: %w", err)
 		}
 
diff --git a/api/internal/endpointutils/endpointutils.go b/api/internal/endpointutils/endpointutils.go
index 6b7eb1c2d..f596ae0d5 100644
--- a/api/internal/endpointutils/endpointutils.go
+++ b/api/internal/endpointutils/endpointutils.go
@@ -249,3 +249,19 @@ func getEndpointCheckinInterval(endpoint *portainer.Endpoint, settings *portaine
 
 	return defaultInterval
 }
+
+func InitializeEdgeEndpointRelation(endpoint *portainer.Endpoint, tx dataservices.DataStoreTx) error {
+	if !IsEdgeEndpoint(endpoint) {
+		return nil
+	}
+
+	relation := &portainer.EndpointRelation{
+		EndpointID: endpoint.ID,
+		EdgeStacks: make(map[portainer.EdgeStackID]bool),
+	}
+
+	if err := tx.EndpointRelation().Create(relation); err != nil {
+		return err
+	}
+	return nil
+}

From cf5990ccbab23bb2baafe49c8ed437e3ea29238e Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 30 Jun 2025 20:54:16 -0300
Subject: [PATCH 160/212] fix(edgestackstatus): improve error handling BE-11963
 (#844)

---
 api/http/handler/edgestacks/edgestack_status_update.go | 4 +++-
 api/http/handler/endpoints/filter.go                   | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/api/http/handler/edgestacks/edgestack_status_update.go b/api/http/handler/edgestacks/edgestack_status_update.go
index 4f99e7ab3..0ff6a9eff 100644
--- a/api/http/handler/edgestacks/edgestack_status_update.go
+++ b/api/http/handler/edgestacks/edgestack_status_update.go
@@ -133,7 +133,9 @@ func (handler *Handler) updateEdgeStackStatus(tx dataservices.DataStoreTx, stack
 	}
 
 	environmentStatus, err := tx.EdgeStackStatus().Read(stackID, payload.EndpointID)
-	if err != nil {
+	if err != nil && !tx.IsErrObjectNotFound(err) {
+		return err
+	} else if tx.IsErrObjectNotFound(err) {
 		environmentStatus = &portainer.EdgeStackStatusForEnv{
 			EndpointID: payload.EndpointID,
 			Status:     []portainer.EdgeStackDeploymentStatus{},
diff --git a/api/http/handler/endpoints/filter.go b/api/http/handler/endpoints/filter.go
index c8b4ede08..7cf7b9760 100644
--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@@ -297,7 +297,9 @@ func filterEndpointsByEdgeStack(endpoints []portainer.Endpoint, edgeStackId port
 		n := 0
 		for _, envId := range envIds {
 			edgeStackStatus, err := datastore.EdgeStackStatus().Read(edgeStackId, envId)
-			if err != nil {
+			if dataservices.IsErrObjectNotFound(err) {
+				continue
+			} else if err != nil {
 				return nil, errors.WithMessagef(err, "Unable to retrieve edge stack status for environment %d", envId)
 			}
 

From c6ee9a5a525f86e644c017f7240eb0b01e82dbdc Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Tue, 1 Jul 2025 12:58:31 +1200
Subject: [PATCH 161/212] feat(ui): Rebranding - r8s-374 (#840)

---
 app/assets/css/button.css                     | 102 ++--
 app/assets/css/colors.json                    |  25 +
 app/assets/css/theme.css                      |  53 +-
 app/assets/css/vendor-override.css            |  20 +-
 app/assets/ico/android-chrome-192x192.png     | Bin 5654 -> 1922 bytes
 app/assets/ico/android-chrome-256x256.png     | Bin 8347 -> 2510 bytes
 app/assets/ico/apple-touch-icon.png           | Bin 6116 -> 1840 bytes
 app/assets/ico/favicon-16x16.png              | Bin 772 -> 368 bytes
 app/assets/ico/favicon-32x32.png              | Bin 1137 -> 491 bytes
 app/assets/ico/favicon.ico                    | Bin 2334 -> 7550 bytes
 app/assets/ico/logomark.svg                   |  39 +-
 app/assets/ico/mstile-150x150.png             | Bin 8697 -> 1535 bytes
 app/assets/ico/safari-pinned-tab.svg          |   7 +-
 app/assets/images/logo.png                    | Bin 5074 -> 0 bytes
 app/assets/images/logo_alt.png                | Bin 11073 -> 0 bytes
 app/assets/images/logo_alt.svg                |  72 +--
 app/assets/images/logo_alt_black.svg          |  14 +
 app/assets/images/logo_ico.png                | Bin 4253 -> 0 bytes
 app/assets/images/logo_small.png              | Bin 3105 -> 0 bytes
 app/assets/images/logo_small_alt.png          | Bin 2941 -> 0 bytes
 app/assets/images/purple-gradient.svg         | 522 ++++++++++++++++++
 app/index.html                                |   7 +-
 app/portainer/views/auth/auth.html            |   5 +-
 app/portainer/views/init/admin/initAdmin.html |   5 +-
 app/portainer/views/logout/logout.html        |   5 +-
 app/react/components/InformationPanel.tsx     |   2 +-
 .../account/AccountView/theme-options.tsx     |   6 +-
 .../sidebar/EnvironmentSidebar.module.css     |   5 +-
 app/react/sidebar/EnvironmentSidebar.tsx      |   4 +-
 app/react/sidebar/Footer/Footer.tsx           |   4 +-
 app/react/sidebar/Footer/portainer_logo.svg   |  36 --
 app/react/sidebar/Header.module.css           |   6 +-
 app/react/sidebar/Header.tsx                  |  16 +-
 app/react/sidebar/SidebarItem/SidebarItem.tsx |   4 +-
 .../sidebar/SidebarItem/SidebarParent.tsx     |   4 +-
 .../sidebar/SidebarItem/SidebarTooltip.tsx    |   2 +-
 .../SidebarItem/useSidebarSrefActive.tsx      |   2 +-
 app/react/sidebar/logomark-BE.svg             |  11 +
 app/react/sidebar/logomark-CE.svg             |  11 +
 app/react/sidebar/portainer_logo-BE.svg       |  78 ++-
 app/react/sidebar/portainer_logo-CE.svg       |  96 ++--
 41 files changed, 821 insertions(+), 342 deletions(-)
 delete mode 100644 app/assets/images/logo.png
 delete mode 100644 app/assets/images/logo_alt.png
 create mode 100644 app/assets/images/logo_alt_black.svg
 delete mode 100644 app/assets/images/logo_ico.png
 delete mode 100644 app/assets/images/logo_small.png
 delete mode 100644 app/assets/images/logo_small_alt.png
 create mode 100644 app/assets/images/purple-gradient.svg
 delete mode 100644 app/react/sidebar/Footer/portainer_logo.svg
 create mode 100644 app/react/sidebar/logomark-BE.svg
 create mode 100644 app/react/sidebar/logomark-CE.svg

diff --git a/app/assets/css/button.css b/app/assets/css/button.css
index 0aece2a15..547d9fdc0 100644
--- a/app/assets/css/button.css
+++ b/app/assets/css/button.css
@@ -29,43 +29,79 @@ fieldset[disabled] .btn {
 }
 
 .btn.btn-primary {
-  @apply border-blue-8 bg-blue-8 text-white;
-  @apply hover:border-blue-9 hover:bg-blue-9 hover:text-white;
-  @apply th-dark:hover:border-blue-7 th-dark:hover:bg-blue-7;
+  @apply border-graphite-700 bg-graphite-700 text-mist-100;
+  @apply hover:border-graphite-700/90 hover:bg-graphite-700/90 hover:text-mist-100;
+  @apply focus:border-blue-5 focus:shadow-graphite-700/80 focus:text-mist-100;
+
+  @apply th-dark:border-mist-100 th-dark:bg-mist-100 th-dark:text-graphite-700;
+  @apply th-dark:hover:border-mist-100/90 th-dark:hover:bg-mist-100/90 th-dark:hover:text-graphite-700;
+  @apply th-dark:focus:border-blue-5 th-dark:focus:shadow-white/80 th-dark:focus:text-graphite-700;
+
+  @apply th-highcontrast:border-mist-100 th-highcontrast:bg-mist-100 th-highcontrast:text-graphite-700;
+  @apply th-highcontrast:hover:border-mist-100/90 th-highcontrast:hover:bg-mist-100/90 th-highcontrast:hover:text-graphite-700;
+  @apply th-highcontrast:focus:border-blue-5 th-highcontrast:focus:shadow-white/80 th-highcontrast:focus:text-graphite-700;
+}
+
+/* Sidebar background is always dark, so we need to override the primary button styles */
+.btn.btn-primary.sidebar {
+  @apply border-mist-100 bg-mist-100 text-graphite-700;
+  @apply hover:border-mist-100/90 hover:bg-mist-100/90 hover:text-graphite-700;
+  @apply focus:border-blue-5 focus:shadow-white/80 focus:text-graphite-700;
 }
 
 .btn.btn-primary:active,
 .btn.btn-primary.active,
 .open > .dropdown-toggle.btn-primary {
-  @apply border-blue-5 bg-blue-9;
+  @apply border-graphite-700/80 bg-graphite-700 text-mist-100;
+  @apply th-dark:border-white/80 th-dark:bg-mist-100 th-dark:text-graphite-700;
+  @apply th-highcontrast:border-white/80 th-highcontrast:bg-mist-100 th-highcontrast:text-graphite-700;
 }
 
 .nav-pills > li.active > a,
 .nav-pills > li.active > a:hover,
 .nav-pills > li.active > a:focus {
-  @apply bg-blue-8;
+  @apply bg-graphite-700 text-mist-100;
+  @apply th-dark:bg-mist-100 th-dark:text-graphite-700;
+  @apply th-highcontrast:bg-mist-100 th-highcontrast:text-graphite-700;
 }
 
 /* Button Secondary */
 .btn.btn-secondary {
   @apply border border-solid;
 
-  @apply border-blue-8 bg-blue-2 text-blue-9;
-  @apply hover:bg-blue-3;
+  @apply border-graphite-700 bg-mist-100 text-graphite-700;
+  @apply hover:border-graphite-700 hover:bg-graphite-700/10 hover:text-graphite-700;
+  @apply focus:border-blue-5 focus:shadow-graphite-700/20 focus:text-graphite-700;
 
-  @apply th-dark:border-blue-7 th-dark:bg-gray-10 th-dark:text-blue-3;
-  @apply th-dark:hover:bg-blue-11;
+  @apply th-dark:border-mist-100 th-dark:bg-graphite-700 th-dark:text-mist-100;
+  @apply th-dark:hover:border-mist-100 th-dark:hover:bg-mist-100/20 th-dark:hover:text-mist-100;
+  @apply th-dark:focus:border-blue-5 th-dark:focus:shadow-white/80 th-dark:focus:text-mist-100;
+
+  @apply th-highcontrast:border-mist-100 th-highcontrast:bg-graphite-700 th-highcontrast:text-mist-100;
+  @apply th-highcontrast:hover:border-mist-100 th-highcontrast:hover:bg-mist-100/20 th-highcontrast:hover:text-mist-100;
+  @apply th-highcontrast:focus:border-blue-5 th-highcontrast:focus:shadow-white/80 th-highcontrast:focus:text-mist-100;
+}
+
+.btn.btn-secondary:active,
+.btn.btn-secondary.active,
+.open > .dropdown-toggle.btn-secondary {
+  @apply border-graphite-700 bg-graphite-700/10 text-graphite-700;
+  @apply th-dark:border-mist-100 th-dark:bg-mist-100/20 th-dark:text-mist-100;
+  @apply th-highcontrast:border-mist-100 th-highcontrast:bg-mist-100/20 th-highcontrast:text-mist-100;
 }
 
 .btn.btn-danger {
   @apply border-error-8 bg-error-8;
   @apply hover:border-error-7 hover:bg-error-7 hover:text-white;
+  @apply focus:border-blue-5 focus:shadow-error-8/20 focus:text-white;
+  @apply th-dark:focus:border-blue-5 th-dark:focus:shadow-white/80 th-dark:focus:text-white;
+  @apply th-highcontrast:focus:border-blue-5 th-highcontrast:focus:shadow-white/80 th-highcontrast:focus:text-white;
 }
 
 .btn.btn-danger:active,
 .btn.btn-danger.active,
 .open > .dropdown-toggle.btn-danger {
-  @apply border-blue-5 bg-error-8 text-white;
+  @apply border-error-5 bg-error-8 text-white;
 }
 
 .btn.btn-dangerlight {
@@ -74,6 +110,10 @@ fieldset[disabled] .btn {
   @apply hover:bg-error-2 th-dark:hover:bg-error-11;
   @apply border-error-5 th-highcontrast:border-error-7 th-dark:border-error-7;
   @apply border border-solid;
+
+  @apply focus:border-blue-5 focus:shadow-error-8/20 focus:text-error-9;
+  @apply th-dark:focus:border-blue-5 th-dark:focus:shadow-white/80 th-dark:focus:text-white;
+  @apply th-highcontrast:focus:border-blue-5 th-highcontrast:focus:shadow-white/80;
 }
 .btn.btn-icon.btn-dangerlight {
   @apply hover:text-error-11 th-dark:hover:text-error-7;
@@ -90,15 +130,18 @@ fieldset[disabled] .btn {
 /* secondary-grey */
 .btn.btn-default,
 .btn.btn-light {
-  @apply border-gray-5 bg-white text-gray-7;
-  @apply hover:border-gray-5 hover:bg-gray-3 hover:text-gray-9;
+  @apply border-gray-5 bg-white text-gray-8;
+  @apply hover:border-gray-5 hover:bg-gray-3 hover:text-gray-10;
+  @apply focus:border-blue-5 focus:shadow-graphite-700/20 focus:text-gray-8;
 
   /* dark mode */
   @apply th-dark:border-gray-warm-7 th-dark:bg-gray-iron-10 th-dark:text-gray-warm-4;
   @apply th-dark:hover:border-gray-6 th-dark:hover:bg-gray-iron-9 th-dark:hover:text-gray-warm-4;
+  @apply th-dark:focus:border-blue-5 th-dark:focus:shadow-white/80 th-dark:focus:text-gray-warm-4;
 
   @apply th-highcontrast:border-gray-2 th-highcontrast:bg-black th-highcontrast:text-white;
   @apply th-highcontrast:hover:border-gray-6 th-highcontrast:hover:bg-gray-9 th-highcontrast:hover:text-gray-warm-4;
+  @apply th-highcontrast:focus:border-blue-5 th-highcontrast:focus:shadow-white/80 th-highcontrast:focus:text-white;
 }
 
 .btn.btn-light:active,
@@ -119,42 +162,17 @@ fieldset[disabled] .btn {
 
 .input-group-btn .btn.active,
 .btn-group .btn.active {
-  @apply border-blue-5 bg-blue-2 text-blue-10;
-  @apply th-dark:border-blue-9 th-dark:bg-blue-11 th-dark:text-blue-2;
-}
-
-/* focus */
-
-.btn.btn-primary:focus,
-.btn.btn-secondary:focus,
-.btn.btn-light:focus {
-  @apply border-blue-5;
-}
-
-.btn.btn-danger:focus,
-.btn.btn-dangerlight:focus {
-  @apply border-blue-6;
-}
-
-.btn.btn-primary:focus,
-.btn.btn-secondary:focus,
-.btn.btn-light:focus,
-.btn.btn-danger:focus,
-.btn.btn-dangerlight:focus {
-  --btn-focus-color: var(--ui-blue-3);
-  box-shadow: 0px 0px 0px 4px var(--btn-focus-color);
+  @apply border-graphite-700/80 bg-graphite-700 text-mist-100;
+  @apply th-dark:border-white/80 th-dark:bg-mist-100 th-dark:text-graphite-700;
+  @apply th-highcontrast:border-white/80 th-highcontrast:bg-mist-100 th-highcontrast:text-graphite-700;
 }
 
 .btn.btn-icon:focus {
   box-shadow: none !important;
 }
 
-[theme='dark'] .btn.btn-primary:focus,
-[theme='dark'] .btn.btn-secondary:focus,
-[theme='dark'] .btn.btn-light:focus,
-[theme='dark'] .btn.btn-danger:focus,
-[theme='dark'] .btn.btn-dangerlight:focus {
-  --btn-focus-color: var(--ui-blue-11);
+.btn:focus {
+  box-shadow: 0px 0px 0px 2px var(--tw-shadow-color);
 }
 
 a.no-link,
diff --git a/app/assets/css/colors.json b/app/assets/css/colors.json
index 55f2922e5..94d3c2015 100644
--- a/app/assets/css/colors.json
+++ b/app/assets/css/colors.json
@@ -1,6 +1,31 @@
 {
   "black": "#000000",
   "white": "#ffffff",
+  "graphite": {
+    "10": "#f5f5f6",
+    "50": "#e5e6e8",
+    "100": "#ced0d3",
+    "200": "#abafb5",
+    "300": "#7b8089",
+    "400": "#5c6066",
+    "500": "#484a4e",
+    "600": "#3a3b3f",
+    "700": "#2e2f33",
+    "800": "#222326",
+    "900": "#161719"
+  },
+  "mist": {
+    "50": "#fcfbfa",
+    "100": "#f7f6f3",
+    "200": "#f0f0ec",
+    "300": "#e8e7e2",
+    "400": "#e2e1db",
+    "500": "#d9d8d2",
+    "600": "#ceccc4",
+    "700": "#bebcb4",
+    "800": "#a7a6a0",
+    "900": "#8b8983"
+  },
   "gray": {
     "1": "#fcfcfd",
     "2": "#f9fafb",
diff --git a/app/assets/css/theme.css b/app/assets/css/theme.css
index eb2d36882..318e0d9e4 100644
--- a/app/assets/css/theme.css
+++ b/app/assets/css/theme.css
@@ -3,6 +3,16 @@
   --black-color: var(--ui-black);
   --white-color: var(--ui-white);
 
+  --graphite-600: #3a3b3f;
+  --graphite-700: #2e2f33;
+  --graphite-800: #222326;
+  --graphite-900: #161719;
+
+  --mist-50: #fcfbfa;
+  --mist-100: #f7f6f3;
+  --mist-200: #f0f0ec;
+  --mist-300: #e8e7e2;
+
   --grey-1: #212121;
   --grey-2: #181818;
   --grey-3: #383838;
@@ -58,6 +68,8 @@
   --grey-58: #ebf4f8;
   --grey-59: #e6e6e6;
   --grey-61: rgb(231, 231, 231);
+  --grey-62: #fdfdfd;
+  --grey-63: #121212;
 
   --blue-1: #219;
   --blue-2: #337ab7;
@@ -99,17 +111,16 @@
   /* Default Theme */
   --bg-card-color: var(--white-color);
   --bg-main-color: var(--white-color);
-  --bg-body-color: var(--grey-9);
+  --bg-body-color: var(--grey-62);
   --bg-checkbox-border-color: var(--grey-49);
-  --bg-sidebar-color: var(--ui-blue-10);
-  --bg-sidebar-nav-color: var(--ui-blue-11);
+  --bg-sidebar-color: var(--graphite-700);
+  --bg-sidebar-nav-color: var(--graphite-600);
   --bg-widget-color: var(--white-color);
   --bg-widget-header-color: var(--grey-10);
   --bg-widget-table-color: var(--ui-gray-3);
   --bg-header-color: var(--white-color);
   --bg-hover-table-color: var(--grey-14);
   --bg-input-group-addon-color: var(--ui-gray-3);
-  --bg-btn-default-color: var(--ui-blue-10);
   --bg-blocklist-hover-color: var(--ui-blue-2);
   --bg-table-color: var(--white-color);
   --bg-md-checkbox-color: var(--grey-12);
@@ -128,7 +139,8 @@
   --border-pagination-color: var(--ui-white);
   --bg-pagination-span-color: var(--white-color);
   --bg-pagination-hover-color: var(--ui-blue-3);
-  --bg-motd-body-color: var(--grey-20);
+  --bg-motd-body-color: var(--mist-50);
+  --bg-motd-btn-color: var(--graphite-700);
   --bg-item-highlighted-color: var(--grey-21);
   --bg-item-highlighted-null-color: var(--grey-14);
   --bg-panel-body-color: var(--white-color);
@@ -144,8 +156,6 @@
   --bg-daterangepicker-in-range: var(--grey-58);
   --bg-daterangepicker-active: var(--blue-14);
   --bg-input-autofill-color: var(--bg-inputbox);
-  --bg-btn-default-hover-color: var(--ui-blue-9);
-  --bg-btn-focus: var(--grey-59);
   --bg-small-select-color: var(--white-color);
   --bg-stepper-item-active: var(--white-color);
   --bg-stepper-item-counter: var(--grey-61);
@@ -177,7 +187,6 @@
   --text-navtabs-color: var(--grey-7);
   --text-navtabs-hover-color: var(--grey-6);
   --text-nav-tab-active-color: var(--grey-25);
-
   --text-dropdown-menu-color: var(--grey-6);
   --text-log-viewer-color: var(--black-color);
   --text-json-tree-color: var(--blue-3);
@@ -189,6 +198,8 @@
   --text-pagination-color: var(--grey-26);
   --text-pagination-span-color: var(--grey-3);
   --text-pagination-span-hover-color: var(--grey-3);
+  --text-motd-body-color: var(--black-color);
+  --text-motd-btn-color: var(--mist-100);
   --text-summary-color: var(--black-color);
   --text-tooltip-color: var(--white-color);
   --text-rzslider-color: var(--grey-36);
@@ -203,6 +214,7 @@
   --text-button-group-color: var(--ui-gray-9);
   --text-button-dangerlight-color: var(--ui-error-5);
   --text-stepper-active-color: var(--ui-blue-8);
+
   --border-color: var(--grey-42);
   --border-widget-color: var(--grey-43);
   --border-sidebar-color: var(--ui-blue-9);
@@ -218,7 +230,8 @@
   --border-pre-color: var(--grey-43);
   --border-pagination-span-color: var(--ui-white);
   --border-pagination-hover-color: var(--ui-white);
-  --border-panel-color: var(--white-color);
+  --border-motd-body-color: var(--mist-300);
+  --border-panel-color: var(--mist-300);
   --border-input-sm-color: var(--grey-47);
   --border-daterangepicker-color: var(--grey-19);
   --border-calendar-table: var(--white-color);
@@ -265,8 +278,7 @@
   --text-log-viewer-color-json-red: var(--text-log-viewer-color);
   --text-log-viewer-color-json-blue: var(--text-log-viewer-color);
 
-  --bg-body-color: var(--grey-2);
-  --bg-btn-default-color: var(--grey-3);
+  --bg-body-color: var(--grey-63);
   --bg-blocklist-hover-color: var(--ui-gray-iron-10);
   --bg-blocklist-item-selected-color: var(--ui-gray-iron-10);
   --bg-card-color: var(--grey-1);
@@ -274,8 +286,6 @@
   --bg-code-color: var(--grey-2);
   --bg-dropdown-menu-color: var(--ui-gray-warm-8);
   --bg-main-color: var(--grey-2);
-  --bg-sidebar-color: var(--grey-1);
-  --bg-sidebar-nav-color: var(--grey-2);
   --bg-widget-color: var(--grey-1);
   --bg-widget-header-color: var(--grey-3);
   --bg-widget-table-color: var(--grey-3);
@@ -296,7 +306,8 @@
   --bg-pagination-color: var(--grey-3);
   --bg-pagination-span-color: var(--grey-1);
   --bg-pagination-hover-color: var(--grey-3);
-  --bg-motd-body-color: var(--grey-1);
+  --bg-motd-body-color: var(--graphite-800);
+  --bg-motd-btn-color: var(--mist-100);
   --bg-item-highlighted-color: var(--grey-2);
   --bg-item-highlighted-null-color: var(--grey-2);
   --bg-panel-body-color: var(--grey-1);
@@ -316,8 +327,6 @@
   --bg-daterangepicker-in-range: var(--ui-gray-warm-11);
   --bg-daterangepicker-active: var(--blue-14);
   --bg-input-autofill-color: var(--bg-inputbox);
-  --bg-btn-default-hover-color: var(--grey-4);
-  --bg-btn-focus: var(--grey-3);
   --bg-small-select-color: var(--grey-2);
   --bg-stepper-item-active: var(--grey-1);
   --bg-stepper-item-counter: var(--grey-7);
@@ -348,7 +357,6 @@
   --text-navtabs-color: var(--grey-8);
   --text-navtabs-hover-color: var(--grey-9);
   --text-nav-tab-active-color: var(--white-color);
-
   --text-dropdown-menu-color: var(--white-color);
   --text-log-viewer-color: var(--white-color);
   --text-json-tree-color: var(--grey-40);
@@ -360,6 +368,8 @@
   --text-pagination-color: var(--white-color);
   --text-pagination-span-color: var(--ui-white);
   --text-pagination-span-hover-color: var(--ui-white);
+  --text-motd-body-color: var(--mist-100);
+  --text-motd-btn-color: var(--graphite-700);
   --text-summary-color: var(--white-color);
   --text-tooltip-color: var(--white-color);
   --text-rzslider-color: var(--white-color);
@@ -374,6 +384,7 @@
   --text-button-group-color: var(--ui-white);
   --text-button-dangerlight-color: var(--ui-error-7);
   --text-stepper-active-color: var(--ui-white);
+
   --border-color: var(--grey-3);
   --border-widget-color: var(--grey-1);
   --border-sidebar-color: var(--ui-gray-8);
@@ -391,6 +402,7 @@
   --border-blocklist-item-selected-color: var(--grey-31);
   --border-pagination-span-color: var(--grey-1);
   --border-pagination-hover-color: var(--grey-3);
+  --border-motd-body-color: var(--graphite-800);
   --border-panel-color: var(--grey-2);
   --border-input-sm-color: var(--grey-3);
   --border-daterangepicker-color: var(--grey-3);
@@ -450,6 +462,7 @@
   --bg-panel-body-color: var(--black-color);
   --bg-dropdown-menu-color: var(--ui-gray-warm-8);
   --bg-motd-body-color: var(--black-color);
+  --bg-motd-btn-color: var(--white-color);
   --bg-blocklist-hover-color: var(--black-color);
   --bg-blocklist-item-selected-color: var(--black-color);
   --bg-input-group-addon-color: var(--grey-3);
@@ -481,11 +494,8 @@
 
   --bg-navtabs-hover-color: var(--grey-3);
   --bg-nav-tab-active-color: var(--ui-black);
-  --bg-btn-default-color: var(--black-color);
   --bg-input-autofill-color: var(--bg-inputbox);
   --bg-code-color: var(--ui-black);
-  --bg-btn-default-hover-color: var(--grey-4);
-  --bg-btn-focus: var(--black-color);
   --bg-small-select-color: var(--black-color);
   --bg-stepper-item-active: var(--black-color);
   --bg-stepper-item-counter: var(--grey-3);
@@ -523,6 +533,8 @@
   --text-daterangepicker-end-date: var(--ui-white);
   --text-daterangepicker-in-range: var(--white-color);
   --text-daterangepicker-active: var(--white-color);
+  --text-motd-body-color: var(--white-color);
+  --text-motd-btn-color: var(--black-color);
   --text-json-tree-color: var(--white-color);
   --text-json-tree-leaf-color: var(--white-color);
   --text-json-tree-branch-preview-color: var(--white-color);
@@ -553,6 +565,7 @@
   --border-input-sm-color: var(--white-color);
   --border-pagination-color: var(--grey-1);
   --border-pagination-span-color: var(--grey-1);
+  --border-motd-body-color: var(--white-color);
   --border-daterangepicker-color: var(--white-color);
   --border-calendar-table: var(--black-color);
   --border-daterangepicker: var(--black-color);
diff --git a/app/assets/css/vendor-override.css b/app/assets/css/vendor-override.css
index 74fa94d4e..12e0fc947 100644
--- a/app/assets/css/vendor-override.css
+++ b/app/assets/css/vendor-override.css
@@ -201,8 +201,18 @@ pre {
   background-color: var(--bg-progress-color);
 }
 
-.motd-body {
-  background-color: var(--bg-motd-body-color) !important;
+.widget-body.motd-body {
+  border: 1px solid var(--border-motd-body-color);
+  color: var(--text-motd-body-color);
+  background: var(--bg-motd-body-color) url(../images/purple-gradient.svg) top right / 40% no-repeat;
+}
+
+.widget-body.motd-body .btn.btn-link,
+.widget-body.motd-body .btn.btn-link:hover {
+  padding: 0 5px 0 4px;
+  border-radius: 4px;
+  background-color: var(--bg-motd-btn-color);
+  color: var(--text-motd-btn-color);
 }
 
 .panel-body {
@@ -408,14 +418,10 @@ input:-webkit-autofill {
 }
 
 .sidebar.tippy-box[data-placement^='right'] > .tippy-arrow:before {
-  border-right: 8px solid var(--ui-blue-9);
+  border-right: 8px solid var(--graphite-600);
   border-width: 6px 8px 6px 0;
 }
 
-[theme='dark'] .sidebar.tippy-box[data-placement^='right'] > .tippy-arrow:before {
-  border-right: 8px solid var(--ui-gray-true-9);
-}
-
 [theme='highcontrast'] .sidebar.tippy-box[data-placement^='right'] > .tippy-arrow:before {
   border-right: 8px solid var(--ui-white);
 }
diff --git a/app/assets/ico/android-chrome-192x192.png b/app/assets/ico/android-chrome-192x192.png
index 8f31e405aa2053308dc7f557f95cc7607ef44b9e..236db0e2b8f0d39741d3c7f5690c09bd7d4bf33c 100644
GIT binary patch
literal 1922
zcmb7FdpOj27ytf#Gu9x?jB4bP%S35&+ce5;5C-cKv4~u^MlM@BMi#G`X|S7HqLFeh
z*1H?VXp>7~+L}@%Gj1!yyRim&gqcxeXlMU^pMBnU|2XG7=kh$~Jm>N`IVXHbs>)i*
z0031FcNc%T<o-pd&*a>HGC@%;lrFf3BmtnJ@fSg$tU^<6gp&M8&VW6jvmjTHWG8PY
z09p!FWKjwLDB?U^oC3asmZykbfk8Ul)#<~!dO5Wh-8w^tTlpg_HSgmG^GuswJ&H9X
zSlR?Pjb5S_854A$WZlzcT&+i--S#zd8}JrX*iGY2n3Se&#@qjE`ec$=Hn6hk5&k6d
zcS`q4)#ge?F_Iz`b(H%T>n#%Z;%YRT>+Xr)pGp4K9X@7!%i@Dy*W0^+Y5GvM3gb~>
z3SM|rWe<o{gSbavMm!RXp#U2L!tkKo4O}PyGg^P=c&&)NS><c~f^3iDWs1cGW82*!
z4bT5Lo4A>xt?fVYF<nAl?;+9n3K!O9m5!y~59JUG9En<eYioBJ8`*?yHnBE?ufWJ$
zz-7^fv)8M;Bo9hT0z(>}aX2Ruvs&7Ncj@E<EM+l({PtS*ts&!rXbG?DP+)_Ok;Dlo
zEeQ`;*IyfF`TyH9E#O8))qjMXOrXR6`K0d_oJq6#p8Obpw>=;^gW?T*&h6Of>6!SD
z8W-nQWv}<`9(V&9JZdNt&;K;plajK5oKS(eW`zc5@TSH<wmrcSon9;%#sJBPpIKki
zCG9nmeHN?mGb97CkdYlh-xFtdyVwxs-n#p_TTrv;%QzG;Z3vLgjlR?_#=?%FQfZoY
zP>#P7h%FB{@-%{BZc!}K#OntXAk_~UENv*GK!@-llg;*N$pu#@d@~ER3&TTQK(F_T
zMnLy6E)NBqgdZ8alny2ED7fpS7eKicg3+oyh5(t|Dlor}2F$pwlmy`cM}Qg-yr3Z&
zGZHf%))sa&C<|)J+XdC2rJRcF2ak~qXQ3@mYIEit3S_rfs2YNu_0PB?`mkdZRcq&F
zt)Nl0Y^YXG@l0G={g3p9{n>MC5)ys%7^RffdH<6afBf*2pLw4TSh>m`t4_RBCo%J@
zTF$RkXZ?5&9r!NlutIJYyT7r)ioWeyZI@<uqu=vo%QPC#K%GO4vDJIma<_C(i(+@L
zZvpr+YcFI*4=j5A^XPzi^zL=m6<}y>B^s7dg#qNQc?gL<Hl-$(RHjFV^p`p-alzCA
ze=Wd$Me#{4$k)`aMmI#$j4y-y!E%qU+6Z$8(aal_<+!|d<t+WLc1+_gi{;JuzR^YI
z^)f2j9%BrSi;9J1Z%<F<IfADNnyND{b@CjMJ4g)9f33G>OtLvU7{jo%B%VsZK$<5B
zX~>^O;;?ww;_0H)snr{H^to<b_huHw=!&Lw$SlfrpsQoqDg;7h?Czzu9z%c^H68r?
z0oy7xB5wn7fGvI%JWYBT{SdB0aY1}&At5g{hXh;HP<WDDzGZU)2^0-gj+y$>canfk
zjv8%C(q{I@$f4i#@y?yauTv1#{RxB&^h2c9l09$*7(O(;ai)2EX=^hl!vqI^=X<vR
zKR`|CBb~0KbkhomJW?gjFk+wxP&xyv?+C*l>Y6M=7jN*4VD~aw{Ce?=ZR)n(CbK(C
z!8z(s<5_QTpkD>i5TXH;A7j8b3o~t;4n6tGTpJ=ttndI?x}0_%g7n+@mbThb3}6b*
z(^Z1#UmzJZRAS7Rwi6nFd9Ht}ph9*Q1s>U@J47!|M99N9)H$*_?1+{R{<15QF<G_4
z{)n~sIT}#-@!Qwgo7Q-sbF=%MLl|+jH6L8qXEWE4F&{o`-qpqgg9Ke!njk*;O%D#L
zF*Q-8xq{f64sYonmps47j9B%zJ9RrKO++EfFHKQ!ZE`=6cqFy7Z5NW!CNOzb`z+JL
zJGBfWKVC$*Vt01w>vco$POvZ_{E(GDGQT<6ywa8nW+*dc6xXuyci~~#-g=w!$H9Ow
zG9vg+r|kZ;I<(J6vBTjW!PeS5N$mR~h<b$yu(gPPrKYy7nl>Y**G2WakdXm|!7*#X
z*G=2Ms9oH$Xga43&DJ5zp12KmUZ*9J-=7^~CD2WEXQj5fLMh#{K<NiS5zNOlnkq0q
zty&%UpMXlfgiT)XZ>F;Puz4-3M<cif3>WbT;=}t{r5v6}<i&z46qx@6pZ^xP{||>J
zws)cMRie`EqP4wI=AXh*gm1?2hx}q<G?<Sq|5+KQdO^6-2~Ke@5qpAzi@s7aTW)G%
mj~=%%b9CA+iBUJI`2?P!T((B>ztH3_6L`4#xUiignSTPit2aCV

literal 5654
zcmZWtbyO5kvtMFax?38l1wlHLlyqs9?v`E<q`ReKLApD1m6Vna0g+HxIwhBGczo}D
z|Gjf(=AM~9=G-&CId>vfQ(cJwmlhWQ01&7s%WFT~8Bg4ejrAnAX0x#Y0JKPlH*Yjm
z-n?OgdAQj*INJgMoGF1RlFGd@bp7T!Wnc>6s~9nxN_EPQA7j$=im)l<>L#nhhs(?-
zOPN*N-N{Yx2!nX^=uL9HykHcVJw(K!q8tiTT*tv`MGEnt!FwO?Blk-}Vn?=eLwYTl
z-!6hQNwNRNs;PYxL~r;*Xyk3}Xx^u$hiqSck52mRO_IMEcsTK^#_k2ymHe8a-6xS_
ztmEl&7uXU9AtJ1nw16xr%Tsnush*p+%Y9tbU?q!L5T46HND_A~qBsAELN&oBRjk%g
zViV6HQ+M1rw^2J%_-NRidTf__)TBZ@UW^ifiNit;)s)8(VQJVcHBg=k8tavwMnN{T
zhjcMn2hm3+nMChaf>CY8+@k!4>_BUo?YQ-TctEIWp_y0ik@a9z0pP)Y<*nQGsIbLN
z+L<E+j}a|!p}XG;qH_^4N^gN0PF8DWzIMQEr9%ZNE~lemxrXKoH#cudsWXO<d%;`K
z2nj=fy|(@A-`-Z!(HuM>bbE`ouIe$J_`{m$2^TCYh>|?u@js`qqay9ef&)`FeE$UD
z+<zENjx)#S$q4dPQBweI;t-SLbL#qEvjG6)q$={VP@nmOJco1>+pLg+%UO?_H*!;^
z@DQFvCYBV1zfr=;o$!$TLhSf>C0p`eTB|WF1TmxCVkIFGB^Z9xbXfNBLrfz>8PzQO
zn8%o7*j7<PTR&2vUTJl0u3n3`<4M&~fBw}UR@d)(>UT_tiw{>Jzk3~d7u*IOHHTYL
zNBuv_i!mUb))3h1qH3}18`Qw{&|ZooGQgFcPAz0MDfI8Ne}AA5NHCb%{StvsHu@xb
z`?A?1N&?Dfq@!YW85jS0Jco19qXh({KQ6t|B|I9Yu+GqCpN;r8OtHLAj4UlCLIWjv
zD3jv6FZO_dbtDRZ{~nz;9UuemO_2F8!h~PCp_^-25O3CWH{&{Zm&Dq(XS{Tp`Nx&M
zlz?(rDa6t^HC~Ad+YXxR+l8h64dtX2$6TddDP@nus|g*o?pfh8H<I8JLP*s8G3HNB
zWjaaf_U+zhF9;HZnG2<lnwgOX_w?;z770AOCgH{G#C|>)TQCa<#vG?P4hC9C!p_8`
z=ZH*7Senny2X0ksoAAd#ti|J`5zj*ILzM}N%+REwPYST90HO(ETR0?!#k9P@RtDu6
z<z;}6*(xr@;o*@NWEMFo^%E40H%>%+2&9}%cEm$X6t6M^Cpr+xA4KPdCYmVQ`&^hn
z7;|U~17ZT```obT668|ac~T>t6PBQ~eyV0KgKRzYs$0w*TBW@|9Q{Kxc%iG0zzh#{
zAE)#akz8_W7Vu1F;zYa8-NudWPTzt*x$@XpYNQL#gr0Jp?=p|wQG6D^Xs?164-S!K
z&~0(1t71@Ug)tl}0QnyJF0|FsJK2tzj{5WCzOT}-<bq!7t;48Rttf)HOv|`aFA3Rr
z2D1-;f?A7fhO~+U+Ke`4{IbljI)NUhMFYx{u^R@gS$Xsy*|4R{Q8*S8?qKXa@@wjd
znw$0rH}P2^*2eZ0Y4E6gE0NfjfqU?fS{M)5=P(oR1+`iGOdP?c<fUJ-Lib#?!hr$b
zt(@$mQZnPj#1$yZ;5S?5NXCV-9i%{CDTp9fm$efo1YS&Mj9Saw=(xJkGdJ#ulQu>n
zx#iErA~$7x$JR)e7;v3Z4Ik(8bGxEr8-GWflngunvzpW`G_RD(MSRSmB3~-osk&~s
zjjQUM4Uj-6{u0!ZOnZBqIZM1RSo}J5>?V`f$0EncO3fCLd7cTl3|qq7*I^Ap0`7W~
z<*6=w5Ay=etQN+<Zw2x38z^%elDH=lpT%`Ugg*{;gnS02?3_SnrG1;>IsJW(aMi5T
zw6SY{_HPeK<U#1AgH=<@XdX74CXKD4UwywLl{!V6#AAjs^SZ^!TPUb&-LH;uz2T#=
z1!p$*qMqC6gME&6h-Rw=6N(O8+ZQPH!kU3qZh2oN=7apF7<3&Sc~zJy!5(8>TihM?
z%fhxhsl+ITrk(R;G^h;L-(8O`{#`>SbDC;}y6b6-ONTSvJcsjZSJAppGgb;k<fm)2
zN#}4~8laFMjDqHH6ToY8)`z#~1zyQYI$2YHCI7DRkkuf>cBv^^A?b`5{?jofAG?>s
zpTdvK!CM;Ji}T+kZ#F@#jcSVHUcCaBunxp`LC?B?*M<V?6&1bb6ERp*HsuXOKR9Ih
zXtr&sF$F%F&2F>hyILN6JH(n&d9<r<Ap*}~a3tyM6QMm8jR*%iT+)mp6az!TO^4%y
zg^Q&@_d{ZHZIqi0GAu{VWzbi3KKp8~jT1fcSs+#TbaXX7@n}@BUnJnCT~ptzEHYws
zZ7=<M-+}iEfa8u4e41@|8-~dmkvVHhlvA#U@TGSP1hO=Czi|#V3#fuQN#DO#-~$Ee
zucH>B*A18{gW86VdBe_CHP-!a?I7v``hKID0h|?I@O_LEdO_r_GU5{DJ##k`DFXCA
zq7?YMCLl;+5^>7adG~CNrCO9Z_T{C`9mck_m=N1Udl5BvqoWhP^amduYoQd^$TS&g
zz`pkS5U~$wi(&dqykugvZ6!<uRYk%m%{l@a^c{N9O1FYdA%)!@InRv^$8^=(Fw^>}
z;}qr+u!FcO{`)Zf5&q(!en*07sSoobbUi%QL?`yG^zt~1QO9h`kIX;5-->dwgTi>m
z{ExRe(qs~Fvn=*ITlC26Z&o$^UoLyHNcGqw^Bd)?x2&vaUc^z*a)B`FRJ|QPq&%My
zv#jhfVEeu}DzGHZvH*NIe=rN9j}`$z?N0CuDxA{aD%1RFAY1=(C4Z!=Xs%V!XeCZd
zDYwx=Iit-w6Ag7+<AzbduR}44bL-&O!PYZ8(upXoLZZ#jq4v8iBi<Nu@mFUK>F+~A
zcloK%^b^GF=tq2C6>W(HENXdLIdDhtskR#MRgj^fke;JKX*9uKvU4yCgTbX_)@Ih=
zb+?(fo2<MjIjIBntDsavX=z7YvyJOj-aMOGMi+r<bII}peZ3~?|5Ts<mLLIDp58uz
z|JC9X+2+eHS!KXk=Yx)`gukTs2ES2_^;L&{2|hRf2HjwGJd3SrpGT9#6LJ85GO#Y*
zIX#)bYKV1})Se!x#O$@I<rm<AD{h?u!|=0k+4WBGG@o2Q`479?N*T$ZgRXl~@w05U
zQ!&1^jdO?Y=5bSR{jPUQ`qtqTd0UO5-_6G@Th_3R6AcT{jbz=cC6rRJZDlD*=+6ey
z>E5?7=oPVmc`y^Rur4hP;%z?}M8(=tv+J#2TJz1}<1Bg8g8eGOPj4l<L}I=aEi!t7
zjY&h=soZXO_HAaV6m}L4kuGd{1(^oww$DhcHz0FA4DW#xGd8oCHnZMP8E75#4moaq
zjSeh`LP55#PoUMv{b90Cz=$O?)>cR|8DykKKB9h8&reW_Uiz<5PM2QZCwIP$BYq$*
zhI2=-d)=$LWr<<0fn~}Q@l<{#;p#hz*U6HZS<lSRZ30PP*}QrJ>qp@zzUi*w69L%=
zwO>x5y?Y~H<Yzbi*BR9|-!kgXysvZ<?p6yk$+%n#ekshZQLr7=_L=8ajS3>a#W}wq
zqjkj%1+KnybbHroef(?}xw{Nv@;UE(S9xglRwyY`J;t#n%sa2oyZok25%0?u*8fHS
zzvw<eyhEL8Xs$gP_mtIY99_?g*fT5@iumv2da7vCraumoOTk~v?;ddT0Kll?AHThV
zynSw40?wQFhIenP_EV4-+OoEqH>wnS4q8*wUGrm20TK+QU;9Vp%a#a4qATxK&N)SA
zuNR3q_T9V@QT9`+x^9lApqton?YdXZ=ri&f0~%2Yi$291>k|&15KV$&1q+B$dNf#2
zqc*>mQQ^8A+kU*XffDCvFUSJ*<Dtydvh7C5gj{{5`>6cmW;ZkLk=+_Mr3Mu*j3p(<
zVSTv%Gi4-2qn+OS@E?tWn$@c{k4U5maYX`6e)de>sl7UegTNl+(8j>`BWJ<{N8e@j
zn6J59*ef|%)-SNO##b;4Du({$X}-$+xa{!JU^xB=u>Ep<8*}&eAF-c6-2tETM*~`0
z5!jllhI1%}pGVof1oK=f<u;lc$tc&T)x5RJbCQ|$SImRpQd2eCw*qzj+P~K4pLZy%
zy5wooZT)u7o3%oVZh~0hwOh&#9DUmCFn1BlbG3S5@J}fe`mF4{y*tIHB1YH*qH34T
z{in1a4Dv)fIAi)C`^xQ2nB4c)pTudDklvT*^7EVt>xJ~M)Lp(RtfP!d)6``gx;AUc
zbE>5cxyop);Gu;HQx(ryEGtG3ruJUF$3|(6k*iFa&KwA#QtN(4y%+9NRuogFXp`zr
z5EqhY4-VX!vGQm;U{%+<5}|Q7HoaY;s_fkN!Y=L$(G@DRk<fvz%n%O@*%tH(3jeZ_
zuuDhh=L`2)o;!=_7uhmDgh{+aFxn0yXpz?4d<s_yU_LN8a0J)AYK(lI{tu%VzF3(1
zJQBK*LP#**d*I|1!v3vONN7wEJBLM2K2LUqVdaiXIh+OcOv{wL2pPr7R~510KbXIm
zGe!v{X?Wg7`ujI<NvTW&W|P#DOcqfi(W=<8h_|5WZXl^d>@o{v`}VNd-P%x(fQHij
z&?Ow7PcU<~*g&gtMi@njS4I?uK|lBuY5vV}BtzY|5@lp6^jb)V5^)Da%qiNvPB%~W
z0a{0Ih5I>}%|(8}EhGB09Oi%5QK-M&(RcYFnM?m|)oxEWGgQwwh;`?+mI}a_SR_m;
zYwV^=&i6IbMIUz@J);50WIm0Hmn_8%J-X&3FBa>nd*1QpCt7NQ{!wqKL$*Pr*=4KE
zY!^mL>2T|GZzAh9h~z=&&eFSlr;jCN@yE+{ZQTiUzmR&`&vT?QBu(<ve*9VIU7;{1
zL)*fMxX<c!sNb|6k*qhTu^n$byp=z>6N7}xW8%Kri^pUrn)nY+O+S1(barq91(JSR
zEY*1+ZfRL*%`v-AKu#VeMrG;)^T&=}m%%z*<Cc-ZQ9>PyVE7A$(jlr)!DjzZMv9Gy
zr$6{5VpnC%<d+uQDO5x41c{5pX|Gsm#Q?O`;pch0Y{1^U?PgH>egW`NhA!u5aO6L`
zE_i>$r@}*fSgb5Mgo8fFeZy`M)ELwmJ0d~mMCYCnP1{+@Y<!#1f+i!dJ%~oM+18!k
zZOyLN>*na-t-x3(b*E@pA;xjxiy#10-D0uQzUKvYVm4SI9xEvBH48F_+V#?S4)FZ=
z;Xm=0M*6lOQovf`RsU-<?{ieNq<FA~Rwuze+Yk#`jqFp~N@qcnpk}s6E8(a5xYkDo
zSmbV&P$#~n9?^F=u=x`PK7!HBa+ySV&?LWmnK075$W-7y(sPr*;T3rt9ln#>bFvv0
zAb8XdS}?7hjeq5lTYxS)WiWcFhIz74Q-Nzmr4b4RsE`Dej)2oAv>i-b&idof?ZfMF
zOU892i74}?_)|PAW$y~YJZhCelV5wFcnru5EXy^i-5kmbTtW~PWm|CVR)8B&U}pDj
zOrh1ZcZe+zQWBV_&F%bGd6*z>`vx}{SX<S5a)b|Q9Gwv2-Ki5as~$<n<4#!_2NGd^
zQ>|s6+-~L5TgYN(nX`yNqJOzPDSl2`mc;3y`3#QFfthl0P^IeL6gz|8Iu%PLztP~B
za<R+14OL{qM_;H84kBpB*7UFufsq_EEADcEPjKQ8*)%lvO<v5uxI=-^rmaAu^e~qD
z-4%Hud@FbFd%VFocEJY+Z0}}=>`VnQw&guuQABp%-R7G_3FW1@89LU2v1^)!LxLCf
zq&2X!^dD<|vmZKoxbmc%-Bp~U5gYFrvAq)%-hS4%Nvs|xA)(rg5#i%XWZMv1ks3v0
z%LHuN{cYSoG&E&g#h*-*y<pgsh-gw`;PN>xQL9y%N;@~_g9*b^u>37^sIIzy0VhnI
z6fED!wk;<Nfn=mLP8B5^F!<%w3kB*&v!Cr+%G&KDU|)s@^_SAJ9q1C}6wrLkHaMpU
z<iH}`s#LZ3BI&Pa&q(0{K^S@HNM=nL13U6&@pW7|%qpr$$ehqizm|z|-{_<{%I!}j
z)>I31aPFH)ZGipgzch;ruAYe^23*=;VO?nIg68aFO!N6^yxDr>ANVdWiLcsQwW*$w
z;LINnWM^256WSY_=!#CrX^J2QEXIi-ga_hdWpGZEPtP8$0Ahe?mKCIx73r*+%UnJI
zmi(>5<9^0-T3U2<QJFs$Vr`X>SHmZuLHqW0LSFc5bF47#u(PiZ0k|aS0|DK2RIIQO
zf8{1`x3CiJ_(6wFlV@eDaF}K;wdayLp_+}zj>GUK8$aS<ACp#Qo7a3X{yPzjJ>_Da
z!1_cyLqZB(WumxFN0VN1s#<%n0~u@r+;0tR#K=ccW*NM)+4?##{YeOvWAF;<e8zif
zHI-z=N9JUcD{LIZi&9Fn)^^+GdD2x{gz?E;`Ni3bD4c~6idZN!xhfucC#O=;r7hIg
zrw0Qk0?|_zR8yk*Z_LS@YWH8mq?BwegG$uHIFp{bM2c8Qu`#qIeZ)_HpwI9b&R+|w
znbexO4#t-Bi+Qic86=yme?p*}$|ICoz6)fcV%slOBJzZmx3xq)`>fa*UjpXS{7>jZ
z^yL?_il*T+X_(SHs?!MKUG5XY>cI-*sWYz$+}hMDj^6es(`Z~sXbh-S43<EQ<7^(V
z<U(xGjD-upBp4_H(6+ZrHkk(fB6pK~p2r<|#A($&Ukji0Q3BcIl0Tpx8$<oTe3$T(
zftr<UJvo<?m=bJ@b3b%9h~;_N*D^in9lvDeNIG}|`$B>_Mg`^TOAQygSL)`ef2Y_A
zm&-dS$FC@0mObx-7sfa5&KL-}{hpz^$sc#IBKF<|>8JpBK5s!?Ud%L5)lBZW>dwT4
zJmyq~7)?U(Iu1EP(?Vx{R`&uj2g6ZkPs8anj&K@{R^M~MvdEYvV0%@hv>^6PGm!6i
z7gdlC3e=ZdA__pi!ecVCuXDqIC6)BpM+-Hr!r2gsRU{Li{;*}8UcR|Tt21P^;zspM
z;<z1|BOBk$z13(Eo0BEfIa7s>%lKF)ymzT0_w|S_Cc5-J6wLdRAy5*w25l14aPK7a
zL;IQYyiKw18rCT)vg&^Ol$4^+Ungr`_WcsC#K$#~$*r(EA~k+Qnm27{>$`AMcHbeJ
z-c|lm=st(e|DcT}gO6ax*JyS$Caa%WdNvvKju{$ztlj%bjkJX*$T*^#pN1-h`qTZ&
z5xHQmW&GVoTjDcDZe27~U;LeT!-g)AeACP5Z>MV^t&B9`cT$e8a=N!sSk@TE>J)oM
j0{Fcz{~x^*cqGC*CM1?p(G!1K7y?uj)aC2tEW-W=UkI_W

diff --git a/app/assets/ico/android-chrome-256x256.png b/app/assets/ico/android-chrome-256x256.png
index cc95d0044215f6cd8e6cfba7ac1effda52371387..52848e01967c1126ad7b975041e1fb4966fa91fd 100644
GIT binary patch
literal 2510
zcmd6pX*`sB8^^DEOqPt&sFO9sLzZJm8V}i~7(&N#kgX9}qOlaELuRBz*-ApzjuuND
zd$yQS<2dM`QYmXmj6#;iKKFC?@_G4u&YS1O{kiVn|N32@&;P~$dtFze-4UwTX6elU
zAZBHG$N>Psei0BB#Dd4^Vm~a1gj%|u0T7k=@gZ<KSMrDDj02Sde{{=oF@g6tvo!;#
zOch-}z6mSvu{vb-Ya}u~WOORytrUB1Ea6DR+4K?t?Z<y=$|ZDIhQ;rrY_@i~n}%#s
z^DB`QKA536)vJAX3hcS<ur1KgizDd~ucaSM9XP1+Rp-X+o6<$&w=LIw*26ALM@=ss
zU=@V>+T>cA<)TsD=UEn=%;Z#bkxHWRC$^HT&zC`yw3=_siBCc%1qJ8?*_VAxLx9K1
zL^pC;w>Af*X3psc+)|W`g!ic7*rxvU<8u41h{I?x5iD&$K?h-S@IaLKM<OL7-jIC$
zu}49R^CYe8wR&0EquCZ3oiXBu^4sPQPkfp0>^x^u_vFcZC+ncDo-q^^6^$>?RX+V@
z4$kk7Pg*E?SJv0`t;B?dSt&>t&LN}Up72)#*3NhjFowliDQmh*-=kHDqN3K9iw=Th
zmN19IiJUmYZN8Q_^2OrA%3!qWX1~o>tU<Cg*?#hNP<x@wrDeTmN+8>qY?k0lIW+oW
zOx0T(k7Hja$}~DUP8b#h6J{7Iy~C}{`YlYQGMP9NbS`+Mt6=6<iRgr=kTnEcN>}~m
zrn~&e9tQel<Mfx$Vh>`rCP43=A=g-OSprg6*{E30f1#&1nGU^?nOdHjEOdw-g})#U
zrQ*8GnO(8(OlR@TQqE|qaP&9+_|q9YQ{A)SbVIeKwoHFE*gdLm)ZQIB)tC764Q6X2
zC}=5HDfi!oG>WFkp;0HCsr2q|>WD%{f~kkuU($#|Uj4;h8?R(YyD`qj<f8=kfMWwm
z{wHwA$#1!}YJeaLwQs4^t`Osmy9*DWCgGWjAHDCSrsqqE!=9j!tSRHh0}==`qEao3
zuBHGLT0DV|TuQbuoD$zDLXSRaHI0Y;9pSNQz*fnjc{=MN%%4wWZ^H75U7DugB_rjB
z;9%e{ZBcRPH}g<DiW%fM5r`g5ZVyz%)f<G)|NWakW@##3xub}Mgk-i`CZ>&wBcv3d
zH%>Prf6I25Z2k0aU9i;X7VL|(@2#ZxM4w$-m=EW<zAJmdqYclfIIo-UGBkD`4q&9D
z)|!MQWjLxf8`bTco7hJt(*k#cSXJYD^{y_B@j`Q1l_RN{9UawqwZR9J(_PvKqx`rl
z_f&AEs+v00ligY$r|RlRpMKkWgcP{GP$9(D@bk;RStfrZlg60mn)=Dw?&x|zR?m?W
zfq|>yPZnnGP2F!^3;VrlgNS&!RIWr$T#LHwFce<`z3ENoW)n?w{skw^@l_<Dzyaay
zz*F9xcHSqnrYh$mo@wMtuQl)&sw$nfVM2v}n4SmSg)?n#TMbAdDVvP{CBJwA%k*Zp
zUB1`7<C4_t#ZYl9Q@OLZC)rA`n0rhFDGYI4LcEnKe!`iK_@#HlDICSsUGRxzq%Bhl
z9=dyYsK4tMU`Dw1;QJ`hzq3a)U_atT+bhUcQBd}i5Pwta#)I27(4Xmq1nm27s=a6*
zH!kkW1op1i;hzs;mLw99?i7y3K?P}8dGHjD-O|UqpL?t?T<9)#q^c3+a*Pz%xb6y*
z?lx%9Z<JsQ>{5YIj=|-DjhozHa^TaacQ@>9d(5`O>e>5M<Z)i-F5udF>KE{~7fJ#5
zLg@JEj!puzZ?F8uv#V0z+IEuloQishn7X+PvvOA_Srv9~ui4?5`EA$Hmr*;d{kk+F
zj08Pl(u%;>U-fqxAdDW3mE+t-SE+A1`}$TWhLF)LY7hNy8ak@SR~Pl_)`RT^y6iSF
zXA_n9mkaVpA$f-GDmRXC>+&LrcJy+J1Q<}4JIFn^bp8MA;&8*xEz^C1gIoG6Kw4Qa
zkVPGr>?<mo?%7H;WTgn5&ozknJt?{2UY!e$eWx=9={{aY7tq!h6E;ft&Pdh;gt@Cv
ze>o0Jx8`>nYv>VSGFA$dcf_$CFQA^-V~<>1wkpX0_7?9Y#^aaY85kq2Utjq<HH!rN
z;A9Y;KVFgz?ET&g<&W1;vIO*7{GG$VD%}%a#pvqdKy7H{<FO8mvvf@=is9K&9z3Y&
z`h!j?|NS{WnFvRBI-;6Es20Ys&T>#Q*WVBazVxXA-?0!SM4>s!5lbmFW6%3R&gwZ4
zD7k=vRTF0-3@3*gqRIyuc1uGsP20fXYAb`xZDe3IdDQ8lm^el<S>XC%n-!m-9;~m3
zz2duwfEvf%WG#Ng`A26GFdCa_aie{$r0qvaoC&M6_4%u<ECF38J<&NLgA}TV)u8mK
zZzQeH4G$P5SeN6tnVemg`@UoW0X34#bMq-e)3LM#nP@?C2v8P4y@VmzdsJQ%Dct6L
zX145||M=XPsvsXBLdwIL7si6DGb?e5AgeYPn(|;;=|VJNwN(PPILVHW<!-oq5g1-s
z`#^+vb-`%D;smW+jJJIBmHaNm%gft9K5oN&Er_sqnWwt2u#~bJLrN#h#eG_B{i(wQ
zcAmj&Hx1c>1f*rD*SW0~XtjIM={nQH%Oj};iL-_#P5daG;wFIsD361EmV+PmFX)d9
z1WC&F2>g#D^7#TtHjcHocVbiOWa&&%cc20ghB(|gY>Xto{8eYUyxTTY`Y6uS8wZIZ
zpsWIES@3@%<TS*{YpMR@dFMzO1h+@dC9U(FhqJTKJKUbaCV5GlrBsDH`ssNW?&~`i
z`aODd>=p5!ZV%Y{A!7k8KeO|bZqD0EU5phPt-YT4R<yU8H;SG;ahKpbxGvvVvy>xu
T0RIeIzrf1;$e}+dUKjrZxoa#_

literal 8347
zcmaiZWmFWv_x7^8#M0fdpmcY`BD;iihlHS{2n(WgED92`bc0BDDlM=Qf^>(}Qj*e0
z2=elK-}l4+{J#9p+&MFMzRWrE+`0FeXQK3V)kz2$2>}2AiKYhJ@P6zE0B`^Vc=xkE
z$+D;SPPmJzs=lVGDirDE;ppP#008hL1SKeHbi<f?ZH<cfXmI5tWuBMn(nd!|CYk0D
z&^)RdD}Vc=$abudUDMN(+KPxYSiqFUD*N?oBn|i*8M(AHH-e7$I7BB8@d3Z@*4O9I
z^MaJzm9yA_#Q-+>Qk)?!YG<gN-WMT#EgH%IcW`8Qm6#m5b=mqpuEvMr<7Uvo=y-*r
zAl@Z>&B8HV>KN~Ms`w>xnVYmOtdcU9DlWrYWlg=BU#Qb_MA{si!7iSX%}q)Xb0uZ^
zGo3~|);Ce6(p7Gg$R*8W<VkjeVYuYs4_o@7UH(C<64?(jv~^$z2eq+293sW>Ww+2=
zV<LE{TY2h8Ys0YL1pJ^6I4}m4zQKkZwLRgN7Cqp?eFoc#Sr7aGKv{pXd7XXutgkE=
z@XrbR*yCzY^67QbnX48N8&1#yruVg$(Vx&kmZwKQ;&ocsuUrUQn2&<hR+4e>+)*DT
zo0@(p>9U1VzfNh!AtgnPD>&2yd~K^}ZweWe`1==UUE6C4-Sv#@9v3`&Ep<5H?mz8Q
zdr8v$3IwTP@#-GJ+5dE$M?6`+_lx-6nmP#lO$a$P3G`7L%oG4%P1A&{82kSGo#U7M
z9FcOTEbUcQy<A>jK938RvM{Fo=Hk*?-<pTe*Js9jA7>MaTp*jGpiz9~_^V_@#gjS1
zliC=Z(u)fQ_Z$rE(&D7BBp?#nQN>~vbgdO$0iGctU-yFsExq<yb6@QuGs`bdHe)Y4
z0z7(R2}Fpy|9ATd5vBSfROWWffn~$#oUh@)q~W%3rlHM-49_39ayh&F0g|qy2JhpV
zg=A-7M6{t1c0f^Lsz|$Z7;!h)o}P>RnbkIZh?6$C6xl@BkfpJwN?|=)?M351wfLZE
z^)=YMfT^-uepzpN2E-Bm(3focZ)gDu{qkn#6f<gawwu?n5#%UK)ju-az1w=)i<^HU
ziXDb|keH>Q)I(on`zSMJ(=kb?X2Ra^wSMl6jO-vy83lOYzhQB3FU445*~4r2TV)=3
z%cP+#(e^+W+tyTLjuHGe;31w8?!Kz|I~h}jTG~ys$Uu;<ST33@t4Ig>Ql0O~F2Y-C
zpfA+#wex#A)FJd{F($yjcQKvwge(3H`FA8YV@B)|D^~ldD~s|7=mMaOTwYO-sabb;
zfkUOS7yaxLl7Mf^Shc*J>2jPO#hGulV1Zsd+7EO7Vc89y5IYm%^C>%JGhB7U0-zS_
zMS~T;#a}RyG(EQa$wPTfhx)*Gr#O{+nbhzBQs}pAZ=m_*Ef|r*-9?A$b|o&EiPaFK
zxs2{=!TfDnMxNl({Dxl<tge+=Qr?Kw5^p>f_GjQ5G%H+3HOw{E874uB<;5pZlMf0D
z)1r=yuyc&PqCkZYNR^h2k^UkoA5i#9eob4IE3z?MjBqG>qg7^`tmsp=v6yVHq)&$j
ztUP~oS$O7SyqL_(e!$yZ+{>G*%ThonBUIcwmO8Eh%nB+io2)}o#$%xV=Tc{~*G><p
z%x#Bx%qWy>nx~%!S%@*=ne7`t^dX}@VA|EHu1}RfY0D^PbRF=0lZTCf(QLg%gD57N
zE4#ANi%P!*YUR|?nh_tXw1MP<M>14r5?Db=t4zQM<+kePu5q#N?<vF04yTowohlO@
z=(^)f;z=?F|4@IU9mdu`wvdX-0#_Sup!2)~d*KRt9m@Z1Y&s`BJ|t_!OnJ%;bTKN<
zS7WXSZeLK2?-|7mDi4gtC^`wc0U4+!JuVWQC1eDS{!K!;$<Y$ijD5-kRvZJcYUMh&
z{M_GHviX>|?OKF-{+m+qaljIs9LbFW4}i`4Q|>>{wbF2LTikm!>%t&CrBPEb_TAp|
z=+qIK6f%==ii*_<fG@)(PCrelZR(!h%<DG+NOvzCKKZ~V?h~i?H-<;H#vA&L)+}Gq
zx>$1rnWtuunNQ=H3HS9=S%SwEzjO?!BI|J5W7M*Jgu)Zwl;?8qJ2%YfqL^!qjfHrt
zQUgqLX<y9Mx+*F5f+_;=9!uk<Y#&<p<Pu$ngeq2C_5Jz!gBbf<WhMWpJF=Po&5z`d
zHp^_n8L$uM-cFAv75xQP3C4M+l*XGFoAEdJG<&Lthf|ARS6bOFf?B3>!fPH|xc8hw
z!jlN3ix&*$renPFBD3i~-DM4=(r!*3m*_z8?g1ah1V9E=|5P4}kuAn~RT;JWBW>1-
zOs|x#<~4CycdQk>P;@>-T^2xYs*(P~NNGMR!d96SK`WDQORan?A=6+n$j*<{i$9lS
zrdzb6PTrf$%Ep^pyEg?_9q80WX&<Cb9|7{!ENqq4z#UiiJ(Aj8y$6*9Lr3Owm(+*z
z%e_C*`Y0bn<^jwgUY)`qOPn_(dP5#{oy7A>{$fBNJOCFjd+r=~a@=C1_o6#C1{IrX
zT4wt4ePlO`!}Ta>4G)~*?q*nl`1u!Y0q*H3g4T>g8!Zl}&z8aUNus9*iSXG(@bahf
zT>OdY1ZK0hB9EbDJlB#>T@d*-)d#O$PHTE`>sA5u&IJVj#o;XqA#v;^VY8%e<T!tD
zl~_L!1x|%LND;h!JU*?u)1zy&B3bsL&cD70UWg?#E}<)%%tHC-KM8kZ@C9z(mF>Dj
zE-EDJR=Y}jx^X10Q}yO~uL;*Z+E*}80^E?6IsnCSm@D~KaH}b{wHyY;hu?k)kV#>g
zS07J;%j&I;8CYElAlr<BMVhHnV><&A`9YlrHgY!s5ROC8vbqe4er3dg@}G?!7>#$U
zc>z1NJUsuGa{D76QW%?F_eDl<_ng|87I+)|(DkdgB$6MgBf)dycy+@de;$Y#J2o-}
zrWMzRS8_OM_{NW-8oma=lsN|=x*M4vwXb%qLiRPOG%DU3#YEt4{c^_mLHo?8hAjy~
z+faunfsvB+B-b5RrJNfrSA(kxcr(k*BdnV%6Rna4_LT46yZh^HE&Hp+O0ncw1EjE5
z!(o7Q>jK^aTeZfpPBk|30Bqn_Z1C#dIss)LFIJz_TsD4yPqA39I*Q5UG8>a!&e9~k
zHjOi+<{MPGw)}B`wv)GRj*_K1`IP(nG<ZVW?ztAl`9%1(3s0`8?{Ctz?bz_T$M2Zh
zcYDJWQuO*>vPj1t>Q!!ASeaLHTmVZzTSi&dZJ}3~1WTd2#L^qHi?s<O)zdWum4;D|
z!8Q<0yQK`t)-Mo&E@H8I(Sb&GPkC}g?A+AcZNva4Ka{~~uc-$twl)L1>QiQGZ^xDK
z&j4F%-XBW?E1W+0YLN>nH?1|7p&*4gLzZHRN4sdlP3^JpX=yXTWJptg3*PHl((^tq
zuJGSRGE(`tmrR}Gdc|v-dn(GrXJ&}npyXRvXVsCr8QOX|i`NnFFV&z9^jy13ycYx<
zoqzY*sOCPi>H*B&F2?Ki-MLwZBnyz|zSlmSm;k9@SA<r}2d?&g8A3k|;Vy57FBr~G
zOk?r`TN}En8|gG$U0m=`AFFD~eW@DE7OD*|%XpNd@-KuB^{A_w;&Q&Nud8C>0zUVy
zR2;oA83B<x_Brs2qr_F59-QnQXdf@A-bQg-ZU*Sgxzj3w9)$TMd{<~7C^tZ$5of0u
zQOp@*ryfJI)~bE7GNdw*R^bEJY;I{`eeWTKJD^TdNuYnaw9)wELyppT<MY2^f#6H-
zF1uCBpT#iW%I*{cx?6Y7(n?muf^&7qnwAw89IB}Go@JROEG=9j|8vws14T;&DSlOv
zyQ}s76IinzmOWW=-#07Uam~c{$uz%v(dve&F`LWkp?;2aTD$R$C$#MYS1-jTE=`M;
zv2Eqf=XafyRaR+PlP!(s;6y=$<f7)flf=PGg^x}iX+;I~RDp5Fe?+T}#e@0#yR77t
z@<0OPv=SOm!c+e!zBxE_mgi@Tfb{%_3W=_28<XY(Q4!tVvCJk3<^8u{u1fa;y7%al
z<t$tIWxKx1H$O|k#^0|lsx+Px|K^1mSeig}+x<5nSV~6u`nAxqNa6xHir5-HFOgOM
zGx}OnEUEFS<inWzqlC?M^2IrU+v(`{z=i5E3^MjiWd3cR;@loSibGnS&o}+KXd=Ak
zsZ#tx(nTC^XFOOy-M_*d+{}r4@;GDy6oS(+bs!{}!uv4}30&=27ti;%s8+rjLs#$p
zpq2;UrbhH85Zq8)T2?EI{tEIjnzuh}1astferWEGv&~>SXS%&zUZ9MmY8PURwYfOS
zj?4*uA>04%XW`6lXjN5g<WyY{$MRo|s*oD;GUKpF$(sLnB>&A0yG2m+|3w*NzoVZn
zBnlFew&6dfFj)FG2#<RCrYfCR2P&VZ;H?*r-tGLOpRfmSs4W;YM)I_|ogLmne59qd
zq4FkEEyp$vqFt{p)qV%SrxhYMq4I3eAsKZwz{PE)lS*Ao5HXcT48q*d{^rFG3Lb*B
z;e4+6AMvG3T;$#VgS<}VM2x&Wd#<%q$_jk=Jp~q1iF=?PM#zVsUoXGDP%8xZ_~V@W
zW22Crgboy=!gqsTyVnd3QvwN4AI@+D!onvRR?w&y1|39!eXZ}twNc)H08qe(Qze|$
zVmDF;+AgK_uPcnM$`rG;%!O68RT3oslQ4JB@z$P0pBS<$@bW961K^=zQlU?Q^Yi-S
z2+|9}Rr|6!4gx(YQZ^>Zu_VE&nolD|>m)&Sh4rgDF9~@DqP-1upbPhjD3I89NMPLD
zYp1z-uT(K3f8&~pgi2E>XUw>fhq7b-VTxdMG)J^0sr?t?EAK~7u%9J~AA+IwtUV$L
zZhz)Y^opU&3Xyhh+?<jq`tNVPrr+b&7<<p^pNW^tMoMTw#Z)fhAsxAPmAO<Fv%-vW
z(M9FB@9607I*f#YG;jrHQuFUJblOq<e0!|l)nqV|{^=JgShw%WDi%PmJf028vBS92
zU{-dIpsxNBs-HQ6t>sKE&9G<;KNb1JWjUSUQ%(^DoKaK2HUkf*v83#>6Lldmv2?3j
z7rnCT&bz}OsRn`FS~_TO2XKhdspClC=$k&hKRa?)Mzzuoi;vmFFksYCW$Vqh;Imn%
zZ3W?+v$)qz`pUYlty?J!{=7UNU-X~k4hxKVnxmGki~SxE%X2v*So<I2L+PME2wezX
z!{cx%$9cEeMyl|E2t%)&Pk*P^8DevwM$-TPY4d-B_rK%109A+=Z4VUvP!;vSC^^vf
zkq$JXPSWx@Bn#5xtaz9p*f>O}M-@4qxJGVr54&5NQ={6f+nIm3SS?|?*vPiGB-7*N
z_Z4@nqjDDw#%9!}cWqwT7ctOEMAb&nP+rQlCU1Oa^oj5~H9=%0o+<V|ER|_el(j>V
zY-Qyh0Eft9mJn#9Qn=B=QqYG#Mq95ZAP>{foy0fxVIBca=T7z?>y+)<+N7giw^f2P
z$TI?2A4=*kKDphHb+?c_xu7}Cud$qEd;8mRLza;%{s6W1LcfEni$WW{S;_%6yRWt$
zzy4Ao_D%|hRGue7;0hk<GLUppKMt3FHRa0$3a(3?f-D-(BK!jIqW^Mai<R{l-0rR|
z`ibKO_FM<Pl+~zEG+M$Hd*Rtz=0$xpqdE7B!dUM$<JXbayHW&)byA-BxcmxkHds5W
zGOxkt&Svkrfb6ps(PdIA;q#f$=!mSI9GNI4xu`MaSDKs-LBZZOg*0nbt%Qa7MfBUs
zfHs}AKeSH|HLxr8)*;>;2|3nKAS4-gX7Q}N6!M(d+ljD#k`UY{K@n6TDGouY8iIP=
z#e1FGHD29nEP)dTlEI@))ERa<Bp93M{b!E!LG%-oJ?HG_Sv<sg_R4ttWww3pr5$+9
zE83#h?}D6&>%cO^@^>CVtQ<)Jwe~j#np6s!?YLg?kmpn$?F&LNM4sZkzHq}tHEGMB
zDfR^2=}&!`-c<fTx*e#(vvKFQ$ckWAc$f`iC$wTZW3|^Oo#E&ER!C2Pqq%PbZccvB
z5b^J%)2Y$7+8E6`d3H~gs`@4p%8T8gJ#KQ`J%T64bJ25J1&VMpTa=867QCsjvK*CR
zw?=g#=a(oKVNPiglXKQ8i`dGB^dx%g2cnOE3pR)w8hS{%oHIXPU)^Yh6m}!b$ld!L
z-JX)z=WW4bp5-Izk8gLS^hEPjEU*x)<ec-29A10OPpxN_EIyweO8Ac2nDsGLV7gP^
zyFGI6U5tE*BQY~pBD}oaVLWSRGyR9Uzg00L=v<w9TfPz}qB2X*JQ&J!J0-|g_9T)f
zvad|xp+?3`4wXUIaCyvhu2`+1T?0=y0nVyY7Yj@}9$-Ix#|61KtZFbw1r1il=zY*=
z#eW=GZJWY>?oTnR1LglKCy^qkq`r+<UbL68dGfnbm}hY-`91R5x#x#Ci%Q_MxXZl#
zi{oXSSbP<i)K{%d>ZG)*$mDJU>7qH7?Zt0SN;MpM78f7sBf5|ka`=YvuMf-abK<(7
zYvln2G5T?P41@?%CHOF&8QFx%*?sL&zs73b2(>ZN6`AAa#D?#V<^YyDdG$CC$f#sU
zFY&RZ<xd;Ge@-ww`uh5}zi)D(JF8=?8P8sI)n`~CSPl@F$CxS+V}@cPcc<K_wz9n`
zg80P<Mpoe*;2j(=@*M6?v4Or)`Qq0eODR{Nl*vBM88jX&rZYR_KVC0551MP%BcaY!
zyLuo}qAC0RQ2(D+cw59Z<zUnK`$_jnXAYZXqT}~G`vv{(Vcwx!Cf?@8Gx-AeeunQl
ze>wJiT<<5zn~Uz48^pvaf_mjmS|FEJ)34M*H_NZvM3p+n;k%tSs<&RqPAIWzA*#z9
zVueDM;VCFfDA)ZUexp}Rts;TyUoH0+Oa8^XkDCav2i74A8M*mZBUANp1bL|qD;|%=
z3ksPo4wovS3Ph&p$h?B0tb80dW;qf9aN9Lj1+WRLW=o~B`9xmr`Ge&4Yddi7i{0;J
z_&79s9r7sH$qw3(@5zng5daB)+jGo})Ks8t-!EF1%JJDApv|X9urZkcZk6t4RXi|E
zFd+0L!_t2Xp|yhy#QEbz`y`u0L`)nL9zEK<=pEJn6|7>*o1ICo6{V>*jx(>1vk!p3
zHYJB^*))~z)mvOQo<d=`ega`al)j*Iwv!<0OM9i9W|vc2Z<6GIoa--qTd0wl<Dd|B
z=95?)ZV(YQt@_wtt9b7U$vOAQRTEbPYS2QYQ3v>H=d!gWT~Mv3@gJ<!JOLCcjbl_5
zpa-K}Dka+;p^c+x&PJ9b`5!wOD`g$V-Mu-ry)OxU`GNGlWamp70h~yd@|9Pc*t~DJ
zIg&YQ^9`kQs~q+3F$a7<!^L!@vy;pdksrC@PNHL)xA3>Vo4)+5q&VNTT<(R}#gOH<
z{~5PMh|XWSU>aQiccP(syTBISQmgCHR6?%wyJtmArs-J__uQU)EcydA9p8y2wjVFZ
znrx9fpH6=D+Uyrs6JKIROw5nc$pRX`7w5fo_#!b!%qb(~K4D1UXJZ;$R$s^_g!#f5
zGm+;Pwa6tMY|fb?%<}fc0IS_a(GwnaGX$Q<2jXlGC%-w)?*uP*^~|8E@H&`%FWOU1
z?e|`xKlX;}zCQ898of*MixtWYv>Eq^)i_&t5HwB*8-*DF^Cxpmmr1g5_HAhpTRex>
z9NDvetmY4qChmSWnj@6B+c&Bzl-=&M+buvkK&}Yc#2OGs!y%>wU{<@M@XePXv;tU?
zYauJ$V&5*4N?Ys-WqXkQHe(*nv_<o8GHsJ7s<4M|IXBD;2l;e534MXcd$&3pgV8f?
zUi7mWIDh{ZIGL6zZ;w)D+fYFvxZ-K)H1ry&K}t2-bObN5zc0wL8cdUsopawct1$N#
z`Y*?MiHfx2?kkuF@$Tbgo1W92*9HMjpyhYfx@n~6oMu4n_Ro}YG*-aTOq$c2;i@n7
zFo2_w;BX}PdIb~EcZJ77+bol&d$V^f;{IuaT2V7)F#YS3AX3m>%+|!s*PhQa!+p9&
zQmMLl-4!Z#B<5nehsR&!s^=ccn<~OmYD8KtzU2S|3HvygGEP=!h8MJ<!X-|w;d4e9
z1jhQ=R~-bF?y4nfYvwl2rOD;dm@v+J%SlSmGVfYv#z6A2^DpNIC_v?7bztdYLHQl=
zV&C>2dWP>HGxknh!5}z}gQ)fa-3$fpFOI+<)8d=fpkS)GiLEyj1Tdu~hSFJOXkaFC
zN#pkefdNC~*-@TRORH_1Tj**R*E0~sm^UIU#FnKd{pC+hD1iT$k8ikqc7Fye71{5_
z;_#Gam1j&0YtbcFK}XSI;-LE5p!b**OYZhIva0bjw1g;oAw}@v5Ocw+Z#qt;!g-kW
zvY~$2$iI|!Q9aNBaRNO;vB>M}HPZ?#b8zdcgn$P^lmKr*zF}%_rLh+}txJs^n5adf
zo0%a4Cc%rwrOiJBQ_$TD$|wcpbaZ9eW~OnY41V(m<jL@y6e~UX_-C)6A1dPNS-$bH
z7Qy!3Bu8^R!U2l4xspyg?B@nHo7z}IadjsDcpU}R;)juPICQ>rh`H&g6;L`?zeG)k
z>N|pdUQF3cwj`+s#$ILgM^Tb+y6n%Pw?p*w38jy<bG#{$fYrx6vLm?fQA3p-_qCg&
zKA1g$<*|5c+FBO1G~H!XMnSBChEJmmA~}fS7o}+{E5f{7aBh1Fe#$}<vZ`;}$0&}d
z2#9YpHVi+>`*c_-bXJ#fbp7fJxu4+bP11NdP}3oLiF)9U;99BcHODVr#_n$z8?Jbk
zI9G|-Wo^HZcQtQ=Q;_SDRO;*Ld;=<<#b~l*+$6~+k_2UGWTz^EiPDE78fMi%2HwiT
z!Gu|+!t}$`8W(HPMpev3{TG}9Bz0X~zv`q{Q`OZ5eaRuqr5tHm>5)$~rmY;y%KZ*a
zf2jD2Z-Nk)dQ|FzBDi(ytxq07mq5MAba%2?bD|2%h~@?a5dl27S~vLua9IEDYZ1@e
zIWE#+S`D*uU-~1Q%(h!}9cOpx&$_Amjc3=^sEu`T(4w!Jm<K89*q49n&l*%Nqr!Y0
zY`cC3eMnW!HJc8b&(mauC(y@p3A_-oB=uWF&`ZfnXhJ)>sJlSVKg_I~U_Dw|G>Pgm
z+2aoo4k{Z@F@K)B>acPyg1ep7NI49IF~_AOdyPDz@XD8&wDx5Le6MPwN=-KjrgE2(
zc<06f#KDxFLZtp8riK#(n%DR$=pAdTFJ4J%L_Gm-3MA32B8|h|G)jo6dB2EQ+DO;h
zws5nTD!CW_R(g%kKXxPlDeN*Kg@PJk!R7`pDk37xBLz3zlHgz&+7#6xY7**5)tA8X
zp!Dc%pt$OTSMkW=nXIUVFz^8Le_V17;VjtC2!bvp>-h<H$7r>1a|#Q!ZNvvD$Y+jA
z&=4^Rr3UsbB}bgtb;0z9Ut@W-B^h}tKot{%_U^7qsR32EV+I2w7r8+^XYFdbL_zN<
zc?z#%1Rmt!3Y%Hfb^(wqBV(aR*m-JbjE4;9jEU@$bo|u_)pxsksfufezOE-^z<P?m
z9yFrp86k8jgqe=+=%Y$dxtV28KIUV*#8pAK!1zNg;s;*hN9y7}TH@Nic<tjFC;+v(
zJsHRh$UnRxIJgTPFmjCGB6vQmnV)|xj`eq&YvMd58|yP0(%cxL)*&ajm(VjV&@~{R
zXG!m?)Kube#8s(qfwlJTYn}#I#8T1|u9einO_>at0_33@yw{-|TNJFUF0U<z`-uG8
zeEoiCj{|`g|D?8h)emSkZh=1Lx)a_uxE*^1sPOhDd1XZBMj2}_C^`tfGRZUMS+HQe
zus2q6b^&LNVfgdufgx*Uu=8A$Fv!R9WEuI7G*Az&K140Jts+&-ZKPlvK8c!y=ygi&
zY8hZTR64}d(OED{YbfAe>NonD1`1uTcqB_GU)*eC1qzhP)&1&R>`aAn>(?RFgcn2h
z569PGXu1uNvFcs%n!gs(guhS}DlyUfkHpbU?rhYTNtnJ@J3T>;XesJ`|2Q%IL|72`
zAy5c!KkQl&wWIr7uKWQ(O|)34kgsXv$VvGu73<tHd0cmE<~Y#S)@0O5rtD8E=(AI$
zA~N=C!B3N!K18fI9oc%^!4Acxu{rK-no%t;P)twGj@3dt0h?Tbe<sSeL_D<}QO-qQ
zXwUekNyqJ1W0ya5siR_CtQ<})v0_*%*i7rqL$W$RD;*uj+J-My9)l7*G53kQ)Z4h0
zV?7w5E`D%O6=p-gY*zAyAha*kgWyIkO?RWJEekdy{=3mj;^R>X&=&OP#hTAK1{4-d
zOt+YnwNM7Ip7(<H9P%L<2l`M!p_el4t(2(;#DpiR5|;^Pes<0_^={Tn;CfE8vcf+C
z?L?Q-*iT&Vl4-CwG`Dm5wkOL~q<qBGIecvd{(SuwCV4}pq+)Pa>R!vP%yK6h_o#c_
zY5K22i}zQ1>qT(=dOZIVD=3m(geg*T``Ij@sjR<~_`H{`Vl(X4{dC+UY9fIZO|^mS
z${{TQ8C8t3ltt(|baB>Kpv=fwy9Sra5A;+|^Ba%DAkWXvo)i7$Kk<CZK4!EP7eLuO
z(6a4=zomxP=byB!J@(tWwxYZkzJsAqFA}(<K$yxTY`zUTHmhXHf^ofDMy>AHJm3c0
zfrp&d2F)W-wqZ7TI3e_zxnCH$sWbw{8+;$Gak!^;S)s`Chgj9UDyMVp#<IXIhN~#J
zH_ydd_L7@u`n~jin#kFk&XeOy+T$6)#|_yxj6E-y_FZ}T`~fF(f@K;gIh32mU1cej
z<DUz6>zi6(2J<E{)V@NCW-)ZPhXM>i)~If1crw$X1;(qGXuYbyrhw7N-3PlH>>T5r
tFNzFLl=Atv5W~;z)wciL)RM05c2c+c{PBM}-~U<zG!eS+>PJt*{trOKjQ;=t

diff --git a/app/assets/ico/apple-touch-icon.png b/app/assets/ico/apple-touch-icon.png
index aeea31ce8754a28959e23880001234a69386f5a0..f05e9c1612db04f85923785d1f4ba88dab243d96 100644
GIT binary patch
literal 1840
zcmb7FYcw0!7EXJE&?-UEkSK{swHhs<6ZL3<2(2haI~nilM24o`@1~~FDVK&KEoz1+
zoeUMZF7XbXRz2F%NQ;j5EA^%lLe*n3|7O;@Gi%)+dw*-6eb(CRtnb_3`S(Slqp}i2
z2><{nI}z;NWmxk^faGP_x?A2<28v+>QX~LyK>d%{2YC3Sw(M|Uq`M;yP}!q9Co6zK
zSQjh+P?dRLJ3tNqkbmK1kNqlc-_nRJg&C{;bakd}bw89*O|EILupm7SHv;AqGtW&O
zRcgl#9V|O(F2_sOG=^UIRaoqX3;)>GTS{VFuKQpb<!q{%U8TJe-=#xzSzhKhC%lm~
zkE!Td)M^xu?Jmcz?CdfT3P|EX?+4j8F7Lfk0d|(x&_oW=pK7Pa?@bpYwo>%TQRJpI
z&NQNkbt}1xdI~|gjT3-=V1bpea1A>C7?5!h1SwWU<MjWoficE!izQS{^n9s(T}w;W
zb|a5xSWw{A)LPddk!-c&#nrnz_wRdREy#3K+UO`ee>a}t<#&STN%9)HH#lEzY;svH
z5l)#}O9IgNpO!tJDC}0iq+&_1X*L_4)C;ch=*ZMN?;BVG?|NeyZ0qxN_Do-JG5a_W
zdOKr$?pS5Xx?ZH@zncT@6Zq?e5x`Oprb(rDc1luDSKnM2?#6o}I4bP<^Pp@b0kZM2
zBM4zhM}eR`?oBhp);)`YPfqDbpwB59ts{nQ0Dk_(EZv!HU}wiRRHLI#L5o9ui?Sp|
znddct%K3TPxdms)rEIqGC>X6~m&~@i;g6s!3iG0UmoUNf_7LGOe4;G~66#bUO=VRf
zeKw;+V#C!ttSW9*6&Q1NabY2Xj`zsP$@QiY5EOKu2MXzzlZX{i%ECFkXdt6D?#N?B
z2(>r9CT0Ddto*4+TWbLXp$>&?G?)V!7b;B54JlV2!D~d(Fd*YK{tYA5Q-<;f-;^jq
z@=1j;s%T5o&8+Tjp03=3U!P67d(E^%M@X+dP`No-7jm!Q-*X2DZ0P+C*ER^f$3GyT
zY-%rc>tG!hCLJH2L&&crZdBN0elfd&u%00~#y_69GHd3;4Ol4h8jBX%4RQPrjTqj4
zsooG4?hf-@<WuXOw2qA)a}oHI!lk_Yg@}!T#K~T_<P{W<`gC#8I={)*WOO!Ye+Xz0
z#26f!nC?)7eD3x7PYc)8)@siBCG%e{v(`rag%I@HYRQiyYIF<o@-1#d4W6oq)tOp4
z^vo2Fez<C}^kqa_ztuyQvTz}b@Bi}FgZinaNFeo|ulI_aD@Ksb#zf^CDSTZ1t4MXG
zzq8};9Pi35vT1h~jqJ~l#@>!q$Ld@S4|#jDf^$}%64*Ta?Ulo_Q4@nHc%61BR;}jr
z16S$rD+o5w*3z;m;aNbK=TWRqv3_DblkL_$-bkfe;7rmsr1d?M7y}^nd*5IT`l_T^
zM7|U(#Z!oSO9s%aq~_CsV&Eeg7ix`{0vCr<?`CAw+kp6Z!3$>Lq^%%H*yr%Edlv7T
z?)3s>nOwD%nh;aJV`3BK>}C<?eF<iq(UZn9n_ZA#254G^%ft5m%Cc92pTN;rxS4h3
z>v>YYjC0tL=AM%dg3i}s#WI;P)}*LcmxEN%rd3uW7iG$s>%6veE{2XDvKnR+1eElQ
zp2G@tqiX0uao@X|xN`!ElOx%rPDvI0P*`?{-PEZFaT(c~%Xo64Kt@sH*+f@O&1;qA
zLn_!nSBSWxqzs?NTGjM{BrK&YOoFjf<`Bsb={c3xCxh(;??u*R2LZvV+%{x)ty*#5
z^a-g3?)pdzJaS{kaKCJcXf4~Kfw$xhg%~>P0D*ltQssl_ChaS!&5Jm7tkzu{KdE%d
zPZQ{)+IY%u;Of_YtfY%TXdV%HJhKR)xA`ceGt^-A`zVcmeo}h+`H2sm9MvcQgwy_c
zF`jo1e8zy1BJ3{Td#6`7$IXH@K{c>CKTpgP!F*S*Db7-Jn$`X~oZtwB@RM(U<rzHH
z{C3_=!rQTdq|gL-2qetSrcK0PnF+Y5C)!oMF|yP|>i?tb-B@2@`Zisg=m`sX<*7JW
z=COkm&95<|3Sbukzw^@aIQ0Lz=il1u|8C@A^b)8vy99>c`<8}pXZ%AKIS9;`s}oOa
z$N56_?e#t?Z!j2z+-%+aOhTQEptpJ~tjAVIPpwc!p6dRykN<ff)0>WRDm#8I#o1ub
ynHWJ*@j1S;*Hx<v(>hvWCl=dg<*FDWxd5w1=x-59%Ce6Q0B~|3+E?QI>AwS)Oibbc

literal 6116
zcmb7oWmwct)b=j9^sXQv4NFQR(z$?0Bi#rnA>AcNEZvRNk|L>;gu=4)N`rKRNDIOO
zQu6Ho%lp1x-Ve`*Gw00w&UMYqncp?{J$Ib0wkjDh9Wej^AX9s;tcUf@{~3q?+scj-
zh+rMiTTc}Rs2^k4!*-Nko2c1qX#pN%V-Nrs;{?F_F9mCKSOWlXi-7=KtOx!#R*dt1
zzBU)*{@?h&M5CGPKmdS7TTNNfAOLt|Nt8)7^Dv~7?1nUfJiiPllJxs;fj1rrOivZn
zJmzR4KepL=#4WHqdm*Zt#Khs|Xh0e_$S>@v=sm$*%7XKlC7+b^rt3-Pc9-9qpqlFX
z-}S%$8Q!f*3a!i-BL5+eXFpx81>e8Zp@OkRglT|JI?5TRNEKP4!@y>->yPo^6ZLwP
zqR&A53?2`0V2;LB`gBk@HF+B`khQty2Tu|NMnY&26$V~3+|L{Ul|<pz!@7^FXC;b-
z5w%3qn~Z;4B8B9VC4Q(fng=rI2A|h(!vz|XyB3%#q~}!9e+SJfviM9vuF`pNY`uQQ
z7g$uXV`t%*Vaxjd5XkCNKZN#GXJdgI>GA7TSwO(Bop_7nxxFh9O!BtL+XZV*xWEJa
zi>O%pTJmWU`V3iyw>MS8z0INi%UQ<dkK0ehnBGSinshcI0@1UeBx|Y<DHp0vNYoMe
z8Dxe0a>bPJ=3|9~KAG<Kw<e&%M`Z=$CSQ5g1xqhO0=)ZDhpM6w34r0<$W9-axR3?A
zGqxC}O4(NtjJt92j<FLTvo=P!=nFh8vtpjjT<@-{3&th60@BB9SewbY+nI<_GDR%{
znwKTUMUO^WGXMHMrQJxBoKT{fyRLGLnvhCP{KLiCEG%Yv*BGDyFS3Sw;G#Sg)gy5v
z)SgAj{ga70#PxJxB1n4X<pSu74!KjBp94M`phr<j3&6#qxXx1OFO~Pma;dAX9#t8y
zE}%7X&QB-J&uu!O964KODBv|Q?jV}XCNB$i(dRW56C(SiHDzBa2+hmr$0j<8crCL+
zs^Z6d5mky=trpU<cv#|2ruq7JT1rfnP|2s1pf8u{6l>=N-oV8B&>y|3T>fWMR8$vy
zK{rqLR%L@+-81d^K$Fj@WG+19ec$Y{rhui@Jg1bnP&P-ymCn5wix9Y#;;{?+VRZid
zw9cUKxn2TZO#d{Al2hkZjw=2xi~YNd+Ii{<hwK<f5s|aRazf1%bKQ&BBDpu)Db~(D
zq3sMbFo%-8tj{S3GdjG<L_rvrhPZLC6ML-D0$ZV@5oolc={|^)sQ}Fj#azhQ*<SYc
zdcAX(C+m@=WM<f+>$ss2mgL*@7e8FwL6S{oYC+6O?1()ejHs2f#h~5UuF(BusdxHe
zqZyPN33Anos`s}7$`mMq$tSK|5$)cSo8Usz;}UC|K2!ZY9_Je~kSlDLWk{MavTYF3
zDCXT;h$DUF|5^Cjc73OHfduuUH_c<IaGpc`-MxUO{{ei=zZBQuY^ShYv11z`Xc^zy
z3k>-9{YBr;iOC>5JR9+4C5>K8bzGqg;MG@1=dNTf%rNaG*8$bS+o5Xo<Xgq>G59PP
z>kY&AJ$zzdvEbj*eX6}3!BxJ+-(vY?eQ<bk+42?E<pqf+MdydjNhNyW?cXAE>i4$F
z{61$SsJ;J37_`UKb~F|qBFhA15R=r4l4UpU<&wj5&z4^woxBGij@*-f1XrJ0f>z4o
zWItzEn*+yj-u99BJ}>1t+&Ot>5t-^E*tQX`_Uh>0ZO$4&FW51V@mGH^%h6E{G;`6$
z`vFzHn!{Vh5A;i_yADE1<aLb;OzO3nY>462pN@Ee$Uf)WRt=cwAiJ5rRM6%@s;G~i
zzqM6l{aY<^+11)*@+Ww*r%-b;D;_NxS-A1AWUN?6V08Npv#Bh>I_(nrT$;_N_mIUB
zMA;iVa(Enq_hmQJ?iPcKiGTcTmt1i?c&;08*NQ~^MLF9{{A&2DBA^_+R!0G$2w35M
z?d0{jP=-u)v6FseTI#rm_s&-Nq@#zivg339C;9ywzM(te!-E4G>w_fVuT6d*bR)>J
zL*Tiw?YhKA?>)^**h@1bxc$3RF5L@3Mf=W)MuL;qEFPK*AR`GaGicf#Y3{=&-OHSu
zs6F9aeR?0hv>YL&Ulr~!OwD<Kqm8w{cej$W3eDJbZkAC+L9bKcS@ArtoO5|X$t$P`
z#lY4b1?gWV2@!C@w+gDQkDnM*cRcw|WmlOtxwPM?$JTPS*s*aklOia~k!%vZxOSBZ
z2f@2ppED4+am*^A@b@wisMQ5pj4))G&E@zEFPtm+&y+>3@m5Z>Pt%pebs%ri={tAw
zsi)6-n2fe~-xG3KA6jbc@(*bS(+JejuTP0&<S+Jq+ue@YTv7V@<H8Gbx+`E6RG}Yc
zrP};wvgO(avzP1igb`JqaB{;Rb5%uSKPthWuR{cDQhT}j?nCv^-(cF;4TZO=+-_ZQ
z^vR<M!D;3riiFHmR<$qWxfm;mTi3Kn^@iuVZiKyVi9`T8N7NND5&?KSzSZ}6<9GCj
z2NXN_dk<s|=VtIfK5gpz8EEV@rHH<pI3(<%Uq2EfvUem#V{+OXsX7x)SMhUDZgovI
z#zu-S4!d|i@G1Oa2&Q|$VZUWYTF7OUGw$Gap&1aIormoHNT)1E7RdSx;uETHJdjD>
zInwiXKj)x@g9{T1z8XoP_f=|Z7gMk26~NI*rr>^Z!A&Bl>N&&f&&z=W+tn)-y!^rl
z<RFOh1<m<2prU6d7MPPB$XA6kMDKpJF=#SHuSz!^TrnkmW)8g2ui^XM#7C=@&o0!=
zX7vobJ?8ks?DWo>9C;}sVw<7Ua!zkI$*EK;AKiiuo17&!<*xlHCOVf!7_GvTzXziP
zX1K#rZKMd?riE_oz<N*5_xrE&<6nJH8yfiv+)3<d58ByVc}0vvi!?>ZJh&lk>I&3m
z&1oRfQA6ltKpFg@`<G{Op|33+3+^h3E3<Y>>Np1vAbn$YHjYtM1NF6G;&1Yr$K3(s
zJWXs(Rmj!1MqO6CWiJMoP;L#>6Pb_88z{ZM4%>Fdf^g~;6+lOHhU!YRSVTYRHUxo6
zEGx8~62WE?|3CN_TUYqN@{D@YEmC@D1IALUT>cqMHe8`eF8eP0?VD`phDFU8+bujw
z&HY$3+d}eDFbma{HK?!{^xM}Nl5Z9DHr`}2*z3DW&-*_qE0&^!!mE#WLLX#6U-<79
z@cMf3JkU|QTNW5T)Blune1S#(FElzlb$!@{Y19JRJ3Fz#QNO-AuP}}}1#w{S<x1{`
zjp6)^QIsMbXUN0_r+d_lvpF!1`kO*QY#Bs1Z^HUz3&PXni10}!pV~tLNBw9#M?oey
zFOoEU#v$B6MytCgs?t_V0^$HI7A*-JCG1S{N@V%ef3=J_lV7zrcR$xEb8a{)jwJzu
z=@;?UGdcUPOk}VjRYyPpTRR*Mb;?Z;x2w`%jcI|-;TCPgHeQD*W7Ott<aZzW?oCJb
zo3Ee}N};W%h5>0FemABM(H%|k2DdU~t1t<*s0q&kJA`fhE{vtn3*q&z8a2!qv%(lL
zKe0Vh`=E8jO~l(9KEYvBy}W9L<sTQDJQc6Q!|XL2Jk<vDEma&{Ly4B`(Zh`PeW+90
zg!dZhPik4fP;Ve@9j5p*?nQE29n{^Tj0`$bQr+$J?X!(W^L~)aiJMK2T5UIXQP>-o
z7p!^~cqa0G4&&TfyP@-svhKIpwg|Xanl18vRyz~VgmBlLFPOZ$@;tPEea_=X_FD&#
zCb{I+Gsil$<f)$W(52cUF63K`t<G`We7EDaTxSy|rEnIlM00LL_v|j7*P|J{(4p>Z
zE0}x1c|qU&xP?VDBlkWe?4S|-g?=H^trh20C^R9M+=<V?+OB2B%Zd%By>pyWBXv9?
z42C`GhkDTl9PhAOzp~@z;D%#qDeLR!hNr3uphEd*y@>x^N+x+otKyM>dxDE}!jVhV
z;Pe{CU824zZy052ofUrE$|T2-VHJqaSu@pMG4o{mn=K3Wk07*}zW6uKfMrR4LL@pL
zG<`YlPk*@p(n;NZCw|$~1(D4epKCLeNEmP$)z6#2vN9f9S@A0NZ=3tRZd)a=SIJrB
zisZ<uMz~c>r-t@FnOwsGiz=T#DQ3)tdKpoLde!mvf!3AhW6LrJ$7g(~p-apqeNQsW
zlUDCHO7IKkGvujjo9!I$zX(kw4K>*Dyp9j@%cy}_){OKC-DxFq!Ns>HC+J+fCT%*%
ziG%2FBTuN#lUBaS3SzXnDh{nT57keePy}Bo5nlKqjuNH_NNrWr6T-aUt0`5w_ueeR
zf0Oi(`XEa)DP9TgS9-6S-n^><{`gJNgrIiu%`Gf9Tvd6Obx^Y7>M6h@w<sX%Q-vVg
z2Hl~JcG5SkPy9qXeuNmmDK+av>cM|~T*o1;FW_5hT-F{#yBaq9R)^#Ti&y%4d<{sE
zNK0oerYh+*u^ZciyBWw{mA^93Kzg#S_Nzk{$uz>G_#3meo7k9m0A*Qh%@pmq+B$!#
zQk%cB$wBs7_2MV^Q*UTI0%(j&s7m*U{cj)@>ka~l*kxNT4MP%#Ib`lUP4}j*U<k&9
z&)~N~6+zCDeZydhK9)%c;5|C(R%*w)@3^Qq+DIN8snZUnI8y5N!sX-`8#J3X+E$%!
zZYqGQ)tMz^L49a)83rQ^ni^NwIS4r|<AcenFcW}p58o&ZB=gHUdE+UuTu>_mjE`Vr
zXJ0_0s`Y4t+pXm!1Idy|?=^ucS2SjYoQ=j-?t>THjYtqR$+B4M8WmXOi@P&M82D+R
z`bLH(_41W4Ws!<i(%Ij&w8G9lJZ8cOWJDpp)jU;6g;o{UvgBobqtd8-OWK+UYcWGf
z;OvFa2qx4e|Bf|#ayLoU?%x`#q1B4<wmsOF|CflH;@?7l3P&KbEqyMt<>zK#1`=oO
z{rc_IHT2d;F6hW1CwkZBCxQXKwbI}d@!Scbn>;}}I8iSrMJ-!wX-_CNRT}ryif*-+
z8Cp&t`Dv*kNEL2hR#_N-XJMZUuWKh{!kzwUfSKyF*)i_PpCrTkH(CrJ>vPF69NPG@
zxgl{3W+pq><R}{Yj33B6{IcsL5^76<!{p**l<OZ{bbdnt3XzOW|MYohqrWSZF7c^c
z^U8*VlqCh5e4B(ObE)x|eFu$SUYXo3fm=V{@pQu^*qwC{blQvR^zUk<p=7AfXDodb
zpb>T;+)hE!EjU52cmJfUhOeZx>{5!x64N6iG5Rx@<O5L9qzo+=z;9*ppp<Y{^|Z)P
z4(G#AosiAGRR8eY?~K3xvLm?!xm@`QQ?iZ}gp}rG#=jE}7Bu(5P>!W1q^IrlJw8x-
zsagdc0l2pE;B8YQ{MVatGx`sZgq{v2{4;w<L!3~>tWNKIn`=55%j_o_c&vld5|7~J
z>6FvcfA$naNT5+!@ZDRx+@jvY^Y@Qr#CjX{cJM7bMZv)$jXA267xl|AM|(kA^W1wS
zPfaxMA8YNh1XUBwi+gyHKT#a;JDFg_#Tm5+eCqL;p+P176j2#oR}H0<i6z{@kx{sv
zxOI9FyV}3zqWMUmgRrO*(Idx9mj40!82cbr`D3gvGDKt~Ut;FU1tN==$th|az-u*a
zJTjIX8}di$en&W*mZvR|QOJ7WEu^&dg;5DyO_td0>)gZ>2aTUUq{!SFC&#4>o)^Sx
zeK`J3nMeN_bVjPm@~RcZ#*C1eSA_<J980}K{(%cdVwA}{-*TQ1-`xbX398Oq+2M}E
z)`t1F2gx*}%nb<r7k>1H^f4u9_6T&8oDe&T;A+H6rj1zK$I(N5#&1~~_Bd?G!rOk;
z6<Rko5g6U<zL$H?_=ScgpeLLnyA#E&6>&3O)wAInO3NikimukA&e{cKKpXh2p&$|R
zNC7@gx`T$4-t{U<modNfAgE?K;^j%7oI|!Txc{r4p}vb$1DG(hXmMIqURn299|Ld@
zl9%6$+kbvy_M`c1z)M&H9d+|ctYKkr7)ZshfYKmoQ@jozo=zqeMTRU-e1J8hggI4h
zw<N(RKVSM++fG*x3vheVr1<IDT$v}i@G)=LXDewD$cSysl-Ew4PJego@x~C78Ey<N
z?Xvk9Qj6upsBOoO)n_E|0omVBBrZ+Jk41Zozd+C)T_UA21`>9@C$n+#G$tAm6Y>qj
zZjU^s_BWw^l=bJ&wUDL3-t(5%F8PdH62y<R0YRVSGzBA2QKaefK$nv5x#3*?>>jD;
z?Q4+qz|ZyN*tj8sye~_PRwN<5Cej_ZaN_b$X40+8V|t;wL)m>eZTkX6^i(3^4c_>A
z)+!i?ZqWq7HaK1*%`;nvt}1l8FxY_FNPM<%3T_o07-g3u;f{Q0*LHOEnwPDZ?Ha_b
zvFqy5pJWPlDS}s9-<`@Va#P2YY-Vv_YKBm`8U1;*(fmFe6s{aNZXXRfh%Av%^;T&|
z1Wd_?1fyiEx$<CARY4NwjX8EFA4{E%Sy(NTW!G~AeZ(S9Byjv@ssFj?)I0#*)A8kn
zw(GMQ{%g<eR8ySs==re$ne`b{Nr;9rGjO~3efT!Mav~&vfarb=O+Nx=!Gcc__pq+%
zE$+DOdpN$AgrWvJBd`M0N!X<O>dCARM+H+LVFq=!Er&sx4_+pl4_JWw!Yeix+N}Y<
zQ%S$`Rm7snoBGDe1amY+S7MY4UG4&#8i-qE7r^#1$^=iks$bx`QTMP()b+8-u8~QC
zq>WQ+^Y`!Jukf;MfX@SKIP6NPO4|M9h@P~o)UxWPph{>N(Iz~DMbmYBDVfXBjd!zv
zPpM!j)4T7GYfx>AMU6#Wx}yH}lD1|eRR+|Q{`-qcvM=efku?6)=vW2wdB;U5_D4Db
z8I+k&Q9){NRwIgs=)~@D6Gv6{N5E~+=!`TD@50)^aBO@on{MR8@=Swbr#h0Gvh)C<
ztWUe!T&w!JeYD|4uA3T&M+ieJB)7)<`gzSA9zFywV~a5BO|!94$Uv6BiJ&^vOVfc_
zD?*mvxw^b*-En@r1-2{t5_?;utjAoQOg5R&o3cL&mu|R^FDGKR>skBn9!XUT;iSGU
zO1>kAF*<>yWrX#n!aHg3(<E?`O_!2uzR{;O&@?#xnw}4ai<k2m2i^%W7tUL*ngw0^
zW6K0&*td*qM&H+wOxv047cXanzLE%xnqT*eU;WU3BgyQ|P(qp2Pm(V<IFb~VYx0%O
z+`xl7K#;oqQyA+E-NC5Q){G3H^V@G>wW8ufIt@&N<%*%TGLPkgpdnIu6LCqK1q5GU
ze+8FTYQ305`3V=s`{kmHE+sVi^ee_4SYuB?L(4=<+zGVM;@jehwtX~GC@v7<L0))f
zJ&HR)X->9g-lu!*$cNKw&alKYXB)Gq+R#~>D*2>ZObKxnT_LgM5}@Wbu(}qN{UU3=
z#m^&bRqC;V_@?4_<G-kY(gBSvLi|{9^#|z0FlWtVO|5OGdnAIU+~K7@4J?#Yf87RC
znin!`F7hr(D}mEia{X#vL6|-xX4+xA7uWOLCUig6E9(2~QzJ3B{c}IN_YJB@qRB|H
zV<AxjPLxCd(_`MLs<~Lj{pvzUUZf>x6|ZJ(fK&CEm+W`Rhtj`hH(X1PqMd!}8Rk@r
zYeA!6kMS!(K7zpUYLC?}mm-U^ufMJ6Ob=SW#f^_WD;>?1Y9XPZnXBMfMjM`(F#sr@
z74wlQgs?68HXnjUyFHoPA;SQff3C5sVMOUiztKX@dsN_)i{6kQ?JdUXhex($WZRh>
zB~O<FUgQ(}{kX$&`j_T#yXPh*ADw1$byh84B}Hztlc(<9#MOUDcU9L0%6wX)U$Poz
zbtA3JDsCs8cqBv=VBM##NmS#eHgCL4X+Ds>63MpzpTcV_uGho>PPKVXUX14We@3vH
tFCfpNQ~)ar`}#tk4g;~W@c%yLuRM2h0}2*i)AFCfuBM``Tn~F0@jn)OW)lDa

diff --git a/app/assets/ico/favicon-16x16.png b/app/assets/ico/favicon-16x16.png
index f7a26b564164405686d5aa98dc2e5ceaa5b1d340..8c60e5d9f450a701a57e86f3e6f5159a274d2672 100644
GIT binary patch
literal 368
zcmV-$0gwKPP)<h;3K|Lk000e1NJLTq000mG000mO1^@s6AM^iV00009a7bBm000XU
z000XU0RWnu7ytkO0drDELIAGL9O(c600d`2O+f$vv5yP<VFdsH0R>4!K~#7FrBg8v
z!9W=Oh#%4JtO%>HiW()@B=`wpu`v)o0f|w>sM5K*sxr2nwR`Q{UDBqfJw5S~OMCCj
z_wMC;cPT)~7s@aA5%=3Ag})h}5JiEkI9Qeqp7)Hc1p-o|4#PnYSde7}R+}w2j!W@r
z;DjXAVY!$^`1H3Ek7$Lh=W<ynm5O`<$CCon*&KHJ1I3Giz$f5?H9Q{~R-sm{kW{+u
z7R5WR%O}wJXe7-j0bMsJjynb1JQ`0TJktSA;end4<+zg*1#k*}6Q0MQ-y{F(Sp(Cw
zlLf-4B7r8lNEp~nSb%#5ECdeps{yO^HYkMeysB!!-m+~<fIP{6p7R^$wq~rZ{I)Fs
O0000<MNUMnLSTX$B9wgq

literal 772
zcmV+f1N;1mP)<h;3K|Lk000e1NJLTq000aC000mO1^@s6B4M5f0004nX+uL$Nkc;*
zaB^>EX>4Tx04R}tkv&MmKpe$iQ>7{u1v`j1WT;LSii(JnR-p(LLaorMgUO{|(4-+r
zad8w}3l4rPRvlcNb#-tR1i=pwH#a9m7b)?7O`%1M2gm(*ckglc4iIW3rdb_PK+|nA
z8IOtS%&Hi8MK}5}fEh$(W*Kvmlz`{>x`&UicM+cDeeTcEt7a_*_(bAaW|%hd2JzIU
zZE)Tv4zYr)5}y-~nRG$oN3JU_zj4ktSm2o<GnJet4iSs_Hdfl06-<qIk~pktI^_##
zmsQSNoV8MgHSft^7|iM`%Uq{9j5rpt1PLM(R8T|-HX^j@q*zGOe$2x^)bLB>Qpi;V
zBgX>D&>%Pb;D7MDTPrs)?j{9eK<A6&e2f5rU7%idobO}Dsh<G;XW&Y2`O7t6`jhl(
zOA8+XecQmrbxTwBfXf|V@X3%(xgq&!3b`Ecen#Jv0S0b?o;A0(<~~jzfE0C=xB(6h
zfzdo=uY0_^tG%~>&ouk{0pm<^)Q-Yq4*&oF24YJ`L;(K){{a7>y{D4^000SaNLh0L
z01ejw01ejxLMWSf00007bV*G`2jvM66c82bWaw!C0096=L_t(2&#lqVDnxM<2k_5m
zxRf#(MWUvZ5)wNpYLpik8}bI$Jb+iQP<D!)Qdr;ENgjYE4?tbzPw66K^PBSLUK`Hl
z+v%L|`F_ti{701Iw5uGaTjltr^?R+5(Y%CS^x*+#Ni~YU5Xx~{LkTN5#}(#qidnQ{
zH>pO)MbL19B91Vr;0>23X;=@#Uxg+LIx&F`Y+xCWNR#>K_Os<;z)`HC2aCAIbk;#y
z0(N5zQ#im#-UXWqB|M>ycl75GnhN6>Mg?sl|CO+hI~)du3TAMVXQ_@0)IvTK@IDOr
zp|FO93<raGmd<l54`dROYP1uU-o`UFu@`>xxA*`W9X5?I>Rj~z0000<MNUMnLSTZH
Cib%)+

diff --git a/app/assets/ico/favicon-32x32.png b/app/assets/ico/favicon-32x32.png
index d1ccc9cea45cc27613ccafc8e5ca3f9be354f187..8735718a2b3feceb4c378281f0a78a82865cdd5f 100644
GIT binary patch
literal 491
zcmV<H0Tlj;P)<h;3K|Lk000e1NJLTq001BW001Be1^@s6b9#F800009a7bBm000XU
z000XU0RWnu7ytkO0drDELIAGL9O(c600d`2O+f$vv5yP<VFdsH0f0$FK~#7F?U%7j
z!$1_qzlvkB8)v(!v}?^Q)ImhBW5IS19qQ&F{tF_wwL-^KintV9Ev~KA(PVDAC%fJY
z1cGvRX?pQG^n-&WcW^)QzI*Ro0SRsIl)v#0`urFb;^#GJmUe)3-o$0=0;XXgji&w#
zK@h_AJh-kGJueJk+ZAkD8_1%;;05i6E_?<iQ!XK>R`>Dz<e+(4m#)p#1C2%<wUc9L
z1Bf9^)6fS%Mz;4VPzvDm`ZzqQMdR$eB{f^Qv<syGbj)Z|8sqUKf)J@#+=5bo-y)Ey
z;4f(PfK18&L|Idm8I=GuB}dJl@x#MS#UdTBOcy(w3?|x~L`GE#V6hru%~2;_hi}}u
z+)YS@Nt7pY1)$P=dv`BflPLr;k?WnuK6)%;%6fx^0ce9T3=y#5et8(ZPcURLPurAa
z0%&)-=&*)Eg_gG`%%T#@4L8?Uf4<Wx;1w+8CbZ`4BUkr=6+j{RqT+JOGhwnGBrm7R
hPeGd7P*U1M@B;>Tg<fuLv6=t?002ovPDHLkV1n)y%*X%$

literal 1137
zcmV-%1djWOP)<h;3K|Lk000e1NJLTq000>P001Be1^@s6=bY090004nX+uL$Nkc;*
zaB^>EX>4Tx04R}tkv&MmKpe$iQ>7{u1v`j1WT;LSii(JnR-p(LLaorMgUO{|(4-+r
zad8w}3l4rPRvlcNb#-tR1i=pwH#a9m7b)?7O`%1M2gm(*ckglc4iIW3rdb_PK+|nA
z8IOtS%&Hi8MK}5}fEh$(W*Kvmlz`{>x`&UicM+cDeeTcEt7a_*_(bAaW|%hd2JzIU
zZE)Tv4zYr)5}y-~nRG$oN3JU_zj4ktSm2o<GnJet4iSs_Hdfl06-<qIk~pktI^_##
zmsQSNoV8MgHSft^7|iM`%Uq{9j5rpt1PLM(R8T|-HX^j@q*zGOe$2x^)bLB>Qpi;V
zBgX>D&>%Pb;D7MDTPrs)?j{9eK<A6&e2f5rU7%idobO}Dsh<G;XW&Y2`O7t6`jhl(
zOA8+XecQmrbxTwBfXf|V@X3%(xgq&!3b`Ecen#Jv0S0b?o;A0(<~~jzfE0C=xB(6h
zfzdo=uY0_^tG%~>&ouk{0pm<^)Q-Yq4*&oF24YJ`L;(K){{a7>y{D4^000SaNLh0L
z01ejw01ejxLMWSf00007bV*G`2jvM66c8|=U_34W00M1EL_t(Y$K}>fh*wn<2k_7P
zjm{&PKz+DUf+=WpBZMx(Ny?|<qK%7b72+oUKn4bZZd|o!A;YwA;Z|B`ASAj-5pQKh
z5atv^R0~lXP*9&)nEFPV=jQ(4$KyAD-u#9(es}ktci;D(bH3-C%X5n?lrLtX9B*=_
z)sSF0KE}&gD0gR}OcsqK3sZerDEHwC?&BV|;fE}gulG!nh4L+`E7*ul7{fnBp6<dy
ze42&wvn-UWXZlAn%g+aK6svHs$kXw5PH?%%)7RoU!7d!Z35*tb`nW4e7RryXIWCuC
z3!dO|jeiM-@l9=i0B_<J#xYjp>DTQ8ZG4UkU7Q-h7kCG!uq@uV#8>!khG0x~-U<|X
zI@xLH@NhV(s$Z)l*<9r5L=4yCD1aM9o=z-=x{@kMe!;s7t*s@sTaRET{=gvmV_w$9
zz1~T%KHm6SY>4qcf)DW5Vv$@&zyuy5#ZUMhPZ!vRk~+yC@+jf9Cr_~>hHGt8k|Iy5
z*8kB|>z>@fNj$=zQGNf$y(d{H)1FAOQ1;`KSh+LdEG{)A=?vFPa}dB#ui?6j=^F7v
zT#est#Dj&XtJR@`zj409eh!BtafQ*?+cw}!{1$C<s;i#(1Nc7HN5HWT+c5THMO<IQ
z+w<`z={}@v$8M~i<9sOcbZgVzwHL={8)h}U(a4i5lrO|O8EBB#2mSxGR^Hyew3@Gk
z*EA%6<x_pr+vZ;<Npds3LYm^0d6N`d`lqlbPQ50$+GsKsd3pw~;=L#UU3yz5juv_P
zV`B-ovEt%X((0=Y;r*Da)A%qBwjqocdHVD7^+<mPJGZqPIyr>k00000NkvXXu0mjf
D+RPFA

diff --git a/app/assets/ico/favicon.ico b/app/assets/ico/favicon.ico
index 28ed661f941580820ed764b4700fa332ae4f04ce..066969400119533a6348a47f6cf3f7d06f849245 100644
GIT binary patch
literal 7550
zcmeI1u}i~16voflQE(B#rQp;SbgR%&!O=?Bii?A_bM4%Aue<pJA~@PjL7huoMb~1N
z4h7?O=8HTyLYsSOljAIDdAam*Tz-7--Fuf*h&BJ4D+>R(BQCau*c3wS`j+#p<{SF)
zdD;?UWBt#94oeUF#loXycE4B1%gk0ogX(ETo}bmUR;`?9eO@k=Wb3*aX`Fdn*Ok+6
zPiyZVpIWBlqeJaHH@%*Ao{Y(pnNE3`#giwqb(dUzLLEg+MOpcvWHdh|Roj!ynWmXg
ze-P(ngW*s<zq|(Kx_3b?M6KiaM#s+8iBl743|PCJ_QHH=FcI76Yb+aAb!|+CbxV_p
z*f=##<ubtpHpH5G->7p_OjsMpTTv`@%@h-~>UKKTF>z`pwBqW7`P6+o;=^$q?OvDS
zoLY|m;xLiF)fRhxx*w-))GxLETb2oY5B)xyixX2xFd_eNG{P88u1bQb)ofbFgxY4C
zPI1<s3EyFDqt<eDf}hoOJL`OzctXBH-s19L9NtgN;!yjzOqdV%CyT>DV@Kn$mIrKc
zm}u@rTg08J$GmfsOz`zQ4z=GDlXJ_{2y7;p2E#X&KBQIJOwcFpvrJk{cy{5&59vc~
zQcUm<_6OZ|o4v;+hHwjAqn__|*W&smeE;nCzkgRhvCM}P8~-ko{^!R=uoY(_-G2ek
C1AKJ=

delta 1570
zcmV+-2HpAoI-U}L000310stj200031AOOe(001Tc001R00ssL30RS)q008a<004<l
zPDc$28VUda01Zh<L{b0%03`qb05Av!0001%g|jOF00oapL_t(oh3%MYY*a-Q$A4#c
zySv3gYi|h(B5Hh~p!f)nSP@yO2CW~^h(=L@CO$9(Bp4Ham4t_eM?eB-d?Z9o6{6Aj
zAjAjlEs8N3<AVaWBuZj@1k2vGl-l<0cJKIM?zY=~wRgLI<DX12GxyH9|Cu@SKW8qS
z!SEo(GGv%GKp5z=BB8#K*zy&H(Ez>&9vrEWVv-6122kOyTEQ6c_8DfcfXoG61f~H!
zz;<Ahqf|$K`@FDcn+30w(P(3s_Jttt0-piL0Sh<)ECHH)B8v>u4*c(=O4skhXt2vr
ztN{)ImjSg2#a%!*uosvDd;shMOvAKiR5lKOONUKLrc`5?wr^B*&D{u1z!Sh~QB1cY
zp)dS`O1^7FLKeuAz;yI>el3dE4bvWfc71PgNR4fOj8nPOoCfR%>VSG+DzH5|FBHo*
z#)<@Kd-VDyU_Nj!5CM+(e6rkVw8L!pB=-WOHVo4aqfb#P%7ABqhk<5b75eCBvvm~M
zir%(#j0TniD}ZCJoo@j|=#0({^{;e4sVXyuLTv*cPc!BRlFmAmV+4VOTXG@b+U&O{
zaBehz5^7I<p`V?CSAl&)e0Vxg0(=8J1iTM)y3ck4dw|PblbeRHl|)xMYXDA0f}of6
zSiaGQX@`KI6$#ZFrhPN;r4<QTu3+{8EkFg}6Qn*GN%w}KQMgWxP_^@+5K=y1Bic#t
zDbPk<WT<V`fj&qif(#sj1Otwl6r)SsW)I+h6q{7$EFA|W98^N9Tb@_KiDVn7DK?38
z<cdpWz!<k4cI(LroB-Z*>oJCwi9zsHFF^fv1Y`G6qLCoJ`HKn7swFUPBH`<1lIV)%
zB$W?Mf^0}Oyq+%qq{)m~w+HbD7`5ed!q?13M0-bHYa71OGRYw2`piDyXSeG|wDyR9
zTTUy~mF_dgFzpsA63Qo*nGhin>!I}8n{ax&={<Ci_^*dhu^8n`p35ZVis)^?6>ir_
zbnHrQUmLL0t#<>H&?$>IUj6`1XFI1}ehO!QU4Oq-x8BKhoF%2Cw^K{Oa^N2u<n()+
z2N6mlmr<3YztH#6MmZ!-#wlOCHtXYmjO}w!e$l6^%<cLMSjWJs{SB-gc-=dvj%_Qb
zSh+(eDakrIn@`;WY-YImyWp#AjITirUqj26ZUjI{_KnKcd&jT|Y1}Cu2mwfV6cP$5
z0c7gz{G=*%ke%x33or?!)Z-YG9YX>oRPHp9tLA_R_)9QMd+_#&qrfMHIj={5B-;L=
z^oEJVesQSUb%0n)3j|642J4hn6UH#@Cg8>_b`(0-`VJk4F9Bu&t>E-{y+S&jZN!_$
z0f^HTSAp>tkhGC4%zTW#sic186go{l1uO(EM(67<1EXEp3V_-H97bPC&l-wYbZ#g)
zS$s8%Kq;JtcT_e~Ci-$YKRGFX;C|qC;IS04HNYcidDsf779F^ofj5BGp-82|seik_
zo^krDNXS9w-iLucm*9D6gpvpXF90jiIo3JAT;MHWW?a05#GIr6I(Du)AyAF>t=E8M
zSqSBW0ILJaH=}5zDwb_IU+HW2L9~xeDZq9BSXk9CINef-ILhut#dD{BVHvYGOuHPN
ze@`xeNIE`3vA~)a@-!%Ir3AF|7K0GL?}fzdL8Pj*qTgC1LI77IIRacB3?3j#0M8*K
z59XkM6?wuSQtnTNABx4u#YJ8RWLw%-fPY8Mr5{nR12RZ;cl^-|JOFeQfzWYL{N!~|
zRzV!w5W^8Q0l1F=rLOgVXxj!Bh~m?zM@bk`rQIJHA>cy>;$bTGqJ{Qpv{O6iOyU_F
z=PRqm`?(or=n(fWpIU|v&J%z?fjU86>g#Hc`O7K<!~his>9iujg7Y#@Ns!TKBMP6=
zfj9;@R>a%ZoIx@19~u9w_KX$k!T<mO07*qoM6N<$f+zq003`qk003YB000310g*u&
U1ONa3vk@F+0ka?+RsoSvN@TpV@Bjb+

diff --git a/app/assets/ico/logomark.svg b/app/assets/ico/logomark.svg
index b7679d482..140c1b494 100644
--- a/app/assets/ico/logomark.svg
+++ b/app/assets/ico/logomark.svg
@@ -1,35 +1,12 @@
-<svg width="38" height="47" viewBox="0 0 38 47" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g filter="url(#filter0_dd_1083_50505)">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M15.0154 11.0576H14.4116V14.1824H15.0154V11.0576Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.6118 11.0576H17.008V14.1824H17.6118V11.0576Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M21.1593 5.09492L20.5404 4.02313L10.215 9.98588L10.834 11.0577L21.1593 5.09492Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M21.0989 5.09492L21.7178 4.02313L32.0432 9.98588L31.4243 11.0577L21.0989 5.09492Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M33.8698 11.0727V9.8349H5.5807V11.0727H33.8698Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M22.6688 28.5534V10.2123H23.9067V29.444C23.5746 29.0666 23.1519 28.7949 22.6688 28.5534Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M20.5555 28.2364V2.36261H21.7933V28.3873C21.4461 28.2213 20.6008 28.2364 20.5555 28.2364Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M8.82625 30.8177C7.31669 29.7006 6.32039 27.9193 6.32039 25.8965C6.32039 24.8247 6.6072 23.7681 7.13555 22.8472H17.7024C18.2459 23.7681 18.5176 24.8247 18.5176 25.8965C18.5176 26.8325 18.3968 27.708 18.0194 28.493C17.2194 27.7231 16.0419 27.391 14.8494 27.391C12.736 27.391 10.9245 28.7043 10.4566 30.6667C10.2905 30.6516 10.1848 30.6365 10.0188 30.6365C9.61122 30.6516 9.21873 30.712 8.82625 30.8177Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M14.0191 15.5712H10.8188V18.7865H14.0191V15.5712Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M10.4113 15.5712H7.21101V18.7865H10.4113V15.5712Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M10.4113 19.1489H7.21101V22.3642H10.4113V19.1489Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M14.0191 19.1489H10.8188V22.3642H14.0191V19.1489Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.6118 19.1489H14.4116V22.3642H17.6118V19.1489Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.6118 13.8503H14.4116V17.0657H17.6118V13.8503Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M10.9849 31.3007C11.4227 29.444 13.0983 28.0552 15.0909 28.0552C16.374 28.0552 17.5213 28.6288 18.3062 29.5345C18.9855 29.0666 19.8007 28.7949 20.6913 28.7949C23.016 28.7949 24.903 30.6818 24.903 33.0065C24.903 33.4896 24.8275 33.9424 24.6766 34.3802C25.1898 35.0746 25.5068 35.9501 25.5068 36.8861C25.5068 39.2108 23.6199 41.0977 21.2952 41.0977C20.2687 41.0977 19.3327 40.7354 18.6081 40.1316C17.8383 41.2034 16.5853 41.9129 15.1664 41.9129C13.536 41.9129 12.1171 40.977 11.4076 39.6184C11.1208 39.6787 10.8339 39.7089 10.532 39.7089C8.20731 39.7089 6.30527 37.822 6.30527 35.4973C6.30527 33.1726 8.19222 31.2856 10.532 31.2856C10.683 31.2705 10.8339 31.2705 10.9849 31.3007Z" fill="#13BEF9"/>
+<svg width="38" height="47" viewBox="0 0 84 104" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_282_116279)">
+<rect width="84" height="104" rx="1" fill="#2E2F33"/>
+<path d="M54.2295 74.5278H73.7517V94H54.2295V74.5278Z" fill="#F7F6F3"/>
+<path d="M10 11H40.4488C61.4576 11 73.8513 17.5661 73.8513 38.9807V39.7125C73.8513 61.1936 61.4842 67.6931 40.4754 67.6931H33.8295V93.7845H10V11ZM39.0517 49.3986C45.5579 49.3986 48.984 46.9837 48.984 39.7657V38.9341C48.984 31.7493 45.5579 29.2879 39.0517 29.2879H33.8361V49.3919H39.0517V49.3986Z" fill="#F7F6F3"/>
 </g>
 <defs>
-<filter id="filter0_dd_1083_50505" x="0" y="0" width="38" height="47" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
-<feFlood flood-opacity="0" result="BackgroundImageFix"/>
-<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
-<feOffset dy="1"/>
-<feGaussianBlur stdDeviation="1"/>
-<feColorMatrix type="matrix" values="0 0 0 0 0.0627451 0 0 0 0 0.0941176 0 0 0 0 0.156863 0 0 0 0.06 0"/>
-<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_1083_50505"/>
-<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
-<feOffset dy="1"/>
-<feGaussianBlur stdDeviation="1.5"/>
-<feColorMatrix type="matrix" values="0 0 0 0 0.0627451 0 0 0 0 0.0941176 0 0 0 0 0.156863 0 0 0 0.1 0"/>
-<feBlend mode="normal" in2="effect1_dropShadow_1083_50505" result="effect2_dropShadow_1083_50505"/>
-<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_1083_50505" result="shape"/>
-</filter>
+<clipPath id="clip0_282_116279">
+<rect width="84" height="104" fill="white"/>
+</clipPath>
 </defs>
 </svg>
diff --git a/app/assets/ico/mstile-150x150.png b/app/assets/ico/mstile-150x150.png
index 5e7eb6873cdef750103527c543ff88b06cdbe846..f48374538eec40524b252c9c57d741c46ad25334 100644
GIT binary patch
literal 1535
zcmah}Yd8}M7@lf1h8>E^lgpN(hQh+Zrpa}hr!CW@uu_B*F|wqg9l4}jT1w%#jAYo{
zFLT>Eaw$6}x6^Vtxs+8SF$*(i{W^a-r{{U!?|t6y`MzJ@^S#L@+?`dFw3Gk<fQqY&
z175E8zY(-mUTqbwOv*(u%*87L003|QMg>65<6ZKmLImE~9#Gl8M<_R20?=4A0KmQr
zmXd$~0Pvox1KJ~6K{SRwzK5`@V<9x{`B=;w^Du`_czn4UqziFBHPKLqsSn(K9#XeW
zRIs3jKqGf#1wrt~Ztp*8r6j}|hWksDV-TcytBD6k{Il@ZHWQrr*7c1{Y=cU6$wr$b
zDr)>u&JKjNb(?;jAVCisP&dQlwQDkdJ5_90i18LNtEdx`B!!)NMh||7Xu`qaz(Iyj
zmD>w<cR@lbL1&m-L7~K~VqJfA8WxhLmuj=x?fQLI+g=CFP;Zb2GtnLtVp-EQaW9x!
z@;YRuQzX)!?i9`Ix_khYZ{qQetpo>!!!}}3g%{Yrgk0{E)!fuC_2eoY9eFr4RrUT5
zBV)a~KF`CSHWPQ};?;IeZu`UwCw5weXtvbN#L~(<H<q>Xwq-_o#LP^e4Kpew=UkT#
zJRNO~Si|f7#DN;UCvS<7E<SxR+Gt`5Wr7gZ;NDd5A}-B`rjaqX3QueV!OgS?%HSAo
zN_v;Lby4o|&2y{oWXOgA7|D@oWBh@BJro2F*BTkURWqqV+UIxiUGs4)HpzfSPx{?^
zv9iR0i=nwETaGVAMCP&73r`ki<5K0Ct;e~2nnvGss7RBv&&jz$*uV|-gfh28&R0N^
zS?a}>iivruif~*(=`k+G<Lb5(hMQa5oEy%>ws6AB@`r%zx#Hb_j&z^cVJT4a)N8)9
zbfKOo`h;5FXq6QSJ*HNk0M_|o#%qwUJ%RbKlOzSL=@H3XpUr%K<G7!-h34f!7!wuf
zF;6{g;Ec`RMx}9h_gJfBfw24KBe02cWqL50doaFBOt3g|tw`6x9?Hy|ZSH$R0gK~y
zx+<1CQ1jNNXX9^}DMteHSeV+nCgX9$2bu=*Y_PVC_cLF`+BgGdW|Mb-={W`(QY)sF
z9adW<sDZ#vAn^WwQSLuJXM$8AuiRu|qF#CtwYeDH=P=GKS#~lDGflGdt+J4Cp7VLb
z%RV6`Nsmngts;RUr3FEv`_C15EhMsFl7&%bA2Jbo6|%tLqJ-v`IjExtrjs0rK%qeg
zzxs)-uaDoelsJ?A$j!4~|DwM6h}02Gl)Dm#2Grh5CWcMKHKwQ}d}xL$W#H}6yF}Bi
z5ncri>x*TFaW?T1D|OF=r2)U$F?$+a590j?2#$tOuj?16d7dNJehDj9C++Lv1u{Tz
zXx<$>j7f{OmZq`P*~|W8Ls#fDIzT08s7LTre(ldarQkW$y-;Siv2j(SE&Cx0wj3tL
zwbg$~V!;?Viub8pXQJ8{9r~o|tEAaYvBJ)j5Nq4qrkx~5`%rV4G}We3S1D45^mA#^
zprGnwbq<zl3N?C8?j1NpKfjyNzt<>$OcRU>q9htG`(Q=}WEBQ~l9CCeb2G+i8tLPc
z)sjygGg-V<N210nV=t|AS@WYb_XBnzaV$*9M;KC4LmBMlmsnqFm@$l*=)a*|T<WPD
zLe%PTiU+4@VI^ny?wTpGwwCTY6!zKrc-6kO5t!*zi~aW#;cs|uig00!fbv2OuAiY1
z*gZYT7+quoyG~o*sN_GEewZ!a9eCo3E~;w1vLA@hiYz-79o6Y*AA-!!d7OT&sJXp8
z5AM4(Px&hGd5bz|*MjC->lQEe$H>2gj_&XPZKnbM59>7XT>u{^b(=jcLN5<V?&-M(
ez^E>|GT@+pcXF_o^qoAf0j`ej4wd$P3I71a)5qli

literal 8697
zcmeHMc{r49+aJ;**|MaFL0MwVV$7Jyk}P9nYseC%F$NQ6#w^BKQe;<zlqDf0QrWZg
z$d(qnC@M=R5<*1s&8Vk(-uHQ*_j``x`~G|G<G7FGzOL(c{?7CIUFUh-bIl!LX^!FF
zykj!}0N}?O8{hx{E&<NXvyR;pneirx-7o8JZO6djSwJd{;!5%)0vUc(B9Q1yas>c<
zUreSr_(-7y3|1>5?YV1_$@*IdP(`QhzdE{LkAK!Etz4!YCW>_)N-^EK$$$q}`*n6o
z@@s=dgx?w5vU^d<LyHvRwT9a8!i@Q<1FEgd6HTvT-#l)uYuXk8RUhrymQ`)!xB4aM
zYS}??%zUT8a8=Nq`(K=sdM-BFisba13o<;BPZ4=q7D4k5lBI~`_mnzc&N}((L21vT
z&x*>Hy0S)x?M`aTmseR=a}$@}Tu?m_Ta}x7l<(nJ6<M%=!c_cT#jPh}542SEXuVdD
z2fmK7`cj-XZDupHQ1sDz?huX^5G1`g@c3A1+)QQ0ftB&uFX<-)XL9$B&3cc4b!1R4
zdiwlUt8FpmJx41Ya)diRmEKq=(88pa^ZK1o^Qc1KPaOVQrBEomZ%TG#hedx?tSL5o
z#6&o8x9$7waZ*Wk@w;*HIP|VZx{}%M*AfUohXyB_m12O&Gn`H~a+b7Y7p1k3);bxx
zg`EE&1$)s{YIE)DudzLXiuZbC!CRX!`F6H6p}SjJQ}5HodCxD$W-ak7uFTKJjcFv*
zE}ikaT`RWW5qV^U-yt^Z%PutCnHbo8i4k-;Sjc<ok@K#EQ@y)vNm~O<j-1gH_*it&
zJ=?KEVLi?RXOp6I&WL98F@SECJl1dBIYH2jGU)23DQaBUR<TD&a`7E8IP(x4RPxLw
zU?=lgH%+CW^qD{Xql5NBhX<v4q20|%J`OhSo)stDDCKc2MYaju_n!U))iZQ0DrK83
z*xb$|H;wh2S@v?FmtMFo&>S^i+}XOxEj<TY^g!fA@kHB=$MwPSVmF`V_uVE<aF<-B
zRLqz5O_k5yip$6P=FDI2DReV?Rg{!&`Z;1n-ox?5^0Md<1E=lgqADgk{8AloC1Ffe
zKza9ii?lJ-7K1}w^?PnAVj9$qHbi0bY;|Z0n9-Vt4oV~75m2?8n(z46*eB~PUJAk%
zyk6BLXfR7q(6fsAN5iDME*74=*I`F0bbrU(#QT-8<-Y&WYNx@mjSYa#lwGeyTsw|D
z>Tj6q@4knK|M037{5b~t<-_`nM!(@^tcAV9<~?`4Z2_g?DL0&uwgpKq$(@dgB?`*e
zCQ{OM@fMRn-D|w_kbFnfi<`HEmYZ3Uw$b^U9ekj>=u-6LgKwTVG*HED^UO%hQ!S68
zAs&<Jyxm<L_Ja~u2h~`y_$0lGiN1)^jWCL6FRAOeRZ-ITy{uEOB)cCO8_uX6;cL*=
zAL|;deD5D?{YH=<4XVVBt6l|Os&wzWkydeius-Q<)0USzmbcDS7FLGrD)lv@clVYo
zL|#xx>M1}tKYx}!Z|9UIbc-%_^xdA%`-GcH-w#(><nm~ZJdZh7RCGv{GI43P*uFE*
zEKZ@<Jni+t%)FO~(YTKvLWgS3Yu&C#vmoLZ&w5JnwAY9RWYiSh$`9?m8&}+t$JAUN
zw7E#F%}ABK9Z@yihFhFynAxGLVDb{{QCj(=gRH*^oAN+-Lm7D><jv7`bJ(G!hLO1v
z35s%0$*RFafwDvoP+$P4;;{a!?1}f83PC0)dWN#^M+FhNs<L&>?Y6svbe>`dJ)bVe
zi=XqEf7ZXkXYXMS+}d3cv$Qu%xFTz+<nhyY5WMU)VzkY~yJhZ&wb}FipoygM6fyTp
zeTMFEF}vizEe~tbS8(wnDBSKBb%@5a%c=|KYHrIEdc1QjWA0%oTJnaAps%EwNDV9K
zZ;me(S*opT)_(32)6-q|*mfYkJvbmo)#olY)z0(6L2r%O)Kq1o@sw^uIMBmxx!*iB
zEAxP{xT06s86Lw@qX_1nYmck)w3)CgL1x+O6We*hFgko;eECORPh$?ZUb`kXM!!Bc
zY~uq_mM$GgVbm)gQ8Lr@P~I->pO|v(ZiQHt60@ZbCU(NS+8dmAY3V&HxqL6C*uWq}
z#dPC)xF{^ts@y#VsWmWu=B{mecLTjU3LxK-W?*mQ6LJ2z9rx27D>Tb`eCR{MHi%u$
z`y&|fo<*s!W&ZI#`_pprl+Zn8JMEi=J=|2sZ(EMn`}!Za8<wW2_aSt7@^&-=h`?Lq
z_9~=@S1Bqc@JktNcuK-Gt3FBUTl6EJE|^m*=rVD;*WK6QdX9EXT$iYq&|bY6-uPfZ
zY8vp)S`gg1-`L{FDUWc!lHBW&$^DW%b=xF(PDKQ-10BD9YLe%-Tl*i;_e5jVGEZcw
z23Mt#*Q;?iPU8SlWqi_PTcI;imXfNLs&c|Ke?4w+!op77m#--n4mmPnRDIZ_q)JXf
zr@z7kf2mHn$MI^zb#%dK#b;sE>^B}3BKObiPdghTzL9iBw=m8rT1BaxA!s{UY@|9k
zi)t^%9HE|Pgedvxr2|5G!tUhk(Kqb98he8OL$V30i%T;v#3C>e02&G_P$Fwh6RKW_
zM3hf6yb~+~xx2TF^549N#MvSrrUTMxSA#!Jwr{eQEsm7cxn4REAr&0)*r2wj1tB(}
z7_s}3=Y=ezohVCKu9GNg?6D2mR=jd@5U(jX9@4z`c;yb1L)5LJ7L12*{F$<hUP%Vj
zbej#=B(n22>GCuAr6cdl@eQZ8X$Ck|K_WF1L$;Im^2AI%wnG&p;n#<#-UQYWetXnn
zutx?CcDfK}|BNT^%0qVn>Aa1Q(AFf&rLme@eD?ze73gKMrj%D@gDoq-FCe8Q*Q;jS
zF_Ff5OS$46D9(*34ZP=hYl#W{IxFsO&sZ#ie0&`2$H#oo!>YA!zRk0!Sn)hx4dCN*
zqi%gUe0O(y)Y~hrmj#qNrL(bCZ3-`WYr}K{W+92btU#_dX@HKFo(h-rxuX)%g0pj!
z55Yp=wmGu^c!M&^bRT!9*xfwpZIzQ%7Ofjfmg}~Abn81E)7lrJkMEA;y{f!Uq%Snx
zWA{FZ^7^jek2+!Mm0?db{5F}j+%&%JKn>1$L6O||<SyfVKevm+nI#z&hA)q+Xg<%#
z=}3)aX!x_tvBvWNV6NZul`X~d555NJ^O4_(9D6muounf_xpCWxpd*Xr(-`ArLtyCZ
z{n9I8?P<6|(TkSZy}r>6KB)bkv9s!k7=*A|%=UtMr7rDvP8D*o6^d<_#{9N~<mrp|
ziqK-1Im$=8Rrxd(P63khJj-%Eo40LdkWj*&@28t9Wyh#3H=$?qq3w4@wED%m?mFHN
znK_A@^A$VNFO{0vLBewhhpc~D!B@|`DztGn{G55QP>U6||Fl3uj_kSFVcb2tfwY=v
ztLw-Mj_*21vc;I{2afz>Js&@9w3@wlyKRU4!r3Y`LD1pDT=7swIS(u+QTS5sq~P{V
zjS}c{%r2p@3H}J+F{K+VS0`|d2<7TSb<OL;a(MGu;71$04rTDWbySx`Iu}b9Z%KJO
zW<We>bxs*Bn6nqudbTJe^E5g6v6ZOMRMxIunH;~Y%&lggU^#skwZq+SJ}DnL44=9U
zbT7}$mH1@(R{3b0c~h^h04pZIKdcWL07q_e%vL{@h)|1zpX=LY6sG2uWaz3#13a3y
z(EEII#w|YP3rb^f``f8<5eb(&z4#qFQw0FQCe`Em(sog4%_>33N;bC+P>>;`+Cge{
z{mBC2V}46^>ulRhHHO|QtaBP)FKxOljr5##i^Sio8}A)9SF%fOurw@7RM8&7@Oc}w
z{v*s-cvVe4#BH!jidw^0JapyC!9Y3HxtY`*PE8vQj()~i5s5O^P9~#`cB}pGagUVS
zDALS5b2S@-s2v#3hUAbU#_B4>cmJ!%I-|a<(<V;5#T!^hw+Ekn;{_q}N-{}jt3H%<
zSZj+wlxIS+mC=ES-SE_&0A_}A&d1hO@*u%ick!mY$miFRZ}qC?wQ~wgkP!j(g9O+L
z^t8gIkVti$5Pwtx^|m9#rF}9eR-uUCVQ%rck?GwHce*&|bx|sHxN$gPgll$7_Vs|b
zZ{xaHC&nfj?J2maHzNIKNppJ1BgY23XN&oo+YT*VIvr^HK5_3w?scc`elQ(1G_YT$
z69(dkG}E6CwC>fZO(CY?uy+TzfUm|Enl=mQRrYR=1*~on60NVZy0YU%=;8gCfww_c
zJNoY&YbIpP!j}M%+Dr6M6IKkM)4DVJicfUpO4d%1o)e1&pJ(NB@X|FqhK%<L3&R><
z9ao2^L6u}3(kZtSNhP|MKkXMZA2XW5d7mFtxa7q;RV<`=;uDomV4d(4?>b4p)}xSR
z-lw_TuCg&yx#S@UCHZ>|HVcRG=kU1-zHQwST~Y0R$4pmHkpiVvj**B@0Kto2GHn#&
zO+9)h<N3D;PolNSg|qvCJxS#$I*QJBt{W7)i;$m3Fuhr;1zlPP>+3p~I!-4w@7S6t
zn4lA<aG^SXJ5=x4^(ngn)?MCtq*UPCwGH<hWz8~*KF--3h3+Nf`m1c-`WB4^hNs!M
zZ?W}HFR<JtTBnl#eD&fWX69tfpqt{C@x@kyRnxgLvol#0<+mih@}<xg3o1bdhU_zw
z>z^K$NK^)ab6C<g(Gv)UY`M1}rjrTk_G-093%=4?Ts7VypS|x2?WM&dn{fTMIzoL1
z@MO6|UKZ3`^MYH=+tbJ0OB8w%jx-r;+SfNRcoX2qwXm>_b^7Vd1@>7jl%%h3iPhKt
z{dmUqlNxkh+qiC@RD+XM&K|M#d&4zduA7TTMusQYWNs4MU(l9!x;e+GEn61r?Jera
zCvZa5W~XB+lSvihsTCALA{7m{DbJiV%QTGM*tFuyn(|%{5IVm5n*Gj$`#QbUx5q`i
zdy*&NYlvKe25&bYx^Ab(UkDysymvOPkR_Zx67-?9{iZ8u!=k~Ez3WB9%!Zk+YhKh>
ziUM~+^0#J)#HBFwhA_8O)b4w?AngWHWYrT>6$ON&J|k>iTof~n@r~EaKaL*ZBPAbd
zaY!w}g=$PSJ4rklS9$E1i;C71zr({TCu(hJz>AP89?!Nj?l|$JPPc3Nz#H7dLp<_L
z+>hFT$S(sYrz;&)kkAhb>k0eDqJ{&b0jG{!Im%3(A~fB|0DN^DFrj>YtZ{59Vea?=
zJ{hi{zTX;{2dq8?Ki+w4y7`=0h3se2<_f9l6GpEuaBU!;O4leW8`UwF2^M80mU9UR
zoNCu176w#R-mES=*$Q7?<{CDob%hDvcnAOpMv>U(WjixdG=bu!hIgSj6V-gZsO;PT
z0JL;{sd$11kpXljx{=7*a#NM}<$xp?Z8=*FGl&^gpXg39_NNi8{LQTi{vHIBi=3{`
zW-VVdo4||6zyp1~JjrylueRJ8FPi<#=?2RI*B}fJZ8<wLOQ1f5Mg+pu;A#+%p)bh?
zCa1F*s6}&eMdJ*NzEiMU+H&p;1{Dnkvsf%Ombw~+<_3nMP$)1228O{vYy^nzM`qxC
zL1el-hvFND0g+Ciu@jm^Ap<#_cxMWep)DuJ9tVCW=cK!#FT3-*15SI5p3ZOqW7!Qj
zdp>Lc7zTl8f*>#u3<dtxo;_-2_QRS?|E?liPp~hZ3Wlmdz+PT|u%I&xeSZ4;QwzE^
z`)>;{j!364X#}F750T7}|J5nglS%*8CzDR(bgjkh>Ea4z2esz;R~ro0%<_i~M@Bc2
z7j?~ogZ>riLimBBGHIS`7#9MV=t=Zq2SR5vL;rwhkX(N*&>!Z*8Tq$B*zSJt{{j8G
zUTd+e>54X>5SSdNSOaZ2PP}Lr3W4N;UVDVALy<%XR1>5DcgBO@cnu^-Q^Oerf+8Rq
zC_F;l6$wZDLWL#M8F(^*$f07BtC83|2v@u-9OaAz5nT}o5Zr}L;jBT>03kJ@8c;Zb
zsDVP@f1$9Tk=T`h_xv>~4wVa=3WbMg!clN2h=4-4fZ#9!5`==`At1Q3vkTN2hIEA?
z;A>QzbwKM`VzuR9YLK5jmY#TqD~0BzEoVw1Gkt#!Sd+YnRt!8xG$=wHstMD8z}1mZ
z7zFukc58e#L>ir)<Qz^YL=6U8Gj}1Njo6HMcCwMY@NPsfmF%`Qz*!bFdopZc@toRV
zGq3ft=YrO!5%CNP&6+~-)RyCL138pyB?Z*_UMy%+3SrG~4NP?5)Z6!p+mCkxuQj#6
ze+B+GCM$Oei~PUi`3e2OqDNz}C^QcXnuYUmB7yPOJbwoM!GvS)b#w;J5Bpyx^)EQB
zZ|Q2xwx!Vge(`Tb^#0cRwjp_v)}#Ug*ERt(p72e6I^KuqvbF?l9ls3`-0@^LB73*}
zUTVMhlm0A?5d<Pp6HWl(ks9nuaCL=&PzZ=KI~8Fr>Ij6o3lje=jeoGyDXt6_o<`Jj
zW9I;So!O<ew$4DMwd_;=V=OFpB0EP^pfEH9BKK{1fm&eBhWh*Tv^ZOinHl<50kk+<
z5*o|NJS!%Z>PaHf{wU1viSi$Czu13I%Kv8mE9{%KK85PXE?Ren1&jQb?*9b%jlq;e
zAd=~nzY6_V$TwMjdGD}e{?^BSpRr$$;2-bD?`grQod3t`d%FEUdSFxk<K%DY`;T1z
z$o01r_*>wAvg;qY{+0rN3;a)Z{h!IT`R56nNM`@gW3kWAPqO&lvCrPpmZsL6e`rie
z-mCxNYMj1&i;du7;LNQ6`$l`&AGiTr&Id3CfbjJ@joA%es<AyC0N@kh++2W5sS@nY
zjSQ@r;l>eOAyL(Jp8C6*008b7tbv|2``h^Cr{pY%s8LpAMvuhPgxgAKAU@Ml)v$c~
z`sRta2xVxf!DRI4E0uYv8`mep<i}3*AfRVCU*3OSzd4<&kQUT>63}(4<jP<g9TODu
zz-(@*LHGtk<IxqW_x(Di_54L6xi`ceVrDV;ylCaJOcV6e`g^V)WMnl8oSowi$lUDi
zaCo8*S?JVLu0DXRTA0_{UHv@1n-z!4irIxcGFoAp8MCXKnn4-qbWk)*d9qwV^$*(7
z!B`nI?7Up~q4e;^hGz=MZrgVmPtiuJ)iLE3^m_d^LRw1O-N5{~8f(YQ(b-lIm?m4h
zPEhM>d!55Hb#@fnH|z!w)WRJlBQw-=r+*tx!T9k@OxsO5P5)LG-}E&>wtL1G+QA-S
z8`V79>(tuQ^H%ue%4pEaN1wycJ$`|KYQ1lLFUV*g-WlgSd&Rm*9ytNc^IeR=<P068
zX!(o9)#hVn3!3Uog6x_PywJT@8`3nnoEv4M3yQxRen9Z$XM}0dNZ&hKiSzI7_n3IB
zKpW3j$n23gqy447YLq}oF!rkni@J@0o@Ls-cxN~!>L3-m?EetlxvHmC@wBusQbt;Z
zB26y5&nIZi$}4?rou=>kxuuyqh8{Z~dv>uACh22w*f>B`&^)jh0ncvDKub!83dg+&
zKU*|-P-5nxj7NA2<5f7u>kWN-y6+rfNDf`AB^mcD9OEVrz8ZRI_)g{hlKy=LlE=wI
zO4FU@*H&B{NEq8bJ4KnH(;Fr~`a14T3~O4cdk0^5-i&6>`S-og&e%EJ%Q#HYaK#!w
tDjKRx3=J(a9cvQIo%xwC|N7+og-dNKBZ@T8AH^BM8k!s2+J7wMe*kijPbdHY

diff --git a/app/assets/ico/safari-pinned-tab.svg b/app/assets/ico/safari-pinned-tab.svg
index 79ce7b6fa..d0509a572 100644
--- a/app/assets/ico/safari-pinned-tab.svg
+++ b/app/assets/ico/safari-pinned-tab.svg
@@ -1 +1,6 @@
-<svg version="1" xmlns="http://www.w3.org/2000/svg" width="420" height="420" viewBox="0 0 315.000000 315.000000"><path d="M163 13.3v6.4l-38.3 22.1-38.2 22.1h-34c-2.8.1-3 .3-3.2 4.5-.2 3.4.1 4.5 1.5 4.8.9.2 16 .3 33.5.2 17.4 0 31.7.2 31.8.5.1.3.2 10.3.4 22.1.1 11.8.3 21.8.4 22.2 0 .5 5.5.8 12 .8h11.9l-.1-22.8-.1-22.7 11.2-.1H163V204l3.5.1c1.9.1 4.1.2 4.7.3 1 .1 1.3-13.7 1.3-65.3V73.7l3.3-.3 3.2-.2.1 66.6v66.7l4.8 3.1 4.7 3.2v-69c-.1-38 .1-69.3.4-69.7.3-.4 17.2-.7 37.5-.7h37l.3-4.6.3-4.6-8.3-.3-8.3-.4-37-21.4c-20.3-11.8-37.2-21.6-37.5-21.8-.3-.3-.5-2.8-.6-5.6-.1-2.9-.2-5.8-.3-6.5-.1-.7-1.7-1.2-4.6-1.2H163v6.3zm0 34.1v16.5h-28.2c-28 0-28.3 0-25.8-1.9 1.4-1 4.3-2.8 6.5-4 2.2-1.1 13.5-7.6 25-14.4 11.6-6.9 21.3-12.5 21.8-12.5.4-.1.7 7.3.7 16.3zm28.6-5.4c7.5 4.4 13.7 8 13.9 8 .1 0 4.5 2.5 9.6 5.7 5.2 3.1 10.5 6.2 11.9 6.9 2.1 1.1-2 1.3-26 1.1l-28.5-.2V47.3l-.1-16.1 2.8 1.4c1.5.8 8.9 5 16.4 9.4zm-55.4 40.5c0 4.9-.1 9.7-.1 10.5-.1 1.3-1.5 1.6-7.3 1.5l-7.3-.1-.5-10.5-.5-10.6 7.8.1 7.9.1v9zm-12.3 23.9c.1 6.6-.2 8.5-1.4 9-.8.3-1.5.2-1.6-.2-.4-3.4-.5-15-.1-16 .2-.6 1-1.2 1.7-1.2.9 0 1.3 2.3 1.4 8.4zm6.7.4c0 4.5-.3 8.2-.8 8.2-.4 0-1.1.1-1.5.2-.5.2-.8-3.7-.9-8.5 0-7.5.2-8.7 1.5-8.5 1.3.3 1.6 1.9 1.7 8.6zm6.9 0c.1 7.2-.1 8.2-1.6 8.2-1.6 0-1.8-1-1.7-8.5.1-7.3.3-8.5 1.7-8.3 1.3.3 1.6 1.8 1.6 8.6z"/><path d="M61.9 108c0 .3-.1 5.7-.2 12l-.1 11.5 12.2.3 12.2.3v-24.6H74c-6.6 0-12 .2-12.1.5zm7.1 11.4c0 8-1 11.1-2.6 8.5-.5-.9-.8-8.6-.5-15.2.1-.9.8-1.7 1.6-1.7 1.2 0 1.5 1.6 1.5 8.4zm7-.1c0 8.6-.3 9.9-2.3 9.1-.8-.3-1.1-3-1-7.7.2-10 .1-9.7 1.8-9.7 1.2 0 1.5 1.6 1.5 8.3zm6.8-.3c.3 8.4-.2 10.7-2.1 9.2-.9-.7-1.2-3.6-1.1-8.9.2-9.2.1-8.6 1.7-8.1.8.3 1.3 3 1.5 7.8zM89.4 107.9c-.2.2-.4 5.8-.4 12.3V132h24.5l-.1-11.3c-.1-6.1-.2-11.7-.3-12.2-.1-1-22.7-1.5-23.7-.6zm7.2 11.2c.1 8.6-.3 10-2.2 9.2-1-.4-1.4-2.5-1.4-8.2 0-4.3.3-8.1.7-8.5 1.8-1.8 2.8.7 2.9 7.5zm6.5-7.4c.4 3.9.3 15.7-.2 16.5-1.7 2.7-2.9-.9-2.9-8.8 0-6.8.3-8.4 1.5-8.4.8 0 1.5.3 1.6.7zm7 .5c.5 5.5.3 13.6-.4 15.1-1.6 3.6-2.7.4-2.7-7.9 0-6.8.3-8.4 1.5-8.4.8 0 1.5.6 1.6 1.2zM94.3 134.8l-5.3.3v12c0 8.8.3 11.9 1.3 12 1.7.1 15.5.1 19.7 0l3.5-.1-.1-10.8c-.1-5.9-.2-11.4-.3-12.2-.1-1.5-6.2-1.9-18.8-1.2zm2.2 12.3c0 6.8-.3 8.4-1.5 8.4s-1.6-1.6-1.8-7.3c-.4-8.1.1-10.6 2.1-9.9.8.2 1.2 2.9 1.2 8.8zm6.6-7.4c.5 5.9.3 14.6-.2 15.5-.4.6-1.2.7-1.8.4-1.2-.8-1.6-15.8-.4-16.9 1.2-1.2 2.3-.7 2.4 1zm7-1c0 .5.1 4.4.2 8.8 0 6.3-.2 8-1.4 8-1.1 0-1.5-1.9-1.7-8.8-.2-7.3 0-8.7 1.3-8.7.8 0 1.5.3 1.6.7zM120 134.8l-3.5.3-.1 11.9c0 7.6.4 12 1.1 12.1 4.6.3 21.5 0 22.3-.5.5-.3 1-5.7 1-12.1l.1-11.5-5.7-.1c-3.1 0-7-.1-8.7-.2-1.6-.1-4.6-.1-6.5.1zm3.4 4.8c1 2.7.7 15.2-.5 15.9-.6.4-1.3.4-1.6.1-.7-.7-1.2-15.7-.6-16.9.7-1.2 2.1-.8 2.7.9zm7.3 6c.2 7.9-.4 10.7-2 10.1-.8-.2-1.2-3.2-1.3-8.3-.1-8.5.1-9.7 1.9-9.1.7.2 1.3 3.1 1.4 7.3zm6.9 0c.2 8.5-.3 10.5-2.2 9.7-1.1-.4-1.4-2.2-1.3-8.2.2-8.3.5-9.4 2.2-8.8.8.2 1.2 3 1.3 7.3zM61.9 136.7c-.4 9-.3 21.6.3 21.9.7.4 13.9.7 21.1.5l2.7-.1v-24H74c-10.7 0-12 .2-12.1 1.7zM69 147c0 5-.4 9-.9 9-1.6 0-2.2-1.7-2.2-7.2-.2-9.6 0-10.8 1.6-10.8 1.2 0 1.5 1.7 1.5 9zm6.8-.5c.3 7.2-.7 10.9-2.4 9.2-.4-.4-.7-3.5-.7-6.9.1-10.2.2-11 1.6-10.6.8.3 1.3 3.1 1.5 8.3zm7 0c.2 4.7-.1 8.2-.8 8.9-1.8 1.8-2.6-.8-2.4-8.6.2-9.3.2-9 1.7-8.6.8.3 1.3 3.1 1.5 8.3zM59.4 166.7c-3.1 7.2-4.3 13.6-4 21.2.5 12.5 4.9 22.4 13.7 31.1 4.1 4.1 5.4 4.8 7.2 4.1 1.2-.4 3.9-.7 5.9-.6 3.6.1 3.8-.1 6.8-6.2 8.2-16.7 29.1-23.3 47.6-15.2 2.4 1.1 4.6 2.4 4.9 2.9 2.5 4.1 5.4-3.3 5.9-15.3.4-8-.6-14-3.5-20.7l-2.1-5H61l-1.6 3.7z"/><path d="M118.5 202.8c-6 .9-11 2.8-15.1 5.7-5.2 3.7-11 11.3-11.9 15.6-.6 2.4-1.2 2.9-3.8 3-9.6.2-17.3 3.5-23.7 10-6 6.2-8.4 12.1-8.6 20.9-.3 10.2 2.1 16.5 9.1 23.5 6.6 6.6 12.5 9 22 9 6.7 0 7.1.1 8.9 3 2.6 4.2 7.3 8.3 13.1 11.3 4.2 2.2 6.3 2.6 13 2.6 9.5 0 16.9-2.9 22.8-8.9l3.7-3.8 6.1 3.3c13 6.9 29.4 3.7 38.8-7.6 5.3-6.5 7.2-11.7 7.3-20.4.2-7-.2-8.6-2.8-13.7-2.6-5-2.9-6.4-2.1-9.3 2.3-8.9-1.7-22.2-8.9-29.4-9.8-9.8-22.8-11.7-38.1-5.5-3 1.2-3.4 1.1-5.8-1.4-5.1-5-17.1-9-24-7.9z"/></svg>
\ No newline at end of file
+<svg viewBox="0 0 104 104" xmlns="http://www.w3.org/2000/svg">
+  <g transform="translate(10, 0)">
+    <path d="M54.2295 74.5278H73.7517V94H54.2295V74.5278Z" fill="#000000"/>
+    <path d="M10 11H40.4488C61.4576 11 73.8513 17.5661 73.8513 38.9807V39.7125C73.8513 61.1936 61.4842 67.6931 40.4754 67.6931H33.8295V93.7845H10V11ZM39.0517 49.3986C45.5579 49.3986 48.984 46.9837 48.984 39.7657V38.9341C48.984 31.7493 45.5579 29.2879 39.0517 29.2879H33.8361V49.3919H39.0517V49.3986Z" fill="#000000"/>
+  </g>
+</svg>
\ No newline at end of file
diff --git a/app/assets/images/logo.png b/app/assets/images/logo.png
deleted file mode 100644
index 2e46594f291f5e2e3541c3c8fdd240afb7b70217..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 5074
zcmV;@6D{nCP)<h;3K|Lk000e1NJLTq00A}t003?X1^@s6trkCr000x2Nkl<ZcmeFe
zAprnD2mrB9{Qcb_$bj4S000000000000000007`x^;^TvJ;27cg;5;ewcY61wr$(C
zZQC}&XPeiyZQHfobN|IjcCGQOmHZlZJS#I_zCE?r2c|tDBEfP)L$cUJM8$T$Rcw31
zh)A$gu{~%N+g>mtBEed0vA7j0;bsI*fDsW1wqiRCW6)lz@FjMG5fKUWV%r-(pcZaw
z(2#o6!A%aHLpqFz1R51vHeN+O+?3#TpfOdr9{<430$htI7!gsi`CANb!BW`y3kSpC
z9yFvDyTag7%z~X^I3C7dL`21QDn`T36kO2FJ+@>#iVbj6jW4YN6cH7hPwa*7Tg}nd
z-~lA|VnKHYe2#Ls$-%Rlzlo^Wye%8AAP;Uz@gcVLz{!In(658}TO^F9h=__U1~+2~
z?EH;GJba`o0+(SH><q<mFd`DVd^txO1v^u5ftSyUrr@#G^Ed6kiG(&^%+bC>4cx4?
z=4ie;1izy_f7AY(NNDrs9PQ;+bF|HPtq(<Vr&Vk_!Sup@_!VVvGhh2}BH>$X?{?Ei
zSPVP$7=hRE7T)cJ;nrn+jdy$Db-a(oXq^#ww;e`ALbce!H%3H4x7cz#s20V@v6P}3
zIUOj4n|$kX++$WbUSdQfbc-#^gO=b{WLciWL}Yc~X=}!IG_tI(lmn3EB}PQLLnjXw
z;xZV^!x+=eU(nqX1`DiRI3ptB?_#?G#_|Zpc5~fh?^eb34~%#ge<Ch-oTvsTjdY@4
z;^YQQpn7bRlk~`XXZwfOI+-xyT~97|(w^n<zJIBc3KK~Da-}M^pb>?gup4$qCQN{e
z$MJXsmm&?uYa|(G<58T6B<K?xE`_l?q+$y=>6n1!%^rpcP?uVJlQnq9YrBaOfk#n+
zhLqv1a4)u~t?Zq1kmX7rhHGbynOS=;*0%TBwr$&3UE8*8+qP}ryEX@3|M8@%>#a;q
zaFTP*x7}6mA}2{B-B07!z<6+|(aM(2pb*t74zM|4Jo(4Sb7vKCSf3$`w&lEIDt<XN
z)ivL&%WkwHgRKWko0dX)Ps>=H(8htSsKEB8m3dDu;;`yg@;@52O~o&##zyZN)sWWJ
zOmJ_wB7?0r5c8bYvh5t$9N1!Lw9!XK(>T#=|5W{R+M4NB(^!_c;fmfB?GXUBnGS3Y
zYzfqb0yZdpznm~AZ6rHYmo(UhuqfS6<A|)^ZwIi2(IN*n2R0|CVguVbwROAOSV2&i
zJJo1TNr26%wSeuk|L6ERIk24(0InN#Q%P|rbEKZ1o0B2f8d_=)V8Lz5hLsh}-D#Td
zX$0a|3-PN#T$8-Sv0fdg>^H+N@Aoq6nYKPHwuYjpY0*I9S<W1^vJl@%?+Ls&LE4lN
zrsjmv`yNg5`R(zyvE@%W-=mR)DT*4%w+YH;jS_}EIK6|VX{~9{u++eIj5p}00#vOt
z0^2&AG{3&l7|BS@0PI+!{fwp>oo#f2(VkrIkdH};yrTnM_`QryG&+mF_vU&WzgiMM
zFOF@k3|Yb9H=7zAM!YJlajFe?ZX3Rf=kB!LxgPfo3{wcmu$_$7W?=smTK*F`Cw2&3
z-^OBnTgzyD{OT6qM>D>ucW>{&$)((jI$B_CL!5SEuGX34_Y(={7^C*UA;~uRt=Wim
zTk`hl<g-JKHaF^S)G9{BHo{7SAu@rvJw}$jNdNH(Tl4E%`JhwO3DuObq3nm~rS+-g
zk9CbYlP}AP9&8krN<NyZGOKxP)@~xpv8FXZ?MT??jAjS4EMEl*UE|bz6xwdY>$QOH
z`CQh}9tDgj_`w2*%d9wV$g_Qc^yiilXTFs&58!^D#iWl}pKJDeZ_5#mX81XoV-*+r
zMUwe)_me+b8<ml<XIg$87T`}$($Ks2+<<!r5f1O(9gNC>-Q7li1?1m3oSm^pj7?MP
zk<T}zlK8a_KdPwwuLVA#S5c5Jm!k*pvkmZ&Je_F5^?LZ>rQx1op0mo>Zbna86{otz
zMjyeN0aWZo4YsW#_>(5smg?j}GSO3YWVGe{T_eA}OAQ+(;aiXn@8|GK-G|ihEkgJ)
zUY^|)KfjUd)nu-Y)=tG$mUP3=D$!j5VW{MN-}}60IZ{8Ca3)1>U_00P?Z_YtofxGq
z47hi&ZJ7t=r{I^wm4YkZopie*0(2Sx-<zmZ^<B$Rwfr{2=seOQOv~j>>)8jfSl&lm
zG;W6{0NeT!&b>lb=4087r#eCz`-!l&OdD+H27v4K9L9s~iUe#+tT27d!7{&F*OpVe
z{RV(uCSE^ztq5sV9U1Z*hvqc9=ZRmljD9wH55L~!|Fh)Gi1~CKTSNd`H7$|Z-v0^n
zKh%nkctZdlaM8z70sKX{-nVpmKv(5rqbh;cbm00H@%)Hz%(XK+{%lPAJ$FP9*rYXh
zK@ixic-46M2)7iN{6H9AqQ(3**OyCvo)Ti*t&9Two(&hi<-b&{uh4S;l8Q!W4m<_y
zbB(>dVLkJn97evF^#6{yZJia^XgF*yWz5Tme^F__Ot`)yt(Qo8T}5jz9k9_txx-I1
zF^>=UeQ*(iZKgDd=TY+=%6Lm9wM{t%Xdg2CT!GUeLETb*J5mb!JTl*b#H#|oD(J%P
zPo|$IANd&W3j;Q7;(tlka13K_I<8fT|EtIeU*~bX(o(ZJ;C+dNcP1@|ZRt`s!>=}k
zW1`U)QlNh)yy<{V9BKSGUDNJ_u@T|y%Jo;}**RW*4A1}@o>YoI)2dvZ!rB;hX3Xja
zqyOx@g5O=jg3Sg9K)am^d}ZQRKMSzo&!%=anD6`<W0xbS2t7l}%0TcTqgm2|yOv5l
z6|n7M^t_*d!P$BpJx49^6dyqK7zHP5u<7cDskt_pB%G7%j|J$~4R~f_0n{8?Jgq_)
z0;Y&x3ye040yg4&SA+?bt)fo%pmlPvw7!003?|Uh1xRmHt9eFXTL|m}TiqCPo|VEj
zF-ID{Y(tH*FfvzKG9UC4f!nPBAS~Ew7z)@n$gecPMg{$gr1h-;ELSUUA1XN89SbZo
zpU3ug!0!{K7Os`T+P+X=155`*ZAnTi<8`f3P^H~P=b2+7`gNof-VcCY7_ik)1D2;b
zK^HjvVLdaA+B%BG@O<(}CSW6Nu8%OqVyGB<UiN#IYln+JFGjH-(qs5SdInpB1sh%6
zHTf-bu<<=_7O-C%2xk!$_%u23u6MB+4^AqE3Aze4-g|b;c{sOPHFynE1@yi>B!k~h
ztrOL+o29j|Z%D9Bv(hb1u$?VwdO}Q#@x#P33$RU(u`K8bX^~deaSY{;wK&ppK-Bc0
zYdTLV&nCIRM*2<WdZEBJQohT(F^}LpM#eWU52%P7*ev%=g54kn*xf`5Wtjl!N$KwP
zPjCqJbn9Ku0?1&nVZBTlY~?bR^mWustgWK7!ImKZOcaC8N`4E)1u|2U>|P>63d3@N
zjXc@Cz+gK|D!OfA`d7i2oacTH%3BU>I)0R&{lNZ_cyyMg^b-mFdPLH!YY4C%oB`Oz
zO09Zs!gxNK5!fci2-_Y48o$=?bu#oYk~EE@ZKMTzTnMmzK&4tJur(A*@b?jiLR3@4
zAhNato5;tMyjH>wJxOY&A<`VLku*r+*Rk?}$A<vhRvCb8SMhW6gz-EgBe3lkBW&Bt
zxYtm<N6NthtipH3)MH{qxG@CSp5j`ez}7~r>h~t}b3I+fly9(|6#%ZAC2`fA9I(5`
zyaIu3v3K%S0_`nvSy!xEw%aYCUpvbCHVXl^jWPh+(E{Aj3FEnCMqt||M%cC!unpJN
z3SFnP+!G<d_E3Srwu)G|FHY#^AeldUZ@$6S(P#}nu}r9M!0)Z-viSWrx<K>TmgE6!
z`$hoU?g{<cB}B_e!M1S$z&0lNW`>!7ZRZrg)=0osL--ctNiT!|+rvc$wo8f`Y-L!w
zE>fY(j4loM{R+r^k&5dh3(^%$z60p#c1D-Q;lpHJS5iyWiPG&IT_j-BmSoboQ^%Dm
z*w72o6}^`7kw}!GLrVZ`t!3)ZLu$#4sEx(X!}1BXb!yXf&tv7w+IVn5!mVOn67zps
znbi5W#IZpFzn+#kJ)MgLY$F61mnKNlhFE+{8EjX`q*N-q6jX#@Bd@+Lmdw@(wn;iy
zD)b5Y1l!#ygN;m*IoN*GZE+%KB;$iYQ!5^jiNGUc`ZY|9FOLX33JJERMxRKUc8D3z
zainP}gKc9O@V|({zCwTvO_bq@-D6gE?To&W=~)%|0$V#~GN<jPWC=DI185fG;Mn_Q
z5%rdSRx~M0_w#HdzocSWCWW$~U_+-$w|i=oS>~vfv`R}AY%OKgz;vTg5es&GTL0}W
zHAx9<^>l;Eq+lbhXUm2YonlPbK2-pDPCi#2tXZ3ld$vGeTf%&=@(7?gMr!3}{R%R`
zd|5uu2@(7%SHD<1-@M4c)>*bGn#&TPCK2{4yO?K78f<7^+b_V=Jq$d6%qa5r3+Oq%
zZN9<Qgk?$_(wnGA05;W?QrX>P)H)>Ko6=C2D?>di=M!uPWCXTviBM+71LRGloM_dI
z_3GHpxt&g3p*6c&fS+p_{U;!u62h<c)L4t9_Fs?tiUw?GAKMy6oOdHLH>|@T)tqHb
z*U5R6B@H&>^|Vw-F9WP{Kfuvltz;?Hmr@zN%y0PwTNyoy?+NF0rgSyQ6WCVu%BsMP
z9aMZL5jP_L?J1Mn7pUPRG1w@`S-8Kcxw8V>EOrp6ku73&V;V?%t2?kNnOaXCpB-|d
z=fOS`lwV?fX)p1s2bRX?br)B$2o)RH%2>$0Kp=iAErPC83~d>M8^U7o&jl7g0Q1rW
z8{#{DBC9g~pi&!28nh)%I?*$_NLndXbZh&iFviw_@Tl7`A=vc(zod+PN_iM4Y0%AR
z6DB4v5d+K>fIqKbJ2eZcQNy>+5Nsc?1I151XP*87cpju1@SU_IstE5<5yml&r5394
zF<`uaUoY_g8u4oe(>=<H6>O*}UCP-Khb7GKdJ6OZ>pE@=%-*I&I<thqrWWIOh?}mq
zc^e2l!N!~OH9Z)c8l95yU<7$u-3fUBo2J>1TE@s@uaY002H?8;${aSDEKg&j$wRWB
z8Z~wE48is(*Cx<9nnPv{a#hr*?=uDvr(k@<JE}tXHIK}_gS;ngu>BPkY|?T&l%a(M
zT6olvnP+-?#^L|GC|iR^0Nb)Wf~_hS*wD)C>M~slZcutmCp~)djwoA$KN9kp&Q#zv
z(&gJYpI}2{DPyy8l`-<m0$_Md6pM27wOZLY_P5FoY*wOGGK2ngT4Hl)2`nO!=WzX9
zy5=3D`Yjo15^(&FcQ5eq>jNhBc8NFz<!?)C#|U35;QKc^K4v`ouv_fs6x6w1JW1O*
zy#Hy|n>LgJ_a8bS$2iVUR#+zm+}odnRJb?RI@-;w=YNlI`h0ziDUUJ;J_~p+Li4%y
z2ls3n@vxvrtZ>~F;kn%b$P8N0m*%i$uOay>sKQlM@GW1)ui3=g%lC81Ctt8VQUA10
zsp>?;BRewiE0}5bqW``wR--#)fbeYfo30)%9k6NQ6TXv}F@6h$^Ej@z%Jad*>+|l5
zSZ{kVAlZPHOPpi<23x9#IT^U0^^Oh+<JplyeKHyLR--GZNXGaSq{fUltwWl3%`qil
zpcU3mK^8!{H_p~dmEQ9}t!dP>B@Fv>?A-M%Y(Ed<%dnVp-g;Q!S~=pg{Q=bKA*{CL
zlD}HT$)n6yJd$|dM1DAh<#e4hJ69BlL~#o!tUWwn@Iluiv-aY8JAgKeg!S7w;#UCJ
zmuugo2sS4trxI1XgIq#7T2v#gb%f6XrfL~S_?Vi@8!KrXum^gDH3<KS1DlhRQ(~|I
zmsdhUtqXHig6`L858bWFuUpaDdw|n}?xt0@0paM$xXd#SY)(#2vB8E$h_y=HJo??;
zS@;^-asT1KCdj=@SGLR^7<XWEa&k)Y@IC?N`^f<3?F<&opQ2%NU~_VEU`wK-bS?^}
z@0J_@oRvG#fz8RuDKXe&*NSV{)pd-uwfC19f^C`6Iu2}3PELuzCc6*}#`1ZbEM(5g
zePGngfz8RuDd`KkW3~JVkQLf(5jN~^EUbOxt%bEuytSzIi8mM4Uh%*7?Ggx!HH@S9
zb1&}h)-&!DEaM4xr{eDJ*3mvV6?b=cs5qR4!|sQ@%$)zsFK#{STlgRm@$ZvV@PWjk
zJMJN+%|#SKl2>e9@dBxBBSKPMhOGhaBgHL8<R!_l%}1&mi^xNgVXKT=NO5n`1|i9?
z<<S8tuP;K9VasD2Qr;<)Mo2PjS<OJ|>x__O*s_{{)VCTT$*^VB9jWgiiXbEzwk+!5
z8B*Rglt)N1Y+0>G%DaJzh&&|u=fN$cx+5rpkYw2MXon|Aamx^r3|k>u;}TNZ3p7GV
zGHivajiq>q6t)r}$*}zj_0S8mumW?i5`S|0Q63@5u>DTkQOM3?AF^&Usv;!)ZicNo
z4k6E;peagVBJSW@JB~j1A0bJ<KWso9>_nDbMq9*3YN8kBVI!7cB-)}BLeigQ*nkok
zjWc+Q&vyg!Q45g_Nro+h(rAG}n2I52i%N*}NiuAbWY{Fhut}0(lVsQ=$*@V1VUr}o
oCP{`(l3|l1!zM|FO_F}6_wZymPGo`c5C8xG07*qoM6N<$f|jAd*Z=?k

diff --git a/app/assets/images/logo_alt.png b/app/assets/images/logo_alt.png
deleted file mode 100644
index a6c6707ca9265d78e8ab3021fd865e83caa137aa..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 11073
zcmeHt^;=X=^zaf3vXrsXA<6=m7FS9d0q+vRrKC}$8$m)!P*4zr-9@^Wl9UvX5=C9Q
zyCfteq??z|_j!MQ-#_4e=b7`IxpU{lb7tn8GxyG0Z7nrg1PcNNgVBNy?n5vb`2~>J
zUn0Bcc{6+R4+bNHX=~`ITs%sSo&W#(|1I$UrUjy=?mfBK7%)#rOBc3t;CX!R%@TCU
z|MV%D?o^koP-7m)wfK`g1i8!lZ$lE*!B#Qu^0Q<H+K9t{9u!ZOMln+D)qJcuBiqrJ
z12*B2M=RF)(>xX3aw5%NZ$B6=;6x_Oy6wN*pt?TyNNp&eUG&=>RAr}(-b@N3-7=}w
zJNhy8dmU9Z02}!Dec-P9+f`eG#2)#Uk4YiaALfm7g`2*oGDW@E@}eY+Yf9JhTgF@o
ze)HF^tXDy$h|BravpAEsySz}k-*cO+2`$NAbyrQ%nFF7(IAUM1QQ8fS*A2?9ll`BR
ze6$@GX-a>J3z*;f6N<n2W#OTjQ+R!eeVB!gAhU1A+WjA~g%XMm*~HA`NEnP~6TGje
z=R@*$AoMyJ2@+No)HpU4)H62pOzb}Cg}eAamEdzsUxQ#EJcjXwHH;6gjmSX4a$pz|
zJn0t@_#ey%&mcxNNW%jA?0AZwh}e6R&b*j3cQ28@6f8ok_Py#KH>^=KwKLKr((n6}
ztVCPl#$%?Y$YZ`_tAW(9>g+M`;gk~R@#>4ZHaYCh)G1+?21?{5{yBQLyK(m@69>DI
z*=1H&7dTmGOAZ5fmX^bISBiPag5?4x^8-&Q^Ff&9Oh(Jp2QKAsDp)me$NyFGlX*Up
zX7P6%bGa<{v|v4N{#|3!{5yleu~nwasK9!Hr?s5tEXR7VNm6n-)^tRH2smsvQLa@{
z=bS|9PONR02l_?y3M{yGo2}DA+txkwbtIdRc@`V2%+rXHvb|p23!8<#-p^KKItUKJ
zGPWZIz5Z+!*;`WOR<$2VJ*ttr1v^NmWo36BoA~+B#bi-x%$E@)4L0+BR(Z@3C4x*G
zeI`PAx;Ld(KxsMM*Fv{94ivWGZWbqw^|r)3Z^b*n%1zWH`Nq$Kd4y~md_%Iy=!tv{
zFgE`;*~+&3mq7cS!Ep8xJgM6^3w9xCv0u5YquHvGc0oJHoXf#?f3U4uj=7_#_WzCU
zABa)%raUUDBysCAr;E@sPyR7vS-<DyNh~0Z;WyEG<~hay7(px?gC0j$NghO1*&?ML
z1wv=62_HO-)+`qiZK)La@ieK6Gb2_*d^%7_jxD2<<e!OmFl6H`UTNu#H#V*nfoJe&
z;RzKOVxmKteJ!wT;4gu1`?$_(N2Kl%3^76ykC$Tlbhl6jceSW?=MiPRS>S6JGT-TY
zARR^gy1+s@-tr_ax};9}7VP!X!yr$zqhWzBNL9i-w=}j&o-yMzHE%aZVSkTTWpq_d
za>=bVid0*BXkwtZW#xM6;0a-%YNIoheZs@>6AT%>JIRI=GU0bFC6EWWJo7weC)K{e
zu;YPtEvaP3U7Z~5?=|zLRv=;OY5LjnPBzB^4e;06R)tpYr{x&XDf|lXQky<suNgZ7
z-+q{~@P2nj#$06sqhndN`+5bU=2kh{wqTPzh%pv|(ZBaXFR~Q8#%6Wgy2B>x_sJLq
zqhvGl-Z|A_t}=xP({e*?ErcJX+J$5{j_=oowuDk(gp!c<C%EV|Kk4itcyr2V^wD0d
z@eQE&PPeq*y7U?oOs0uIrMj`W^pWwye1S9|A@ZwzQn{Vo)5miiYx?~t2<BE!-8VgO
z6&8b^hs7Xa+^-4$12=$QBsT!q0|ZF&A8h_U%4KeBR1}F~liFHvo3=l1bgkLlU75lB
zDLyatF!ZwyNUJU>&Bhr6u+lN}0@J*az#RK${x+Zc97$nVEDVMv4JN=YI4VH@BPJ(~
z?0>i5um_l6>^}#(qER(_73ij*<neBGqxIjpCVlg=*<J~0pULEV)&tlF2oAr(Hqtdd
zOqbKf`RG9www1)Sz7M{U506Er%(BGWQMwOtl?<Knp<bg_P1nk$FwEGivG}0RAEM{*
zH09f->NNo7`hQ)wQs-i>qC%c`-Bv76f^K3xlAbjb-gk?9Hd&110<M67%be*3K(*uU
zRsy{u+~>9~3Eht)=WyHn2rXY9XV>cTid<6x)Dhrea|<hmlvDbk5L!kKZ@j{zUK0ep
zHnG@db~+Bjq!=Xjs@Jm;VGJqd&a)EwzGIV!`1gNp$2rXw&Y5ZrS%TELfFQ4uDGWL1
zy&ptiS(C{7z3#`}Df61^vAZ>6o+!Y*ur6M*=8Ot`cwAeZiE)MGa10}X>PHiMcl*Kt
z4FuTBSduf|h`D52|H0fShZ=nQ0JHei@OX;_^}4jgtLpuR!ODMHu=_@z+kTBw;@}tF
z4!S-mqXFE99$-A1$>KYXmsWqAanIYHXxRqc+4?efR;0%TaKmr>58MDQ@WqnwwwMZj
zhyL<1yb%TL-U6DHByQZ=^*kMmMPf-W_=hkkK@n^sA8~!97XEJtF-UY6!ShthySm2q
z-SB=jy_7;zA&9YGEIO>-=pBoymLH~<$6k=B#^U?Aqsr3pC1t0$N=Hq|94}lWtKipZ
z4it!hTmTFlZHYz3;1&BQtD9oN#sdwFRiFomEmbHYP%iM*T68?V`cuHyf2Gg=Q`h$v
z;C0>n;=KYCksf3_T)NY~ywh5G{(Xx5;FsS1DQD0|^~T;<o1W?8=lf$NAiBt`oubD^
zNI~a~wW40^UtvC@5y(*Qg$h{tDiRqCGvj;1{Yv3E*G)4F?9Gwvy2bG1VOpZpoj)m3
ze>%FRj!!6MIOgt@R{ZIZO1BFCRrl057XQwQcRVla(l399A018!Hw(;0^%4Yg*g}4e
zmO}nZJl3`!yx&tw0KCbK?sgcabG6X<8eYS-gEa*v-i_7Q6$a-$*<9d{0^?(%{74h+
zJBD+sAFAF}jki+HZ{Go!TeZ%24!f^QZwKAqXBTt)r9-aYHcWrE-O+c?1MG|Q*&iCJ
zm}U~c7WQEBynTPeY3hgzG@LVZG+f{Du&<x3t@|@GI#`cwJ-8b3c&S#Omo8xF?(g@X
zN)4;#4qs-*Bdu+CtT8X=Nhi#ThLSn@a!)<3sM^V&G}`$s-LooTA1e}wDSE9jTdll&
z5{k!fP;=MfUtRxP5C7P4vaTU4%l%%4$~zGrvZoEzEA(B(2w#7os-Ty1^w-qSW6<Kz
z;~6>6#@?^g<;MeiRXRO3>M!SIe-h~GClZ5t67jNd?2pW-?S7-(hUkE&Af$ImH?T%|
zw$_Wz?~k;<<1_MHvmfE?dZG?F)rbCZ*e2zx+eH5YBPFOY!`QXCDW$*uX1?XJVvQ3)
zyN4d*pyR=Y3Cx-oI~&+&hFIgAr)Vd~44Xt!5nmg}Vn}Iubhl)=KTS^8D!pwa+}GVA
zLqBN9I{}hz@1ek2KSSXFX&IIy=LwZ*mcJb|XyEWx>w~0Je7JajUL`}fq>v`2?Hjn0
zy)S-m=aFcaVtU`y+lx_MXLtF^#Q~if^Gw(D&et3$u;9g;Gg(>oBf-z@DordR8nk@C
zekqscL(J%)_>tF!_A2)GN%y2)=EiW3)9D-XqqzDzcQOc-wW<_C!04a#+#uy>r9v#>
zX}T7HCEE7Z<4wDWT=ZZ%p1lI>$6=wnsSezp#2P*zJ3UXjTD^y7WvB~jCyBIsK<s$$
zOk)n!HDUDGHts9oumpUqYLy4$cUIY?EXRNy6zaUiE-4L9a4^g_I5jZfMjcBJvc{9_
zrc6(24qnKJN80YTJ?+8vIkM}wPcqXFVlI4{coYlGM=~M5DNx8XHANaLwrSqCL(q`a
zpf&C8Ldycow)rZ>b=rk)oOcu1a&7^i(s3>7#N|s4w{z(9_(4ql(LnBF@BIB`cZVIv
zcZ&o)dvF^EeG;gWGVh%y;8`C!4<VIO*-Z+1XQ`5KSo!1@b&Qj*!@%a1NSp^#nFZH4
zX(D$aDI<X(Lph;Z&buj{7=zFdPy(e!<Bg@Hm5OO+2a3F-+X#5}``frabiA>bxs3zF
zz^z-jrk%6H=P*>2)kgSs9(SSDQ4@6MN8}LC>tXdO)bfhniY<1w24AO(A!chfQr$Yd
zU!Z@5dqZINYNQsFwt`{j&r^!}Ycw!-K&uHB^vC7$em{H}IffcS-v-hLGoA}%D4nBM
zV#f7!A!5L<8I<)B%gR3|D0WiT#1jkU1!Jz_96#qj)i{Pd{MnkD;-L*5QP6?~(h*ZR
zO^1y-;9K9Q2sw@DY%G|giHQ(1c`~fF5uF=CFY=Z1_!2*2ykF4x+*<TDF#e*azH%;7
z^C7Y9KL4jdCiL3~WAB%)C{QX%MTA1%%%j4WD|jGH!a#3)A%pQ5V)o(6_)hM|oAbXM
z(wBo}J?6$jkNcK8uU-drhW>7^JgjaHCAf(EGQ=0HFSw9?DRbQmbX@qD+r9RaGRD2g
zvxeTdFS0Co2!&c-RxiFeml}jF`#YfT%G=YA<~=!}Y+$~-ZgKbFB8kF@Zh)LL`t8&S
z;U+*VUlb|wb-Dqoz=?IwR$2E;r^#clQQrtW>_k;ympg})4j?RkHhU>^=v#J-fZ^$~
zo1f(TE6(@5y02BPbH(p#G=%NM1m5?Co(C8XEiF*c_k_-^y_Sj@pIv(!x|BP_ozwPl
zS?lxL!#!WWCAw*?e%-BaQKK<$oxQ4q(>^R|VcMs|lq_waw216*({5Yp-07iYqLpj;
zh!0%rhR9SsAu9%dsm|SLn#5I1Ev$EPf6TUGPkEE4z>j3|`oLfue#e{0)FhH4J*i?^
zO6ppN#^fbm62M|lHvE0&zBEuyo*>entMyD4mOgEbJb9l4uu-9Tzl*;RCST-1<;YEb
z_j>nIB90?3T;<Z^Mc(g|0cx4tTjh~1XC?09HC>_DFIu&px&q2CAhwD+SQzg@EqR^&
zCpHYxyjrL0gz(L)Jq-Ido-cj~E~gifojhfs4F2_gv9zd1h$fr_(um3eMBY#Kw}zC#
z&K%ESS_V7$hcB-sNO#w>E2R2P>C-?EU3{3x!zuOJCEltIn<!{>GjknN$DAhx{E~pp
z;UMuyj~At1<Hf3kw1}zHGwt@tN4o1B9QcX=PHIj>O@C*+jxnz9K*sVh#F3GFCvK))
zpp%cW;gemHb5C+-3y2wXI`|+P>S4y4pWZnYyJ=-2xnN+g9^t4?qwxSURfs>niwN}e
ze3Xb^)7f-ZAy?VW<Qs1YW5=|<xBbm0p=AZ_?S{sI%vw@Eln!FcBRyQrUm;K+XhC}3
z_(^9G&R45ZJL<dXxWY&L>|zIEz9E|55l(O(Q7M~_``1^oVpjvbvNQzvj5KN)fX%``
zws_VO0EmYP;5-ChiqTTEmJWFHNzk6fT_jMvnQiZD@wJEzj&hyFNvC|bEgj;!-Wa5b
zL;@DSa0Mw9_>zUU#yAdtxGA#d8)2i+(jiG?!@Nc$h6CF+VPS+XB#yYg4`OC76r;$5
zi5(T(0M)p#AkV1V$ZJ*Z`n_81hZtg`n8Z+wV9?_rD{N4$o7{dk;qPH(2Q#*6Oa`4c
zA0wuQ4aMT6PBXe<MI-#~%?{cS^+Kfq3urN55OmiMmjb1fW7pL3aW!2@gdM(D2<3kL
zxVkIW>*}xh$>g&;P`jWn;}DN^Vq}(LthQ}(WYz~Q0c;<O0>k0G%PJmMdQ34yu^F8F
z;xaiiUB>rxu$EkpTZ%#Q;g(c}l_(a9A*-q@sJ$}FZ*3lKEM<h$FDul<s3qX=1$ZNP
zmDv78=JIV(dqEohR?BBlI3+6&2Q$+Iol3=lxX13$RBnEYXZ|jQwK)Du^ME(xA)(Z;
zioDw%&TH!$LC33DWpD)<2PNX|MFC(A82j_eVa*}o19A<Os?`hnR3&9`Fl!g9(?;0j
zYY@};B5`5~V%-XN|MVkwJHzQwpnGaKMZw%@TEAdszN(qsCap@|6Fn3vvlaxU9`@p2
z_RREq_T$9(Dfpu@XP*1?x2q}|v)YNi%X)=d!EVVFX+{KGQ>n;MBqAdiTEnpfwqTxE
zBcv(#vi`&ddA~A*2L~kO^8>bzwV)@fx|dHG(1-QQU@fhK^L7x~Ql&!J6KWOj0t|-w
zQ3`$qdFm9-pw`OwCYeg*B7QHt66e&}p_)jgUh=P<;6_O2eSClkXTo9o&}HH4f09%1
zAfPR9D+J56nRQdesyq`M;6a#D>v5w3UJinZN{ZiZ+ii!9&41v|L8CEi>Mf5ykE<#A
zJhU5loApAEdx13pkFV!T(4%8XrIC;T$UGYl^98;<y8m*O6g{S?bN4#v%fP^!L!(lv
zoc+=r=}(11fr<2;N4hh0mueI25H<>h9RkRc{vgOyiU)-PVnb4UiehU)fOeN(7fUB1
zt|Q8tWR{&#6+w`B;stRKZpcs?vu8BxGfu^Eqh`6$k!H#*YK_A7Vfrs^(zQ2p`(2@u
z76QRD?}j@MnssEPgFyJB+`xk*d{st8h$~gJASLS#G%<hl3UPhOAy;|?b1C3WE%jIe
zO)%Xb|H;3{QgGW$vo?1`^noT($Oe@o15eFpb+zGHcx=}b8M3?SrrzwGvY(q#H%;)T
zi^TQa=}~4sQ*Dv<F~s7ndbn<-Vqa;z`D@5$N5@{$o;@!D+|$5BZ0j|1>Y0~FfxR5H
ziGgyTcu5;){aNArhnmD=172$`c&TD|A|0lW;%hRNQ29z&M7xYOD;Y@>!m-V_G%EtI
zTSAbFb_|VKqu6cWIP>MC3dsC<)i#^(SkUvQMmD!>w*@3ttVI+?G=_2%15DJe7_0~D
zP7Gs{(EU4nJ}^IS&8&>tbb{#}0l*euA~9=AO28-fJh_U}oh`wyD}Vm#{rq)00Ui7u
zOk`GkTP(Zd(|w+&hs8_xEHJ?x@#i5^uFanUlG6z(w*`Pz8lMC7ory|<WJ*s~VK=7<
zNA?VxXMt*qmORM()C*dK%8+$5IhOQa_&^MNNiQ91`er?Y@R;9|S*zuVJSg?p020^f
zyFqnSDJleHXZ$k9Bz>I>z<>Uz5Wk2l+QH#(Ul>IYUYOC%5+wgUo_oP;X@?08Tz;jy
zh2F7OYat87mJ^Ezp5nic&J_Ex5NFc6{aVzrFXrp;^3&|6sp*6XYcFUjdq#IjH!);a
z#isUU#U&w$16EJJn2_ZdeD=)kCEQBZy!(Z|E)XQf_lPRBQCtX^%lvf>zY|_h%Ho7e
zCwy`Af>gC*$O6ukTHrX`Rh@uQXKvP_N6$m%|M|8rs)M8cPhBjq0`aubx1=0LM>geg
zeY1<PT-<*&PAeIHaYnzJva*L<!nHK<&+FqdXGD4mZlj7%8=40Q1h(uM-lc)IN<yWm
zDDa$;mf_C^JlB9XM+jA-x3ujV)E$8rjQB#5I>di^b2v35KC|BdGeiymIluvhwEk@&
zppaGr!%fSm{|)OQg36|0J`QTp1tE`&{woMNJ~JaT>eO5vEGvO<k{Z&a%xfEB1lBrP
zLgIaHypfNfJ?--A(n8zMqH4GSx_h4d>Me{h8U#yb&pHi7j2m|ACOkXSutNI*(U_&=
z;T3gE<rRVTXMB<*+eIS9%~Uc*WA$t^kL)*uAAP`!E>)$4tRa-UmwT4U;ZiLiF%&67
z)leO#1hw_K$ukrazSZ$bk)=X>pWnq;1wsi_sbP?tfqn0s<`UW>P)LXmv{!05?OAQT
z5Esa@?%#_+sOpGuNDuz2u`A~Wlr#G^5n9Sy@3`J8zRTmLz7TMV+zHpxp?OUh0M5WG
zYKwHrZGl`J&$dE7-4s$M$}FJ`mVKiO!URtnLa`qdF&Gg9k5V3nD;D4JI~_lUC$Ng`
z)wH6o_1PBzpA1melAa%PcXW5?5EKe|o|v!;BkS{xkfy4J--miKMtB#D5Ku<<6NJN8
zG?`r`tpRF5aY-*OBrS%!mao9}n||4FC?07`irUWX$M!tHh@qkdZ_x-m0hjN$Xy0mF
zv3~r4zZPvAP_F_?k*7N7{*KVEqp4;*s?3@Ry@7(W^MPSn8)2#!F^Zdue({n6WG?<&
zJlkt4owh?PvTfBy2kN7K89ZD!sBQjvs4KYXWfHjnpbkh<1RPyZ@#t=PxoZ%IktcL!
zzpwHA3Na$y&G^Uv)C7lYBsHTDD8<Psx7aUj@xcv4<M6*IOsA%Q_B<f6B2)OH!9=Z=
z@aIeJ_u%1=Kd7TyEhDj8ES`st4ns7qA;c*gXY8TCGHm&)5XOx5qRSvg6OoJjLC6q+
z2W0%Xn4_<PCiY>|LKw^=)fw-^c%7*yENPVNjj?JXk3cY1NH^*whprMg&^3qD<BtYw
zIX0agMvahP;5eEbfJem$hZKKJ=c-di;V}pJP)L8#Y#GTw!R2)~g*<(*Tv+5uXb5G5
z732bK=3g7z{bciSo)Z1THxdiA(5<cLh&B%&6-{Z`8Q?-HUtS!B6cHtg;hkJKyc(Zf
zStAqA_rTX7*LzB;?MJUmz35@{Ho_wV$veZw{8K*|WZ9_%Cl3vC`GCLN;Rjzk*J%<7
z+$c!2oQVgXu3IL-YOI-)e_aC#<DrWD#0MDt>sb*-l$X!uDp{U;NdQMeZ$QQ3=910v
z{V*+PQxcy2B;qmDrHd9XQ#P}@r%|3@Q|q7u`7p3()*J?soOd;!t)^WBEQtg#@j<Vs
z-M}j@Jl+MVDHsO6eVc0;Bb%W-`8>gzt<$4W9|Yx@dsuhULhBbUmg53t`MK|%kVO1*
zD&zn$j0gCk3;@1SzyqKB0~A~UIFdkLcupPrgdDlfzM+o<H%G3@e68MqO})gd;Y^iD
zL4>JuND|VN*DHwj$?$DFHl#@h&0BDQ%5jo}Kkm;|;f*kE7W^liWF2J<&IXKXZxq`h
z*!pJyv3NgDZ!I&7jx4zZuyze_lO?6C7Oli$D|v&rALnUY(L_*a>&bJhOm1W~KS$cw
zt85b<eLyyn4~kLh?9hFYQrGcgZJ2I-1y|HUxMVN2rfIKPhdqMIqHg|>)h>P;nT7bI
zf(BOa>7qG53caaV!XV5EzI!I|$h1)7Z6KoSr39HgVJSLMdKweR-lB!+aE~a-QOZfa
z!gX=1ca88kR>(n#6DP<*aedD+Zi6i(M8PnOjyHr)BkT89+}^1X1*rIwv8Qlrn*#N<
zsy*$6A9fK}$0=n2pF}YW6~(w0EMoK6kU~6YN}+Ec$=6S+%9GQT#mLehCvzCjO@_tx
z#@$p4%7-2$i;1+z6xyeK&*fFwfy7VRgQCO?p&2vi4v|Kh;yT?J-!s;bbo|H>-aeJ|
zI)gM*2-qS`GzG}6hoQ82W&tuB_7s#pcXTXm#)X{WSIMvQ?Br^gB0Bm*7LA_TLz4BE
z&j>OawUBoCkV;~k#LWAOD+?S^04dla!)h(QyOW-|_4EOcwI7o;%M@Lc0YSIq$~$#p
zNDiK$Nh1U7{lnL%Ac9uV*{0VLmZ*~cSUKXpN>R_4j5gq3XtY*5to<`<(l&=*JwZk&
zL7P+yb&c?8;%W0`O+;E|^0mWF`^BeqzIR(c6A0CWj@n>c2$dO7BMfhhir!{>aZNwN
zx6LR8sVc(%s+>SZ%Qrk`IFo9-v{=Z#IU7fZf99#y`v9?`BkZgogGcE{TK(jKM=s@h
zqYgwr2fIk8zj6nS?$?G%k?_J<`+?!lpg4Yad_8NTp+HoZq;orD5afC<5L6eM*P|KE
zznSAEGD!&HB!kn-YItvC=5wRweCwpnQm-KlG`N%{fvy10YmKO@2(g;}R7cSZBhXS#
z7E#LpBMROP>7gNn{j1B1>-?hnQ9W81p}KKDIZpElpQQDy@#Y$w;Zn)!rjn0N-j~pI
zp6s98a9PKm$-ctpKII!6%HCB<{J@)11@Glyk*|@~3-|h!d6^RMaXXuOGhhqMk7=0N
z{C<PjoAoS#uco{9X@iTr)}xYs31}CUFq4NAJ2`nSo3=Hf9DVdrQQ;juu`iaF5A$#0
zkuvcL^hOK&<6IGI=DtW-8B>W$YzW4E=dx^&kNi))g6eqlj&5-=AbII=5efLoH8)Su
zc3gqS>bn{3l0B=&9&_h*@F7@W$EharH89o3Wq*t5+g{OV<s4(@Qs;w%{n$uzLU*I{
z!I$NKKch{bpLq^y?&KQLML>{Sm!gQnmq7KJK5A@Ckkby<M7~K$griHH>JwqcLAb$f
zaAm-GXG=r!mZQr(?Xy2<KV1<93Z9%EReE}+7$l)1Q$p9q|JiY#)bn|v>C?%N)wD~U
z7M9ia=x%;$EUB;V{8eW?>=36zN_S2c#T7ktBXxuU<aW-@?~a1B43Mu(p|VfG5gym_
z|E4-ICF13F&~0xBHv%tRm*UaUF$NOW?<VEFy$)VU%2J%r%-8*g^vaKapY;KWUsfOd
zmi5XKis{Gt`Tu>D2})reR?vcozrzK}6M+dEoak;}0c=(w5SpZ1T;~l{#47ZvBaYaI
zbn!77h^;-HJL3<UM+i^Dds{<~a5wkW$*Ype*%%&aY~!nWfHDhj9bC<@a>JL=0iFid
zh^NryUCAo@<nW9AP)@0xU6TFS6WSz~o#1qXUgeclGV9VAe8z0kRPg}{=|=-IyLxu9
zvhAw0Qzys^|K%1qli>%SCgn;-X6T`-5*j$#co)p-D)es)0tsmvLj1ffSIz9w_CBEC
zhqkx!`(_JzR*KUL4Av=q`N~0(+~Hi~?%W#$Tu92anVw^xV)HA4=@%sl`sUAs8wJL;
zE1budzXS|f*9Zd&rBiy@8{)j4OcS9FBL=FZDpEkRtVuyz+Nr`DUigS)*hg;vUU)7y
z+zN<KdHfU#_89K3eBUr?o?$fgDh^cqTfDr(`%eM6^Hx?eBJi||R(k+P`U1yt)_>qa
zqa+EOr3+uK<q;8e-T!Nd9L@bYLV$Jd_m+b3S(cfx0|G8RRSW`@?+(6vKTxZ<xl~YG
z1(FCi*2Fh@%IUz5Xj29g<N^+FT_y!d5KZ!07VAFQSG8rZAq2*ajEA(s`=lM}m=1<`
zx0p4$Rvc+Zz=*1abdV|hgWntJ&&GlOI>;|Q5jZPe1BgPEd_b1?o${s0eByh;P0_tt
z6RqBR!`DQr$u3d}h3Cu6-u?C8Y)zzIYCnv~|J`+@XL;<a{BD$W%T;_XXi)tnGf2YY
zzoYzW?~_DS1@qnVHIrmgk(7JlY#us&?d60wPo~fBrmQ2hCMsJmbtRD{^`=@4yE10>
zb_iqr?Q};}u#~AOYUaku-qDQJ*3D*tcNJ;y1kc!_aO@XhtdHHzGcui?`K6yyJ3X1s
zKiKT9O{-+psl1*R_RIW-_hWzGT(f7!O_r%syP|w`sbt2={crJ|&?L0nI2|$C%(eL(
zQ)!Zj)ai)gG2!6AU)K`PZ*tsynAct7{#Ai-=&amsp<DK<y}-d%&s+8BHJA67@1CB%
zZ=7x{QBoFj9!UCkF8RpsMno~LHOXJQb}xng*Jg;O72WC18aeU~*&pG<`6I*ddR0+D
zBeoZ-ojDZjXE^$4h{1d2d|#mGVT7rkOb4DZ^2tpRigVlh3z-S+(P}Z@hcb+#RbO9T
z5c>Qt@Z99A>V+={`KMG<ZYjYf5YWlGFFK(bM<-7X9vhlBg$6|=S8Pl#Y&Mk)-I%Uy
zolKiE{EERs6LEaKa;Xj@47PJYamhZsviE65FTa=9ICy#Q-}y-W4@skFS-QFN?;C;T
z2~oJwDE{g-eJ6H{>5>0#IQ&;RpLt1sN$+^B-?<$yS(?5sY=gF(()klO8BTy*xd*}R
zPKNv@4mw(hMH{rM#(4t{+r}>3@Hc~v#Er7>qH*Ko0U-R?yG*G8%L6F93xwq8o$Sq?
z2R7)`?w(6o!|UeNu%!2w3NZ^q;#S?bAAC)==e9VhirI|3hrUmfiihPqKJLlNxev8A
z)boHOzxy9b>6bd1$rWpJEuN3^jQs1X7wO@yW|DJYST)$D0ZFp@D^op~oy{0@GrOu>
z-iv5w(u7Skg;xj%Eb;;hPJy~~<M&o)O0;LAy;INcng|q*?^g=b2Ha9dz`PsFjaOt=
zXS$%<be`24--*jf3&s6nlqw&PFwPU*(Jzjv(T48T@`c8}g!dDj(u61Kh+uU(1Dj{}
zR?A{BkLP@g)t_Gc&`uCzwP!yIh{HUou9?$71T$EdzxA?fG(%xI*sUSh=ft>{a~?rc
zAU4nJ9Y|8PJ(={CtgB6G+cHjD9}kkm9L4kOM|%0F=Ah5}ba>zj+lxsZK~5>GCi+n1
zI_rNN_WP1X;9YILN~pc&Y<C`bbI%#%m&zFQxu$XU>-g08bQ|-dJm^@oj{qCl+Ko(d
zy1K^SVBd}cU>rKjw9gh|k+3^CgVgI0@&GL5j)_vk;{qEj={Lug@%6*4y!X|1#j8y!
zLAw#h4-l6NgbL5@HTjK;UJO{;5?F+;F3RHwu-<}NYjG4Il>mz!J^ZwWPiO!Um*aJZ
zbwc<VZvqM$jm6qoEEnYT-tVtgvs}!}?HMG>*+$^!lH4^KG$)DV<Akf;Q6z6dSu^Kl
z9bv!SVr1N~ByYZ&Z7E7y!)}&MwQPN*WRQbZI0=gEcwIEY+vzJz4qz#pwI^j&uj!i|
zw!X<R$iS#e1RqW~w~)Dg@OMvtP1oGD(avaMyae+XwD6x3^n?Y*igeY?kR+%#`b;WO
zTB`fbrAL~~z;<HgyQ-T>d{oc!Q-;4%%=r4wtJx}&iE79t4uw!y-aDLsM9mBv=1(W=
zR|J!cXav@dl2XiQ9OejF&yvPq+C{b>HN*UGHL*P*AuB67+4=ydX*Stvce-ct8RjJ1
z?f+z!bTd!pS;K4U=CG{}Y6fAL3-zJ30X0*w?R>n5pe4*4XJJzvOk%e#Qp)DQMdnuX
zrSFFlh2@mP;ru0PmSB+uoHGq<zv$druA+=Y@&Si^c^S!pCFpB)kD5LB^iRA<n8_wg
z?-!%%1^Uc8A3mBS<PUQQ`$cU<qd?O&p(Hml1iL@`K0NMAs+K6sJ)b%ITa-BLlUq=-
z#jm=IQP{V+mO^~~T^a?A=Pz<}e)*0t2Y)Uq3rNM5myo>a;!Q^LU)g60W}^MP`L1<f
z)y9qD22|ke!m+*57U_^u?Nu$k?i)8@u1RsjgV(8c`L}qNZ++o6Ig1t|MQ~7lWl3Et
z@lx;~eT?gr-2!<t;$DGWp?ucYj+&S_Mp(Z=;e)u<x<Xd{U{1)u1@_LseI@WtMOB)<
z+_<yj0%dTrk&4uWG<vwC#MGufr;T_eIMr4EN=cbZ{p4|Nd4bH1hk!0@B9nh4wyUjB
z%HP|%yi4zn@geEVRH6mkh`?`s?U`eM{4_D?k>Am<MY$N|%#tF1vvkuqJ}FQ3Btt~a
zNpyH3nayY2Ion1IR;HG2DCbow=mIB!)vQ6p<(H8~marcG>0{zbx<2Ql+pvt~zJB~K
zsUNcQMRu^V<<ahH2k3{tU&v`XEMqZKZhvF@FIh#E><g#%7cWk_hUBN;In&dT|94L<
g_{4%$QUCu^F1|ESmF~MXhx|tYs%YIWQL+sAU#Hh@cmMzZ

diff --git a/app/assets/images/logo_alt.svg b/app/assets/images/logo_alt.svg
index 90e164ca1..8d254e4e5 100644
--- a/app/assets/images/logo_alt.svg
+++ b/app/assets/images/logo_alt.svg
@@ -1,60 +1,14 @@
-<?xml version="1.0" encoding="utf-8"?>
-<!-- Generator: Adobe Illustrator 25.0.0, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
-<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
-	 viewBox="0 0 940 300" style="enable-background:new 0 0 940 300;" xml:space="preserve">
-<style type="text/css">
-	.st0{fill-rule:evenodd;clip-rule:evenodd;fill:#13BEF9;}
-	.st1{fill:#13BEF9;}
-</style>
-<g>
-	<polygon class="st0" points="84.3,76.6 80.3,76.6 80.3,97.3 84.3,97.3 84.3,76.6 	"/>
-	<polygon class="st0" points="101.5,76.6 97.5,76.6 97.5,97.3 101.5,97.3 101.5,76.6 	"/>
-	<polygon class="st0" points="125,37.1 120.9,30 52.5,69.5 56.6,76.6 125,37.1 	"/>
-	<polygon class="st0" points="124.6,37.1 128.7,30 197.1,69.5 193,76.6 124.6,37.1 	"/>
-	<polygon class="st0" points="209.2,76.7 209.2,68.5 21.8,68.5 21.8,76.7 209.2,76.7 	"/>
-	<path class="st0" d="M135,192.5V71h8.2v127.4C141,195.9,138.2,194.1,135,192.5L135,192.5z"/>
-	<path class="st0" d="M121,190.4V19h8.2v172.4C126.9,190.3,121.3,190.4,121,190.4L121,190.4z"/>
-	<path class="st0" d="M43.3,207.5c-10-7.4-16.6-19.2-16.6-32.6c0-7.1,1.9-14.1,5.4-20.2h70c3.6,6.1,5.4,13.1,5.4,20.2
-		c0,6.2-0.8,12-3.3,17.2c-5.3-5.1-13.1-7.3-21-7.3c-14,0-26,8.7-29.1,21.7c-1.1-0.1-1.8-0.2-2.9-0.2
-		C48.5,206.4,45.9,206.8,43.3,207.5L43.3,207.5z"/>
-	<path class="st1" d="M219.8,115.5c-10.6,0-19.9,4.9-26.3,12.5v-11.4h-10.6v101.3h10.6v-42.7c6.3,7.8,15.7,12.8,26.3,12.8
-		c19.8,0,36.1-16.9,36.1-36.4C255.9,131.8,239.6,115.5,219.8,115.5L219.8,115.5z M220.1,177.5c-13.8,0-26-12.2-26-26
-		c0-14.1,12.2-25.6,26-25.6c14.1,0,24.7,11.5,24.7,25.6C244.8,165.3,234.2,177.5,220.1,177.5L220.1,177.5z"/>
-	<path class="st1" d="M302.3,187.9c19.8,0,36.1-16.9,36.1-36.4c0-19.8-16.3-36.1-36.1-36.1c-19.8,0-36.1,16.3-36.1,36.1
-		C266.2,171,282.5,187.9,302.3,187.9L302.3,187.9z M302.3,125.9c14.1,0,25,11.5,25,25.6c0,13.8-10.9,26-25,26c-14.1,0-25-12.2-25-26
-		C277.3,137.5,288.2,125.9,302.3,125.9L302.3,125.9z"/>
-	<path class="st1" d="M365.6,116.6H355v69.6h10.6v-38.5c0-14.2,11.2-21.8,23.6-21.8v-10.4c-9.6,0-17.9,4.1-23.6,10.6V116.6
-		L365.6,116.6z"/>
-	<polygon class="st1" points="433.8,126.2 433.8,116.6 418.1,116.6 418.1,89.2 407.5,89.2 407.5,116.6 397.1,116.6 397.1,126.2 
-		407.5,126.2 407.5,186.2 418.1,186.2 418.1,126.2 433.8,126.2 	"/>
-	<path class="st1" d="M478.6,187.9c10.6,0,19.9-5.1,26.3-12.8v11.4h10.6v-69.9h-10.6V128c-6.3-7.6-15.7-12.5-26.3-12.5
-		c-19.8,0-36.1,16.3-36.1,36.1C442.5,171,458.8,187.9,478.6,187.9L478.6,187.9z M478.2,177.5c-14.1,0-24.7-12.2-24.7-26
-		c0-14.1,10.6-25.6,24.7-25.6c13.8,0,26,11.5,26,25.6C504.2,165.3,492,177.5,478.2,177.5L478.2,177.5z"/>
-	<path class="st1" d="M543.6,102.5c4,0,7.4-3.3,7.4-7.6c0-3.8-3.5-7.3-7.4-7.3c-4.3,0-7.6,3.5-7.6,7.3
-		C536,99.2,539.3,102.5,543.6,102.5L543.6,102.5z M538.2,186.2h11.1v-69.6h-11.1V186.2L538.2,186.2z"/>
-	<path class="st1" d="M571.6,186.2h10.6v-37c0-15.7,8.7-23.6,22.8-23.3c11.6,0,17.9,6.8,17.9,20.6v39.7h10.6v-39.7
-		c0-22.2-8.5-31-28.5-31c-9.5,0-17.2,3.5-22.8,9.5v-8.4h-10.6V186.2L571.6,186.2z"/>
-	<path class="st1" d="M720.7,151.5c0-19.8-16.3-36.1-36.1-36.1c-19.8,0-36.1,16.3-36.1,36.1c0,19.5,16.3,36.4,36.1,36.4
-		c14.1,0,26.6-8.1,32.4-20.1h-13.1c-4.4,5.7-11.2,9.7-19.3,9.7c-12.3,0-22.3-9.5-24.5-21h60.6L720.7,151.5L720.7,151.5z
-		 M684.6,125.9c12.2,0,22.2,8.9,24.5,20.4h-49.1C662.4,134.8,672.3,125.9,684.6,125.9L684.6,125.9z"/>
-	<path class="st1" d="M747.9,116.6h-10.6v69.6h10.6v-38.5c0-14.2,11.2-21.8,23.6-21.8v-10.4c-9.7,0-17.9,4.1-23.6,10.6V116.6
-		L747.9,116.6z"/>
-	<path class="st1" d="M787.5,187c4.7,0,8.7-4,8.7-8.9c0-4.7-4-8.7-8.7-8.7c-4.9,0-8.9,4-8.9,8.7C778.6,183,782.6,187,787.5,187
-		L787.5,187z"/>
-	<path class="st1" d="M823.5,102.5c4,0,7.4-3.3,7.4-7.6c0-3.8-3.5-7.3-7.4-7.3c-4.3,0-7.6,3.5-7.6,7.3
-		C816,99.2,819.3,102.5,823.5,102.5L823.5,102.5z M818.2,186.2h11.1v-69.6h-11.1V186.2L818.2,186.2z"/>
-	<path class="st1" d="M882.1,187.9c19.8,0,36.1-16.9,36.1-36.4c0-19.8-16.3-36.1-36.1-36.1c-19.8,0-36.1,16.3-36.1,36.1
-		C846,171,862.3,187.9,882.1,187.9L882.1,187.9z M882.1,125.9c14.1,0,25,11.5,25,25.6c0,13.8-10.9,26-25,26c-14.1,0-25-12.2-25-26
-		C857.1,137.5,868,125.9,882.1,125.9L882.1,125.9z"/>
-	<polygon class="st0" points="77.7,106.5 56.5,106.5 56.5,127.8 77.7,127.8 77.7,106.5 	"/>
-	<polygon class="st0" points="53.8,106.5 32.6,106.5 32.6,127.8 53.8,127.8 53.8,106.5 	"/>
-	<polygon class="st0" points="53.8,130.2 32.6,130.2 32.6,151.5 53.8,151.5 53.8,130.2 	"/>
-	<polygon class="st0" points="77.7,130.2 56.5,130.2 56.5,151.5 77.7,151.5 77.7,130.2 	"/>
-	<polygon class="st0" points="101.5,130.2 80.3,130.2 80.3,151.5 101.5,151.5 101.5,130.2 	"/>
-	<polygon class="st0" points="101.5,95.1 80.3,95.1 80.3,116.4 101.5,116.4 101.5,95.1 	"/>
-	<path class="st0" d="M57.6,210.7c2.9-12.3,14-21.5,27.2-21.5c8.5,0,16.1,3.8,21.3,9.8c4.5-3.1,9.9-4.9,15.8-4.9
-		c15.4,0,27.9,12.5,27.9,27.9c0,3.2-0.5,6.2-1.5,9.1c3.4,4.6,5.5,10.4,5.5,16.6c0,15.4-12.5,27.9-27.9,27.9c-6.8,0-13-2.4-17.8-6.4
-		c-5.1,7.1-13.4,11.8-22.8,11.8c-10.8,0-20.2-6.2-24.9-15.2c-1.9,0.4-3.8,0.6-5.8,0.6c-15.4,0-28-12.5-28-27.9s12.5-27.9,28-27.9
-		C55.6,210.5,56.6,210.5,57.6,210.7L57.6,210.7z"/>
-</g>
+<svg width="1064" height="131" viewBox="0 0 1064 131" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M0 3.08984H45.77C77.35 3.08984 95.98 12.9598 95.98 45.1498V46.2498C95.98 78.5398 77.39 88.3098 45.81 88.3098H35.82V127.53H0V3.08984ZM43.67 60.8098C53.45 60.8098 58.6 57.1798 58.6 46.3298V45.0798C58.6 34.2798 53.45 30.5798 43.67 30.5798H35.83V60.7998H43.67V60.8098Z" fill="#F7F6F3"/>
+<path d="M100.93 71.76V58.86C100.93 15.56 117.85 0 153.84 0C189.83 0 206.73 15.56 206.73 58.86V71.76C206.73 115.05 189.81 130.62 153.84 130.62C117.87 130.62 100.93 115.05 100.93 71.76ZM168.87 71.84V58.77C168.87 36.2 165.81 28.65 153.84 28.65C141.87 28.65 138.78 36.2 138.78 58.77V71.84C138.78 94.41 141.9 101.98 153.84 101.98C165.78 101.98 168.87 94.41 168.87 71.84Z" fill="#F7F6F3"/>
+<path d="M213.77 3.08984H256.91C289.3 3.08984 309.24 8.34984 309.24 36.5298V37.0098C309.17 53.8598 302.64 62.4799 291.7 67.1498C301.84 71.2098 305.35 76.0298 306.84 92.9998L308.14 108.5C309.29 121.82 309.77 124.57 311.51 127.53H274.87C273.71 124.4 273.11 120.96 272.8 116.89L271.22 97.1898C270.17 85.3598 268.39 82.3898 258.61 82.3898H249.6V127.52H213.78V3.08984H213.77ZM257.54 55.6898C268.7 55.6898 272.72 52.5198 272.72 43.2398V42.6998C272.72 33.4598 268.7 30.5098 257.54 30.5098H249.59V55.6898H257.54Z" fill="#F7F6F3"/>
+<path d="M343.52 32.5898H312.2V3.08984H410.63V32.5998H379.35V127.54H343.53V32.5898H343.52Z" fill="#F7F6F3"/>
+<path d="M425.88 3.08984H475.1L508.03 127.54H471.03L465.42 102.18H435.52L429.88 127.54H393.03L425.88 3.08984ZM459.58 73.8998L450.55 32.7398H450.32L441.3 73.8998H459.59H459.58Z" fill="#F7F6F3"/>
+<path d="M513.45 3.08984H549.27V127.54H513.45V3.08984Z" fill="#F7F6F3"/>
+<path d="M560.29 3.08984H602.69L629.04 85.0499H629.41L627.13 44.7498V3.08984H660.24V127.54H617.85L591.54 50.1298H591.17L593.39 90.5198V127.54H560.28V3.08984H560.29Z" fill="#F7F6F3"/>
+<path d="M671.24 3.08984H753.91V32.5998H707.06V50.3998H748.46V79.9099H707.06V98.0398H754.52V127.55H671.24V3.08984Z" fill="#F7F6F3"/>
+<path d="M763.42 3.08984H806.56C838.95 3.08984 858.89 8.34984 858.89 36.5298V37.0098C858.82 53.8598 852.29 62.4799 841.35 67.1498C851.49 71.2098 855 76.0298 856.49 92.9998L857.79 108.5C858.94 121.82 859.42 124.57 861.16 127.53H824.52C823.36 124.4 822.76 120.96 822.45 116.89L820.87 97.1898C819.82 85.3598 818.04 82.3898 808.26 82.3898H799.25V127.52H763.43V3.08984H763.42ZM807.2 55.6898C818.36 55.6898 822.38 52.5198 822.38 43.2398V42.6998C822.38 33.4598 818.36 30.5098 807.2 30.5098H799.25V55.6898H807.2Z" fill="#F7F6F3"/>
+<path d="M870.36 93.27H904.71V127.53H870.36V93.27Z" fill="#F7F6F3"/>
+<path d="M914.92 3.08984H949.85V28.7598H914.92V3.08984ZM914.92 35.5798H949.85V127.54H914.92V35.5798Z" fill="#F7F6F3"/>
+<path d="M958.1 71.76V58.86C958.1 15.57 975.02 0 1011.01 0C1047 0 1063.9 15.56 1063.9 58.86V71.76C1063.9 115.05 1046.98 130.62 1011.01 130.62C975.04 130.62 958.1 115.05 958.1 71.76ZM1026.05 71.84V58.77C1026.05 36.2 1022.99 28.65 1011.02 28.65C999.05 28.65 995.96 36.2 995.96 58.77V71.84C995.96 94.41 999.08 101.98 1011.02 101.98C1022.96 101.98 1026.05 94.41 1026.05 71.84Z" fill="#F7F6F3"/>
 </svg>
diff --git a/app/assets/images/logo_alt_black.svg b/app/assets/images/logo_alt_black.svg
new file mode 100644
index 000000000..d9243b464
--- /dev/null
+++ b/app/assets/images/logo_alt_black.svg
@@ -0,0 +1,14 @@
+<svg width="1064" height="131" viewBox="0 0 1064 131" fill="none" xmlns="http://www.w3.org/2000/svg">
+<path d="M0 3.08984H45.77C77.35 3.08984 95.98 12.9598 95.98 45.1498V46.2498C95.98 78.5398 77.39 88.3098 45.81 88.3098H35.82V127.53H0V3.08984ZM43.67 60.8098C53.45 60.8098 58.6 57.1798 58.6 46.3298V45.0798C58.6 34.2798 53.45 30.5798 43.67 30.5798H35.83V60.7998H43.67V60.8098Z" fill="#2E2F33"/>
+<path d="M100.93 71.76V58.86C100.93 15.56 117.85 0 153.84 0C189.83 0 206.73 15.56 206.73 58.86V71.76C206.73 115.05 189.81 130.62 153.84 130.62C117.87 130.62 100.93 115.05 100.93 71.76ZM168.87 71.84V58.77C168.87 36.2 165.81 28.65 153.84 28.65C141.87 28.65 138.78 36.2 138.78 58.77V71.84C138.78 94.41 141.9 101.98 153.84 101.98C165.78 101.98 168.87 94.41 168.87 71.84Z" fill="#2E2F33"/>
+<path d="M213.77 3.08984H256.91C289.3 3.08984 309.24 8.34984 309.24 36.5298V37.0098C309.17 53.8598 302.64 62.4799 291.7 67.1498C301.84 71.2098 305.35 76.0298 306.84 92.9998L308.14 108.5C309.29 121.82 309.77 124.57 311.51 127.53H274.87C273.71 124.4 273.11 120.96 272.8 116.89L271.22 97.1898C270.17 85.3598 268.39 82.3898 258.61 82.3898H249.6V127.52H213.78V3.08984H213.77ZM257.54 55.6898C268.7 55.6898 272.72 52.5198 272.72 43.2398V42.6998C272.72 33.4598 268.7 30.5098 257.54 30.5098H249.59V55.6898H257.54Z" fill="#2E2F33"/>
+<path d="M343.52 32.5898H312.2V3.08984H410.63V32.5998H379.35V127.54H343.53V32.5898H343.52Z" fill="#2E2F33"/>
+<path d="M425.88 3.08984H475.1L508.03 127.54H471.03L465.42 102.18H435.52L429.88 127.54H393.03L425.88 3.08984ZM459.58 73.8998L450.55 32.7398H450.32L441.3 73.8998H459.59H459.58Z" fill="#2E2F33"/>
+<path d="M513.45 3.08984H549.27V127.54H513.45V3.08984Z" fill="#2E2F33"/>
+<path d="M560.29 3.08984H602.69L629.04 85.0499H629.41L627.13 44.7498V3.08984H660.24V127.54H617.85L591.54 50.1298H591.17L593.39 90.5198V127.54H560.28V3.08984H560.29Z" fill="#2E2F33"/>
+<path d="M671.24 3.08984H753.91V32.5998H707.06V50.3998H748.46V79.9099H707.06V98.0398H754.52V127.55H671.24V3.08984Z" fill="#2E2F33"/>
+<path d="M763.42 3.08984H806.56C838.95 3.08984 858.89 8.34984 858.89 36.5298V37.0098C858.82 53.8598 852.29 62.4799 841.35 67.1498C851.49 71.2098 855 76.0298 856.49 92.9998L857.79 108.5C858.94 121.82 859.42 124.57 861.16 127.53H824.52C823.36 124.4 822.76 120.96 822.45 116.89L820.87 97.1898C819.82 85.3598 818.04 82.3898 808.26 82.3898H799.25V127.52H763.43V3.08984H763.42ZM807.2 55.6898C818.36 55.6898 822.38 52.5198 822.38 43.2398V42.6998C822.38 33.4598 818.36 30.5098 807.2 30.5098H799.25V55.6898H807.2Z" fill="#2E2F33"/>
+<path d="M870.36 93.27H904.71V127.53H870.36V93.27Z" fill="#2E2F33"/>
+<path d="M914.92 3.08984H949.85V28.7598H914.92V3.08984ZM914.92 35.5798H949.85V127.54H914.92V35.5798Z" fill="#2E2F33"/>
+<path d="M958.1 71.76V58.86C958.1 15.57 975.02 0 1011.01 0C1047 0 1063.9 15.56 1063.9 58.86V71.76C1063.9 115.05 1046.98 130.62 1011.01 130.62C975.04 130.62 958.1 115.05 958.1 71.76ZM1026.05 71.84V58.77C1026.05 36.2 1022.99 28.65 1011.02 28.65C999.05 28.65 995.96 36.2 995.96 58.77V71.84C995.96 94.41 999.08 101.98 1011.02 101.98C1022.96 101.98 1026.05 94.41 1026.05 71.84Z" fill="#2E2F33"/>
+</svg>
diff --git a/app/assets/images/logo_ico.png b/app/assets/images/logo_ico.png
deleted file mode 100644
index b4bfd2924fd4ebd5f2834a4fdcf2d6719b15f0d0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4253
zcmeH~_fr#Ew}umxgY<|6fkZ&60!q^$phz*&BQ+p!q=XV6M5BZn$^k-;fHbKVI#QDm
zAan#lK%`6PND(9ysZ!*_JNM50?%!~~nYCy3UbAPtvz~YDA9mzJ!v~yf{A>UKfKx|X
z%NPIvs{C1JPMu_un1;6j0H*zi`lk0!j!N|7|HOX?{C^`rnsX>Pnf~9;jSWozTYJwB
zj=lH;&-fo9Pnk@9z9Z9+fB9U>;SSqrkJVWO5H{2*FIxFK{UT@7uMO;9_TNW!Z+BHm
z3gmv>B!ckk%+dSHj%HKhq~5zXnp)(vM+ybcr_Mat4PIlt@Xg}EZ~;X2gMt{jN7ZyX
zgO_WG$svZDuBXyXp<V^+*u4nYej541+5FWPwdSI<f7p}f9_3wcY|Fe9>-W=>C1=b)
zx#pT}+}WUr6_@h9d-vZ9qeGu1S+(DkFwXYHIlUb>RO+ndu~vLDSe@{4qQcwqA?B9U
z-y(}4nr`}uVI2(Vc$yGY!>II~k9yseeyxR%^JN5^Vh%X!lWSIZ319tydyF}oDgeM?
zs-vZD>J41^5>j)@=zLH!soMM2yIA!0V@vmg0X4ChY0(p0M3tG&_~~L+nQ0<zY?i39
zT7AlE{OLzX_sZu_a!<V0R0~)aH*~lNi@cQY+Xh@AyWEuJO}(Ag-QKcCyUxds(9o8%
z6ida69b6F-gSgH_+w|u!Mq<xAbNcxxF$%oKILYjctEXoK%%uGNka_s>bLMCGot|Jn
zqR^Sy3iMdj1{Iy|JVr#P^Nw{&beWJnce;^TBR0jqJx5l)va&JuGYeN1O8G0DZ;*6>
zK@5S8B<JH=vYKjoR<lj!tFYAexsJ~>x(dE+p8}U9Ykbx%7I-=K)Yzi$rOfgas3#>i
zo6lc}kwRE91I+JCA&#z>IH`HH(v_3t&^UuTShtXDy0gO&cD3E0r`!IKo>W}~ngLvH
zhwS-!;p7Ufy|^X&#(1k28eV6!q_*?Q=4Z%40Q!nBF!^y`IY!);Zd)a5APod`#eLFP
z-X=Tn%OGU8Moo%@0z5rj@bXiBZsZur{B)*@l%>`sxhPHn;6RMD?W2%R4uF#mJ4sE7
z%#=5}GU$*N!U9-uk9kd<h;=khNq3!BRs~h$i|{-ST3cBM)Ta)6KT!mvieTaQ=^4IF
zWX<qG)9YvmsBm-;lq8t@^UQe6yN{CHh%MUm1(nihde^gAQSkP8bZT-j3}DjU!a}hH
z+tZg6&R>;KVZYi2i&TPLt|UB*+sbHs5`PiU#q%`8>gDyAH^&|y#k>n{Jbp7vf<9%^
zN*;kYtj(IORNBxC>#z(o$jnV|1)n`D5QI|jn7ks;<e}MF(BOo#RwcElJRGd`dts~Z
zmc;@vH{*jgZuB3lN2qyg7huJrg_Ga5RQpl{-$XB0q}-b~FAd62%U7GcyGxb`LWN`{
z5KyRIP!lXxzX=@tX)ywIBjOX{eERhKXrbPRL$)c8`INE<qt)$O)%zugb5N*bb2?b*
z*h*g3z)1_BAg%qqE-QYm2~0k~FFT~|X^I2BE}OAtpQC&eQT5Hfo4@B=CL~zuGuofi
zEphPkLg}1Uf-J-D{uu{7ZjE0rqRxE8Fjlpy8og{z{Dk8e!8HjoF)izCI~4TPp9wt)
z#?_eEuT|)8m~N=@>Q~F+b@N@rrN{&D$2a1FTepjB56m*hcggQ;P!Ck-eMB7j9faYs
zs8Ww~%f-))<QWJAzVr*9n`9~sJIe7pXc}{y2xJ8gbXA)zPy^H%7O#z6uf%xWi@e|Y
zJA3Gk1)GLv431pP{-?;l)%(9&X35+DI;Ktqi#gATngBZb_+1+%;tqZC+o`AmWb;U3
z0>#pJHrtEL{tFBj?LBUBjZ`ovUN3|&G=k42$O>6wPer^w5kN5hM`m@yG4_a=+^-aM
z+C@U3P*EIr>;fJ&jX1fqTPPnnS!$<A5}_|K0$#LeTIK%rT!U<lwg`c5;p&f-Z(095
zZQ`uka`v2?%LAHb|FCWi6JqWfS85q`lli(H|0#7$b|v&guV|?BD(Hp|;E@hbunt+O
za3WuaW~CR<@MTQ5(%EYoev-=kb#3GXq2AwiJ|q{!`^=sHf>28T@Ba0Gcj0EPisgrl
z#yylTZM#V#VYKONZrV1JN53IPLhsm}Y+N*x(<?7Jd@CEDOBEQp(V{EAs~};e6Vi(-
z#?m*o+5UJmM1Gv^qQ62!fhjpQw;#|dxNq+8KGFOpdG33`)2+vHCoB;qy|I5By~(cU
zC%#m3vxJJIza@Y6rNv<?$3@lh9Cwra6O&0M&b%ud2BkSi5pSHu1R5jVO}H5ZJ%nTu
zi@!7i9vtkeqS9np$)RohiN8rG)8_7a_MB*(h$XkaBo#7cqW-@V^KTA+bbc7P!Iv1B
ziI$?lMQtD}38EF;jLS<5rYnNd@k;cP0~_qvY7XVIhrjw9tn*0VGD9pZo+ZSs9Fko#
zaDs31_ag^;DEylX`+5=HkK^T*ZmUuNbk$wC{w7R>GQwx>PP$ojLBe4yD>5?%J?7*-
zX4t;4ns-xrVR^ta%VceBb93pKf3dY?5-(Gmxd{&&FbtY%{A_g`m4OrCm&3%uiK)2E
zS0hz0U78+?eA&c8R2)trb$2y31}Em>JSjCHcZGhW0ja&OMN=zi?T!CZ3Z-0v@B$fm
zCNBgTnEciJ%WW$dL};3pnB|m*oae8BeO#|e3j2GEmw;!XgCDI+b<nY%!6-7$R*}I#
zBlZt%eP|;EaEY$5l6QBbWiW_W`_h$l6Rm^Jk@E~)lk7zq%r5WtlA{mJjnjQmH6i|o
zG=>_vKW^tk(;0N8%rmlH-{niD3K-%8$aNF;%O+oc;sTAcCzGjeF#NLRBv+sj?~AS-
zTzx?osl0vy@Y`gyROMRP@_3-%e2S}AMC=F5or3njCX;!}u*eg_TqW<wXeUXA+>lw+
z0cvZknKAT!(=b-s)jDvwvH_AOFS<ng(L&{JtjWAx`h0ZC<GSV-+g^)3uf^HFx+{5i
zsCo^_&AQqX;R<)^rw>>&?eqLAXHgl#H5K8a2e5l8)*poMmYn%R0y{|ctl6y11v*d1
z_9A7DbUouo?2Cq|%J(+)Fb>$^EV0AP-c&eCqH1xtD-QhubIA1fO_|*vsZ;!q2Dn=J
zLO&dJP^Pzow@UjCi#ld&i@}HG`8JrpZXrdmrbXxAYQq%G@&@g=DK0g+xb2?!l5e!g
zt+Gxa?>~yatbU!m_PoHQwr3K8&bBOq&9`CaFRjxz)7dHSRS#QYJl3S<jMq#PC%Iym
z5bkEk1EHwqb#N1kk^i2*m!!D2FoK+m@U!uy<=om@1XbF!*~Y39(J9_NM?<w9Y@__X
zNNVegt#>6F;x{v!{d6562{KCqm8%`*uj5y6u3&tvhx<;4HsNif#+uHS+fGjhwiOUj
zwHC1dldDp-?F$*g*9G7qc&Ur?BGXmlCX<XhOrw<tud@ia=Xy<v41_2Yh8?hc6&mWj
z7MbWcC^`d@ey!Ud{Q!#rP<#y38;Hf;S=(#?7)K6Ft~}@mFv|@pUvHSHI?~E?b=!v+
z4zN|{r_@$LrC;AQn10nR1^8;%GmHu5{OztGZhG4v+0)3bZ?TVh3~;#!pTIS<^-N`^
zhLVsE8(Yc;oR+DY%`h<@?IZJ+Te`pzSvBhvCM)aO=i7^F_)#I52AvS`ZeBOLumw48
zztkz*y#~~Po&s1^M96yF9@;8;>aFKEonSX`E}{NmnB93i-yB`At^69GaL|=7Y6B`-
z+T@@n#4RmBIB26F9fso`Bvkv9OOUg0pKh8^GqX<-XU^Fj^^7^XqJ{|bQ$jz-aj+6R
zP)mUvs^rxNsu$|Xr4E3Kg?hBp>}5ii_IM5Yz%6wTOjb-mPEZ3muKvWltCL}}J*b$2
zGJ-TGif9x!@0li23)Z@=8{%Iq)X9~WBP)v1e5ndlH{~}-_`-r6d}n!4op@GJua@1u
zn#U!%GR{GwNB#_UT$@zKdV4a*avUNI!}BlTBR1GM6}asObL=Jwmx_QrSh+dxOs8L$
zu>KmP#8B{61DC{R5b{E7Kj@#t=v*CwdO|NM!F=bq`&~~s$PvJqaN20cM$ds9EQ`OR
z*anRgC*<t``wJL~Au7zX9~iIC1`zIv@P9d7BHUMDz|qJB*UYKT=EH>xCDt~zuJdOz
zRov=ET9^gd+B9e*_uP#^jO3~fj+COf)g$Fdj_9HCdjqUDxa}IG@@!cU#rM?&%kW}4
zc?i_ToRRB@2rJH~)@Py^XzPw}-RYAlAHom1EnvU?kn~ip09>Typ3=naI{lS@=ve+}
z#)2SOTa=d6Aq0Nfj19k(wkHTQRqnV)Clj_!bqGjF`CRMg(4(g}h?=LrSBDCx62UgZ
z{#uXUvcNTw4@3CKGi>=EI2pQ_B5MoqS<U)+yN9I_PiORt`a6G8H}zTXPaSc^&sX?e
z3cdFDoB!3YaIQUnOl-g7@|GZJYlJ64)ru$|w|AqI0OcCmSKg-tTmd)ayg!P*J0VEo
z4p2(StJB87)M|``K@TR3SO&bSKB{^16Q@6*-K$GSnzvWCLf|<8bjFXa=_g8HuJG2G
d4wYk;xXu9KLNqet<m&*?xo@ads$u)jzW`XP=#u~d

diff --git a/app/assets/images/logo_small.png b/app/assets/images/logo_small.png
deleted file mode 100644
index 76d3a46b09e32632c0a74475028a6ac2add3fcb1..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3105
zcmV++4BqpJP)<h;3K|Lk000e1NJLTq0077U002e^1^@s6iQ?Nf000Z<Nkl<ZcmeFe
zfdBvi0Dz$VsTZjN000000ATj)0cNf)3ZwA;joJ!o+qP{RL2WmvZQHhO+qP}%cAfIp
z9NpO~c|H!JcW~zCvMehk?qWPdDPQ2uI}47x7z<HK2V#Rrcz`(&rF0;`A1IHbFg?dS
zB!&1hr2|Qa6);`KBV54~JVj4LfcO)o1Br~GFg-#?#KbL(K@u#2=^|?4Ux<?_9Y`QF
z!3~&ZAOQqHKRCtu4JC01rY*<?aU!JyDT2K)?L>aaYhOC%4T@H{4bvpVfjEKEfh5IT
zn69860zkepkPk)2D46b}9YR8Uk<x*LM-M!}BlJXA$Y%up#?L|0U^z@jP!WGZyou6*
zB>94xI1STT)IdBW_`-Fv;64_9;WCL47b!6S&tO`PTu5Rgo}+Xi-k*4q(t$MniY5R*
z18Xr5P0<UR(A1_49$`D$!L;uC?+1YR5~ZhDosa~A=;#Bn`5$*N9D!l#0#W`z2htsB
zAxMCMpE<=Ejj%BFggDil+g8ZM_pI=9&RhROTxrooEA+w#RwnZu;#4C}SpP1(ZKYds
z$BG4UwO@8amSuHCatLCfzn>4}Hw?xa<b}A<e;A8H7?1xU4pkcmuo<y^=^11SR%0fX
zW1*!3*^K9?263UFI1keW1cx}(c)TgQFAZcF>}`P#gs3XSg?>jxOhYC74sodDn23%D
z;td0dkHR+DkqU)vvf#skY=YS6KwRrTgv5Uk2m2Et5E$YO0~rK+XR#di4r4v+ZS(7a
z02^Vd08!37#p(xp$FK<Y_F**k+f4XH1IdMaNC0^)Gzy~eYo!q#@*P6HXy+VYW$D>C
ze(>71ZQHhOo7c8&+qP}nw(Wy&&*E#6-zHDy?as{Z%<j$Jw8=j?XV9sBZJ(#@68Ar>
zvwY7toTev_k)9ib`}$dS6Wm1)_cDh08j;U8dGCIQV*;Nj6(da_S<cJcVH3yQ+<RDa
z?>_F`A#9dc$a`s}zxe<BILhx<r7tP}!qf+8wcT#?hSF=|c*9lX^Ea2yg-glHD@vz2
zJbN8+7o|);p^Q@w$ZCf6lZCQ<0wf2urcg^Mt>aog%4MTuCnr!yXK|%f#E~cBIIJ{8
z=?R<n$13Fj#PckW9wVM_l+IE*z%wCnCME~<(!_Z!TWfZb4w<h_O4W$BI&tXsv$f>j
zV9mYG+^fr!c(En#dHlbW`x!R6jXK;b)5`msm1;5t(!F~Z&mB~{88|m{?U2jOsc-ZA
zE?~*93h0{QxUiPzPCTsF_ytH~DmbcD?B12vmg(R14hZo_FhIMJ(J*_#M&dPF!ZQJS
z?Pqjx(L?s5L4+x+F-ilN5(YW#xSLTa!zyt?a<bAsAlObk&j4{R(soEGLi&btt)z9&
z8|4=eqw!##-#|L^Nh7<RwL79)aZh*Vzbp4PQU@VAwPBR&9Il0Eyie-#PKU5gq;)Cf
zKOB(5)YlYxZ`~+YKpMu0x?DoLINL>gc$aVQ(*eRa7KnDUhI|ecXO9A;{Q*A!`C6&F
zP(7t0mTNVcuKXzUmd}9Xld*#gnb)wb{tO!a2l&UsG_0Gg#vR`-AkG>}H;OpUVc4Fj
z6yZD1S<@rzuOOh6r7@f-M$I$$e=g7ds&png)zZ@~r(tdc%8SJNS1A1fumzNX7eK;5
z`zzDbGtk*epONPXF8j>?j2u8fL;IMKBAV8#Xcvbln~54j`fdSN5HQ}sE$!C1@DA_q
zwF1Kb3n|Z?I7cpx=94^sj~yKXk}Ev{!f+(RMtVybR^YXgVX>cp5DqbiJ;hpq0B{FW
zz%Y$S+7lm8IU(lUr)uKJrof_*%%bvjfP|Pg6Hh{3tY%^adXTAUh7@^y21p2=0QpV#
z9m=n~I0h}JJ6RlL3sb&#^1Lps?@`Y|=KWegi02j=j}L&<r9AgjX1aWy%oKVz&o)hk
z4YG`3)ps|q1cVCAc5tnJMMdTSOtgZ>iUxFw!#AH|bO<pL>HwJ`D<A<tuAw3$7|Xz{
zRW>${S3p*2fVVc_|IxVbk=I3ed}fzc8his`o1Ps5kbgzT;s+p?EA8Q48M}5u`iqLG
z+SPsnvOzO~EN4rF40HShM9w+wL<88!JAVr!_$b%jb`giPHCo01q`Jp-kT1ory<F__
zy#HoTfH)skyHGT;r^WRmT-!pgf3<^N0faD}jnxJT@^^-hfP5fk8CSXVhVA2>&%GMy
z1wyN+1bJ;C3x)F9G@k*P<+cz7zzv0K7CXkZJGcq&jEVtBQICL>7bC6Po^+H)K$_Ua
zk1e;IXJ3$0L9P|x={w>m0v&+_BuG2B&SyZ13WrFxn}u9qBX&+05d7+&L`4E$k=K}p
zyk@!fiqC+|;Qx3UQe*yqg8%cBZgLq%Bi<REBtR-~Z)P0%8sQO;MhODa+~SzXw-e9g
zq90QPNOAFlAz5w!5q5LWgaDx-uVL6i^dOdNNM75=Fzpv0yWRN7akH-Fox)-PE{AKc
z#W@PKO%fpA#<{uh4D7$-0Z0k1ZNjd*!KH4*la&fUKH>U)+LxPUhh4n$O`?GO7V#E3
z`2~n*@L3Lx@<WWte6jkTEu09w?Tl;mpja>XAW4ASK&KL+m(6ss88LjE0C`Xt@9)^9
zm9jn!;h~BT5aQ2@6OgNgO;L#V?aK2vVY6JHC?I`30<s4GwqJnkX1a7zj7(oG77Yhk
z=AvIQhYqmba7v6g&Wny7#C2{m0O5W|;X1vA^y<7q_Xq<$<$#ceVPbLcTAQ>!$?4L1
zxLV@_gnDFZe}-E?P)o{l8=a#rjoG-VH}h=!MBTg?F`fb*1@C|e@5dHgjb}%DDhl#(
z90N>S7(Ec{6@!W65DReU%Q&dOA;gg*Jzl;7g0P1+Qc(+8m^@RY=}cCR*O2Z&$^k*F
zI`0+^lc!`_#bV<&u}k6B1OT~*{N~emPl^MOYk4<}GwBU$d14zc6AQ{WCJIOv29K9O
zLHGj5Ft%z0gmK%H-fAdzQILvxPZt-9fRjX=3t0%Qsnn18Ylw9IYw!Mb1;|`GK+uao
zU!asr9_vyzQ%O&Ntu1|z7a-_E+`vIPkYSX66MldrOg=UPdqx6)l#LKD_OFR&s|j}R
z2GS9rL#vO*QTL>gJjM+OB0?_#1JpYpG=K|e&<E*Z0w|xj$1=n_`TCns(RsXIz;|+J
z)bHCJ4CA>XF1;i<c7UM!m4=are37Pn!0$wv)c~TNF#ySl0Z13_HFN_A&pvPSi~ZwB
ztF8`)FnY%t9dcNcx;EzSZ8m=b-C4TLiqs!~Xh9qlD~*)VeSU0KtmOiN)yy})!QJ}>
zXR(jb17-?9f*8q(0MbDg01dP?Do2mSJ||bYgK1V{(p#0nw>^kM1NlJg^|I6RJbRtX
zgFsKQTe&4^D#_GFo~HYO?e#jyK47Y8z4s9JXt*(T3e%Dg92PH6rS~l_>Yya{VYc0N
zcRHVU99HyS!id(ba9>XP-g2n#EXtxJooY+U_DPXOZ-7uCK^+wkSppLOq?a1aYVD^~
z_Dhxof5P>PiKAHpfTT=DMvjXqI!_kRd=1Gvb@VWoz8Xl{0?z=YI`qO{Lw9-tVq^e8
z*JAX@(3a^#AYvc(>P8?MeHC25=?jRF0R-KTYitb$&aD`;UPJA)2gJw#B8=>(F|sO0
z{0Tt}P6J3<%K-8LE=wA#pTT|$w)&aLE@N{e-Nzh_{Hm0ZN*NhBKEUzJP$XG_ZSm<S
zBQt{B#D=<Lh7qPB(p3hKs*&V}`lce%RR)kLDF9@u*jbx4GBSXi#98xXhp_NurHzaX
zAekI<O+~0;DkB|brdZWe1V|TC8R;kk$Tj@FX|h8LQyFO|0|<JVgG9*;pPI@@OBq1W
z1MJStkN6+vin9UfCnE!h(48E4e3Mgd&cS|r$~vXHOhue1GJr^(%NmAVsK*A!NfuD{
zav=X|Qwb-e3?S%YrLMB^3joTAU!=(5Jo4)tdA$6@FI*!72;$i7A8bwe#Ec9^29Q+A
v$jAU<WMlv_GBSV|85ux~j0_+~Mn?Y!h(fI+r8bqV00000NkvXXu0mjf;oGm4

diff --git a/app/assets/images/logo_small_alt.png b/app/assets/images/logo_small_alt.png
deleted file mode 100644
index a5bc647714821064c5172bbe93dfff819d58b4b5..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2941
zcmV-@3xf2CP)<h;3K|Lk000e1NJLTq001ih001@!1^@s6UKL=400009a7bBm000XU
z000XU0RWnu7ytkO0drDELIAGL9O(c600d`2O+f$vv5yP<VFdsH3ld30K~#7F?OAzn
zTg4gQ-S>3al4W#Qk>eyLxCHD#2F$eKC?iv*0a~uMDbto=$TV$ALk1?ar8I;pP5VdE
z;V8$@h5<6oK#NTZlz~7FFd0I^p@z$*CBfK^V%ONn*7>e|yZ!b_a)cviVnvz$!*Aw|
z-rM8b-+udj-+sG7=u3P77*z=bog4^)B(PIi7ub=zm2+Md!Y74nG#bT`NJPl)U>IH7
z(a|A6*~wB&<p3=rASyRJJGjKROYQgXQU?5w#Lg6DC#vD9*;7Flo^}7f{Ms1{?jo{$
zb7>`~biFi@`0L8vNBcm_Toj=h;)Iu`pe@|q-Y)yLXKpnXwtY+_asy5#?nZ{u!>Q3D
z-mxsNHT}Vz_kV5mvZYIxlET>4RMv43CH`#_-w5o|-u1tt@xaT;7XyFTdam1jT7&PU
z)E@uKsXYx1r-lN*>ue8foA{e(Bh175%;0IFFQ0*aE7B~_k3br_;->|6<(@$f*G|r;
zga;2?O|M(@L-!-=`+PpbAVh-cV6JJV&hGo!0b|A4KPQRLR$<PG><u0C@5pTqy)ZE!
zG%cay(DF>lT1y^&V1F>MJsV|#hPQ!DgiMUy8C=y7VXLp{o|vdJD0OLy;x-Tv6`hjF
zdOeY-F`Qbx?)lX<Tj+NeEJEptjR=#gsmuAwuAe-93pijgV&EB(EiA8?tt7lyJVKBV
z==;aWrFvWI+Z=2V=Te=<<_+!Ijf)>18%ydnH9-R*YMgaeJsTYzwM6A5YNWNb&Kw!Z
z(LVOM77T_>*UF9!__eK<5G}V4%eK2eSo_k!ht6NUOxS*5?4yX|GDJ~VSC@2?|Ef={
zT3%>X{6%=)WMgI?%1Z$a^1^SaRF3MQ%!?QswCawOi-EB9<YjshA$0`;16CR1udRB0
z!?M!IAx|ZX0j;gA61w;D*D+(3=2>By%+fg9%PmWUMFgqb;XI$~+8b8A-Ejdjv^|J3
zOc*EJS$i409|C0`Ms~;fSXZ|(jwVVp1MN)03KO<uU;>30ig5h-=bslErqgN`_8;ie
zDThL`%`kG{Aq;!Hbyhn{b&^V@P;G4u$z-y;w$?@T$KJZ%xUOxL+wDQxqi;O`?>C3T
zv+&T+VeHs?;91dM>i_5-cKSJ8bo+DXxwqWapUdgg<7p(xWD>dE24Sog3wd5I;le2g
z2Zw1>lat2dEe7YWnz*oHWo%Zcz1O_>;su7V!SQij7Y>6^y^4@msjUsE!^7#^>8H<9
zD3w%>Bqm7?swg_eL}E6Z%Sa?LS|;N(Flb3=%%IE^lI@;aQ`d>+be>`uhN2~t<0=qU
zhKEP8Zg;JMP)cFUtu{9=G(w>(s32OZ&vFhXX2H6;+UWA-OMv8ZEgoN@-FRa}7vDoe
z?<mpe3N;q<=woB14#vRgU60Ks@K{#i@KU!s431VKmd`RuyQ?NYn7f98-{~t>TnQ7t
zQjJEJgS;4!jBBDS9*=8cjQ;+J9*b?Fd5s=tAm&FRHbzILXuXRFfts70fgQ?j5$LUF
zr!s(0lMA6%dpI1ffsAXnwJAIryH?bn^2b*fwzORCm?F!HK2!3B((xv7l!KLaShsE+
zZg^(oRBq@P+w5F9oS1OU_SLHy9rq9&2i|)tYbmb;p^%S&37NZh|0hqR7$FMqdOu^O
z`mhF?(gsbV&az}JZwEYd&X4CaPyK;nxxJ?53Dai(k<FWr5Ioqh2Qw2RNt*1-7{z^k
zec&jg96TdGtXb%9x1(50sW=}fOBQ2G9$|@b8F?CxOu{rJY(u59!Z<npGOG2&fjoy8
zG(m{W6-B|4Byn(MgiDs!Fgb5+MX0BT7sohpvcgs|J`eM3O8SB!F;kk_R$6t*pTU!n
zs_LfVqQ=+=q9Y?-9uB)E?anM1ztC)P2vh;4)huj#=+nNBQ@r`iPGp({)*9i=*j{cT
zYr7J5Mi?CsNs4J|CWJ4RfJhvPG+B$@-`~%S$r<J6s58cUd-Fq7Likt?hHPJ1;H6II
z1;ua1y%X5wT%0!&_|^<Yo_hZYF54DDoZ&vk2hyFlTpHUHL*cNWh!`szOlAy=8Q8c<
z3d*QRv(sc<9C<t*ZeWQaA~zKu2>M<m!@FGgmdPB5qp<&zxguu(67!O;Y$C8IfFWT|
zmb9W7VAu~^TIQ7vOD8}UqjWlri<&sndP;NH|50gtg!gQ=T@nt4P~&8=RPZKEF>oPt
zRnKMxJf0ZWbsa(ijTcRfGc$?dTkJ|aPcDf}nnJQ<l`+V|C{<uaZD6K*xv*I)*CJ#p
zx$4?%I^B+Oz2AdX?F}Gd#a&?rJeS)mBE47>vGHJ`Y(?28-id@6U%9rfH@beTsYy`6
zV$0xWk)g}Rs~%?sAR{8Av1J37q_0oi2g|(+SgQK!<)1V+-?85B58;7gg_)<z!3;#4
zEkuMFqpZz}ONwmPD+!`#rm)+t1e=ux2Ni;*oCdLE<1Ux0qGR~9WJS`et@+cbs3H)r
z32~YGOp&PPcd$a7wSlLdh#8b68;ixj(6W^Yg<}k3_1K>mkF7+eU<Uc^w#{mVDnMDX
zaIC?2-O54B+m8hiDRlKsIIg@2p(1USnbbO$B@&5zY%S3&g5B2T>Z`~E1j;&CZ*MOP
z27?R|mk;3-d*Rf2Vrcu&NBi$H86+=_jcr_ZdU^cdy(HMwi0b_dAZl>vk4C8eKIW!h
zL}RO?j!p>EMFZw=I81fu;6^m}jOR)#xSH8+ZtsesB|o?ui^F1}9Qzt>fyo^rdv{z-
zAAI4W5pVF@u(Q=8T^q#Ni6qLVHWu6F6Q!A3LfIZ7pKWVvvkeccE@|_gwcO*oEk6bG
z5dSE48(whkJ=T_6zH`z#eovi!Cb?n!s>tsnkp{K9yPKj4fR9m5!r^vDCi7pH<MDkf
z;V3<qrN?`a-C2kIv!bXHsOj6!+W5VDfUNMis@)=Tak(%&jNp{nWYF=k_u$TeAz$d5
z_>_j#s8TrGzj^0dclc0+(O}w6!W6`f^#{LxE(+RQgQ^6c7`g212XEL_iFT)RFtGm)
z$@k*cWw?q&1qd>IBBMjqyi9Ix?w66HwyH!0@OUDgPa$V+3T4TP+rsp3pKcb(G^#Ra
zaL$F0dScFJzBiO5E0#%C(=s{<Aa2i1s;UxPL7<)142%PxCLx<np=yJWxrX7Z=>LT2
z5*aRSxqTcP+KcEUfU#k5{Zuv0GFhI>$Uh%mGkIZLC2*?mK`4m2yMvS0)5nWxH-*MV
zWbmiAe1_lLb`4Q7U8qVRLjxOS*#(Ejt{Erc$C??5Mk6Hp;IPYM<Bob6+x6?Ca||sl
z;VW*~2B~V@v^`CF7)kQ%qsqre*0Ntl9=No<UFq!XG-i5#a4e7KJw32g^U`X1#7>>+
zLDlorntzXuDmMG<=I@|I7d?)MH0O&wSPBmft|Pts_OgYG7ju7jsa342J?4RT|Bl!H
zG!_W-!=-e)S+%Td3P8hA>s;2_x>QP~;!-A~I9$KDv&ERd=ptSpyv#bj7}|&0lYiOd
z-u+}klKhZLn3z%(vhFM-Xf{((DBOsva5|5RthS=NgBeXv<O^_Ri#KnM*t6LlS#t#K
zJekCyPy-p&Kc}{w3vQcy@QgA_n{a>sL6C3arlw|ISC=#)?KI(^pz2?8l!LG_vGerw
zd>=FvG4}7@Z&2BWRn>`uPCILwA2uN*F|iT|T@Oz;jtXMSSBRB?OF8QdUh%P}VhAng
n{}GIml79v(zQ_6!|4;l6qVsc7rA{}J00000NkvXXu0mjfr?i}o

diff --git a/app/assets/images/purple-gradient.svg b/app/assets/images/purple-gradient.svg
new file mode 100644
index 000000000..0b3bc7160
--- /dev/null
+++ b/app/assets/images/purple-gradient.svg
@@ -0,0 +1,522 @@
+<svg width="1421" height="507" viewBox="0 0 1421 507" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_414_125114)">
+<path d="M1119.89 1.0446V9.76338H1128.63C1128.71 6.87373 1128.53 3.93425 1128.63 1.0446C1125.74 1.14425 1122.8 0.969872 1119.91 1.0446H1119.89Z" fill="#C080FF"/>
+<path d="M1137.33 9.76292H1146.05V1.01921C1143.16 0.944482 1140.22 1.11885 1137.33 1.01921C1137.43 3.90886 1137.26 6.84833 1137.33 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M1173.45 9.76292H1182.17V1.01921C1179.28 0.944482 1176.34 1.11885 1173.45 1.01921C1173.55 3.90886 1173.38 6.84833 1173.45 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M1190.89 1.0446V9.76338H1199.64C1199.71 6.87373 1199.54 3.93425 1199.64 1.0446C1196.75 1.14425 1193.81 0.969872 1190.92 1.0446H1190.89Z" fill="#C080FF"/>
+<path d="M1208.33 9.76292H1217.05V1.01921C1214.16 0.944482 1211.22 1.11885 1208.33 1.01921C1208.43 3.90886 1208.26 6.84833 1208.33 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M1154.77 1.04403V9.76281H1164.76C1164.83 6.87316 1164.66 3.93368 1164.76 1.04403C1161.44 1.11876 1158.11 0.969304 1154.79 1.04403H1154.77Z" fill="#C080FF"/>
+<path d="M1244.46 9.76292H1253.18V1.01921C1250.29 0.944482 1247.35 1.11885 1244.46 1.01921C1244.56 3.90886 1244.38 6.84833 1244.46 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M1225.77 1.04403V9.76281H1235.76C1235.84 6.87316 1235.66 3.93368 1235.76 1.04403C1232.45 1.11876 1229.11 0.969304 1225.8 1.04403H1225.77Z" fill="#C080FF"/>
+<path d="M1288.06 9.76172C1288.16 12.6264 1288.16 15.6157 1288.06 18.4805C1291.35 18.3808 1294.73 18.3808 1298.02 18.4805C1297.92 15.6157 1297.92 12.6264 1298.02 9.76172C1294.73 9.86136 1291.35 9.86136 1288.06 9.76172Z" fill="#C080FF"/>
+<path d="M1298.02 37.1637V45.8825H1306.77C1306.84 42.9929 1306.67 40.0534 1306.77 37.1637C1303.88 37.2634 1300.94 37.089 1298.05 37.1637H1298.02Z" fill="#C080FF"/>
+<path d="M1306.75 37.1645C1309.64 37.0649 1312.58 37.0649 1315.47 37.1645C1315.37 33.8763 1315.37 30.4884 1315.47 27.2002C1312.6 27.2999 1309.61 27.2999 1306.75 27.2002C1306.85 30.4884 1306.85 33.8763 1306.75 37.1645Z" fill="#C080FF"/>
+<path d="M1261.9 37.1637V45.8825H1270.64C1270.72 42.9929 1270.54 40.0534 1270.64 37.1637C1267.75 37.2634 1264.81 37.089 1261.92 37.1637H1261.9Z" fill="#C080FF"/>
+<path d="M1279.34 18.4548C1279.26 21.3444 1279.44 24.2839 1279.34 27.1735C1282.23 27.0739 1285.17 27.2483 1288.06 27.1735C1288.13 24.2839 1287.96 21.3444 1288.06 18.4548C1285.17 18.5544 1282.23 18.38 1279.34 18.4548Z" fill="#C080FF"/>
+<path d="M1270.62 27.2002C1270.72 30.4884 1270.72 33.8763 1270.62 37.1645C1273.51 37.0649 1276.45 37.0649 1279.34 37.1645C1279.24 33.8763 1279.24 30.4884 1279.34 27.2002C1276.47 27.2999 1273.48 27.2999 1270.62 27.2002Z" fill="#C080FF"/>
+<path d="M1270.62 18.4551H1261.9V27.1988C1264.79 27.2736 1267.73 27.0992 1270.62 27.1988C1270.52 24.3092 1270.69 21.3697 1270.62 18.4801V18.4551Z" fill="#C080FF"/>
+<path d="M1298.02 27.1989C1300.91 27.2737 1303.85 27.0993 1306.74 27.1989C1306.64 24.3093 1306.82 21.3698 1306.74 18.4802C1303.85 18.4054 1300.91 18.5798 1298.02 18.4802C1298.12 21.3698 1297.95 24.3093 1298.02 27.1989Z" fill="#C080FF"/>
+<path d="M1279.34 45.882H1288.06V37.1383C1285.17 37.0636 1282.23 37.238 1279.34 37.1383C1279.44 40.028 1279.26 42.9674 1279.34 45.8571V45.882Z" fill="#C080FF"/>
+<path d="M1324.18 27.2017V18.458H1315.44C1315.36 21.3477 1315.54 24.2872 1315.44 27.1768C1318.33 27.0772 1321.27 27.2515 1324.16 27.1768L1324.18 27.2017Z" fill="#C080FF"/>
+<path d="M1315.46 45.882H1324.18V37.1383C1321.29 37.0636 1318.35 37.238 1315.46 37.1383C1315.56 40.028 1315.39 42.9674 1315.46 45.8571V45.882Z" fill="#C080FF"/>
+<path d="M1261.9 1.0446V9.76338H1270.64C1270.72 6.87373 1270.54 3.93425 1270.64 1.0446C1267.75 1.14425 1264.81 0.969872 1261.92 1.0446H1261.9Z" fill="#C080FF"/>
+<path d="M1288.06 1.02116C1285.17 0.946434 1282.23 1.12081 1279.34 1.02116C1279.44 3.91081 1279.26 6.85029 1279.34 9.73994C1282.23 9.81467 1285.17 9.6403 1288.06 9.73994C1287.96 6.85029 1288.13 3.91081 1288.06 1.02116Z" fill="#C080FF"/>
+<path d="M1298.02 1.02116C1297.95 3.91081 1298.12 6.85029 1298.02 9.73994C1300.91 9.6403 1303.85 9.81467 1306.74 9.73994C1306.82 6.85029 1306.64 3.91081 1306.74 1.02116C1303.85 1.12081 1300.91 0.946434 1298.02 1.02116Z" fill="#C080FF"/>
+<path d="M1315.46 9.76292H1324.18V1.01921C1321.29 0.944482 1318.35 1.11885 1315.46 1.01921C1315.56 3.90886 1315.39 6.84833 1315.46 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M1341.62 18.4551H1332.9V27.1988C1335.79 27.2736 1338.73 27.0992 1341.62 27.1988C1341.52 24.3092 1341.7 21.3697 1341.62 18.4801V18.4551Z" fill="#C080FF"/>
+<path d="M1350.34 45.8821H1360.31V37.1384C1356.99 37.0886 1353.66 37.2381 1350.34 37.1384C1350.44 40.0281 1350.27 42.9675 1350.34 45.8572V45.8821Z" fill="#C080FF"/>
+<path d="M1341.62 27.2002C1341.72 30.4884 1341.72 33.8763 1341.62 37.1645C1344.51 37.0649 1347.45 37.0898 1350.34 37.1645C1350.24 33.8763 1350.24 30.4884 1350.34 27.2002C1347.45 27.275 1344.51 27.2999 1341.62 27.2002Z" fill="#C080FF"/>
+<path d="M1360.31 9.76172C1360.41 12.6264 1360.41 15.6157 1360.31 18.4805C1363.2 18.4057 1366.14 18.3808 1369.03 18.4805C1368.93 15.6157 1368.93 12.6264 1369.03 9.76172C1366.14 9.86136 1363.2 9.83645 1360.31 9.76172Z" fill="#C080FF"/>
+<path d="M1332.9 37.1637V45.8825H1341.65C1341.72 42.9929 1341.55 40.0534 1341.65 37.1637C1338.76 37.2634 1335.82 37.089 1332.93 37.1637H1332.9Z" fill="#C080FF"/>
+<path d="M1350.34 18.4548C1350.27 21.3444 1350.44 24.2839 1350.34 27.1735C1353.66 27.0739 1356.99 27.2483 1360.31 27.1735C1360.38 24.2839 1360.21 21.3444 1360.31 18.4548C1356.99 18.5544 1353.66 18.38 1350.34 18.4548Z" fill="#C080FF"/>
+<path d="M1332.9 1.0446V9.76338H1341.65C1341.72 6.87373 1341.55 3.93425 1341.65 1.0446C1338.76 1.14425 1335.82 0.969872 1332.93 1.0446H1332.9Z" fill="#C080FF"/>
+<path d="M1360.31 1.01634C1356.99 0.96652 1353.66 1.11598 1350.34 1.01634C1350.44 3.90599 1350.27 6.84547 1350.34 9.73512C1353.66 9.78494 1356.99 9.63547 1360.31 9.73512C1360.21 6.84547 1360.38 3.90599 1360.31 1.01634Z" fill="#C080FF"/>
+<path d="M1386.47 54.5788C1386.4 57.4685 1386.57 60.4079 1386.47 63.2976C1389.36 63.1979 1392.3 63.3723 1395.19 63.2976C1395.27 60.4079 1395.09 57.4685 1395.19 54.5788C1392.3 54.6784 1389.36 54.5041 1386.47 54.5788Z" fill="#C080FF"/>
+<path d="M1386.47 80.7591H1395.19V72.0153C1392.3 71.9406 1389.36 72.115 1386.47 72.0153C1386.57 74.905 1386.4 77.8445 1386.47 80.7341V80.7591Z" fill="#C080FF"/>
+<path d="M1369.03 72.0407V80.7595H1377.78C1377.85 77.8698 1377.68 74.9303 1377.78 72.0407C1374.89 72.1403 1371.95 71.966 1369.06 72.0407H1369.03Z" fill="#C080FF"/>
+<path d="M1377.75 54.5791H1369.03V63.3228C1371.92 63.3975 1374.86 63.2231 1377.75 63.3228C1377.65 60.4331 1377.83 57.4936 1377.75 54.604V54.5791Z" fill="#C080FF"/>
+<path d="M1403.91 72.0407V80.7595H1412.66C1412.73 77.8698 1412.56 74.9303 1412.66 72.0407C1409.77 72.1403 1406.83 71.966 1403.94 72.0407H1403.91Z" fill="#C080FF"/>
+<path d="M1403.91 63.323C1406.8 63.3977 1409.74 63.2233 1412.63 63.323C1412.53 60.4333 1412.7 57.4938 1412.63 54.6042C1409.74 54.5295 1406.8 54.7038 1403.91 54.6042C1404.01 57.4938 1403.83 60.4333 1403.91 63.323Z" fill="#C080FF"/>
+<path d="M1412.63 72.0381C1415.52 71.9384 1418.46 71.9633 1421.35 72.0381C1421.25 69.1484 1421.25 66.209 1421.35 63.3193C1418.46 63.394 1415.52 63.4189 1412.63 63.3193C1412.73 66.184 1412.73 69.1733 1412.63 72.0381Z" fill="#C080FF"/>
+<path d="M1377.75 63.3193C1377.85 66.209 1377.85 69.1484 1377.75 72.0381C1380.64 71.9384 1383.58 71.9384 1386.47 72.0381C1386.37 69.1733 1386.37 66.184 1386.47 63.3193C1383.61 63.4189 1380.62 63.4189 1377.75 63.3193Z" fill="#C080FF"/>
+<path d="M1395.19 54.6036C1398.05 54.504 1401.04 54.504 1403.91 54.6036C1403.81 51.7389 1403.81 48.7496 1403.91 45.8848C1401.04 45.9845 1398.05 45.9845 1395.19 45.8848C1395.29 48.7496 1395.29 51.7389 1395.19 54.6036Z" fill="#C080FF"/>
+<path d="M1369.03 37.1637V45.8825H1377.78C1377.85 42.9929 1377.68 40.0534 1377.78 37.1637C1374.89 37.2634 1371.95 37.089 1369.06 37.1637H1369.03Z" fill="#C080FF"/>
+<path d="M1386.47 27.2002C1383.61 27.2999 1380.62 27.2999 1377.75 27.2002C1377.85 30.4884 1377.85 33.8763 1377.75 37.1645C1380.62 37.0649 1383.61 37.0649 1386.47 37.1645C1386.37 33.8763 1386.37 30.4884 1386.47 27.2002Z" fill="#C080FF"/>
+<path d="M1395.19 27.2017V18.458H1386.44C1386.37 21.3477 1386.54 24.2872 1386.44 27.1768C1389.33 27.0772 1392.27 27.2515 1395.16 27.1768L1395.19 27.2017Z" fill="#C080FF"/>
+<path d="M1377.75 18.4548C1374.86 18.38 1371.92 18.5544 1369.03 18.4548C1369.13 21.3444 1368.95 24.2839 1369.03 27.1735C1371.92 27.2483 1374.86 27.0739 1377.75 27.1735C1377.65 24.2839 1377.82 21.3444 1377.75 18.4548Z" fill="#C080FF"/>
+<path d="M1369.03 1.02116C1368.95 3.91081 1369.13 6.85029 1369.03 9.73994C1371.92 9.6403 1374.86 9.81467 1377.75 9.73994C1377.82 6.85029 1377.65 3.91081 1377.75 1.02116C1374.86 1.12081 1371.92 0.946434 1369.03 1.02116Z" fill="#C080FF"/>
+<path d="M1386.47 9.76292H1395.19V1.01921C1392.3 0.944482 1389.36 1.11885 1386.47 1.01921C1386.57 3.90886 1386.4 6.84833 1386.47 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M1395.19 37.1393C1392.3 37.0646 1389.36 37.239 1386.47 37.1393C1386.57 40.029 1386.4 42.9685 1386.47 45.8581C1389.36 45.9328 1392.3 45.7585 1395.19 45.8581C1395.09 42.9685 1395.27 40.029 1395.19 37.1393Z" fill="#C080FF"/>
+<path d="M1403.91 37.1393C1403.83 40.029 1404.01 42.9685 1403.91 45.8581C1406.8 45.7585 1409.74 45.9328 1412.63 45.8581C1412.7 42.9685 1412.53 40.029 1412.63 37.1393C1409.74 37.239 1406.8 37.0646 1403.91 37.1393Z" fill="#C080FF"/>
+<path d="M1412.63 18.4551H1403.89V27.1988C1406.78 27.2736 1409.71 27.0992 1412.61 27.1988C1412.51 24.3092 1412.68 21.3697 1412.61 18.4801L1412.63 18.4551Z" fill="#C080FF"/>
+<path d="M1412.63 27.2002C1412.73 30.4884 1412.73 33.8763 1412.63 37.1645C1415.52 37.0649 1418.46 37.0898 1421.35 37.1645C1421.25 33.8763 1421.25 30.4884 1421.35 27.2002C1418.46 27.275 1415.52 27.2999 1412.63 27.2002Z" fill="#C080FF"/>
+<path d="M1403.91 1.0446V9.76338H1412.66C1412.73 6.87373 1412.56 3.93425 1412.66 1.0446C1409.77 1.14425 1406.83 0.969872 1403.94 1.0446H1403.91Z" fill="#C080FF"/>
+<path d="M1350.34 160.472V170.436H1360.31V160.472H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 427.02V436.984H1360.31V427.02H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 498.016V507.98H1360.31V498.016H1350.34Z" fill="#C080FF"/>
+<path d="M1154.77 231.468V241.432H1164.73V231.468H1154.77Z" fill="#C080FF"/>
+<path d="M1154.77 160.472V170.436H1164.73V160.472H1154.77Z" fill="#C080FF"/>
+<path d="M1225.77 160.472V170.436H1235.74V160.472H1225.77Z" fill="#C080FF"/>
+<path d="M1225.77 231.468V241.432H1235.74V231.468H1225.77Z" fill="#C080FF"/>
+<path d="M1403.91 108.16V116.879H1412.66C1412.73 113.989 1412.56 111.049 1412.66 108.16C1409.77 108.259 1406.83 108.085 1403.94 108.16H1403.91Z" fill="#C080FF"/>
+<path d="M1421.35 98.1973C1418.46 98.272 1415.52 98.2969 1412.63 98.1973C1412.73 101.485 1412.73 104.873 1412.63 108.161C1415.52 108.062 1418.46 108.086 1421.35 108.161C1421.25 104.873 1421.25 101.485 1421.35 98.1973Z" fill="#C080FF"/>
+<path d="M1412.63 89.4521H1403.89V98.1958C1406.78 98.2705 1409.71 98.0962 1412.61 98.1958C1412.51 95.3062 1412.68 92.3667 1412.61 89.477L1412.63 89.4521Z" fill="#C080FF"/>
+<path d="M1403.91 160.472V170.436H1412.66V160.472H1403.91Z" fill="#C080FF"/>
+<path d="M1403.91 231.468V241.432H1412.66V231.468H1403.91Z" fill="#C080FF"/>
+<path d="M1386.47 160.472V170.436H1395.21V160.472H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 231.468V241.432H1395.21V231.468H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 116.88H1395.19V108.136C1392.3 108.061 1389.36 108.235 1386.47 108.136C1386.57 111.025 1386.4 113.965 1386.47 116.855V116.88Z" fill="#C080FF"/>
+<path d="M1369.03 108.16V116.879H1377.78C1377.85 113.989 1377.68 111.049 1377.78 108.16C1374.89 108.259 1371.95 108.085 1369.06 108.16H1369.03Z" fill="#C080FF"/>
+<path d="M1386.47 98.1973C1383.58 98.2969 1380.64 98.2969 1377.75 98.1973C1377.85 101.485 1377.85 104.873 1377.75 108.161C1380.64 108.062 1383.58 108.062 1386.47 108.161C1386.37 104.873 1386.37 101.485 1386.47 98.1973Z" fill="#C080FF"/>
+<path d="M1395.19 98.1939V89.4502H1386.44C1386.37 92.3399 1386.54 95.2793 1386.44 98.169C1389.33 98.0694 1392.27 98.2437 1395.16 98.169L1395.19 98.1939Z" fill="#C080FF"/>
+<path d="M1377.75 89.4521H1369.03V98.1958C1371.92 98.2705 1374.86 98.0962 1377.75 98.1958C1377.65 95.3062 1377.83 92.3667 1377.75 89.477V89.4521Z" fill="#C080FF"/>
+<path d="M1369.03 160.472V170.436H1377.78V160.472H1369.03Z" fill="#C080FF"/>
+<path d="M1369.03 231.468V241.432H1377.78V231.468H1369.03Z" fill="#C080FF"/>
+<path d="M1332.9 72.0407V80.7595H1341.65C1341.72 77.8698 1341.55 74.9303 1341.65 72.0407C1338.76 72.1403 1335.82 71.966 1332.93 72.0407H1332.9Z" fill="#C080FF"/>
+<path d="M1341.62 54.5791H1332.9V63.3228C1335.79 63.3975 1338.73 63.2231 1341.62 63.3228C1341.52 60.4331 1341.7 57.4936 1341.62 54.604V54.5791Z" fill="#C080FF"/>
+<path d="M1350.34 63.3193C1347.45 63.394 1344.51 63.4189 1341.62 63.3193C1341.72 66.209 1341.72 69.1484 1341.62 72.0381C1344.51 71.9384 1347.45 71.9633 1350.34 72.0381C1350.24 69.1484 1350.24 66.209 1350.34 63.3193Z" fill="#C080FF"/>
+<path d="M1350.34 80.7592H1360.31V72.0154C1356.99 71.9656 1353.66 72.1151 1350.34 72.0154C1350.44 74.9051 1350.27 77.8445 1350.34 80.7341V80.7592Z" fill="#C080FF"/>
+<path d="M1360.31 63.3208V54.5771H1350.32C1350.24 57.4667 1350.42 60.4062 1350.32 63.2958C1353.63 63.2211 1356.97 63.3706 1360.28 63.2958L1360.31 63.3208Z" fill="#C080FF"/>
+<path d="M1350.34 89.4502V98.1939H1360.31V89.4502H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 108.135V116.879H1360.31V108.135H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 125.573V134.317H1360.31V125.573H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 143.008V151.752H1360.31V143.008H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 179.131V187.875H1360.31V179.131H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 196.57V205.314H1360.31V196.57H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 214.004V222.748H1360.31V214.004H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 250.128V258.871H1360.31V250.128H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 285.001V293.744H1360.31V285.001H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 321.124V329.868H1360.31V321.124H1350.34Z" fill="#C080FF"/>
+<path d="M1350.34 355.997V364.741H1360.31V355.997H1350.34Z" fill="#C080FF"/>
+<path d="M1332.9 160.472V170.436H1341.65V160.472H1332.9Z" fill="#C080FF"/>
+<path d="M1332.9 231.468V241.432H1341.65V231.468H1332.9Z" fill="#C080FF"/>
+<path d="M1315.46 160.472V170.436H1324.21V160.472H1315.46Z" fill="#C080FF"/>
+<path d="M1298.02 160.472V170.436H1306.77V160.472H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 231.468V241.432H1306.77V231.468H1298.02Z" fill="#C080FF"/>
+<path d="M1279.34 160.472V170.436H1288.08V160.472H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 427.02V436.984H1288.08V427.02H1279.34Z" fill="#C080FF"/>
+<path d="M1261.9 160.472V170.436H1270.64V160.472H1261.9Z" fill="#C080FF"/>
+<path d="M1261.9 231.468V241.432H1270.64V231.468H1261.9Z" fill="#C080FF"/>
+<path d="M1244.46 160.472V170.436H1253.2V160.472H1244.46Z" fill="#C080FF"/>
+<path d="M1235.74 18.4561H1225.77V27.1998C1229.09 27.2496 1232.42 27.1001 1235.74 27.1998C1235.64 24.3101 1235.81 21.3706 1235.74 18.481V18.4561Z" fill="#C080FF"/>
+<path d="M1253.18 27.2017V18.458H1244.43C1244.36 21.3477 1244.53 24.2872 1244.43 27.1768C1247.32 27.0772 1250.26 27.2515 1253.15 27.1768L1253.18 27.2017Z" fill="#C080FF"/>
+<path d="M1244.46 37.1645C1244.36 33.8763 1244.36 30.4884 1244.46 27.2002C1241.57 27.2999 1238.63 27.275 1235.74 27.2002C1235.84 30.4884 1235.84 33.8763 1235.74 37.1645C1238.63 37.0898 1241.57 37.0649 1244.46 37.1645Z" fill="#C080FF"/>
+<path d="M1244.46 45.882H1253.18V37.1383C1250.29 37.0636 1247.35 37.238 1244.46 37.1383C1244.56 40.028 1244.38 42.9674 1244.46 45.8571V45.882Z" fill="#C080FF"/>
+<path d="M1235.74 37.1632C1232.42 37.238 1229.09 37.0885 1225.77 37.1632V45.882H1235.76C1235.84 42.9924 1235.66 40.0529 1235.76 37.1632H1235.74Z" fill="#C080FF"/>
+<path d="M1225.77 54.5771V63.3208H1235.74V54.5771H1225.77Z" fill="#C080FF"/>
+<path d="M1225.77 72.0156V80.7594H1235.74V72.0156H1225.77Z" fill="#C080FF"/>
+<path d="M1225.77 89.4502V98.1939H1235.74V89.4502H1225.77Z" fill="#C080FF"/>
+<path d="M1225.77 125.573V134.317H1235.74V125.573H1225.77Z" fill="#C080FF"/>
+<path d="M1225.77 196.57V205.314H1235.74V196.57H1225.77Z" fill="#C080FF"/>
+<path d="M1208.33 160.472V170.436H1217.08V160.472H1208.33Z" fill="#C080FF"/>
+<path d="M1190.89 37.1637V45.8825H1199.64C1199.71 42.9929 1199.54 40.0534 1199.64 37.1637C1196.75 37.2634 1193.81 37.089 1190.92 37.1637H1190.89Z" fill="#C080FF"/>
+<path d="M1208.33 45.882H1217.05V37.1383C1214.16 37.0636 1211.22 37.238 1208.33 37.1383C1208.43 40.028 1208.26 42.9674 1208.33 45.8571V45.882Z" fill="#C080FF"/>
+<path d="M1217.05 27.2017V18.458H1208.31C1208.23 21.3477 1208.41 24.2872 1208.31 27.1768C1211.2 27.0772 1214.14 27.2515 1217.03 27.1768L1217.05 27.2017Z" fill="#C080FF"/>
+<path d="M1199.61 37.1645C1202.5 37.0649 1205.44 37.0649 1208.33 37.1645C1208.23 33.8763 1208.23 30.4884 1208.33 27.2002C1205.44 27.2999 1202.5 27.2999 1199.61 27.2002C1199.71 30.4884 1199.71 33.8763 1199.61 37.1645Z" fill="#C080FF"/>
+<path d="M1199.61 18.4551H1190.89V27.1988C1193.78 27.2736 1196.72 27.0992 1199.61 27.1988C1199.51 24.3092 1199.69 21.3697 1199.61 18.4801V18.4551Z" fill="#C080FF"/>
+<path d="M1190.89 160.472V170.436H1199.64V160.472H1190.89Z" fill="#C080FF"/>
+<path d="M1173.45 160.472V170.436H1182.2V160.472H1173.45Z" fill="#C080FF"/>
+<path d="M1164.73 37.1632C1161.42 37.238 1158.08 37.0885 1154.77 37.1632V45.882H1164.76C1164.83 42.9924 1164.66 40.0529 1164.76 37.1632H1164.73Z" fill="#C080FF"/>
+<path d="M1173.45 37.1645C1173.35 33.8763 1173.35 30.4884 1173.45 27.2002C1170.56 27.2999 1167.62 27.275 1164.73 27.2002C1164.83 30.4884 1164.83 33.8763 1164.73 37.1645C1167.62 37.0898 1170.56 37.0649 1173.45 37.1645Z" fill="#C080FF"/>
+<path d="M1164.73 18.4561H1154.77V27.1998C1158.08 27.2496 1161.42 27.1001 1164.73 27.1998C1164.63 24.3101 1164.81 21.3706 1164.73 18.481V18.4561Z" fill="#C080FF"/>
+<path d="M1173.45 45.882H1182.17V37.1383C1179.28 37.0636 1176.34 37.238 1173.45 37.1383C1173.55 40.028 1173.38 42.9674 1173.45 45.8571V45.882Z" fill="#C080FF"/>
+<path d="M1182.17 27.2017V18.458H1173.43C1173.35 21.3477 1173.53 24.2872 1173.43 27.1768C1176.32 27.0772 1179.26 27.2515 1182.15 27.1768L1182.17 27.2017Z" fill="#C080FF"/>
+<path d="M1154.77 54.5771V63.3208H1164.73V54.5771H1154.77Z" fill="#C080FF"/>
+<path d="M1154.77 72.0156V80.7594H1164.73V72.0156H1154.77Z" fill="#C080FF"/>
+<path d="M1154.77 89.4502V98.1939H1164.73V89.4502H1154.77Z" fill="#C080FF"/>
+<path d="M1154.77 125.573V134.317H1164.73V125.573H1154.77Z" fill="#C080FF"/>
+<path d="M1154.77 196.57V205.314H1164.73V196.57H1154.77Z" fill="#C080FF"/>
+<path d="M1137.33 427.02V436.984H1146.07V427.02H1137.33Z" fill="#C080FF"/>
+<path d="M1119.89 160.472V170.436H1128.63V160.472H1119.89Z" fill="#C080FF"/>
+<path d="M1083.76 160.472V170.436H1092.51V160.472H1083.76Z" fill="#C080FF"/>
+<path d="M1048.88 160.472V170.436H1057.63V160.472H1048.88Z" fill="#C080FF"/>
+<path d="M1012.76 160.472V170.436H1021.5V160.472H1012.76Z" fill="#C080FF"/>
+<path d="M995.319 427.02V436.984H1004.06V427.02H995.319Z" fill="#C080FF"/>
+<path d="M959.189 1.01953V9.76324H969.159V1.01953H959.189Z" fill="#C080FF"/>
+<path d="M959.189 18.458V27.2017H969.159V18.458H959.189Z" fill="#C080FF"/>
+<path d="M959.189 37.1387V45.8824H969.159V37.1387H959.189Z" fill="#C080FF"/>
+<path d="M959.189 54.5771V63.3208H969.159V54.5771H959.189Z" fill="#C080FF"/>
+<path d="M959.189 72.0156V80.7594H969.159V72.0156H959.189Z" fill="#C080FF"/>
+<path d="M959.189 89.4502V98.1939H969.159V89.4502H959.189Z" fill="#C080FF"/>
+<path d="M959.189 108.135V116.879H969.159V108.135H959.189Z" fill="#C080FF"/>
+<path d="M959.189 143.008V151.752H969.159V143.008H959.189Z" fill="#C080FF"/>
+<path d="M959.189 179.131V187.875H969.159V179.131H959.189Z" fill="#C080FF"/>
+<path d="M959.189 214.004V222.748H969.159V214.004H959.189Z" fill="#C080FF"/>
+<path d="M959.189 250.128V258.871H969.159V250.128H959.189Z" fill="#C080FF"/>
+<path d="M941.749 160.472V170.436H950.499V160.472H941.749Z" fill="#C080FF"/>
+<path d="M888.189 1.01953V9.76324H898.159V1.01953H888.189Z" fill="#C080FF"/>
+<path d="M888.189 18.458V27.2017H898.159V18.458H888.189Z" fill="#C080FF"/>
+<path d="M888.189 37.1387V45.8824H898.159V37.1387H888.189Z" fill="#C080FF"/>
+<path d="M888.189 72.0156V80.7594H898.159V72.0156H888.189Z" fill="#C080FF"/>
+<path d="M888.189 108.135V116.879H898.159V108.135H888.189Z" fill="#C080FF"/>
+<path d="M888.189 143.008V151.752H898.159V143.008H888.189Z" fill="#C080FF"/>
+<path d="M888.189 179.131V187.875H898.159V179.131H888.189Z" fill="#C080FF"/>
+<path d="M888.189 250.128V258.871H898.159V250.128H888.189Z" fill="#C080FF"/>
+<path d="M763.619 18.458V27.2017H773.579V18.458H763.619Z" fill="#C080FF"/>
+<path d="M763.619 54.5771V63.3208H773.579V54.5771H763.619Z" fill="#C080FF"/>
+<path d="M763.619 125.573V134.317H773.579V125.573H763.619Z" fill="#C080FF"/>
+<path d="M426.029 143.008V151.752H435.999V143.008H426.029Z" fill="#C080FF"/>
+<path d="M426.029 72.0156V80.7594H435.999V72.0156H426.029Z" fill="#C080FF"/>
+<path d="M426.029 37.1387V45.8824H435.999V37.1387H426.029Z" fill="#C080FF"/>
+<path d="M426.029 1.01953V9.76324H435.999V1.01953H426.029Z" fill="#C080FF"/>
+<path d="M692.609 18.458V27.2017H702.579V18.458H692.609Z" fill="#C080FF"/>
+<path d="M692.609 54.5771V63.3208H702.579V54.5771H692.609Z" fill="#C080FF"/>
+<path d="M692.609 125.573V134.317H702.579V125.573H692.609Z" fill="#C080FF"/>
+<path d="M497.039 214.004V222.748H506.999V214.004H497.039Z" fill="#C080FF"/>
+<path d="M497.039 143.008V151.752H506.999V143.008H497.039Z" fill="#C080FF"/>
+<path d="M497.039 72.0156V80.7594H506.999V72.0156H497.039Z" fill="#C080FF"/>
+<path d="M497.039 37.1387V45.8824H506.999V37.1387H497.039Z" fill="#C080FF"/>
+<path d="M497.039 1.01953V9.76324H506.999V1.01953H497.039Z" fill="#C080FF"/>
+<path d="M515.719 18.458V27.2017H524.439V18.458H515.719Z" fill="#C080FF"/>
+<path d="M533.159 108.135V116.879H541.879V108.135H533.159Z" fill="#C080FF"/>
+<path d="M533.159 72.0156V80.7594H541.879V72.0156H533.159Z" fill="#C080FF"/>
+<path d="M533.159 37.1387V45.8824H541.879V37.1387H533.159Z" fill="#C080FF"/>
+<path d="M533.159 1.01953V9.76324H541.879V1.01953H533.159Z" fill="#C080FF"/>
+<path d="M550.599 54.5771V63.3208H559.319V54.5771H550.599Z" fill="#C080FF"/>
+<path d="M569.289 285.001V293.744H578.009V285.001H569.289Z" fill="#C080FF"/>
+<path d="M569.289 214.004V222.748H578.009V214.004H569.289Z" fill="#C080FF"/>
+<path d="M569.289 143.008V151.752H578.009V143.008H569.289Z" fill="#C080FF"/>
+<path d="M569.289 108.135V116.879H578.009V108.135H569.289Z" fill="#C080FF"/>
+<path d="M569.289 72.0156V80.7594H578.009V72.0156H569.289Z" fill="#C080FF"/>
+<path d="M569.289 37.1387V45.8824H578.009V37.1387H569.289Z" fill="#C080FF"/>
+<path d="M569.289 1.01953V9.76324H578.009V1.01953H569.289Z" fill="#C080FF"/>
+<path d="M586.729 18.458V27.2017H595.449V18.458H586.729Z" fill="#C080FF"/>
+<path d="M604.169 179.131V187.875H612.889V179.131H604.169Z" fill="#C080FF"/>
+<path d="M604.169 108.135V116.879H612.889V108.135H604.169Z" fill="#C080FF"/>
+<path d="M604.169 72.0156V80.7594H612.889V72.0156H604.169Z" fill="#C080FF"/>
+<path d="M604.169 37.1387V45.8824H612.889V37.1387H604.169Z" fill="#C080FF"/>
+<path d="M604.169 1.01953V9.76324H612.889V1.01953H604.169Z" fill="#C080FF"/>
+<path d="M621.609 54.5771V63.3208H630.329V54.5771H621.609Z" fill="#C080FF"/>
+<path d="M621.609 18.458V27.2017H630.329V18.458H621.609Z" fill="#C080FF"/>
+<path d="M462.149 1.01953V9.76324H470.869V1.01953H462.149Z" fill="#C080FF"/>
+<path d="M462.149 37.1387V45.8824H470.869V37.1387H462.149Z" fill="#C080FF"/>
+<path d="M462.149 108.135V116.879H470.869V108.135H462.149Z" fill="#C080FF"/>
+<path d="M640.289 214.004V222.748H649.009V214.004H640.289Z" fill="#C080FF"/>
+<path d="M640.289 179.131V187.875H649.009V179.131H640.289Z" fill="#C080FF"/>
+<path d="M640.289 143.008V151.752H649.009V143.008H640.289Z" fill="#C080FF"/>
+<path d="M640.289 108.135V116.879H649.009V108.135H640.289Z" fill="#C080FF"/>
+<path d="M640.289 72.0156V80.7594H649.009V72.0156H640.289Z" fill="#C080FF"/>
+<path d="M640.289 37.1387V45.8824H649.009V37.1387H640.289Z" fill="#C080FF"/>
+<path d="M640.289 1.01953V9.76324H649.009V1.01953H640.289Z" fill="#C080FF"/>
+<path d="M657.729 54.5771V63.3208H666.449V54.5771H657.729Z" fill="#C080FF"/>
+<path d="M657.729 18.458V27.2017H666.449V18.458H657.729Z" fill="#C080FF"/>
+<path d="M675.169 179.131V187.875H683.889V179.131H675.169Z" fill="#C080FF"/>
+<path d="M675.169 108.135V116.879H683.889V108.135H675.169Z" fill="#C080FF"/>
+<path d="M675.169 72.0156V80.7594H683.889V72.0156H675.169Z" fill="#C080FF"/>
+<path d="M675.169 37.1387V45.8824H683.889V37.1387H675.169Z" fill="#C080FF"/>
+<path d="M675.169 1.01953V9.76324H683.889V1.01953H675.169Z" fill="#C080FF"/>
+<path d="M711.299 285.001V293.744H720.019V285.001H711.299Z" fill="#C080FF"/>
+<path d="M711.299 214.004V222.748H720.019V214.004H711.299Z" fill="#C080FF"/>
+<path d="M711.299 179.131V187.875H720.019V179.131H711.299Z" fill="#C080FF"/>
+<path d="M711.299 143.008V151.752H720.019V143.008H711.299Z" fill="#C080FF"/>
+<path d="M711.299 108.135V116.879H720.019V108.135H711.299Z" fill="#C080FF"/>
+<path d="M711.299 72.0156V80.7594H720.019V72.0156H711.299Z" fill="#C080FF"/>
+<path d="M711.299 37.1387V45.8824H720.019V37.1387H711.299Z" fill="#C080FF"/>
+<path d="M711.299 1.01953V9.76324H720.019V1.01953H711.299Z" fill="#C080FF"/>
+<path d="M728.739 89.4502V98.1939H737.459V89.4502H728.739Z" fill="#C080FF"/>
+<path d="M728.739 54.5771V63.3208H737.459V54.5771H728.739Z" fill="#C080FF"/>
+<path d="M728.739 18.458V27.2017H737.459V18.458H728.739Z" fill="#C080FF"/>
+<path d="M746.179 179.131V187.875H754.899V179.131H746.179Z" fill="#C080FF"/>
+<path d="M746.179 143.008V151.752H754.899V143.008H746.179Z" fill="#C080FF"/>
+<path d="M746.179 108.135V116.879H754.899V108.135H746.179Z" fill="#C080FF"/>
+<path d="M746.179 72.0156V80.7594H754.899V72.0156H746.179Z" fill="#C080FF"/>
+<path d="M746.179 37.1387V45.8824H754.899V37.1387H746.179Z" fill="#C080FF"/>
+<path d="M746.179 18.458V27.2017H754.899V18.458H746.179Z" fill="#C080FF"/>
+<path d="M746.179 1.01953V9.76324H754.899V1.01953H746.179Z" fill="#C080FF"/>
+<path d="M391.149 1.01953V9.76324H399.869V1.01953H391.149Z" fill="#C080FF"/>
+<path d="M391.149 37.1387V45.8824H399.869V37.1387H391.149Z" fill="#C080FF"/>
+<path d="M391.149 108.135V116.879H399.869V108.135H391.149Z" fill="#C080FF"/>
+<path d="M782.299 285.001V293.744H791.019V285.001H782.299Z" fill="#C080FF"/>
+<path d="M782.299 214.004V222.748H791.019V214.004H782.299Z" fill="#C080FF"/>
+<path d="M782.299 179.131V187.875H791.019V179.131H782.299Z" fill="#C080FF"/>
+<path d="M782.299 143.008V151.752H791.019V143.008H782.299Z" fill="#C080FF"/>
+<path d="M782.299 108.135V116.879H791.019V108.135H782.299Z" fill="#C080FF"/>
+<path d="M782.299 72.0156V80.7594H791.019V72.0156H782.299Z" fill="#C080FF"/>
+<path d="M782.299 54.5771V63.3208H791.019V54.5771H782.299Z" fill="#C080FF"/>
+<path d="M782.299 37.1387V45.8824H791.019V37.1387H782.299Z" fill="#C080FF"/>
+<path d="M782.299 18.458V27.2017H791.019V18.458H782.299Z" fill="#C080FF"/>
+<path d="M782.299 1.01953V9.76324H791.019V1.01953H782.299Z" fill="#C080FF"/>
+<path d="M799.739 89.4502V98.1939H808.459V89.4502H799.739Z" fill="#C080FF"/>
+<path d="M799.739 54.5771V63.3208H808.459V54.5771H799.739Z" fill="#C080FF"/>
+<path d="M799.739 18.458V27.2017H808.459V18.458H799.739Z" fill="#C080FF"/>
+<path d="M817.179 250.128V258.871H825.899V250.128H817.179Z" fill="#C080FF"/>
+<path d="M817.179 179.131V187.875H825.899V179.131H817.179Z" fill="#C080FF"/>
+<path d="M817.179 143.008V151.752H825.899V143.008H817.179Z" fill="#C080FF"/>
+<path d="M817.179 108.135V116.879H825.899V108.135H817.179Z" fill="#C080FF"/>
+<path d="M817.179 72.0156V80.7594H825.899V72.0156H817.179Z" fill="#C080FF"/>
+<path d="M817.179 37.1387V45.8824H825.899V37.1387H817.179Z" fill="#C080FF"/>
+<path d="M817.179 18.458V27.2017H825.899V18.458H817.179Z" fill="#C080FF"/>
+<path d="M817.179 1.01953V9.76324H825.899V1.01953H817.179Z" fill="#C080FF"/>
+<path d="M355.029 1.01953V9.76324H363.749V1.01953H355.029Z" fill="#C080FF"/>
+<path d="M355.029 37.1387V45.8824H363.749V37.1387H355.029Z" fill="#C080FF"/>
+<path d="M355.029 72.0156V80.7594H363.749V72.0156H355.029Z" fill="#C080FF"/>
+<path d="M355.029 143.008V151.752H363.749V143.008H355.029Z" fill="#C080FF"/>
+<path d="M355.029 214.004V222.748H363.749V214.004H355.029Z" fill="#C080FF"/>
+<path d="M835.869 125.573V134.317H844.589V125.573H835.869Z" fill="#C080FF"/>
+<path d="M835.869 89.4502V98.1939H844.589V89.4502H835.869Z" fill="#C080FF"/>
+<path d="M835.869 54.5771V63.3208H844.589V54.5771H835.869Z" fill="#C080FF"/>
+<path d="M835.869 18.458V27.2017H844.589V18.458H835.869Z" fill="#C080FF"/>
+<path d="M853.309 285.001V293.744H862.029V285.001H853.309Z" fill="#C080FF"/>
+<path d="M853.309 214.004V222.748H862.029V214.004H853.309Z" fill="#C080FF"/>
+<path d="M853.309 179.131V187.875H862.029V179.131H853.309Z" fill="#C080FF"/>
+<path d="M853.309 143.008V151.752H862.029V143.008H853.309Z" fill="#C080FF"/>
+<path d="M853.309 108.135V116.879H862.029V108.135H853.309Z" fill="#C080FF"/>
+<path d="M853.309 72.0156V80.7594H862.029V72.0156H853.309Z" fill="#C080FF"/>
+<path d="M853.309 54.5771V63.3208H862.029V54.5771H853.309Z" fill="#C080FF"/>
+<path d="M853.309 37.1387V45.8824H862.029V37.1387H853.309Z" fill="#C080FF"/>
+<path d="M853.309 18.458V27.2017H862.029V18.458H853.309Z" fill="#C080FF"/>
+<path d="M853.309 1.01953V9.76324H862.029V1.01953H853.309Z" fill="#C080FF"/>
+<path d="M870.749 125.573V134.317H879.469V125.573H870.749Z" fill="#C080FF"/>
+<path d="M870.749 89.4502V98.1939H879.469V89.4502H870.749Z" fill="#C080FF"/>
+<path d="M870.749 54.5771V63.3208H879.469V54.5771H870.749Z" fill="#C080FF"/>
+<path d="M870.749 18.458V27.2017H879.469V18.458H870.749Z" fill="#C080FF"/>
+<path d="M870.749 1.01953V9.76324H879.469V1.01953H870.749Z" fill="#C080FF"/>
+<path d="M906.869 196.57V205.314H915.589V196.57H906.869Z" fill="#C080FF"/>
+<path d="M906.869 125.573V134.317H915.589V125.573H906.869Z" fill="#C080FF"/>
+<path d="M906.869 89.4502V98.1939H915.589V89.4502H906.869Z" fill="#C080FF"/>
+<path d="M906.869 54.5771V63.3208H915.589V54.5771H906.869Z" fill="#C080FF"/>
+<path d="M906.869 37.1387V45.8824H915.589V37.1387H906.869Z" fill="#C080FF"/>
+<path d="M906.869 18.458V27.2017H915.589V18.458H906.869Z" fill="#C080FF"/>
+<path d="M320.149 1.01953V9.76324H328.869V1.01953H320.149Z" fill="#C080FF"/>
+<path d="M320.149 37.1387V45.8824H328.869V37.1387H320.149Z" fill="#C080FF"/>
+<path d="M924.309 355.997V364.741H933.029V355.997H924.309Z" fill="#C080FF"/>
+<path d="M924.309 285.001V293.744H933.029V285.001H924.309Z" fill="#C080FF"/>
+<path d="M924.309 214.004V222.748H933.029V214.004H924.309Z" fill="#C080FF"/>
+<path d="M924.309 179.131V187.875H933.029V179.131H924.309Z" fill="#C080FF"/>
+<path d="M924.309 143.008V151.752H933.029V143.008H924.309Z" fill="#C080FF"/>
+<path d="M924.309 108.135V116.879H933.029V108.135H924.309Z" fill="#C080FF"/>
+<path d="M924.309 72.0156V80.7594H933.029V72.0156H924.309Z" fill="#C080FF"/>
+<path d="M924.309 54.5771V63.3208H933.029V54.5771H924.309Z" fill="#C080FF"/>
+<path d="M924.309 37.1387V45.8824H933.029V37.1387H924.309Z" fill="#C080FF"/>
+<path d="M924.309 18.458V27.2017H933.029V18.458H924.309Z" fill="#C080FF"/>
+<path d="M924.309 1.01953V9.76324H933.029V1.01953H924.309Z" fill="#C080FF"/>
+<path d="M941.749 125.573V134.317H950.469V125.573H941.749Z" fill="#C080FF"/>
+<path d="M941.749 89.4502V98.1939H950.469V89.4502H941.749Z" fill="#C080FF"/>
+<path d="M941.749 54.5771V63.3208H950.469V54.5771H941.749Z" fill="#C080FF"/>
+<path d="M941.749 18.458V27.2017H950.469V18.458H941.749Z" fill="#C080FF"/>
+<path d="M941.749 1.01953V9.76324H950.469V1.01953H941.749Z" fill="#C080FF"/>
+<path d="M284.019 1.01953V9.76324H292.739V1.01953H284.019Z" fill="#C080FF"/>
+<path d="M284.019 72.0156V80.7594H292.739V72.0156H284.019Z" fill="#C080FF"/>
+<path d="M284.019 143.008V151.752H292.739V143.008H284.019Z" fill="#C080FF"/>
+<path d="M977.879 196.57V205.314H986.599V196.57H977.879Z" fill="#C080FF"/>
+<path d="M977.879 125.573V134.317H986.599V125.573H977.879Z" fill="#C080FF"/>
+<path d="M977.879 89.4502V98.1939H986.599V89.4502H977.879Z" fill="#C080FF"/>
+<path d="M977.879 54.5771V63.3208H986.599V54.5771H977.879Z" fill="#C080FF"/>
+<path d="M977.879 37.1387V45.8824H986.599V37.1387H977.879Z" fill="#C080FF"/>
+<path d="M977.879 18.458V27.2017H986.599V18.458H977.879Z" fill="#C080FF"/>
+<path d="M977.879 1.0446V9.76338H986.619C986.699 6.87373 986.519 3.93425 986.619 1.0446C983.729 1.14425 980.789 0.969872 977.899 1.0446H977.879Z" fill="#C080FF"/>
+<path d="M995.319 9.76292H1004.04V1.01921C1001.15 0.944482 998.209 1.11885 995.319 1.01921C995.419 3.90886 995.239 6.84833 995.319 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M995.319 355.997V364.741H1004.04V355.997H995.319Z" fill="#C080FF"/>
+<path d="M995.319 285.001V293.744H1004.04V285.001H995.319Z" fill="#C080FF"/>
+<path d="M995.319 250.128V258.871H1004.04V250.128H995.319Z" fill="#C080FF"/>
+<path d="M995.319 214.004V222.748H1004.04V214.004H995.319Z" fill="#C080FF"/>
+<path d="M995.319 179.131V187.875H1004.04V179.131H995.319Z" fill="#C080FF"/>
+<path d="M995.319 143.008V151.752H1004.04V143.008H995.319Z" fill="#C080FF"/>
+<path d="M995.319 125.573V134.317H1004.04V125.573H995.319Z" fill="#C080FF"/>
+<path d="M995.319 108.135V116.879H1004.04V108.135H995.319Z" fill="#C080FF"/>
+<path d="M995.319 89.4502V98.1939H1004.04V89.4502H995.319Z" fill="#C080FF"/>
+<path d="M995.319 72.0156V80.7594H1004.04V72.0156H995.319Z" fill="#C080FF"/>
+<path d="M995.319 54.5771V63.3208H1004.04V54.5771H995.319Z" fill="#C080FF"/>
+<path d="M995.319 37.1387V45.8824H1004.04V37.1387H995.319Z" fill="#C080FF"/>
+<path d="M995.319 18.458V27.2017H1004.04V18.458H995.319Z" fill="#C080FF"/>
+<path d="M1012.76 125.573V134.317H1021.48V125.573H1012.76Z" fill="#C080FF"/>
+<path d="M1012.76 89.4502V98.1939H1021.48V89.4502H1012.76Z" fill="#C080FF"/>
+<path d="M1012.76 54.5771V63.3208H1021.48V54.5771H1012.76Z" fill="#C080FF"/>
+<path d="M1012.76 18.458V27.2017H1021.48V18.458H1012.76Z" fill="#C080FF"/>
+<path d="M1012.76 1.01953V9.76324H1021.48V1.01953H1012.76Z" fill="#C080FF"/>
+<path d="M1031.44 321.124V329.868H1040.16V321.124H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 250.128V258.871H1040.16V250.128H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 214.004V222.748H1040.16V214.004H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 179.131V187.875H1040.16V179.131H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 143.008V151.752H1040.16V143.008H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 108.135V116.879H1040.16V108.135H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 89.4502V98.1939H1040.16V89.4502H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 72.0156V80.7594H1040.16V72.0156H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 54.5771V63.3208H1040.16V54.5771H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 37.1387V45.8824H1040.16V37.1387H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 18.458V27.2017H1040.16V18.458H1031.44Z" fill="#C080FF"/>
+<path d="M1031.44 1.01953V9.76324H1040.16V1.01953H1031.44Z" fill="#C080FF"/>
+<path d="M1048.88 196.57V205.314H1057.6V196.57H1048.88Z" fill="#C080FF"/>
+<path d="M1048.88 125.573V134.317H1057.6V125.573H1048.88Z" fill="#C080FF"/>
+<path d="M1048.88 89.4502V98.1939H1057.6V89.4502H1048.88Z" fill="#C080FF"/>
+<path d="M1048.88 54.5771V63.3208H1057.6V54.5771H1048.88Z" fill="#C080FF"/>
+<path d="M1048.88 37.1387V45.8824H1057.6V37.1387H1048.88Z" fill="#C080FF"/>
+<path d="M1048.88 18.458V27.2017H1057.6V18.458H1048.88Z" fill="#C080FF"/>
+<path d="M1048.88 1.0446V9.76338H1057.63C1057.7 6.87373 1057.53 3.93425 1057.63 1.0446C1054.74 1.14425 1051.8 0.969872 1048.91 1.0446H1048.88Z" fill="#C080FF"/>
+<path d="M1066.32 9.76292H1075.04V1.01921C1072.15 0.944482 1069.21 1.11885 1066.32 1.01921C1066.42 3.90886 1066.25 6.84833 1066.32 9.73798V9.76292Z" fill="#C080FF"/>
+<path d="M1066.32 355.997V364.741H1075.04V355.997H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 285.001V293.744H1075.04V285.001H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 250.128V258.871H1075.04V250.128H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 214.004V222.748H1075.04V214.004H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 179.131V187.875H1075.04V179.131H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 143.008V151.752H1075.04V143.008H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 125.573V134.317H1075.04V125.573H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 108.135V116.879H1075.04V108.135H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 89.4502V98.1939H1075.04V89.4502H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 72.0156V80.7594H1075.04V72.0156H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 54.5771V63.3208H1075.04V54.5771H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 37.1387V45.8824H1075.04V37.1387H1066.32Z" fill="#C080FF"/>
+<path d="M1066.32 18.458V27.2017H1075.04V18.458H1066.32Z" fill="#C080FF"/>
+<path d="M249.139 37.1387V45.8824H257.859V37.1387H249.139Z" fill="#C080FF"/>
+<path d="M1083.76 196.57V205.314H1092.48V196.57H1083.76Z" fill="#C080FF"/>
+<path d="M1083.76 125.573V134.317H1092.48V125.573H1083.76Z" fill="#C080FF"/>
+<path d="M1083.76 89.4502V98.1939H1092.48V89.4502H1083.76Z" fill="#C080FF"/>
+<path d="M1083.76 72.0156V80.7594H1092.48V72.0156H1083.76Z" fill="#C080FF"/>
+<path d="M1083.76 54.5771V63.3208H1092.48V54.5771H1083.76Z" fill="#C080FF"/>
+<path d="M1083.76 37.1387V45.8824H1092.48V37.1387H1083.76Z" fill="#C080FF"/>
+<path d="M1083.76 18.458V27.2017H1092.48V18.458H1083.76Z" fill="#C080FF"/>
+<path d="M1083.76 1.01953V9.76324H1092.48V1.01953H1083.76Z" fill="#C080FF"/>
+<path d="M1102.45 321.124V329.868H1111.17V321.124H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 250.128V258.871H1111.17V250.128H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 214.004V222.748H1111.17V214.004H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 179.131V187.875H1111.17V179.131H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 143.008V151.752H1111.17V143.008H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 108.135V116.879H1111.17V108.135H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 89.4502V98.1939H1111.17V89.4502H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 72.0156V80.7594H1111.17V72.0156H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 54.5771V63.3208H1111.17V54.5771H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 37.1387V45.8824H1111.17V37.1387H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 18.458V27.2017H1111.17V18.458H1102.45Z" fill="#C080FF"/>
+<path d="M1102.45 1.01953V9.76324H1111.17V1.01953H1102.45Z" fill="#C080FF"/>
+<path d="M1119.89 196.57V205.314H1128.61V196.57H1119.89Z" fill="#C080FF"/>
+<path d="M1119.89 125.573V134.317H1128.61V125.573H1119.89Z" fill="#C080FF"/>
+<path d="M1119.89 89.4502V98.1939H1128.61V89.4502H1119.89Z" fill="#C080FF"/>
+<path d="M1119.89 54.5771V63.3208H1128.61V54.5771H1119.89Z" fill="#C080FF"/>
+<path d="M1119.89 37.1387V45.8824H1128.61V37.1387H1119.89Z" fill="#C080FF"/>
+<path d="M1119.89 18.458V27.2017H1128.61V18.458H1119.89Z" fill="#C080FF"/>
+<path d="M213.009 1.01953V9.76324H221.729V1.01953H213.009Z" fill="#C080FF"/>
+<path d="M213.009 72.0156V80.7594H221.729V72.0156H213.009Z" fill="#C080FF"/>
+<path d="M1137.33 355.997V364.741H1146.05V355.997H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 285.001V293.744H1146.05V285.001H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 250.128V258.871H1146.05V250.128H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 214.004V222.748H1146.05V214.004H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 179.131V187.875H1146.05V179.131H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 143.008V151.752H1146.05V143.008H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 125.573V134.317H1146.05V125.573H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 108.135V116.879H1146.05V108.135H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 89.4502V98.1939H1146.05V89.4502H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 72.0156V80.7594H1146.05V72.0156H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 54.5771V63.3208H1146.05V54.5771H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 37.1387V45.8824H1146.05V37.1387H1137.33Z" fill="#C080FF"/>
+<path d="M1137.33 18.458V27.2017H1146.05V18.458H1137.33Z" fill="#C080FF"/>
+<path d="M1173.45 321.124V329.868H1182.17V321.124H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 285.001V293.744H1182.17V285.001H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 250.128V258.871H1182.17V250.128H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 214.004V222.748H1182.17V214.004H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 179.131V187.875H1182.17V179.131H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 143.008V151.752H1182.17V143.008H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 125.573V134.317H1182.17V125.573H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 108.135V116.879H1182.17V108.135H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 89.4502V98.1939H1182.17V89.4502H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 72.0156V80.7594H1182.17V72.0156H1173.45Z" fill="#C080FF"/>
+<path d="M1173.45 54.5771V63.3208H1182.17V54.5771H1173.45Z" fill="#C080FF"/>
+<path d="M1190.89 267.562V276.306H1199.61V267.562H1190.89Z" fill="#C080FF"/>
+<path d="M1190.89 196.57V205.314H1199.61V196.57H1190.89Z" fill="#C080FF"/>
+<path d="M1190.89 125.573V134.317H1199.61V125.573H1190.89Z" fill="#C080FF"/>
+<path d="M1190.89 108.135V116.879H1199.61V108.135H1190.89Z" fill="#C080FF"/>
+<path d="M1190.89 89.4502V98.1939H1199.61V89.4502H1190.89Z" fill="#C080FF"/>
+<path d="M1199.61 54.5791H1190.89V63.3228C1193.78 63.3975 1196.72 63.2231 1199.61 63.3228C1199.51 60.4331 1199.69 57.4936 1199.61 54.604V54.5791Z" fill="#C080FF"/>
+<path d="M1217.05 63.3208V54.5771H1208.31C1208.23 57.4667 1208.41 60.4062 1208.31 63.2958C1211.2 63.1962 1214.14 63.3706 1217.03 63.2958L1217.05 63.3208Z" fill="#C080FF"/>
+<path d="M1208.33 80.7591H1217.05V72.0153C1214.16 71.9406 1211.22 72.115 1208.33 72.0153C1208.43 74.905 1208.26 77.8445 1208.33 80.7341V80.7591Z" fill="#C080FF"/>
+<path d="M1190.89 72.0407V80.7595H1199.64C1199.71 77.8698 1199.54 74.9303 1199.64 72.0407C1196.75 72.1403 1193.81 71.966 1190.92 72.0407H1190.89Z" fill="#C080FF"/>
+<path d="M1208.33 63.3193C1205.44 63.4189 1202.5 63.4189 1199.61 63.3193C1199.71 66.209 1199.71 69.1484 1199.61 72.0381C1202.5 71.9384 1205.44 71.9384 1208.33 72.0381C1208.23 69.1484 1208.23 66.209 1208.33 63.3193Z" fill="#C080FF"/>
+<path d="M1208.33 355.997V364.741H1217.05V355.997H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 321.124V329.868H1217.05V321.124H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 285.001V293.744H1217.05V285.001H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 250.128V258.871H1217.05V250.128H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 214.004V222.748H1217.05V214.004H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 196.57V205.314H1217.05V196.57H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 179.131V187.875H1217.05V179.131H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 143.008V151.752H1217.05V143.008H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 125.573V134.317H1217.05V125.573H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 108.135V116.879H1217.05V108.135H1208.33Z" fill="#C080FF"/>
+<path d="M1208.33 89.4502V98.1939H1217.05V89.4502H1208.33Z" fill="#C080FF"/>
+<path d="M1244.46 392.116V400.859H1253.18V392.116H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 321.124V329.868H1253.18V321.124H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 285.001V293.744H1253.18V285.001H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 250.128V258.871H1253.18V250.128H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 214.004V222.748H1253.18V214.004H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 179.131V187.875H1253.18V179.131H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 143.008V151.752H1253.18V143.008H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 125.573V134.317H1253.18V125.573H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 108.135V116.879H1253.18V108.135H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 89.4502V98.1939H1253.18V89.4502H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 72.0156V80.7594H1253.18V72.0156H1244.46Z" fill="#C080FF"/>
+<path d="M1244.46 54.5771V63.3208H1253.18V54.5771H1244.46Z" fill="#C080FF"/>
+<path d="M142.009 1.01953V9.76324H150.729V1.01953H142.009Z" fill="#C080FF"/>
+<path d="M1261.9 267.562V276.306H1270.62V267.562H1261.9Z" fill="#C080FF"/>
+<path d="M1261.9 196.57V205.314H1270.62V196.57H1261.9Z" fill="#C080FF"/>
+<path d="M1261.9 125.573V134.317H1270.62V125.573H1261.9Z" fill="#C080FF"/>
+<path d="M1261.9 108.135V116.879H1270.62V108.135H1261.9Z" fill="#C080FF"/>
+<path d="M1261.9 89.4502V98.1939H1270.62V89.4502H1261.9Z" fill="#C080FF"/>
+<path d="M1279.34 63.3193C1276.45 63.4189 1273.51 63.4189 1270.62 63.3193C1270.72 66.209 1270.72 69.1484 1270.62 72.0381C1273.51 71.9384 1276.45 71.9384 1279.34 72.0381C1279.24 69.1484 1279.24 66.209 1279.34 63.3193Z" fill="#C080FF"/>
+<path d="M1279.34 80.7591H1288.06V72.0153C1285.17 71.9406 1282.23 72.115 1279.34 72.0153C1279.44 74.905 1279.26 77.8445 1279.34 80.7341V80.7591Z" fill="#C080FF"/>
+<path d="M1288.06 63.3208V54.5771H1279.31C1279.24 57.4667 1279.41 60.4062 1279.31 63.2958C1282.2 63.1962 1285.14 63.3706 1288.03 63.2958L1288.06 63.3208Z" fill="#C080FF"/>
+<path d="M1270.62 54.5791H1261.9V63.3228C1264.79 63.3975 1267.73 63.2231 1270.62 63.3228C1270.52 60.4331 1270.69 57.4936 1270.62 54.604V54.5791Z" fill="#C080FF"/>
+<path d="M1261.9 72.0407V80.7595H1270.64C1270.72 77.8698 1270.54 74.9303 1270.64 72.0407C1267.75 72.1403 1264.81 71.966 1261.92 72.0407H1261.9Z" fill="#C080FF"/>
+<path d="M1279.34 355.997V364.741H1288.06V355.997H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 321.124V329.868H1288.06V321.124H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 285.001V293.744H1288.06V285.001H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 250.128V258.871H1288.06V250.128H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 214.004V222.748H1288.06V214.004H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 196.57V205.314H1288.06V196.57H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 179.131V187.875H1288.06V179.131H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 143.008V151.752H1288.06V143.008H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 125.573V134.317H1288.06V125.573H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 108.135V116.879H1288.06V108.135H1279.34Z" fill="#C080FF"/>
+<path d="M1279.34 89.4502V98.1939H1288.06V89.4502H1279.34Z" fill="#C080FF"/>
+<path d="M1298.02 267.562V276.306H1306.74V267.562H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 196.57V205.314H1306.74V196.57H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 143.008V151.752H1306.74V143.008H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 125.573V134.317H1306.74V125.573H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 108.135V116.879H1306.74V108.135H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 89.4502V98.1939H1306.74V89.4502H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 72.0156V80.7594H1306.74V72.0156H1298.02Z" fill="#C080FF"/>
+<path d="M1298.02 54.5771V63.3208H1306.74V54.5771H1298.02Z" fill="#C080FF"/>
+<path d="M1315.46 392.116V400.859H1324.18V392.116H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 321.124V329.868H1324.18V321.124H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 285.001V293.744H1324.18V285.001H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 250.128V258.871H1324.18V250.128H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 214.004V222.748H1324.18V214.004H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 179.131V187.875H1324.18V179.131H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 143.008V151.752H1324.18V143.008H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 125.573V134.317H1324.18V125.573H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 108.135V116.879H1324.18V108.135H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 89.4502V98.1939H1324.18V89.4502H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 72.0156V80.7594H1324.18V72.0156H1315.46Z" fill="#C080FF"/>
+<path d="M1315.46 54.5771V63.3208H1324.18V54.5771H1315.46Z" fill="#C080FF"/>
+<path d="M1332.9 267.562V276.306H1341.62V267.562H1332.9Z" fill="#C080FF"/>
+<path d="M1332.9 196.57V205.314H1341.62V196.57H1332.9Z" fill="#C080FF"/>
+<path d="M1332.9 125.573V134.317H1341.62V125.573H1332.9Z" fill="#C080FF"/>
+<path d="M1332.9 108.135V116.879H1341.62V108.135H1332.9Z" fill="#C080FF"/>
+<path d="M1332.9 89.4502V98.1939H1341.62V89.4502H1332.9Z" fill="#C080FF"/>
+<path d="M71.0049 1.01953V9.76324H79.7249V1.01953H71.0049Z" fill="#C080FF"/>
+<path d="M71.0049 72.0156V80.7594H79.7249V72.0156H71.0049Z" fill="#C080FF"/>
+<path d="M1369.03 303.686V312.43H1377.75V303.686H1369.03Z" fill="#C080FF"/>
+<path d="M1369.03 267.562V276.306H1377.75V267.562H1369.03Z" fill="#C080FF"/>
+<path d="M1369.03 196.57V205.314H1377.75V196.57H1369.03Z" fill="#C080FF"/>
+<path d="M1369.03 143.008V151.752H1377.75V143.008H1369.03Z" fill="#C080FF"/>
+<path d="M1369.03 125.573V134.317H1377.75V125.573H1369.03Z" fill="#C080FF"/>
+<path d="M1386.47 392.116V400.859H1395.19V392.116H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 355.997V364.741H1395.19V355.997H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 321.124V329.868H1395.19V321.124H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 285.001V293.744H1395.19V285.001H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 250.128V258.871H1395.19V250.128H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 214.004V222.748H1395.19V214.004H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 196.57V205.314H1395.19V196.57H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 179.131V187.875H1395.19V179.131H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 143.008V151.752H1395.19V143.008H1386.47Z" fill="#C080FF"/>
+<path d="M1386.47 125.573V134.317H1395.19V125.573H1386.47Z" fill="#C080FF"/>
+<path d="M1403.91 267.562V276.306H1412.66V267.562H1403.91Z" fill="#C080FF"/>
+<path d="M1403.91 196.57V205.314H1412.66V196.57H1403.91Z" fill="#C080FF"/>
+<path d="M1403.91 179.131V187.875H1412.66V179.131H1403.91Z" fill="#C080FF"/>
+<path d="M1403.91 143.008V151.752H1412.66V143.008H1403.91Z" fill="#C080FF"/>
+<path d="M1403.91 125.573V134.317H1412.66V125.573H1403.91Z" fill="#C080FF"/>
+<path d="M0 1.01953V9.76324H8.72003V1.01953H0Z" fill="#C080FF"/>
+</g>
+<defs>
+<clipPath id="clip0_414_125114">
+<rect width="1421" height="507" fill="white"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/app/index.html b/app/index.html
index 370070b48..52b9b5d10 100644
--- a/app/index.html
+++ b/app/index.html
@@ -20,7 +20,7 @@
     <link rel="apple-touch-icon" sizes="180x180" href="<%=require('./assets/ico/apple-touch-icon.png')%>" />
     <link rel="icon" type="image/png" sizes="32x32" href="<%=require('./assets/ico/favicon-32x32.png')%>" />
     <link rel="icon" type="image/png" sizes="16x16" href="<%=require('./assets/ico/favicon-16x16.png')%>" />
-    <link rel="mask-icon" href="<%=require('./assets/ico/safari-pinned-tab.svg')%>" color="#5bbad5" />
+    <link rel="mask-icon" href="<%=require('./assets/ico/safari-pinned-tab.svg')%>" color="#000000" />
     <link rel="shortcut icon" href="<%=require('./assets/ico/favicon.ico')%>" />
     <meta name="msapplication-config" content="<%=require('./assets/ico/browserconfig.xml')%>" />
     <meta name="theme-color" content="#ffffff" />
@@ -47,7 +47,10 @@
                 <!-- loading box logo -->
                 <div class="row">
                   <img ng-if="logo" ng-src="{{ logo }}" class="simple-box-logo" />
-                  <img ng-if="!logo" src="<%=require('./assets/images/logo_alt.svg')%>" class="simple-box-logo" alt="Portainer" />
+                  <div ng-if="!logo">
+                    <img src="<%=require('./assets/images/logo_alt.svg')%>" class="simple-box-logo hidden th-dark:!block th-highcontrast:!block" alt="Portainer" />
+                    <img src="<%=require('./assets/images/logo_alt_black.svg')%>" class="simple-box-logo block th-dark:hidden th-highcontrast:hidden" alt="Portainer" />
+                  </div>
                 </div>
                 <!-- !loading box logo -->
                 <!-- panel -->
diff --git a/app/portainer/views/auth/auth.html b/app/portainer/views/auth/auth.html
index 09dadf050..2504141a7 100644
--- a/app/portainer/views/auth/auth.html
+++ b/app/portainer/views/auth/auth.html
@@ -4,7 +4,10 @@
     <div class="col-sm-4 col-sm-offset-4">
       <!-- login box logo -->
       <div class="row">
-        <img ng-if="!ctrl.logo" src="~@/assets/images/logo_alt.svg" class="simple-box-logo" alt="Portainer" />
+        <div ng-if="!ctrl.logo">
+          <img src="~@/assets/images/logo_alt.svg" class="simple-box-logo hidden th-dark:!block th-highcontrast:!block" alt="Portainer" />
+          <img src="~@/assets/images/logo_alt_black.svg" class="simple-box-logo block th-dark:hidden th-highcontrast:hidden" alt="Portainer" />
+        </div>
         <img ng-if="ctrl.logo" ng-src="{{ ctrl.logo }}" class="simple-box-logo" />
       </div>
       <!-- !login box logo -->
diff --git a/app/portainer/views/init/admin/initAdmin.html b/app/portainer/views/init/admin/initAdmin.html
index b5cfcfeb4..afff165b2 100644
--- a/app/portainer/views/init/admin/initAdmin.html
+++ b/app/portainer/views/init/admin/initAdmin.html
@@ -5,7 +5,10 @@
       <!-- simple box logo -->
       <div class="row">
         <img ng-if="logo" ng-src="{{ logo }}" class="simple-box-logo" />
-        <img ng-if="!logo" src="~@/assets/images/logo_alt.svg" class="simple-box-logo" alt="Portainer" />
+        <div ng-if="!ctrl.logo">
+          <img src="~@/assets/images/logo_alt.svg" class="simple-box-logo hidden th-dark:!block th-highcontrast:!block" alt="Portainer" />
+          <img src="~@/assets/images/logo_alt_black.svg" class="simple-box-logo block th-dark:hidden th-highcontrast:hidden" alt="Portainer" />
+        </div>
       </div>
       <!-- !simple box logo -->
       <!-- init password panel -->
diff --git a/app/portainer/views/logout/logout.html b/app/portainer/views/logout/logout.html
index fe9b2513d..95299d5d0 100644
--- a/app/portainer/views/logout/logout.html
+++ b/app/portainer/views/logout/logout.html
@@ -4,7 +4,10 @@
     <div class="col-md-6 col-md-offset-3 col-sm-6 col-sm-offset-3">
       <!-- login box logo -->
       <div class="row">
-        <img ng-if="!ctrl.logo" src="~@/assets/images/logo_alt.svg" class="simple-box-logo" alt="Portainer" />
+        <div ng-if="!ctrl.logo">
+          <img src="~@/assets/images/logo_alt.svg" class="simple-box-logo hidden th-dark:!block th-highcontrast:!block" alt="Portainer" />
+          <img src="~@/assets/images/logo_alt_black.svg" class="simple-box-logo block th-dark:hidden th-highcontrast:hidden" alt="Portainer" />
+        </div>
         <img ng-if="ctrl.logo" ng-src="{{ ctrl.logo }}" class="simple-box-logo" />
       </div>
       <div class="row text-center">
diff --git a/app/react/components/InformationPanel.tsx b/app/react/components/InformationPanel.tsx
index b5c9dafc9..f25afadba 100644
--- a/app/react/components/InformationPanel.tsx
+++ b/app/react/components/InformationPanel.tsx
@@ -19,7 +19,7 @@ export function InformationPanel({
   children,
 }: PropsWithChildren<Props>) {
   return (
-    <Widget>
+    <Widget className="border-none">
       <WidgetBody className={bodyClassName}>
         <div style={wrapperStyle}>
           {title && (
diff --git a/app/react/portainer/account/AccountView/theme-options.tsx b/app/react/portainer/account/AccountView/theme-options.tsx
index c76ddaa2f..21c1d00d9 100644
--- a/app/react/portainer/account/AccountView/theme-options.tsx
+++ b/app/react/portainer/account/AccountView/theme-options.tsx
@@ -7,28 +7,24 @@ export const options = [
     id: 'light',
     icon: <BadgeIcon icon={Sun} />,
     label: 'Light Theme',
-    description: 'Default color mode',
     value: 'light',
   },
   {
     id: 'dark',
     icon: <BadgeIcon icon={Moon} />,
     label: 'Dark Theme',
-    description: 'Dark color mode',
     value: 'dark',
   },
   {
     id: 'highcontrast',
     icon: <BadgeIcon icon={Eye} />,
     label: 'High Contrast',
-    description: 'High contrast color mode',
     value: 'highcontrast',
   },
   {
     id: 'auto',
     icon: <BadgeIcon icon={RefreshCw} />,
-    label: 'Auto',
-    description: 'Sync with system theme',
+    label: 'System Theme',
     value: 'auto',
   },
 ];
diff --git a/app/react/sidebar/EnvironmentSidebar.module.css b/app/react/sidebar/EnvironmentSidebar.module.css
index 56165048c..2400d635a 100644
--- a/app/react/sidebar/EnvironmentSidebar.module.css
+++ b/app/react/sidebar/EnvironmentSidebar.module.css
@@ -1,12 +1,11 @@
 .root {
   background-color: var(--bg-sidebar-nav-color);
-  border-color: var(--border-sidebar-color);
 }
 
 .closeBtn {
-  background-color: var(--bg-btn-default-color);
+  background-color: transparent;
 }
 
 .closeBtn:hover {
-  background-color: var(--bg-btn-default-hover-color);
+  background-color: var(--graphite-500);
 }
diff --git a/app/react/sidebar/EnvironmentSidebar.tsx b/app/react/sidebar/EnvironmentSidebar.tsx
index 2e51b449c..bea5f86c1 100644
--- a/app/react/sidebar/EnvironmentSidebar.tsx
+++ b/app/react/sidebar/EnvironmentSidebar.tsx
@@ -36,7 +36,7 @@ export function EnvironmentSidebar() {
   }
 
   return (
-    <div className={clsx(styles.root, 'rounded border border-dotted py-2')}>
+    <div className={clsx(styles.root, 'rounded py-2')}>
       {environment ? (
         <Content environment={environment} onClear={clearEnvironment} />
       ) : (
@@ -151,7 +151,7 @@ function Title({ environment, onClear }: TitleProps) {
         onClick={onClear}
         className={clsx(
           styles.closeBtn,
-          'ml-auto mr-2 flex h-5 w-5 items-center justify-center rounded border-0 p-1 text-sm text-gray-5 transition-colors duration-200 hover:text-white be:text-gray-6 be:hover:text-white'
+          'ml-auto mr-2 flex h-5 w-5 items-center justify-center rounded border-0 p-1 text-sm text-white transition-colors duration-200'
         )}
       >
         <X />
diff --git a/app/react/sidebar/Footer/Footer.tsx b/app/react/sidebar/Footer/Footer.tsx
index 0c6636a3e..7374857c5 100644
--- a/app/react/sidebar/Footer/Footer.tsx
+++ b/app/react/sidebar/Footer/Footer.tsx
@@ -7,7 +7,6 @@ import { UpdateNotification } from './UpdateNotifications';
 import { BuildInfoModalButton } from './BuildInfoModal';
 import '@reach/dialog/styles.css';
 import styles from './Footer.module.css';
-import Logo from './portainer_logo.svg?c';
 
 export function Footer() {
   return isBE ? <BEFooter /> : <CEFooter />;
@@ -19,7 +18,6 @@ function CEFooter() {
       <UpdateNotification />
 
       <FooterContent>
-        <Logo width="90px" height="100%" />
         <span>Community Edition</span>
 
         <BuildInfoModalButton />
@@ -43,7 +41,7 @@ function BEFooter() {
 
 function FooterContent({ children }: PropsWithChildren<unknown>) {
   return (
-    <div className="mx-auto flex items-center justify-center space-x-1 text-[10px] text-gray-5 be:text-gray-6">
+    <div className="mx-auto flex items-baseline justify-center space-x-1 text-[10px] text-gray-5 be:text-gray-6">
       {children}
     </div>
   );
diff --git a/app/react/sidebar/Footer/portainer_logo.svg b/app/react/sidebar/Footer/portainer_logo.svg
deleted file mode 100644
index 1bf390370..000000000
--- a/app/react/sidebar/Footer/portainer_logo.svg
+++ /dev/null
@@ -1,36 +0,0 @@
-<svg width="190" height="47" viewBox="0 0 190 47" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_10456_446354)">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M10.8928 10.604H10.1947V14.2623H10.8928V10.604Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.8949 10.604H13.1968V14.2623H13.8949V10.604Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.9967 3.6233L17.2811 2.36853L5.34241 9.3493L6.058 10.6041L17.9967 3.6233Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.9269 3.6233L18.6425 2.36853L30.5812 9.3493L29.8656 10.6041L17.9269 3.6233Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M32.6932 10.6218V9.17261H-0.0160522V10.6218H32.6932Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M19.7421 31.087V9.6145H21.1733V32.1297C20.7893 31.6879 20.3006 31.3697 19.7421 31.087Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.2985 30.7158V0.424561H18.7298V30.8926C18.3283 30.6982 17.3509 30.7158 17.2985 30.7158Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M3.73663 33.7379C1.99121 32.4301 0.839233 30.3447 0.839233 27.9765C0.839233 26.7217 1.17086 25.4846 1.78176 24.4066H13.9997C14.628 25.4846 14.9422 26.7217 14.9422 27.9765C14.9422 29.0722 14.8026 30.0972 14.3662 31.0162C13.4412 30.1149 12.0797 29.7261 10.7008 29.7261C8.2572 29.7261 6.1627 31.2637 5.62173 33.5611C5.42973 33.5435 5.30753 33.5258 5.11553 33.5258C4.64423 33.5435 4.19043 33.6141 3.73663 33.7379Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M9.74083 15.8883H6.04053V19.6526H9.74083V15.8883Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M5.56933 15.8883H1.86902V19.6526H5.56933V15.8883Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M5.56933 20.0768H1.86902V23.8411H5.56933V20.0768Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M9.74083 20.0768H6.04053V23.8411H9.74083V20.0768Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.895 20.0768H10.1947V23.8411H13.895V20.0768Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.895 13.8735H10.1947V17.6379H13.895V13.8735Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M6.2325 34.3034C6.7387 32.1296 8.6761 30.5037 10.9801 30.5037C12.4637 30.5037 13.7902 31.1753 14.6978 32.2356C15.4833 31.6878 16.4258 31.3697 17.4556 31.3697C20.1436 31.3697 22.3253 33.5788 22.3253 36.3004C22.3253 36.8659 22.2381 37.3961 22.0635 37.9086C22.657 38.7216 23.0235 39.7466 23.0235 40.8423C23.0235 43.5639 20.8417 45.773 18.1538 45.773C16.9669 45.773 15.8847 45.3489 15.0469 44.642C14.1568 45.8967 12.7081 46.7274 11.0674 46.7274C9.1823 46.7274 7.5416 45.6316 6.7213 44.0411C6.3896 44.1118 6.058 44.1471 5.70895 44.1471C3.02101 44.1471 0.821777 41.938 0.821777 39.2164C0.821777 36.4948 3.00356 34.2857 5.70895 34.2857C5.88355 34.268 6.058 34.268 6.2325 34.3034Z" fill="#13BEF9"/>
-<path d="M43.964 17.8839C44.4667 17.2252 45.1513 16.6706 46.018 16.2199C46.8847 15.7692 47.864 15.5439 48.956 15.5439C50.204 15.5439 51.3393 15.8559 52.362 16.4799C53.402 17.0866 54.2167 17.9446 54.806 19.0539C55.3953 20.1632 55.69 21.4372 55.69 22.8759C55.69 24.3146 55.3953 25.6059 54.806 26.7499C54.2167 27.8766 53.402 28.7606 52.362 29.4019C51.3393 30.0259 50.204 30.3379 48.956 30.3379C47.864 30.3379 46.8933 30.1212 46.044 29.6879C45.1947 29.2372 44.5013 28.6826 43.964 28.0239V36.9159H41V15.7779H43.964V17.8839ZM52.674 22.8759C52.674 21.8879 52.466 21.0386 52.05 20.3279C51.6513 19.5999 51.114 19.0539 50.438 18.6899C49.7793 18.3086 49.0687 18.1179 48.306 18.1179C47.5607 18.1179 46.85 18.3086 46.174 18.6899C45.5153 19.0712 44.978 19.6259 44.562 20.3539C44.1633 21.0819 43.964 21.9399 43.964 22.9279C43.964 23.9159 44.1633 24.7826 44.562 25.5279C44.978 26.2559 45.5153 26.8106 46.174 27.1919C46.85 27.5732 47.5607 27.7639 48.306 27.7639C49.0687 27.7639 49.7793 27.5732 50.438 27.1919C51.114 26.7932 51.6513 26.2212 52.05 25.4759C52.466 24.7306 52.674 23.8639 52.674 22.8759Z" fill="white"/>
-<path d="M64.8351 30.3379C63.4831 30.3379 62.2611 30.0346 61.1691 29.4279C60.0771 28.8039 59.2191 27.9372 58.5951 26.8279C57.9711 25.7012 57.6591 24.4012 57.6591 22.9279C57.6591 21.4719 57.9798 20.1806 58.6211 19.0539C59.2624 17.9272 60.1378 17.0606 61.2471 16.4539C62.3564 15.8472 63.5958 15.5439 64.9651 15.5439C66.3344 15.5439 67.5738 15.8472 68.6831 16.4539C69.7924 17.0606 70.6678 17.9272 71.3091 19.0539C71.9504 20.1806 72.2711 21.4719 72.2711 22.9279C72.2711 24.3839 71.9418 25.6752 71.2831 26.8019C70.6244 27.9286 69.7231 28.8039 68.5791 29.4279C67.4524 30.0346 66.2044 30.3379 64.8351 30.3379ZM64.8351 27.7639C65.5978 27.7639 66.3084 27.5819 66.9671 27.2179C67.6431 26.8539 68.1891 26.3079 68.6051 25.5799C69.0211 24.8519 69.2291 23.9679 69.2291 22.9279C69.2291 21.8879 69.0298 21.0126 68.6311 20.3019C68.2324 19.5739 67.7038 19.0279 67.0451 18.6639C66.3864 18.2999 65.6758 18.1179 64.9131 18.1179C64.1504 18.1179 63.4398 18.2999 62.7811 18.6639C62.1398 19.0279 61.6284 19.5739 61.2471 20.3019C60.8658 21.0126 60.6751 21.8879 60.6751 22.9279C60.6751 24.4706 61.0651 25.6666 61.8451 26.5159C62.6424 27.3479 63.6391 27.7639 64.8351 27.7639Z" fill="white"/>
-<path d="M78.1652 17.8579C78.5985 17.1299 79.1705 16.5666 79.8812 16.1679C80.6092 15.7519 81.4672 15.5439 82.4552 15.5439V18.6119H81.7012C80.5398 18.6119 79.6558 18.9066 79.0492 19.4959C78.4598 20.0852 78.1652 21.1079 78.1652 22.5639V30.1039H75.2012V15.7779H78.1652V17.8579Z" fill="white"/>
-<path d="M88.6377 18.1959V26.1259C88.6377 26.6632 88.759 27.0532 89.0017 27.2959C89.2617 27.5212 89.695 27.6339 90.3017 27.6339H92.1217V30.1039H89.7817C88.447 30.1039 87.4244 29.7919 86.7137 29.1679C86.003 28.5439 85.6477 27.5299 85.6477 26.1259V18.1959H83.9577V15.7779H85.6477V12.2159H88.6377V15.7779H92.1217V18.1959H88.6377Z" fill="white"/>
-<path d="M93.8655 22.8759C93.8655 21.4372 94.16 20.1632 94.75 19.0539C95.356 17.9446 96.171 17.0866 97.194 16.4799C98.234 15.8559 99.378 15.5439 100.626 15.5439C101.752 15.5439 102.732 15.7692 103.564 16.2199C104.413 16.6532 105.089 17.1992 105.592 17.8579V15.7779H108.582V30.1039H105.592V27.9719C105.089 28.6479 104.404 29.2112 103.538 29.6619C102.671 30.1126 101.683 30.3379 100.574 30.3379C99.343 30.3379 98.216 30.0259 97.194 29.4019C96.171 28.7606 95.356 27.8766 94.75 26.7499C94.16 25.6059 93.8655 24.3146 93.8655 22.8759ZM105.592 22.9279C105.592 21.9399 105.384 21.0819 104.968 20.3539C104.569 19.6259 104.04 19.0712 103.382 18.6899C102.723 18.3086 102.012 18.1179 101.25 18.1179C100.487 18.1179 99.776 18.3086 99.118 18.6899C98.459 19.0539 97.922 19.5999 97.506 20.3279C97.107 21.0386 96.908 21.8879 96.908 22.8759C96.908 23.8639 97.107 24.7306 97.506 25.4759C97.922 26.2212 98.459 26.7932 99.118 27.1919C99.794 27.5732 100.504 27.7639 101.25 27.7639C102.012 27.7639 102.723 27.5732 103.382 27.1919C104.04 26.8106 104.569 26.2559 104.968 25.5279C105.384 24.7826 105.592 23.9159 105.592 22.9279Z" fill="white"/>
-<path d="M113.983 13.88C113.445 13.88 112.995 13.698 112.631 13.334C112.267 12.97 112.085 12.5193 112.085 11.982C112.085 11.4447 112.267 10.994 112.631 10.63C112.995 10.266 113.445 10.084 113.983 10.084C114.503 10.084 114.945 10.266 115.309 10.63C115.673 10.994 115.855 11.4447 115.855 11.982C115.855 12.5193 115.673 12.97 115.309 13.334C114.945 13.698 114.503 13.88 113.983 13.88ZM115.439 15.778V30.104H112.475V15.778H115.439Z" fill="white"/>
-<path d="M126.558 15.5439C127.685 15.5439 128.69 15.7779 129.574 16.2459C130.475 16.7139 131.177 17.4072 131.68 18.3259C132.183 19.2446 132.434 20.3539 132.434 21.6539V30.1039H129.496V22.0959C129.496 20.8132 129.175 19.8339 128.534 19.1579C127.893 18.4646 127.017 18.1179 125.908 18.1179C124.799 18.1179 123.915 18.4646 123.256 19.1579C122.615 19.8339 122.294 20.8132 122.294 22.0959V30.1039H119.33V15.7779H122.294V17.4159C122.779 16.8266 123.395 16.3672 124.14 16.0379C124.903 15.7086 125.709 15.5439 126.558 15.5439Z" fill="white"/>
-<path d="M149.345 22.5899C149.345 23.1272 149.31 23.6126 149.241 24.0459H138.295C138.382 25.1899 138.806 26.1086 139.569 26.8019C140.332 27.4952 141.268 27.8419 142.377 27.8419C143.972 27.8419 145.098 27.1746 145.757 25.8399H148.955C148.522 27.1572 147.733 28.2406 146.589 29.0899C145.462 29.9219 144.058 30.3379 142.377 30.3379C141.008 30.3379 139.777 30.0346 138.685 29.4279C137.61 28.8039 136.761 27.9372 136.137 26.8279C135.53 25.7012 135.227 24.4012 135.227 22.9279C135.227 21.4546 135.522 20.1632 136.111 19.0539C136.718 17.9272 137.558 17.0606 138.633 16.4539C139.725 15.8472 140.973 15.5439 142.377 15.5439C143.729 15.5439 144.934 15.8386 145.991 16.4279C147.048 17.0172 147.872 17.8492 148.461 18.9239C149.05 19.9812 149.345 21.2032 149.345 22.5899ZM146.251 21.6539C146.234 20.5619 145.844 19.6866 145.081 19.0279C144.318 18.3692 143.374 18.0399 142.247 18.0399C141.224 18.0399 140.349 18.3692 139.621 19.0279C138.893 19.6692 138.46 20.5446 138.321 21.6539H146.251Z" fill="white"/>
-<path d="M155.226 17.8579C155.659 17.1299 156.231 16.5666 156.942 16.1679C157.67 15.7519 158.528 15.5439 159.516 15.5439V18.6119H158.762C157.6 18.6119 156.716 18.9066 156.11 19.4959C155.52 20.0852 155.226 21.1079 155.226 22.5639V30.1039H152.262V15.7779H155.226V17.8579Z" fill="white"/>
-<path d="M163.436 30.286C162.899 30.286 162.448 30.104 162.084 29.74C161.72 29.376 161.538 28.9253 161.538 28.388C161.538 27.8507 161.72 27.4 162.084 27.036C162.448 26.672 162.899 26.49 163.436 26.49C163.956 26.49 164.398 26.672 164.762 27.036C165.126 27.4 165.308 27.8507 165.308 28.388C165.308 28.9253 165.126 29.376 164.762 29.74C164.398 30.104 163.956 30.286 163.436 30.286Z" fill="white"/>
-<path d="M170.02 13.88C169.482 13.88 169.032 13.698 168.668 13.334C168.304 12.97 168.122 12.5193 168.122 11.982C168.122 11.4447 168.304 10.994 168.668 10.63C169.032 10.266 169.482 10.084 170.02 10.084C170.54 10.084 170.982 10.266 171.346 10.63C171.71 10.994 171.892 11.4447 171.892 11.982C171.892 12.5193 171.71 12.97 171.346 13.334C170.982 13.698 170.54 13.88 170.02 13.88ZM171.476 15.778V30.104H168.512V15.778H171.476Z" fill="white"/>
-<path d="M181.581 30.3379C180.229 30.3379 179.007 30.0346 177.915 29.4279C176.823 28.8039 175.965 27.9372 175.341 26.8279C174.717 25.7012 174.405 24.4012 174.405 22.9279C174.405 21.4719 174.726 20.1806 175.367 19.0539C176.009 17.9272 176.884 17.0606 177.993 16.4539C179.103 15.8472 180.342 15.5439 181.711 15.5439C183.081 15.5439 184.32 15.8472 185.429 16.4539C186.539 17.0606 187.414 17.9272 188.055 19.0539C188.697 20.1806 189.017 21.4719 189.017 22.9279C189.017 24.3839 188.688 25.6752 188.029 26.8019C187.371 27.9286 186.469 28.8039 185.325 29.4279C184.199 30.0346 182.951 30.3379 181.581 30.3379ZM181.581 27.7639C182.344 27.7639 183.055 27.5819 183.713 27.2179C184.389 26.8539 184.935 26.3079 185.351 25.5799C185.767 24.8519 185.975 23.9679 185.975 22.9279C185.975 21.8879 185.776 21.0126 185.377 20.3019C184.979 19.5739 184.45 19.0279 183.791 18.6639C183.133 18.2999 182.422 18.1179 181.659 18.1179C180.897 18.1179 180.186 18.2999 179.527 18.6639C178.886 19.0279 178.375 19.5739 177.993 20.3019C177.612 21.0126 177.421 21.8879 177.421 22.9279C177.421 24.4706 177.811 25.6666 178.591 26.5159C179.389 27.3479 180.385 27.7639 181.581 27.7639Z" fill="white"/>
-</g>
-<defs>
-<clipPath id="clip0_10456_446354">
-<rect width="190" height="47" fill="white"/>
-</clipPath>
-</defs>
-</svg>
diff --git a/app/react/sidebar/Header.module.css b/app/react/sidebar/Header.module.css
index 002dad966..82a002e8a 100644
--- a/app/react/sidebar/Header.module.css
+++ b/app/react/sidebar/Header.module.css
@@ -1,9 +1,5 @@
 .logo {
   display: inline;
   max-height: 55px;
-  max-width: min(100%, 230px);
-}
-
-.collapseBtn:hover {
-  background-color: var(--bg-btn-default-hover-color);
+  max-width: min(100%, 220px);
 }
diff --git a/app/react/sidebar/Header.tsx b/app/react/sidebar/Header.tsx
index 60b24b883..b69aa7d3a 100644
--- a/app/react/sidebar/Header.tsx
+++ b/app/react/sidebar/Header.tsx
@@ -2,12 +2,13 @@ import { ChevronsLeft, ChevronsRight } from 'lucide-react';
 import clsx from 'clsx';
 
 import { isBE } from '@/react/portainer/feature-flags/feature-flags.service';
-import smallLogo from '@/assets/ico/logomark.svg';
 
 import { Link } from '@@/Link';
 
 import fullLogoBE from './portainer_logo-BE.svg';
 import fullLogoCE from './portainer_logo-CE.svg';
+import smallLogoBE from './logomark-BE.svg';
+import smallLogoCE from './logomark-CE.svg';
 import { useSidebarState } from './useSidebarState';
 import styles from './Header.module.css';
 
@@ -20,7 +21,7 @@ export function Header({ logo: customLogo }: Props) {
 
   return (
     <div className="flex">
-      <div>
+      <div className={clsx('pr-5 w-full flex', { 'justify-center': !isOpen })}>
         <Link
           to="portainer.home"
           data-cy="portainerSidebar-homeImage"
@@ -64,9 +65,8 @@ export function Header({ logo: customLogo }: Props) {
           styles.collapseBtn,
           'flex h-6 w-6 items-center justify-center rounded border-0',
           'transition-all duration-200',
-          'text-sm text-gray-4 hover:text-white be:text-gray-5 be:hover:text-white',
-          'bg-blue-11 be:bg-gray-10',
-          'th-dark:bg-gray-warm-11',
+          'text-sm text-gray-4',
+          'bg-graphite-900 hover:bg-graphite-500',
           'absolute',
           { '-right-[10px]': !isOpen, 'right-6': isOpen }
         )}
@@ -85,7 +85,7 @@ function getLogo(isOpen: boolean, customLogo?: string) {
   }
 
   if (!isOpen) {
-    return smallLogo;
+    return isBE ? smallLogoBE : smallLogoCE;
   }
 
   return isBE ? fullLogoBE : fullLogoCE;
@@ -103,7 +103,9 @@ function Logo({
   return (
     <img
       src={logo}
-      className={clsx('img-responsive', styles.logo)}
+      className={clsx('img-responsive', styles.logo, {
+        '!max-h-[27px]': !isOpen,
+      })}
       alt="Logo"
     />
   );
diff --git a/app/react/sidebar/SidebarItem/SidebarItem.tsx b/app/react/sidebar/SidebarItem/SidebarItem.tsx
index 96fd5cbc8..7208516f3 100644
--- a/app/react/sidebar/SidebarItem/SidebarItem.tsx
+++ b/app/react/sidebar/SidebarItem/SidebarItem.tsx
@@ -59,7 +59,7 @@ export function SidebarItem({
   return (
     <SidebarTooltip
       content={
-        <div className="rounded bg-blue-8 be:bg-gray-8 th-highcontrast:border th-highcontrast:border-solid th-highcontrast:border-white th-highcontrast:bg-black th-dark:bg-gray-true-8">
+        <div className="rounded th-highcontrast:border th-highcontrast:border-solid th-highcontrast:border-white th-highcontrast:bg-black">
           <Wrapper label={label}>
             <ItemAnchor
               href={anchorProps.href}
@@ -106,7 +106,7 @@ function ItemAnchor({
         className,
         'text-inherit no-underline hover:text-inherit hover:no-underline focus:text-inherit focus:no-underline',
         'flex h-8 w-full flex-1 items-center space-x-4 rounded-md text-sm',
-        'transition-colors duration-200 hover:bg-blue-5/20 be:hover:bg-gray-5/20 th-dark:hover:bg-gray-true-5/20',
+        'transition-colors duration-200 hover:bg-graphite-500',
         {
           // submenu items are always expanded (in a tooltip or in the sidebar)
           'w-full justify-start px-3': isOpen || isSubMenu,
diff --git a/app/react/sidebar/SidebarItem/SidebarParent.tsx b/app/react/sidebar/SidebarItem/SidebarParent.tsx
index 097472fc8..f510d6894 100644
--- a/app/react/sidebar/SidebarItem/SidebarParent.tsx
+++ b/app/react/sidebar/SidebarItem/SidebarParent.tsx
@@ -50,7 +50,7 @@ export function SidebarParent({
     <Wrapper className="flex flex-col">
       <div
         className={clsx(
-          'w-full h-8 items-center ease-in-out transition-colors flex duration-200 hover:bg-blue-5/20 be:hover:bg-gray-5/20 th-dark:hover:bg-gray-true-5/20 rounded-md',
+          'w-full h-8 items-center ease-in-out transition-colors flex duration-200 hover:bg-graphite-500 rounded-md',
           isSidebarOpen && 'pl-3',
           // only highlight the parent when the sidebar is closed/contracted and a child item is selected
           (!isSidebarOpen || !isExpanded) && anchorProps.className
@@ -117,7 +117,7 @@ export function SidebarParent({
           <li className="flex items-center space-x-2 text-sm mb-1">
             <span>{title}</span>
           </li>
-          <div className="bg-blue-8 be:bg-gray-8 th-dark:bg-gray-true-8 th-highcontrast:bg-black th-highcontrast:border th-highcontrast:border-solid th-highcontrast:border-white rounded">
+          <div className="th-highcontrast:bg-black th-highcontrast:border th-highcontrast:border-solid th-highcontrast:border-white rounded">
             {children}
           </div>
         </ul>
diff --git a/app/react/sidebar/SidebarItem/SidebarTooltip.tsx b/app/react/sidebar/SidebarItem/SidebarTooltip.tsx
index b9a2d11d4..ec25ffd99 100644
--- a/app/react/sidebar/SidebarItem/SidebarTooltip.tsx
+++ b/app/react/sidebar/SidebarItem/SidebarTooltip.tsx
@@ -8,7 +8,7 @@ type Props = {
 export function SidebarTooltip({ children, content }: Props) {
   return (
     <Tippy
-      className="sidebar !rounded-md bg-blue-9 p-3 !opacity-100 be:bg-gray-9 th-dark:bg-gray-true-9 th-highcontrast:bg-black th-highcontrast:border th-highcontrast:border-solid th-highcontrast:border-white"
+      className="sidebar !rounded-md bg-graphite-600 p-3 !opacity-100 th-highcontrast:bg-black th-highcontrast:border th-highcontrast:border-solid th-highcontrast:border-white"
       content={content}
       delay={[0, 0]}
       duration={[0, 0]}
diff --git a/app/react/sidebar/SidebarItem/useSidebarSrefActive.tsx b/app/react/sidebar/SidebarItem/useSidebarSrefActive.tsx
index d4ac75381..8dad74d16 100644
--- a/app/react/sidebar/SidebarItem/useSidebarSrefActive.tsx
+++ b/app/react/sidebar/SidebarItem/useSidebarSrefActive.tsx
@@ -22,7 +22,7 @@ export type PathOptions = {
 export function useSidebarSrefActive(
   to: string,
   // default values are the classes used in the sidebar for an active item
-  activeClassName: string = 'bg-blue-5/25 be:bg-gray-5/25 th-dark:bg-gray-true-5/25',
+  activeClassName: string = 'bg-graphite-500',
   params: Partial<Record<string, string>> = {},
   options: TransitionOptions = {},
   pathOptions: PathOptions = {
diff --git a/app/react/sidebar/logomark-BE.svg b/app/react/sidebar/logomark-BE.svg
new file mode 100644
index 000000000..beead5989
--- /dev/null
+++ b/app/react/sidebar/logomark-BE.svg
@@ -0,0 +1,11 @@
+<svg width="169" height="219" viewBox="0 0 169 219" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_261_120691)">
+<path d="M117.083 167.329H168.504V218.618H117.083V167.329Z" fill="#C080FF"/>
+<path d="M0.585938 0H80.7863C136.122 0 168.767 17.2947 168.767 73.6996V75.627C168.767 132.207 136.192 149.327 80.8564 149.327H63.3515V218.05H0.585938V0ZM77.1066 101.14C94.2436 101.14 103.268 94.7791 103.268 75.7672V73.5769C103.268 54.6526 94.2436 48.1693 77.1066 48.1693H63.369V101.122H77.1066V101.14Z" fill="#F7F6F3"/>
+</g>
+<defs>
+<clipPath id="clip0_261_120691">
+<rect width="168.414" height="218.719" fill="white" transform="translate(0.585938)"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/app/react/sidebar/logomark-CE.svg b/app/react/sidebar/logomark-CE.svg
new file mode 100644
index 000000000..1ed2ea259
--- /dev/null
+++ b/app/react/sidebar/logomark-CE.svg
@@ -0,0 +1,11 @@
+<svg width="170" height="219" viewBox="0 0 170 219" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_261_120684)">
+<path d="M0.724609 0H80.925C136.261 0 168.905 17.2947 168.905 73.6996V75.627C168.905 132.207 136.331 149.327 80.9951 149.327H63.4901V218.05H0.724609V0ZM77.2453 101.14C94.3823 101.14 103.406 94.7791 103.406 75.7672V73.5769C103.406 54.6526 94.3823 48.1693 77.2453 48.1693H63.5077V101.122H77.2453V101.14Z" fill="#F7F6F3"/>
+<path d="M117.222 167.329H168.642V218.618H117.222V167.329Z" fill="#FF80F2"/>
+</g>
+<defs>
+<clipPath id="clip0_261_120684">
+<rect width="168.414" height="218.719" fill="white" transform="translate(0.724609)"/>
+</clipPath>
+</defs>
+</svg>
diff --git a/app/react/sidebar/portainer_logo-BE.svg b/app/react/sidebar/portainer_logo-BE.svg
index ed7ab076d..ad9762aa8 100644
--- a/app/react/sidebar/portainer_logo-BE.svg
+++ b/app/react/sidebar/portainer_logo-BE.svg
@@ -1,51 +1,37 @@
-<svg width="190" height="46" viewBox="0 0 190 46" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_10456_446383)">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M10.8935 10.002H10.1953V13.6602H10.8935V10.002Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.8954 10.002H13.1973V13.6602H13.8954V10.002Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.9981 3.0204L17.2824 1.76562L5.34381 8.7464L6.0594 10.0012L17.9981 3.0204Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.9277 3.0204L18.6434 1.76562L30.5821 8.7464L29.8664 10.0012L17.9277 3.0204Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M32.6936 10.0195V8.57031H-0.015625V10.0195H32.6936Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M19.7422 30.4842V9.01172H21.1734V31.5269C20.7894 31.0851 20.3007 30.767 19.7422 30.4842Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.2988 30.1135V-0.177734H18.7301V30.2902C18.3286 30.0958 17.3512 30.1135 17.2988 30.1135Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M3.73725 33.1359C1.99182 31.8282 0.839844 29.7428 0.839844 27.3746C0.839844 26.1198 1.17147 24.8827 1.78237 23.8047H14.0003C14.6287 24.8827 14.9429 26.1198 14.9429 27.3746C14.9429 28.4703 14.8032 29.4953 14.3669 30.4143C13.4418 29.513 12.0804 29.1242 10.7015 29.1242C8.2579 29.1242 6.1634 30.6617 5.6223 32.9592C5.4303 32.9415 5.3081 32.9239 5.1161 32.9239C4.6449 32.9415 4.1911 33.0122 3.73725 33.1359Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M9.74131 15.2852H6.04102V19.0495H9.74131V15.2852Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M5.5694 15.2852H1.86914V19.0495H5.5694V15.2852Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M5.5694 19.4746H1.86914V23.2389H5.5694V19.4746Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M9.74131 19.4746H6.04102V23.2389H9.74131V19.4746Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.8956 19.4746H10.1953V23.2389H13.8956V19.4746Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.8956 13.2715H10.1953V17.0358H13.8956V13.2715Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M6.2331 33.702C6.7392 31.5282 8.6767 29.9023 10.9806 29.9023C12.4642 29.9023 13.7908 30.5739 14.6984 31.6343C15.4838 31.0864 16.4263 30.7683 17.4561 30.7683C20.1441 30.7683 22.3259 32.9774 22.3259 35.699C22.3259 36.2646 22.2386 36.7948 22.0641 37.3073C22.6575 38.1202 23.024 39.1452 23.024 40.241C23.024 42.9626 20.8423 45.1717 18.1543 45.1717C16.9674 45.1717 15.8853 44.7475 15.0475 44.0406C14.1573 45.2954 12.7086 46.126 11.0679 46.126C9.1828 46.126 7.5421 45.0303 6.7218 43.4397C6.3902 43.5104 6.0585 43.5458 5.7094 43.5458C3.0215 43.5458 0.822266 41.3367 0.822266 38.6151C0.822266 35.8934 3.00404 33.6843 5.7094 33.6843C5.884 33.6667 6.0585 33.6667 6.2331 33.702Z" fill="#13BEF9"/>
-<path d="M43.964 12.9406C44.4667 12.282 45.1513 11.7273 46.018 11.2766C46.8847 10.826 47.864 10.6006 48.956 10.6006C50.204 10.6006 51.3393 10.9126 52.362 11.5366C53.402 12.1433 54.2167 13.0013 54.806 14.1106C55.3953 15.22 55.69 16.494 55.69 17.9326C55.69 19.3713 55.3953 20.6626 54.806 21.8066C54.2167 22.9333 53.402 23.8173 52.362 24.4586C51.3393 25.0826 50.204 25.3946 48.956 25.3946C47.864 25.3946 46.8933 25.178 46.044 24.7446C45.1947 24.294 44.5013 23.7393 43.964 23.0806V31.9726H41V10.8346H43.964V12.9406ZM52.674 17.9326C52.674 16.9446 52.466 16.0953 52.05 15.3846C51.6513 14.6566 51.114 14.1106 50.438 13.7466C49.7793 13.3653 49.0687 13.1746 48.306 13.1746C47.5607 13.1746 46.85 13.3653 46.174 13.7466C45.5153 14.128 44.978 14.6826 44.562 15.4106C44.1633 16.1386 43.964 16.9966 43.964 17.9846C43.964 18.9726 44.1633 19.8393 44.562 20.5846C44.978 21.3126 45.5153 21.8673 46.174 22.2486C46.85 22.63 47.5607 22.8206 48.306 22.8206C49.0687 22.8206 49.7793 22.63 50.438 22.2486C51.114 21.85 51.6513 21.278 52.05 20.5326C52.466 19.7873 52.674 18.9206 52.674 17.9326Z" fill="white"/>
-<path d="M64.8351 25.3946C63.4831 25.3946 62.2611 25.0913 61.1691 24.4846C60.0771 23.8606 59.2191 22.994 58.5951 21.8846C57.9711 20.758 57.6591 19.458 57.6591 17.9846C57.6591 16.5286 57.9798 15.2373 58.6211 14.1106C59.2624 12.984 60.1378 12.1173 61.2471 11.5106C62.3564 10.904 63.5958 10.6006 64.9651 10.6006C66.3344 10.6006 67.5738 10.904 68.6831 11.5106C69.7924 12.1173 70.6678 12.984 71.3091 14.1106C71.9504 15.2373 72.2711 16.5286 72.2711 17.9846C72.2711 19.4406 71.9418 20.732 71.2831 21.8586C70.6244 22.9853 69.7231 23.8606 68.5791 24.4846C67.4524 25.0913 66.2044 25.3946 64.8351 25.3946ZM64.8351 22.8206C65.5978 22.8206 66.3084 22.6386 66.9671 22.2746C67.6431 21.9106 68.1891 21.3646 68.6051 20.6366C69.0211 19.9086 69.2291 19.0246 69.2291 17.9846C69.2291 16.9446 69.0298 16.0693 68.6311 15.3586C68.2324 14.6306 67.7038 14.0846 67.0451 13.7206C66.3864 13.3566 65.6758 13.1746 64.9131 13.1746C64.1504 13.1746 63.4398 13.3566 62.7811 13.7206C62.1398 14.0846 61.6284 14.6306 61.2471 15.3586C60.8658 16.0693 60.6751 16.9446 60.6751 17.9846C60.6751 19.5273 61.0651 20.7233 61.8451 21.5726C62.6424 22.4046 63.6391 22.8206 64.8351 22.8206Z" fill="white"/>
-<path d="M78.1652 12.9146C78.5985 12.1866 79.1705 11.6233 79.8812 11.2246C80.6092 10.8086 81.4672 10.6006 82.4552 10.6006V13.6686H81.7012C80.5398 13.6686 79.6558 13.9633 79.0492 14.5526C78.4598 15.142 78.1652 16.1646 78.1652 17.6206V25.1606H75.2012V10.8346H78.1652V12.9146Z" fill="white"/>
-<path d="M88.6378 13.2526V21.1826C88.6378 21.72 88.7591 22.11 89.0018 22.3526C89.2618 22.578 89.6951 22.6906 90.3018 22.6906H92.1218V25.1606H89.7818C88.4471 25.1606 87.4245 24.8486 86.7138 24.2246C86.0031 23.6006 85.6478 22.5866 85.6478 21.1826V13.2526H83.9578V10.8346H85.6478V7.27258H88.6378V10.8346H92.1218V13.2526H88.6378Z" fill="white"/>
-<path d="M93.8655 17.9326C93.8655 16.494 94.16 15.22 94.75 14.1106C95.356 13.0013 96.171 12.1433 97.194 11.5366C98.234 10.9126 99.378 10.6006 100.626 10.6006C101.752 10.6006 102.732 10.826 103.564 11.2766C104.413 11.71 105.089 12.256 105.592 12.9146V10.8346H108.582V25.1606H105.592V23.0286C105.089 23.7046 104.404 24.268 103.538 24.7186C102.671 25.1693 101.683 25.3946 100.574 25.3946C99.343 25.3946 98.216 25.0826 97.194 24.4586C96.171 23.8173 95.356 22.9333 94.75 21.8066C94.16 20.6626 93.8655 19.3713 93.8655 17.9326ZM105.592 17.9846C105.592 16.9966 105.384 16.1386 104.968 15.4106C104.569 14.6826 104.04 14.128 103.382 13.7466C102.723 13.3653 102.012 13.1746 101.25 13.1746C100.487 13.1746 99.776 13.3653 99.118 13.7466C98.459 14.1106 97.922 14.6566 97.506 15.3846C97.107 16.0953 96.908 16.9446 96.908 17.9326C96.908 18.9206 97.107 19.7873 97.506 20.5326C97.922 21.278 98.459 21.85 99.118 22.2486C99.794 22.63 100.504 22.8206 101.25 22.8206C102.012 22.8206 102.723 22.63 103.382 22.2486C104.04 21.8673 104.569 21.3126 104.968 20.5846C105.384 19.8393 105.592 18.9726 105.592 17.9846Z" fill="white"/>
-<path d="M113.983 8.9366C113.445 8.9366 112.995 8.7546 112.631 8.3906C112.267 8.0266 112.085 7.576 112.085 7.0386C112.085 6.50129 112.267 6.05064 112.631 5.68664C112.995 5.32264 113.445 5.14062 113.983 5.14062C114.503 5.14062 114.945 5.32264 115.309 5.68664C115.673 6.05064 115.855 6.50129 115.855 7.0386C115.855 7.576 115.673 8.0266 115.309 8.3906C114.945 8.7546 114.503 8.9366 113.983 8.9366ZM115.439 10.8346V25.1606H112.475V10.8346H115.439Z" fill="white"/>
-<path d="M126.558 10.6006C127.685 10.6006 128.69 10.8346 129.574 11.3026C130.475 11.7706 131.177 12.464 131.68 13.3826C132.183 14.3013 132.434 15.4106 132.434 16.7106V25.1606H129.496V17.1526C129.496 15.87 129.175 14.8906 128.534 14.2146C127.893 13.5213 127.017 13.1746 125.908 13.1746C124.799 13.1746 123.915 13.5213 123.256 14.2146C122.615 14.8906 122.294 15.87 122.294 17.1526V25.1606H119.33V10.8346H122.294V12.4726C122.779 11.8833 123.395 11.424 124.14 11.0946C124.903 10.7653 125.709 10.6006 126.558 10.6006Z" fill="white"/>
-<path d="M149.345 17.6466C149.345 18.184 149.31 18.6693 149.241 19.1026H138.295C138.382 20.2466 138.806 21.1653 139.569 21.8586C140.332 22.552 141.268 22.8986 142.377 22.8986C143.972 22.8986 145.098 22.2313 145.757 20.8966H148.955C148.522 22.214 147.733 23.2973 146.589 24.1466C145.462 24.9786 144.058 25.3946 142.377 25.3946C141.008 25.3946 139.777 25.0913 138.685 24.4846C137.61 23.8606 136.761 22.994 136.137 21.8846C135.53 20.758 135.227 19.458 135.227 17.9846C135.227 16.5113 135.522 15.22 136.111 14.1106C136.718 12.984 137.558 12.1173 138.633 11.5106C139.725 10.904 140.973 10.6006 142.377 10.6006C143.729 10.6006 144.934 10.8953 145.991 11.4846C147.048 12.074 147.872 12.906 148.461 13.9806C149.05 15.038 149.345 16.26 149.345 17.6466ZM146.251 16.7106C146.234 15.6186 145.844 14.7433 145.081 14.0846C144.318 13.426 143.374 13.0966 142.247 13.0966C141.224 13.0966 140.349 13.426 139.621 14.0846C138.893 14.726 138.46 15.6013 138.321 16.7106H146.251Z" fill="white"/>
-<path d="M155.226 12.9146C155.659 12.1866 156.231 11.6233 156.942 11.2246C157.67 10.8086 158.528 10.6006 159.516 10.6006V13.6686H158.762C157.6 13.6686 156.716 13.9633 156.11 14.5526C155.52 15.142 155.226 16.1646 155.226 17.6206V25.1606H152.262V10.8346H155.226V12.9146Z" fill="white"/>
-<path d="M163.436 25.3426C162.899 25.3426 162.448 25.1606 162.084 24.7966C161.72 24.4326 161.538 23.982 161.538 23.4446C161.538 22.9073 161.72 22.4566 162.084 22.0926C162.448 21.7286 162.899 21.5466 163.436 21.5466C163.956 21.5466 164.398 21.7286 164.762 22.0926C165.126 22.4566 165.308 22.9073 165.308 23.4446C165.308 23.982 165.126 24.4326 164.762 24.7966C164.398 25.1606 163.956 25.3426 163.436 25.3426Z" fill="white"/>
-<path d="M170.02 8.9366C169.482 8.9366 169.032 8.7546 168.668 8.3906C168.304 8.0266 168.122 7.576 168.122 7.0386C168.122 6.50129 168.304 6.05064 168.668 5.68664C169.032 5.32264 169.482 5.14062 170.02 5.14062C170.54 5.14062 170.982 5.32264 171.346 5.68664C171.71 6.05064 171.892 6.50129 171.892 7.0386C171.892 7.576 171.71 8.0266 171.346 8.3906C170.982 8.7546 170.54 8.9366 170.02 8.9366ZM171.476 10.8346V25.1606H168.512V10.8346H171.476Z" fill="white"/>
-<path d="M181.581 25.3946C180.229 25.3946 179.007 25.0913 177.915 24.4846C176.823 23.8606 175.965 22.994 175.341 21.8846C174.717 20.758 174.405 19.458 174.405 17.9846C174.405 16.5286 174.726 15.2373 175.367 14.1106C176.009 12.984 176.884 12.1173 177.993 11.5106C179.103 10.904 180.342 10.6006 181.711 10.6006C183.081 10.6006 184.32 10.904 185.429 11.5106C186.539 12.1173 187.414 12.984 188.055 14.1106C188.697 15.2373 189.017 16.5286 189.017 17.9846C189.017 19.4406 188.688 20.732 188.029 21.8586C187.371 22.9853 186.469 23.8606 185.325 24.4846C184.199 25.0913 182.951 25.3946 181.581 25.3946ZM181.581 22.8206C182.344 22.8206 183.055 22.6386 183.713 22.2746C184.389 21.9106 184.935 21.3646 185.351 20.6366C185.767 19.9086 185.975 19.0246 185.975 17.9846C185.975 16.9446 185.776 16.0693 185.377 15.3586C184.979 14.6306 184.45 14.0846 183.791 13.7206C183.133 13.3566 182.422 13.1746 181.659 13.1746C180.897 13.1746 180.186 13.3566 179.527 13.7206C178.886 14.0846 178.375 14.6306 177.993 15.3586C177.612 16.0693 177.421 16.9446 177.421 17.9846C177.421 19.5273 177.811 20.7233 178.591 21.5726C179.389 22.4046 180.385 22.8206 181.581 22.8206Z" fill="white"/>
-<path d="M61.4402 35.2345C61.7911 35.2971 62.0888 35.482 62.3332 35.7891C62.5776 36.0961 62.6998 36.4439 62.6998 36.8325C62.6998 37.1646 62.612 37.4654 62.4366 37.7349C62.2674 37.9981 62.0198 38.208 61.694 38.3647C61.3681 38.5151 60.989 38.5903 60.5566 38.5903H57.9434V32.0573H60.4344C60.8793 32.0573 61.2616 32.1325 61.5812 32.2829C61.9008 32.4333 62.142 32.6369 62.305 32.8939C62.4679 33.1445 62.5494 33.4264 62.5494 33.7398C62.5494 34.1158 62.4491 34.4292 62.2486 34.6799C62.048 34.9305 61.7786 35.1154 61.4402 35.2345ZM59.015 34.8021H60.3404C60.6913 34.8021 60.9639 34.7237 61.1582 34.5671C61.3587 34.4041 61.459 34.1722 61.459 33.8714C61.459 33.5768 61.3587 33.3481 61.1582 33.1852C60.9639 33.016 60.6913 32.9314 60.3404 32.9314H59.015V34.8021ZM60.4626 37.716C60.826 37.716 61.1112 37.6283 61.318 37.4529C61.5248 37.2774 61.6282 37.033 61.6282 36.7197C61.6282 36.4001 61.5185 36.1463 61.2992 35.9583C61.0798 35.7703 60.7884 35.6763 60.425 35.6763H59.015V37.716H60.4626Z" fill="#98A2B3"/>
-<path d="M67.5585 32.0573V36.2215C67.5585 36.7165 67.6869 37.0893 67.9439 37.34C68.2071 37.5906 68.5705 37.716 69.0343 37.716C69.5043 37.716 69.8677 37.5906 70.1247 37.34C70.3879 37.0893 70.5195 36.7165 70.5195 36.2215V32.0573H71.5911V36.2027C71.5911 36.7353 71.4751 37.1865 71.2433 37.5563C71.0114 37.926 70.7012 38.2016 70.3127 38.3834C69.9241 38.5651 69.4949 38.6561 69.0249 38.6561C68.5549 38.6561 68.1256 38.5651 67.7371 38.3834C67.3548 38.2016 67.0509 37.926 66.8253 37.5563C66.5997 37.1865 66.4869 36.7353 66.4869 36.2027V32.0573H67.5585Z" fill="#98A2B3"/>
-<path d="M77.7709 38.6561C77.3322 38.6561 76.9374 38.5809 76.5865 38.4305C76.2356 38.2738 75.9598 38.0545 75.7593 37.7725C75.5588 37.4905 75.4585 37.1615 75.4585 36.7855H76.6053C76.6304 37.0675 76.74 37.2993 76.9343 37.4811C77.1348 37.6628 77.4137 37.7537 77.7709 37.7537C78.1406 37.7537 78.4289 37.6659 78.6357 37.4905C78.8425 37.3087 78.9459 37.0769 78.9459 36.7949C78.9459 36.5755 78.8801 36.3969 78.7485 36.2591C78.6232 36.1212 78.4634 36.0147 78.2691 35.9395C78.0811 35.8643 77.8179 35.7828 77.4795 35.6951C77.0534 35.5823 76.7056 35.4695 76.4361 35.3567C76.1729 35.2376 75.9473 35.0559 75.7593 34.8115C75.5713 34.5671 75.4773 34.2412 75.4773 33.8339C75.4773 33.4579 75.5713 33.1289 75.7593 32.8469C75.9473 32.5649 76.2105 32.3487 76.5489 32.1983C76.8873 32.0479 77.279 31.9727 77.7239 31.9727C78.3568 31.9727 78.8738 32.1325 79.2749 32.4521C79.6822 32.7654 79.9078 33.1978 79.9517 33.7493H78.7673C78.7485 33.5111 78.6357 33.3075 78.4289 33.1383C78.2221 32.9691 77.9495 32.8845 77.6111 32.8845C77.304 32.8845 77.0534 32.9628 76.8591 33.1195C76.6648 33.2761 76.5677 33.5017 76.5677 33.7963C76.5677 33.9968 76.6272 34.1629 76.7463 34.2945C76.8716 34.4198 77.0283 34.5201 77.2163 34.5953C77.4043 34.6705 77.6612 34.7519 77.9871 34.8397C78.4195 34.9587 78.7704 35.0778 79.0399 35.1969C79.3156 35.3159 79.5475 35.5008 79.7355 35.7515C79.9298 35.9959 80.0269 36.3249 80.0269 36.7385C80.0269 37.0706 79.936 37.3839 79.7543 37.6785C79.5788 37.973 79.3188 38.2111 78.9741 38.3929C78.6357 38.5683 78.2346 38.6561 77.7709 38.6561Z" fill="#98A2B3"/>
-<path d="M84.9949 32.0573V38.5903H83.9233V32.0573H84.9949Z" fill="#98A2B3"/>
-<path d="M94.401 38.5903H93.3297L90.1055 33.7117V38.5903H89.0339V32.0479H90.1055L93.3297 36.917V32.0479H94.401V38.5903Z" fill="#98A2B3"/>
-<path d="M99.5119 32.9221V34.8396H101.768V35.7139H99.5119V37.716H102.05V38.5903H98.4399V32.0479H102.05V32.9221H99.5119Z" fill="#98A2B3"/>
-<path d="M108.155 38.6561C107.716 38.6561 107.321 38.5809 106.97 38.4305C106.619 38.2738 106.343 38.0545 106.143 37.7725C105.942 37.4905 105.842 37.1615 105.842 36.7855H106.989C107.014 37.0675 107.124 37.2993 107.318 37.4811C107.518 37.6628 107.797 37.7537 108.155 37.7537C108.524 37.7537 108.813 37.6659 109.019 37.4905C109.226 37.3087 109.33 37.0769 109.33 36.7949C109.33 36.5755 109.264 36.3969 109.132 36.2591C109.007 36.1212 108.847 36.0147 108.653 35.9395C108.465 35.8643 108.202 35.7828 107.863 35.6951C107.437 35.5823 107.089 35.4695 106.82 35.3567C106.557 35.2376 106.331 35.0559 106.143 34.8115C105.955 34.5671 105.861 34.2412 105.861 33.8339C105.861 33.4579 105.955 33.1289 106.143 32.8469C106.331 32.5649 106.594 32.3487 106.933 32.1983C107.271 32.0479 107.663 31.9727 108.108 31.9727C108.74 31.9727 109.257 32.1325 109.659 32.4521C110.066 32.7654 110.291 33.1978 110.335 33.7493H109.151C109.132 33.5111 109.019 33.3075 108.813 33.1383C108.606 32.9691 108.333 32.8845 107.995 32.8845C107.688 32.8845 107.437 32.9628 107.243 33.1195C107.048 33.2761 106.951 33.5017 106.951 33.7963C106.951 33.9968 107.011 34.1629 107.13 34.2945C107.255 34.4198 107.412 34.5201 107.6 34.5953C107.788 34.6705 108.045 34.7519 108.371 34.8397C108.803 34.9587 109.154 35.0778 109.424 35.1969C109.699 35.3159 109.931 35.5008 110.119 35.7515C110.313 35.9959 110.411 36.3249 110.411 36.7385C110.411 37.0706 110.32 37.3839 110.138 37.6785C109.962 37.973 109.702 38.2111 109.358 38.3929C109.019 38.5683 108.618 38.6561 108.155 38.6561Z" fill="#98A2B3"/>
-<path d="M116.46 38.6561C116.021 38.6561 115.626 38.5809 115.275 38.4305C114.924 38.2738 114.649 38.0545 114.448 37.7725C114.247 37.4905 114.147 37.1615 114.147 36.7855H115.294C115.319 37.0675 115.429 37.2993 115.623 37.4811C115.824 37.6628 116.102 37.7537 116.46 37.7537C116.829 37.7537 117.118 37.6659 117.324 37.4905C117.531 37.3087 117.635 37.0769 117.635 36.7949C117.635 36.5755 117.569 36.3969 117.437 36.2591C117.312 36.1212 117.152 36.0147 116.958 35.9395C116.77 35.8643 116.507 35.7828 116.168 35.6951C115.742 35.5823 115.394 35.4695 115.125 35.3567C114.862 35.2376 114.636 35.0559 114.448 34.8115C114.26 34.5671 114.166 34.2412 114.166 33.8339C114.166 33.4579 114.26 33.1289 114.448 32.8469C114.636 32.5649 114.899 32.3487 115.238 32.1983C115.576 32.0479 115.968 31.9727 116.413 31.9727C117.046 31.9727 117.563 32.1325 117.964 32.4521C118.371 32.7654 118.597 33.1978 118.64 33.7493H117.456C117.437 33.5111 117.324 33.3075 117.118 33.1383C116.911 32.9691 116.638 32.8845 116.3 32.8845C115.993 32.8845 115.742 32.9628 115.548 33.1195C115.354 33.2761 115.256 33.5017 115.256 33.7963C115.256 33.9968 115.316 34.1629 115.435 34.2945C115.56 34.4198 115.717 34.5201 115.905 34.5953C116.093 34.6705 116.35 34.7519 116.676 34.8397C117.108 34.9587 117.459 35.0778 117.729 35.1969C118.004 35.3159 118.236 35.5008 118.424 35.7515C118.618 35.9959 118.716 36.3249 118.716 36.7385C118.716 37.0706 118.625 37.3839 118.443 37.6785C118.268 37.973 118.007 38.2111 117.663 38.3929C117.324 38.5683 116.923 38.6561 116.46 38.6561Z" fill="#98A2B3"/>
-<path d="M128.757 32.9221V34.8396H131.013V35.7139H128.757V37.716H131.295V38.5903H127.686V32.0479H131.295V32.9221H128.757Z" fill="#98A2B3"/>
-<path d="M137.381 32.0573C138.077 32.0573 138.685 32.1919 139.205 32.4614C139.731 32.7246 140.135 33.1068 140.417 33.6082C140.706 34.1032 140.85 34.683 140.85 35.3473C140.85 36.0115 140.706 36.5881 140.417 37.0769C140.135 37.5657 139.731 37.9416 139.205 38.2048C138.685 38.4617 138.077 38.5903 137.381 38.5903H135.247V32.0573H137.381ZM137.381 37.716C138.146 37.716 138.732 37.5092 139.139 37.0956C139.546 36.682 139.75 36.0993 139.75 35.3473C139.75 34.589 139.546 33.9968 139.139 33.5707C138.732 33.1445 138.146 32.9314 137.381 32.9314H136.319V37.716H137.381Z" fill="#98A2B3"/>
-<path d="M145.615 32.0573V38.5903H144.544V32.0573H145.615Z" fill="#98A2B3"/>
-<path d="M153.875 32.0573V32.9314H152.136V38.5903H151.064V32.9314H149.316V32.0573H153.875Z" fill="#98A2B3"/>
-<path d="M158.664 32.0573V38.5903H157.592V32.0573H158.664Z" fill="#98A2B3"/>
-<path d="M165.682 38.6561C165.075 38.6561 164.514 38.5151 164 38.2331C163.492 37.9448 163.088 37.5469 162.787 37.0393C162.493 36.5254 162.345 35.9489 162.345 35.3097C162.345 34.6705 162.493 34.0971 162.787 33.5895C163.088 33.0819 163.492 32.6871 164 32.4051C164.514 32.1168 165.075 31.9727 165.682 31.9727C166.297 31.9727 166.857 32.1168 167.365 32.4051C167.879 32.6871 168.283 33.0819 168.578 33.5895C168.872 34.0971 169.019 34.6705 169.019 35.3097C169.019 35.9489 168.872 36.5254 168.578 37.0393C168.283 37.5469 167.879 37.9448 167.365 38.2331C166.857 38.5151 166.297 38.6561 165.682 38.6561ZM165.682 37.7255C166.115 37.7255 166.5 37.6283 166.839 37.4341C167.177 37.2335 167.44 36.9515 167.628 36.5881C167.823 36.2183 167.92 35.7922 167.92 35.3097C167.92 34.8271 167.823 34.4041 167.628 34.0407C167.44 33.6772 167.177 33.3983 166.839 33.2041C166.5 33.0098 166.115 32.9127 165.682 32.9127C165.25 32.9127 164.865 33.0098 164.526 33.2041C164.188 33.3983 163.922 33.6772 163.727 34.0407C163.539 34.4041 163.445 34.8271 163.445 35.3097C163.445 35.7922 163.539 36.2183 163.727 36.5881C163.922 36.9515 164.188 37.2335 164.526 37.4341C164.865 37.6283 165.25 37.7255 165.682 37.7255Z" fill="#98A2B3"/>
-<path d="M178.073 38.5903H177.002L173.778 33.7117V38.5903H172.706V32.0479H173.778L177.002 36.917V32.0479H178.073V38.5903Z" fill="#98A2B3"/>
+<svg width="1064" height="214" viewBox="0 0 1064 214" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_261_120526)">
+<path d="M0 3.08984H45.77C77.35 3.08984 95.98 12.9598 95.98 45.1498V46.2498C95.98 78.5398 77.39 88.3098 45.81 88.3098H35.82V127.53H0V3.08984ZM43.67 60.8098C53.45 60.8098 58.6 57.1798 58.6 46.3298V45.0798C58.6 34.2798 53.45 30.5798 43.67 30.5798H35.83V60.7998H43.67V60.8098Z" fill="#F7F6F3"/>
+<path d="M100.93 71.76V58.86C100.93 15.56 117.85 0 153.84 0C189.83 0 206.73 15.56 206.73 58.86V71.76C206.73 115.05 189.81 130.62 153.84 130.62C117.87 130.62 100.93 115.05 100.93 71.76ZM168.87 71.84V58.77C168.87 36.2 165.81 28.65 153.84 28.65C141.87 28.65 138.78 36.2 138.78 58.77V71.84C138.78 94.41 141.9 101.98 153.84 101.98C165.78 101.98 168.87 94.41 168.87 71.84Z" fill="#F7F6F3"/>
+<path d="M213.77 3.08984H256.91C289.3 3.08984 309.24 8.34984 309.24 36.5298V37.0098C309.17 53.8598 302.64 62.4799 291.7 67.1498C301.84 71.2098 305.35 76.0298 306.84 92.9998L308.14 108.5C309.29 121.82 309.77 124.57 311.51 127.53H274.87C273.71 124.4 273.11 120.96 272.8 116.89L271.22 97.1898C270.17 85.3598 268.39 82.3898 258.61 82.3898H249.6V127.52H213.78V3.08984H213.77ZM257.54 55.6898C268.7 55.6898 272.72 52.5198 272.72 43.2398V42.6998C272.72 33.4598 268.7 30.5098 257.54 30.5098H249.59V55.6898H257.54Z" fill="#F7F6F3"/>
+<path d="M343.52 32.5898H312.2V3.08984H410.63V32.5998H379.35V127.54H343.53V32.5898H343.52Z" fill="#F7F6F3"/>
+<path d="M425.88 3.08984H475.1L508.03 127.54H471.03L465.42 102.18H435.52L429.88 127.54H393.03L425.88 3.08984ZM459.58 73.8998L450.55 32.7398H450.32L441.3 73.8998H459.59H459.58Z" fill="#F7F6F3"/>
+<path d="M513.45 3.08984H549.27V127.54H513.45V3.08984Z" fill="#F7F6F3"/>
+<path d="M560.29 3.08984H602.69L629.04 85.0499H629.41L627.13 44.7498V3.08984H660.24V127.54H617.85L591.54 50.1298H591.17L593.39 90.5198V127.54H560.28V3.08984H560.29Z" fill="#F7F6F3"/>
+<path d="M671.24 3.08984H753.91V32.5998H707.06V50.3998H748.46V79.9099H707.06V98.0398H754.52V127.55H671.24V3.08984Z" fill="#F7F6F3"/>
+<path d="M763.42 3.08984H806.56C838.95 3.08984 858.89 8.34984 858.89 36.5298V37.0098C858.82 53.8598 852.29 62.4799 841.35 67.1498C851.49 71.2098 855 76.0298 856.49 92.9998L857.79 108.5C858.94 121.82 859.42 124.57 861.16 127.53H824.52C823.36 124.4 822.76 120.96 822.45 116.89L820.87 97.1898C819.82 85.3598 818.04 82.3898 808.26 82.3898H799.25V127.52H763.43V3.08984H763.42ZM807.2 55.6898C818.36 55.6898 822.38 52.5198 822.38 43.2398V42.6998C822.38 33.4598 818.36 30.5098 807.2 30.5098H799.25V55.6898H807.2Z" fill="#F7F6F3"/>
+<path d="M870.36 93.27H904.71V127.53H870.36V93.27Z" fill="#F7F6F3"/>
+<path d="M914.92 3.08984H949.85V28.7598H914.92V3.08984ZM914.92 35.5798H949.85V127.54H914.92V35.5798Z" fill="#F7F6F3"/>
+<path d="M958.1 71.76V58.86C958.1 15.57 975.02 0 1011.01 0C1047 0 1063.9 15.56 1063.9 58.86V71.76C1063.9 115.05 1046.98 130.62 1011.01 130.62C975.04 130.62 958.1 115.05 958.1 71.76ZM1026.05 71.84V58.77C1026.05 36.2 1022.99 28.65 1011.02 28.65C999.05 28.65 995.96 36.2 995.96 58.77V71.84C995.96 94.41 999.08 101.98 1011.02 101.98C1022.96 101.98 1026.05 94.41 1026.05 71.84Z" fill="#F7F6F3"/>
+<path d="M82.8498 175.29C90.4398 175.29 94.6398 178.04 94.6398 184.43C94.6398 188.27 92.7698 190.66 89.5998 192.22C94.1698 193.52 96.4099 197 96.4099 201.62C96.4099 209 90.2298 212.37 83.3198 212.37H65.3398V175.27H82.8498V175.29ZM81.8098 190.3C84.7698 190.3 86.7498 188.9 86.7498 185.88C86.7498 182.86 84.7798 181.62 81.2398 181.62H73.4998V190.3H81.8098ZM82.2698 206.04C86.0598 206.04 88.2498 204.48 88.2498 201.16C88.2498 197.58 86.1198 195.86 82.4298 195.86H73.4898V206.04H82.2698Z" fill="#F7F6F3"/>
+<path d="M112.82 175.29V198.51C112.82 203.97 115.21 206.41 120.46 206.41C126.18 206.41 128.15 203.97 128.15 198.51V175.29H136.31V198.51C136.31 207.76 130.96 213.26 120.46 213.26C109.96 213.26 104.67 207.75 104.67 198.51V175.29H112.83H112.82Z" fill="#F7F6F3"/>
+<path d="M173.869 186.35H165.969C165.709 182.61 163.529 180.74 158.699 180.74C155.689 180.74 153.039 182.04 153.039 184.95C153.039 187.65 154.599 188.17 162.909 190.25C168.419 191.65 175.119 193.52 175.119 201.37C175.119 208.38 169.559 213.27 159.689 213.27C151.839 213.27 143.899 209.53 143.899 200.33V200.07H151.799C151.799 205.32 156.109 206.93 159.959 206.93C163.809 206.93 167.229 205.68 167.229 202.31C167.229 199.97 165.409 198.52 160.839 197.37C158.089 196.64 155.699 196.12 153.309 195.34C147.699 193.47 145.149 190.3 145.149 185.57C145.149 178.09 152.219 174.4 159.019 174.4C166.969 174.4 173.879 177.93 173.879 186.35H173.869Z" fill="#F7F6F3"/>
+<path d="M191.01 175.29V212.39H182.85V175.29H191.01Z" fill="#F7F6F3"/>
+<path d="M209.19 175.29L224.67 200.18H224.77V175.29H232.41V212.39H224.25L208.82 187.56H208.72V212.39H201.08V175.29H209.18H209.19Z" fill="#F7F6F3"/>
+<path d="M270.24 175.29V182.15H250.65V190.1H268.63V196.44H250.65V205.53H270.65V212.39H242.49V175.29H270.23H270.24Z" fill="#F7F6F3"/>
+<path d="M306.71 186.35H298.81C298.55 182.61 296.37 180.74 291.54 180.74C288.53 180.74 285.88 182.04 285.88 184.95C285.88 187.65 287.44 188.17 295.75 190.25C301.26 191.65 307.96 193.52 307.96 201.37C307.96 208.38 302.4 213.27 292.53 213.27C284.68 213.27 276.74 209.53 276.74 200.33V200.07H284.64C284.64 205.32 288.95 206.93 292.8 206.93C296.65 206.93 300.07 205.68 300.07 202.31C300.07 199.97 298.25 198.52 293.68 197.37C290.93 196.64 288.54 196.12 286.15 195.34C280.54 193.47 277.99 190.3 277.99 185.57C277.99 178.09 285.06 174.4 291.86 174.4C299.81 174.4 306.72 177.93 306.72 186.35H306.71Z" fill="#F7F6F3"/>
+<path d="M343.34 186.35H335.44C335.18 182.61 333 180.74 328.17 180.74C325.16 180.74 322.51 182.04 322.51 184.95C322.51 187.65 324.07 188.17 332.38 190.25C337.89 191.65 344.59 193.52 344.59 201.37C344.59 208.38 339.03 213.27 329.16 213.27C321.31 213.27 313.37 209.53 313.37 200.33V200.07H321.27C321.27 205.32 325.58 206.93 329.43 206.93C333.28 206.93 336.7 205.68 336.7 202.31C336.7 199.97 334.88 198.52 330.31 197.37C327.56 196.64 325.17 196.12 322.78 195.34C317.17 193.47 314.62 190.3 314.62 185.57C314.62 178.09 321.69 174.4 328.49 174.4C336.44 174.4 343.35 177.93 343.35 186.35H343.34Z" fill="#F7F6F3"/>
+<path d="M397.42 175.29V182.15H377.83V190.1H395.81V196.44H377.83V205.53H397.83V212.39H369.67V175.29H397.41H397.42Z" fill="#F7F6F3"/>
+<path d="M422.15 175.29C432.44 175.29 439.09 181.94 439.09 193.63C439.09 205.32 432.75 212.39 422.36 212.39H406.25V175.29H422.15ZM421.63 205.53C426.72 205.53 430.93 202.36 430.93 194.36C430.93 185.53 427.03 182.15 420.23 182.15H414.41V205.53H421.63Z" fill="#F7F6F3"/>
+<path d="M455.809 175.29V212.39H447.649V175.29H455.809Z" fill="#F7F6F3"/>
+<path d="M493.379 175.29V182.15H482.259V212.39H474.099V182.15H462.979V175.29H493.369H493.379Z" fill="#F7F6F3"/>
+<path d="M508.7 175.29V212.39H500.54V175.29H508.7Z" fill="#F7F6F3"/>
+<path d="M553.64 193.99C553.64 204.8 546.73 213.27 535.4 213.27C524.07 213.27 517.16 204.8 517.16 193.99C517.16 183.18 524.02 174.4 535.4 174.4C546.78 174.4 553.64 182.76 553.64 193.99ZM535.4 206.41C542.31 206.41 545.48 200.75 545.48 193.99C545.48 186.87 542.31 181.26 535.35 181.26C528.39 181.26 525.32 186.82 525.32 193.99C525.32 201.16 528.59 206.41 535.4 206.41Z" fill="#F7F6F3"/>
+<path d="M570.21 175.29L585.69 200.18H585.79V175.29H593.43V212.39H585.27L569.84 187.56H569.74V212.39H562.1V175.29H570.21Z" fill="#F7F6F3"/>
+<path d="M1.87012 174.41H40.8301V213.27H1.87012V174.41Z" fill="#C080FF"/>
 </g>
 <defs>
-<clipPath id="clip0_10456_446383">
-<rect width="190" height="46" fill="white"/>
+<clipPath id="clip0_261_120526">
+<rect width="1063.9" height="213.27" fill="white"/>
 </clipPath>
 </defs>
 </svg>
diff --git a/app/react/sidebar/portainer_logo-CE.svg b/app/react/sidebar/portainer_logo-CE.svg
index 7b6c83a00..707c7b1a7 100644
--- a/app/react/sidebar/portainer_logo-CE.svg
+++ b/app/react/sidebar/portainer_logo-CE.svg
@@ -1,68 +1,38 @@
-<svg width="190" height="46" viewBox="0 0 190 46" fill="none" xmlns="http://www.w3.org/2000/svg">
-<g clip-path="url(#clip0_10456_446427)">
-<g filter="url(#filter0_dd_10456_446427)">
-<path fill-rule="evenodd" clip-rule="evenodd" d="M10.8935 9.95117H10.1953V13.6094H10.8935V9.95117Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.8954 9.95117H13.1973V13.6094H13.8954V9.95117Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.998 2.96962L17.2823 1.71484L5.34375 8.6956L6.05935 9.9504L17.998 2.96962Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.9277 2.96962L18.6434 1.71484L30.5821 8.6956L29.8664 9.9504L17.9277 2.96962Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M32.6936 9.96873V8.51953H-0.015625V9.96873H32.6936Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M19.7422 30.4335V8.96094H21.1734V31.4762C20.7894 31.0344 20.3007 30.7163 19.7422 30.4335Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M17.2988 30.0627V-0.228516H18.7301V30.2395C18.3286 30.0451 17.3512 30.0627 17.2988 30.0627Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M3.73725 33.0852C1.99182 31.7774 0.839844 29.692 0.839844 27.3238C0.839844 26.069 1.17147 24.8319 1.78237 23.7539H14.0003C14.6287 24.8319 14.9429 26.069 14.9429 27.3238C14.9429 28.4195 14.8032 29.4446 14.3669 30.3635C13.4418 29.4622 12.0804 29.0734 10.7015 29.0734C8.2579 29.0734 6.1634 30.611 5.6223 32.9084C5.4303 32.8908 5.3081 32.8731 5.1161 32.8731C4.6449 32.8908 4.1911 32.9615 3.73725 33.0852Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M9.74131 15.2344H6.04102V18.9987H9.74131V15.2344Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M5.5694 15.2344H1.86914V18.9987H5.5694V15.2344Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M5.5694 19.4238H1.86914V23.1881H5.5694V19.4238Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M9.74131 19.4238H6.04102V23.1881H9.74131V19.4238Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.8956 19.4238H10.1953V23.1881H13.8956V19.4238Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M13.8956 13.2207H10.1953V16.985H13.8956V13.2207Z" fill="#13BEF9"/>
-<path fill-rule="evenodd" clip-rule="evenodd" d="M6.2331 33.6512C6.7392 31.4775 8.6767 29.8516 10.9806 29.8516C12.4642 29.8516 13.7908 30.5231 14.6984 31.5835C15.4838 31.0356 16.4263 30.7175 17.4561 30.7175C20.1441 30.7175 22.3259 32.9266 22.3259 35.6483C22.3259 36.2138 22.2386 36.744 22.0641 37.2565C22.6575 38.0694 23.024 39.0945 23.024 40.1902C23.024 42.9118 20.8423 45.1209 18.1543 45.1209C16.9674 45.1209 15.8853 44.6968 15.0475 43.9898C14.1573 45.2446 12.7086 46.0752 11.0679 46.0752C9.1828 46.0752 7.5421 44.9795 6.7218 43.389C6.3902 43.4596 6.0585 43.495 5.7094 43.495C3.0215 43.495 0.822266 41.2859 0.822266 38.5643C0.822266 35.8427 3.00404 33.6336 5.7094 33.6336C5.884 33.6159 6.0585 33.6159 6.2331 33.6512Z" fill="#13BEF9"/>
-</g>
-<path d="M43.964 12.8898C44.4667 12.2312 45.1513 11.6765 46.018 11.2258C46.8847 10.7752 47.864 10.5498 48.956 10.5498C50.204 10.5498 51.3393 10.8618 52.362 11.4858C53.402 12.0925 54.2167 12.9505 54.806 14.0598C55.3953 15.1692 55.69 16.4432 55.69 17.8818C55.69 19.3205 55.3953 20.6118 54.806 21.7558C54.2167 22.8825 53.402 23.7665 52.362 24.4078C51.3393 25.0318 50.204 25.3438 48.956 25.3438C47.864 25.3438 46.8933 25.1272 46.044 24.6938C45.1947 24.2432 44.5013 23.6885 43.964 23.0298V31.9218H41V10.7838H43.964V12.8898ZM52.674 17.8818C52.674 16.8938 52.466 16.0445 52.05 15.3338C51.6513 14.6058 51.114 14.0598 50.438 13.6958C49.7793 13.3145 49.0687 13.1238 48.306 13.1238C47.5607 13.1238 46.85 13.3145 46.174 13.6958C45.5153 14.0772 44.978 14.6318 44.562 15.3598C44.1633 16.0878 43.964 16.9458 43.964 17.9338C43.964 18.9218 44.1633 19.7885 44.562 20.5338C44.978 21.2618 45.5153 21.8165 46.174 22.1978C46.85 22.5792 47.5607 22.7698 48.306 22.7698C49.0687 22.7698 49.7793 22.5792 50.438 22.1978C51.114 21.7992 51.6513 21.2272 52.05 20.4818C52.466 19.7365 52.674 18.8698 52.674 17.8818Z" fill="white"/>
-<path d="M64.8351 25.3438C63.4831 25.3438 62.2611 25.0405 61.1691 24.4338C60.0771 23.8098 59.2191 22.9432 58.5951 21.8338C57.9711 20.7072 57.6591 19.4072 57.6591 17.9338C57.6591 16.4778 57.9798 15.1865 58.6211 14.0598C59.2624 12.9332 60.1378 12.0665 61.2471 11.4598C62.3564 10.8532 63.5958 10.5498 64.9651 10.5498C66.3344 10.5498 67.5738 10.8532 68.6831 11.4598C69.7924 12.0665 70.6678 12.9332 71.3091 14.0598C71.9504 15.1865 72.2711 16.4778 72.2711 17.9338C72.2711 19.3898 71.9418 20.6812 71.2831 21.8078C70.6244 22.9345 69.7231 23.8098 68.5791 24.4338C67.4524 25.0405 66.2044 25.3438 64.8351 25.3438ZM64.8351 22.7698C65.5978 22.7698 66.3084 22.5878 66.9671 22.2238C67.6431 21.8598 68.1891 21.3138 68.6051 20.5858C69.0211 19.8578 69.2291 18.9738 69.2291 17.9338C69.2291 16.8938 69.0298 16.0185 68.6311 15.3078C68.2324 14.5798 67.7038 14.0338 67.0451 13.6698C66.3864 13.3058 65.6758 13.1238 64.9131 13.1238C64.1504 13.1238 63.4398 13.3058 62.7811 13.6698C62.1398 14.0338 61.6284 14.5798 61.2471 15.3078C60.8658 16.0185 60.6751 16.8938 60.6751 17.9338C60.6751 19.4765 61.0651 20.6725 61.8451 21.5218C62.6424 22.3538 63.6391 22.7698 64.8351 22.7698Z" fill="white"/>
-<path d="M78.1652 12.8638C78.5985 12.1358 79.1705 11.5725 79.8812 11.1738C80.6092 10.7578 81.4672 10.5498 82.4552 10.5498V13.6178H81.7012C80.5398 13.6178 79.6558 13.9125 79.0492 14.5018C78.4598 15.0912 78.1652 16.1138 78.1652 17.5698V25.1098H75.2012V10.7838H78.1652V12.8638Z" fill="white"/>
-<path d="M88.6378 13.2018V21.1318C88.6378 21.6692 88.7591 22.0592 89.0018 22.3018C89.2618 22.5272 89.6951 22.6398 90.3018 22.6398H92.1218V25.1098H89.7818C88.4471 25.1098 87.4245 24.7978 86.7138 24.1738C86.0031 23.5498 85.6478 22.5358 85.6478 21.1318V13.2018H83.9578V10.7838H85.6478V7.2218H88.6378V10.7838H92.1218V13.2018H88.6378Z" fill="white"/>
-<path d="M93.8655 17.8818C93.8655 16.4432 94.16 15.1692 94.75 14.0598C95.356 12.9505 96.171 12.0925 97.194 11.4858C98.234 10.8618 99.378 10.5498 100.626 10.5498C101.752 10.5498 102.732 10.7752 103.564 11.2258C104.413 11.6592 105.089 12.2052 105.592 12.8638V10.7838H108.582V25.1098H105.592V22.9778C105.089 23.6538 104.404 24.2172 103.538 24.6678C102.671 25.1185 101.683 25.3438 100.574 25.3438C99.343 25.3438 98.216 25.0318 97.194 24.4078C96.171 23.7665 95.356 22.8825 94.75 21.7558C94.16 20.6118 93.8655 19.3205 93.8655 17.8818ZM105.592 17.9338C105.592 16.9458 105.384 16.0878 104.968 15.3598C104.569 14.6318 104.04 14.0772 103.382 13.6958C102.723 13.3145 102.012 13.1238 101.25 13.1238C100.487 13.1238 99.776 13.3145 99.118 13.6958C98.459 14.0598 97.922 14.6058 97.506 15.3338C97.107 16.0445 96.908 16.8938 96.908 17.8818C96.908 18.8698 97.107 19.7365 97.506 20.4818C97.922 21.2272 98.459 21.7992 99.118 22.1978C99.794 22.5792 100.504 22.7698 101.25 22.7698C102.012 22.7698 102.723 22.5792 103.382 22.1978C104.04 21.8165 104.569 21.2618 104.968 20.5338C105.384 19.7885 105.592 18.9218 105.592 17.9338Z" fill="white"/>
-<path d="M113.983 8.8858C113.445 8.8858 112.995 8.7038 112.631 8.3398C112.267 7.9758 112.085 7.5252 112.085 6.98784C112.085 6.45051 112.267 5.99984 112.631 5.63584C112.995 5.27184 113.445 5.08984 113.983 5.08984C114.503 5.08984 114.945 5.27184 115.309 5.63584C115.673 5.99984 115.855 6.45051 115.855 6.98784C115.855 7.5252 115.673 7.9758 115.309 8.3398C114.945 8.7038 114.503 8.8858 113.983 8.8858ZM115.439 10.7838V25.1098H112.475V10.7838H115.439Z" fill="white"/>
-<path d="M126.558 10.5498C127.685 10.5498 128.69 10.7838 129.574 11.2518C130.475 11.7198 131.177 12.4132 131.68 13.3318C132.183 14.2505 132.434 15.3598 132.434 16.6598V25.1098H129.496V17.1018C129.496 15.8192 129.175 14.8398 128.534 14.1638C127.893 13.4705 127.017 13.1238 125.908 13.1238C124.799 13.1238 123.915 13.4705 123.256 14.1638C122.615 14.8398 122.294 15.8192 122.294 17.1018V25.1098H119.33V10.7838H122.294V12.4218C122.779 11.8325 123.395 11.3732 124.14 11.0438C124.903 10.7145 125.709 10.5498 126.558 10.5498Z" fill="white"/>
-<path d="M149.345 17.5958C149.345 18.1332 149.31 18.6185 149.241 19.0518H138.295C138.382 20.1958 138.806 21.1145 139.569 21.8078C140.332 22.5012 141.268 22.8478 142.377 22.8478C143.972 22.8478 145.098 22.1805 145.757 20.8458H148.955C148.522 22.1632 147.733 23.2465 146.589 24.0958C145.462 24.9278 144.058 25.3438 142.377 25.3438C141.008 25.3438 139.777 25.0405 138.685 24.4338C137.61 23.8098 136.761 22.9432 136.137 21.8338C135.53 20.7072 135.227 19.4072 135.227 17.9338C135.227 16.4605 135.522 15.1692 136.111 14.0598C136.718 12.9332 137.558 12.0665 138.633 11.4598C139.725 10.8532 140.973 10.5498 142.377 10.5498C143.729 10.5498 144.934 10.8445 145.991 11.4338C147.048 12.0232 147.872 12.8552 148.461 13.9298C149.05 14.9872 149.345 16.2092 149.345 17.5958ZM146.251 16.6598C146.234 15.5678 145.844 14.6925 145.081 14.0338C144.318 13.3752 143.374 13.0458 142.247 13.0458C141.224 13.0458 140.349 13.3752 139.621 14.0338C138.893 14.6752 138.46 15.5505 138.321 16.6598H146.251Z" fill="white"/>
-<path d="M155.226 12.8638C155.659 12.1358 156.231 11.5725 156.942 11.1738C157.67 10.7578 158.528 10.5498 159.516 10.5498V13.6178H158.762C157.6 13.6178 156.716 13.9125 156.11 14.5018C155.52 15.0912 155.226 16.1138 155.226 17.5698V25.1098H152.262V10.7838H155.226V12.8638Z" fill="white"/>
-<path d="M163.436 25.2918C162.899 25.2918 162.448 25.1098 162.084 24.7458C161.72 24.3818 161.538 23.9313 161.538 23.3939C161.538 22.8566 161.72 22.4058 162.084 22.0418C162.448 21.6778 162.899 21.4958 163.436 21.4958C163.956 21.4958 164.398 21.6778 164.762 22.0418C165.126 22.4058 165.308 22.8566 165.308 23.3939C165.308 23.9313 165.126 24.3818 164.762 24.7458C164.398 25.1098 163.956 25.2918 163.436 25.2918Z" fill="white"/>
-<path d="M170.02 8.8858C169.482 8.8858 169.032 8.7038 168.668 8.3398C168.304 7.9758 168.122 7.5252 168.122 6.98784C168.122 6.45051 168.304 5.99984 168.668 5.63584C169.032 5.27184 169.482 5.08984 170.02 5.08984C170.54 5.08984 170.982 5.27184 171.346 5.63584C171.71 5.99984 171.892 6.45051 171.892 6.98784C171.892 7.5252 171.71 7.9758 171.346 8.3398C170.982 8.7038 170.54 8.8858 170.02 8.8858ZM171.476 10.7838V25.1098H168.512V10.7838H171.476Z" fill="white"/>
-<path d="M181.581 25.3438C180.229 25.3438 179.007 25.0405 177.915 24.4338C176.823 23.8098 175.965 22.9432 175.341 21.8338C174.717 20.7072 174.405 19.4072 174.405 17.9338C174.405 16.4778 174.726 15.1865 175.367 14.0598C176.009 12.9332 176.884 12.0665 177.993 11.4598C179.103 10.8532 180.342 10.5498 181.711 10.5498C183.081 10.5498 184.32 10.8532 185.429 11.4598C186.539 12.0665 187.414 12.9332 188.055 14.0598C188.697 15.1865 189.017 16.4778 189.017 17.9338C189.017 19.3898 188.688 20.6812 188.029 21.8078C187.371 22.9345 186.469 23.8098 185.325 24.4338C184.199 25.0405 182.951 25.3438 181.581 25.3438ZM181.581 22.7698C182.344 22.7698 183.055 22.5878 183.713 22.2238C184.389 21.8598 184.935 21.3138 185.351 20.5858C185.767 19.8578 185.975 18.9738 185.975 17.9338C185.975 16.8938 185.776 16.0185 185.377 15.3078C184.979 14.5798 184.45 14.0338 183.791 13.6698C183.133 13.3058 182.422 13.1238 181.659 13.1238C180.897 13.1238 180.186 13.3058 179.527 13.6698C178.886 14.0338 178.375 14.5798 177.993 15.3078C177.612 16.0185 177.421 16.8938 177.421 17.9338C177.421 19.4765 177.811 20.6725 178.591 21.5218C179.389 22.3538 180.385 22.7698 181.581 22.7698Z" fill="white"/>
-<path d="M48.2754 35.2589C48.2754 34.6197 48.4227 34.0463 48.7172 33.5387C49.018 33.0311 49.4222 32.6363 49.9298 32.3543C50.4437 32.066 51.0045 31.9219 51.6124 31.9219C52.308 31.9219 52.9253 32.0942 53.4642 32.4389C54.0094 32.7773 54.4042 33.2598 54.6486 33.8865H53.3608C53.1916 33.5418 52.9566 33.2849 52.6558 33.1157C52.355 32.9465 52.0072 32.8619 51.6124 32.8619C51.18 32.8619 50.7946 32.959 50.4562 33.1533C50.1178 33.3475 49.8515 33.6264 49.6572 33.9899C49.4692 34.3533 49.3752 34.7763 49.3752 35.2589C49.3752 35.7414 49.4692 36.1644 49.6572 36.5279C49.8515 36.8913 50.1178 37.1733 50.4562 37.3739C50.7946 37.5681 51.18 37.6653 51.6124 37.6653C52.0072 37.6653 52.355 37.5807 52.6558 37.4115C52.9566 37.2423 53.1916 36.9853 53.3608 36.6407H54.6486C54.4042 37.2673 54.0094 37.7499 53.4642 38.0883C52.9253 38.4267 52.308 38.5959 51.6124 38.5959C50.9983 38.5959 50.4374 38.4549 49.9298 38.1729C49.4222 37.8846 49.018 37.4867 48.7172 36.9791C48.4227 36.4715 48.2754 35.8981 48.2754 35.2589Z" fill="#98A2B3"/>
-<path d="M61.5147 38.6053C60.9068 38.6053 60.346 38.4643 59.8321 38.1823C59.3245 37.894 58.9203 37.4961 58.6195 36.9885C58.325 36.4746 58.1777 35.8981 58.1777 35.2589C58.1777 34.6197 58.325 34.0463 58.6195 33.5387C58.9203 33.0311 59.3245 32.6363 59.8321 32.3543C60.346 32.066 60.9068 31.9219 61.5147 31.9219C62.1288 31.9219 62.6897 32.066 63.1973 32.3543C63.7112 32.6363 64.1154 33.0311 64.4099 33.5387C64.7044 34.0463 64.8517 34.6197 64.8517 35.2589C64.8517 35.8981 64.7044 36.4746 64.4099 36.9885C64.1154 37.4961 63.7112 37.894 63.1973 38.1823C62.6897 38.4643 62.1288 38.6053 61.5147 38.6053ZM61.5147 37.6747C61.9471 37.6747 62.3325 37.5775 62.6709 37.3833C63.0093 37.1827 63.2725 36.9007 63.4605 36.5373C63.6548 36.1675 63.7519 35.7414 63.7519 35.2589C63.7519 34.7763 63.6548 34.3533 63.4605 33.9899C63.2725 33.6264 63.0093 33.3475 62.6709 33.1533C62.3325 32.959 61.9471 32.8619 61.5147 32.8619C61.0823 32.8619 60.6969 32.959 60.3585 33.1533C60.0201 33.3475 59.7538 33.6264 59.5595 33.9899C59.3715 34.3533 59.2775 34.7763 59.2775 35.2589C59.2775 35.7414 59.3715 36.1675 59.5595 36.5373C59.7538 36.9007 60.0201 37.1827 60.3585 37.3833C60.6969 37.5775 61.0823 37.6747 61.5147 37.6747Z" fill="#98A2B3"/>
-<path d="M75.419 32.0065V38.5395H74.3474V34.0651L72.3546 38.5395H71.612L69.6098 34.0651V38.5395H68.5382V32.0065H69.6944L71.988 37.1295L74.2722 32.0065H75.419Z" fill="#98A2B3"/>
-<path d="M86.3402 32.0065V38.5395H85.2687V34.0651L83.2758 38.5395H82.5332L80.531 34.0651V38.5395H79.4594V32.0065H80.6157L82.9092 37.1295L85.1935 32.0065H86.3402Z" fill="#98A2B3"/>
-<path d="M91.4429 32.0065V36.1707C91.4429 36.6657 91.5714 37.0386 91.8283 37.2893C92.0915 37.5399 92.455 37.6653 92.9187 37.6653C93.3887 37.6653 93.7522 37.5399 94.009 37.2893C94.272 37.0386 94.404 36.6657 94.404 36.1707V32.0065H95.476V36.1519C95.476 36.6845 95.36 37.1357 95.128 37.5055C94.896 37.8752 94.586 38.1509 94.197 38.3327C93.8086 38.5144 93.3793 38.6053 92.9093 38.6053C92.4393 38.6053 92.01 38.5144 91.6215 38.3327C91.2392 38.1509 90.9353 37.8752 90.7097 37.5055C90.4841 37.1357 90.3713 36.6845 90.3713 36.1519V32.0065H91.4429Z" fill="#98A2B3"/>
-<path d="M104.87 38.5395H103.799L100.574 33.6609V38.5395H99.5031V31.9971H100.574L103.799 36.8663V31.9971H104.87V38.5395Z" fill="#98A2B3"/>
-<path d="M109.981 32.0065V38.5395H108.909V32.0065H109.981Z" fill="#98A2B3"/>
-<path d="M118.24 32.0065V32.8807H116.501V38.5395H115.43V32.8807H113.681V32.0065H118.24Z" fill="#98A2B3"/>
-<path d="M126.799 32.0065L124.637 36.1707V38.5395H123.565V36.1707L121.394 32.0065H122.588L124.101 35.2119L125.614 32.0065H126.799Z" fill="#98A2B3"/>
-<path d="M136.427 32.8713V34.7889H138.683V35.6631H136.427V37.6653H138.965V38.5395H135.355V31.9971H138.965V32.8713H136.427Z" fill="#98A2B3"/>
-<path d="M145.05 32.0065C145.746 32.0065 146.354 32.1412 146.874 32.4107C147.4 32.6739 147.804 33.0561 148.086 33.5575C148.375 34.0525 148.519 34.6322 148.519 35.2965C148.519 35.9607 148.375 36.5373 148.086 37.0261C147.804 37.5149 147.4 37.8909 146.874 38.1541C146.354 38.411 145.746 38.5395 145.05 38.5395H142.916V32.0065H145.05ZM145.05 37.6653C145.815 37.6653 146.401 37.4585 146.808 37.0449C147.215 36.6313 147.419 36.0485 147.419 35.2965C147.419 34.5382 147.215 33.946 146.808 33.5199C146.401 33.0937 145.815 32.8807 145.05 32.8807H143.988V37.6653H145.05Z" fill="#98A2B3"/>
-<path d="M153.284 32.0065V38.5395H152.213V32.0065H153.284Z" fill="#98A2B3"/>
-<path d="M161.544 32.0065V32.8807H159.805V38.5395H158.733V32.8807H156.985V32.0065H161.544Z" fill="#98A2B3"/>
-<path d="M166.333 32.0065V38.5395H165.261V32.0065H166.333Z" fill="#98A2B3"/>
-<path d="M173.352 38.6053C172.744 38.6053 172.183 38.4643 171.669 38.1823C171.161 37.894 170.757 37.4961 170.456 36.9885C170.162 36.4746 170.015 35.8981 170.015 35.2589C170.015 34.6197 170.162 34.0463 170.456 33.5387C170.757 33.0311 171.161 32.6363 171.669 32.3543C172.183 32.066 172.744 31.9219 173.352 31.9219C173.966 31.9219 174.527 32.066 175.034 32.3543C175.548 32.6363 175.952 33.0311 176.247 33.5387C176.541 34.0463 176.689 34.6197 176.689 35.2589C176.689 35.8981 176.541 36.4746 176.247 36.9885C175.952 37.4961 175.548 37.894 175.034 38.1823C174.527 38.4643 173.966 38.6053 173.352 38.6053ZM173.352 37.6747C173.784 37.6747 174.169 37.5775 174.508 37.3833C174.846 37.1827 175.109 36.9007 175.297 36.5373C175.492 36.1675 175.589 35.7414 175.589 35.2589C175.589 34.7763 175.492 34.3533 175.297 33.9899C175.109 33.6264 174.846 33.3475 174.508 33.1533C174.169 32.959 173.784 32.8619 173.352 32.8619C172.919 32.8619 172.534 32.959 172.195 33.1533C171.857 33.3475 171.591 33.6264 171.396 33.9899C171.208 34.3533 171.114 34.7763 171.114 35.2589C171.114 35.7414 171.208 36.1675 171.396 36.5373C171.591 36.9007 171.857 37.1827 172.195 37.3833C172.534 37.5775 172.919 37.6747 173.352 37.6747Z" fill="#98A2B3"/>
-<path d="M185.742 38.5395H184.671L181.447 33.6609V38.5395H180.375V31.9971H181.447L184.671 36.8663V31.9971H185.742V38.5395Z" fill="#98A2B3"/>
+<svg width="1064" height="214" viewBox="0 0 1064 214" fill="none" xmlns="http://www.w3.org/2000/svg">
+<g clip-path="url(#clip0_261_120595)">
+<path d="M0 3.08984H45.77C77.35 3.08984 95.98 12.9598 95.98 45.1498V46.2498C95.98 78.5398 77.39 88.3098 45.81 88.3098H35.82V127.53H0V3.08984ZM43.67 60.8098C53.45 60.8098 58.6 57.1798 58.6 46.3298V45.0798C58.6 34.2798 53.45 30.5798 43.67 30.5798H35.83V60.7998H43.67V60.8098Z" fill="#F7F6F3"/>
+<path d="M100.93 71.76V58.86C100.93 15.56 117.85 0 153.84 0C189.83 0 206.73 15.56 206.73 58.86V71.76C206.73 115.05 189.81 130.62 153.84 130.62C117.87 130.62 100.93 115.05 100.93 71.76ZM168.87 71.84V58.77C168.87 36.2 165.81 28.65 153.84 28.65C141.87 28.65 138.78 36.2 138.78 58.77V71.84C138.78 94.41 141.9 101.98 153.84 101.98C165.78 101.98 168.87 94.41 168.87 71.84Z" fill="#F7F6F3"/>
+<path d="M213.77 3.08984H256.91C289.3 3.08984 309.24 8.34984 309.24 36.5298V37.0098C309.17 53.8598 302.64 62.4799 291.7 67.1498C301.84 71.2098 305.35 76.0298 306.84 92.9998L308.14 108.5C309.29 121.82 309.77 124.57 311.51 127.53H274.87C273.71 124.4 273.11 120.96 272.8 116.89L271.22 97.1898C270.17 85.3598 268.39 82.3898 258.61 82.3898H249.6V127.52H213.78V3.08984H213.77ZM257.54 55.6898C268.7 55.6898 272.72 52.5198 272.72 43.2398V42.6998C272.72 33.4598 268.7 30.5098 257.54 30.5098H249.59V55.6898H257.54Z" fill="#F7F6F3"/>
+<path d="M343.52 32.5898H312.2V3.08984H410.63V32.5998H379.35V127.54H343.53V32.5898H343.52Z" fill="#F7F6F3"/>
+<path d="M425.88 3.08984H475.1L508.03 127.54H471.03L465.42 102.18H435.52L429.88 127.54H393.03L425.88 3.08984ZM459.58 73.8998L450.55 32.7398H450.32L441.3 73.8998H459.59H459.58Z" fill="#F7F6F3"/>
+<path d="M513.45 3.08984H549.27V127.54H513.45V3.08984Z" fill="#F7F6F3"/>
+<path d="M560.29 3.08984H602.69L629.04 85.0499H629.41L627.13 44.7498V3.08984H660.24V127.54H617.85L591.54 50.1298H591.17L593.39 90.5198V127.54H560.28V3.08984H560.29Z" fill="#F7F6F3"/>
+<path d="M671.24 3.08984H753.91V32.5998H707.06V50.3998H748.46V79.9099H707.06V98.0398H754.52V127.55H671.24V3.08984Z" fill="#F7F6F3"/>
+<path d="M763.42 3.08984H806.56C838.95 3.08984 858.89 8.34984 858.89 36.5298V37.0098C858.82 53.8598 852.29 62.4799 841.35 67.1498C851.49 71.2098 855 76.0298 856.49 92.9998L857.79 108.5C858.94 121.82 859.42 124.57 861.16 127.53H824.52C823.36 124.4 822.76 120.96 822.45 116.89L820.87 97.1898C819.82 85.3598 818.04 82.3898 808.26 82.3898H799.25V127.52H763.43V3.08984H763.42ZM807.2 55.6898C818.36 55.6898 822.38 52.5198 822.38 43.2398V42.6998C822.38 33.4598 818.36 30.5098 807.2 30.5098H799.25V55.6898H807.2Z" fill="#F7F6F3"/>
+<path d="M870.36 93.27H904.71V127.53H870.36V93.27Z" fill="#F7F6F3"/>
+<path d="M914.92 3.08984H949.85V28.7598H914.92V3.08984ZM914.92 35.5798H949.85V127.54H914.92V35.5798Z" fill="#F7F6F3"/>
+<path d="M958.1 71.76V58.86C958.1 15.57 975.02 0 1011.01 0C1047 0 1063.9 15.56 1063.9 58.86V71.76C1063.9 115.05 1046.98 130.62 1011.01 130.62C975.04 130.62 958.1 115.05 958.1 71.76ZM1026.05 71.84V58.77C1026.05 36.2 1022.99 28.65 1011.02 28.65C999.05 28.65 995.96 36.2 995.96 58.77V71.84C995.96 94.41 999.08 101.98 1011.02 101.98C1022.96 101.98 1026.05 94.41 1026.05 71.84Z" fill="#F7F6F3"/>
+<path d="M97.9702 187.76H90.0702C89.5002 184.12 86.0202 181.26 81.9702 181.26C75.3202 181.26 71.8902 186.51 71.8902 193.99C71.8902 200.95 75.1602 206.41 81.9702 206.41C86.6502 206.41 89.7102 203.4 90.3902 198.1H98.2902C97.4602 207.45 91.0702 213.27 81.9802 213.27C70.6502 213.27 63.7402 204.85 63.7402 193.99C63.7402 183.13 70.4902 174.4 81.9802 174.4C90.2902 174.4 97.0502 179.39 97.9802 187.75L97.9702 187.76Z" fill="#F7F6F3"/>
+<path d="M141.4 193.99C141.4 204.8 134.49 213.27 123.16 213.27C111.83 213.27 104.92 204.8 104.92 193.99C104.92 183.18 111.78 174.4 123.16 174.4C134.54 174.4 141.4 182.76 141.4 193.99ZM123.16 206.41C130.07 206.41 133.24 200.75 133.24 193.99C133.24 186.87 130.07 181.26 123.11 181.26C116.15 181.26 113.08 186.82 113.08 193.99C113.08 201.16 116.35 206.41 123.16 206.41Z" fill="#F7F6F3"/>
+<path d="M161.14 175.29L169.82 200.8H169.92L178.13 175.29H189.61V212.39H181.97V186.1H181.87L172.78 212.39H166.49L157.4 186.36H157.3V212.39H149.66V175.29H161.14Z" fill="#F7F6F3"/>
+<path d="M210.96 175.29L219.64 200.8H219.74L227.95 175.29H239.43V212.39H231.79V186.1H231.69L222.6 212.39H216.31L207.22 186.36H207.12V212.39H199.48V175.29H210.96Z" fill="#F7F6F3"/>
+<path d="M257.3 175.29V198.51C257.3 203.97 259.69 206.41 264.94 206.41C270.66 206.41 272.63 203.97 272.63 198.51V175.29H280.79V198.51C280.79 207.76 275.44 213.26 264.94 213.26C254.44 213.26 249.15 207.75 249.15 198.51V175.29H257.31H257.3Z" fill="#F7F6F3"/>
+<path d="M298.6 175.29L314.08 200.18H314.18V175.29H321.82V212.39H313.66L298.23 187.56H298.13V212.39H290.49V175.29H298.59H298.6Z" fill="#F7F6F3"/>
+<path d="M339.86 175.29V212.39H331.7V175.29H339.86Z" fill="#F7F6F3"/>
+<path d="M377.211 175.29V182.15H366.091V212.39H357.931V182.15H346.811V175.29H377.201H377.211Z" fill="#F7F6F3"/>
+<path d="M389.31 175.29L397.99 189.94L406.61 175.29H415.7L401.93 198.15V212.39H393.77V197.95L380.11 175.3H389.31V175.29Z" fill="#F7F6F3"/>
+<path d="M466.41 175.29V182.15H446.82V190.1H464.8V196.44H446.82V205.53H466.82V212.39H438.66V175.29H466.4H466.41Z" fill="#F7F6F3"/>
+<path d="M490.93 175.29C501.22 175.29 507.87 181.94 507.87 193.63C507.87 205.32 501.53 212.39 491.14 212.39H475.03V175.29H490.93ZM490.41 205.53C495.5 205.53 499.71 202.36 499.71 194.36C499.71 185.53 495.81 182.15 489.01 182.15H483.19V205.53H490.41Z" fill="#F7F6F3"/>
+<path d="M524.391 175.29V212.39H516.23V175.29H524.391Z" fill="#F7F6F3"/>
+<path d="M561.751 175.29V182.15H550.631V212.39H542.471V182.15H531.351V175.29H561.741H561.751Z" fill="#F7F6F3"/>
+<path d="M576.86 175.29V212.39H568.7V175.29H576.86Z" fill="#F7F6F3"/>
+<path d="M621.59 193.99C621.59 204.8 614.68 213.27 603.35 213.27C592.02 213.27 585.11 204.8 585.11 193.99C585.11 183.18 591.97 174.4 603.35 174.4C614.73 174.4 621.59 182.76 621.59 193.99ZM603.36 206.41C610.27 206.41 613.44 200.75 613.44 193.99C613.44 186.87 610.27 181.26 603.31 181.26C596.35 181.26 593.28 186.82 593.28 193.99C593.28 201.16 596.55 206.41 603.36 206.41Z" fill="#F7F6F3"/>
+<path d="M637.961 175.29L653.441 200.18H653.541V175.29H661.181V212.39H653.021L637.591 187.56H637.491V212.39H629.851V175.29H637.961Z" fill="#F7F6F3"/>
+<path d="M1.87012 174.41H40.8301V213.27H1.87012V174.41Z" fill="#FF80F2"/>
 </g>
 <defs>
-<filter id="filter0_dd_10456_446427" x="-3.01562" y="-2.22852" width="38.7092" height="52.3037" filterUnits="userSpaceOnUse" color-interpolation-filters="sRGB">
-<feFlood flood-opacity="0" result="BackgroundImageFix"/>
-<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
-<feOffset dy="1"/>
-<feGaussianBlur stdDeviation="1"/>
-<feColorMatrix type="matrix" values="0 0 0 0 0.0627451 0 0 0 0 0.0941176 0 0 0 0 0.156863 0 0 0 0.06 0"/>
-<feBlend mode="normal" in2="BackgroundImageFix" result="effect1_dropShadow_10456_446427"/>
-<feColorMatrix in="SourceAlpha" type="matrix" values="0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 127 0" result="hardAlpha"/>
-<feOffset dy="1"/>
-<feGaussianBlur stdDeviation="1.5"/>
-<feColorMatrix type="matrix" values="0 0 0 0 0.0627451 0 0 0 0 0.0941176 0 0 0 0 0.156863 0 0 0 0.1 0"/>
-<feBlend mode="normal" in2="effect1_dropShadow_10456_446427" result="effect2_dropShadow_10456_446427"/>
-<feBlend mode="normal" in="SourceGraphic" in2="effect2_dropShadow_10456_446427" result="shape"/>
-</filter>
-<clipPath id="clip0_10456_446427">
-<rect width="190" height="46" fill="white"/>
+<clipPath id="clip0_261_120595">
+<rect width="1063.9" height="213.27" fill="white"/>
 </clipPath>
 </defs>
 </svg>

From 363a62d88560bc35c16205d72811086513467ff9 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Tue, 1 Jul 2025 20:10:39 +1200
Subject: [PATCH 162/212] fix: bump the docker binary version to v28.3.0
 [r8s-390] (#837)

---
 binary-version.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/binary-version.json b/binary-version.json
index 3f190e5d3..7a275ec82 100644
--- a/binary-version.json
+++ b/binary-version.json
@@ -1,5 +1,4 @@
 {
-  "docker": "v27.5.1",
-  "kubectl": "v1.32.2",
+  "docker": "v28.3.0",
   "mingit": "2.49.0.1"
 }

From e1c480d3c328cf5fff93eb86b5da7be07b7f91a7 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Tue, 1 Jul 2025 15:04:10 +0200
Subject: [PATCH 163/212] feat(app/edge-stacks): summarize the edge stack
 statuses in the backend (#818)

---
 .../customtemplates/customtemplate_list.go    |   2 +-
 api/http/handler/edgestacks/edgestack_list.go | 133 +++++++++++++-
 .../proxy/factory/docker/access_control.go    |   2 +-
 api/slicesx/filter.go                         |  28 +++
 api/slicesx/filter_test.go                    |  96 ++++++++++
 api/slicesx/flatten.go                        |   7 +
 api/slicesx/flatten_test.go                   |  19 ++
 api/slicesx/includes.go                       |  17 ++
 api/slicesx/includes_test.go                  |  76 ++++++++
 api/slicesx/map.go                            |  15 ++
 api/slicesx/map_test.go                       |  43 +++++
 api/slicesx/slices_test.go                    | 127 -------------
 api/slicesx/slicesx_test.go                   |  29 +++
 api/slicesx/{slices.go => unique.go}          |  22 ---
 api/slicesx/unique_test.go                    |  46 +++++
 .../EdgeStacksDatatable.tsx                   |  20 +--
 .../EdgeStacksDatatable/EdgeStacksStatus.tsx  | 170 ++++++------------
 .../ListView/EdgeStacksDatatable/columns.tsx  |  53 ++++--
 .../ListView/EdgeStacksDatatable/types.ts     |  20 ++-
 .../edge/edge-stacks/queries/useEdgeStacks.ts |  30 ++--
 package.json                                  |   2 +-
 21 files changed, 645 insertions(+), 312 deletions(-)
 create mode 100644 api/slicesx/filter.go
 create mode 100644 api/slicesx/filter_test.go
 create mode 100644 api/slicesx/flatten.go
 create mode 100644 api/slicesx/flatten_test.go
 create mode 100644 api/slicesx/includes.go
 create mode 100644 api/slicesx/includes_test.go
 create mode 100644 api/slicesx/map.go
 create mode 100644 api/slicesx/map_test.go
 delete mode 100644 api/slicesx/slices_test.go
 create mode 100644 api/slicesx/slicesx_test.go
 rename api/slicesx/{slices.go => unique.go} (51%)
 create mode 100644 api/slicesx/unique_test.go

diff --git a/api/http/handler/customtemplates/customtemplate_list.go b/api/http/handler/customtemplates/customtemplate_list.go
index 581b219ae..c96d61523 100644
--- a/api/http/handler/customtemplates/customtemplate_list.go
+++ b/api/http/handler/customtemplates/customtemplate_list.go
@@ -71,7 +71,7 @@ func (handler *Handler) customTemplateList(w http.ResponseWriter, r *http.Reques
 	customTemplates = filterByType(customTemplates, templateTypes)
 
 	if edge != nil {
-		customTemplates = slicesx.Filter(customTemplates, func(customTemplate portainer.CustomTemplate) bool {
+		customTemplates = slicesx.FilterInPlace(customTemplates, func(customTemplate portainer.CustomTemplate) bool {
 			return customTemplate.EdgeTemplate == *edge
 		})
 	}
diff --git a/api/http/handler/edgestacks/edgestack_list.go b/api/http/handler/edgestacks/edgestack_list.go
index b0df238c3..1ea991c4b 100644
--- a/api/http/handler/edgestacks/edgestack_list.go
+++ b/api/http/handler/edgestacks/edgestack_list.go
@@ -3,10 +3,39 @@ package edgestacks
 import (
 	"net/http"
 
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/slicesx"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
 )
 
+type aggregatedStatusesMap map[portainer.EdgeStackStatusType]int
+
+type SummarizedStatus string
+
+const (
+	sumStatusUnavailable      SummarizedStatus = "Unavailable"
+	sumStatusDeploying        SummarizedStatus = "Deploying"
+	sumStatusFailed           SummarizedStatus = "Failed"
+	sumStatusPaused           SummarizedStatus = "Paused"
+	sumStatusPartiallyRunning SummarizedStatus = "PartiallyRunning"
+	sumStatusCompleted        SummarizedStatus = "Completed"
+	sumStatusRunning          SummarizedStatus = "Running"
+)
+
+type edgeStackStatusSummary struct {
+	AggregatedStatus aggregatedStatusesMap
+	Status           SummarizedStatus
+	Reason           string
+}
+
+type edgeStackListResponseItem struct {
+	portainer.EdgeStack
+	StatusSummary edgeStackStatusSummary
+}
+
 // @id EdgeStackList
 // @summary Fetches the list of EdgeStacks
 // @description **Access policy**: administrator
@@ -14,22 +43,122 @@ import (
 // @security ApiKeyAuth
 // @security jwt
 // @produce json
+// @param summarizeStatuses query boolean false "will summarize the statuses"
 // @success 200 {array} portainer.EdgeStack
 // @failure 500
 // @failure 400
 // @failure 503 "Edge compute features are disabled"
 // @router /edge_stacks [get]
 func (handler *Handler) edgeStackList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	summarizeStatuses, _ := request.RetrieveBooleanQueryParameter(r, "summarizeStatuses", true)
+
 	edgeStacks, err := handler.DataStore.EdgeStack().EdgeStacks()
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve edge stacks from the database", err)
 	}
 
+	res := make([]edgeStackListResponseItem, len(edgeStacks))
+
 	for i := range edgeStacks {
-		if err := fillEdgeStackStatus(handler.DataStore, &edgeStacks[i]); err != nil {
+		res[i].EdgeStack = edgeStacks[i]
+
+		if summarizeStatuses {
+			if err := fillStatusSummary(handler.DataStore, &res[i]); err != nil {
+				return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
+			}
+		} else if err := fillEdgeStackStatus(handler.DataStore, &res[i].EdgeStack); err != nil {
 			return handlerDBErr(err, "Unable to retrieve edge stack status from the database")
 		}
 	}
 
-	return response.JSON(w, edgeStacks)
+	return response.JSON(w, res)
+}
+
+func fillStatusSummary(tx dataservices.DataStoreTx, edgeStack *edgeStackListResponseItem) error {
+	statuses, err := tx.EdgeStackStatus().ReadAll(edgeStack.ID)
+	if err != nil {
+		return err
+	}
+
+	aggregated := make(aggregatedStatusesMap)
+
+	for _, envStatus := range statuses {
+		for _, status := range envStatus.Status {
+			aggregated[status.Type]++
+		}
+	}
+
+	status, reason := SummarizeStatuses(statuses, edgeStack.NumDeployments)
+
+	edgeStack.StatusSummary = edgeStackStatusSummary{
+		AggregatedStatus: aggregated,
+		Status:           status,
+		Reason:           reason,
+	}
+
+	edgeStack.Status = map[portainer.EndpointID]portainer.EdgeStackStatus{}
+
+	return nil
+}
+
+func SummarizeStatuses(statuses []portainer.EdgeStackStatusForEnv, numDeployments int) (SummarizedStatus, string) {
+	if numDeployments == 0 {
+		return sumStatusUnavailable, "Your edge stack is currently unavailable due to the absence of an available environment in your edge group"
+	}
+
+	allStatuses := slicesx.FlatMap(statuses, func(x portainer.EdgeStackStatusForEnv) []portainer.EdgeStackDeploymentStatus {
+		return x.Status
+	})
+
+	lastStatuses := slicesx.Map(
+		slicesx.Filter(
+			statuses,
+			func(s portainer.EdgeStackStatusForEnv) bool {
+				return len(s.Status) > 0
+			},
+		),
+		func(x portainer.EdgeStackStatusForEnv) portainer.EdgeStackDeploymentStatus {
+			return x.Status[len(x.Status)-1]
+		},
+	)
+
+	if len(lastStatuses) == 0 {
+		return sumStatusDeploying, ""
+	}
+
+	if allFailed := slicesx.Every(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool {
+		return s.Type == portainer.EdgeStackStatusError
+	}); allFailed {
+		return sumStatusFailed, ""
+	}
+
+	if hasPaused := slicesx.Some(allStatuses, func(s portainer.EdgeStackDeploymentStatus) bool {
+		return s.Type == portainer.EdgeStackStatusPausedDeploying
+	}); hasPaused {
+		return sumStatusPaused, ""
+	}
+
+	if len(lastStatuses) < numDeployments {
+		return sumStatusDeploying, ""
+	}
+
+	hasDeploying := slicesx.Some(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusDeploying })
+	hasRunning := slicesx.Some(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusRunning })
+	hasFailed := slicesx.Some(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusError })
+
+	if hasRunning && hasFailed && !hasDeploying {
+		return sumStatusPartiallyRunning, ""
+	}
+
+	if allCompleted := slicesx.Every(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool { return s.Type == portainer.EdgeStackStatusCompleted }); allCompleted {
+		return sumStatusCompleted, ""
+	}
+
+	if allRunning := slicesx.Every(lastStatuses, func(s portainer.EdgeStackDeploymentStatus) bool {
+		return s.Type == portainer.EdgeStackStatusRunning
+	}); allRunning {
+		return sumStatusRunning, ""
+	}
+
+	return sumStatusDeploying, ""
 }
diff --git a/api/http/proxy/factory/docker/access_control.go b/api/http/proxy/factory/docker/access_control.go
index e945d38da..ac25a7b7a 100644
--- a/api/http/proxy/factory/docker/access_control.go
+++ b/api/http/proxy/factory/docker/access_control.go
@@ -35,7 +35,7 @@ type (
 func getUniqueElements(items string) []string {
 	xs := strings.Split(items, ",")
 	xs = slicesx.Map(xs, strings.TrimSpace)
-	xs = slicesx.Filter(xs, func(x string) bool { return len(x) > 0 })
+	xs = slicesx.FilterInPlace(xs, func(x string) bool { return len(x) > 0 })
 
 	return slicesx.Unique(xs)
 }
diff --git a/api/slicesx/filter.go b/api/slicesx/filter.go
new file mode 100644
index 000000000..13dc12105
--- /dev/null
+++ b/api/slicesx/filter.go
@@ -0,0 +1,28 @@
+package slicesx
+
+// Iterates over elements of collection, returning an array of all elements predicate returns truthy for.
+//
+// Note: Unlike `FilterInPlace`, this method returns a new array.
+func Filter[T any](input []T, predicate func(T) bool) []T {
+	result := make([]T, 0)
+	for i := range input {
+		if predicate(input[i]) {
+			result = append(result, input[i])
+		}
+	}
+	return result
+}
+
+// Filter in place all elements from input that predicate returns truthy for and returns an array of the removed elements.
+//
+// Note: Unlike `Filter`, this method mutates input.
+func FilterInPlace[T any](input []T, predicate func(T) bool) []T {
+	n := 0
+	for _, v := range input {
+		if predicate(v) {
+			input[n] = v
+			n++
+		}
+	}
+	return input[:n]
+}
diff --git a/api/slicesx/filter_test.go b/api/slicesx/filter_test.go
new file mode 100644
index 000000000..36f97fa10
--- /dev/null
+++ b/api/slicesx/filter_test.go
@@ -0,0 +1,96 @@
+package slicesx_test
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/api/slicesx"
+)
+
+func Test_Filter(t *testing.T) {
+	test(t, slicesx.Filter, "Filter even numbers",
+		[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+		[]int{2, 4, 6, 8},
+		func(x int) bool { return x%2 == 0 },
+	)
+	test(t, slicesx.Filter, "Filter odd numbers",
+		[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+		[]int{1, 3, 5, 7, 9},
+		func(x int) bool { return x%2 == 1 },
+	)
+	test(t, slicesx.Filter, "Filter strings starting with 'A'",
+		[]string{"Apple", "Banana", "Avocado", "Grapes", "Apricot"},
+		[]string{"Apple", "Avocado", "Apricot"},
+		func(s string) bool { return s[0] == 'A' },
+	)
+	test(t, slicesx.Filter, "Filter strings longer than 5 chars",
+		[]string{"Apple", "Banana", "Avocado", "Grapes", "Apricot"},
+		[]string{"Banana", "Avocado", "Grapes", "Apricot"},
+		func(s string) bool { return len(s) > 5 },
+	)
+}
+
+func Test_Retain(t *testing.T) {
+	test(t, slicesx.FilterInPlace, "Filter even numbers",
+		[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+		[]int{2, 4, 6, 8},
+		func(x int) bool { return x%2 == 0 },
+	)
+	test(t, slicesx.FilterInPlace, "Filter odd numbers",
+		[]int{1, 2, 3, 4, 5, 6, 7, 8, 9},
+		[]int{1, 3, 5, 7, 9},
+		func(x int) bool { return x%2 == 1 },
+	)
+	test(t, slicesx.FilterInPlace, "Filter strings starting with 'A'",
+		[]string{"Apple", "Banana", "Avocado", "Grapes", "Apricot"},
+		[]string{"Apple", "Avocado", "Apricot"},
+		func(s string) bool { return s[0] == 'A' },
+	)
+	test(t, slicesx.FilterInPlace, "Filter strings longer than 5 chars",
+		[]string{"Apple", "Banana", "Avocado", "Grapes", "Apricot"},
+		[]string{"Banana", "Avocado", "Grapes", "Apricot"},
+		func(s string) bool { return len(s) > 5 },
+	)
+}
+
+func Benchmark_Filter(b *testing.B) {
+	n := 100000
+
+	source := make([]int, n)
+	for i := range source {
+		source[i] = i
+	}
+
+	b.ResetTimer()
+	for range b.N {
+		e := slicesx.Filter(source, func(x int) bool { return x%2 == 0 })
+		if len(e) != n/2 {
+			b.FailNow()
+		}
+	}
+}
+
+func Benchmark_FilterInPlace(b *testing.B) {
+	n := 100000
+
+	source := make([]int, n)
+	for i := range source {
+		source[i] = i
+	}
+
+	// Preallocate all copies before timing
+	// because FilterInPlace mutates the original slice
+	copies := make([][]int, b.N)
+	for i := range b.N {
+		buf := make([]int, len(source))
+		copy(buf, source)
+		copies[i] = buf
+	}
+
+	b.ResetTimer()
+	for i := range b.N {
+		e := slicesx.FilterInPlace(copies[i], func(x int) bool { return x%2 == 0 })
+		if len(e) != n/2 {
+			b.FailNow()
+		}
+	}
+}
diff --git a/api/slicesx/flatten.go b/api/slicesx/flatten.go
new file mode 100644
index 000000000..56a77f3e9
--- /dev/null
+++ b/api/slicesx/flatten.go
@@ -0,0 +1,7 @@
+package slicesx
+
+import "slices"
+
+func Flatten[T any](input [][]T) []T {
+	return slices.Concat(input...)
+}
diff --git a/api/slicesx/flatten_test.go b/api/slicesx/flatten_test.go
new file mode 100644
index 000000000..6875c4e6b
--- /dev/null
+++ b/api/slicesx/flatten_test.go
@@ -0,0 +1,19 @@
+package slicesx_test
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/api/slicesx"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Flatten(t *testing.T) {
+	t.Run("Flatten an array of arrays", func(t *testing.T) {
+		is := assert.New(t)
+
+		source := [][]int{{1, 2, 3}, {4, 5, 6}, {7, 8, 9}}
+		expected := []int{1, 2, 3, 4, 5, 6, 7, 8, 9}
+		is.ElementsMatch(slicesx.Flatten(source), expected)
+
+	})
+}
diff --git a/api/slicesx/includes.go b/api/slicesx/includes.go
new file mode 100644
index 000000000..377a54215
--- /dev/null
+++ b/api/slicesx/includes.go
@@ -0,0 +1,17 @@
+package slicesx
+
+import "slices"
+
+// Checks if predicate returns truthy for any element of input. Iteration is stopped once predicate returns truthy.
+func Some[T any](input []T, predicate func(T) bool) bool {
+	return slices.ContainsFunc(input, predicate)
+}
+
+// Checks if predicate returns truthy for all elements of input. Iteration is stopped once predicate returns falsey.
+//
+// Note: This method returns true for empty collections because everything is true of elements of empty collections.
+// https://en.wikipedia.org/wiki/Vacuous_truth
+func Every[T any](input []T, predicate func(T) bool) bool {
+	// if the slice doesn't contain an inverted predicate then all items follow the predicate
+	return !slices.ContainsFunc(input, func(t T) bool { return !predicate(t) })
+}
diff --git a/api/slicesx/includes_test.go b/api/slicesx/includes_test.go
new file mode 100644
index 000000000..a3f074c1c
--- /dev/null
+++ b/api/slicesx/includes_test.go
@@ -0,0 +1,76 @@
+package slicesx_test
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/api/slicesx"
+)
+
+func Test_Every(t *testing.T) {
+	test(t, slicesx.Every, "All start with an A (ok)",
+		[]string{"Apple", "Avocado", "Apricot"},
+		true,
+		func(s string) bool { return s[0] == 'A' },
+	)
+	test(t, slicesx.Every, "All start with an A (ko = some don't start with A)",
+		[]string{"Apple", "Avocado", "Banana"},
+		false,
+		func(s string) bool { return s[0] == 'A' },
+	)
+	test(t, slicesx.Every, "All are under 5 (ok)",
+		[]int{1, 2, 3},
+		true,
+		func(i int) bool { return i < 5 },
+	)
+	test(t, slicesx.Every, "All are under 5 (ko = some above 10)",
+		[]int{1, 2, 10},
+		false,
+		func(i int) bool { return i < 5 },
+	)
+	test(t, slicesx.Every, "All are true (ok)",
+		[]struct{ x bool }{{x: true}, {x: true}, {x: true}},
+		true,
+		func(s struct{ x bool }) bool { return s.x })
+	test(t, slicesx.Every, "All are true (ko = some are false)",
+		[]struct{ x bool }{{x: true}, {x: true}, {x: false}},
+		false,
+		func(s struct{ x bool }) bool { return s.x })
+	test(t, slicesx.Every, "Must be true on empty slice",
+		[]int{},
+		true,
+		func(i int) bool { return i%2 == 0 },
+	)
+}
+
+func Test_Some(t *testing.T) {
+	test(t, slicesx.Some, "Some start with an A (ok)",
+		[]string{"Apple", "Avocado", "Banana"},
+		true,
+		func(s string) bool { return s[0] == 'A' },
+	)
+	test(t, slicesx.Some, "Some start with an A (ko = all don't start with A)",
+		[]string{"Banana", "Cherry", "Peach"},
+		false,
+		func(s string) bool { return s[0] == 'A' },
+	)
+	test(t, slicesx.Some, "Some are under 5 (ok)",
+		[]int{1, 2, 30},
+		true,
+		func(i int) bool { return i < 5 },
+	)
+	test(t, slicesx.Some, "Some are under 5 (ko = all above 5)",
+		[]int{10, 11, 12},
+		false,
+		func(i int) bool { return i < 5 },
+	)
+	test(t, slicesx.Some, "Some are true (ok)",
+		[]struct{ x bool }{{x: true}, {x: true}, {x: false}},
+		true,
+		func(s struct{ x bool }) bool { return s.x },
+	)
+	test(t, slicesx.Some, "Some are true (ko = all are false)",
+		[]struct{ x bool }{{x: false}, {x: false}, {x: false}},
+		false,
+		func(s struct{ x bool }) bool { return s.x },
+	)
+}
diff --git a/api/slicesx/map.go b/api/slicesx/map.go
new file mode 100644
index 000000000..7e24bdd0d
--- /dev/null
+++ b/api/slicesx/map.go
@@ -0,0 +1,15 @@
+package slicesx
+
+// Map applies the given function to each element of the slice and returns a new slice with the results
+func Map[T, U any](s []T, f func(T) U) []U {
+	result := make([]U, len(s))
+	for i, v := range s {
+		result[i] = f(v)
+	}
+	return result
+}
+
+// FlatMap applies the given function to each element of the slice and returns a new slice with the flattened results
+func FlatMap[T, U any](s []T, f func(T) []U) []U {
+	return Flatten(Map(s, f))
+}
diff --git a/api/slicesx/map_test.go b/api/slicesx/map_test.go
new file mode 100644
index 000000000..a2cd2256d
--- /dev/null
+++ b/api/slicesx/map_test.go
@@ -0,0 +1,43 @@
+package slicesx_test
+
+import (
+	"strconv"
+	"testing"
+
+	"github.com/portainer/portainer/api/slicesx"
+)
+
+func Test_Map(t *testing.T) {
+	test(t, slicesx.Map, "Map integers to strings",
+		[]int{1, 2, 3, 4, 5},
+		[]string{"1", "2", "3", "4", "5"},
+		strconv.Itoa,
+	)
+	test(t, slicesx.Map, "Map strings to integers",
+		[]string{"1", "2", "3", "4", "5"},
+		[]int{1, 2, 3, 4, 5},
+		func(s string) int {
+			n, _ := strconv.Atoi(s)
+			return n
+		},
+	)
+}
+
+func Test_FlatMap(t *testing.T) {
+	test(t, slicesx.FlatMap, "Map integers to strings and flatten",
+		[]int{1, 2, 3, 4, 5},
+		[]string{"1", "1", "2", "2", "3", "3", "4", "4", "5", "5"},
+		func(i int) []string {
+			x := strconv.Itoa(i)
+			return []string{x, x}
+		},
+	)
+	test(t, slicesx.FlatMap, "Map strings to integers and flatten",
+		[]string{"1", "2", "3", "4", "5"},
+		[]int{1, 1, 2, 2, 3, 3, 4, 4, 5, 5},
+		func(s string) []int {
+			n, _ := strconv.Atoi(s)
+			return []int{n, n}
+		},
+	)
+}
diff --git a/api/slicesx/slices_test.go b/api/slicesx/slices_test.go
deleted file mode 100644
index d75f9b559..000000000
--- a/api/slicesx/slices_test.go
+++ /dev/null
@@ -1,127 +0,0 @@
-package slicesx
-
-import (
-	"strconv"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-)
-
-type filterTestCase[T any] struct {
-	name      string
-	input     []T
-	expected  []T
-	predicate func(T) bool
-}
-
-func TestFilter(t *testing.T) {
-	intTestCases := []filterTestCase[int]{
-		{
-			name:     "Filter even numbers",
-			input:    []int{1, 2, 3, 4, 5, 6, 7, 8, 9},
-			expected: []int{2, 4, 6, 8},
-
-			predicate: func(n int) bool {
-				return n%2 == 0
-			},
-		},
-		{
-			name:     "Filter odd numbers",
-			input:    []int{1, 2, 3, 4, 5, 6, 7, 8, 9},
-			expected: []int{1, 3, 5, 7, 9},
-
-			predicate: func(n int) bool {
-				return n%2 != 0
-			},
-		},
-	}
-
-	runTestCases(t, intTestCases)
-
-	stringTestCases := []filterTestCase[string]{
-		{
-			name:     "Filter strings starting with 'A'",
-			input:    []string{"Apple", "Banana", "Avocado", "Grapes", "Apricot"},
-			expected: []string{"Apple", "Avocado", "Apricot"},
-			predicate: func(s string) bool {
-				return s[0] == 'A'
-			},
-		},
-		{
-			name:     "Filter strings longer than 5 characters",
-			input:    []string{"Apple", "Banana", "Avocado", "Grapes", "Apricot"},
-			expected: []string{"Banana", "Avocado", "Grapes", "Apricot"},
-			predicate: func(s string) bool {
-				return len(s) > 5
-			},
-		},
-	}
-
-	runTestCases(t, stringTestCases)
-}
-
-func runTestCases[T any](t *testing.T, testCases []filterTestCase[T]) {
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			is := assert.New(t)
-			result := Filter(testCase.input, testCase.predicate)
-
-			is.Equal(len(testCase.expected), len(result))
-			is.ElementsMatch(testCase.expected, result)
-		})
-	}
-}
-
-func TestMap(t *testing.T) {
-	intTestCases := []struct {
-		name     string
-		input    []int
-		expected []string
-		mapper   func(int) string
-	}{
-		{
-			name:     "Map integers to strings",
-			input:    []int{1, 2, 3, 4, 5},
-			expected: []string{"1", "2", "3", "4", "5"},
-			mapper:   strconv.Itoa,
-		},
-	}
-
-	runMapTestCases(t, intTestCases)
-
-	stringTestCases := []struct {
-		name     string
-		input    []string
-		expected []int
-		mapper   func(string) int
-	}{
-		{
-			name:     "Map strings to integers",
-			input:    []string{"1", "2", "3", "4", "5"},
-			expected: []int{1, 2, 3, 4, 5},
-			mapper: func(s string) int {
-				n, _ := strconv.Atoi(s)
-				return n
-			},
-		},
-	}
-
-	runMapTestCases(t, stringTestCases)
-}
-
-func runMapTestCases[T, U any](t *testing.T, testCases []struct {
-	name     string
-	input    []T
-	expected []U
-	mapper   func(T) U
-}) {
-	for _, testCase := range testCases {
-		t.Run(testCase.name, func(t *testing.T) {
-			is := assert.New(t)
-			result := Map(testCase.input, testCase.mapper)
-
-			is.Equal(len(testCase.expected), len(result))
-			is.ElementsMatch(testCase.expected, result)
-		})
-	}
-}
diff --git a/api/slicesx/slicesx_test.go b/api/slicesx/slicesx_test.go
new file mode 100644
index 000000000..1bb8a76fe
--- /dev/null
+++ b/api/slicesx/slicesx_test.go
@@ -0,0 +1,29 @@
+package slicesx_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type libFunc[T, U, V any] func([]T, func(T) U) V
+type predicateFunc[T, U any] func(T) U
+
+func test[T, U, V any](t *testing.T, libFn libFunc[T, U, V], name string, input []T, expected V, predicate predicateFunc[T, U]) {
+	t.Helper()
+
+	t.Run(name, func(t *testing.T) {
+		is := assert.New(t)
+
+		result := libFn(input, predicate)
+
+		switch reflect.TypeOf(result).Kind() {
+		case reflect.Slice, reflect.Array:
+			is.Equal(expected, result)
+			is.ElementsMatch(expected, result)
+		default:
+			is.Equal(expected, result)
+		}
+	})
+}
diff --git a/api/slicesx/slices.go b/api/slicesx/unique.go
similarity index 51%
rename from api/slicesx/slices.go
rename to api/slicesx/unique.go
index b7e0aa0ef..8659b0778 100644
--- a/api/slicesx/slices.go
+++ b/api/slicesx/unique.go
@@ -1,27 +1,5 @@
 package slicesx
 
-// Map applies the given function to each element of the slice and returns a new slice with the results
-func Map[T, U any](s []T, f func(T) U) []U {
-	result := make([]U, len(s))
-	for i, v := range s {
-		result[i] = f(v)
-	}
-	return result
-}
-
-// Filter returns a new slice containing only the elements of the slice for which the given predicate returns true
-func Filter[T any](s []T, predicate func(T) bool) []T {
-	n := 0
-	for _, v := range s {
-		if predicate(v) {
-			s[n] = v
-			n++
-		}
-	}
-
-	return s[:n]
-}
-
 func Unique[T comparable](items []T) []T {
 	return UniqueBy(items, func(item T) T {
 		return item
diff --git a/api/slicesx/unique_test.go b/api/slicesx/unique_test.go
new file mode 100644
index 000000000..8ff967ca6
--- /dev/null
+++ b/api/slicesx/unique_test.go
@@ -0,0 +1,46 @@
+package slicesx_test
+
+import (
+	"testing"
+
+	"github.com/portainer/portainer/api/slicesx"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_Unique(t *testing.T) {
+	is := assert.New(t)
+	t.Run("Should extract unique numbers", func(t *testing.T) {
+
+		source := []int{1, 1, 2, 3, 4, 4, 5, 4, 6, 7, 8, 9, 1}
+		result := slicesx.Unique(source)
+		expected := []int{1, 2, 3, 4, 5, 6, 7, 8, 9}
+
+		is.ElementsMatch(result, expected)
+	})
+
+	t.Run("Should return empty array", func(t *testing.T) {
+		source := []int{}
+		result := slicesx.Unique(source)
+		expected := []int{}
+		is.ElementsMatch(result, expected)
+	})
+}
+
+func Test_UniqueBy(t *testing.T) {
+	is := assert.New(t)
+	t.Run("Should extract unique numbers by property", func(t *testing.T) {
+
+		source := []struct{ int }{{1}, {1}, {2}, {3}, {4}, {4}, {5}, {4}, {6}, {7}, {8}, {9}, {1}}
+		result := slicesx.UniqueBy(source, func(item struct{ int }) int { return item.int })
+		expected := []struct{ int }{{1}, {2}, {3}, {4}, {5}, {6}, {7}, {8}, {9}}
+
+		is.ElementsMatch(result, expected)
+	})
+
+	t.Run("Should return empty array", func(t *testing.T) {
+		source := []int{}
+		result := slicesx.UniqueBy(source, func(x int) int { return x })
+		expected := []int{}
+		is.ElementsMatch(result, expected)
+	})
+}
diff --git a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksDatatable.tsx b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksDatatable.tsx
index 7dd8e35af..be1f664e0 100644
--- a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksDatatable.tsx
+++ b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksDatatable.tsx
@@ -5,7 +5,6 @@ import { useTableState } from '@@/datatables/useTableState';
 import { getColumnVisibilityState } from '@@/datatables/ColumnVisibilityMenu';
 
 import { useEdgeStacks } from '../../queries/useEdgeStacks';
-import { EdgeStack, StatusType } from '../../types';
 
 import { createStore } from './store';
 import { columns } from './columns';
@@ -20,11 +19,7 @@ const settingsStore = createStore(tableKey);
 export function EdgeStacksDatatable() {
   const tableState = useTableState(settingsStore, tableKey);
   const edgeStacksQuery = useEdgeStacks<Array<DecoratedEdgeStack>>({
-    select: (edgeStacks) =>
-      edgeStacks.map((edgeStack) => ({
-        ...edgeStack,
-        aggregatedStatus: aggregateStackStatus(edgeStack.Status),
-      })),
+    params: { summarizeStatuses: true },
     refetchInterval: tableState.autoRefreshRate * 1000,
   });
 
@@ -50,16 +45,3 @@ export function EdgeStacksDatatable() {
     />
   );
 }
-
-function aggregateStackStatus(stackStatus: EdgeStack['Status']) {
-  const aggregateStatus: Partial<Record<StatusType, number>> = {};
-  return Object.values(stackStatus).reduce(
-    (acc, envStatus) =>
-      envStatus.Status.reduce((acc, status) => {
-        const { Type } = status;
-        acc[Type] = (acc[Type] || 0) + 1;
-        return acc;
-      }, acc),
-    aggregateStatus
-  );
-}
diff --git a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx
index 565eac41e..8c6443396 100644
--- a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx
+++ b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/EdgeStacksStatus.tsx
@@ -1,4 +1,3 @@
-import _ from 'lodash';
 import {
   AlertTriangle,
   CheckCircle,
@@ -6,35 +5,22 @@ import {
   Loader2,
   XCircle,
   MinusCircle,
+  PauseCircle,
 } from 'lucide-react';
 
-import { useEnvironmentList } from '@/react/portainer/environments/queries';
-import { isVersionSmaller } from '@/react/common/semver-utils';
-
 import { Icon, IconMode } from '@@/Icon';
 import { Tooltip } from '@@/Tip/Tooltip';
 
-import { DeploymentStatus, EdgeStack, StatusType } from '../../types';
+import { DecoratedEdgeStack, StatusSummary, SummarizedStatus } from './types';
 
-export function EdgeStackStatus({ edgeStack }: { edgeStack: EdgeStack }) {
-  const status = Object.values(edgeStack.Status);
-  const lastStatus = _.compact(status.map((s) => _.last(s.Status)));
+export function EdgeStackStatus({
+  edgeStack,
+}: {
+  edgeStack: DecoratedEdgeStack;
+}) {
+  const { StatusSummary } = edgeStack;
 
-  const environmentsQuery = useEnvironmentList({ edgeStackId: edgeStack.Id });
-
-  if (environmentsQuery.isLoading) {
-    return null;
-  }
-
-  const hasOldVersion = environmentsQuery.environments.some((env) =>
-    isVersionSmaller(env.Agent.Version, '2.19.0')
-  );
-
-  const { icon, label, mode, spin, tooltip } = getStatus(
-    edgeStack.NumDeployments,
-    lastStatus,
-    hasOldVersion
-  );
+  const { icon, label, mode, spin, tooltip } = getStatus(StatusSummary);
 
   return (
     <div className="mx-auto inline-flex items-center gap-2">
@@ -45,106 +31,68 @@ export function EdgeStackStatus({ edgeStack }: { edgeStack: EdgeStack }) {
   );
 }
 
-function getStatus(
-  numDeployments: number,
-  envStatus: Array<DeploymentStatus>,
-  hasOldVersion: boolean
-): {
+function getStatus(summary?: StatusSummary): {
   label: string;
   icon?: LucideIcon;
   spin?: boolean;
   mode?: IconMode;
   tooltip?: string;
 } {
-  if (!numDeployments || hasOldVersion) {
+  if (!summary) {
     return {
       label: 'Unavailable',
       icon: MinusCircle,
       mode: 'secondary',
-      tooltip: getUnavailableTooltip(),
+      tooltip: 'Status summary is unavailable',
     };
   }
+  const { Status, Reason } = summary;
 
-  if (!envStatus.length) {
-    return {
-      label: 'Deploying',
-      icon: Loader2,
-      spin: true,
-      mode: 'primary',
-    };
-  }
-
-  const allFailed = envStatus.every((s) => s.Type === StatusType.Error);
-
-  if (allFailed) {
-    return {
-      label: 'Failed',
-      icon: XCircle,
-      mode: 'danger',
-    };
-  }
-
-  if (envStatus.length < numDeployments) {
-    return {
-      label: 'Deploying',
-      icon: Loader2,
-      spin: true,
-      mode: 'primary',
-    };
-  }
-
-  const allCompleted = envStatus.every((s) => s.Type === StatusType.Completed);
-
-  if (allCompleted) {
-    return {
-      label: 'Completed',
-      icon: CheckCircle,
-      mode: 'success',
-    };
-  }
-
-  const allRunning = envStatus.every(
-    (s) =>
-      s.Type === StatusType.Running ||
-      (s.Type === StatusType.DeploymentReceived && hasOldVersion)
-  );
-
-  if (allRunning) {
-    return {
-      label: 'Running',
-      icon: CheckCircle,
-      mode: 'success',
-    };
-  }
-
-  const hasDeploying = envStatus.some((s) => s.Type === StatusType.Deploying);
-  const hasRunning = envStatus.some((s) => s.Type === StatusType.Running);
-  const hasFailed = envStatus.some((s) => s.Type === StatusType.Error);
-
-  if (hasRunning && hasFailed && !hasDeploying) {
-    return {
-      label: 'Partially Running',
-      icon: AlertTriangle,
-      mode: 'warning',
-    };
-  }
-
-  return {
-    label: 'Deploying',
-    icon: Loader2,
-    spin: true,
-    mode: 'primary',
-  };
-
-  function getUnavailableTooltip() {
-    if (!numDeployments) {
-      return 'Your edge stack is currently unavailable due to the absence of an available environment in your edge group';
-    }
-
-    if (hasOldVersion) {
-      return 'Please note that the new status feature for the Edge stack is only available for Edge Agent versions 2.19.0 and above. To access the status of your edge stack, it is essential to upgrade your Edge Agent to a corresponding version that is compatible with your Portainer server.';
-    }
-
-    return '';
+  switch (Status) {
+    case SummarizedStatus.Deploying:
+      return {
+        label: 'Deploying',
+        icon: Loader2,
+        spin: true,
+        mode: 'primary',
+      };
+    case SummarizedStatus.Failed:
+      return {
+        label: 'Failed',
+        icon: XCircle,
+        mode: 'danger',
+      };
+    case SummarizedStatus.Paused:
+      return {
+        label: 'Paused',
+        icon: PauseCircle,
+        mode: 'warning',
+      };
+    case SummarizedStatus.PartiallyRunning:
+      return {
+        label: 'Partially Running',
+        icon: AlertTriangle,
+        mode: 'warning',
+      };
+    case SummarizedStatus.Completed:
+      return {
+        label: 'Completed',
+        icon: CheckCircle,
+        mode: 'success',
+      };
+    case SummarizedStatus.Running:
+      return {
+        label: 'Running',
+        icon: CheckCircle,
+        mode: 'success',
+      };
+    case SummarizedStatus.Unavailable:
+    default:
+      return {
+        label: 'Unavailable',
+        icon: MinusCircle,
+        mode: 'secondary',
+        tooltip: Reason,
+      };
   }
 }
diff --git a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/columns.tsx b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/columns.tsx
index 2b1a4472b..8df209598 100644
--- a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/columns.tsx
+++ b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/columns.tsx
@@ -5,8 +5,9 @@ import { isoDateFromTimestamp } from '@/portainer/filters/filters';
 import { isBE } from '@/react/portainer/feature-flags/feature-flags.service';
 import { GitCommitLink } from '@/react/portainer/gitops/GitCommitLink';
 
-import { buildNameColumn } from '@@/datatables/buildNameColumn';
+import { buildNameColumnFromObject } from '@@/datatables/buildNameColumn';
 import { Link } from '@@/Link';
+import { Tooltip } from '@@/Tip/Tooltip';
 
 import { StatusType } from '../../types';
 
@@ -17,14 +18,15 @@ import { DeploymentCounter } from './DeploymentCounter';
 const columnHelper = createColumnHelper<DecoratedEdgeStack>();
 
 export const columns = _.compact([
-  buildNameColumn<DecoratedEdgeStack>(
-    'Name',
-    'edge.stacks.edit',
-    'edge-stacks-name',
-    'stackId'
-  ),
+  buildNameColumnFromObject<DecoratedEdgeStack>({
+    nameKey: 'Name',
+    path: 'edge.stacks.edit',
+    dataCy: 'edge-stacks-name',
+    idParam: 'stackId',
+  }),
   columnHelper.accessor(
-    (item) => item.aggregatedStatus[StatusType.Acknowledged] || 0,
+    (item) =>
+      item.StatusSummary?.AggregatedStatus?.[StatusType.Acknowledged] || 0,
     {
       header: 'Acknowledged',
       enableSorting: false,
@@ -43,7 +45,8 @@ export const columns = _.compact([
   ),
   isBE &&
     columnHelper.accessor(
-      (item) => item.aggregatedStatus[StatusType.ImagesPulled] || 0,
+      (item) =>
+        item.StatusSummary?.AggregatedStatus?.[StatusType.ImagesPulled] || 0,
       {
         header: 'Images pre-pulled',
         cell: ({ getValue, row: { original: item } }) => {
@@ -67,7 +70,9 @@ export const columns = _.compact([
       }
     ),
   columnHelper.accessor(
-    (item) => item.aggregatedStatus[StatusType.DeploymentReceived] || 0,
+    (item) =>
+      item.StatusSummary?.AggregatedStatus?.[StatusType.DeploymentReceived] ||
+      0,
     {
       header: 'Deployments received',
       cell: ({ getValue, row }) => (
@@ -85,7 +90,7 @@ export const columns = _.compact([
     }
   ),
   columnHelper.accessor(
-    (item) => item.aggregatedStatus[StatusType.Error] || 0,
+    (item) => item.StatusSummary?.AggregatedStatus?.[StatusType.Error] || 0,
     {
       header: 'Deployments failed',
       cell: ({ getValue, row }) => {
@@ -123,7 +128,7 @@ export const columns = _.compact([
     }
   ),
   columnHelper.accessor('Status', {
-    header: 'Status',
+    header: StatusHeader,
     cell: ({ row }) => (
       <div className="w-full text-center">
         <EdgeStackStatus edgeStack={row.original} />
@@ -167,3 +172,27 @@ export const columns = _.compact([
       }
     ),
 ]);
+
+function StatusHeader() {
+  return (
+    <>
+      Status
+      <Tooltip
+        position="top"
+        message={
+          <>
+            <div>
+              The status feature for the Edge stack is only available for Edge
+              Agent versions 2.19.0 and above.
+            </div>
+            <div>
+              To access the status of your edge stack, it is essential to
+              upgrade your Edge Agent to a corresponding version that is
+              compatible with your Portainer server.
+            </div>
+          </>
+        }
+      />
+    </>
+  );
+}
diff --git a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/types.ts b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/types.ts
index 89b360342..64f37b83f 100644
--- a/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/types.ts
+++ b/app/react/edge/edge-stacks/ListView/EdgeStacksDatatable/types.ts
@@ -1,5 +1,21 @@
 import { EdgeStack, StatusType } from '../../types';
 
-export type DecoratedEdgeStack = EdgeStack & {
-  aggregatedStatus: Partial<Record<StatusType, number>>;
+export enum SummarizedStatus {
+  Unavailable = 'Unavailable',
+  Deploying = 'Deploying',
+  Failed = 'Failed',
+  Paused = 'Paused',
+  PartiallyRunning = 'PartiallyRunning',
+  Completed = 'Completed',
+  Running = 'Running',
+}
+
+export type StatusSummary = {
+  AggregatedStatus?: Partial<Record<StatusType, number>>;
+  Status: SummarizedStatus;
+  Reason: string;
+};
+
+export type DecoratedEdgeStack = EdgeStack & {
+  StatusSummary?: StatusSummary;
 };
diff --git a/app/react/edge/edge-stacks/queries/useEdgeStacks.ts b/app/react/edge/edge-stacks/queries/useEdgeStacks.ts
index 6ab5a0cf1..d03e143f8 100644
--- a/app/react/edge/edge-stacks/queries/useEdgeStacks.ts
+++ b/app/react/edge/edge-stacks/queries/useEdgeStacks.ts
@@ -1,6 +1,6 @@
 import { useQuery } from '@tanstack/react-query';
 
-import { withError } from '@/react-tools/react-query';
+import { withGlobalError } from '@/react-tools/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 
 import { EdgeStack } from '../types';
@@ -8,28 +8,30 @@ import { EdgeStack } from '../types';
 import { buildUrl } from './buildUrl';
 import { queryKeys } from './query-keys';
 
-export function useEdgeStacks<T = Array<EdgeStack>>({
-  select,
-  /**
-   * If set to a number, the query will continuously refetch at this frequency in milliseconds.
-   * If set to a function, the function will be executed with the latest data and query to compute a frequency
-   * Defaults to `false`.
-   */
+type QueryParams = {
+  summarizeStatuses?: boolean;
+};
+
+export function useEdgeStacks<T extends EdgeStack[] = EdgeStack[]>({
+  params,
   refetchInterval,
 }: {
-  select?: (stacks: EdgeStack[]) => T;
+  params?: QueryParams;
   refetchInterval?: number | false | ((data?: T) => false | number);
 } = {}) {
-  return useQuery(queryKeys.base(), () => getEdgeStacks(), {
-    ...withError('Failed loading Edge stack'),
-    select,
+  return useQuery({
+    queryKey: queryKeys.base(),
+    queryFn: () => getEdgeStacks<T>(params),
     refetchInterval,
+    ...withGlobalError('Failed loading Edge stack'),
   });
 }
 
-export async function getEdgeStacks() {
+async function getEdgeStacks<T extends EdgeStack[] = EdgeStack[]>(
+  params: QueryParams = {}
+) {
   try {
-    const { data } = await axios.get<EdgeStack[]>(buildUrl());
+    const { data } = await axios.get<T>(buildUrl(), { params });
     return data;
   } catch (e) {
     throw parseAxiosError(e as Error);
diff --git a/package.json b/package.json
index d9c180698..3bcac5b09 100644
--- a/package.json
+++ b/package.json
@@ -20,7 +20,7 @@
     "dev": "webpack-dev-server",
     "start": "webpack -w",
     "build": "webpack",
-    "format": "prettier --log-level warn --write \"**/*.{js,css,html,jsx,tsx,ts,json}\"",
+    "format": "prettier --log-level warn --write \"**/*.{js,css,html,jsx,tsx,ts}\"",
     "lint": "eslint --cache --fix './**/*.{js,jsx,ts,tsx}'",
     "test": "vitest run",
     "sb": "yarn storybook",

From e1b9f23f73c05db3c319d4928679b9889e7c502d Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Wed, 2 Jul 2025 06:45:59 +0100
Subject: [PATCH 164/212] Updates for release 2.27.9 (#853)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 49ca94eff..f21be9522 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -104,6 +104,7 @@ body:
         - '2.29.0'
         - '2.28.1'
         - '2.28.0'
+        - '2.27.9'
         - '2.27.8'
         - '2.27.7'
         - '2.27.6'

From 5c6b53922a27f9859bc1c62d11cd8321ceb1b98c Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Wed, 2 Jul 2025 18:14:29 -0300
Subject: [PATCH 165/212] feat(go): upgrade to Go v1.24.4 BE-11774 (#855)

---
 go.mod | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/go.mod b/go.mod
index dd66b95e2..f914962d0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/portainer/portainer
 
-go 1.23.10
+go 1.24.4
 
 require (
 	github.com/Masterminds/semver v1.5.0

From 097b125e3ae881989be93557ea5d684d0317eae4 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Wed, 2 Jul 2025 18:17:19 -0300
Subject: [PATCH 166/212] fix(boltdb): change some options to increase
 performance BE-12002 (#848)

---
 api/database/boltdb/db.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/api/database/boltdb/db.go b/api/database/boltdb/db.go
index a0db7f4e0..32a1b55c3 100644
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -138,6 +138,8 @@ func (connection *DbConnection) Open() error {
 	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
 		Timeout:         1 * time.Second,
 		InitialMmapSize: connection.InitialMmapSize,
+		FreelistType:    bolt.FreelistMapType,
+		NoFreelistSync:  true,
 	})
 	if err != nil {
 		return err

From ce86129478b7b547b2431cc4f1ba8fe5a885e38a Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 3 Jul 2025 04:17:50 +0100
Subject: [PATCH 167/212] Updates for release 2.31.3 (#859)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index f21be9522..4b58737c3 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.31.3'
         - '2.31.2'
         - '2.31.1'
         - '2.31.0'

From f4df51884cdf7fe4cdbdd1e27fdfc341f27d67fb Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Thu, 3 Jul 2025 16:01:08 +1200
Subject: [PATCH 168/212] fix(tests): Fix ServicesDatatable tests - r8s-395
 (#860)

---
 .../ServicesDatatable/ServicesDatatable.test.tsx           | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx b/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx
index 0d4dfe7fd..e8539826c 100644
--- a/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx
+++ b/app/react/kubernetes/services/ServicesView/ServicesDatatable/ServicesDatatable.test.tsx
@@ -84,11 +84,8 @@ beforeEach(() => {
   );
 });
 const mockUser = {
-  ...createMockUsers(1)[0],
-  PortainerAuthorizations: {
-    K8sAccessSystemNamespaces: true,
-    K8sServiceW: true,
-  },
+  // Admin user
+  ...createMockUsers(1, 1)[0],
 };
 
 function createTestComponent() {

From 1332f718aecb7f51fa26566a0f03fe47aca58240 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 4 Jul 2025 10:07:57 +1200
Subject: [PATCH 169/212] feat: add warning events count next to the status
 badge (#828)

---
 api/http/handler/kubernetes/namespaces.go     | 15 ++++++++
 api/kubernetes/cli/namespace.go               | 28 +++++++++++++++
 api/portainer.go                              | 19 ++++++-----
 .../SecretsDatatable/SecretsDatatable.tsx     | 20 +++++------
 .../CronJobsDatatable/columns/command.tsx     |  2 +-
 .../CronJobsDatatable/columns/schedule.tsx    |  2 +-
 .../CronJobsDatatable/columns/timezone.tsx    |  2 +-
 .../JobsDatatable/columns/command.tsx         |  2 +-
 .../JobsDatatable/columns/duration.tsx        |  2 +-
 .../JobsDatatable/columns/finished.tsx        |  2 +-
 .../JobsDatatable/columns/started.tsx         |  2 +-
 .../JobsView/JobsDatatable/columns/status.tsx |  2 +-
 .../ItemView/useNamespaceFormValues.test.ts   |  2 ++
 .../ListView/NamespacesDatatable.tsx          |  2 ++
 .../ListView/columns/useColumns.tsx           | 34 ++++++++++++++++---
 .../namespaces/queries/queryKeys.ts           |  3 +-
 .../namespaces/queries/useNamespacesQuery.ts  | 17 ++++++++--
 app/react/kubernetes/namespaces/types.ts      |  1 +
 18 files changed, 120 insertions(+), 37 deletions(-)

diff --git a/api/http/handler/kubernetes/namespaces.go b/api/http/handler/kubernetes/namespaces.go
index 2efde3b85..75dae9e69 100644
--- a/api/http/handler/kubernetes/namespaces.go
+++ b/api/http/handler/kubernetes/namespaces.go
@@ -22,6 +22,7 @@ import (
 // @produce json
 // @param id path int true "Environment identifier"
 // @param withResourceQuota query boolean true "When set to true, include the resource quota information as part of the Namespace information. Default is false"
+// @param withUnhealthyEvents query boolean true "When set to true, include the unhealthy events information as part of the Namespace information. Default is false"
 // @success 200 {array} portainer.K8sNamespaceInfo "Success"
 // @failure 400 "Invalid request payload, such as missing required fields or fields not meeting validation criteria."
 // @failure 401 "Unauthorized access - the user is not authenticated or does not have the necessary permissions. Ensure that you have provided a valid API key or JWT token, and that you have the required permissions."
@@ -36,6 +37,12 @@ func (handler *Handler) getKubernetesNamespaces(w http.ResponseWriter, r *http.R
 		return httperror.BadRequest("an error occurred during the GetKubernetesNamespaces operation, invalid query parameter withResourceQuota. Error: ", err)
 	}
 
+	withUnhealthyEvents, err := request.RetrieveBooleanQueryParameter(r, "withUnhealthyEvents", true)
+	if err != nil {
+		log.Error().Err(err).Str("context", "GetKubernetesNamespaces").Msg("Invalid query parameter withUnhealthyEvents")
+		return httperror.BadRequest("an error occurred during the GetKubernetesNamespaces operation, invalid query parameter withUnhealthyEvents. Error: ", err)
+	}
+
 	cli, httpErr := handler.prepareKubeClient(r)
 	if httpErr != nil {
 		log.Error().Err(httpErr).Str("context", "GetKubernetesNamespaces").Msg("Unable to get a Kubernetes client for the user")
@@ -48,6 +55,14 @@ func (handler *Handler) getKubernetesNamespaces(w http.ResponseWriter, r *http.R
 		return httperror.InternalServerError("an error occurred during the GetKubernetesNamespaces operation, unable to retrieve namespaces from the Kubernetes cluster. Error: ", err)
 	}
 
+	if withUnhealthyEvents {
+		namespaces, err = cli.CombineNamespacesWithUnhealthyEvents(namespaces)
+		if err != nil {
+			log.Error().Err(err).Str("context", "GetKubernetesNamespaces").Msg("Unable to combine namespaces with unhealthy events")
+			return httperror.InternalServerError("an error occurred during the GetKubernetesNamespaces operation, unable to combine namespaces with unhealthy events. Error: ", err)
+		}
+	}
+
 	if withResourceQuota {
 		return cli.CombineNamespacesWithResourceQuotas(namespaces, w)
 	}
diff --git a/api/kubernetes/cli/namespace.go b/api/kubernetes/cli/namespace.go
index 11307d651..bb29680b5 100644
--- a/api/kubernetes/cli/namespace.go
+++ b/api/kubernetes/cli/namespace.go
@@ -351,6 +351,34 @@ func (kcl *KubeClient) DeleteNamespace(namespaceName string) (*corev1.Namespace,
 	return namespace, nil
 }
 
+// CombineNamespacesWithUnhealthyEvents combines namespaces with unhealthy events across all namespaces
+func (kcl *KubeClient) CombineNamespacesWithUnhealthyEvents(namespaces map[string]portainer.K8sNamespaceInfo) (map[string]portainer.K8sNamespaceInfo, error) {
+	allEvents, err := kcl.GetEvents("", "")
+	if err != nil && !k8serrors.IsNotFound(err) {
+		log.Error().
+			Str("context", "CombineNamespacesWithUnhealthyEvents").
+			Err(err).
+			Msg("unable to retrieve unhealthy events from the Kubernetes for an admin user")
+		return nil, err
+	}
+
+	unhealthyEventCounts := make(map[string]int)
+	for _, event := range allEvents {
+		if event.Type == "Warning" {
+			unhealthyEventCounts[event.Namespace]++
+		}
+	}
+
+	for namespaceName, namespace := range namespaces {
+		if count, exists := unhealthyEventCounts[namespaceName]; exists {
+			namespace.UnhealthyEventCount = count
+			namespaces[namespaceName] = namespace
+		}
+	}
+
+	return namespaces, nil
+}
+
 // CombineNamespacesWithResourceQuotas combines namespaces with resource quotas where matching is based on "portainer-rq-"+namespace.Name
 func (kcl *KubeClient) CombineNamespacesWithResourceQuotas(namespaces map[string]portainer.K8sNamespaceInfo, w http.ResponseWriter) *httperror.HandlerError {
 	resourceQuotas, err := kcl.GetResourceQuotas("")
diff --git a/api/portainer.go b/api/portainer.go
index 1e5f2ea6f..bdd52aa34 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -621,15 +621,16 @@ type (
 	JobType int
 
 	K8sNamespaceInfo struct {
-		Id             string                 `json:"Id"`
-		Name           string                 `json:"Name"`
-		Status         corev1.NamespaceStatus `json:"Status"`
-		Annotations    map[string]string      `json:"Annotations"`
-		CreationDate   string                 `json:"CreationDate"`
-		NamespaceOwner string                 `json:"NamespaceOwner"`
-		IsSystem       bool                   `json:"IsSystem"`
-		IsDefault      bool                   `json:"IsDefault"`
-		ResourceQuota  *corev1.ResourceQuota  `json:"ResourceQuota"`
+		Id                  string                 `json:"Id"`
+		Name                string                 `json:"Name"`
+		Status              corev1.NamespaceStatus `json:"Status"`
+		Annotations         map[string]string      `json:"Annotations"`
+		CreationDate        string                 `json:"CreationDate"`
+		UnhealthyEventCount int                    `json:"UnhealthyEventCount"`
+		NamespaceOwner      string                 `json:"NamespaceOwner"`
+		IsSystem            bool                   `json:"IsSystem"`
+		IsDefault           bool                   `json:"IsDefault"`
+		ResourceQuota       *corev1.ResourceQuota  `json:"ResourceQuota"`
 	}
 
 	K8sNodeLimits struct {
diff --git a/app/react/kubernetes/configs/ListView/SecretsDatatable/SecretsDatatable.tsx b/app/react/kubernetes/configs/ListView/SecretsDatatable/SecretsDatatable.tsx
index 8cbc6de59..4f0140d55 100644
--- a/app/react/kubernetes/configs/ListView/SecretsDatatable/SecretsDatatable.tsx
+++ b/app/react/kubernetes/configs/ListView/SecretsDatatable/SecretsDatatable.tsx
@@ -100,18 +100,14 @@ function useSecretRowData(
 ): SecretRowData[] {
   return useMemo(
     () =>
-      secrets?.map(
-        (secret) =>
-          ({
-            ...secret,
-            inUse: secret.IsUsed,
-            isSystem: namespaces
-              ? namespaces.find(
-                  (namespace) => namespace.Name === secret.Namespace
-                )?.IsSystem ?? false
-              : false,
-          }) ?? []
-      ),
+      (secrets ?? []).map((secret) => ({
+        ...secret,
+        inUse: secret.IsUsed,
+        isSystem: namespaces
+          ? namespaces.find((namespace) => namespace.Name === secret.Namespace)
+              ?.IsSystem ?? false
+          : false,
+      })),
     [secrets, namespaces]
   );
 }
diff --git a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/command.tsx b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/command.tsx
index 04e6e155f..2d1977a0a 100644
--- a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/command.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/command.tsx
@@ -3,5 +3,5 @@ import { columnHelper } from './helper';
 export const command = columnHelper.accessor((row) => row.Command, {
   header: 'Command',
   id: 'command',
-  cell: ({ getValue }) => getValue(),
+  cell: ({ getValue }) => getValue() ?? '',
 });
diff --git a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/schedule.tsx b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/schedule.tsx
index 60a673eb0..f979240e8 100644
--- a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/schedule.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/schedule.tsx
@@ -3,5 +3,5 @@ import { columnHelper } from './helper';
 export const schedule = columnHelper.accessor((row) => row.Schedule, {
   header: 'Schedule',
   id: 'schedule',
-  cell: ({ getValue }) => getValue(),
+  cell: ({ getValue }) => getValue() ?? '',
 });
diff --git a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/timezone.tsx b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/timezone.tsx
index 54bb35a79..3b262b93b 100644
--- a/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/timezone.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/CronJobsDatatable/columns/timezone.tsx
@@ -3,5 +3,5 @@ import { columnHelper } from './helper';
 export const timezone = columnHelper.accessor((row) => row.Timezone, {
   header: 'Timezone',
   id: 'timezone',
-  cell: ({ getValue }) => getValue(),
+  cell: ({ getValue }) => getValue() ?? '',
 });
diff --git a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/command.tsx b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/command.tsx
index 04e6e155f..2d1977a0a 100644
--- a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/command.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/command.tsx
@@ -3,5 +3,5 @@ import { columnHelper } from './helper';
 export const command = columnHelper.accessor((row) => row.Command, {
   header: 'Command',
   id: 'command',
-  cell: ({ getValue }) => getValue(),
+  cell: ({ getValue }) => getValue() ?? '',
 });
diff --git a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/duration.tsx b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/duration.tsx
index 23cfcaf34..b189d5a7a 100644
--- a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/duration.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/duration.tsx
@@ -3,5 +3,5 @@ import { columnHelper } from './helper';
 export const duration = columnHelper.accessor((row) => row.Duration, {
   header: 'Duration',
   id: 'duration',
-  cell: ({ getValue }) => getValue(),
+  cell: ({ getValue }) => getValue() ?? '',
 });
diff --git a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/finished.tsx b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/finished.tsx
index b3bcb4e0f..cf8e5b5e3 100644
--- a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/finished.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/finished.tsx
@@ -3,5 +3,5 @@ import { columnHelper } from './helper';
 export const finished = columnHelper.accessor((row) => row.FinishTime, {
   header: 'Finished',
   id: 'finished',
-  cell: ({ getValue }) => getValue(),
+  cell: ({ getValue }) => getValue() ?? '',
 });
diff --git a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/started.tsx b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/started.tsx
index eff7f2465..8ea383c64 100644
--- a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/started.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/started.tsx
@@ -7,6 +7,6 @@ export const started = columnHelper.accessor(
   {
     header: 'Started',
     id: 'started',
-    cell: ({ getValue }) => getValue(),
+    cell: ({ getValue }) => getValue() ?? '',
   }
 );
diff --git a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/status.tsx b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/status.tsx
index 2f6ad1768..93ecb66a2 100644
--- a/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/status.tsx
+++ b/app/react/kubernetes/more-resources/JobsView/JobsDatatable/columns/status.tsx
@@ -26,7 +26,7 @@ function Cell({ row: { original: item } }: CellContext<Job, string>) {
           },
         ])}
       />
-      {item.Status}
+      {item.Status ?? ''}
       {item.Status === 'Failed' && (
         <span className="ml-1">
           <TooltipWithChildren
diff --git a/app/react/kubernetes/namespaces/ItemView/useNamespaceFormValues.test.ts b/app/react/kubernetes/namespaces/ItemView/useNamespaceFormValues.test.ts
index 623a4993c..4a39cf87d 100644
--- a/app/react/kubernetes/namespaces/ItemView/useNamespaceFormValues.test.ts
+++ b/app/react/kubernetes/namespaces/ItemView/useNamespaceFormValues.test.ts
@@ -28,6 +28,7 @@ const tests: NamespaceTestData[] = [
         Status: {
           phase: 'Active',
         },
+        UnhealthyEventCount: 0,
         Annotations: null,
         CreationDate: '2024-10-17T17:50:08+13:00',
         NamespaceOwner: 'admin',
@@ -118,6 +119,7 @@ const tests: NamespaceTestData[] = [
         Status: {
           phase: 'Active',
         },
+        UnhealthyEventCount: 0,
         Annotations: {
           asdf: 'asdf',
         },
diff --git a/app/react/kubernetes/namespaces/ListView/NamespacesDatatable.tsx b/app/react/kubernetes/namespaces/ListView/NamespacesDatatable.tsx
index 7307f830e..56345b53e 100644
--- a/app/react/kubernetes/namespaces/ListView/NamespacesDatatable.tsx
+++ b/app/react/kubernetes/namespaces/ListView/NamespacesDatatable.tsx
@@ -41,6 +41,7 @@ export function NamespacesDatatable() {
   const namespacesQuery = useNamespacesQuery(environmentId, {
     autoRefreshRate: tableState.autoRefreshRate * 1000,
     withResourceQuota: true,
+    withUnhealthyEvents: true,
   });
   const namespaces = Object.values(namespacesQuery.data ?? []);
 
@@ -181,6 +182,7 @@ function TableActions({
           queryClient.setQueryData(
             queryKeys.list(environmentId, {
               withResourceQuota: true,
+              withUnhealthyEvents: true,
             }),
             () => remainingNamespaces
           );
diff --git a/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx b/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx
index 541c2315f..ba5eaf159 100644
--- a/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx
+++ b/app/react/kubernetes/namespaces/ListView/columns/useColumns.tsx
@@ -1,13 +1,17 @@
 import _ from 'lodash';
 import { useMemo } from 'react';
+import { AlertTriangle } from 'lucide-react';
 
 import { isoDate } from '@/portainer/filters/filters';
 import { useAuthorizations } from '@/react/hooks/useUser';
+import { pluralize } from '@/portainer/helpers/strings';
 
 import { Link } from '@@/Link';
 import { StatusBadge } from '@@/StatusBadge';
 import { Badge } from '@@/Badge';
 import { SystemBadge } from '@@/Badge/SystemBadge';
+import { TooltipWithChildren } from '@@/Tip/TooltipWithChildren';
+import { Icon } from '@@/Icon';
 
 import { helper } from './helper';
 import { actions } from './actions';
@@ -45,12 +49,34 @@ export function useColumns() {
         }),
         helper.accessor('Status', {
           header: 'Status',
-          cell({ getValue }) {
+          cell({ getValue, row: { original: item } }) {
             const status = getValue();
             return (
-              <StatusBadge color={getColor(status.phase)}>
-                {status.phase}
-              </StatusBadge>
+              <div className="flex items-center gap-2">
+                <StatusBadge color={getColor(status.phase)}>
+                  {status.phase}
+                </StatusBadge>
+                {item.UnhealthyEventCount > 0 && (
+                  <TooltipWithChildren message="View events" position="top">
+                    <span className="inline-flex">
+                      <Link
+                        to="kubernetes.resourcePools.resourcePool"
+                        params={{ id: item.Name, tab: 'events' }}
+                        data-cy={`namespace-warning-link-${item.Name}`}
+                      >
+                        <Badge type="warnSecondary">
+                          <Icon
+                            icon={AlertTriangle}
+                            className="!mr-1 h-3 w-3"
+                          />
+                          {item.UnhealthyEventCount}{' '}
+                          {pluralize(item.UnhealthyEventCount, 'warning')}
+                        </Badge>
+                      </Link>
+                    </span>
+                  </TooltipWithChildren>
+                )}
+              </div>
             );
 
             function getColor(status?: string) {
diff --git a/app/react/kubernetes/namespaces/queries/queryKeys.ts b/app/react/kubernetes/namespaces/queries/queryKeys.ts
index ecfe4ea58..6c0a04676 100644
--- a/app/react/kubernetes/namespaces/queries/queryKeys.ts
+++ b/app/react/kubernetes/namespaces/queries/queryKeys.ts
@@ -5,7 +5,7 @@ import { EnvironmentId } from '@/react/portainer/environments/types';
 export const queryKeys = {
   list: (
     environmentId: EnvironmentId,
-    options?: { withResourceQuota?: boolean }
+    options?: { withResourceQuota?: boolean; withUnhealthyEvents?: boolean }
   ) =>
     compact([
       'environments',
@@ -13,6 +13,7 @@ export const queryKeys = {
       'kubernetes',
       'namespaces',
       options?.withResourceQuota,
+      options?.withUnhealthyEvents,
     ]),
   namespace: (environmentId: EnvironmentId, namespace: string) =>
     [
diff --git a/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts b/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts
index b4cd2d712..e7977db84 100644
--- a/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts
+++ b/app/react/kubernetes/namespaces/queries/useNamespacesQuery.ts
@@ -13,14 +13,21 @@ export function useNamespacesQuery<T = PortainerNamespace[]>(
   options?: {
     autoRefreshRate?: number;
     withResourceQuota?: boolean;
+    withUnhealthyEvents?: boolean;
     select?: (namespaces: PortainerNamespace[]) => T;
   }
 ) {
   return useQuery(
     queryKeys.list(environmentId, {
       withResourceQuota: !!options?.withResourceQuota,
+      withUnhealthyEvents: !!options?.withUnhealthyEvents,
     }),
-    async () => getNamespaces(environmentId, options?.withResourceQuota),
+    async () =>
+      getNamespaces(
+        environmentId,
+        options?.withResourceQuota,
+        options?.withUnhealthyEvents
+      ),
     {
       ...withGlobalError('Unable to get namespaces.'),
       refetchInterval() {
@@ -34,9 +41,13 @@ export function useNamespacesQuery<T = PortainerNamespace[]>(
 // getNamespaces is used to retrieve namespaces using the Portainer backend with caching
 export async function getNamespaces(
   environmentId: EnvironmentId,
-  withResourceQuota?: boolean
+  withResourceQuota?: boolean,
+  withUnhealthyEvents?: boolean
 ) {
-  const params = withResourceQuota ? { withResourceQuota } : {};
+  const params = {
+    withResourceQuota,
+    withUnhealthyEvents,
+  };
   try {
     const { data: namespaces } = await axios.get<PortainerNamespace[]>(
       `kubernetes/${environmentId}/namespaces`,
diff --git a/app/react/kubernetes/namespaces/types.ts b/app/react/kubernetes/namespaces/types.ts
index ba4abb744..f3626e675 100644
--- a/app/react/kubernetes/namespaces/types.ts
+++ b/app/react/kubernetes/namespaces/types.ts
@@ -10,6 +10,7 @@ export interface PortainerNamespace {
   Id: string;
   Name: string;
   Status: NamespaceStatus;
+  UnhealthyEventCount: number;
   Annotations: Record<string, string> | null;
   CreationDate: string;
   NamespaceOwner: string;

From 8ffe4e284a9de9caacdbd3d4b7d859b63040f38d Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Fri, 4 Jul 2025 10:48:54 +1200
Subject: [PATCH 170/212] fix(tls): set insecureSkipVerify to false in FIPS
 mode [BE-11932] (#849)

---
 api/cmd/portainer/main.go             | 3 ++-
 api/hostmanagement/openamt/openamt.go | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 90fd34fd2..23bd540a5 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -383,7 +383,8 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	gitService := git.NewService(shutdownCtx)
 
-	openAMTService := openamt.NewService()
+	// Setting insecureSkipVerify to true to preserve the old behaviour.
+	openAMTService := openamt.NewService(true)
 
 	cryptoService := &crypto.Service{}
 
diff --git a/api/hostmanagement/openamt/openamt.go b/api/hostmanagement/openamt/openamt.go
index b27b78878..5843c1bdb 100644
--- a/api/hostmanagement/openamt/openamt.go
+++ b/api/hostmanagement/openamt/openamt.go
@@ -32,9 +32,9 @@ type Service struct {
 }
 
 // NewService initializes a new service.
-func NewService() *Service {
+func NewService(insecureSkipVerify bool) *Service {
 	tlsConfig := crypto.CreateTLSConfiguration()
-	tlsConfig.InsecureSkipVerify = true
+	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 
 	return &Service{
 		httpsClient: &http.Client{

From c20a8b5a68dcb9fdede92e707461e3302e7013c4 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Sat, 5 Jul 2025 02:49:33 +1200
Subject: [PATCH 171/212] fix(template): app template v3 error [BE-11998]
 (#854)

---
 api/http/handler/templates/utils_fetch_templates.go  |  6 ++++--
 .../CreateView/tests/app-templates.test.tsx          |  5 +----
 .../DeployFormWidget/EnvVarsFieldset.test.tsx        | 11 +++++++----
 .../DeployFormWidget/EnvVarsFieldset.tsx             | 12 +++++++-----
 .../DeployFormWidget/StackDeployForm/types.ts        |  2 +-
 .../portainer/templates/app-templates/view-model.ts  |  4 +---
 6 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/api/http/handler/templates/utils_fetch_templates.go b/api/http/handler/templates/utils_fetch_templates.go
index 73f9bad56..fc5c97125 100644
--- a/api/http/handler/templates/utils_fetch_templates.go
+++ b/api/http/handler/templates/utils_fetch_templates.go
@@ -40,11 +40,13 @@ func (handler *Handler) fetchTemplates() (*listResponse, *httperror.HandlerError
 	}
 	defer resp.Body.Close()
 
-	err = json.NewDecoder(resp.Body).Decode(&body)
-	if err != nil {
+	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
 		return nil, httperror.InternalServerError("Unable to parse template file", err)
 	}
 
+	for i := range body.Templates {
+		body.Templates[i].ID = portainer.TemplateID(i + 1)
+	}
 	return body, nil
 
 }
diff --git a/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx b/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx
index 9cb4ba546..a0d13e43a 100644
--- a/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx
+++ b/app/react/edge/edge-stacks/CreateView/tests/app-templates.test.tsx
@@ -80,10 +80,7 @@ test('The form should submit the correct request body for a given app template',
   // fill in the name and select the docker edge group
   const user = userEvent.setup();
   await user.type(getByRole('textbox', { name: 'Name *' }), 'my-stack');
-  await user.type(
-    getByRole('textbox', { name: 'License key *' }),
-    'license-123'
-  );
+  await user.type(getByRole('textbox', { name: 'License key' }), 'license-123');
   const selectElement = getByLabelText('Edge groups');
   await selectEvent.select(selectElement, 'docker');
 
diff --git a/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.test.tsx b/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.test.tsx
index d5dbb2633..12c836d0d 100644
--- a/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.test.tsx
+++ b/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.test.tsx
@@ -51,7 +51,7 @@ test('calls onChange when input value changes', async () => {
 
   const inputElement = screen.getByDisplayValue(value.VAR1);
   await user.clear(inputElement);
-  expect(onChange).toHaveBeenCalledWith({ VAR1: '' });
+  expect(onChange).toHaveBeenCalledWith({ VAR1: undefined });
 
   const newValue = 'New Value';
   await user.type(inputElement, newValue);
@@ -107,11 +107,14 @@ test('validates env vars fieldset', () => {
   ]);
 
   const validData = { VAR1: 'Value 1', VAR2: 'Value 2' };
-  const invalidData = { VAR1: '', VAR2: 'Value 2' };
+  const emptyData = { VAR1: '', VAR2: 'Value 2' };
+  const undefinedData = { VAR1: undefined, VAR2: 'Value 2' };
 
   const validResult = schema.isValidSync(validData);
-  const invalidResult = schema.isValidSync(invalidData);
+  const emptyResult = schema.isValidSync(emptyData);
+  const undefinedResult = schema.isValidSync(undefinedData);
 
   expect(validResult).toBe(true);
-  expect(invalidResult).toBe(false);
+  expect(emptyResult).toBe(true);
+  expect(undefinedResult).toBe(true);
 });
diff --git a/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.tsx b/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.tsx
index dad33af07..a1281772f 100644
--- a/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.tsx
+++ b/app/react/portainer/templates/app-templates/DeployFormWidget/EnvVarsFieldset.tsx
@@ -6,7 +6,7 @@ import { TemplateEnv } from '@/react/portainer/templates/app-templates/types';
 import { FormControl } from '@@/form-components/FormControl';
 import { Input, Select } from '@@/form-components/Input';
 
-type Value = Record<string, string>;
+type Value = Record<string, string | undefined>;
 
 export { type Value as EnvVarsValue };
 
@@ -27,7 +27,7 @@ export function EnvVarsFieldset({
         <Item
           key={env.name}
           option={env}
-          value={values[env.name]}
+          value={values[env.name] || ''}
           onChange={(value) => handleChange(env.name, value)}
           errors={errors?.[env.name]}
         />
@@ -36,7 +36,7 @@ export function EnvVarsFieldset({
   );
 
   function handleChange(name: string, envValue: string) {
-    onChange({ ...values, [name]: envValue });
+    onChange({ ...values, [name]: envValue || undefined });
   }
 }
 
@@ -55,7 +55,7 @@ function Item({
   return (
     <FormControl
       label={option.label || option.name}
-      required={!option.preset}
+      required={false}
       errors={errors}
       inputId={inputId}
     >
@@ -101,7 +101,9 @@ export function envVarsFieldsetValidation(
 ): SchemaOf<Value> {
   return object(
     Object.fromEntries(
-      definitions.map((v) => [v.name, string().required('Required')])
+      definitions
+        .filter((v) => !v.preset)
+        .map((v) => [v.name, string().optional()])
     )
   );
 }
diff --git a/app/react/portainer/templates/app-templates/DeployFormWidget/StackDeployForm/types.ts b/app/react/portainer/templates/app-templates/DeployFormWidget/StackDeployForm/types.ts
index d94a2412e..f40d79c56 100644
--- a/app/react/portainer/templates/app-templates/DeployFormWidget/StackDeployForm/types.ts
+++ b/app/react/portainer/templates/app-templates/DeployFormWidget/StackDeployForm/types.ts
@@ -2,6 +2,6 @@ import { AccessControlFormData } from '@/react/portainer/access-control/types';
 
 export interface FormValues {
   name: string;
-  envVars: Record<string, string>;
+  envVars: Record<string, string | undefined>;
   accessControl: AccessControlFormData;
 }
diff --git a/app/react/portainer/templates/app-templates/view-model.ts b/app/react/portainer/templates/app-templates/view-model.ts
index 94ea24bc3..3619caa20 100644
--- a/app/react/portainer/templates/app-templates/view-model.ts
+++ b/app/react/portainer/templates/app-templates/view-model.ts
@@ -88,10 +88,8 @@ function setTemplatesV3(this: TemplateViewModel, template: AppTemplate) {
   this.Id = template.id;
 }
 
-let templateV2ID = 0;
-
 function setTemplatesV2(this: TemplateViewModel, template: AppTemplate) {
-  this.Id = templateV2ID++;
+  this.Id = template.id;
   this.Title = template.title;
   this.Type = template.type;
   this.Description = template.description;

From 0a36d4fbfd42362f05363c6e6f75cebbffce2e4f Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Mon, 7 Jul 2025 11:29:29 +1200
Subject: [PATCH 172/212] fix: `kubectl` sdk - capture fatal error and return
 instead of exiting 1 [r7s-371] (#841)

---
 pkg/libkubectl/apply.go   | 16 ++++++++++++++--
 pkg/libkubectl/client.go  |  5 +++++
 pkg/libkubectl/delete.go  | 15 ++++++++++++++-
 pkg/libkubectl/restart.go | 15 ++++++++++++++-
 4 files changed, 47 insertions(+), 4 deletions(-)

diff --git a/pkg/libkubectl/apply.go b/pkg/libkubectl/apply.go
index 5dad5adc5..23619e532 100644
--- a/pkg/libkubectl/apply.go
+++ b/pkg/libkubectl/apply.go
@@ -6,18 +6,30 @@ import (
 	"fmt"
 
 	"k8s.io/kubectl/pkg/cmd/apply"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
 
 func (c *Client) Apply(ctx context.Context, manifests []string) (string, error) {
 	buf := new(bytes.Buffer)
 
+	var fatalErr error
+	cmdutil.BehaviorOnFatal(func(msg string, code int) {
+		fatalErr = newKubectlFatalError(code, msg)
+	})
+	defer cmdutil.DefaultBehaviorOnFatal()
+
 	cmd := apply.NewCmdApply("kubectl", c.factory, c.streams)
 	cmd.SetArgs(resourcesToArgs(manifests))
 	cmd.SetOut(buf)
 
-	if err := cmd.ExecuteContext(ctx); err != nil {
+	err := cmd.ExecuteContext(ctx)
+	// check for the fatal error first so we don't return the error from the command execution
+	if fatalErr != nil {
+		return "", fatalErr
+	}
+	// if there is no fatal error, return the error from the command execution
+	if err != nil {
 		return "", fmt.Errorf("error applying resources: %w", err)
 	}
-
 	return buf.String(), nil
 }
diff --git a/pkg/libkubectl/client.go b/pkg/libkubectl/client.go
index f9d4137f6..0229c8167 100644
--- a/pkg/libkubectl/client.go
+++ b/pkg/libkubectl/client.go
@@ -3,6 +3,7 @@ package libkubectl
 import (
 	"bytes"
 	"errors"
+	"fmt"
 
 	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"k8s.io/cli-runtime/pkg/genericiooptions"
@@ -61,3 +62,7 @@ func generateConfigFlags(token, server, namespace, kubeconfigPath string, insecu
 
 	return configFlags, nil
 }
+
+func newKubectlFatalError(code int, msg string) error {
+	return fmt.Errorf("kubectl fatal error (exit code %d): %s", code, msg)
+}
diff --git a/pkg/libkubectl/delete.go b/pkg/libkubectl/delete.go
index bb093ab4d..4544dfc76 100644
--- a/pkg/libkubectl/delete.go
+++ b/pkg/libkubectl/delete.go
@@ -6,17 +6,30 @@ import (
 	"fmt"
 
 	"k8s.io/kubectl/pkg/cmd/delete"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
 
 func (c *Client) Delete(ctx context.Context, manifests []string) (string, error) {
 	buf := new(bytes.Buffer)
 
+	var fatalErr error
+	cmdutil.BehaviorOnFatal(func(msg string, code int) {
+		fatalErr = newKubectlFatalError(code, msg)
+	})
+	defer cmdutil.DefaultBehaviorOnFatal()
+
 	cmd := delete.NewCmdDelete(c.factory, c.streams)
 	cmd.SetArgs(resourcesToArgs(manifests))
 	cmd.Flags().Set("ignore-not-found", "true")
 	cmd.SetOut(buf)
 
-	if err := cmd.ExecuteContext(ctx); err != nil {
+	err := cmd.ExecuteContext(ctx)
+	// check for the fatal error first so we don't return the error from the command execution
+	if fatalErr != nil {
+		return "", fatalErr
+	}
+	// if there is no fatal error, return the error from the command execution
+	if err != nil {
 		return "", fmt.Errorf("error deleting resources: %w", err)
 	}
 
diff --git a/pkg/libkubectl/restart.go b/pkg/libkubectl/restart.go
index fcfa7fd15..9ce7149aa 100644
--- a/pkg/libkubectl/restart.go
+++ b/pkg/libkubectl/restart.go
@@ -6,11 +6,18 @@ import (
 	"fmt"
 
 	"k8s.io/kubectl/pkg/cmd/rollout"
+	cmdutil "k8s.io/kubectl/pkg/cmd/util"
 )
 
 func (c *Client) RolloutRestart(ctx context.Context, manifests []string) (string, error) {
 	buf := new(bytes.Buffer)
 
+	var fatalErr error
+	cmdutil.BehaviorOnFatal(func(msg string, code int) {
+		fatalErr = newKubectlFatalError(code, msg)
+	})
+	defer cmdutil.DefaultBehaviorOnFatal()
+
 	cmd := rollout.NewCmdRollout(c.factory, c.streams)
 	args := []string{"restart"}
 	args = append(args, resourcesToArgs(manifests)...)
@@ -18,7 +25,13 @@ func (c *Client) RolloutRestart(ctx context.Context, manifests []string) (string
 	cmd.SetArgs(args)
 	cmd.SetOut(buf)
 
-	if err := cmd.ExecuteContext(ctx); err != nil {
+	err := cmd.ExecuteContext(ctx)
+	// check for the fatal error first so we don't return the error from the command execution
+	if fatalErr != nil {
+		return "", fatalErr
+	}
+	// if there is no fatal error, return the error from the command execution
+	if err != nil {
 		return "", fmt.Errorf("error restarting resources: %w", err)
 	}
 

From 0c80b1067d8e3057046bfa8b68eea5fb7acf69bc Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Mon, 7 Jul 2025 20:54:44 +1200
Subject: [PATCH 173/212] fix(styles): update datetime picker styles for
 improved dark mode support [BE-11672] (#863)

---
 .../css/react-datetime-picker-override.css    | 41 ++++++++++++-------
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/app/assets/css/react-datetime-picker-override.css b/app/assets/css/react-datetime-picker-override.css
index acd26fb58..dbbea4766 100644
--- a/app/assets/css/react-datetime-picker-override.css
+++ b/app/assets/css/react-datetime-picker-override.css
@@ -12,35 +12,40 @@
 /*
   Extending Calendar.css from react-daterange-picker__calendar
 */
-.react-daterange-picker__calendar .react-calendar {
+.react-calendar {
   background: var(--bg-calendar-color);
   color: var(--text-main-color);
+  @apply th-dark:bg-gray-iron-10;
 }
 
 /* calendar nav buttons */
-.react-daterange-picker__calendar .react-calendar__navigation button:disabled {
+.react-calendar__navigation button:disabled {
   background: var(--bg-calendar-color);
   @apply opacity-60;
   @apply brightness-95 th-dark:brightness-110;
+  @apply th-dark:bg-gray-iron-7;
 }
-.react-daterange-picker__calendar .react-calendar__navigation button:enabled:hover,
-.react-daterange-picker__calendar .react-calendar__navigation button:enabled:focus {
+.react-calendar__navigation button:enabled:hover,
+.react-calendar__navigation button:enabled:focus {
   background: var(--bg-daterangepicker-color);
+  @apply th-dark:bg-gray-iron-7;
 }
 
 /* date tile */
-.react-daterange-picker__calendar .react-calendar__tile:disabled {
-  background: var(--bg-calendar-color);
+.react-calendar__tile:disabled {
   @apply opacity-60;
   @apply brightness-95 th-dark:brightness-110;
+  @apply th-dark:bg-gray-iron-7;
 }
-.react-daterange-picker__calendar .react-calendar__tile:enabled:hover,
-.react-daterange-picker__calendar .react-calendar__tile:enabled:focus {
+
+.react-calendar__tile:enabled:hover,
+.react-calendar__tile:enabled:focus {
   background: var(--bg-daterangepicker-hover);
+  @apply th-dark:bg-gray-iron-7;
 }
 
 /* today's date tile */
-.react-daterange-picker__calendar .react-calendar__tile--now {
+.react-calendar__tile--now {
   @apply th-highcontrast:text-[color:var(--bg-calendar-color)] th-dark:text-[color:var(--bg-calendar-color)];
   border-radius: 0.25rem !important;
 }
@@ -48,23 +53,27 @@
 .react-daterange-picker__calendar .react-calendar__tile--now:enabled:focus {
   background: var(--bg-daterangepicker-hover);
   color: var(--text-daterangepicker-hover);
+  @apply th-dark:bg-gray-iron-7;
 }
 
 /* probably date tile in range */
-.react-daterange-picker__calendar .react-calendar__tile--hasActive {
+.react-calendar__tile--hasActive {
   background: var(--bg-daterangepicker-end-date);
   color: var(--text-daterangepicker-end-date);
+  @apply th-dark:bg-gray-iron-7;
 }
-.react-daterange-picker__calendar .react-calendar__tile--hasActive:enabled:hover,
-.react-daterange-picker__calendar .react-calendar__tile--hasActive:enabled:focus {
+.react-calendar__tile--hasActive:enabled:hover,
+.react-calendar__tile--hasActive:enabled:focus {
   background: var(--bg-daterangepicker-hover);
   color: var(--text-daterangepicker-hover);
+  @apply th-dark:bg-gray-iron-7;
 }
 
-.react-daterange-picker__calendar .react-calendar__tile--active:enabled:hover,
-.react-daterange-picker__calendar .react-calendar__tile--active:enabled:focus {
+.react-calendar__tile--active:enabled:hover,
+.react-calendar__tile--active:enabled:focus {
   background: var(--bg-daterangepicker-hover);
   color: var(--text-daterangepicker-hover);
+  @apply th-dark:bg-gray-iron-7;
 }
 
 .react-daterange-picker__calendar
@@ -75,9 +84,10 @@
 }
 
 /* on range select hover */
-.react-daterange-picker__calendar .react-calendar--selectRange .react-calendar__tile--hover {
+.react-calendar--selectRange .react-calendar__tile--hover {
   background: var(--bg-daterangepicker-in-range);
   color: var(--text-daterangepicker-in-range);
+  @apply th-dark:bg-gray-iron-7;
 }
 
 /*
@@ -111,4 +121,5 @@
 
 .react-calendar__tile--active.react-calendar__month-view__days__day--weekend {
   color: var(--text-daterangepicker-active);
+  @apply th-dark:bg-gray-iron-7;
 }

From 302deb82999e813239fe42376317e77cb5b5d41f Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 7 Jul 2025 14:29:56 -0300
Subject: [PATCH 174/212] chore(dataservices): enhance ReadAll() so it takes
 predicates for filtering results BE-12016 (#866)

---
 api/dataservices/base.go              |  7 +-
 api/dataservices/base_test.go         | 92 +++++++++++++++++++++++++++
 api/dataservices/base_tx.go           | 23 ++++++-
 api/internal/testhelpers/datastore.go | 36 +++++++++--
 4 files changed, 147 insertions(+), 11 deletions(-)
 create mode 100644 api/dataservices/base_test.go

diff --git a/api/dataservices/base.go b/api/dataservices/base.go
index 04af70b02..18839b60f 100644
--- a/api/dataservices/base.go
+++ b/api/dataservices/base.go
@@ -10,7 +10,7 @@ type BaseCRUD[T any, I constraints.Integer] interface {
 	Create(element *T) error
 	Read(ID I) (*T, error)
 	Exists(ID I) (bool, error)
-	ReadAll() ([]T, error)
+	ReadAll(predicates ...func(T) bool) ([]T, error)
 	Update(ID I, element *T) error
 	Delete(ID I) error
 }
@@ -56,12 +56,13 @@ func (service BaseDataService[T, I]) Exists(ID I) (bool, error) {
 	return exists, err
 }
 
-func (service BaseDataService[T, I]) ReadAll() ([]T, error) {
+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service BaseDataService[T, I]) ReadAll(predicates ...func(T) bool) ([]T, error) {
 	var collection = make([]T, 0)
 
 	return collection, service.Connection.ViewTx(func(tx portainer.Transaction) error {
 		var err error
-		collection, err = service.Tx(tx).ReadAll()
+		collection, err = service.Tx(tx).ReadAll(predicates...)
 
 		return err
 	})
diff --git a/api/dataservices/base_test.go b/api/dataservices/base_test.go
new file mode 100644
index 000000000..e97a09963
--- /dev/null
+++ b/api/dataservices/base_test.go
@@ -0,0 +1,92 @@
+package dataservices
+
+import (
+	"strconv"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/slicesx"
+
+	"github.com/stretchr/testify/require"
+)
+
+type testObject struct {
+	ID    int
+	Value int
+}
+
+type mockConnection struct {
+	store map[int]testObject
+
+	portainer.Connection
+}
+
+func (m mockConnection) UpdateObject(bucket string, key []byte, value interface{}) error {
+	obj := value.(*testObject)
+
+	m.store[obj.ID] = *obj
+
+	return nil
+}
+
+func (m mockConnection) GetAll(bucketName string, obj any, appendFn func(o any) (any, error)) error {
+	for _, v := range m.store {
+		if _, err := appendFn(&v); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m mockConnection) UpdateTx(fn func(portainer.Transaction) error) error {
+	return fn(m)
+}
+
+func (m mockConnection) ViewTx(fn func(portainer.Transaction) error) error {
+	return fn(m)
+}
+
+func (m mockConnection) ConvertToKey(v int) []byte {
+	return []byte(strconv.Itoa(v))
+}
+
+func TestReadAll(t *testing.T) {
+	service := BaseDataService[testObject, int]{
+		Bucket:     "testBucket",
+		Connection: mockConnection{store: make(map[int]testObject)},
+	}
+
+	data := []testObject{
+		{ID: 1, Value: 1},
+		{ID: 2, Value: 2},
+		{ID: 3, Value: 3},
+		{ID: 4, Value: 4},
+		{ID: 5, Value: 5},
+	}
+
+	for _, item := range data {
+		err := service.Update(item.ID, &item)
+		require.NoError(t, err)
+	}
+
+	// ReadAll without predicates
+	result, err := service.ReadAll()
+	require.NoError(t, err)
+
+	expected := append([]testObject{}, data...)
+
+	require.ElementsMatch(t, expected, result)
+
+	// ReadAll with predicates
+	hasLowID := func(obj testObject) bool { return obj.ID < 3 }
+	isEven := func(obj testObject) bool { return obj.Value%2 == 0 }
+
+	result, err = service.ReadAll(hasLowID, isEven)
+	require.NoError(t, err)
+
+	expected = slicesx.Filter(expected, hasLowID)
+	expected = slicesx.Filter(expected, isEven)
+
+	require.ElementsMatch(t, expected, result)
+}
diff --git a/api/dataservices/base_tx.go b/api/dataservices/base_tx.go
index d9915b64c..5d7e7eee0 100644
--- a/api/dataservices/base_tx.go
+++ b/api/dataservices/base_tx.go
@@ -34,13 +34,32 @@ func (service BaseDataServiceTx[T, I]) Exists(ID I) (bool, error) {
 	return service.Tx.KeyExists(service.Bucket, identifier)
 }
 
-func (service BaseDataServiceTx[T, I]) ReadAll() ([]T, error) {
+// ReadAll retrieves all the elements that satisfy all the provided predicates.
+func (service BaseDataServiceTx[T, I]) ReadAll(predicates ...func(T) bool) ([]T, error) {
 	var collection = make([]T, 0)
 
+	if len(predicates) == 0 {
+		return collection, service.Tx.GetAll(
+			service.Bucket,
+			new(T),
+			AppendFn(&collection),
+		)
+	}
+
+	filterFn := func(element T) bool {
+		for _, p := range predicates {
+			if !p(element) {
+				return false
+			}
+		}
+
+		return true
+	}
+
 	return collection, service.Tx.GetAll(
 		service.Bucket,
 		new(T),
-		AppendFn(&collection),
+		FilterFn(&collection, filterFn),
 	)
 }
 
diff --git a/api/internal/testhelpers/datastore.go b/api/internal/testhelpers/datastore.go
index 392f21e97..19254f540 100644
--- a/api/internal/testhelpers/datastore.go
+++ b/api/internal/testhelpers/datastore.go
@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/database"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/portainer/portainer/api/slicesx"
 )
 
 var _ dataservices.DataStore = &testDatastore{}
@@ -152,8 +153,17 @@ type stubUserService struct {
 	users []portainer.User
 }
 
-func (s *stubUserService) BucketName() string                 { return "users" }
-func (s *stubUserService) ReadAll() ([]portainer.User, error) { return s.users, nil }
+func (s *stubUserService) BucketName() string { return "users" }
+func (s *stubUserService) ReadAll(predicates ...func(portainer.User) bool) ([]portainer.User, error) {
+	filtered := s.users
+
+	for _, p := range predicates {
+		filtered = slicesx.Filter(filtered, p)
+	}
+
+	return filtered, nil
+}
+
 func (s *stubUserService) UsersByRole(role portainer.UserRole) ([]portainer.User, error) {
 	return s.users, nil
 }
@@ -171,8 +181,16 @@ type stubEdgeJobService struct {
 	jobs []portainer.EdgeJob
 }
 
-func (s *stubEdgeJobService) BucketName() string                    { return "edgejobs" }
-func (s *stubEdgeJobService) ReadAll() ([]portainer.EdgeJob, error) { return s.jobs, nil }
+func (s *stubEdgeJobService) BucketName() string { return "edgejobs" }
+func (s *stubEdgeJobService) ReadAll(predicates ...func(portainer.EdgeJob) bool) ([]portainer.EdgeJob, error) {
+	filtered := s.jobs
+
+	for _, p := range predicates {
+		filtered = slicesx.Filter(filtered, p)
+	}
+
+	return filtered, nil
+}
 
 // WithEdgeJobs option will instruct testDatastore to return provided jobs
 func WithEdgeJobs(js []portainer.EdgeJob) datastoreOption {
@@ -362,8 +380,14 @@ func (s *stubStacksService) Read(ID portainer.StackID) (*portainer.Stack, error)
 	return nil, errors.ErrObjectNotFound
 }
 
-func (s *stubStacksService) ReadAll() ([]portainer.Stack, error) {
-	return s.stacks, nil
+func (s *stubStacksService) ReadAll(predicates ...func(portainer.Stack) bool) ([]portainer.Stack, error) {
+	filtered := s.stacks
+
+	for _, p := range predicates {
+		filtered = slicesx.Filter(filtered, p)
+	}
+
+	return filtered, nil
 }
 
 func (s *stubStacksService) StacksByEndpointID(endpointID portainer.EndpointID) ([]portainer.Stack, error) {

From 4d11aa8655aa3d010193cf1b42293c2c42ec33d3 Mon Sep 17 00:00:00 2001
From: Oscar Zhou <100548325+oscarzhou-portainer@users.noreply.github.com>
Date: Thu, 10 Jul 2025 00:55:59 +1200
Subject: [PATCH 175/212] fix(tag): ignore "environment not found" when
 deleting tag [BE-11944] (#869)

---
 api/http/handler/tags/tag_delete.go      |  3 +++
 api/http/handler/tags/tag_delete_test.go | 25 ++++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/api/http/handler/tags/tag_delete.go b/api/http/handler/tags/tag_delete.go
index 1fa98e394..5e67c4f4c 100644
--- a/api/http/handler/tags/tag_delete.go
+++ b/api/http/handler/tags/tag_delete.go
@@ -59,6 +59,9 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 
 	for endpointID := range tag.Endpoints {
 		endpoint, err := tx.Endpoint().Endpoint(endpointID)
+		if tx.IsErrObjectNotFound(err) {
+			continue
+		}
 		if err != nil {
 			return httperror.InternalServerError("Unable to retrieve environment from the database", err)
 		}
diff --git a/api/http/handler/tags/tag_delete_test.go b/api/http/handler/tags/tag_delete_test.go
index cabf20963..a215e7edd 100644
--- a/api/http/handler/tags/tag_delete_test.go
+++ b/api/http/handler/tags/tag_delete_test.go
@@ -84,3 +84,28 @@ func TestTagDeleteEdgeGroupsConcurrently(t *testing.T) {
 		t.Fatal("the edge group is not consistent")
 	}
 }
+
+func TestDeleteTag(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, false)
+
+	// Test the tx.IsErrObjectNotFound logic when endpoint is not found during cleanup
+	t.Run("should continue gracefully when endpoint not found during cleanup", func(t *testing.T) {
+		// Create a tag with a reference to a non-existent endpoint
+		tag := &portainer.Tag{
+			ID:             1,
+			Name:           "test-tag",
+			Endpoints:      map[portainer.EndpointID]bool{999: true}, // Non-existent endpoint
+			EndpointGroups: make(map[portainer.EndpointGroupID]bool),
+		}
+
+		err := store.Tag().Create(tag)
+		if err != nil {
+			t.Fatal("could not create tag:", err)
+		}
+
+		err = deleteTag(store, 1)
+		if err != nil {
+			t.Fatal("could not delete tag:", err)
+		}
+	})
+}

From ea4b334c7e0f5d3d6e3b24cfcdd74b113c5ce122 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Wed, 9 Jul 2025 16:15:43 -0300
Subject: [PATCH 176/212] feat(csp): enable CSP by default BE-11961 (#872)

---
 api/cli/cli.go                              |  1 +
 api/cmd/portainer/main.go                   |  1 +
 api/http/handler/file/handler.go            |  7 +++--
 api/http/security/bouncer.go                | 10 +++++--
 api/http/security/bouncer_test.go           | 31 +++++++++++++++++++++
 api/http/server.go                          |  6 +++-
 api/internal/testhelpers/request_bouncer.go |  2 ++
 api/portainer.go                            |  3 ++
 8 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/api/cli/cli.go b/api/cli/cli.go
index 7f6d80e68..0722c0b2e 100644
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -62,6 +62,7 @@ func CLIFlags() *portainer.CLIFlags {
 		KubectlShellImage:         kingpin.Flag("kubectl-shell-image", "Kubectl shell image").Envar(portainer.KubectlShellImageEnvVar).Default(portainer.DefaultKubectlShellImage).String(),
 		PullLimitCheckDisabled:    kingpin.Flag("pull-limit-check-disabled", "Pull limit check").Envar(portainer.PullLimitCheckDisabledEnvVar).Default(defaultPullLimitCheckDisabled).Bool(),
 		TrustedOrigins:            kingpin.Flag("trusted-origins", "List of trusted origins for CSRF protection. Separate multiple origins with a comma.").Envar(portainer.TrustedOriginsEnvVar).String(),
+		CSP:                       kingpin.Flag("csp", "Content Security Policy (CSP) header").Envar(portainer.CSPEnvVar).Default("true").Bool(),
 	}
 }
 
diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 23bd540a5..30493a3da 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -559,6 +559,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		Status:                      applicationStatus,
 		BindAddress:                 *flags.Addr,
 		BindAddressHTTPS:            *flags.AddrHTTPS,
+		CSP:                         *flags.CSP,
 		HTTPEnabled:                 sslDBSettings.HTTPEnabled,
 		AssetsPath:                  *flags.Assets,
 		DataStore:                   dataStore,
diff --git a/api/http/handler/file/handler.go b/api/http/handler/file/handler.go
index 66f81b64a..9e57478c8 100644
--- a/api/http/handler/file/handler.go
+++ b/api/http/handler/file/handler.go
@@ -17,12 +17,12 @@ type Handler struct {
 }
 
 // NewHandler creates a handler to serve static files.
-func NewHandler(assetPublicPath string, wasInstanceDisabled func() bool) *Handler {
+func NewHandler(assetPublicPath string, csp bool, wasInstanceDisabled func() bool) *Handler {
 	h := &Handler{
 		Handler: security.MWSecureHeaders(
 			gzhttp.GzipHandler(http.FileServer(http.Dir(assetPublicPath))),
 			featureflags.IsEnabled("hsts"),
-			featureflags.IsEnabled("csp"),
+			csp,
 		),
 		wasInstanceDisabled: wasInstanceDisabled,
 	}
@@ -36,6 +36,7 @@ func isHTML(acceptContent []string) bool {
 			return true
 		}
 	}
+
 	return false
 }
 
@@ -43,11 +44,13 @@ func (handler *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	if handler.wasInstanceDisabled() {
 		if r.RequestURI == "/" || r.RequestURI == "/index.html" {
 			http.Redirect(w, r, "/timeout.html", http.StatusTemporaryRedirect)
+
 			return
 		}
 	} else {
 		if strings.HasPrefix(r.RequestURI, "/timeout.html") {
 			http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+
 			return
 		}
 	}
diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index eb240692d..fa7360f4c 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -35,6 +35,7 @@ type (
 		JWTAuthLookup(*http.Request) (*portainer.TokenData, error)
 		TrustedEdgeEnvironmentAccess(dataservices.DataStoreTx, *portainer.Endpoint) error
 		RevokeJWT(string)
+		DisableCSP()
 	}
 
 	// RequestBouncer represents an entity that manages API request accesses
@@ -72,7 +73,7 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
 		jwtService:    jwtService,
 		apiKeyService: apiKeyService,
 		hsts:          featureflags.IsEnabled("hsts"),
-		csp:           featureflags.IsEnabled("csp"),
+		csp:           true,
 	}
 
 	go b.cleanUpExpiredJWT()
@@ -80,6 +81,11 @@ func NewRequestBouncer(dataStore dataservices.DataStore, jwtService portainer.JW
 	return b
 }
 
+// DisableCSP disables Content Security Policy
+func (bouncer *RequestBouncer) DisableCSP() {
+	bouncer.csp = false
+}
+
 // PublicAccess defines a security check for public API endpoints.
 // No authentication is required to access these endpoints.
 func (bouncer *RequestBouncer) PublicAccess(h http.Handler) http.Handler {
@@ -528,7 +534,7 @@ func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler {
 		}
 
 		if csp {
-			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud")
+			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud; frame-ancestors 'none';")
 		}
 
 		w.Header().Set("X-Content-Type-Options", "nosniff")
diff --git a/api/http/security/bouncer_test.go b/api/http/security/bouncer_test.go
index 4d84dcfee..3dd42fdc5 100644
--- a/api/http/security/bouncer_test.go
+++ b/api/http/security/bouncer_test.go
@@ -530,3 +530,34 @@ func TestJWTRevocation(t *testing.T) {
 
 	require.Equal(t, 1, revokeLen())
 }
+
+func TestCSPHeaderDefault(t *testing.T) {
+	b := NewRequestBouncer(nil, nil, nil)
+
+	srv := httptest.NewServer(
+		b.PublicAccess(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})),
+	)
+	defer srv.Close()
+
+	resp, err := http.Get(srv.URL + "/")
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.Contains(t, resp.Header, "Content-Security-Policy")
+}
+
+func TestCSPHeaderDisabled(t *testing.T) {
+	b := NewRequestBouncer(nil, nil, nil)
+	b.DisableCSP()
+
+	srv := httptest.NewServer(
+		b.PublicAccess(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})),
+	)
+	defer srv.Close()
+
+	resp, err := http.Get(srv.URL + "/")
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	require.NotContains(t, resp.Header, "Content-Security-Policy")
+}
diff --git a/api/http/server.go b/api/http/server.go
index e876ca5d2..5bfa36379 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -77,6 +77,7 @@ type Server struct {
 	AuthorizationService        *authorization.Service
 	BindAddress                 string
 	BindAddressHTTPS            string
+	CSP                         bool
 	HTTPEnabled                 bool
 	AssetsPath                  string
 	Status                      *portainer.Status
@@ -121,6 +122,9 @@ func (server *Server) Start() error {
 	kubernetesTokenCacheManager := server.KubernetesTokenCacheManager
 
 	requestBouncer := security.NewRequestBouncer(server.DataStore, server.JWTService, server.APIKeyService)
+	if !server.CSP {
+		requestBouncer.DisableCSP()
+	}
 
 	rateLimiter := security.NewRateLimiter(10, 1*time.Second, 1*time.Hour)
 	offlineGate := offlinegate.NewOfflineGate()
@@ -200,7 +204,7 @@ func (server *Server) Start() error {
 
 	var dockerHandler = dockerhandler.NewHandler(requestBouncer, server.AuthorizationService, server.DataStore, server.DockerClientFactory, containerService)
 
-	var fileHandler = file.NewHandler(filepath.Join(server.AssetsPath, "public"), adminMonitor.WasInstanceDisabled)
+	var fileHandler = file.NewHandler(filepath.Join(server.AssetsPath, "public"), server.CSP, adminMonitor.WasInstanceDisabled)
 
 	var endpointHelmHandler = helm.NewHandler(requestBouncer, server.DataStore, server.JWTService, server.KubernetesDeployer, server.HelmPackageManager, server.KubeClusterAccessService)
 
diff --git a/api/internal/testhelpers/request_bouncer.go b/api/internal/testhelpers/request_bouncer.go
index b89154549..0586dffef 100644
--- a/api/internal/testhelpers/request_bouncer.go
+++ b/api/internal/testhelpers/request_bouncer.go
@@ -60,6 +60,8 @@ func (testRequestBouncer) JWTAuthLookup(r *http.Request) (*portainer.TokenData,
 
 func (testRequestBouncer) RevokeJWT(jti string) {}
 
+func (testRequestBouncer) DisableCSP() {}
+
 // AddTestSecurityCookie adds a security cookie to the request
 func AddTestSecurityCookie(r *http.Request, jwt string) {
 	r.AddCookie(&http.Cookie{
diff --git a/api/portainer.go b/api/portainer.go
index bdd52aa34..da15479ee 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -110,6 +110,7 @@ type (
 		AdminPassword             *string
 		AdminPasswordFile         *string
 		Assets                    *string
+		CSP                       *bool
 		Data                      *string
 		FeatureFlags              *[]string
 		EnableEdgeComputeFeatures *bool
@@ -1791,6 +1792,8 @@ const (
 	LicenseCheckInURL = LicenseServerBaseURL + "/licenses/checkin"
 	// TrustedOriginsEnvVar is the environment variable used to set the trusted origins for CSRF protection
 	TrustedOriginsEnvVar = "TRUSTED_ORIGINS"
+	// CSPEnvVar is the environment variable used to enable/disable the Content Security Policy
+	CSPEnvVar = "CSP"
 )
 
 // List of supported features

From 3bf84e8b0ccd68aba9c17c061ce1d4774071cc28 Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Thu, 10 Jul 2025 10:52:12 +1200
Subject: [PATCH 177/212] fix(tags): reconcile edge relations prior to deletion
 [BE-11969] (#867)

---
 api/http/handler/tags/tag_delete.go      |  44 ++++++--
 api/http/handler/tags/tag_delete_test.go | 124 ++++++++++++++++++++---
 2 files changed, 147 insertions(+), 21 deletions(-)

diff --git a/api/http/handler/tags/tag_delete.go b/api/http/handler/tags/tag_delete.go
index 5e67c4f4c..f8f1b7786 100644
--- a/api/http/handler/tags/tag_delete.go
+++ b/api/http/handler/tags/tag_delete.go
@@ -107,14 +107,10 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 		return httperror.InternalServerError("Unable to retrieve edge stacks from the database", err)
 	}
 
-	for _, endpoint := range endpoints {
-		if (tag.Endpoints[endpoint.ID] || tag.EndpointGroups[endpoint.GroupID]) && endpointutils.IsEdgeEndpoint(&endpoint) {
-			if err := updateEndpointRelations(tx, endpoint, edgeGroups, edgeStacks); err != nil {
-				return httperror.InternalServerError("Unable to update environment relations in the database", err)
-			}
-		}
+	edgeJobs, err := tx.EdgeJob().ReadAll()
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve edge job configurations from the database", err)
 	}
-
 	for _, edgeGroup := range edgeGroups {
 		edgeGroup.TagIDs = slices.DeleteFunc(edgeGroup.TagIDs, func(t portainer.TagID) bool {
 			return t == tagID
@@ -126,6 +122,16 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 		}
 	}
 
+	for _, endpoint := range endpoints {
+		if (!tag.Endpoints[endpoint.ID] && !tag.EndpointGroups[endpoint.GroupID]) || !endpointutils.IsEdgeEndpoint(&endpoint) {
+			continue
+		}
+
+		if err := updateEndpointRelations(tx, endpoint, edgeGroups, edgeStacks, edgeJobs); err != nil {
+			return httperror.InternalServerError("Unable to update environment relations in the database", err)
+		}
+	}
+
 	err = tx.Tag().Delete(tagID)
 	if err != nil {
 		return httperror.InternalServerError("Unable to remove the tag from the database", err)
@@ -134,7 +140,7 @@ func deleteTag(tx dataservices.DataStoreTx, tagID portainer.TagID) error {
 	return nil
 }
 
-func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
+func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack, edgeJobs []portainer.EdgeJob) error {
 	endpointRelation, err := tx.EndpointRelation().EndpointRelation(endpoint.ID)
 	if err != nil {
 		return err
@@ -153,5 +159,25 @@ func updateEndpointRelations(tx dataservices.DataStoreTx, endpoint portainer.End
 
 	endpointRelation.EdgeStacks = stacksSet
 
-	return tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, endpointRelation)
+	if err := tx.EndpointRelation().UpdateEndpointRelation(endpoint.ID, endpointRelation); err != nil {
+		return err
+	}
+
+	for _, edgeJob := range edgeJobs {
+		endpoints, err := edge.GetEndpointsFromEdgeGroups(edgeJob.EdgeGroups, tx)
+		if err != nil {
+			return err
+		}
+		if slices.Contains(endpoints, endpoint.ID) {
+			continue
+		}
+
+		delete(edgeJob.GroupLogsCollection, endpoint.ID)
+
+		if err := tx.EdgeJob().Update(edgeJob.ID, &edgeJob); err != nil {
+			return err
+		}
+	}
+
+	return nil
 }
diff --git a/api/http/handler/tags/tag_delete_test.go b/api/http/handler/tags/tag_delete_test.go
index a215e7edd..ecced7c0d 100644
--- a/api/http/handler/tags/tag_delete_test.go
+++ b/api/http/handler/tags/tag_delete_test.go
@@ -1,6 +1,7 @@
 package tags
 
 import (
+	"github.com/portainer/portainer/api/dataservices"
 	"net/http"
 	"net/http/httptest"
 	"strconv"
@@ -8,23 +9,18 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	portainerDsErrors "github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestTagDeleteEdgeGroupsConcurrently(t *testing.T) {
 	const tagsCount = 100
 
-	_, store := datastore.MustNewTestStore(t, true, false)
-
-	user := &portainer.User{ID: 2, Username: "admin", Role: portainer.AdministratorRole}
-	if err := store.User().Create(user); err != nil {
-		t.Fatal("could not create admin user:", err)
-	}
-
-	handler := NewHandler(testhelpers.NewTestRequestBouncer())
-	handler.DataStore = store
-
+	handler, store := setUpHandler(t)
 	// Create all the tags and add them to the same edge group
 
 	var tagIDs []portainer.TagID
@@ -85,11 +81,101 @@ func TestTagDeleteEdgeGroupsConcurrently(t *testing.T) {
 	}
 }
 
-func TestDeleteTag(t *testing.T) {
-	_, store := datastore.MustNewTestStore(t, true, false)
+func TestHandler_tagDelete(t *testing.T) {
+	t.Run("should delete tag and update related endpoints and edge groups", func(t *testing.T) {
+		handler, store := setUpHandler(t)
+
+		tag := &portainer.Tag{
+			ID:             1,
+			Name:           "tag-1",
+			Endpoints:      make(map[portainer.EndpointID]bool),
+			EndpointGroups: make(map[portainer.EndpointGroupID]bool),
+		}
+		require.NoError(t, store.Tag().Create(tag))
+
+		endpointGroup := &portainer.EndpointGroup{
+			ID:     2,
+			Name:   "endpoint-group-1",
+			TagIDs: []portainer.TagID{tag.ID},
+		}
+		require.NoError(t, store.EndpointGroup().Create(endpointGroup))
+
+		endpoint1 := &portainer.Endpoint{
+			ID:      1,
+			Name:    "endpoint-1",
+			GroupID: endpointGroup.ID,
+		}
+		require.NoError(t, store.Endpoint().Create(endpoint1))
+
+		endpoint2 := &portainer.Endpoint{
+			ID:     2,
+			Name:   "endpoint-2",
+			TagIDs: []portainer.TagID{tag.ID},
+		}
+		require.NoError(t, store.Endpoint().Create(endpoint2))
+
+		tag.Endpoints[endpoint2.ID] = true
+		tag.EndpointGroups[endpointGroup.ID] = true
+		require.NoError(t, store.Tag().Update(tag.ID, tag))
+
+		dynamicEdgeGroup := &portainer.EdgeGroup{
+			ID:      1,
+			Name:    "edgegroup-1",
+			TagIDs:  []portainer.TagID{tag.ID},
+			Dynamic: true,
+		}
+		require.NoError(t, store.EdgeGroup().Create(dynamicEdgeGroup))
+
+		staticEdgeGroup := &portainer.EdgeGroup{
+			ID:        2,
+			Name:      "edgegroup-2",
+			Endpoints: []portainer.EndpointID{endpoint2.ID},
+		}
+		require.NoError(t, store.EdgeGroup().Create(staticEdgeGroup))
+
+		req, err := http.NewRequest(http.MethodDelete, "/tags/"+strconv.Itoa(int(tag.ID)), nil)
+		if err != nil {
+			t.Fail()
+
+			return
+		}
+
+		rec := httptest.NewRecorder()
+		handler.ServeHTTP(rec, req)
+
+		require.Equal(t, http.StatusNoContent, rec.Code)
+
+		// Check that the tag is deleted
+		_, err = store.Tag().Read(tag.ID)
+		require.ErrorIs(t, err, portainerDsErrors.ErrObjectNotFound)
+
+		// Check that the endpoints are updated
+		endpoint1, err = store.Endpoint().Endpoint(endpoint1.ID)
+		require.NoError(t, err)
+		assert.Len(t, endpoint1.TagIDs, 0, "endpoint-1 should not have any tags")
+		assert.Equal(t, endpoint1.GroupID, endpointGroup.ID, "endpoint-1 should still belong to the endpoint group")
+
+		endpoint2, err = store.Endpoint().Endpoint(endpoint2.ID)
+		require.NoError(t, err)
+		assert.Len(t, endpoint2.TagIDs, 0, "endpoint-2 should not have any tags")
+
+		// Check that the dynamic edge group is updated
+		dynamicEdgeGroup, err = store.EdgeGroup().Read(dynamicEdgeGroup.ID)
+		require.NoError(t, err)
+		assert.Len(t, dynamicEdgeGroup.TagIDs, 0, "dynamic edge group should not have any tags")
+		assert.Len(t, dynamicEdgeGroup.Endpoints, 0, "dynamic edge group should not have any endpoints")
+
+		// Check that the static edge group is not updated
+		staticEdgeGroup, err = store.EdgeGroup().Read(staticEdgeGroup.ID)
+		require.NoError(t, err)
+		assert.Len(t, staticEdgeGroup.TagIDs, 0, "static edge group should not have any tags")
+		assert.Len(t, staticEdgeGroup.Endpoints, 1, "static edge group should have one endpoint")
+		assert.Equal(t, endpoint2.ID, staticEdgeGroup.Endpoints[0], "static edge group should have the endpoint-2")
+	})
 
 	// Test the tx.IsErrObjectNotFound logic when endpoint is not found during cleanup
 	t.Run("should continue gracefully when endpoint not found during cleanup", func(t *testing.T) {
+		_, store := setUpHandler(t)
 		// Create a tag with a reference to a non-existent endpoint
 		tag := &portainer.Tag{
 			ID:             1,
@@ -109,3 +195,17 @@ func TestDeleteTag(t *testing.T) {
 		}
 	})
 }
+
+func setUpHandler(t *testing.T) (*Handler, dataservices.DataStore) {
+	_, store := datastore.MustNewTestStore(t, true, false)
+
+	user := &portainer.User{ID: 2, Username: "admin", Role: portainer.AdministratorRole}
+	if err := store.User().Create(user); err != nil {
+		t.Fatal("could not create admin user:", err)
+	}
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	return handler, store
+}

From ef10ea2a7dff38a64286c23dc52122b17f5d5c56 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Fri, 11 Jul 2025 11:01:37 +1200
Subject: [PATCH 178/212] fix(ui): Fixed TagsDatatable name column link (#847)

---
 .../TagsDatatable/TagsDatatable.test.tsx      | 169 ++++++++++++++++++
 .../TagsDatatable/columns/useColumns.ts       |  16 +-
 2 files changed, 177 insertions(+), 8 deletions(-)
 create mode 100644 app/react/portainer/registries/repositories/ItemView/TagsDatatable/TagsDatatable.test.tsx

diff --git a/app/react/portainer/registries/repositories/ItemView/TagsDatatable/TagsDatatable.test.tsx b/app/react/portainer/registries/repositories/ItemView/TagsDatatable/TagsDatatable.test.tsx
new file mode 100644
index 000000000..6ec8599e1
--- /dev/null
+++ b/app/react/portainer/registries/repositories/ItemView/TagsDatatable/TagsDatatable.test.tsx
@@ -0,0 +1,169 @@
+import { render, screen } from '@testing-library/react';
+import { vi } from 'vitest';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+
+import { TagsDatatable } from './TagsDatatable';
+import { Tag } from './types';
+import { RepositoryTagViewModel } from './view-model';
+
+// Mock the necessary hooks
+const mockUseCurrentStateAndParams = vi.fn();
+
+vi.mock('@uirouter/react', async (importOriginal: () => Promise<object>) => ({
+  ...(await importOriginal()),
+  useCurrentStateAndParams: () => mockUseCurrentStateAndParams(),
+}));
+
+// Mock the Link component to capture route parameters and generate proper hrefs
+vi.mock('@@/Link', () => ({
+  Link: ({
+    children,
+    params,
+    'data-cy': dataCy,
+    title,
+  }: {
+    children: React.ReactNode;
+    params?: Record<string, string>;
+    'data-cy'?: string;
+    title?: string;
+  }) => {
+    // Simulate href generation based on route and params
+    // For 'portainer.registries.registry.repository.tag' route
+    const baseParams = {
+      endpointId: '1',
+      id: '1',
+      repository: 'test-repo',
+      ...params,
+    };
+
+    const tag = (baseParams as Record<string, string>).tag || '';
+    const href = `/endpoints/${baseParams.endpointId}/registries/${baseParams.id}/repositories/${baseParams.repository}/tags/${tag}`;
+
+    return (
+      <a href={href} data-cy={dataCy} title={title}>
+        {children}
+      </a>
+    );
+  },
+}));
+
+vi.mock('../../queries/useTagDetails', () => ({
+  useTagDetails: vi.fn(
+    (
+      params,
+      { select }: { select?: (data: RepositoryTagViewModel) => string } = {}
+    ) => {
+      const data: RepositoryTagViewModel = {
+        Name: params.tag,
+        Os: 'linux',
+        Architecture: 'amd64',
+        ImageId: `sha256:${params.tag}123`,
+        Size: 1024,
+        ImageDigest: '',
+        ManifestV2: {
+          digest: `sha256:${params.tag}123`,
+          schemaVersion: 2,
+          mediaType: 'application/vnd.docker.distribution.manifest.v2+json',
+          config: {
+            digest: `sha256:${params.tag}123`,
+            mediaType: 'application/vnd.docker.container.image.v1+json',
+            size: 1024,
+          },
+          layers: [],
+        },
+        History: [],
+      };
+
+      return {
+        data: select?.(data) || data,
+        isLoading: false,
+        error: null,
+      };
+    }
+  ),
+}));
+
+// Create mock data
+const mockTags: Tag[] = [
+  { Name: 'latest' },
+  { Name: 'v1.0.0' },
+  { Name: 'dev-branch' },
+  { Name: 'feature/new-ui' },
+];
+
+const defaultProps = {
+  dataset: mockTags,
+  advancedFeaturesAvailable: true,
+  onRemove: vi.fn(),
+  onRetag: vi.fn().mockResolvedValue(undefined),
+};
+
+function renderComponent() {
+  const Wrapped = withTestQueryProvider(
+    withTestRouter(() => <TagsDatatable {...defaultProps} />)
+  );
+  return render(<Wrapped />);
+}
+
+describe('TagsDatatable', () => {
+  beforeEach(() => {
+    // Set up default mock values
+    mockUseCurrentStateAndParams.mockReturnValue({
+      params: {
+        endpointId: '1',
+        id: '1',
+        repository: 'test-repo',
+      },
+    });
+  });
+
+  it('renders basic table structure', () => {
+    renderComponent();
+    expect(screen.getByText('Tags')).toBeInTheDocument();
+    expect(screen.getByPlaceholderText('Search...')).toBeInTheDocument();
+  });
+
+  it('renders tag data in table', () => {
+    renderComponent();
+
+    // Check that our mock tags are rendered somewhere in the table
+    expect(screen.getByText('latest')).toBeInTheDocument();
+    expect(screen.getByText('v1.0.0')).toBeInTheDocument();
+    expect(screen.getByText('dev-branch')).toBeInTheDocument();
+    expect(screen.getByText('feature/new-ui')).toBeInTheDocument();
+  });
+
+  it('creates correct hrefs for tag name links', () => {
+    renderComponent();
+
+    // Get the links by their data-cy attributes
+    const latestLink = screen.getByTestId(
+      'registry-tag-name_latest'
+    ) as HTMLAnchorElement;
+    const v100Link = screen.getByTestId(
+      'registry-tag-name_v1.0.0'
+    ) as HTMLAnchorElement;
+    const devBranchLink = screen.getByTestId(
+      'registry-tag-name_dev-branch'
+    ) as HTMLAnchorElement;
+    const featureLink = screen.getByTestId(
+      'registry-tag-name_feature/new-ui'
+    ) as HTMLAnchorElement;
+
+    // Verify the exact path portion of the href
+    expect(new URL(latestLink.href).pathname).toBe(
+      '/endpoints/1/registries/1/repositories/test-repo/tags/latest'
+    );
+    expect(new URL(v100Link.href).pathname).toBe(
+      '/endpoints/1/registries/1/repositories/test-repo/tags/v1.0.0'
+    );
+    expect(new URL(devBranchLink.href).pathname).toBe(
+      '/endpoints/1/registries/1/repositories/test-repo/tags/dev-branch'
+    );
+    expect(new URL(featureLink.href).pathname).toBe(
+      '/endpoints/1/registries/1/repositories/test-repo/tags/feature/new-ui'
+    );
+  });
+});
diff --git a/app/react/portainer/registries/repositories/ItemView/TagsDatatable/columns/useColumns.ts b/app/react/portainer/registries/repositories/ItemView/TagsDatatable/columns/useColumns.ts
index 4f07b5bec..bcedccb47 100644
--- a/app/react/portainer/registries/repositories/ItemView/TagsDatatable/columns/useColumns.ts
+++ b/app/react/portainer/registries/repositories/ItemView/TagsDatatable/columns/useColumns.ts
@@ -4,7 +4,7 @@ import _ from 'lodash';
 import { humanize } from '@/portainer/filters/filters';
 import { trimSHA } from '@/docker/filters/utils';
 
-import { buildNameColumn } from '@@/datatables/buildNameColumn';
+import { buildNameColumnFromObject } from '@@/datatables/buildNameColumn';
 
 import { Tag } from '../types';
 
@@ -13,13 +13,13 @@ import { buildCell } from './buildCell';
 import { actions } from './actions';
 
 const columns = [
-  buildNameColumn<Tag>(
-    'Name',
-    'portainer.registries.registry.repository.tag',
-    'tag',
-    'registry-tag-name',
-    (item) => item.Name
-  ),
+  buildNameColumnFromObject<Tag>({
+    nameKey: 'Name',
+    path: 'portainer.registries.registry.repository.tag',
+    dataCy: 'registry-tag-name',
+    idParam: 'tag',
+    idGetter: (item) => item.Name,
+  }),
   helper.display({
     header: 'OS/Architecture',
     cell: buildCell((model) => `${model.Os}/${model.Architecture}`),

From 150d98617988da4cde4be34a6dc77f8773dd8fdc Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 11 Jul 2025 13:57:21 +1200
Subject: [PATCH 179/212] fix: CVE-2025-53547 (#880)

---
 go.mod |  67 ++++++++++-----------
 go.sum | 183 +++++++++++++++++++++++++++++++++------------------------
 2 files changed, 141 insertions(+), 109 deletions(-)

diff --git a/go.mod b/go.mod
index f914962d0..f20d26f57 100644
--- a/go.mod
+++ b/go.mod
@@ -28,7 +28,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/mux v1.8.1
-	github.com/gorilla/websocket v1.5.0
+	github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/golang-lru v0.5.4
 	github.com/joho/godotenv v1.4.0
@@ -47,21 +47,21 @@ require (
 	github.com/urfave/negroni v1.0.0
 	github.com/viney-shih/go-lock v1.1.1
 	go.etcd.io/bbolt v1.4.0
-	golang.org/x/crypto v0.37.0
+	golang.org/x/crypto v0.39.0
 	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
-	golang.org/x/mod v0.24.0
+	golang.org/x/mod v0.25.0
 	golang.org/x/oauth2 v0.29.0
-	golang.org/x/sync v0.14.0
+	golang.org/x/sync v0.15.0
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
-	helm.sh/helm/v3 v3.17.3
-	k8s.io/api v0.32.3
-	k8s.io/apimachinery v0.32.3
-	k8s.io/cli-runtime v0.32.2
-	k8s.io/client-go v0.32.3
-	k8s.io/kubectl v0.32.2
-	k8s.io/metrics v0.32.2
+	helm.sh/helm/v3 v3.18.4
+	k8s.io/api v0.33.2
+	k8s.io/apimachinery v0.33.2
+	k8s.io/cli-runtime v0.33.2
+	k8s.io/client-go v0.33.2
+	k8s.io/kubectl v0.33.2
+	k8s.io/metrics v0.33.2
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
 
@@ -69,11 +69,10 @@ require github.com/gorilla/securecookie v1.1.2 // indirect
 
 require (
 	dario.cat/mergo v1.0.1 // indirect
-	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
 	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
 	github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c // indirect
-	github.com/BurntSushi/toml v1.4.0 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/DefangLabs/secret-detector v0.0.0-20250403165618-22662109213e // indirect
 	github.com/MakeNowJust/heredoc v1.0.0 // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
@@ -81,6 +80,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.3.0 // indirect
 	github.com/Masterminds/squirrel v1.5.4 // indirect
 	github.com/ProtonMail/go-crypto v1.1.3 // indirect
+	github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 // indirect
 	github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137 // indirect
@@ -107,7 +107,7 @@ require (
 	github.com/cloudflare/cfssl v1.6.4 // indirect
 	github.com/cloudflare/circl v1.3.7 // indirect
 	github.com/containerd/console v1.0.4 // indirect
-	github.com/containerd/containerd v1.7.24 // indirect
+	github.com/containerd/containerd v1.7.27 // indirect
 	github.com/containerd/containerd/api v1.9.0 // indirect
 	github.com/containerd/containerd/v2 v2.1.1 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
@@ -120,7 +120,7 @@ require (
 	github.com/containers/libtrust v0.0.0-20230121012942-c1716e8a8d01 // indirect
 	github.com/containers/ocicrypt v1.2.1 // indirect
 	github.com/containers/storage v1.53.0 // indirect
-	github.com/cyphar/filepath-securejoin v0.3.6 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/buildx v0.24.0 // indirect
@@ -134,7 +134,7 @@ require (
 	github.com/eiannone/keyboard v0.0.0-20220611211555-0d226195f203 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
-	github.com/evanphx/json-patch v5.9.0+incompatible // indirect
+	github.com/evanphx/json-patch v5.9.11+incompatible // indirect
 	github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 	github.com/fatih/camelcase v1.0.0 // indirect
 	github.com/fatih/color v1.15.0 // indirect
@@ -160,9 +160,8 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
-	github.com/google/btree v1.0.1 // indirect
-	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/btree v1.1.3 // indirect
+	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/gosuri/uitable v0.0.4 // indirect
 	github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 // indirect
@@ -237,7 +236,7 @@ require (
 	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/rivo/uniseg v0.4.4 // indirect
-	github.com/rubenv/sql-migrate v1.7.1 // indirect
+	github.com/rubenv/sql-migrate v1.8.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.8.0 // indirect
 	github.com/segmentio/asm v1.1.3 // indirect
@@ -274,8 +273,8 @@ require (
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 // indirect
 	go.opentelemetry.io/otel v1.35.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 // indirect
@@ -285,10 +284,10 @@ require (
 	go.opentelemetry.io/otel/trace v1.35.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
 	go.uber.org/mock v0.5.2 // indirect
-	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
-	golang.org/x/term v0.31.0 // indirect
-	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.26.0 // indirect
 	golang.org/x/time v0.11.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a // indirect
@@ -298,17 +297,19 @@ require (
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	k8s.io/apiextensions-apiserver v0.32.2 // indirect
-	k8s.io/apiserver v0.32.3 // indirect
-	k8s.io/component-base v0.32.3 // indirect
+	k8s.io/apiextensions-apiserver v0.33.2 // indirect
+	k8s.io/apiserver v0.33.2 // indirect
+	k8s.io/component-base v0.33.2 // indirect
+	k8s.io/component-helpers v0.33.2 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f // indirect
+	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
-	oras.land/oras-go v1.2.5 // indirect
+	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
-	sigs.k8s.io/kustomize/api v0.18.0 // indirect
-	sigs.k8s.io/kustomize/kyaml v0.18.1 // indirect
-	sigs.k8s.io/structured-merge-diff/v4 v4.4.2 // indirect
+	sigs.k8s.io/kustomize/api v0.19.0 // indirect
+	sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
+	sigs.k8s.io/randfill v1.0.0 // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.6.0 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 	tags.cncf.io/container-device-interface v1.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index b79c1d644..d0f60eefc 100644
--- a/go.sum
+++ b/go.sum
@@ -11,8 +11,8 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg6
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c h1:/IBSNwUN8+eKzUzbJPqhK839ygXJ82sde8x3ogr6R28=
 github.com/Azure/go-ntlmssp v0.0.0-20200615164410-66371956d46c/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
-github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
 github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU=
 github.com/DefangLabs/secret-detector v0.0.0-20250403165618-22662109213e h1:rd4bOvKmDIx0WeTv9Qz+hghsgyjikFiPrseXHlKepO0=
@@ -136,8 +136,8 @@ github.com/containerd/cgroups/v3 v3.0.5 h1:44na7Ud+VwyE7LIoJ8JTNQOa549a8543BmzaJ
 github.com/containerd/cgroups/v3 v3.0.5/go.mod h1:SA5DLYnXO8pTGYiAHXz94qvLQTKfVM5GEVisn4jpins=
 github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn4ro=
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
-github.com/containerd/containerd v1.7.24 h1:zxszGrGjrra1yYJW/6rhm9cJ1ZQ8rkKBR48brqsa7nA=
-github.com/containerd/containerd v1.7.24/go.mod h1:7QUzfURqZWCZV7RLNEn1XjUCQLEf0bkaK4GjUaZehxw=
+github.com/containerd/containerd v1.7.27 h1:yFyEyojddO3MIGVER2xJLWoCIn+Up4GaHFquP7hsFII=
+github.com/containerd/containerd v1.7.27/go.mod h1:xZmPnl75Vc+BLGt4MIfu6bp+fy03gdHAn9bz+FreFR0=
 github.com/containerd/containerd/api v1.9.0 h1:HZ/licowTRazus+wt9fM6r/9BQO7S0vD5lMcWspGIg0=
 github.com/containerd/containerd/api v1.9.0/go.mod h1:GhghKFmTR3hNtyznBoQ0EMWr9ju5AqHjcZPsSpTKutI=
 github.com/containerd/containerd/v2 v2.1.1 h1:znnkm7Ajz8lg8BcIPMhc/9yjBRN3B+OkNKqKisKfwwM=
@@ -176,13 +176,15 @@ github.com/containers/storage v1.53.0/go.mod h1:pujcoOSc+upx15Jirdkebhtd8uJiLwbS
 github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
 github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
 github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
-github.com/cyphar/filepath-securejoin v0.3.6 h1:4d9N5ykBnSp5Xn2JkhocYDkOpURL/18CYMpo6xB9uWM=
-github.com/cyphar/filepath-securejoin v0.3.6/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
+github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
+github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -190,8 +192,10 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc
 github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5 h1:RAV05c0xOkJ3dZGS0JFybxFKZ2WMLabgx3uXnd7rpGs=
 github.com/dchest/uniuri v0.0.0-20200228104902-7aecb25e1fe5/go.mod h1:GgB8SF9nRG+GqaDtLcwJZsQFhcogVCJ79j4EdT0c2V4=
 github.com/denisenkom/go-mssqldb v0.0.0-20191128021309-1d7a30a10f73/go.mod h1:xbL0rPBG9cCiLr28tMa8zpbdarY27NDyej4t/EjAShU=
-github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc=
-github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
+github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
+github.com/distribution/distribution/v3 v3.0.0 h1:q4R8wemdRQDClzoNNStftB2ZAfqOiN6UX90KJc4HjyM=
+github.com/distribution/distribution/v3 v3.0.0/go.mod h1:tRNuFoZsUdyRVegq8xGNeds4KLjwLCRin/tTo6i1DhU=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/docker/buildx v0.24.0 h1:qiD+xktY+Fs3R79oz8M+7pbhip78qGLx6LBuVmyb+64=
@@ -233,8 +237,8 @@ github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRr
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
 github.com/erikstmartin/go-testdb v0.0.0-20160219214506-8d10e4a1bae5/go.mod h1:a2zkGnVExMxdzMo3M0Hi/3sEU+cWnZpSni0O6/Yb/P0=
-github.com/evanphx/json-patch v5.9.0+incompatible h1:fBXyNpNMuTTDdquAq/uisOr2lShz4oaXpDTX2bLe7ls=
-github.com/evanphx/json-patch v5.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/evanphx/json-patch v5.9.11+incompatible h1:ixHHqfcGvxhWkniF1tWxBHA0yb4Z+d1UQi45df52xW8=
+github.com/evanphx/json-patch v5.9.11+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4=
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f/go.mod h1:OSYXu++VVOHnXeitef/D8n/6y4QV8uLHSFXX4NeXMGc=
 github.com/fatih/camelcase v1.0.0 h1:hxNvNX/xYBp0ovncs8WyWZrOrpBNub/JfaMvbURyft8=
@@ -326,15 +330,13 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
-github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k=
-github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0=
-github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4=
-github.com/google/btree v1.0.1/go.mod h1:xXMiIv4Fb/0kKde4SpL7qlzvu5cMJDRkFDxJfI9uaxA=
+github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
+github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
 github.com/google/certificate-transparency-go v1.0.10-0.20180222191210-5ab67e519c93/go.mod h1:QeJfpSbVSfYc7RgB3gJFj9cbuQMMchQxrWXz8Ruopmg=
 github.com/google/certificate-transparency-go v1.1.4 h1:hCyXHDbtqlr/lMXU0D4WgbalXL0Zk4dSWWMbPV8VrqY=
 github.com/google/certificate-transparency-go v1.1.4/go.mod h1:D6lvbfwckhNrbM9WVl1EVeMOyzC19mpIjMOI4nxBHtQ=
-github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
-github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
+github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
@@ -350,15 +352,15 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
 github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
-github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4=
-github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q=
+github.com/gorilla/handlers v1.5.2 h1:cLTUSsNkgcwhgRqvCNmdbRWG0A3N4F+M2nWKdScwyEE=
+github.com/gorilla/handlers v1.5.2/go.mod h1:dX+xVpaxdSw+q0Qek8SSsl3dfMk3jNddUkMzo0GtH0w=
 github.com/gorilla/mux v1.7.0/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
 github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY=
 github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
-github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
-github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674 h1:JeSE6pjso5THxAzdVpqr6/geYxZytqFMBCOtn/ujyeo=
+github.com/gorilla/websocket v1.5.4-0.20250319132907-e064f32e3674/go.mod h1:r4w70xmWCQKmi1ONH4KIaBptdivuRPyosB9RmPlGEwA=
 github.com/gosuri/uitable v0.0.4 h1:IG2xLKRvErL3uhY6e1BylFzG+aJiwQviDDTfOKeKTpY=
 github.com/gosuri/uitable v0.0.4/go.mod h1:tKR86bXuXPZazfOTG1FIzvjIdXzd0mo4Vtn16vt0PJo=
 github.com/gregjones/httpcache v0.0.0-20190611155906-901d90724c79 h1:+ngKgrYPPJrOjhax5N+uePQ0Fh1Z7PheYoUI/0nzkPA=
@@ -378,6 +380,10 @@ github.com/hashicorp/go-version v1.7.0 h1:5tqGy27NaOTB8yJKUZELlFAS/LTKJkrmONwQKe
 github.com/hashicorp/go-version v1.7.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
 github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc=
 github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4=
+github.com/hashicorp/golang-lru/arc/v2 v2.0.5 h1:l2zaLDubNhW4XO3LnliVj0GXO3+/CGNJAg1dcN2Fpfw=
+github.com/hashicorp/golang-lru/arc/v2 v2.0.5/go.mod h1:ny6zBSQZi2JxIeYcv7kt2sH2PXJtirBN7RDhRpxPkxU=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec h1:qv2VnGeEQHchGaZ/u7lxST/RaJw+cv273q79D81Xbog=
 github.com/hinshun/vt10x v0.0.0-20220119200601-820417d04eec/go.mod h1:Q48J4R4DvxnHolD5P8pOtXigYlRuPLGl6moFx3ulM68=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
@@ -615,6 +621,12 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT
 github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5 h1:EaDatTxkdHG+U3Bk4EUr+DZ7fOGwTfezUiUJMaIcaho=
+github.com/redis/go-redis/extra/rediscmd/v9 v9.0.5/go.mod h1:fyalQWdtzDBECAQFBJuQe5bzQ02jGd5Qcbgb97Flm7U=
+github.com/redis/go-redis/extra/redisotel/v9 v9.0.5 h1:EfpWLLCyXw8PSM2/XNJLjI3Pb27yVE+gIAfeqp8LUCc=
+github.com/redis/go-redis/extra/redisotel/v9 v9.0.5/go.mod h1:WZjPDy7VNzn77AAfnAfVjZNvfJTYfPetfZk5yoSTLaQ=
+github.com/redis/go-redis/v9 v9.7.3 h1:YpPyAayJV+XErNsatSElgRZZVCwXX9QzkKYNvO7x0wM=
+github.com/redis/go-redis/v9 v9.7.3/go.mod h1:bGUrSggJ9X9GUmZpZNEOQKaANxSGgOEBRltRTZHSvrA=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.4 h1:8TfxU8dW6PdqD27gjM8MVNuicgxIjxpm4K7x4jp8sis=
 github.com/rivo/uniseg v0.4.4/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -625,8 +637,8 @@ github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWN
 github.com/rs/xid v1.4.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.29.0 h1:Zes4hju04hjbvkVkOhdl2HpZa+0PmVwigmo8XoORE5w=
 github.com/rs/zerolog v1.29.0/go.mod h1:NILgTygv/Uej1ra5XxGf82ZFSLk58MFGAUS2o6usyD0=
-github.com/rubenv/sql-migrate v1.7.1 h1:f/o0WgfO/GqNuVg+6801K/KW3WdDSupzSjDYODmiUq4=
-github.com/rubenv/sql-migrate v1.7.1/go.mod h1:Ob2Psprc0/3ggbM6wCzyYVFFuc6FyZrb2AS+ezLDFb4=
+github.com/rubenv/sql-migrate v1.8.0 h1:dXnYiJk9k3wetp7GfQbKJcPHjVJL6YK19tKj8t2Ns0o=
+github.com/rubenv/sql-migrate v1.8.0/go.mod h1:F2bGFBwCU+pnmbtNYDeKvSuvL6lBVtXDXUUv5t+u1qw=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/secure-systems-lab/go-securesystemslib v0.8.0 h1:mr5An6X45Kb2nddcFlbmfHkLguCE9laoZCUzEEpIZXA=
@@ -732,12 +744,6 @@ github.com/xlab/treeprint v1.2.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
-github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI=
-github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs=
-github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE=
-github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA=
-github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY=
-github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg=
 github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
 github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 github.com/zmap/zcrypto v0.0.0-20210511125630-18f1e0152cfc h1:zkGwegkOW709y0oiAraH/3D8njopUR/pARHv4tZZ6pw=
@@ -750,6 +756,10 @@ go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/bridges/prometheus v0.57.0 h1:UW0+QyeyBVhn+COBec3nGhfnFe5lwB0ic1JBVjzhk0w=
+go.opentelemetry.io/contrib/bridges/prometheus v0.57.0/go.mod h1:ppciCHRLsyCio54qbzQv0E4Jyth/fLWDTJYfvWpcSVk=
+go.opentelemetry.io/contrib/exporters/autoexport v0.57.0 h1:jmTVJ86dP60C01K3slFQa2NQ/Aoi7zA+wy7vMOKD9H4=
+go.opentelemetry.io/contrib/exporters/autoexport v0.57.0/go.mod h1:EJBheUMttD/lABFyLXhce47Wr6DPWYReCzaZiXadH7g=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 h1:x7wzEgXfnzJcHDwStJT+mxOz4etr2EcexjqhBvmoakw=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0/go.mod h1:rg+RlpR5dKwaS95IyyZqj5Wd4E13lk/msnTS0Xl9lJM=
 go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 h1:4BZHA+B1wXEQoGNHxW8mURaLhcdGwvRnmhGbm+odRbc=
@@ -758,20 +768,36 @@ go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0 h1:sbiXRND
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.60.0/go.mod h1:69uWxva0WgAA/4bu2Yy70SLDBwZXuQ6PbBpbsa5iZrQ=
 go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
 go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 h1:FZ6ei8GFW7kyPYdxJaV2rgI6M+4tvZzhYsQ2wgyVC08=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0/go.mod h1:MdEu/mC6j3D+tTEfvI15b5Ci2Fn7NneJ71YMoiS3tpI=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 h1:ZsXq73BERAiNuuFXYqP4MR5hBrjXfMGSO+Cx7qoOZiM=
-go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0/go.mod h1:hg1zaDMpyZJuUzjFxFsRYBoccE86tM9Uf4IqNMUxvrY=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0 h1:WzNab7hOOLzdDF/EoWCt4glhrbMPVMOO5JYTmpz36Ls=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc v0.8.0/go.mod h1:hKvJwTzJdp90Vh7p6q/9PAOd55dI6WA6sWj62a/JvSs=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0 h1:S+LdBGiQXtJdowoJoQPEtI52syEP/JYBUpjO49EQhV8=
+go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp v0.8.0/go.mod h1:5KXybFvPGds3QinJWQT7pmXf+TN5YIa7CNYObWRkj50=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0 h1:j7ZSD+5yn+lo3sGV69nW04rRR0jhYnBwjuX3r0HvnK0=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.32.0/go.mod h1:WXbYJTUaZXAbYd8lbgGuvih0yuCfOFC5RJoYnoLcGz8=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0 h1:t/Qur3vKSkUCcDVaSumWF2PKHt85pc7fRvFuoVT8qFU=
+go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.32.0/go.mod h1:Rl61tySSdcOJWoEgYZVtmnKdA0GeKrSqkHC1t+91CH8=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 h1:1fTNlAIJZGWLP5FVu0fikVry1IsiUnXjf7QFvoNN3Xw=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0/go.mod h1:zjPK58DtkqQFn+YUMbx0M2XV3QgKU0gS9LeGohREyK4=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0 h1:m639+BofXTvcY1q8CGs4ItwQarYtJPOWmVobfM1HpVI=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.35.0/go.mod h1:LjReUci/F4BUyv+y4dwnq3h/26iNOeC3wAIqgvTIZVo=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0 h1:xJ2qHD0C1BeYVTLLR9sX12+Qb95kfeD/byKj6Ky1pXg=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.35.0/go.mod h1:u5BF1xyjstDowA1R5QAO9JHzqK+ublenEW/dyqTjBVk=
+go.opentelemetry.io/otel/exporters/prometheus v0.54.0 h1:rFwzp68QMgtzu9PgP3jm9XaMICI6TsofWWPcBDKwlsU=
+go.opentelemetry.io/otel/exporters/prometheus v0.54.0/go.mod h1:QyjcV9qDP6VeK5qPyKETvNjmaaEc7+gqjh4SS0ZYzDU=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0 h1:CHXNXwfKWfzS65yrlB2PVds1IBZcdsX8Vepy9of0iRU=
+go.opentelemetry.io/otel/exporters/stdout/stdoutlog v0.8.0/go.mod h1:zKU4zUgKiaRxrdovSS2amdM5gOc59slmo/zJwGX+YBg=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0 h1:SZmDnHcgp3zwlPBS2JX2urGYe/jBKEIT6ZedHRUyCz8=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.32.0/go.mod h1:fdWW0HtZJ7+jNpTKUR0GpMEDP69nR8YBJQxNiVCE3jk=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0 h1:cC2yDI3IQd0Udsux7Qmq8ToKAx1XCilTQECZ0KDZyTw=
+go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.32.0/go.mod h1:2PD5Ex6z8CFzDbTdOlwyNIUywRr1DN0ospafJM1wJ+s=
+go.opentelemetry.io/otel/log v0.8.0 h1:egZ8vV5atrUWUbnSsHn6vB8R21G2wrKqNiDt3iWertk=
+go.opentelemetry.io/otel/log v0.8.0/go.mod h1:M9qvDdUTRCopJcGRKg57+JSQ9LgLBrwwfC32epk5NX8=
 go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
 go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
 go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
 go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/log v0.8.0 h1:zg7GUYXqxk1jnGF/dTdLPrK06xJdrXgqgFLnI4Crxvs=
+go.opentelemetry.io/otel/sdk/log v0.8.0/go.mod h1:50iXr0UVwQrYS45KbruFrEt4LvAdCaWWgIrsN3ZQggo=
 go.opentelemetry.io/otel/sdk/metric v1.35.0 h1:1RriWBmCKgkeHEhM7a2uMjMUfP7MsOF5JpUCaEqEI9o=
 go.opentelemetry.io/otel/sdk/metric v1.35.0/go.mod h1:is6XYCUMpcKi+ZsOvfluY5YstFnhW0BidkR+gL+qN+w=
 go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
@@ -793,15 +819,15 @@ golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWP
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE=
-golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc=
+golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
-golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@@ -812,8 +838,8 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY=
-golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
 golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -824,8 +850,8 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
-golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -858,15 +884,15 @@ golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o=
-golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0=
-golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU=
+golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -874,8 +900,8 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
-golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
+golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -924,42 +950,47 @@ gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
-helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
-k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
-k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
-k8s.io/apiextensions-apiserver v0.32.2 h1:2YMk285jWMk2188V2AERy5yDwBYrjgWYggscghPCvV4=
-k8s.io/apiextensions-apiserver v0.32.2/go.mod h1:GPwf8sph7YlJT3H6aKUWtd0E+oyShk/YHWQHf/OOgCA=
-k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
-k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/apiserver v0.32.3 h1:kOw2KBuHOA+wetX1MkmrxgBr648ksz653j26ESuWNY8=
-k8s.io/apiserver v0.32.3/go.mod h1:q1x9B8E/WzShF49wh3ADOh6muSfpmFL0I2t+TG0Zdgc=
-k8s.io/cli-runtime v0.32.2 h1:aKQR4foh9qeyckKRkNXUccP9moxzffyndZAvr+IXMks=
-k8s.io/cli-runtime v0.32.2/go.mod h1:a/JpeMztz3xDa7GCyyShcwe55p8pbcCVQxvqZnIwXN8=
-k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
-k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
-k8s.io/component-base v0.32.3 h1:98WJvvMs3QZ2LYHBzvltFSeJjEx7t5+8s71P7M74u8k=
-k8s.io/component-base v0.32.3/go.mod h1:LWi9cR+yPAv7cu2X9rZanTiFKB2kHA+JjmhkKjCZRpI=
+helm.sh/helm/v3 v3.18.4 h1:pNhnHM3nAmDrxz6/UC+hfjDY4yeDATQCka2/87hkZXQ=
+helm.sh/helm/v3 v3.18.4/go.mod h1:WVnwKARAw01iEdjpEkP7Ii1tT1pTPYfM1HsakFKM3LI=
+k8s.io/api v0.33.2 h1:YgwIS5jKfA+BZg//OQhkJNIfie/kmRsO0BmNaVSimvY=
+k8s.io/api v0.33.2/go.mod h1:fhrbphQJSM2cXzCWgqU29xLDuks4mu7ti9vveEnpSXs=
+k8s.io/apiextensions-apiserver v0.33.2 h1:6gnkIbngnaUflR3XwE1mCefN3YS8yTD631JXQhsU6M8=
+k8s.io/apiextensions-apiserver v0.33.2/go.mod h1:IvVanieYsEHJImTKXGP6XCOjTwv2LUMos0YWc9O+QP8=
+k8s.io/apimachinery v0.33.2 h1:IHFVhqg59mb8PJWTLi8m1mAoepkUNYmptHsV+Z1m5jY=
+k8s.io/apimachinery v0.33.2/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
+k8s.io/apiserver v0.33.2 h1:KGTRbxn2wJagJowo29kKBp4TchpO1DRO3g+dB/KOJN4=
+k8s.io/apiserver v0.33.2/go.mod h1:9qday04wEAMLPWWo9AwqCZSiIn3OYSZacDyu/AcoM/M=
+k8s.io/cli-runtime v0.33.2 h1:koNYQKSDdq5AExa/RDudXMhhtFasEg48KLS2KSAU74Y=
+k8s.io/cli-runtime v0.33.2/go.mod h1:gnhsAWpovqf1Zj5YRRBBU7PFsRc6NkEkwYNQE+mXL88=
+k8s.io/client-go v0.33.2 h1:z8CIcc0P581x/J1ZYf4CNzRKxRvQAwoAolYPbtQes+E=
+k8s.io/client-go v0.33.2/go.mod h1:9mCgT4wROvL948w6f6ArJNb7yQd7QsvqavDeZHvNmHo=
+k8s.io/component-base v0.33.2 h1:sCCsn9s/dG3ZrQTX/Us0/Sx2R0G5kwa0wbZFYoVp/+0=
+k8s.io/component-base v0.33.2/go.mod h1:/41uw9wKzuelhN+u+/C59ixxf4tYQKW7p32ddkYNe2k=
+k8s.io/component-helpers v0.33.2 h1:AjCtYzst11NV8ensxV/2LEEXRwctqS7Bs44bje9Qcnw=
+k8s.io/component-helpers v0.33.2/go.mod h1:PsPpiCk74n8pGWp1d6kjK/iSKBTyQfIacv02BNkMenU=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f h1:GA7//TjRY9yWGy1poLzYYJJ4JRdzg3+O6e8I+e+8T5Y=
-k8s.io/kube-openapi v0.0.0-20241105132330-32ad38e42d3f/go.mod h1:R/HEjbvWI0qdfb8viZUeVZm0X6IZnxAydC7YU42CMw4=
-k8s.io/kubectl v0.32.2 h1:TAkag6+XfSBgkqK9I7ZvwtF0WVtUAvK8ZqTt+5zi1Us=
-k8s.io/kubectl v0.32.2/go.mod h1:+h/NQFSPxiDZYX/WZaWw9fwYezGLISP0ud8nQKg+3g8=
-k8s.io/metrics v0.32.2 h1:7t/rZzTHFrGa9f94XcgLlm3ToAuJtdlHANcJEHlYl9g=
-k8s.io/metrics v0.32.2/go.mod h1:VL3nJpzcgB6L5nSljkkzoE0nilZhVgcjCfNRgoylaIQ=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
+k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
+k8s.io/kubectl v0.33.2 h1:7XKZ6DYCklu5MZQzJe+CkCjoGZwD1wWl7t/FxzhMz7Y=
+k8s.io/kubectl v0.33.2/go.mod h1:8rC67FB8tVTYraovAGNi/idWIK90z2CHFNMmGJZJ3KI=
+k8s.io/metrics v0.33.2 h1:gNCBmtnUMDMCRg9Ly5ehxP3OdKISMsOnh1vzk01iCgE=
+k8s.io/metrics v0.33.2/go.mod h1:yxoAosKGRsZisv3BGekC5W6T1J8XSV+PoUEevACRv7c=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-oras.land/oras-go v1.2.5 h1:XpYuAwAb0DfQsunIyMfeET92emK8km3W4yEzZvUbsTo=
-oras.land/oras-go v1.2.5/go.mod h1:PuAwRShRZCsZb7g8Ar3jKKQR/2A/qN+pkYxIOd/FAoo=
+oras.land/oras-go/v2 v2.6.0 h1:X4ELRsiGkrbeox69+9tzTu492FMUu7zJQW6eJU+I2oc=
+oras.land/oras-go/v2 v2.6.0/go.mod h1:magiQDfG6H1O9APp+rOsvCPcW1GD2MM7vgnKY0Y+u1o=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 h1:/Rv+M11QRah1itp8VhT6HoVx1Ray9eB4DBr+K+/sCJ8=
 sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3/go.mod h1:18nIHnGi6636UCz6m8i4DhaJ65T6EruyzmoQqI2BVDo=
-sigs.k8s.io/kustomize/api v0.18.0 h1:hTzp67k+3NEVInwz5BHyzc9rGxIauoXferXyjv5lWPo=
-sigs.k8s.io/kustomize/api v0.18.0/go.mod h1:f8isXnX+8b+SGLHQ6yO4JG1rdkZlvhaCf/uZbLVMb0U=
-sigs.k8s.io/kustomize/kyaml v0.18.1 h1:WvBo56Wzw3fjS+7vBjN6TeivvpbW9GmRaWZ9CIVmt4E=
-sigs.k8s.io/kustomize/kyaml v0.18.1/go.mod h1:C3L2BFVU1jgcddNBE1TxuVLgS46TjObMwW5FT9FcjYo=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2 h1:MdmvkGuXi/8io6ixD5wud3vOLwc1rj0aNqRlpuvjmwA=
-sigs.k8s.io/structured-merge-diff/v4 v4.4.2/go.mod h1:N8f93tFZh9U6vpxwRArLiikrE5/2tiu1w1AGfACIGE4=
+sigs.k8s.io/kustomize/api v0.19.0 h1:F+2HB2mU1MSiR9Hp1NEgoU2q9ItNOaBJl0I4Dlus5SQ=
+sigs.k8s.io/kustomize/api v0.19.0/go.mod h1:/BbwnivGVcBh1r+8m3tH1VNxJmHSk1PzP5fkP6lbL1o=
+sigs.k8s.io/kustomize/kyaml v0.19.0 h1:RFge5qsO1uHhwJsu3ipV7RNolC7Uozc0jUBC/61XSlA=
+sigs.k8s.io/kustomize/kyaml v0.19.0/go.mod h1:FeKD5jEOH+FbZPpqUghBP8mrLjJ3+zD3/rf9NNu1cwY=
+sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
+sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0 h1:IUA9nvMmnKWcj5jl84xn+T5MnlZKThmUW1TdblaLVAc=
+sigs.k8s.io/structured-merge-diff/v4 v4.6.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
 sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
 sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
 software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78 h1:SqYE5+A2qvRhErbsXFfUEUmpWEKxxRSMgGLkvRAFOV4=

From b7e906701adffa6ed1f9b002cddf6b5dcc409919 Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Fri, 11 Jul 2025 14:55:48 +1200
Subject: [PATCH 180/212] fix(kubernetes): Namespace access permission changes
 role bindings not created [R8S-366] (#826)

---
 api/http/handler/auth/authenticate.go         |  6 +++
 api/http/handler/auth/handler.go              |  5 ++-
 api/http/handler/auth/logout.go               |  2 +
 .../endpoints/endpoint_registries_list.go     | 18 ++++-----
 api/http/handler/kubernetes/client.go         | 10 ++++-
 api/http/handler/kubernetes/handler.go        |  6 +--
 .../proxy/factory/kubernetes/transport.go     |  1 +
 api/http/server.go                            |  2 +-
 api/kubernetes/cli/client.go                  | 40 ++++++++++++++++++-
 api/kubernetes/cli/client_test.go             | 22 ++++++++++
 10 files changed, 95 insertions(+), 17 deletions(-)
 create mode 100644 api/kubernetes/cli/client_test.go

diff --git a/api/http/handler/auth/authenticate.go b/api/http/handler/auth/authenticate.go
index 989949daa..4df31c92c 100644
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"net/http"
+	"strconv"
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
@@ -82,6 +83,11 @@ func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *h
 		}
 	}
 
+	// Clear any existing user caches
+	if user != nil {
+		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(user.ID)))
+	}
+
 	if user != nil && isUserInitialAdmin(user) || settings.AuthenticationMethod == portainer.AuthenticationInternal {
 		return handler.authenticateInternal(rw, user, payload.Password)
 	}
diff --git a/api/http/handler/auth/handler.go b/api/http/handler/auth/handler.go
index 3b7210fbf..035ceabf8 100644
--- a/api/http/handler/auth/handler.go
+++ b/api/http/handler/auth/handler.go
@@ -8,6 +8,7 @@ import (
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/gorilla/mux"
@@ -23,16 +24,18 @@ type Handler struct {
 	OAuthService                portainer.OAuthService
 	ProxyManager                *proxy.Manager
 	KubernetesTokenCacheManager *kubernetes.TokenCacheManager
+	KubernetesClientFactory     *cli.ClientFactory
 	passwordStrengthChecker     security.PasswordStrengthChecker
 	bouncer                     security.BouncerService
 }
 
 // NewHandler creates a handler to manage authentication operations.
-func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimiter, passwordStrengthChecker security.PasswordStrengthChecker) *Handler {
+func NewHandler(bouncer security.BouncerService, rateLimiter *security.RateLimiter, passwordStrengthChecker security.PasswordStrengthChecker, kubernetesClientFactory *cli.ClientFactory) *Handler {
 	h := &Handler{
 		Router:                  mux.NewRouter(),
 		passwordStrengthChecker: passwordStrengthChecker,
 		bouncer:                 bouncer,
+		KubernetesClientFactory: kubernetesClientFactory,
 	}
 
 	h.Handle("/auth/oauth/validate",
diff --git a/api/http/handler/auth/logout.go b/api/http/handler/auth/logout.go
index 977fafa69..73288565d 100644
--- a/api/http/handler/auth/logout.go
+++ b/api/http/handler/auth/logout.go
@@ -2,6 +2,7 @@ package auth
 
 import (
 	"net/http"
+	"strconv"
 
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/logoutcontext"
@@ -23,6 +24,7 @@ func (handler *Handler) logout(w http.ResponseWriter, r *http.Request) *httperro
 
 	if tokenData != nil {
 		handler.KubernetesTokenCacheManager.RemoveUserFromCache(tokenData.ID)
+		handler.KubernetesClientFactory.ClearUserClientCache(strconv.Itoa(int(tokenData.ID)))
 		logoutcontext.Cancel(tokenData.Token)
 	}
 
diff --git a/api/http/handler/endpoints/endpoint_registries_list.go b/api/http/handler/endpoints/endpoint_registries_list.go
index e81bc34a9..5bc4a930d 100644
--- a/api/http/handler/endpoints/endpoint_registries_list.go
+++ b/api/http/handler/endpoints/endpoint_registries_list.go
@@ -75,7 +75,7 @@ func (handler *Handler) listRegistries(tx dataservices.DataStoreTx, r *http.Requ
 		return nil, httperror.InternalServerError("Unable to retrieve registries from the database", err)
 	}
 
-	registries, handleError := handler.filterRegistriesByAccess(r, registries, endpoint, user, securityContext.UserMemberships)
+	registries, handleError := handler.filterRegistriesByAccess(tx, r, registries, endpoint, user, securityContext.UserMemberships)
 	if handleError != nil {
 		return nil, handleError
 	}
@@ -87,15 +87,15 @@ func (handler *Handler) listRegistries(tx dataservices.DataStoreTx, r *http.Requ
 	return registries, err
 }
 
-func (handler *Handler) filterRegistriesByAccess(r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
+func (handler *Handler) filterRegistriesByAccess(tx dataservices.DataStoreTx, r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
 	if !endpointutils.IsKubernetesEndpoint(endpoint) {
 		return security.FilterRegistries(registries, user, memberships, endpoint.ID), nil
 	}
 
-	return handler.filterKubernetesEndpointRegistries(r, registries, endpoint, user, memberships)
+	return handler.filterKubernetesEndpointRegistries(tx, r, registries, endpoint, user, memberships)
 }
 
-func (handler *Handler) filterKubernetesEndpointRegistries(r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
+func (handler *Handler) filterKubernetesEndpointRegistries(tx dataservices.DataStoreTx, r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User, memberships []portainer.TeamMembership) ([]portainer.Registry, *httperror.HandlerError) {
 	namespaceParam, _ := request.RetrieveQueryParameter(r, "namespace", true)
 	isAdmin, err := security.IsAdmin(r)
 	if err != nil {
@@ -116,7 +116,7 @@ func (handler *Handler) filterKubernetesEndpointRegistries(r *http.Request, regi
 		return registries, nil
 	}
 
-	return handler.filterKubernetesRegistriesByUserRole(r, registries, endpoint, user)
+	return handler.filterKubernetesRegistriesByUserRole(tx, r, registries, endpoint, user)
 }
 
 func (handler *Handler) isNamespaceAuthorized(endpoint *portainer.Endpoint, namespace string, userId portainer.UserID, memberships []portainer.TeamMembership, isAdmin bool) (bool, error) {
@@ -169,7 +169,7 @@ func registryAccessPoliciesContainsNamespace(registryAccess portainer.RegistryAc
 	return false
 }
 
-func (handler *Handler) filterKubernetesRegistriesByUserRole(r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User) ([]portainer.Registry, *httperror.HandlerError) {
+func (handler *Handler) filterKubernetesRegistriesByUserRole(tx dataservices.DataStoreTx, r *http.Request, registries []portainer.Registry, endpoint *portainer.Endpoint, user *portainer.User) ([]portainer.Registry, *httperror.HandlerError) {
 	err := handler.requestBouncer.AuthorizedEndpointOperation(r, endpoint)
 	if errors.Is(err, security.ErrAuthorizationRequired) {
 		return nil, httperror.Forbidden("User is not authorized", err)
@@ -178,7 +178,7 @@ func (handler *Handler) filterKubernetesRegistriesByUserRole(r *http.Request, re
 		return nil, httperror.InternalServerError("Unable to retrieve info from request context", err)
 	}
 
-	userNamespaces, err := handler.userNamespaces(endpoint, user)
+	userNamespaces, err := handler.userNamespaces(tx, endpoint, user)
 	if err != nil {
 		return nil, httperror.InternalServerError("unable to retrieve user namespaces", err)
 	}
@@ -186,7 +186,7 @@ func (handler *Handler) filterKubernetesRegistriesByUserRole(r *http.Request, re
 	return filterRegistriesByNamespaces(registries, endpoint.ID, userNamespaces), nil
 }
 
-func (handler *Handler) userNamespaces(endpoint *portainer.Endpoint, user *portainer.User) ([]string, error) {
+func (handler *Handler) userNamespaces(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, user *portainer.User) ([]string, error) {
 	kcl, err := handler.K8sClientFactory.GetPrivilegedKubeClient(endpoint)
 	if err != nil {
 		return nil, err
@@ -197,7 +197,7 @@ func (handler *Handler) userNamespaces(endpoint *portainer.Endpoint, user *porta
 		return nil, err
 	}
 
-	userMemberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	userMemberships, err := tx.TeamMembership().TeamMembershipsByUserID(user.ID)
 	if err != nil {
 		return nil, err
 	}
diff --git a/api/http/handler/kubernetes/client.go b/api/http/handler/kubernetes/client.go
index 6612ab7f4..a7f2485e3 100644
--- a/api/http/handler/kubernetes/client.go
+++ b/api/http/handler/kubernetes/client.go
@@ -2,8 +2,10 @@ package kubernetes
 
 import (
 	"net/http"
+	"strconv"
 
 	"github.com/portainer/portainer/api/http/middlewares"
+	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/rs/zerolog/log"
@@ -25,7 +27,13 @@ func (handler *Handler) prepareKubeClient(r *http.Request) (*cli.KubeClient, *ht
 		return nil, httperror.NotFound("Unable to find the Kubernetes endpoint associated to the request.", err)
 	}
 
-	pcli, err := handler.KubernetesClientFactory.GetPrivilegedKubeClient(endpoint)
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		log.Error().Err(err).Str("context", "prepareKubeClient").Msg("Unable to retrieve token data associated to the request.")
+		return nil, httperror.InternalServerError("Unable to retrieve token data associated to the request.", err)
+	}
+
+	pcli, err := handler.KubernetesClientFactory.GetPrivilegedUserKubeClient(endpoint, strconv.Itoa(int(tokenData.ID)))
 	if err != nil {
 		log.Error().Err(err).Str("context", "prepareKubeClient").Msg("Unable to get a privileged Kubernetes client for the user.")
 		return nil, httperror.InternalServerError("Unable to get a privileged Kubernetes client for the user.", err)
diff --git a/api/http/handler/kubernetes/handler.go b/api/http/handler/kubernetes/handler.go
index 07f6bdf3f..a8a5898c8 100644
--- a/api/http/handler/kubernetes/handler.go
+++ b/api/http/handler/kubernetes/handler.go
@@ -146,7 +146,7 @@ func (h *Handler) getProxyKubeClient(r *http.Request) (portainer.KubeClient, *ht
 		return nil, httperror.Forbidden(fmt.Sprintf("an error occurred during the getProxyKubeClient operation, permission denied to access the environment /api/kubernetes/%d. Error: ", endpointID), err)
 	}
 
-	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Token)
+	cli, ok := h.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), strconv.Itoa(int(tokenData.ID)))
 	if !ok {
 		return nil, httperror.InternalServerError("an error occurred during the getProxyKubeClient operation,failed to get proxy KubeClient", nil)
 	}
@@ -179,7 +179,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 		}
 
 		// Check if we have a kubeclient against this auth token already, otherwise generate a new one
-		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), tokenData.Token)
+		_, ok := handler.KubernetesClientFactory.GetProxyKubeClient(strconv.Itoa(endpointID), strconv.Itoa(int(tokenData.ID)))
 		if ok {
 			next.ServeHTTP(w, r)
 			return
@@ -269,7 +269,7 @@ func (handler *Handler) kubeClientMiddleware(next http.Handler) http.Handler {
 			return
 		}
 
-		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), tokenData.Token, kubeCli)
+		handler.KubernetesClientFactory.SetProxyKubeClient(strconv.Itoa(int(endpoint.ID)), strconv.Itoa(int(tokenData.ID)), kubeCli)
 		next.ServeHTTP(w, r)
 	})
 }
diff --git a/api/http/proxy/factory/kubernetes/transport.go b/api/http/proxy/factory/kubernetes/transport.go
index 76e9daa68..ddab7a096 100644
--- a/api/http/proxy/factory/kubernetes/transport.go
+++ b/api/http/proxy/factory/kubernetes/transport.go
@@ -58,6 +58,7 @@ func (transport *baseTransport) proxyKubernetesRequest(request *http.Request) (*
 
 	switch {
 	case strings.EqualFold(requestPath, "/namespaces/portainer/configmaps/portainer-config") && (request.Method == "PUT" || request.Method == "POST"):
+		transport.k8sClientFactory.ClearClientCache()
 		defer transport.tokenManager.UpdateUserServiceAccountsForEndpoint(portainer.EndpointID(endpointID))
 		return transport.executeKubernetesRequest(request)
 	case strings.EqualFold(requestPath, "/namespaces"):
diff --git a/api/http/server.go b/api/http/server.go
index 5bfa36379..8f073ce58 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -131,7 +131,7 @@ func (server *Server) Start() error {
 
 	passwordStrengthChecker := security.NewPasswordStrengthChecker(server.DataStore.Settings())
 
-	var authHandler = auth.NewHandler(requestBouncer, rateLimiter, passwordStrengthChecker)
+	var authHandler = auth.NewHandler(requestBouncer, rateLimiter, passwordStrengthChecker, server.KubernetesClientFactory)
 	authHandler.DataStore = server.DataStore
 	authHandler.CryptoService = server.CryptoService
 	authHandler.JWTService = server.JWTService
diff --git a/api/kubernetes/cli/client.go b/api/kubernetes/cli/client.go
index a40a865f1..550ade1d3 100644
--- a/api/kubernetes/cli/client.go
+++ b/api/kubernetes/cli/client.go
@@ -77,9 +77,26 @@ func (factory *ClientFactory) ClearClientCache() {
 	factory.endpointProxyClients.Flush()
 }
 
+// ClearClientCache removes all cached kube clients for a userId
+func (factory *ClientFactory) ClearUserClientCache(userID string) {
+	for key := range factory.endpointProxyClients.Items() {
+		if strings.HasSuffix(key, "."+userID) {
+			factory.endpointProxyClients.Delete(key)
+		}
+	}
+}
+
 // Remove the cached kube client so a new one can be created
 func (factory *ClientFactory) RemoveKubeClient(endpointID portainer.EndpointID) {
 	factory.endpointProxyClients.Delete(strconv.Itoa(int(endpointID)))
+
+	endpointPrefix := strconv.Itoa(int(endpointID)) + "."
+
+	for key := range factory.endpointProxyClients.Items() {
+		if strings.HasPrefix(key, endpointPrefix) {
+			factory.endpointProxyClients.Delete(key)
+		}
+	}
 }
 
 func (factory *ClientFactory) GetAddrHTTPS() string {
@@ -104,6 +121,24 @@ func (factory *ClientFactory) GetPrivilegedKubeClient(endpoint *portainer.Endpoi
 	return kcl, nil
 }
 
+// GetPrivilegedUserKubeClient checks if an existing admin client is already registered for the environment(endpoint) and user and returns it if one is found.
+// If no client is registered, it will create a new client, register it, and returns it.
+func (factory *ClientFactory) GetPrivilegedUserKubeClient(endpoint *portainer.Endpoint, userID string) (*KubeClient, error) {
+	key := strconv.Itoa(int(endpoint.ID)) + ".admin." + userID
+	pcl, ok := factory.endpointProxyClients.Get(key)
+	if ok {
+		return pcl.(*KubeClient), nil
+	}
+
+	kcl, err := factory.createCachedPrivilegedKubeClient(endpoint)
+	if err != nil {
+		return nil, err
+	}
+
+	factory.endpointProxyClients.Set(key, kcl, cache.DefaultExpiration)
+	return kcl, nil
+}
+
 // GetProxyKubeClient retrieves a KubeClient from the cache. You should be
 // calling SetProxyKubeClient before first. It is normally, called the
 // kubernetes middleware.
@@ -156,8 +191,9 @@ func (factory *ClientFactory) createCachedPrivilegedKubeClient(endpoint *portain
 	}
 
 	return &KubeClient{
-		cli:        cli,
-		instanceID: factory.instanceID,
+		cli:         cli,
+		instanceID:  factory.instanceID,
+		IsKubeAdmin: true,
 	}, nil
 }
 
diff --git a/api/kubernetes/cli/client_test.go b/api/kubernetes/cli/client_test.go
new file mode 100644
index 000000000..993a966e3
--- /dev/null
+++ b/api/kubernetes/cli/client_test.go
@@ -0,0 +1,22 @@
+package cli
+
+import (
+	"testing"
+)
+
+func TestClearUserClientCache(t *testing.T) {
+	factory, _ := NewClientFactory(nil, nil, nil, "", "", "")
+	kcl := &KubeClient{}
+	factory.endpointProxyClients.Set("12.1", kcl, 0)
+	factory.endpointProxyClients.Set("12.12", kcl, 0)
+	factory.endpointProxyClients.Set("12", kcl, 0)
+
+	factory.ClearUserClientCache("12")
+
+	if len(factory.endpointProxyClients.Items()) != 2 {
+		t.Errorf("Incorrect clients cached after clearUserClientCache;\ngot=\n%d\nwant=\n%d", len(factory.endpointProxyClients.Items()), 2)
+	}
+	if _, ok := factory.GetProxyKubeClient("12", "12"); ok {
+		t.Errorf("Expected not to find client cache for user after clear")
+	}
+}

From 96f2d69ae548d61e37cbe09b1b44a64878f16e13 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Fri, 11 Jul 2025 16:55:23 +1200
Subject: [PATCH 181/212] feat(observability): alerting experimental feature
 (#801)

Co-authored-by: JamesPlayer <james.player@portainer.io>
---
 .../test_data/output_24_to_latest.json        |  1 +
 api/portainer.go                              | 61 +++++++++++--------
 go.mod                                        |  1 +
 go.sum                                        |  2 +
 pkg/snapshot/docker.go                        |  5 +-
 pkg/snapshot/kubernetes.go                    | 56 ++++++++++++++++-
 6 files changed, 98 insertions(+), 28 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 41a1b49df..dc50e6788 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -776,6 +776,7 @@
         "ImageCount": 9,
         "IsPodman": false,
         "NodeCount": 0,
+        "PerformanceMetrics": null,
         "RunningContainerCount": 5,
         "ServiceCount": 0,
         "StackCount": 2,
diff --git a/api/portainer.go b/api/portainer.go
index da15479ee..0dc235550 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -215,26 +215,34 @@ type (
 
 	// DockerSnapshot represents a snapshot of a specific Docker environment(endpoint) at a specific time
 	DockerSnapshot struct {
-		Time                    int64             `json:"Time"`
-		DockerVersion           string            `json:"DockerVersion"`
-		Swarm                   bool              `json:"Swarm"`
-		TotalCPU                int               `json:"TotalCPU"`
-		TotalMemory             int64             `json:"TotalMemory"`
-		ContainerCount          int               `json:"ContainerCount"`
-		RunningContainerCount   int               `json:"RunningContainerCount"`
-		StoppedContainerCount   int               `json:"StoppedContainerCount"`
-		HealthyContainerCount   int               `json:"HealthyContainerCount"`
-		UnhealthyContainerCount int               `json:"UnhealthyContainerCount"`
-		VolumeCount             int               `json:"VolumeCount"`
-		ImageCount              int               `json:"ImageCount"`
-		ServiceCount            int               `json:"ServiceCount"`
-		StackCount              int               `json:"StackCount"`
-		SnapshotRaw             DockerSnapshotRaw `json:"DockerSnapshotRaw"`
-		NodeCount               int               `json:"NodeCount"`
-		GpuUseAll               bool              `json:"GpuUseAll"`
-		GpuUseList              []string          `json:"GpuUseList"`
-		IsPodman                bool              `json:"IsPodman"`
-		DiagnosticsData         *DiagnosticsData  `json:"DiagnosticsData"`
+		Time                    int64               `json:"Time"`
+		DockerVersion           string              `json:"DockerVersion"`
+		Swarm                   bool                `json:"Swarm"`
+		TotalCPU                int                 `json:"TotalCPU"`
+		TotalMemory             int64               `json:"TotalMemory"`
+		ContainerCount          int                 `json:"ContainerCount"`
+		RunningContainerCount   int                 `json:"RunningContainerCount"`
+		StoppedContainerCount   int                 `json:"StoppedContainerCount"`
+		HealthyContainerCount   int                 `json:"HealthyContainerCount"`
+		UnhealthyContainerCount int                 `json:"UnhealthyContainerCount"`
+		VolumeCount             int                 `json:"VolumeCount"`
+		ImageCount              int                 `json:"ImageCount"`
+		ServiceCount            int                 `json:"ServiceCount"`
+		StackCount              int                 `json:"StackCount"`
+		SnapshotRaw             DockerSnapshotRaw   `json:"DockerSnapshotRaw"`
+		NodeCount               int                 `json:"NodeCount"`
+		GpuUseAll               bool                `json:"GpuUseAll"`
+		GpuUseList              []string            `json:"GpuUseList"`
+		IsPodman                bool                `json:"IsPodman"`
+		DiagnosticsData         *DiagnosticsData    `json:"DiagnosticsData"`
+		PerformanceMetrics      *PerformanceMetrics `json:"PerformanceMetrics"`
+	}
+
+	// PerformanceMetrics represents the performance metrics of a Docker, Swarm, Podman, and Kubernetes environments
+	PerformanceMetrics struct {
+		CPUUsage     float64 `json:"CPUUsage,omitempty"`
+		MemoryUsage  float64 `json:"MemoryUsage,omitempty"`
+		NetworkUsage float64 `json:"NetworkUsage,omitempty"`
 	}
 
 	// DockerContainerSnapshot is an extent of Docker's Container struct
@@ -663,12 +671,13 @@ type (
 
 	// KubernetesSnapshot represents a snapshot of a specific Kubernetes environment(endpoint) at a specific time
 	KubernetesSnapshot struct {
-		Time              int64            `json:"Time"`
-		KubernetesVersion string           `json:"KubernetesVersion"`
-		NodeCount         int              `json:"NodeCount"`
-		TotalCPU          int64            `json:"TotalCPU"`
-		TotalMemory       int64            `json:"TotalMemory"`
-		DiagnosticsData   *DiagnosticsData `json:"DiagnosticsData"`
+		Time               int64               `json:"Time"`
+		KubernetesVersion  string              `json:"KubernetesVersion"`
+		NodeCount          int                 `json:"NodeCount"`
+		TotalCPU           int64               `json:"TotalCPU"`
+		TotalMemory        int64               `json:"TotalMemory"`
+		DiagnosticsData    *DiagnosticsData    `json:"DiagnosticsData"`
+		PerformanceMetrics *PerformanceMetrics `json:"PerformanceMetrics"`
 	}
 
 	// KubernetesConfiguration represents the configuration of a Kubernetes environment(endpoint)
diff --git a/go.mod b/go.mod
index f20d26f57..d589f19d9 100644
--- a/go.mod
+++ b/go.mod
@@ -61,6 +61,7 @@ require (
 	k8s.io/cli-runtime v0.33.2
 	k8s.io/client-go v0.33.2
 	k8s.io/kubectl v0.33.2
+	k8s.io/kubelet v0.33.2
 	k8s.io/metrics v0.33.2
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
diff --git a/go.sum b/go.sum
index d0f60eefc..ad8e48908 100644
--- a/go.sum
+++ b/go.sum
@@ -974,6 +974,8 @@ k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUy
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff/go.mod h1:5jIi+8yX4RIb8wk3XwBo5Pq2ccx4FP10ohkbSKCZoK8=
 k8s.io/kubectl v0.33.2 h1:7XKZ6DYCklu5MZQzJe+CkCjoGZwD1wWl7t/FxzhMz7Y=
 k8s.io/kubectl v0.33.2/go.mod h1:8rC67FB8tVTYraovAGNi/idWIK90z2CHFNMmGJZJ3KI=
+k8s.io/kubelet v0.33.2 h1:wxEau5/563oJb3j3KfrCKlNWWx35YlSgDLOYUBCQ0pg=
+k8s.io/kubelet v0.33.2/go.mod h1:way8VCDTUMiX1HTOvJv7M3xS/xNysJI6qh7TOqMe5KM=
 k8s.io/metrics v0.33.2 h1:gNCBmtnUMDMCRg9Ly5ehxP3OdKISMsOnh1vzk01iCgE=
 k8s.io/metrics v0.33.2/go.mod h1:yxoAosKGRsZisv3BGekC5W6T1J8XSV+PoUEevACRv7c=
 k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 h1:M3sRQVHv7vB20Xc2ybTt7ODCeFj6JSWYFzOFnYeS6Ro=
diff --git a/pkg/snapshot/docker.go b/pkg/snapshot/docker.go
index deaabdb08..12f3a3089 100644
--- a/pkg/snapshot/docker.go
+++ b/pkg/snapshot/docker.go
@@ -100,7 +100,10 @@ func dockerSnapshotNodes(snapshot *portainer.DockerSnapshot, cli *client.Client)
 
 	snapshot.TotalCPU = int(nanoCpus / 1e9)
 	snapshot.TotalMemory = totalMem
-	snapshot.NodeCount = len(nodes)
+	snapshot.NodeCount = 1
+	if snapshot.Swarm {
+		snapshot.NodeCount = len(nodes)
+	}
 
 	return nil
 }
diff --git a/pkg/snapshot/kubernetes.go b/pkg/snapshot/kubernetes.go
index d8e550e84..77fda14bd 100644
--- a/pkg/snapshot/kubernetes.go
+++ b/pkg/snapshot/kubernetes.go
@@ -5,7 +5,9 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"math"
 	"os"
+	"reflect"
 	"strings"
 	"time"
 
@@ -19,11 +21,11 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 )
 
 func CreateKubernetesSnapshot(cli *kubernetes.Clientset) (*portainer.KubernetesSnapshot, error) {
 	kubernetesSnapshot := &portainer.KubernetesSnapshot{}
-
 	err := kubernetesSnapshotVersion(kubernetesSnapshot, cli)
 	if err != nil {
 		log.Warn().Err(err).Msg("unable to snapshot cluster version")
@@ -54,10 +56,28 @@ func kubernetesSnapshotNodes(snapshot *portainer.KubernetesSnapshot, cli *kubern
 		return err
 	}
 
+	if len(nodeList.Items) == 0 {
+		return nil
+	}
+
 	var totalCPUs, totalMemory int64
+	performanceMetrics := &portainer.PerformanceMetrics{
+		CPUUsage:     0,
+		MemoryUsage:  0,
+		NetworkUsage: 0,
+	}
+
 	for _, node := range nodeList.Items {
 		totalCPUs += node.Status.Capacity.Cpu().Value()
 		totalMemory += node.Status.Capacity.Memory().Value()
+
+		performanceMetrics, err = kubernetesSnapshotNodePerformanceMetrics(cli, node, performanceMetrics)
+		if err != nil {
+			return fmt.Errorf("failed to get node performance metrics: %w", err)
+		}
+		if performanceMetrics != nil {
+			snapshot.PerformanceMetrics = performanceMetrics
+		}
 	}
 
 	snapshot.TotalCPU = totalCPUs
@@ -123,6 +143,40 @@ func kubernetesSnapshotPodErrorLogs(snapshot *portainer.KubernetesSnapshot, cli
 	return nil
 }
 
+func kubernetesSnapshotNodePerformanceMetrics(cli *kubernetes.Clientset, node corev1.Node, performanceMetrics *portainer.PerformanceMetrics) (*portainer.PerformanceMetrics, error) {
+	result := cli.RESTClient().Get().AbsPath(fmt.Sprintf("/api/v1/nodes/%s/proxy/stats/summary", node.Name)).Do(context.TODO())
+	if result.Error() != nil {
+		return nil, fmt.Errorf("failed to get node performance metrics: %w", result.Error())
+	}
+
+	raw, err := result.Raw()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get node performance metrics: %w", err)
+	}
+
+	stats := statsapi.Summary{}
+	err = json.Unmarshal(raw, &stats)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal node performance metrics: %w", err)
+	}
+
+	nodeStats := stats.Node
+	if reflect.DeepEqual(nodeStats, statsapi.NodeStats{}) {
+		return nil, nil
+	}
+
+	if nodeStats.CPU != nil && nodeStats.CPU.UsageNanoCores != nil {
+		performanceMetrics.CPUUsage += math.Round(float64(*nodeStats.CPU.UsageNanoCores) / float64(node.Status.Capacity.Cpu().Value()*1000000000) * 100)
+	}
+	if nodeStats.Memory != nil && nodeStats.Memory.WorkingSetBytes != nil {
+		performanceMetrics.MemoryUsage += math.Round(float64(*nodeStats.Memory.WorkingSetBytes) / float64(node.Status.Capacity.Memory().Value()) * 100)
+	}
+	if nodeStats.Network != nil && nodeStats.Network.RxBytes != nil && nodeStats.Network.TxBytes != nil {
+		performanceMetrics.NetworkUsage += math.Round((float64(*nodeStats.Network.RxBytes) + float64(*nodeStats.Network.TxBytes)) / 1024 / 1024) // MB
+	}
+	return performanceMetrics, nil
+}
+
 // filterLogsByPattern filters the logs by the given patterns and returns a list of logs that match the patterns
 // the logs are returned as a list of maps with the keys "timestamp" and "message"
 func filterLogsByPattern(logBytes []byte, patterns []string) []map[string]string {

From 89f6a94bd839e4a3a595e4b704ca1178b7869a0a Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Fri, 11 Jul 2025 20:06:41 +1200
Subject: [PATCH 182/212] chore(select): show data-cy react select [r8s-402]
 (#881)

---
 .../form-components/ReactSelect.tsx           | 87 +++++++++++++++++--
 1 file changed, 79 insertions(+), 8 deletions(-)

diff --git a/app/react/components/form-components/ReactSelect.tsx b/app/react/components/form-components/ReactSelect.tsx
index a9f4e6282..c7ea47366 100644
--- a/app/react/components/form-components/ReactSelect.tsx
+++ b/app/react/components/form-components/ReactSelect.tsx
@@ -5,12 +5,14 @@ import ReactSelectAsync, {
   AsyncProps as ReactSelectAsyncProps,
 } from 'react-select/async';
 import ReactSelect, {
+  components,
   GroupBase,
+  InputProps,
   OptionsOrGroups,
   Props as ReactSelectProps,
 } from 'react-select';
 import clsx from 'clsx';
-import { RefAttributes, useMemo } from 'react';
+import { RefAttributes, useMemo, useCallback } from 'react';
 import ReactSelectType from 'react-select/dist/declarations/src/Select';
 
 import './ReactSelect.css';
@@ -52,6 +54,9 @@ type Props<
   | CreatableProps<Option, IsMulti, Group>
   | RegularProps<Option, IsMulti, Group>;
 
+/**
+ * DO NOT use this component directly, use PortainerSelect instead.
+ */
 export function Select<
   Option = DefaultOption,
   IsMulti extends boolean = false,
@@ -68,24 +73,37 @@ export function Select<
     id: string;
   }) {
   const Component = isCreatable ? ReactSelectCreatable : ReactSelect;
-  const { options } = props;
+  const {
+    options,
+    'data-cy': dataCy,
+    components: componentsProp,
+    ...rest
+  } = props;
+
+  const memoizedComponents = useMemoizedSelectComponents<
+    Option,
+    IsMulti,
+    Group
+  >(dataCy, componentsProp);
 
   if ((options?.length || 0) > 1000) {
     return (
       <TooManyResultsSelector
+        size={size}
         // eslint-disable-next-line react/jsx-props-no-spreading
         {...props}
-        size={size}
       />
     );
   }
 
   return (
     <Component
+      options={options}
       className={clsx(className, 'portainer-selector-root', size)}
       classNamePrefix="portainer-selector"
+      components={memoizedComponents}
       // eslint-disable-next-line react/jsx-props-no-spreading
-      {...props}
+      {...rest}
     />
   );
 }
@@ -94,13 +112,25 @@ export function Creatable<
   Option = DefaultOption,
   IsMulti extends boolean = false,
   Group extends GroupBase<Option> = GroupBase<Option>,
->({ className, ...props }: ReactSelectCreatableProps<Option, IsMulti, Group>) {
+>({
+  className,
+  ...props
+}: ReactSelectCreatableProps<Option, IsMulti, Group> & AutomationTestingProps) {
+  const { 'data-cy': dataCy, components: componentsProp, ...rest } = props;
+
+  const memoizedComponents = useMemoizedSelectComponents<
+    Option,
+    IsMulti,
+    Group
+  >(dataCy, componentsProp);
+
   return (
     <ReactSelectCreatable
       className={clsx(className, 'portainer-selector-root')}
       classNamePrefix="portainer-selector"
+      components={memoizedComponents}
       // eslint-disable-next-line react/jsx-props-no-spreading
-      {...props}
+      {...rest}
     />
   );
 }
@@ -113,13 +143,24 @@ export function Async<
   className,
   size,
   ...props
-}: ReactSelectAsyncProps<Option, IsMulti, Group> & { size?: 'sm' | 'md' }) {
+}: ReactSelectAsyncProps<Option, IsMulti, Group> & {
+  size?: 'sm' | 'md';
+} & AutomationTestingProps) {
+  const { 'data-cy': dataCy, components: componentsProp, ...rest } = props;
+
+  const memoizedComponents = useMemoizedSelectComponents<
+    Option,
+    IsMulti,
+    Group
+  >(dataCy, componentsProp);
+
   return (
     <ReactSelectAsync
       className={clsx(className, 'portainer-selector-root', size)}
       classNamePrefix="portainer-selector"
+      components={memoizedComponents}
       // eslint-disable-next-line react/jsx-props-no-spreading
-      {...props}
+      {...rest}
     />
   );
 }
@@ -187,3 +228,33 @@ function isGroup<
 
   return 'options' in option;
 }
+
+/**
+ * Memoize components to prevent unnecessary re-renders.
+ */
+function useMemoizedSelectComponents<
+  Option = DefaultOption,
+  IsMulti extends boolean = false,
+  Group extends GroupBase<Option> = GroupBase<Option>,
+>(
+  dataCy: string | undefined,
+  componentsProp: Partial<
+    ReactSelectProps<Option, IsMulti, Group>['components']
+  >
+) {
+  const customInput = useCallback(
+    (inputProps: InputProps<Option, IsMulti, Group>) =>
+      components.Input({ ...inputProps, 'data-cy': dataCy }),
+    [dataCy]
+  );
+
+  const memoizedComponents = useMemo(
+    () => ({
+      Input: customInput,
+      ...componentsProp,
+    }),
+    [customInput, componentsProp]
+  );
+
+  return memoizedComponents;
+}

From b6a6ce9aaf637fde41dda3cbc38d64103d05df21 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Fri, 11 Jul 2025 18:54:05 -0300
Subject: [PATCH 183/212] fix(endpointedge): fix a deadlock in
 createAsyncEdgeAgentEndpoint() BE-12039 (#883)

---
 dev/run_container.sh        | 1 +
 dev/run_container_podman.sh | 1 +
 2 files changed, 2 insertions(+)

diff --git a/dev/run_container.sh b/dev/run_container.sh
index 56b00edd4..56dc1ceda 100755
--- a/dev/run_container.sh
+++ b/dev/run_container.sh
@@ -16,6 +16,7 @@ docker run -d \
   -v /var/run/docker.sock:/var/run/docker.sock:z \
   -v /var/run/docker.sock:/var/run/alternative.sock:z \
   -v /tmp:/tmp \
+  -e CSP=false \
   --name portainer \
   portainer/base \
   /app/portainer $PORTAINER_FLAGS
diff --git a/dev/run_container_podman.sh b/dev/run_container_podman.sh
index 1893efd0b..03e2fb270 100755
--- a/dev/run_container_podman.sh
+++ b/dev/run_container_podman.sh
@@ -16,6 +16,7 @@ sudo podman run -d \
   -v "$PORTAINER_DATA:/data" \
   -v /run/podman/podman.sock:/var/run/docker.sock \
   -v /tmp:/tmp \
+  -e CSP=false \
   --privileged \
   --name portainer \
   portainer/base \

From 2697d6c5d77ea5cac51aa13d89f1ce3181346710 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Sun, 13 Jul 2025 10:37:43 +1200
Subject: [PATCH 184/212] feat(oci): oci helm support [r8s-361] (#787)

---
 .../test_data/output_24_to_latest.json        |   4 +
 api/http/handler/registries/handler.go        | 126 +--
 .../registries/registry_access_test.go        |  89 +++
 .../handler/registries/registry_inspect.go    |  17 +-
 api/http/handler/webhooks/webhook_create.go   |   2 +-
 api/http/handler/webhooks/webhook_update.go   |   2 +-
 api/http/proxy/factory/docker/registry.go     |   5 +-
 api/http/proxy/factory/github/client.go       | 108 +++
 api/http/proxy/factory/gitlab/client.go       | 130 +++
 api/http/proxy/factory/gitlab/transport.go    |  34 -
 api/internal/registryutils/access/access.go   |  52 +-
 api/internal/registryutils/ecr_reg_token.go   |  23 +
 api/kubernetes/cli/namespace.go               |   6 +
 api/portainer.go                              |   9 +
 app/kubernetes/react/components/index.ts      |   1 +
 .../kube-registry-access-view.html            |   1 +
 app/kubernetes/views/deploy/deploy.html       |  17 +-
 .../views/deploy/deployController.js          |  12 +-
 app/portainer/react/components/index.ts       |  12 +
 app/react/components/ExternalLink.tsx         |  12 +-
 app/react/components/FallbackImage.tsx        |   2 +-
 .../form-components/PortainerSelect.tsx       |  52 +-
 .../NamespaceSelector/NamespaceSelector.tsx   |  26 +
 .../RegistryAccessView/NamespacesSelector.tsx |  21 +-
 .../ChartActions/ChartActions.tsx             |  10 +-
 .../ChartActions/UpgradeButton.test.tsx       |   6 +-
 .../ChartActions/UpgradeButton.tsx            |  15 +-
 .../HelmApplicationView.test.tsx              |  78 +-
 .../HelmApplicationView.tsx                   |  49 +-
 .../HelmTemplates/HelmInstallForm.test.tsx    |   1 +
 .../helm/HelmTemplates/HelmInstallForm.tsx    |  31 +-
 .../HelmTemplates/HelmInstallInnerForm.tsx    |  63 +-
 .../helm/HelmTemplates/HelmTemplates.tsx      | 103 ++-
 .../HelmTemplates/HelmTemplatesList.test.tsx  |  68 +-
 .../helm/HelmTemplates/HelmTemplatesList.tsx  | 109 +--
 .../HelmTemplatesSelectedItem.tsx             |   2 +-
 .../kubernetes/helm/HelmTemplates/types.ts    |   1 +
 .../components/HelmRegistrySelect.test.tsx    | 242 ++++++
 .../helm/components/HelmRegistrySelect.tsx    | 156 ++++
 .../helm/queries/useHelmChartList.ts          |  57 +-
 .../helm/queries/useHelmChartValues.ts        |  19 +-
 .../helm/queries/useHelmRegistries.ts         |  43 -
 .../helm/queries/useHelmRepoVersions.ts       |  35 +-
 .../helm/queries/useHelmRepositories.ts       |  84 ++
 app/react/kubernetes/helm/types.ts            |  13 +-
 .../AccessControlPanelDetails.tsx             |   6 +-
 .../HelmRepositoryDatatable.tsx               |  32 +-
 .../environments/queries/query-keys.ts        |   9 +-
 .../queries/useEnvironmentRegistries.ts       |  19 +-
 .../registries/CreateView/options.tsx         |  54 +-
 .../portainer/registries/queries/build-url.ts |  12 +-
 .../registries/queries/useRegistries.ts       |   2 +
 .../portainer/registries/utils/constants.tsx  |  35 +
 .../KubeSettingsPanel/HelmSection.tsx         |  38 +-
 go.mod                                        |   4 +-
 pkg/libhelm/cache/cache.go                    | 126 +++
 pkg/libhelm/cache/manager.go                  |  81 ++
 pkg/libhelm/options/chart_reference.go        |  38 +
 pkg/libhelm/options/chart_reference_test.go   | 100 +++
 pkg/libhelm/options/install_options.go        |   7 +-
 pkg/libhelm/options/search_repo_options.go    |   7 +-
 pkg/libhelm/options/show_options.go           |   6 +-
 pkg/libhelm/release/release.go                |   8 +
 pkg/libhelm/sdk/chartsources.go               | 297 +++++++
 pkg/libhelm/sdk/chartsources_test.go          | 752 ++++++++++++++++++
 pkg/libhelm/sdk/common.go                     | 208 ++++-
 pkg/libhelm/sdk/get.go                        |   3 +-
 pkg/libhelm/sdk/install.go                    |  48 +-
 pkg/libhelm/sdk/search_repo.go                | 434 ++++++----
 pkg/libhelm/sdk/show.go                       |  96 +--
 pkg/libhelm/sdk/show_test.go                  |   4 +-
 pkg/libhelm/sdk/upgrade.go                    |  51 +-
 pkg/libhelm/sdk/values.go                     |   4 +-
 pkg/liboras/generic_listrepo_client.go        |  47 ++
 pkg/liboras/github_listrepo_client.go         |  57 ++
 pkg/liboras/gitlab_listrepo_client.go         |  47 ++
 pkg/liboras/listrepo_client.go                |  39 +
 pkg/liboras/registry.go                       |  79 ++
 pkg/liboras/registry_test.go                  | 252 ++++++
 pkg/liboras/repository.go                     | 126 +++
 80 files changed, 4264 insertions(+), 812 deletions(-)
 create mode 100644 api/http/handler/registries/registry_access_test.go
 create mode 100644 api/http/proxy/factory/github/client.go
 create mode 100644 api/http/proxy/factory/gitlab/client.go
 delete mode 100644 api/http/proxy/factory/gitlab/transport.go
 create mode 100644 app/react/kubernetes/helm/components/HelmRegistrySelect.test.tsx
 create mode 100644 app/react/kubernetes/helm/components/HelmRegistrySelect.tsx
 delete mode 100644 app/react/kubernetes/helm/queries/useHelmRegistries.ts
 create mode 100644 app/react/kubernetes/helm/queries/useHelmRepositories.ts
 create mode 100644 app/react/portainer/registries/utils/constants.tsx
 create mode 100644 pkg/libhelm/cache/cache.go
 create mode 100644 pkg/libhelm/cache/manager.go
 create mode 100644 pkg/libhelm/options/chart_reference.go
 create mode 100644 pkg/libhelm/options/chart_reference_test.go
 create mode 100644 pkg/libhelm/sdk/chartsources.go
 create mode 100644 pkg/libhelm/sdk/chartsources_test.go
 create mode 100644 pkg/liboras/generic_listrepo_client.go
 create mode 100644 pkg/liboras/github_listrepo_client.go
 create mode 100644 pkg/liboras/gitlab_listrepo_client.go
 create mode 100644 pkg/liboras/listrepo_client.go
 create mode 100644 pkg/liboras/registry.go
 create mode 100644 pkg/liboras/registry_test.go
 create mode 100644 pkg/liboras/repository.go

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index dc50e6788..8bdc55983 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -121,6 +121,10 @@
       "Ecr": {
         "Region": ""
       },
+      "Github": {
+        "OrganisationName": "",
+        "UseOrganisation": false
+      },
       "Gitlab": {
         "InstanceURL": "",
         "ProjectId": 0,
diff --git a/api/http/handler/registries/handler.go b/api/http/handler/registries/handler.go
index dee14885e..026039833 100644
--- a/api/http/handler/registries/handler.go
+++ b/api/http/handler/registries/handler.go
@@ -5,10 +5,10 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/http/security"
-	"github.com/portainer/portainer/api/internal/endpointutils"
-	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/api/internal/registryutils/access"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 	"github.com/portainer/portainer/api/pendingactions"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
@@ -17,6 +17,7 @@ import (
 	"github.com/gorilla/mux"
 
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog/log"
 )
 
 func hideFields(registry *portainer.Registry, hideAccesses bool) {
@@ -56,17 +57,20 @@ func newHandler(bouncer security.BouncerService) *Handler {
 func (handler *Handler) initRouter(bouncer accessGuard) {
 	adminRouter := handler.NewRoute().Subrouter()
 	adminRouter.Use(bouncer.AdminAccess)
-
-	authenticatedRouter := handler.NewRoute().Subrouter()
-	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
-
 	adminRouter.Handle("/registries", httperror.LoggerHandler(handler.registryList)).Methods(http.MethodGet)
 	adminRouter.Handle("/registries", httperror.LoggerHandler(handler.registryCreate)).Methods(http.MethodPost)
 	adminRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryUpdate)).Methods(http.MethodPut)
 	adminRouter.Handle("/registries/{id}/configure", httperror.LoggerHandler(handler.registryConfigure)).Methods(http.MethodPost)
 	adminRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryDelete)).Methods(http.MethodDelete)
 
-	authenticatedRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryInspect)).Methods(http.MethodGet)
+	// Use registry-specific access bouncer for inspect and repositories endpoints
+	registryAccessRouter := handler.NewRoute().Subrouter()
+	registryAccessRouter.Use(bouncer.AuthenticatedAccess, handler.RegistryAccess)
+	registryAccessRouter.Handle("/registries/{id}", httperror.LoggerHandler(handler.registryInspect)).Methods(http.MethodGet)
+
+	// Keep the gitlab proxy on the regular authenticated router as it doesn't require specific registry access
+	authenticatedRouter := handler.NewRoute().Subrouter()
+	authenticatedRouter.Use(bouncer.AuthenticatedAccess)
 	authenticatedRouter.PathPrefix("/registries/proxies/gitlab").Handler(httperror.LoggerHandler(handler.proxyRequestsToGitlabAPIWithoutRegistry))
 }
 
@@ -88,9 +92,7 @@ func (handler *Handler) registriesHaveSameURLAndCredentials(r1, r2 *portainer.Re
 }
 
 // this function validates that
-//
 // 1. user has the appropriate authorizations to perform the request
-//
 // 2. user has a direct or indirect access to the registry
 func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portainer.Registry) (hasAccess bool, isAdmin bool, err error) {
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
@@ -98,11 +100,6 @@ func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portain
 		return false, false, err
 	}
 
-	user, err := handler.DataStore.User().Read(securityContext.UserID)
-	if err != nil {
-		return false, false, err
-	}
-
 	// Portainer admins always have access to everything
 	if securityContext.IsAdmin {
 		return true, true, nil
@@ -128,47 +125,68 @@ func (handler *Handler) userHasRegistryAccess(r *http.Request, registry *portain
 		return false, false, err
 	}
 
-	memberships, err := handler.DataStore.TeamMembership().TeamMembershipsByUserID(user.ID)
+	// Use the enhanced registry access utility function that includes namespace validation
+	_, err = access.GetAccessibleRegistry(
+		handler.DataStore,
+		handler.K8sClientFactory,
+		securityContext.UserID,
+		endpointId,
+		registry.ID,
+	)
 	if err != nil {
-		return false, false, nil
+		return false, false, nil // No access
 	}
 
-	// validate access for kubernetes namespaces (leverage registry.RegistryAccesses[endpointId].Namespaces)
-	if endpointutils.IsKubernetesEndpoint(endpoint) {
-		kcl, err := handler.K8sClientFactory.GetPrivilegedKubeClient(endpoint)
-		if err != nil {
-			return false, false, errors.Wrap(err, "unable to retrieve kubernetes client to validate registry access")
-		}
-		accessPolicies, err := kcl.GetNamespaceAccessPolicies()
-		if err != nil {
-			return false, false, errors.Wrap(err, "unable to retrieve environment's namespaces policies to validate registry access")
-		}
-
-		authorizedNamespaces := registry.RegistryAccesses[endpointId].Namespaces
-
-		for _, namespace := range authorizedNamespaces {
-			// when the default namespace is authorized to use a registry, all users have the ability to use it
-			// unless the default namespace is restricted: in this case continue to search for other potential accesses authorizations
-			if namespace == kubernetes.DefaultNamespace && !endpoint.Kubernetes.Configuration.RestrictDefaultNamespace {
-				return true, false, nil
-			}
-
-			namespacePolicy := accessPolicies[namespace]
-			if security.AuthorizedAccess(user.ID, memberships, namespacePolicy.UserAccessPolicies, namespacePolicy.TeamAccessPolicies) {
-				return true, false, nil
-			}
-		}
-		return false, false, nil
-	}
-
-	// validate access for docker environments
-	// leverage registry.RegistryAccesses[endpointId].UserAccessPolicies (direct access)
-	// and registry.RegistryAccesses[endpointId].TeamAccessPolicies (indirect access via his teams)
-	if security.AuthorizedRegistryAccess(registry, user, memberships, endpoint.ID) {
-		return true, false, nil
-	}
-
-	// when user has no access via their role, direct grant or indirect grant
-	// then they don't have access to the registry
-	return false, false, nil
+	return true, false, nil
+}
+
+// RegistryAccess defines a security check for registry-specific API endpoints.
+// Authentication is required to access these endpoints.
+// The user must have direct or indirect access to the specific registry being requested.
+// This bouncer validates registry access using the userHasRegistryAccess logic.
+func (handler *Handler) RegistryAccess(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// First ensure the user is authenticated
+		tokenData, err := security.RetrieveTokenData(r)
+		if err != nil {
+			httperror.WriteError(w, http.StatusUnauthorized, "Authentication required", httperrors.ErrUnauthorized)
+			return
+		}
+
+		// Extract registry ID from the route
+		registryID, err := request.RetrieveNumericRouteVariableValue(r, "id")
+		if err != nil {
+			httperror.WriteError(w, http.StatusBadRequest, "Invalid registry identifier route variable", err)
+			return
+		}
+
+		// Get the registry from the database
+		registry, err := handler.DataStore.Registry().Read(portainer.RegistryID(registryID))
+		if handler.DataStore.IsErrObjectNotFound(err) {
+			httperror.WriteError(w, http.StatusNotFound, "Unable to find a registry with the specified identifier inside the database", err)
+			return
+		} else if err != nil {
+			httperror.WriteError(w, http.StatusInternalServerError, "Unable to find a registry with the specified identifier inside the database", err)
+			return
+		}
+
+		// Check if user has access to this registry
+		hasAccess, _, err := handler.userHasRegistryAccess(r, registry)
+		if err != nil {
+			httperror.WriteError(w, http.StatusInternalServerError, "Unable to retrieve info from request context", err)
+			return
+		}
+		if !hasAccess {
+			log.Debug().
+				Int("registry_id", registryID).
+				Str("registry_name", registry.Name).
+				Int("user_id", int(tokenData.ID)).
+				Str("context", "RegistryAccessBouncer").
+				Msg("User access denied to registry")
+			httperror.WriteError(w, http.StatusForbidden, "Access denied to resource", httperrors.ErrResourceAccessDenied)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
 }
diff --git a/api/http/handler/registries/registry_access_test.go b/api/http/handler/registries/registry_access_test.go
new file mode 100644
index 000000000..8231f4d66
--- /dev/null
+++ b/api/http/handler/registries/registry_access_test.go
@@ -0,0 +1,89 @@
+package registries
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/gorilla/mux"
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_RegistryAccess_RequiresAuthentication(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	registry := &portainer.Registry{
+		ID:   1,
+		Name: "test-registry",
+		URL:  "https://registry.test.com",
+	}
+	err := store.Registry().Create(registry)
+	assert.NoError(t, err)
+	handler := &Handler{
+		DataStore: store,
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/1", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "1"})
+	rr := httptest.NewRecorder()
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusUnauthorized, rr.Code)
+}
+
+func Test_RegistryAccess_InvalidRegistryID(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	user := &portainer.User{ID: 1, Username: "test", Role: portainer.StandardUserRole}
+	err := store.User().Create(user)
+	assert.NoError(t, err)
+
+	handler := &Handler{
+		DataStore: store,
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/invalid", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "invalid"})
+	tokenData := &portainer.TokenData{ID: 1, Role: portainer.StandardUserRole}
+	req = req.WithContext(security.StoreTokenData(req, tokenData))
+
+	rr := httptest.NewRecorder()
+
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+}
+
+func Test_RegistryAccess_RegistryNotFound(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+	user := &portainer.User{ID: 1, Username: "test", Role: portainer.StandardUserRole}
+	err := store.User().Create(user)
+	assert.NoError(t, err)
+
+	handler := &Handler{
+		DataStore:      store,
+		requestBouncer: testhelpers.NewTestRequestBouncer(),
+	}
+	req := httptest.NewRequest(http.MethodGet, "/registries/999", nil)
+	req = mux.SetURLVars(req, map[string]string{"id": "999"})
+	tokenData := &portainer.TokenData{ID: 1, Role: portainer.StandardUserRole}
+	req = req.WithContext(security.StoreTokenData(req, tokenData))
+
+	rr := httptest.NewRecorder()
+
+	testHandler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+
+	bouncer := handler.RegistryAccess(testHandler)
+	bouncer.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusNotFound, rr.Code)
+}
diff --git a/api/http/handler/registries/registry_inspect.go b/api/http/handler/registries/registry_inspect.go
index a1f0bd9c5..f606a953e 100644
--- a/api/http/handler/registries/registry_inspect.go
+++ b/api/http/handler/registries/registry_inspect.go
@@ -4,10 +4,12 @@ import (
 	"net/http"
 
 	portainer "github.com/portainer/portainer/api"
-	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/http/security"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
+
+	"github.com/rs/zerolog/log"
 )
 
 // @id RegistryInspect
@@ -31,6 +33,11 @@ func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.BadRequest("Invalid registry identifier route variable", err)
 	}
 
+	log.Debug().
+		Int("registry_id", registryID).
+		Str("context", "RegistryInspectHandler").
+		Msg("Starting registry inspection")
+
 	registry, err := handler.DataStore.Registry().Read(portainer.RegistryID(registryID))
 	if handler.DataStore.IsErrObjectNotFound(err) {
 		return httperror.NotFound("Unable to find a registry with the specified identifier inside the database", err)
@@ -38,14 +45,12 @@ func (handler *Handler) registryInspect(w http.ResponseWriter, r *http.Request)
 		return httperror.InternalServerError("Unable to find a registry with the specified identifier inside the database", err)
 	}
 
-	hasAccess, isAdmin, err := handler.userHasRegistryAccess(r, registry)
+	// Check if user is admin to determine if we should hide sensitive fields
+	securityContext, err := security.RetrieveRestrictedRequestContext(r)
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve info from request context", err)
 	}
-	if !hasAccess {
-		return httperror.Forbidden("Access denied to resource", httperrors.ErrResourceAccessDenied)
-	}
 
-	hideFields(registry, !isAdmin)
+	hideFields(registry, !securityContext.IsAdmin)
 	return response.JSON(w, registry)
 }
diff --git a/api/http/handler/webhooks/webhook_create.go b/api/http/handler/webhooks/webhook_create.go
index b69e93db3..d7edde333 100644
--- a/api/http/handler/webhooks/webhook_create.go
+++ b/api/http/handler/webhooks/webhook_create.go
@@ -80,7 +80,7 @@ func (handler *Handler) webhookCreate(w http.ResponseWriter, r *http.Request) *h
 			return httperror.InternalServerError("Unable to retrieve user authentication token", err)
 		}
 
-		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, endpointID, payload.RegistryID)
+		_, err = access.GetAccessibleRegistry(handler.DataStore, nil, tokenData.ID, endpointID, payload.RegistryID)
 		if err != nil {
 			return httperror.Forbidden("Permission deny to access registry", err)
 		}
diff --git a/api/http/handler/webhooks/webhook_update.go b/api/http/handler/webhooks/webhook_update.go
index 7a026fcd7..94133c49a 100644
--- a/api/http/handler/webhooks/webhook_update.go
+++ b/api/http/handler/webhooks/webhook_update.go
@@ -69,7 +69,7 @@ func (handler *Handler) webhookUpdate(w http.ResponseWriter, r *http.Request) *h
 			return httperror.InternalServerError("Unable to retrieve user authentication token", err)
 		}
 
-		_, err = access.GetAccessibleRegistry(handler.DataStore, tokenData.ID, webhook.EndpointID, payload.RegistryID)
+		_, err = access.GetAccessibleRegistry(handler.DataStore, nil, tokenData.ID, webhook.EndpointID, payload.RegistryID)
 		if err != nil {
 			return httperror.Forbidden("Permission deny to access registry", err)
 		}
diff --git a/api/http/proxy/factory/docker/registry.go b/api/http/proxy/factory/docker/registry.go
index ecf7935f1..7036853c7 100644
--- a/api/http/proxy/factory/docker/registry.go
+++ b/api/http/proxy/factory/docker/registry.go
@@ -55,12 +55,13 @@ func createRegistryAuthenticationHeader(
 		return
 	}
 
-	if err = registryutils.EnsureRegTokenValid(dataStore, matchingRegistry); err != nil {
+	if err = registryutils.PrepareRegistryCredentials(dataStore, matchingRegistry); err != nil {
 		return
 	}
 
 	authenticationHeader.Serveraddress = matchingRegistry.URL
-	authenticationHeader.Username, authenticationHeader.Password, err = registryutils.GetRegEffectiveCredential(matchingRegistry)
+	authenticationHeader.Username = matchingRegistry.Username
+	authenticationHeader.Password = matchingRegistry.Password
 
 	return
 }
diff --git a/api/http/proxy/factory/github/client.go b/api/http/proxy/factory/github/client.go
new file mode 100644
index 000000000..74dcfb994
--- /dev/null
+++ b/api/http/proxy/factory/github/client.go
@@ -0,0 +1,108 @@
+package github
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/segmentio/encoding/json"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+const GitHubAPIHost = "https://api.github.com"
+
+// Package represents a GitHub container package
+type Package struct {
+	Name  string `json:"name"`
+	Owner struct {
+		Login string `json:"login"`
+	} `json:"owner"`
+}
+
+// Client represents a GitHub API client
+type Client struct {
+	httpClient *http.Client
+	baseURL    string
+}
+
+// NewClient creates a new GitHub API client
+func NewClient(token string) *Client {
+	return &Client{
+		httpClient: NewHTTPClient(token),
+		baseURL:    GitHubAPIHost,
+	}
+}
+
+// GetContainerPackages fetches container packages for the configured namespace
+// It's a small http client wrapper instead of using the github client because listing repositories is the only known operation that isn't directly supported by oras
+func (c *Client) GetContainerPackages(ctx context.Context, useOrganisation bool, organisationName string) ([]string, error) {
+	// Determine the namespace (user or organisation) for the request
+	namespace := "user"
+	if useOrganisation {
+		namespace = "orgs/" + organisationName
+	}
+
+	// Build the full URL for listing container packages
+	url := fmt.Sprintf("%s/%s/packages?package_type=container", c.baseURL, namespace)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitHub API returned status %d: %s", resp.StatusCode, resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	var packages []Package
+	if err := json.Unmarshal(body, &packages); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	// Extract repository names in the form "owner/name"
+	repositories := make([]string, len(packages))
+	for i, pkg := range packages {
+		repositories[i] = fmt.Sprintf("%s/%s", strings.ToLower(pkg.Owner.Login), strings.ToLower(pkg.Name))
+	}
+
+	return repositories, nil
+}
+
+// NewHTTPClient creates a new HTTP client configured for GitHub API requests
+func NewHTTPClient(token string) *http.Client {
+	return &http.Client{
+		Transport: &tokenTransport{
+			token:     token,
+			transport: retry.NewTransport(&http.Transport{}), // Use ORAS retry transport for consistent rate limiting and error handling
+		},
+		Timeout: 1 * time.Minute,
+	}
+}
+
+// tokenTransport automatically adds the Bearer token header to requests
+type tokenTransport struct {
+	token     string
+	transport http.RoundTripper
+}
+
+func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	if t.token != "" {
+		req.Header.Set("Authorization", "Bearer "+t.token)
+		req.Header.Set("Accept", "application/vnd.github+json")
+	}
+	return t.transport.RoundTrip(req)
+}
diff --git a/api/http/proxy/factory/gitlab/client.go b/api/http/proxy/factory/gitlab/client.go
new file mode 100644
index 000000000..13d07e18b
--- /dev/null
+++ b/api/http/proxy/factory/gitlab/client.go
@@ -0,0 +1,130 @@
+package gitlab
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"time"
+
+	"github.com/segmentio/encoding/json"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+// Repository represents a GitLab registry repository
+type Repository struct {
+	ID        int    `json:"id"`
+	Name      string `json:"name"`
+	Path      string `json:"path"`
+	ProjectID int    `json:"project_id"`
+	Location  string `json:"location"`
+	CreatedAt string `json:"created_at"`
+	Status    string `json:"status"`
+}
+
+// Client represents a GitLab API client
+type Client struct {
+	httpClient *http.Client
+	baseURL    string
+}
+
+// NewClient creates a new GitLab API client
+// it currently is an http client because only GetRegistryRepositoryNames is needed (oras supports other commands).
+// if we need to support other commands, consider using the gitlab client library.
+func NewClient(baseURL, token string) *Client {
+	return &Client{
+		httpClient: NewHTTPClient(token),
+		baseURL:    baseURL,
+	}
+}
+
+// GetRegistryRepositoryNames fetches registry repository names for a given project.
+// It's a small http client wrapper instead of using the gitlab client library because listing repositories is the only known operation that isn't directly supported by oras
+func (c *Client) GetRegistryRepositoryNames(ctx context.Context, projectID int) ([]string, error) {
+	url := fmt.Sprintf("%s/api/v4/projects/%d/registry/repositories", c.baseURL, projectID)
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create request: %w", err)
+	}
+
+	resp, err := c.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("failed to execute request: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return nil, fmt.Errorf("GitLab API returned status %d: %s", resp.StatusCode, resp.Status)
+	}
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read response body: %w", err)
+	}
+
+	var repositories []Repository
+	if err := json.Unmarshal(body, &repositories); err != nil {
+		return nil, fmt.Errorf("failed to parse response: %w", err)
+	}
+
+	// Extract repository names
+	names := make([]string, len(repositories))
+	for i, repo := range repositories {
+		// the full path is required for further repo operations
+		names[i] = repo.Path
+	}
+
+	return names, nil
+}
+
+type Transport struct {
+	httpTransport *http.Transport
+}
+
+// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
+// interface for proxying requests to the Gitlab API.
+func NewTransport() *Transport {
+	return &Transport{
+		httpTransport: &http.Transport{},
+	}
+}
+
+// RoundTrip is the implementation of the http.RoundTripper interface
+func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
+	token := request.Header.Get("Private-Token")
+	if token == "" {
+		return nil, errors.New("no gitlab token provided")
+	}
+
+	r, err := http.NewRequest(request.Method, request.URL.String(), request.Body)
+	if err != nil {
+		return nil, err
+	}
+
+	r.Header.Set("Private-Token", token)
+	return transport.httpTransport.RoundTrip(r)
+}
+
+// NewHTTPClient creates a new HTTP client configured for GitLab API requests
+func NewHTTPClient(token string) *http.Client {
+	return &http.Client{
+		Transport: &tokenTransport{
+			token:     token,
+			transport: retry.NewTransport(&http.Transport{}), // Use ORAS retry transport for consistent rate limiting and error handling
+		},
+		Timeout: 1 * time.Minute,
+	}
+}
+
+// tokenTransport automatically adds the Private-Token header to requests
+type tokenTransport struct {
+	token     string
+	transport http.RoundTripper
+}
+
+func (t *tokenTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	req.Header.Set("Private-Token", t.token)
+	return t.transport.RoundTrip(req)
+}
diff --git a/api/http/proxy/factory/gitlab/transport.go b/api/http/proxy/factory/gitlab/transport.go
deleted file mode 100644
index 7e1804c45..000000000
--- a/api/http/proxy/factory/gitlab/transport.go
+++ /dev/null
@@ -1,34 +0,0 @@
-package gitlab
-
-import (
-	"errors"
-	"net/http"
-)
-
-type Transport struct {
-	httpTransport *http.Transport
-}
-
-// NewTransport returns a pointer to a new instance of Transport that implements the HTTP Transport
-// interface for proxying requests to the Gitlab API.
-func NewTransport() *Transport {
-	return &Transport{
-		httpTransport: &http.Transport{},
-	}
-}
-
-// RoundTrip is the implementation of the http.RoundTripper interface
-func (transport *Transport) RoundTrip(request *http.Request) (*http.Response, error) {
-	token := request.Header.Get("Private-Token")
-	if token == "" {
-		return nil, errors.New("no gitlab token provided")
-	}
-
-	r, err := http.NewRequest(request.Method, request.URL.String(), request.Body)
-	if err != nil {
-		return nil, err
-	}
-
-	r.Header.Set("Private-Token", token)
-	return transport.httpTransport.RoundTrip(r)
-}
diff --git a/api/internal/registryutils/access/access.go b/api/internal/registryutils/access/access.go
index 0d14cba39..bfa5181c0 100644
--- a/api/internal/registryutils/access/access.go
+++ b/api/internal/registryutils/access/access.go
@@ -2,40 +2,82 @@ package access
 
 import (
 	"errors"
+	"fmt"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/kubernetes"
+	"github.com/portainer/portainer/api/kubernetes/cli"
 )
 
 func hasPermission(
 	dataStore dataservices.DataStore,
+	k8sClientFactory *cli.ClientFactory,
 	userID portainer.UserID,
 	endpointID portainer.EndpointID,
 	registry *portainer.Registry,
 ) (hasPermission bool, err error) {
 	user, err := dataStore.User().Read(userID)
 	if err != nil {
-		return
+		return false, err
 	}
 
 	if user.Role == portainer.AdministratorRole {
-		return true, err
+		return true, nil
+	}
+
+	endpoint, err := dataStore.Endpoint().Endpoint(endpointID)
+	if err != nil {
+		return false, err
 	}
 
 	teamMemberships, err := dataStore.TeamMembership().TeamMembershipsByUserID(userID)
 	if err != nil {
-		return
+		return false, err
 	}
 
+	// validate access for kubernetes namespaces (leverage registry.RegistryAccesses[endpointId].Namespaces)
+	if endpointutils.IsKubernetesEndpoint(endpoint) && k8sClientFactory != nil {
+		kcl, err := k8sClientFactory.GetPrivilegedKubeClient(endpoint)
+		if err != nil {
+			return false, fmt.Errorf("unable to retrieve kubernetes client to validate registry access: %w", err)
+		}
+		accessPolicies, err := kcl.GetNamespaceAccessPolicies()
+		if err != nil {
+			return false, fmt.Errorf("unable to retrieve environment's namespaces policies to validate registry access: %w", err)
+		}
+
+		authorizedNamespaces := registry.RegistryAccesses[endpointID].Namespaces
+
+		for _, namespace := range authorizedNamespaces {
+			// when the default namespace is authorized to use a registry, all users have the ability to use it
+			// unless the default namespace is restricted: in this case continue to search for other potential accesses authorizations
+			if namespace == kubernetes.DefaultNamespace && !endpoint.Kubernetes.Configuration.RestrictDefaultNamespace {
+				return true, nil
+			}
+
+			namespacePolicy := accessPolicies[namespace]
+			if security.AuthorizedAccess(user.ID, teamMemberships, namespacePolicy.UserAccessPolicies, namespacePolicy.TeamAccessPolicies) {
+				return true, nil
+			}
+		}
+		return false, nil
+	}
+
+	// validate access for docker environments
+	// leverage registry.RegistryAccesses[endpointId].UserAccessPolicies (direct access)
+	// and registry.RegistryAccesses[endpointId].TeamAccessPolicies (indirect access via his teams)
 	hasPermission = security.AuthorizedRegistryAccess(registry, user, teamMemberships, endpointID)
 
-	return
+	return hasPermission, nil
 }
 
 // GetAccessibleRegistry get the registry if the user has permission
 func GetAccessibleRegistry(
 	dataStore dataservices.DataStore,
+	k8sClientFactory *cli.ClientFactory,
 	userID portainer.UserID,
 	endpointID portainer.EndpointID,
 	registryID portainer.RegistryID,
@@ -46,7 +88,7 @@ func GetAccessibleRegistry(
 		return
 	}
 
-	hasPermission, err := hasPermission(dataStore, userID, endpointID, registry)
+	hasPermission, err := hasPermission(dataStore, k8sClientFactory, userID, endpointID, registry)
 	if err != nil {
 		return
 	}
diff --git a/api/internal/registryutils/ecr_reg_token.go b/api/internal/registryutils/ecr_reg_token.go
index cbcceb982..6e9a754bf 100644
--- a/api/internal/registryutils/ecr_reg_token.go
+++ b/api/internal/registryutils/ecr_reg_token.go
@@ -62,3 +62,26 @@ func GetRegEffectiveCredential(registry *portainer.Registry) (username, password
 
 	return
 }
+
+// PrepareRegistryCredentials consolidates the common pattern of ensuring valid ECR token
+// and setting effective credentials on the registry when authentication is enabled.
+// This function modifies the registry in-place by setting Username and Password to the effective values.
+func PrepareRegistryCredentials(tx dataservices.DataStoreTx, registry *portainer.Registry) error {
+	if !registry.Authentication {
+		return nil
+	}
+
+	if err := EnsureRegTokenValid(tx, registry); err != nil {
+		return err
+	}
+
+	username, password, err := GetRegEffectiveCredential(registry)
+	if err != nil {
+		return err
+	}
+
+	registry.Username = username
+	registry.Password = password
+
+	return nil
+}
diff --git a/api/kubernetes/cli/namespace.go b/api/kubernetes/cli/namespace.go
index bb29680b5..560b91e75 100644
--- a/api/kubernetes/cli/namespace.go
+++ b/api/kubernetes/cli/namespace.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"sort"
 	"strconv"
 	"time"
 
@@ -437,5 +438,10 @@ func (kcl *KubeClient) ConvertNamespaceMapToSlice(namespaces map[string]portaine
 		namespaceSlice = append(namespaceSlice, namespace)
 	}
 
+	// Sort namespaces by name
+	sort.Slice(namespaceSlice, func(i, j int) bool {
+		return namespaceSlice[i].Name < namespaceSlice[j].Name
+	})
+
 	return namespaceSlice
 }
diff --git a/api/portainer.go b/api/portainer.go
index 0dc235550..e2bac623b 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -603,6 +603,12 @@ type (
 		ProjectPath string `json:"ProjectPath"`
 	}
 
+	// GithubRegistryData represents data required for Github registry to work
+	GithubRegistryData struct {
+		UseOrganisation  bool   `json:"UseOrganisation"`
+		OrganisationName string `json:"OrganisationName"`
+	}
+
 	HelmUserRepositoryID int
 
 	// HelmUserRepositories stores a Helm repository URL for the given user
@@ -823,6 +829,7 @@ type (
 		Password                string                           `json:"Password,omitempty" example:"registry_password"`
 		ManagementConfiguration *RegistryManagementConfiguration `json:"ManagementConfiguration"`
 		Gitlab                  GitlabRegistryData               `json:"Gitlab"`
+		Github                  GithubRegistryData               `json:"Github"`
 		Quay                    QuayRegistryData                 `json:"Quay"`
 		Ecr                     EcrData                          `json:"Ecr"`
 		RegistryAccesses        RegistryAccesses                 `json:"RegistryAccesses"`
@@ -1972,6 +1979,8 @@ const (
 	DockerHubRegistry
 	// EcrRegistry represents an ECR registry
 	EcrRegistry
+	// Github container registry
+	GithubRegistry
 )
 
 const (
diff --git a/app/kubernetes/react/components/index.ts b/app/kubernetes/react/components/index.ts
index 27aa04444..cfb103823 100644
--- a/app/kubernetes/react/components/index.ts
+++ b/app/kubernetes/react/components/index.ts
@@ -92,6 +92,7 @@ export const ngModule = angular
       'onChange',
       'placeholder',
       'value',
+      'allowSelectAll',
     ])
   )
   .component(
diff --git a/app/kubernetes/registries/kube-registry-access-view/kube-registry-access-view.html b/app/kubernetes/registries/kube-registry-access-view/kube-registry-access-view.html
index 11184ae0f..5c5e68255 100644
--- a/app/kubernetes/registries/kube-registry-access-view/kube-registry-access-view.html
+++ b/app/kubernetes/registries/kube-registry-access-view/kube-registry-access-view.html
@@ -19,6 +19,7 @@
                 namespaces="$ctrl.resourcePools"
                 placeholder="'Select one or more namespaces'"
                 on-change="($ctrl.onChangeResourcePools)"
+                allow-select-all="true"
               ></namespaces-selector>
             </div>
             <div class="col-sm-12 small text-muted vertical-center">
diff --git a/app/kubernetes/views/deploy/deploy.html b/app/kubernetes/views/deploy/deploy.html
index d57d0caa7..60e7b0144 100644
--- a/app/kubernetes/views/deploy/deploy.html
+++ b/app/kubernetes/views/deploy/deploy.html
@@ -40,17 +40,15 @@
                 </div>
 
                 <div class="form-group" ng-if="ctrl.formValues.Namespace">
-                  <label for="target_node" class="col-lg-2 col-sm-3 control-label text-left">Namespace</label>
+                  <label for="target_namespace" class="col-lg-2 col-sm-3 control-label text-left">Namespace</label>
                   <div class="col-sm-9 col-lg-10">
-                    <select
+                    <namespace-portainer-select
                       ng-if="!ctrl.formValues.namespace_toggle || ctrl.state.BuildMethod === ctrl.BuildMethods.HELM"
-                      data-cy="namespace-select"
-                      ng-disabled="ctrl.formValues.namespace_toggle && ctrl.state.BuildMethod !== ctrl.BuildMethods.HELM"
-                      class="form-control"
-                      ng-model="ctrl.formValues.Namespace"
-                      ng-change="ctrl.onChangeNamespace()"
-                      ng-options="namespace.Name as namespace.Name for namespace in ctrl.namespaces"
-                    ></select>
+                      is-disabled="ctrl.formValues.namespace_toggle && ctrl.state.BuildMethod !== ctrl.BuildMethods.HELM || ctrl.state.isNamespaceInputDisabled"
+                      value="ctrl.formValues.Namespace"
+                      on-change="(ctrl.onChangeNamespace)"
+                      options="ctrl.namespaceOptions"
+                    ></namespace-portainer-select>
                     <span ng-if="ctrl.formValues.namespace_toggle && ctrl.state.BuildMethod !== ctrl.BuildMethods.HELM" class="small text-muted pt-[7px]"
                       >Namespaces specified in the manifest will be used</span
                     >
@@ -186,7 +184,6 @@
 
                 <!-- Helm -->
                 <div ng-show="ctrl.state.BuildMethod === ctrl.BuildMethods.HELM">
-                  <div class="col-sm-12 form-section-title" ng-if="ctrl.state.selectedHelmChart">Selected Helm chart</div>
                   <helm-templates-view on-select-helm-chart="(ctrl.onSelectHelmChart)" namespace="ctrl.formValues.Namespace" name="ctrl.formValues.Name" />
                 </div>
                 <!-- !Helm -->
diff --git a/app/kubernetes/views/deploy/deployController.js b/app/kubernetes/views/deploy/deployController.js
index 89f416ac3..b44d3d7bb 100644
--- a/app/kubernetes/views/deploy/deployController.js
+++ b/app/kubernetes/views/deploy/deployController.js
@@ -101,9 +101,10 @@ class KubernetesDeployController {
     this.onChangeNamespace = this.onChangeNamespace.bind(this);
   }
 
-  onChangeNamespace() {
+  onChangeNamespace(namespaceName) {
     return this.$async(async () => {
-      const applications = await this.KubernetesApplicationService.get(this.formValues.Namespace);
+      this.formValues.Namespace = namespaceName;
+      const applications = await this.KubernetesApplicationService.get(namespaceName);
       const stacks = _.map(applications, (item) => item.StackName).filter((item) => item !== '');
       this.stacks = _.uniq(stacks);
     });
@@ -371,6 +372,10 @@ class KubernetesDeployController {
       if (this.namespaces.length > 0) {
         this.formValues.Namespace = this.namespaces[0].Name;
       }
+      this.namespaceOptions = _.map(namespaces, (namespace) => ({
+        label: namespace.Name,
+        value: namespace.Name,
+      }));
     } catch (err) {
       this.Notifications.error('Failure', err, 'Unable to load namespaces data');
     }
@@ -404,7 +409,8 @@ class KubernetesDeployController {
         }
       }
 
-      this.onChangeNamespace();
+      this.onChangeNamespace(this.formValues.Namespace);
+
       this.state.viewReady = true;
 
       this.$window.onbeforeunload = () => {
diff --git a/app/portainer/react/components/index.ts b/app/portainer/react/components/index.ts
index 4b1c03608..9b2f7325d 100644
--- a/app/portainer/react/components/index.ts
+++ b/app/portainer/react/components/index.ts
@@ -9,6 +9,7 @@ import { withFormValidation } from '@/react-tools/withFormValidation';
 import { GroupAssociationTable } from '@/react/portainer/environments/environment-groups/components/GroupAssociationTable';
 import { AssociatedEnvironmentsSelector } from '@/react/portainer/environments/environment-groups/components/AssociatedEnvironmentsSelector';
 import { withControlledInput } from '@/react-tools/withControlledInput';
+import { NamespacePortainerSelect } from '@/react/kubernetes/applications/components/NamespaceSelector/NamespaceSelector';
 
 import {
   EnvironmentVariablesFieldset,
@@ -199,11 +200,22 @@ export const ngModule = angular
       'onChange',
       'options',
       'isMulti',
+      'filterOption',
       'isClearable',
       'components',
       'isLoading',
       'noOptionsMessage',
       'aria-label',
+      'loadingMessage',
+    ])
+  )
+  .component(
+    'namespacePortainerSelect',
+    r2a(NamespacePortainerSelect, [
+      'value',
+      'onChange',
+      'isDisabled',
+      'options',
     ])
   )
   .component(
diff --git a/app/react/components/ExternalLink.tsx b/app/react/components/ExternalLink.tsx
index ef16dcb66..1bd839cad 100644
--- a/app/react/components/ExternalLink.tsx
+++ b/app/react/components/ExternalLink.tsx
@@ -1,20 +1,20 @@
-import { ExternalLink as ExternalLinkIcon } from 'lucide-react';
+import { ArrowUpRight } from 'lucide-react';
 import { PropsWithChildren } from 'react';
 import clsx from 'clsx';
 
 import { AutomationTestingProps } from '@/types';
 
-import { Icon } from '@@/Icon';
-
 interface Props {
   to: string;
   className?: string;
+  showIcon?: boolean;
 }
 
 export function ExternalLink({
   to,
   className,
   children,
+  showIcon = true,
   'data-cy': dataCy,
 }: PropsWithChildren<Props & AutomationTestingProps>) {
   return (
@@ -23,10 +23,10 @@ export function ExternalLink({
       target="_blank"
       rel="noreferrer"
       data-cy={dataCy}
-      className={clsx('inline-flex items-center gap-1', className)}
+      className={clsx('inline-flex align-baseline', className)}
     >
-      <Icon icon={ExternalLinkIcon} />
-      <span>{children}</span>
+      {children}
+      {showIcon && <ArrowUpRight className="align-top" />}
     </a>
   );
 }
diff --git a/app/react/components/FallbackImage.tsx b/app/react/components/FallbackImage.tsx
index ee6956f24..eaa4f1272 100644
--- a/app/react/components/FallbackImage.tsx
+++ b/app/react/components/FallbackImage.tsx
@@ -27,5 +27,5 @@ export function FallbackImage({ src, fallbackIcon, alt, className }: Props) {
   }
 
   // fallback icon if there is an error loading the image
-  return <>{fallbackIcon}</>;
+  return <div className={className}>{fallbackIcon}</div>;
 }
diff --git a/app/react/components/form-components/PortainerSelect.tsx b/app/react/components/form-components/PortainerSelect.tsx
index 9ddf234da..6800d0013 100644
--- a/app/react/components/form-components/PortainerSelect.tsx
+++ b/app/react/components/form-components/PortainerSelect.tsx
@@ -5,15 +5,25 @@ import {
 } from 'react-select';
 import _ from 'lodash';
 import { AriaAttributes } from 'react';
+import { FilterOptionOption } from 'react-select/dist/declarations/src/filters';
 
 import { AutomationTestingProps } from '@/types';
 
-import { Select as ReactSelect } from '@@/form-components/ReactSelect';
+import {
+  Creatable,
+  Select as ReactSelect,
+} from '@@/form-components/ReactSelect';
 
 export interface Option<TValue> {
   value: TValue;
   label: string;
   disabled?: boolean;
+  [key: string]: unknown;
+}
+
+export interface GroupOption<TValue> {
+  label: string;
+  options: Option<TValue>[];
 }
 
 type Options<TValue> = OptionsOrGroups<
@@ -21,7 +31,7 @@ type Options<TValue> = OptionsOrGroups<
   GroupBase<Option<TValue>>
 >;
 
-interface SharedProps
+interface SharedProps<TValue>
   extends AutomationTestingProps,
     Pick<AriaAttributes, 'aria-label'> {
   name?: string;
@@ -32,9 +42,14 @@ interface SharedProps
   bindToBody?: boolean;
   isLoading?: boolean;
   noOptionsMessage?: () => string;
+  loadingMessage?: () => string;
+  filterOption?: (
+    option: FilterOptionOption<Option<TValue>>,
+    rawInput: string
+  ) => boolean;
 }
 
-interface MultiProps<TValue> extends SharedProps {
+interface MultiProps<TValue> extends SharedProps<TValue> {
   value: readonly TValue[];
   onChange(value: TValue[]): void;
   options: Options<TValue>;
@@ -44,9 +59,12 @@ interface MultiProps<TValue> extends SharedProps {
     true,
     GroupBase<Option<TValue>>
   >;
+  formatCreateLabel?: (input: string) => string;
+  onCreateOption?: (input: string) => void;
+  isCreatable?: boolean;
 }
 
-interface SingleProps<TValue> extends SharedProps {
+interface SingleProps<TValue> extends SharedProps<TValue> {
   value: TValue;
   onChange(value: TValue | null): void;
   options: Options<TValue>;
@@ -58,9 +76,13 @@ interface SingleProps<TValue> extends SharedProps {
   >;
 }
 
-type Props<TValue> = MultiProps<TValue> | SingleProps<TValue>;
+export type PortainerSelectProps<TValue> =
+  | MultiProps<TValue>
+  | SingleProps<TValue>;
 
-export function PortainerSelect<TValue = string>(props: Props<TValue>) {
+export function PortainerSelect<TValue = string>(
+  props: PortainerSelectProps<TValue>
+) {
   return isMultiProps(props) ? (
     // eslint-disable-next-line react/jsx-props-no-spreading
     <MultiSelect {...props} />
@@ -71,7 +93,7 @@ export function PortainerSelect<TValue = string>(props: Props<TValue>) {
 }
 
 function isMultiProps<TValue>(
-  props: Props<TValue>
+  props: PortainerSelectProps<TValue>
 ): props is MultiProps<TValue> {
   return 'isMulti' in props && !!props.isMulti;
 }
@@ -87,9 +109,11 @@ export function SingleSelect<TValue = string>({
   placeholder,
   isClearable,
   bindToBody,
+  filterOption,
   components,
   isLoading,
   noOptionsMessage,
+  loadingMessage,
   isMulti,
   ...aria
 }: SingleProps<TValue>) {
@@ -116,9 +140,11 @@ export function SingleSelect<TValue = string>({
       placeholder={placeholder}
       isDisabled={disabled}
       menuPortalTarget={bindToBody ? document.body : undefined}
+      filterOption={filterOption}
       components={components}
       isLoading={isLoading}
       noOptionsMessage={noOptionsMessage}
+      loadingMessage={loadingMessage}
       // eslint-disable-next-line react/jsx-props-no-spreading
       {...aria}
     />
@@ -159,14 +185,20 @@ export function MultiSelect<TValue = string>({
   disabled,
   isClearable,
   bindToBody,
+  filterOption,
   components,
   isLoading,
   noOptionsMessage,
+  loadingMessage,
+  formatCreateLabel,
+  onCreateOption,
+  isCreatable,
   ...aria
 }: Omit<MultiProps<TValue>, 'isMulti'>) {
   const selectedOptions = findSelectedOptions(options, value);
+  const SelectComponent = isCreatable ? Creatable : ReactSelect;
   return (
-    <ReactSelect
+    <SelectComponent
       name={name}
       isMulti
       isClearable={isClearable}
@@ -183,9 +215,13 @@ export function MultiSelect<TValue = string>({
       placeholder={placeholder}
       isDisabled={disabled}
       menuPortalTarget={bindToBody ? document.body : undefined}
+      filterOption={filterOption}
       components={components}
       isLoading={isLoading}
       noOptionsMessage={noOptionsMessage}
+      loadingMessage={loadingMessage}
+      formatCreateLabel={formatCreateLabel}
+      onCreateOption={onCreateOption}
       // eslint-disable-next-line react/jsx-props-no-spreading
       {...aria}
     />
diff --git a/app/react/kubernetes/applications/components/NamespaceSelector/NamespaceSelector.tsx b/app/react/kubernetes/applications/components/NamespaceSelector/NamespaceSelector.tsx
index dd8cffaa2..63341301a 100644
--- a/app/react/kubernetes/applications/components/NamespaceSelector/NamespaceSelector.tsx
+++ b/app/react/kubernetes/applications/components/NamespaceSelector/NamespaceSelector.tsx
@@ -51,3 +51,29 @@ export function NamespaceSelector({
     </FormControl>
   );
 }
+
+/** NamespacePortainerSelect is exported for use by angular views, so that the data-cy attribute is set correctly */
+export function NamespacePortainerSelect({
+  value,
+  onChange,
+  isDisabled,
+  options,
+}: {
+  value: string;
+  onChange: (value: string) => void;
+  isDisabled: boolean;
+  options: { label: string; value: string }[];
+}) {
+  return (
+    <PortainerSelect
+      value={value}
+      options={options}
+      onChange={onChange}
+      disabled={isDisabled}
+      noOptionsMessage={() => 'No namespaces found'}
+      placeholder="No namespaces found" // will only show when there are no options
+      inputId="namespace-selector"
+      data-cy="namespace-select"
+    />
+  );
+}
diff --git a/app/react/kubernetes/cluster/RegistryAccessView/NamespacesSelector.tsx b/app/react/kubernetes/cluster/RegistryAccessView/NamespacesSelector.tsx
index 4c16ecaac..5c2da7344 100644
--- a/app/react/kubernetes/cluster/RegistryAccessView/NamespacesSelector.tsx
+++ b/app/react/kubernetes/cluster/RegistryAccessView/NamespacesSelector.tsx
@@ -1,4 +1,5 @@
 import _ from 'lodash';
+import { useMemo } from 'react';
 
 import { Select } from '@@/form-components/ReactSelect';
 
@@ -15,6 +16,7 @@ interface Props {
   dataCy: string;
   inputId?: string;
   placeholder?: string;
+  allowSelectAll?: boolean;
 }
 
 export function NamespacesSelector({
@@ -25,23 +27,34 @@ export function NamespacesSelector({
   dataCy,
   inputId,
   placeholder,
+  allowSelectAll,
 }: Props) {
+  const options = useMemo(() => {
+    if (allowSelectAll) {
+      return [{ id: 'all', name: 'Select all' }, ...namespaces];
+    }
+    return namespaces;
+  }, [namespaces, allowSelectAll]);
   return (
     <Select
       name={name}
       isMulti
       getOptionLabel={(namespace) => namespace.name}
       getOptionValue={(namespace) => String(namespace.id)}
-      options={namespaces}
+      options={options}
       value={_.compact(
         value.map((namespaceName) =>
           namespaces.find((namespace) => namespace.name === namespaceName)
         )
       )}
       closeMenuOnSelect={false}
-      onChange={(selectedTeams) =>
-        onChange(selectedTeams.map((namespace) => namespace.name))
-      }
+      onChange={(selectedNamespaces) => {
+        if (selectedNamespaces.some((namespace) => namespace.id === 'all')) {
+          onChange(namespaces.map((namespace) => namespace.name));
+        } else {
+          onChange(selectedNamespaces.map((namespace) => namespace.name));
+        }
+      }}
       data-cy={dataCy}
       id={dataCy}
       inputId={inputId}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
index 161034f6d..764443bb8 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/ChartActions.tsx
@@ -39,11 +39,6 @@ export function ChartActions({
         release={release}
         updateRelease={updateRelease}
       />
-      <UninstallButton
-        environmentId={environmentId}
-        releaseName={releaseName}
-        namespace={namespace}
-      />
       {showRollbackButton && (
         <RollbackButton
           latestRevision={latestRevision}
@@ -53,6 +48,11 @@ export function ChartActions({
           namespace={namespace}
         />
       )}
+      <UninstallButton
+        environmentId={environmentId}
+        releaseName={releaseName}
+        namespace={namespace}
+      />
     </div>
   );
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
index 4d388ca60..f05a2d5e8 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -25,8 +25,8 @@ vi.mock('@/portainer/services/notifications', () => ({
   notifySuccess: vi.fn(),
 }));
 
-vi.mock('../../queries/useHelmRegistries', () => ({
-  useHelmRegistries: vi.fn(() => ({
+vi.mock('../../queries/useHelmRepositories', () => ({
+  useUserHelmRepositories: vi.fn(() => ({
     data: ['repo1', 'repo2'],
     isInitialLoading: false,
     isError: false,
@@ -146,7 +146,7 @@ describe('UpgradeButton', () => {
 
     renderButton();
 
-    expect(screen.getByText('No versions available')).toBeInTheDocument();
+    expect(screen.getByText(/No versions available/)).toBeInTheDocument();
   });
 
   test('should open upgrade modal when clicked', async () => {
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 648e3628d..0e3e634fc 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -15,7 +15,7 @@ import { HelmRelease, UpdateHelmReleasePayload } from '../../types';
 import { useUpdateHelmReleaseMutation } from '../../queries/useUpdateHelmReleaseMutation';
 import { useHelmRepoVersions } from '../../queries/useHelmRepoVersions';
 import { useHelmRelease } from '../queries/useHelmRelease';
-import { useHelmRegistries } from '../../queries/useHelmRegistries';
+import { useUserHelmRepositories } from '../../queries/useHelmRepositories';
 
 import { openUpgradeHelmModal } from './UpgradeHelmModal';
 
@@ -36,19 +36,22 @@ export function UpgradeButton({
   const [useCache, setUseCache] = useState(true);
   const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
 
-  const registriesQuery = useHelmRegistries();
+  const userRepositoriesQuery = useUserHelmRepositories();
   const helmRepoVersionsQuery = useHelmRepoVersions(
     release?.chart.metadata?.name || '',
     60 * 60 * 1000, // 1 hour
-    registriesQuery.data,
+    userRepositoriesQuery.data?.map((repo) => ({
+      repo,
+    })),
     useCache
   );
   const versions = helmRepoVersionsQuery.data;
 
   // Combined loading state
   const isLoading =
-    registriesQuery.isInitialLoading || helmRepoVersionsQuery.isFetching; // use 'isFetching' for helmRepoVersionsQuery because we want to show when it's refetching
-  const isError = registriesQuery.isError || helmRepoVersionsQuery.isError;
+    userRepositoriesQuery.isInitialLoading || helmRepoVersionsQuery.isFetching; // use 'isFetching' for helmRepoVersionsQuery because we want to show when it's refetching
+  const isError =
+    userRepositoriesQuery.isError || helmRepoVersionsQuery.isError;
   const latestVersionQuery = useHelmRelease(
     environmentId,
     releaseName,
@@ -101,7 +104,7 @@ export function UpgradeButton({
         icon={ArrowUp}
         size="medium"
       >
-        Upgrade
+        Edit/Upgrade
       </LoadingButton>
       {isLoading && (
         <InlineLoader
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
index 9cad1d046..2e0f3b4da 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.test.tsx
@@ -137,6 +137,47 @@ const helmReleaseHistory = [
   },
 ];
 
+// Common MSW handlers for all tests
+function createCommonHandlers() {
+  return [
+    http.get('/api/users/undefined/helm/repositories', () =>
+      HttpResponse.json({
+        GlobalRepository: 'https://charts.helm.sh/stable',
+        UserRepositories: [{ Id: '1', URL: 'https://charts.helm.sh/stable' }],
+      })
+    ),
+    http.get('/api/templates/helm', () =>
+      HttpResponse.json({
+        entries: {
+          'test-chart': [{ version: '1.0.0' }],
+        },
+      })
+    ),
+    http.get('/api/endpoints/3/kubernetes/helm/test-release/history', () =>
+      HttpResponse.json(helmReleaseHistory)
+    ),
+    http.get('/api/kubernetes/3/namespaces/default/events', () =>
+      HttpResponse.json([])
+    ),
+    http.get('/api/kubernetes/3/namespaces/default', () =>
+      HttpResponse.json({
+        Id: 'default',
+        Name: 'default',
+        Status: { phase: 'Active' },
+        Annotations: {},
+        CreationDate: '2021-01-01T00:00:00Z',
+        NamespaceOwner: '',
+        IsSystem: false,
+        IsDefault: true,
+      })
+    ),
+  ];
+}
+
+function setupMockHandlers(helmReleaseHandler: ReturnType<typeof http.get>) {
+  server.use(helmReleaseHandler, ...createCommonHandlers());
+}
+
 function renderComponent() {
   const user = new UserViewModel({ Username: 'user' });
   const Wrapped = withTestQueryProvider(
@@ -162,30 +203,9 @@ describe(
     it('should display helm release details for minimal release when data is loaded', async () => {
       vi.spyOn(console, 'error').mockImplementation(() => {});
 
-      server.use(
+      setupMockHandlers(
         http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
           HttpResponse.json(minimalHelmRelease)
-        ),
-        http.get('/api/users/undefined/helm/repositories', () =>
-          HttpResponse.json({
-            GlobalRepository: 'https://charts.helm.sh/stable',
-            UserRepositories: [
-              { Id: '1', URL: 'https://charts.helm.sh/stable' },
-            ],
-          })
-        ),
-        http.get('/api/templates/helm', () =>
-          HttpResponse.json({
-            entries: {
-              'test-chart': [{ version: '1.0.0' }],
-            },
-          })
-        ),
-        http.get('/api/endpoints/3/kubernetes/helm/test-release/history', () =>
-          HttpResponse.json(helmReleaseHistory)
-        ),
-        http.get('/api/kubernetes/3/namespaces/default/events', () =>
-          HttpResponse.json([])
         )
       );
 
@@ -224,13 +244,9 @@ describe(
 
     it('should display error message when API request fails', async () => {
       // Mock API failure
-      server.use(
+      setupMockHandlers(
         http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
           HttpResponse.error()
-        ),
-        // Add mock for events endpoint
-        http.get('/api/kubernetes/3/namespaces/default/events', () =>
-          HttpResponse.json([])
         )
       );
 
@@ -253,15 +269,9 @@ describe(
     });
 
     it('should display additional details when available in helm release', async () => {
-      server.use(
+      setupMockHandlers(
         http.get('/api/endpoints/3/kubernetes/helm/test-release', () =>
           HttpResponse.json(completeHelmRelease)
-        ),
-        http.get('/api/endpoints/3/kubernetes/helm/test-release/history', () =>
-          HttpResponse.json(helmReleaseHistory)
-        ),
-        http.get('/api/kubernetes/3/namespaces/default/events', () =>
-          HttpResponse.json([])
         )
       );
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
index 625bb55fe..b73be1a7c 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -11,6 +11,7 @@ import { Card } from '@@/Card';
 import { Alert } from '@@/Alert';
 
 import { HelmRelease } from '../types';
+import { useIsSystemNamespace } from '../../namespaces/queries/useIsSystemNamespace';
 
 import { HelmSummary } from './HelmSummary';
 import { ReleaseTabs } from './ReleaseDetails/ReleaseTabs';
@@ -37,6 +38,8 @@ export function HelmApplicationView() {
     revision: selectedRevision,
   });
 
+  const isSystemNamespace = useIsSystemNamespace(namespace);
+
   return (
     <>
       <PageHeader
@@ -63,28 +66,30 @@ export function HelmApplicationView() {
                         />
                       </div>
                       <Authorized authorizations="K8sApplicationsW">
-                        <ChartActions
-                          environmentId={environmentId}
-                          releaseName={String(name)}
-                          namespace={String(namespace)}
-                          latestRevision={latestRevision ?? 1}
-                          earlistRevision={earlistRevision}
-                          selectedRevision={selectedRevision}
-                          release={helmReleaseQuery.data}
-                          updateRelease={(updatedRelease: HelmRelease) => {
-                            queryClient.setQueryData(
-                              [
-                                environmentId,
-                                'helm',
-                                'releases',
-                                namespace,
-                                name,
-                                true,
-                              ],
-                              updatedRelease
-                            );
-                          }}
-                        />
+                        {!isSystemNamespace && (
+                          <ChartActions
+                            environmentId={environmentId}
+                            releaseName={String(name)}
+                            namespace={String(namespace)}
+                            latestRevision={latestRevision ?? 1}
+                            earlistRevision={earlistRevision}
+                            selectedRevision={selectedRevision}
+                            release={helmReleaseQuery.data}
+                            updateRelease={(updatedRelease: HelmRelease) => {
+                              queryClient.setQueryData(
+                                [
+                                  environmentId,
+                                  'helm',
+                                  'releases',
+                                  namespace,
+                                  name,
+                                  true,
+                                ],
+                                updatedRelease
+                              );
+                            }}
+                          />
+                        )}
                       </Authorized>
                     </div>
                   </WidgetTitle>
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
index 80d39eb3e..9eeead61e 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
@@ -98,6 +98,7 @@ function renderComponent({
           selectedChart={selectedChart}
           namespace={namespace}
           name={name}
+          isRepoAvailable
         />
       )),
       user
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
index 669dbd46c..824b9e32c 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
@@ -12,6 +12,10 @@ import { Option } from '@@/form-components/PortainerSelect';
 
 import { Chart } from '../types';
 import { useUpdateHelmReleaseMutation } from '../queries/useUpdateHelmReleaseMutation';
+import {
+  ChartVersion,
+  useHelmRepoVersions,
+} from '../queries/useHelmRepoVersions';
 
 import { HelmInstallInnerForm } from './HelmInstallInnerForm';
 import { HelmInstallFormValues } from './types';
@@ -20,22 +24,39 @@ type Props = {
   selectedChart: Chart;
   namespace?: string;
   name?: string;
+  isRepoAvailable: boolean;
 };
 
-export function HelmInstallForm({ selectedChart, namespace, name }: Props) {
+export function HelmInstallForm({
+  selectedChart,
+  namespace,
+  name,
+  isRepoAvailable,
+}: Props) {
   const environmentId = useEnvironmentId();
   const router = useRouter();
   const analytics = useAnalytics();
-  const versionOptions: Option<string>[] = selectedChart.versions.map(
+  const helmRepoVersionsQuery = useHelmRepoVersions(
+    selectedChart.name,
+    60 * 60 * 1000, // 1 hour
+    [
+      {
+        repo: selectedChart.repo,
+      },
+    ]
+  );
+  const versions = helmRepoVersionsQuery.data;
+  const versionOptions: Option<ChartVersion>[] = versions.map(
     (version, index) => ({
-      label: index === 0 ? `${version} (latest)` : version,
+      label: index === 0 ? `${version.Version} (latest)` : version.Version,
       value: version,
     })
   );
   const defaultVersion = versionOptions[0]?.value;
   const initialValues: HelmInstallFormValues = {
     values: '',
-    version: defaultVersion ?? '',
+    version: defaultVersion?.Version ?? '',
+    repo: defaultVersion?.Repo ?? selectedChart.repo ?? '',
   };
 
   const installHelmChartMutation = useUpdateHelmReleaseMutation(environmentId);
@@ -55,6 +76,8 @@ export function HelmInstallForm({ selectedChart, namespace, name }: Props) {
         namespace={namespace}
         name={name}
         versionOptions={versionOptions}
+        isVersionsLoading={helmRepoVersionsQuery.isInitialLoading}
+        isRepoAvailable={isRepoAvailable}
       />
     </Formik>
   );
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
index 9f85a0b48..9153c566e 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
@@ -1,14 +1,15 @@
 import { Form, useFormikContext } from 'formik';
 import { useMemo } from 'react';
 
-import { FormActions } from '@@/form-components/FormActions';
 import { FormControl } from '@@/form-components/FormControl';
 import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
 import { FormSection } from '@@/form-components/FormSection';
+import { LoadingButton } from '@@/buttons';
 
 import { Chart } from '../types';
 import { useHelmChartValues } from '../queries/useHelmChartValues';
 import { HelmValuesInput } from '../components/HelmValuesInput';
+import { ChartVersion } from '../queries/useHelmRepoVersions';
 
 import { HelmInstallFormValues } from './types';
 
@@ -16,7 +17,9 @@ type Props = {
   selectedChart: Chart;
   namespace?: string;
   name?: string;
-  versionOptions: Option<string>[];
+  versionOptions: Option<ChartVersion>[];
+  isVersionsLoading: boolean;
+  isRepoAvailable: boolean;
 };
 
 export function HelmInstallInnerForm({
@@ -24,21 +27,39 @@ export function HelmInstallInnerForm({
   namespace,
   name,
   versionOptions,
+  isVersionsLoading,
+  isRepoAvailable,
 }: Props) {
   const { values, setFieldValue, isSubmitting } =
     useFormikContext<HelmInstallFormValues>();
 
-  const chartValuesRefQuery = useHelmChartValues({
-    chart: selectedChart.name,
-    repo: selectedChart.repo,
-    version: values?.version,
-  });
-
-  const selectedVersion = useMemo(
+  const selectedVersion: ChartVersion | undefined = useMemo(
     () =>
-      versionOptions.find((v) => v.value === values.version)?.value ??
-      versionOptions[0]?.value,
-    [versionOptions, values.version]
+      versionOptions.find(
+        (v) =>
+          v.value.Version === values.version &&
+          v.value.Repo === selectedChart.repo
+      )?.value ?? versionOptions[0]?.value,
+    [versionOptions, values.version, selectedChart.repo]
+  );
+
+  const repoParams = {
+    repo: selectedChart.repo,
+  };
+  // use isLatestVersionFetched to cache the latest version, to avoid duplicate fetches
+  const isLatestVersionFetched =
+    // if no version is selected, the latest version gets fetched
+    !versionOptions.length ||
+    // otherwise check if the selected version is the latest version
+    (selectedVersion?.Version === versionOptions[0]?.value.Version &&
+      selectedVersion?.Repo === versionOptions[0]?.value.Repo);
+  const chartValuesRefQuery = useHelmChartValues(
+    {
+      chart: selectedChart.name,
+      version: values?.version,
+      ...repoParams,
+    },
+    isLatestVersionFetched
   );
 
   return (
@@ -48,14 +69,18 @@ export function HelmInstallInnerForm({
           <FormControl
             label="Version"
             inputId="version-input"
+            isLoading={isVersionsLoading}
             loadingText="Loading versions..."
           >
-            <PortainerSelect<string>
+            <PortainerSelect<ChartVersion>
               value={selectedVersion}
               options={versionOptions}
+              noOptionsMessage={() => 'No versions found'}
+              placeholder="Select a version"
               onChange={(version) => {
                 if (version) {
-                  setFieldValue('version', version);
+                  setFieldValue('version', version.Version);
+                  setFieldValue('repo', version.Repo);
                 }
               }}
               data-cy="helm-version-input"
@@ -70,13 +95,15 @@ export function HelmInstallInnerForm({
         </FormSection>
       </div>
 
-      <FormActions
-        submitLabel="Install"
+      <LoadingButton
+        className="!ml-0"
         loadingText="Installing Helm chart"
         isLoading={isSubmitting}
-        isValid={!!namespace && !!name}
+        disabled={!namespace || !name || !isRepoAvailable}
         data-cy="helm-install"
-      />
+      >
+        Install
+      </LoadingButton>
     </Form>
   );
 }
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
index ffd122cd2..cca219fbc 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
@@ -1,15 +1,20 @@
 import { useState } from 'react';
-import { compact } from 'lodash';
 
 import { useCurrentUser } from '@/react/hooks/useUser';
 
-import { Chart } from '../types';
-import { useHelmChartList } from '../queries/useHelmChartList';
-import { useHelmRegistries } from '../queries/useHelmRegistries';
+import { FormSection } from '@@/form-components/FormSection';
+
+import { useHelmHTTPChartList } from '../queries/useHelmChartList';
+import { Chart } from '../types';
+import {
+  HelmRegistrySelect,
+  RepoValue,
+} from '../components/HelmRegistrySelect';
+import { useHelmRepoOptions } from '../queries/useHelmRepositories';
 
-import { HelmTemplatesList } from './HelmTemplatesList';
-import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
 import { HelmInstallForm } from './HelmInstallForm';
+import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
+import { HelmTemplatesList } from './HelmTemplatesList';
 
 interface Props {
   onSelectHelmChart: (chartName: string) => void;
@@ -19,11 +24,60 @@ interface Props {
 
 export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
   const [selectedChart, setSelectedChart] = useState<Chart | null>(null);
-  const [selectedRegistry, setSelectedRegistry] = useState<string | null>(null);
-
+  const [selectedRepo, setSelectedRepo] = useState<RepoValue | null>(null);
   const { user } = useCurrentUser();
-  const helmReposQuery = useHelmRegistries();
-  const chartListQuery = useHelmChartList(user.Id, compact([selectedRegistry]));
+  const chartListQuery = useHelmHTTPChartList(
+    user.Id,
+    selectedRepo?.repoUrl ?? '',
+    !!selectedRepo?.repoUrl
+  );
+  const repoOptionsQuery = useHelmRepoOptions();
+  const isRepoAvailable =
+    !!repoOptionsQuery.data && repoOptionsQuery.data.length > 0;
+
+  return (
+    <div className="row">
+      <div className="col-sm-12 p-0">
+        <FormSection title="Helm chart">
+          {selectedChart ? (
+            <>
+              <HelmTemplatesSelectedItem
+                selectedChart={selectedChart}
+                clearHelmChart={clearHelmChart}
+              />
+              <HelmInstallForm
+                selectedChart={selectedChart}
+                namespace={namespace}
+                name={name}
+                isRepoAvailable={isRepoAvailable}
+              />
+            </>
+          ) : (
+            <>
+              <HelmRegistrySelect
+                selectedRegistry={selectedRepo}
+                onRegistryChange={setSelectedRepo}
+                namespace={namespace}
+                isRepoAvailable={isRepoAvailable}
+                isLoading={repoOptionsQuery.isLoading}
+                isError={repoOptionsQuery.isError}
+                repoOptions={repoOptionsQuery.data ?? []}
+              />
+              {selectedRepo && (
+                <HelmTemplatesList
+                  charts={chartListQuery.data ?? []}
+                  selectAction={handleChartSelection}
+                  isLoadingCharts={chartListQuery.isInitialLoading}
+                  selectedRegistry={selectedRepo}
+                />
+              )}
+            </>
+          )}
+        </FormSection>
+      </div>
+    </div>
+  );
+
   function clearHelmChart() {
     setSelectedChart(null);
     onSelectHelmChart('');
@@ -33,33 +87,4 @@ export function HelmTemplates({ onSelectHelmChart, namespace, name }: Props) {
     setSelectedChart(chart);
     onSelectHelmChart(chart.name);
   }
-
-  return (
-    <div className="row">
-      <div className="col-sm-12 p-0">
-        {selectedChart ? (
-          <>
-            <HelmTemplatesSelectedItem
-              selectedChart={selectedChart}
-              clearHelmChart={clearHelmChart}
-            />
-            <HelmInstallForm
-              selectedChart={selectedChart}
-              namespace={namespace}
-              name={name}
-            />
-          </>
-        ) : (
-          <HelmTemplatesList
-            charts={chartListQuery.data}
-            selectAction={handleChartSelection}
-            isLoading={chartListQuery.isInitialLoading}
-            registries={helmReposQuery.data ?? []}
-            selectedRegistry={selectedRegistry}
-            setSelectedRegistry={setSelectedRegistry}
-          />
-        )}
-      </div>
-    </div>
-  );
 }
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
index 98b96e9a4..bfaa6e7e8 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.test.tsx
@@ -46,25 +46,63 @@ const mockCharts: Chart[] = [
 
 const selectActionMock = vi.fn();
 
+const mockUseEnvironmentId = vi.fn(() => 1);
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => mockUseEnvironmentId(),
+}));
+
+// Mock the helm registries query
+vi.mock('../queries/useHelmRegistries', () => ({
+  useHelmRegistries: vi.fn(() => ({
+    data: ['https://example.com', 'https://example.com/2'],
+    isInitialLoading: false,
+    isError: false,
+  })),
+}));
+
+// Mock the environment registries query
+vi.mock(
+  '@/react/portainer/environments/queries/useEnvironmentRegistries',
+  () => ({
+    useEnvironmentRegistries: vi.fn(() => ({
+      data: [
+        { Id: 1, URL: 'https://registry.example.com' },
+        { Id: 2, URL: 'https://registry2.example.com' },
+      ],
+      isInitialLoading: false,
+      isError: false,
+    })),
+  })
+);
+
 function renderComponent({
   loading = false,
   charts = mockCharts,
   selectAction = selectActionMock,
-  selectedRegistry = '',
+  selectedRegistry = {
+    repoUrl: 'https://example.com',
+    name: 'Test Registry',
+  },
+}: {
+  loading?: boolean;
+  charts?: Chart[];
+  selectAction?: (chart: Chart) => void;
+  selectedRegistry?: {
+    repoUrl?: string;
+    name?: string;
+  } | null;
 } = {}) {
   const user = new UserViewModel({ Username: 'user' });
-  const registries = ['https://example.com', 'https://example.com/2'];
 
   const Wrapped = withTestQueryProvider(
     withUserProvider(
       withTestRouter(() => (
         <HelmTemplatesList
-          isLoading={loading}
+          isLoadingCharts={loading}
           charts={charts}
           selectAction={selectAction}
-          registries={registries}
           selectedRegistry={selectedRegistry}
-          setSelectedRegistry={() => {}}
         />
       )),
       user
@@ -81,8 +119,10 @@ describe('HelmTemplatesList', () => {
   it('should display title and charts list', async () => {
     renderComponent();
 
-    // Check for the title
-    expect(screen.getByText('Helm chart')).toBeInTheDocument();
+    // Check for the title with registry name
+    expect(
+      screen.getByText('Select a helm chart from Test Registry')
+    ).toBeInTheDocument();
 
     // Check for charts
     expect(screen.getByText('test-chart-1')).toBeInTheDocument();
@@ -160,21 +200,27 @@ describe('HelmTemplatesList', () => {
   });
 
   it('should show empty message when no charts are available and a registry is selected', async () => {
-    renderComponent({ charts: [], selectedRegistry: 'https://example.com' });
+    renderComponent({
+      charts: [],
+      selectedRegistry: {
+        repoUrl: 'https://example.com',
+        name: 'Test Registry',
+      },
+    });
 
     // Check for empty message
     expect(
-      screen.getByText('No helm charts available in this registry.')
+      screen.getByText('No helm charts available in this repository.')
     ).toBeInTheDocument();
   });
 
   it("should show 'select registry' message when no charts are available and no registry is selected", async () => {
-    renderComponent({ charts: [] });
+    renderComponent({ charts: [], selectedRegistry: null });
 
     // Check for message
     expect(
       screen.getByText(
-        'Please select a registry to view available Helm charts.'
+        'Please select a repository to view available Helm charts.'
       )
     ).toBeInTheDocument();
   });
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
index 1b02bed1d..3d9e86578 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
@@ -1,59 +1,47 @@
 import { useState, useMemo } from 'react';
-import { components, OptionProps } from 'react-select';
 
-import {
-  PortainerSelect,
-  Option,
-} from '@/react/components/form-components/PortainerSelect';
-import { Link } from '@/react/components/Link';
+import { PortainerSelect } from '@/react/components/form-components/PortainerSelect';
 
-import { InsightsBox } from '@@/InsightsBox';
 import { SearchBar } from '@@/datatables/SearchBar';
 import { InlineLoader } from '@@/InlineLoader';
 
 import { Chart } from '../types';
+import { RepoValue } from '../components/HelmRegistrySelect';
 
 import { HelmTemplatesListItem } from './HelmTemplatesListItem';
 
 interface Props {
-  isLoading: boolean;
+  isLoadingCharts: boolean;
   charts?: Chart[];
   selectAction: (chart: Chart) => void;
-  registries: string[];
-  selectedRegistry: string | null;
-  setSelectedRegistry: (registry: string | null) => void;
+  selectedRegistry: RepoValue | null;
 }
 
 export function HelmTemplatesList({
-  isLoading,
+  isLoadingCharts,
   charts = [],
   selectAction,
-  registries,
   selectedRegistry,
-  setSelectedRegistry,
 }: Props) {
   const [textFilter, setTextFilter] = useState('');
   const [selectedCategory, setSelectedCategory] = useState<string | null>(null);
 
   const categories = useMemo(() => getCategories(charts), [charts]);
-  const registryOptions = useMemo(
-    () =>
-      registries.map((registry) => ({
-        label: registry,
-        value: registry,
-      })),
-    [registries]
-  );
 
   const filteredCharts = useMemo(
     () => getFilteredCharts(charts, textFilter, selectedCategory),
     [charts, textFilter, selectedCategory]
   );
 
+  const isSelectedRegistryEmpty =
+    !isLoadingCharts && charts.length === 0 && selectedRegistry;
+
   return (
     <section className="datatable" aria-label="Helm charts">
-      <div className="toolBar vertical-center relative w-full flex-wrap !gap-x-5 !gap-y-1 !px-0 !overflow-visible">
-        <div className="toolBarTitle vertical-center">Helm chart</div>
+      <div className="toolBar vertical-center relative w-full !gap-x-5 !gap-y-1 !px-0 overflow-auto">
+        <div className="toolBarTitle vertical-center whitespace-nowrap">
+          Select a helm chart from {selectedRegistry?.name}
+        </div>
 
         <SearchBar
           value={textFilter}
@@ -63,20 +51,7 @@ export function HelmTemplatesList({
           className="!mr-0 h-9"
         />
 
-        <div className="w-full sm:w-1/4">
-          <PortainerSelect
-            placeholder="Select a registry"
-            value={selectedRegistry ?? ''}
-            options={registryOptions}
-            onChange={setSelectedRegistry}
-            isClearable
-            bindToBody
-            components={{ Option: RegistryOption }}
-            data-cy="helm-registry-select"
-          />
-        </div>
-
-        <div className="w-full sm:w-1/4">
+        <div className="w-full sm:w-1/4 flex-none">
           <PortainerSelect
             placeholder="Select a category"
             value={selectedCategory}
@@ -88,42 +63,6 @@ export function HelmTemplatesList({
           />
         </div>
       </div>
-      <div className="w-fit">
-        <div className="small text-muted mb-2">
-          Select the Helm chart to use. Bring further Helm charts into your
-          selection list via{' '}
-          <Link
-            to="portainer.account"
-            params={{ '#': 'helm-repositories' }}
-            data-cy="helm-repositories-link"
-          >
-            User settings - Helm repositories
-          </Link>
-          .
-        </div>
-
-        <InsightsBox
-          header="Disclaimer"
-          type="slim"
-          content={
-            <>
-              At present Portainer does not support OCI format Helm charts.
-              Support for OCI charts will be available in a future release.
-              <br />
-              If you would like to provide feedback on OCI support or get access
-              to early releases to test this functionality,{' '}
-              <a
-                href="https://bit.ly/3WVkayl"
-                target="_blank"
-                rel="noopener noreferrer"
-              >
-                please get in touch
-              </a>
-              .
-            </>
-          }
-        />
-      </div>
 
       <div className="blocklist !px-0" role="list">
         {filteredCharts.map((chart) => (
@@ -138,7 +77,7 @@ export function HelmTemplatesList({
           <div className="text-muted small mt-4">No Helm charts found</div>
         )}
 
-        {isLoading && (
+        {isLoadingCharts && (
           <div className="flex flex-col">
             <InlineLoader className="justify-center">
               Loading helm charts...
@@ -151,15 +90,15 @@ export function HelmTemplatesList({
           </div>
         )}
 
-        {!isLoading && charts.length === 0 && selectedRegistry && (
+        {isSelectedRegistryEmpty && (
           <div className="text-muted text-center">
-            No helm charts available in this registry.
+            No helm charts available in this repository.
           </div>
         )}
 
         {!selectedRegistry && (
           <div className="text-muted text-center">
-            Please select a registry to view available Helm charts.
+            Please select a repository to view available Helm charts.
           </div>
         )}
       </div>
@@ -167,20 +106,6 @@ export function HelmTemplatesList({
   );
 }
 
-// truncate the registry text, because some registry names are urls, which are too long
-function RegistryOption(props: OptionProps<Option<string>>) {
-  const { data: registry } = props;
-
-  return (
-    <div title={registry.value}>
-      {/* eslint-disable-next-line react/jsx-props-no-spreading */}
-      <components.Option {...props} className="whitespace-nowrap truncate">
-        {registry.value}
-      </components.Option>
-    </div>
-  );
-}
-
 /**
  * Get categories from charts
  * @param charts - The charts to get the categories from
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
index d6685f3c6..cc85170e2 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesSelectedItem.tsx
@@ -26,7 +26,7 @@ export function HelmTemplatesSelectedItem({
             <FallbackImage
               src={selectedChart.icon}
               fallbackIcon={HelmIcon}
-              className="h-16 w-16"
+              className="h-16 w-16 flex-none"
             />
             <div className="col-sm-12">
               <div>
diff --git a/app/react/kubernetes/helm/HelmTemplates/types.ts b/app/react/kubernetes/helm/HelmTemplates/types.ts
index df0b09374..61a8451c9 100644
--- a/app/react/kubernetes/helm/HelmTemplates/types.ts
+++ b/app/react/kubernetes/helm/HelmTemplates/types.ts
@@ -1,4 +1,5 @@
 export type HelmInstallFormValues = {
   values: string;
   version: string;
+  repo: string;
 };
diff --git a/app/react/kubernetes/helm/components/HelmRegistrySelect.test.tsx b/app/react/kubernetes/helm/components/HelmRegistrySelect.test.tsx
new file mode 100644
index 000000000..5934e75ba
--- /dev/null
+++ b/app/react/kubernetes/helm/components/HelmRegistrySelect.test.tsx
@@ -0,0 +1,242 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi } from 'vitest';
+
+import selectEvent from '@/react/test-utils/react-select';
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+import { RegistryTypes } from '@/react/portainer/registries/types/registry';
+import { useCurrentUser } from '@/react/hooks/useUser';
+import { User, Role } from '@/portainer/users/types';
+
+import { HelmRegistrySelect, RepoValue } from './HelmRegistrySelect';
+
+// Mock the hooks with factory functions - preserve other exports
+vi.mock('@/react/hooks/useUser', async () => {
+  const actual = await vi.importActual('@/react/hooks/useUser');
+  return {
+    ...actual,
+    useCurrentUser: vi.fn(),
+  };
+});
+
+const mockOnRegistryChange = vi.fn();
+
+const defaultProps = {
+  selectedRegistry: null,
+  onRegistryChange: mockOnRegistryChange,
+  isRepoAvailable: true,
+  isLoading: false,
+  isError: false,
+  repoOptions: [],
+};
+
+const mockRepoOptions = [
+  {
+    value: {
+      repoUrl: 'https://charts.bitnami.com/bitnami',
+      name: 'Bitnami',
+      type: RegistryTypes.CUSTOM,
+    },
+    label: 'Bitnami',
+  },
+  {
+    value: {
+      repoUrl: 'https://kubernetes-charts.storage.googleapis.com',
+      name: 'Stable',
+      type: RegistryTypes.CUSTOM,
+    },
+    label: 'Stable',
+  },
+];
+
+interface MockUserHookReturn {
+  user: User;
+  isPureAdmin: boolean;
+}
+
+interface UserProps {
+  isPureAdmin?: boolean;
+}
+
+// Get the mocked functions
+const mockUseCurrentUser = vi.mocked(useCurrentUser);
+
+function renderComponent(props = {}, userProps: UserProps = {}) {
+  const userResult: MockUserHookReturn = {
+    user: {
+      Id: 1,
+      Username: 'admin',
+      Role: Role.Admin,
+      EndpointAuthorizations: {},
+      UseCache: false,
+      ThemeSettings: {
+        color: 'auto',
+      },
+    },
+    isPureAdmin: userProps.isPureAdmin || false,
+  };
+
+  mockUseCurrentUser.mockReturnValue(userResult);
+
+  const Component = withTestQueryProvider(
+    withUserProvider(
+      withTestRouter(HelmRegistrySelect),
+      new UserViewModel({ Username: 'admin', Role: 1 })
+    )
+  );
+
+  return render(<Component {...defaultProps} {...props} />);
+}
+
+describe('HelmRegistrySelect', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    mockUseCurrentUser.mockClear();
+  });
+
+  describe('Basic rendering', () => {
+    it('should render with default placeholder', () => {
+      renderComponent();
+      expect(screen.getByText('Select a repository')).toBeInTheDocument();
+    });
+
+    it('should render with custom placeholder', () => {
+      renderComponent({ placeholder: 'Custom placeholder' });
+      expect(screen.getByText('Custom placeholder')).toBeInTheDocument();
+    });
+
+    it('should render loading state', () => {
+      renderComponent({ isLoading: true });
+      expect(screen.getByRole('combobox')).toBeInTheDocument();
+    });
+
+    it('should render error state', () => {
+      renderComponent({ isError: true });
+      expect(
+        screen.getByText('Unable to load registry options.')
+      ).toBeInTheDocument();
+    });
+  });
+
+  describe('Repository options', () => {
+    it('should display repository options', async () => {
+      const user = userEvent.setup();
+      renderComponent({ repoOptions: mockRepoOptions });
+
+      const select = screen.getByRole('combobox');
+      await user.click(select);
+
+      expect(screen.getByText('Bitnami')).toBeInTheDocument();
+      expect(screen.getByText('Stable')).toBeInTheDocument();
+    });
+
+    it.skip('should call onRegistryChange when option is selected', async () => {
+      // Skipping this test due to react-select testing complexity
+      // The onChange functionality is covered by integration tests
+      renderComponent({ repoOptions: mockRepoOptions });
+
+      const select = screen.getByRole('combobox');
+      await selectEvent.select(select, 'Bitnami');
+
+      expect(mockOnRegistryChange).toHaveBeenCalledWith({
+        repoUrl: 'https://charts.bitnami.com/bitnami',
+        name: 'Bitnami',
+        type: RegistryTypes.CUSTOM,
+      });
+    });
+
+    it('should show selected repository value', () => {
+      const selectedRegistry: RepoValue = {
+        repoUrl: 'https://charts.bitnami.com/bitnami',
+        name: 'Bitnami',
+        type: RegistryTypes.CUSTOM,
+      };
+
+      renderComponent({
+        selectedRegistry,
+        repoOptions: mockRepoOptions,
+      });
+
+      // Since the component uses PortainerSelect which manages the display value,
+      // we verify the props are correctly passed by checking the select element exists
+      expect(screen.getByRole('combobox')).toBeInTheDocument();
+    });
+  });
+
+  describe('No repositories warning', () => {
+    it('should show no repositories warning when no repos are available', () => {
+      renderComponent({
+        isRepoAvailable: false,
+        namespace: 'test-namespace',
+      });
+
+      expect(
+        screen.getByText(/There are no repositories available./)
+      ).toBeInTheDocument();
+    });
+
+    it('should not show warning when loading', () => {
+      renderComponent({
+        isRepoAvailable: false,
+        namespace: 'test-namespace',
+        isLoading: true,
+      });
+
+      expect(
+        screen.queryByText('There are no repositories available.')
+      ).not.toBeInTheDocument();
+    });
+
+    it('should not show warning when no namespace is provided', () => {
+      renderComponent({
+        isRepoAvailable: false,
+      });
+
+      expect(
+        screen.queryByText('There are no repositories available.')
+      ).not.toBeInTheDocument();
+    });
+  });
+
+  describe('Tooltip content', () => {
+    it('should render the component with label and tooltip', () => {
+      renderComponent({}, { isPureAdmin: true });
+
+      // Verify that the component renders the main label
+      expect(screen.getByText('Helm chart source')).toBeInTheDocument();
+
+      expect(screen.getByRole('combobox')).toBeInTheDocument();
+    });
+  });
+
+  describe('Loading and error states', () => {
+    it('should not show no repos warning when loading', () => {
+      renderComponent({
+        isLoading: true,
+        isRepoAvailable: false,
+        repoOptions: [],
+        namespace: 'test-namespace',
+      });
+
+      expect(
+        screen.queryByText('There are no repositories available.')
+      ).not.toBeInTheDocument();
+    });
+
+    it('should show error when API fails', () => {
+      renderComponent({
+        isLoading: false,
+        isError: true,
+        isRepoAvailable: false,
+        namespace: 'test-namespace',
+      });
+
+      expect(
+        screen.getByText('Unable to load registry options.')
+      ).toBeInTheDocument();
+    });
+  });
+});
diff --git a/app/react/kubernetes/helm/components/HelmRegistrySelect.tsx b/app/react/kubernetes/helm/components/HelmRegistrySelect.tsx
new file mode 100644
index 000000000..55569f900
--- /dev/null
+++ b/app/react/kubernetes/helm/components/HelmRegistrySelect.tsx
@@ -0,0 +1,156 @@
+import { GroupBase } from 'react-select';
+
+import {
+  PortainerSelect,
+  Option,
+} from '@/react/components/form-components/PortainerSelect';
+import { useCurrentUser } from '@/react/hooks/useUser';
+import { RegistryTypes } from '@/react/portainer/registries/types/registry';
+
+import { FormControl } from '@@/form-components/FormControl';
+import { Alert } from '@@/Alert';
+import { Link } from '@@/Link';
+import { TextTip } from '@@/Tip/TextTip';
+
+export type RepoValue = {
+  repoUrl?: string; // set for traditional https helm repos
+  name?: string;
+  type?: RegistryTypes;
+};
+
+interface Props {
+  selectedRegistry: RepoValue | null;
+  onRegistryChange: (registry: RepoValue | null) => void;
+  namespace?: string;
+  placeholder?: string;
+  'data-cy'?: string;
+  isRepoAvailable: boolean;
+  isLoading: boolean;
+  isError: boolean;
+  repoOptions: GroupBase<Option<RepoValue>>[];
+}
+
+export function HelmRegistrySelect({
+  selectedRegistry,
+  onRegistryChange,
+  namespace,
+  placeholder = 'Select a repository',
+  'data-cy': dataCy = 'helm-registry-select',
+  isRepoAvailable,
+  isLoading,
+  isError,
+  repoOptions,
+}: Props) {
+  const { isPureAdmin } = useCurrentUser();
+
+  return (
+    <FormControl
+      label="Helm chart source"
+      tooltip={<HelmChartSourceTooltip isPureAdmin={isPureAdmin} />}
+    >
+      <PortainerSelect<RepoValue>
+        placeholder={placeholder}
+        value={selectedRegistry ?? {}}
+        options={repoOptions}
+        isLoading={isLoading}
+        onChange={onRegistryChange}
+        isClearable
+        bindToBody
+        data-cy={dataCy}
+      />
+      <NoReposWarning
+        hasNoRepos={!isRepoAvailable}
+        isLoading={isLoading}
+        namespace={namespace}
+        isPureAdmin={isPureAdmin}
+      />
+      {isError && <Alert color="error">Unable to load registry options.</Alert>}
+    </FormControl>
+  );
+}
+
+function HelmChartSourceTooltip({ isPureAdmin }: { isPureAdmin: boolean }) {
+  if (isPureAdmin) {
+    return (
+      <>
+        <CreateUserRepoMessage />
+        <br />
+        <CreateGlobalRepoMessage />
+      </>
+    );
+  }
+
+  // Non-admin
+  return <CreateUserRepoMessage />;
+}
+
+function NoReposWarning({
+  hasNoRepos,
+  isLoading,
+  namespace,
+  isPureAdmin,
+}: {
+  hasNoRepos: boolean;
+  isLoading: boolean;
+  namespace?: string;
+  isPureAdmin: boolean;
+}) {
+  if (!hasNoRepos || isLoading || !namespace) {
+    return null;
+  }
+
+  return (
+    <TextTip color="blue" className="mt-2">
+      There are no repositories available.
+      <CreateRepoMessage isPureAdmin={isPureAdmin} />
+    </TextTip>
+  );
+}
+
+function CreateRepoMessage({ isPureAdmin }: { isPureAdmin: boolean }) {
+  if (isPureAdmin) {
+    return (
+      <>
+        <CreateUserRepoMessage />
+        <br />
+        <CreateGlobalRepoMessage />
+      </>
+    );
+  }
+
+  // Non-admin
+  return <CreateUserRepoMessage />;
+}
+
+function CreateUserRepoMessage() {
+  return (
+    <>
+      You can define <b>repositories</b> in the{' '}
+      <Link
+        to="portainer.account"
+        params={{ '#': 'helm-repositories' }}
+        data-cy="helm-repositories-link"
+      >
+        User settings - Helm repositories
+      </Link>
+      .
+    </>
+  );
+}
+
+function CreateGlobalRepoMessage() {
+  return (
+    <>
+      You can also define repositories in the{' '}
+      <Link
+        to="portainer.settings"
+        params={{ '#': 'kubernetes-settings' }}
+        data-cy="portainer-settings-link"
+        target="_blank"
+      >
+        Portainer settings
+      </Link>
+      .
+    </>
+  );
+}
diff --git a/app/react/kubernetes/helm/queries/useHelmChartList.ts b/app/react/kubernetes/helm/queries/useHelmChartList.ts
index 5824236bc..01995f681 100644
--- a/app/react/kubernetes/helm/queries/useHelmChartList.ts
+++ b/app/react/kubernetes/helm/queries/useHelmChartList.ts
@@ -1,6 +1,5 @@
-import { useQueries } from '@tanstack/react-query';
-import { compact, flatMap } from 'lodash';
-import { useMemo } from 'react';
+import { compact } from 'lodash';
+import { useQuery } from '@tanstack/react-query';
 
 import axios from '@/portainer/services/axios';
 import { withGlobalError } from '@/react-tools/react-query';
@@ -8,45 +7,27 @@ import { withGlobalError } from '@/react-tools/react-query';
 import { Chart, HelmChartsResponse } from '../types';
 
 /**
- * React hook to fetch helm charts from the provided repositories
- * Charts from each repository are loaded independently, allowing the UI
- * to show charts as they become available instead of waiting for all
- * repositories to load
+ * React hook to fetch helm charts from the provided HTTP repository.
+ * Charts are loaded from the specified repository URL.
  *
  * @param userId User ID
- * @param repositories List of repository URLs to fetch charts from
+ * @param repository Repository URL to fetch charts from
+ * @param enabled Flag indicating if the query should be enabled
+ * @returns Query result containing helm charts
  */
-export function useHelmChartList(userId: number, repositories: string[] = []) {
-  // Fetch charts from each repository in parallel as separate queries
-  const chartQueries = useQueries({
-    queries: useMemo(
-      () =>
-        repositories.map((repo) => ({
-          queryKey: [userId, repo, 'helm-charts'],
-          queryFn: () => getChartsFromRepo(repo),
-          enabled: !!userId && repositories.length > 0,
-          // one request takes a long time, so fail early to get feedback to the user faster
-          retries: false,
-          ...withGlobalError(`Unable to retrieve Helm charts from ${repo}`),
-        })),
-      [repositories, userId]
-    ),
+export function useHelmHTTPChartList(
+  userId: number,
+  repository: string,
+  enabled: boolean
+) {
+  return useQuery({
+    queryKey: [userId, repository, 'helm-charts'],
+    queryFn: () => getChartsFromRepo(repository),
+    enabled: !!userId && !!repository && enabled,
+    // one request takes a long time, so fail early to get feedback to the user faster
+    retry: false,
+    ...withGlobalError(`Unable to retrieve Helm charts from ${repository}`),
   });
-
-  // Combine the results for easier consumption by components
-  const allCharts = useMemo(
-    () => flatMap(compact(chartQueries.map((q) => q.data))),
-    [chartQueries]
-  );
-
-  return {
-    // Data from all repositories that have loaded so far
-    data: allCharts,
-    // Overall loading state
-    isInitialLoading: chartQueries.some((q) => q.isInitialLoading),
-    // Overall error state
-    isError: chartQueries.some((q) => q.isError),
-  };
 }
 
 async function getChartsFromRepo(repo: string): Promise<Chart[]> {
diff --git a/app/react/kubernetes/helm/queries/useHelmChartValues.ts b/app/react/kubernetes/helm/queries/useHelmChartValues.ts
index 2c1a95995..81e9cd9c2 100644
--- a/app/react/kubernetes/helm/queries/useHelmChartValues.ts
+++ b/app/react/kubernetes/helm/queries/useHelmChartValues.ts
@@ -4,8 +4,11 @@ import axios, { parseAxiosError } from '@/portainer/services/axios';
 import { withGlobalError } from '@/react-tools/react-query';
 
 type Params = {
+  /** The name of the chart to get the values for */
   chart: string;
+  /** The repository URL or registry ID */
   repo: string;
+  /** The version of the chart to get the values for */
   version?: string;
 };
 
@@ -16,18 +19,26 @@ async function getHelmChartValues(params: Params) {
     });
     return response.data;
   } catch (err) {
-    throw parseAxiosError(err as Error, 'Unable to get Helm chart values');
+    throw parseAxiosError(err, 'Unable to get Helm chart values');
   }
 }
 
-export function useHelmChartValues(params: Params) {
+export function useHelmChartValues(params: Params, isLatestVersion = false) {
+  const hasValidRepoUrl = !!params.repo;
   return useQuery({
-    queryKey: ['helm-chart-values', params.repo, params.chart, params.version],
+    queryKey: [
+      'helm-chart-values',
+      params.repo,
+      params.chart,
+      // if the latest version is fetched, use the latest version key to cache the latest version
+      isLatestVersion ? 'latest' : params.version,
+    ],
     queryFn: () => getHelmChartValues(params),
-    enabled: !!params.chart && !!params.repo,
+    enabled: !!params.chart && hasValidRepoUrl,
     select: (data) => ({
       values: data,
     }),
+    retry: 1,
     staleTime: 60 * 1000 * 20, // 60 minutes, because values are not expected to change often
     ...withGlobalError('Unable to get Helm chart values'),
   });
diff --git a/app/react/kubernetes/helm/queries/useHelmRegistries.ts b/app/react/kubernetes/helm/queries/useHelmRegistries.ts
deleted file mode 100644
index f48fb72fa..000000000
--- a/app/react/kubernetes/helm/queries/useHelmRegistries.ts
+++ /dev/null
@@ -1,43 +0,0 @@
-import { useQuery } from '@tanstack/react-query';
-import { compact } from 'lodash';
-
-import axios, { parseAxiosError } from '@/portainer/services/axios';
-import { UserId } from '@/portainer/users/types';
-import { withGlobalError } from '@/react-tools/react-query';
-import { useCurrentUser } from '@/react/hooks/useUser';
-
-import { HelmRegistriesResponse } from '../types';
-
-/**
- * Hook to fetch all Helm registries for the current user
- */
-export function useHelmRegistries() {
-  const { user } = useCurrentUser();
-  return useQuery(
-    ['helm', 'registries'],
-    async () => getHelmRegistries(user.Id),
-    {
-      enabled: !!user.Id,
-      ...withGlobalError('Unable to retrieve helm registries'),
-    }
-  );
-}
-
-/**
- * Get Helm registries for user
- */
-async function getHelmRegistries(userId: UserId) {
-  try {
-    const { data } = await axios.get<HelmRegistriesResponse>(
-      `users/${userId}/helm/repositories`
-    );
-    const repos = compact([
-      // compact will remove the global repository if it's empty
-      data.GlobalRepository.toLowerCase(),
-      ...data.UserRepositories.map((repo) => repo.URL.toLowerCase()),
-    ]);
-    return [...new Set(repos)];
-  } catch (err) {
-    throw parseAxiosError(err, 'Unable to retrieve helm repositories for user');
-  }
-}
diff --git a/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts b/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
index 5543de3d7..98b7c3c99 100644
--- a/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
+++ b/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
@@ -21,6 +21,10 @@ export interface ChartVersion {
   AppVersion?: string;
 }
 
+type RepoSource = {
+  repo?: string;
+};
+
 /**
  * React hook to get a list of available versions for a chart from specified repositories
  *
@@ -32,21 +36,21 @@ export interface ChartVersion {
 export function useHelmRepoVersions(
   chart: string,
   staleTime: number,
-  repositories: string[] = [],
+  repoSources: RepoSource[] = [],
   useCache: boolean = true
 ) {
   // Fetch versions from each repository in parallel as separate queries
   const versionQueries = useQueries({
     queries: useMemo(
       () =>
-        repositories.map((repo) => ({
+        repoSources.map(({ repo }) => ({
           queryKey: ['helm', 'repositories', chart, repo, useCache],
-          queryFn: () => getSearchHelmRepo(repo, chart, useCache),
-          enabled: !!chart && repositories.length > 0,
+          queryFn: () => getSearchHelmRepo({ repo, chart, useCache }),
+          enabled: !!chart && repoSources.length > 0,
           staleTime,
           ...withGlobalError(`Unable to retrieve versions from ${repo}`),
         })),
-      [repositories, chart, staleTime, useCache]
+      [repoSources, chart, staleTime, useCache]
     ),
   });
 
@@ -58,30 +62,35 @@ export function useHelmRepoVersions(
 
   return {
     data: allVersions,
-    isInitialLoading: versionQueries.some((q) => q.isLoading),
+    isInitialLoading: versionQueries.some((q) => q.isInitialLoading),
     isError: versionQueries.some((q) => q.isError),
     isFetching: versionQueries.some((q) => q.isFetching),
     refetch: () => Promise.all(versionQueries.map((q) => q.refetch())),
   };
 }
 
+type SearchRepoParams = {
+  repo?: string;
+  chart: string;
+  useCache?: boolean;
+};
+
 /**
  * Get Helm repositories for user
  */
 async function getSearchHelmRepo(
-  repo: string,
-  chart: string,
-  useCache: boolean = true
+  params: SearchRepoParams
 ): Promise<ChartVersion[]> {
   try {
     const { data } = await axios.get<HelmSearch>(`templates/helm`, {
-      params: { repo, chart, useCache },
+      params,
     });
-    const versions = data.entries[chart];
+    // if separated by '/', take the last part
+    const chartKey = params.chart.split('/').pop() || params.chart;
+    const versions = data.entries[chartKey];
     return (
       versions?.map((v) => ({
-        Chart: chart,
-        Repo: repo,
+        Repo: params.repo ?? '',
         Version: v.version,
         AppVersion: v.appVersion,
       })) ?? []
diff --git a/app/react/kubernetes/helm/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/queries/useHelmRepositories.ts
new file mode 100644
index 000000000..32a054325
--- /dev/null
+++ b/app/react/kubernetes/helm/queries/useHelmRepositories.ts
@@ -0,0 +1,84 @@
+import { useQuery } from '@tanstack/react-query';
+import { compact } from 'lodash';
+
+import axios, { parseAxiosError } from '@/portainer/services/axios';
+import { UserId } from '@/portainer/users/types';
+import { withGlobalError } from '@/react-tools/react-query';
+import { useCurrentUser } from '@/react/hooks/useUser';
+import { Option } from '@/react/components/form-components/PortainerSelect';
+
+import { HelmRegistriesResponse } from '../types';
+import { RepoValue } from '../components/HelmRegistrySelect';
+
+/**
+ * Hook to fetch all Helm registries for the current user
+ */
+export function useUserHelmRepositories<T = string[]>({
+  select,
+}: {
+  select?: (registries: string[]) => T;
+} = {}) {
+  const { user } = useCurrentUser();
+  return useQuery(
+    ['helm', 'registries'],
+    async () => getUserHelmRepositories(user.Id),
+    {
+      enabled: !!user.Id,
+      select,
+      ...withGlobalError('Unable to retrieve helm registries'),
+    }
+  );
+}
+
+export function useHelmRepoOptions() {
+  return useUserHelmRepositories({
+    select: (registries) => {
+      const repoOptions = registries
+        .map<Option<RepoValue>>((registry) => ({
+          label: registry,
+          value: {
+            repoUrl: registry,
+            isOCI: false,
+            name: registry,
+          },
+        }))
+        .sort((a, b) => a.label.localeCompare(b.label));
+      return [
+        {
+          label: 'Helm Repositories',
+          options: repoOptions,
+        },
+        {
+          label: 'OCI Registries',
+          options: [
+            {
+              label:
+                'Installing from an OCI registry is a Portainer Business Feature',
+              value: {},
+              disabled: true,
+            },
+          ],
+        },
+      ];
+    },
+  });
+}
+
+/**
+ * Get Helm repositories for user
+ */
+async function getUserHelmRepositories(userId: UserId) {
+  try {
+    const { data } = await axios.get<HelmRegistriesResponse>(
+      `users/${userId}/helm/repositories`
+    );
+    // compact will remove the global repository if it's empty
+    const repos = compact([
+      data.GlobalRepository.toLowerCase(),
+      ...data.UserRepositories.map((repo) => repo.URL.toLowerCase()),
+    ]);
+    return [...new Set(repos)];
+  } catch (err) {
+    throw parseAxiosError(err, 'Unable to retrieve helm repositories for user');
+  }
+}
diff --git a/app/react/kubernetes/helm/types.ts b/app/react/kubernetes/helm/types.ts
index b1e958471..208745944 100644
--- a/app/react/kubernetes/helm/types.ts
+++ b/app/react/kubernetes/helm/types.ts
@@ -91,7 +91,7 @@ export interface HelmChartResponse {
   versions: string[];
 }
 
-export interface HelmRepositoryResponse {
+export interface HelmRegistryResponse {
   Id: number;
   UserId: number;
   URL: string;
@@ -99,7 +99,7 @@ export interface HelmRepositoryResponse {
 
 export interface HelmRegistriesResponse {
   GlobalRepository: string;
-  UserRepositories: HelmRepositoryResponse[];
+  UserRepositories: HelmRegistryResponse[];
 }
 
 export interface HelmChartsResponse {
@@ -108,15 +108,6 @@ export interface HelmChartsResponse {
   generated: string;
 }
 
-export interface InstallChartPayload {
-  Name: string;
-  Repo: string;
-  Chart: string;
-  Values: string;
-  Namespace: string;
-  Version?: string;
-}
-
 export interface UpdateHelmReleasePayload {
   namespace: string;
   values?: string;
diff --git a/app/react/portainer/access-control/AccessControlPanel/AccessControlPanelDetails.tsx b/app/react/portainer/access-control/AccessControlPanel/AccessControlPanelDetails.tsx
index 725e115cd..f53015cea 100644
--- a/app/react/portainer/access-control/AccessControlPanel/AccessControlPanelDetails.tsx
+++ b/app/react/portainer/access-control/AccessControlPanel/AccessControlPanelDetails.tsx
@@ -201,8 +201,10 @@ function InheritanceMessage({
   return (
     <tr>
       <td colSpan={2} aria-label="inheritance-message">
-        <Icon icon={Info} mode="primary" className="mr-1" />
-        {children}
+        <div className="inline-flex items-center gap-1">
+          <Icon icon={Info} mode="primary" />
+          {children}
+        </div>
         <Tooltip message={tooltip} />
       </td>
     </tr>
diff --git a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx
index 7ed2f4651..bad68c293 100644
--- a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx
+++ b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/HelmRepositoryDatatable.tsx
@@ -81,21 +81,25 @@ export function HelmRepositoryDatatable() {
 function HelmDatatableDescription({ isAdmin }: { isAdmin: boolean }) {
   return (
     <TextTip color="blue" className="mb-3">
-      Adding a Helm repo here only makes it available in your own user
-      account&apos;s Portainer UI. Helm charts are pulled down from these repos
-      (plus the{' '}
-      {isAdmin ? (
-        <Link
-          to="portainer.settings"
-          params={{ '#': 'kubernetes-settings' }}
-          data-cy="k8s-globally-select-repo-link"
-        >
-          <span>globally-set Helm repo</span>
-        </Link>
-      ) : (
-        <span>globally-set Helm repo</span>
+      <p>
+        Adding a Helm repository here makes it available only in your Portainer
+        user account. The Helm charts from these repositories (along with the
+        globally set Helm repository) are shown in the &apos;Create from
+        Code&apos; screen.
+      </p>
+      {isAdmin && (
+        <>
+          To manage your helm repositories globally, navigate to{' '}
+          <Link
+            to="portainer.settings"
+            params={{ '#': 'kubernetes-settings' }}
+            data-cy="helm-settings-link"
+          >
+            Settings &gt; General
+          </Link>
+          .
+        </>
       )}
-      ) and shown in the Create from code screen&apos;s Helm charts list.
     </TextTip>
   );
 }
diff --git a/app/react/portainer/environments/queries/query-keys.ts b/app/react/portainer/environments/queries/query-keys.ts
index ed0600c19..5cb21a348 100644
--- a/app/react/portainer/environments/queries/query-keys.ts
+++ b/app/react/portainer/environments/queries/query-keys.ts
@@ -3,6 +3,11 @@ import { EnvironmentId } from '../types';
 export const environmentQueryKeys = {
   base: () => ['environments'] as const,
   item: (id: EnvironmentId) => [...environmentQueryKeys.base(), id] as const,
-  registries: (environmentId: EnvironmentId) =>
-    [...environmentQueryKeys.base(), environmentId, 'registries'] as const,
+  registries: (environmentId: EnvironmentId, namespace?: string) =>
+    [
+      ...environmentQueryKeys.base(),
+      environmentId,
+      'registries',
+      namespace,
+    ] as const,
 };
diff --git a/app/react/portainer/environments/queries/useEnvironmentRegistries.ts b/app/react/portainer/environments/queries/useEnvironmentRegistries.ts
index 19588b5ca..c25ffa157 100644
--- a/app/react/portainer/environments/queries/useEnvironmentRegistries.ts
+++ b/app/react/portainer/environments/queries/useEnvironmentRegistries.ts
@@ -14,17 +14,28 @@ export function useEnvironmentRegistries<T = Array<Registry>>(
   environmentId: EnvironmentId,
   queryOptions: GenericRegistriesQueryOptions<T> = {}
 ) {
+  const { namespace } = queryOptions;
   return useGenericRegistriesQuery(
-    environmentQueryKeys.registries(environmentId),
-    () => getEnvironmentRegistries(environmentId),
+    environmentQueryKeys.registries(environmentId, namespace),
+    () => getEnvironmentRegistries(environmentId, { namespace }),
     queryOptions
   );
 }
 
-async function getEnvironmentRegistries(environmentId: EnvironmentId) {
+type Params = {
+  namespace?: string;
+};
+
+async function getEnvironmentRegistries(
+  environmentId: EnvironmentId,
+  params: Params
+) {
   try {
     const { data } = await axios.get<Array<Registry>>(
-      buildUrl(environmentId, 'registries')
+      buildUrl(environmentId, 'registries'),
+      {
+        params,
+      }
     );
     return data;
   } catch (err) {
diff --git a/app/react/portainer/registries/CreateView/options.tsx b/app/react/portainer/registries/CreateView/options.tsx
index b6802e60b..984eaa892 100644
--- a/app/react/portainer/registries/CreateView/options.tsx
+++ b/app/react/portainer/registries/CreateView/options.tsx
@@ -1,62 +1,56 @@
-import { Edit } from 'lucide-react';
-
-import Docker from '@/assets/ico/vendor/docker.svg?c';
-import Ecr from '@/assets/ico/vendor/ecr.svg?c';
-import Quay from '@/assets/ico/vendor/quay.svg?c';
-import Proget from '@/assets/ico/vendor/proget.svg?c';
-import Azure from '@/assets/ico/vendor/azure.svg?c';
-import Gitlab from '@/assets/ico/vendor/gitlab.svg?c';
-
 import { BadgeIcon } from '@@/BadgeIcon';
 
+import { RegistryTypes } from '../types/registry';
+import { registryIconMap, registryLabelMap } from '../utils/constants';
+
 export const options = [
   {
     id: 'registry_dockerhub',
-    icon: Docker,
-    label: 'DockerHub',
+    icon: registryIconMap[RegistryTypes.DOCKERHUB],
+    label: registryLabelMap[RegistryTypes.DOCKERHUB],
     description: 'DockerHub authenticated account',
-    value: '6',
+    value: String(RegistryTypes.DOCKERHUB),
   },
   {
     id: 'registry_aws_ecr',
-    icon: Ecr,
-    label: 'AWS ECR',
+    icon: registryIconMap[RegistryTypes.ECR],
+    label: registryLabelMap[RegistryTypes.ECR],
     description: 'Amazon elastic container registry',
-    value: '7',
+    value: String(RegistryTypes.ECR),
   },
   {
     id: 'registry_quay',
-    icon: Quay,
-    label: 'Quay.io',
+    icon: registryIconMap[RegistryTypes.QUAY],
+    label: registryLabelMap[RegistryTypes.QUAY],
     description: 'Quay container registry',
-    value: '1',
+    value: String(RegistryTypes.QUAY),
   },
   {
     id: 'registry_proget',
-    icon: Proget,
-    label: 'ProGet',
+    icon: registryIconMap[RegistryTypes.PROGET],
+    label: registryLabelMap[RegistryTypes.PROGET],
     description: 'ProGet container registry',
-    value: '5',
+    value: String(RegistryTypes.PROGET),
   },
   {
     id: 'registry_azure',
-    icon: Azure,
-    label: 'Azure',
+    icon: registryIconMap[RegistryTypes.AZURE],
+    label: registryLabelMap[RegistryTypes.AZURE],
     description: 'Azure container registry',
-    value: '2',
+    value: String(RegistryTypes.AZURE),
   },
   {
     id: 'registry_gitlab',
-    icon: Gitlab,
-    label: 'GitLab',
+    icon: registryIconMap[RegistryTypes.GITLAB],
+    label: registryLabelMap[RegistryTypes.GITLAB],
     description: 'GitLab container registry',
-    value: '4',
+    value: String(RegistryTypes.GITLAB),
   },
   {
     id: 'registry_custom',
-    icon: <BadgeIcon icon={Edit} />,
-    label: 'Custom registry',
+    icon: <BadgeIcon icon={registryIconMap[RegistryTypes.CUSTOM]} />,
+    label: registryLabelMap[RegistryTypes.CUSTOM],
     description: 'Define your own registry',
-    value: '3',
+    value: String(RegistryTypes.CUSTOM),
   },
 ];
diff --git a/app/react/portainer/registries/queries/build-url.ts b/app/react/portainer/registries/queries/build-url.ts
index 3f76215bd..f490ec406 100644
--- a/app/react/portainer/registries/queries/build-url.ts
+++ b/app/react/portainer/registries/queries/build-url.ts
@@ -1,13 +1,17 @@
 import { RegistryId } from '../types/registry';
 
-export function buildUrl(registryId: RegistryId) {
-  const base = '/registries';
+export function buildUrl(registryId: RegistryId, resource?: 'repositories') {
+  let url = '/registries';
 
   if (registryId) {
-    return `${base}/${registryId}`;
+    url += `/${registryId}`;
   }
 
-  return base;
+  if (resource) {
+    url += `/${resource}`;
+  }
+
+  return url;
 }
 
 export function buildProxyUrl(registryId: RegistryId) {
diff --git a/app/react/portainer/registries/queries/useRegistries.ts b/app/react/portainer/registries/queries/useRegistries.ts
index 007ab70cb..4ea5aad6e 100644
--- a/app/react/portainer/registries/queries/useRegistries.ts
+++ b/app/react/portainer/registries/queries/useRegistries.ts
@@ -24,6 +24,8 @@ export type GenericRegistriesQueryOptions<T> = {
   onSuccess?: (data: T) => void;
   /** is used to hide the default registry from the list of registries, regardless of the user's settings. Kubernetes views use this. */
   hideDefault?: boolean;
+  /** is used to filter the registries by namespace. Kubernetes views use this. */
+  namespace?: string;
 };
 
 export function useGenericRegistriesQuery<T = Registry[]>(
diff --git a/app/react/portainer/registries/utils/constants.tsx b/app/react/portainer/registries/utils/constants.tsx
new file mode 100644
index 000000000..e20ee285f
--- /dev/null
+++ b/app/react/portainer/registries/utils/constants.tsx
@@ -0,0 +1,35 @@
+import { Edit } from 'lucide-react';
+
+import Docker from '@/assets/ico/vendor/docker.svg?c';
+import Ecr from '@/assets/ico/vendor/ecr.svg?c';
+import Quay from '@/assets/ico/vendor/quay.svg?c';
+import Proget from '@/assets/ico/vendor/proget.svg?c';
+import Azure from '@/assets/ico/vendor/azure.svg?c';
+import Gitlab from '@/assets/ico/vendor/gitlab.svg?c';
+
+import { RegistryTypes } from '../types/registry';
+
+export const registryLabelMap: Record<RegistryTypes, string> = {
+  [RegistryTypes.ANONYMOUS]: 'Anonymous',
+  [RegistryTypes.DOCKERHUB]: 'DockerHub',
+  [RegistryTypes.ECR]: 'AWS ECR',
+  [RegistryTypes.QUAY]: 'Quay.io',
+  [RegistryTypes.PROGET]: 'ProGet',
+  [RegistryTypes.AZURE]: 'Azure',
+  [RegistryTypes.GITLAB]: 'GitLab',
+  [RegistryTypes.CUSTOM]: 'Custom registry',
+  [RegistryTypes.GITHUB]: 'GitHub',
+};
+
+export const registryIconMap = {
+  [RegistryTypes.DOCKERHUB]: Docker,
+  [RegistryTypes.ECR]: Ecr,
+  [RegistryTypes.QUAY]: Quay,
+  [RegistryTypes.PROGET]: Proget,
+  [RegistryTypes.AZURE]: Azure,
+  [RegistryTypes.GITLAB]: Gitlab,
+  [RegistryTypes.CUSTOM]: Edit,
+  // github and anonymous don't have an icon
+  [RegistryTypes.GITHUB]: null,
+  [RegistryTypes.ANONYMOUS]: null,
+};
diff --git a/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx b/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx
index e5d519174..0c21140aa 100644
--- a/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx
+++ b/app/react/portainer/settings/SettingsView/KubeSettingsPanel/HelmSection.tsx
@@ -4,7 +4,7 @@ import { TextTip } from '@@/Tip/TextTip';
 import { FormControl } from '@@/form-components/FormControl';
 import { FormSection } from '@@/form-components/FormSection';
 import { Input } from '@@/form-components/Input';
-import { InsightsBox } from '@@/InsightsBox';
+import { ExternalLink } from '@@/ExternalLink';
 
 export function HelmSection() {
   const [{ name }, { error }] = useField<string>('helmRepositoryUrl');
@@ -13,39 +13,17 @@ export function HelmSection() {
     <FormSection title="Helm repository">
       <div className="mb-2">
         <TextTip color="blue">
-          You can specify the URL to your own Helm repository here. See the{' '}
-          <a
-            href="https://helm.sh/docs/topics/chart_repository/"
-            target="_blank"
-            rel="noreferrer"
+          You can specify the URL to your own{' '}
+          <ExternalLink
+            to="https://helm.sh/docs/topics/chart_repository/"
+            data-cy="helm-repository-link"
           >
-            official documentation
-          </a>{' '}
-          for more details.
+            Helm repository
+          </ExternalLink>{' '}
+          here.
         </TextTip>
       </div>
 
-      <InsightsBox
-        header="Disclaimer"
-        content={
-          <>
-            At present Portainer does not support OCI format Helm charts.
-            Support for OCI charts will be available in a future release. If you
-            would like to provide feedback on OCI support or get access to early
-            releases to test this functionality,{' '}
-            <a
-              href="https://bit.ly/3WVkayl"
-              target="_blank"
-              rel="noopener noreferrer"
-            >
-              please get in touch
-            </a>
-            .
-          </>
-        }
-        className="block w-fit mt-2 mb-1"
-      />
-
       <FormControl label="URL" errors={error} inputId="helm-repo-url">
         <Field
           as={Input}
diff --git a/go.mod b/go.mod
index d589f19d9..a7e925466 100644
--- a/go.mod
+++ b/go.mod
@@ -36,6 +36,7 @@ require (
 	github.com/klauspost/compress v1.18.0
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
 	github.com/opencontainers/go-digest v1.0.0
+	github.com/opencontainers/image-spec v1.1.1
 	github.com/orcaman/concurrent-map v1.0.0
 	github.com/patrickmn/go-cache v2.1.0+incompatible
 	github.com/pkg/errors v0.9.1
@@ -63,6 +64,7 @@ require (
 	k8s.io/kubectl v0.33.2
 	k8s.io/kubelet v0.33.2
 	k8s.io/metrics v0.33.2
+	oras.land/oras-go/v2 v2.6.0
 	software.sslmate.com/src/go-pkcs12 v0.0.0-20210415151418-c5206de65a78
 )
 
@@ -225,7 +227,6 @@ require (
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
-	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/opencontainers/runtime-spec v1.2.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
@@ -305,7 +306,6 @@ require (
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241104100929-3ea5e8cea738 // indirect
-	oras.land/oras-go/v2 v2.6.0 // indirect
 	sigs.k8s.io/json v0.0.0-20241010143419-9aa6b5e7a4b3 // indirect
 	sigs.k8s.io/kustomize/api v0.19.0 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.19.0 // indirect
diff --git a/pkg/libhelm/cache/cache.go b/pkg/libhelm/cache/cache.go
new file mode 100644
index 000000000..e555bc090
--- /dev/null
+++ b/pkg/libhelm/cache/cache.go
@@ -0,0 +1,126 @@
+package cache
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/patrickmn/go-cache"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+// Cache manages Helm registry clients with TTL-based expiration
+// Registry clients are cached per registry ID rather than per user session
+// to optimize rate limiting - one login per registry per Portainer instance
+type Cache struct {
+	cache *cache.Cache
+}
+
+// CachedRegistryClient wraps a registry client with metadata
+type CachedRegistryClient struct {
+	Client     *registry.Client
+	RegistryID portainer.RegistryID
+	CreatedAt  time.Time
+}
+
+// newCache creates a new Helm registry client cache with the specified timeout
+func newCache(userSessionTimeout string) (*Cache, error) {
+	timeout, err := time.ParseDuration(userSessionTimeout)
+	if err != nil {
+		return nil, fmt.Errorf("invalid user session timeout: %w", err)
+	}
+
+	return &Cache{
+		cache: cache.New(timeout, timeout),
+	}, nil
+}
+
+// getByRegistryID retrieves a cached registry client by registry ID
+// Cache key strategy: use registryID for maximum efficiency against rate limits
+// This means one login per registry per Portainer instance, regardless of user/environment
+func (c *Cache) getByRegistryID(registryID portainer.RegistryID) (*registry.Client, bool) {
+	key := generateRegistryIDCacheKey(registryID)
+
+	cachedClient, found := c.cache.Get(key)
+	if !found {
+		log.Debug().
+			Str("cache_key", key).
+			Int("registry_id", int(registryID)).
+			Str("context", "HelmRegistryCache").
+			Msg("Cache miss for registry client")
+		return nil, false
+	}
+
+	client := cachedClient.(CachedRegistryClient)
+
+	log.Debug().
+		Str("cache_key", key).
+		Int("registry_id", int(registryID)).
+		Str("context", "HelmRegistryCache").
+		Msg("Cache hit for registry client")
+
+	return client.Client, true
+}
+
+// setByRegistryID stores a registry client in the cache with registry ID context
+func (c *Cache) setByRegistryID(registryID portainer.RegistryID, client *registry.Client) {
+	if client == nil {
+		log.Warn().
+			Int("registry_id", int(registryID)).
+			Str("context", "HelmRegistryCache").
+			Msg("Attempted to cache nil registry client")
+		return
+	}
+
+	key := generateRegistryIDCacheKey(registryID)
+
+	cachedClient := CachedRegistryClient{
+		Client:     client,
+		RegistryID: registryID,
+		CreatedAt:  time.Now(),
+	}
+
+	c.cache.Set(key, cachedClient, cache.DefaultExpiration)
+
+	log.Debug().
+		Str("cache_key", key).
+		Int("registry_id", int(registryID)).
+		Str("context", "HelmRegistryCache").
+		Msg("Cached registry client")
+}
+
+// flushRegistry removes cached registry client for a specific registry ID
+// This should be called whenever registry credentials change
+func (c *Cache) flushRegistry(registryID portainer.RegistryID) {
+	key := generateRegistryIDCacheKey(registryID)
+
+	c.cache.Delete(key)
+	log.Info().
+		Int("registry_id", int(registryID)).
+		Str("context", "HelmRegistryCache").
+		Msg("Flushed registry client due to registry change")
+}
+
+// flushAll removes all cached registry clients
+func (c *Cache) flushAll() {
+	itemCount := c.cache.ItemCount()
+	c.cache.Flush()
+
+	if itemCount > 0 {
+		log.Info().
+			Int("cached_clients_removed", itemCount).
+			Str("context", "HelmRegistryCache").
+			Msg("Flushed all registry clients")
+	}
+}
+
+// generateRegistryIDCacheKey creates a cache key from registry ID
+// Key strategy decision: Use registry ID instead of user sessions or URL+username
+// This provides optimal rate limiting protection since each registry only gets
+// logged into once per Portainer instance, regardless of how many users access it
+// RBAC security is enforced before reaching this caching layer
+// When a new user needs access, they reuse the same cached client
+func generateRegistryIDCacheKey(registryID portainer.RegistryID) string {
+	return fmt.Sprintf("registry:%d", registryID)
+}
diff --git a/pkg/libhelm/cache/manager.go b/pkg/libhelm/cache/manager.go
new file mode 100644
index 000000000..6520b314c
--- /dev/null
+++ b/pkg/libhelm/cache/manager.go
@@ -0,0 +1,81 @@
+package cache
+
+import (
+	"sync"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+var (
+	// Global singleton instance
+	instance *Cache
+	once     sync.Once
+)
+
+// Initialize creates and initializes the global cache instance
+func Initialize(userSessionTimeout string) error {
+	var err error
+	once.Do(func() {
+		instance, err = newCache(userSessionTimeout)
+		if err != nil {
+			log.Error().
+				Err(err).
+				Str("user_session_timeout", userSessionTimeout).
+				Msg("Failed to initialize Helm registry cache")
+		} else {
+			log.Info().
+				Str("user_session_timeout", userSessionTimeout).
+				Msg("Helm registry cache initialized")
+		}
+	})
+	return err
+}
+
+// Registry-based cache management functions
+
+// GetCachedRegistryClientByID retrieves a cached registry client by registry ID
+func GetCachedRegistryClientByID(registryID portainer.RegistryID) (*registry.Client, bool) {
+	if instance == nil {
+		log.Debug().
+			Str("context", "HelmRegistryCache").
+			Msg("Cache not initialized, returning nil")
+		return nil, false
+	}
+	return instance.getByRegistryID(registryID)
+}
+
+// SetCachedRegistryClientByID stores a registry client in the cache by registry ID
+func SetCachedRegistryClientByID(registryID portainer.RegistryID, client *registry.Client) {
+	if instance == nil {
+		log.Warn().
+			Str("context", "HelmRegistryCache").
+			Msg("Cannot set cache entry - cache not initialized")
+		return
+	}
+	instance.setByRegistryID(registryID, client)
+}
+
+// FlushRegistryByID removes cached registry client for a specific registry ID
+// This should be called whenever registry credentials change
+func FlushRegistryByID(registryID portainer.RegistryID) {
+	if instance == nil {
+		log.Debug().
+			Str("context", "HelmRegistryCache").
+			Msg("Cache not initialized, nothing to flush")
+		return
+	}
+	instance.flushRegistry(registryID)
+}
+
+// FlushAll removes all cached registry clients
+func FlushAll() {
+	if instance == nil {
+		log.Debug().
+			Str("context", "HelmRegistryCache").
+			Msg("Cache not initialized, nothing to flush")
+		return
+	}
+	instance.flushAll()
+}
diff --git a/pkg/libhelm/options/chart_reference.go b/pkg/libhelm/options/chart_reference.go
new file mode 100644
index 000000000..11b3daf53
--- /dev/null
+++ b/pkg/libhelm/options/chart_reference.go
@@ -0,0 +1,38 @@
+package options
+
+import (
+	"strings"
+)
+
+const (
+	// OCIProtocolPrefix is the standard OCI protocol prefix
+	OCIProtocolPrefix = "oci://"
+)
+
+// ConstructChartReference constructs the appropriate chart reference based on registry type
+func ConstructChartReference(registryURL string, chartName string) string {
+	if registryURL == "" {
+		return chartName
+	}
+
+	// Don't double-prefix if chart already contains the registry URL
+	if strings.HasPrefix(chartName, OCIProtocolPrefix) {
+		return chartName
+	}
+
+	baseURL := ConstructOCIRegistryReference(registryURL)
+
+	// Handle cases where chartName might already have a path separator
+	if strings.HasPrefix(chartName, "/") {
+		return baseURL + chartName
+	}
+
+	return baseURL + "/" + chartName
+}
+
+func ConstructOCIRegistryReference(registryURL string) string {
+	// Remove oci:// prefix if present to avoid duplication
+	registryURL = strings.TrimPrefix(registryURL, OCIProtocolPrefix)
+	// Ensure we have oci:// prefix for OCI registries
+	return OCIProtocolPrefix + registryURL
+}
diff --git a/pkg/libhelm/options/chart_reference_test.go b/pkg/libhelm/options/chart_reference_test.go
new file mode 100644
index 000000000..06db8c26e
--- /dev/null
+++ b/pkg/libhelm/options/chart_reference_test.go
@@ -0,0 +1,100 @@
+package options
+
+import (
+	"testing"
+)
+
+func TestConstructChartReference(t *testing.T) {
+	tests := []struct {
+		name        string
+		registryURL string
+		chartName   string
+		expected    string
+	}{
+		{
+			name:        "empty registry URL returns chart name as-is",
+			registryURL: "",
+			chartName:   "nginx",
+			expected:    "nginx",
+		},
+		{
+			name:        "basic OCI registry with chart name",
+			registryURL: "registry.example.com",
+			chartName:   "nginx",
+			expected:    "oci://registry.example.com/nginx",
+		},
+		{
+			name:        "registry with project path",
+			registryURL: "harbor.example.com",
+			chartName:   "library/nginx",
+			expected:    "oci://harbor.example.com/library/nginx",
+		},
+		{
+			name:        "chart name already has oci prefix returns as-is",
+			registryURL: "registry.example.com",
+			chartName:   "oci://registry.example.com/nginx",
+			expected:    "oci://registry.example.com/nginx",
+		},
+		{
+			name:        "chart name with leading slash",
+			registryURL: "registry.example.com",
+			chartName:   "/nginx",
+			expected:    "oci://registry.example.com/nginx",
+		},
+		{
+			name:        "registry URL already has oci prefix",
+			registryURL: "oci://registry.example.com",
+			chartName:   "nginx",
+			expected:    "oci://registry.example.com/nginx",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ConstructChartReference(tt.registryURL, tt.chartName)
+			if result != tt.expected {
+				t.Errorf("ConstructChartReference(%q, %q) = %q, want %q",
+					tt.registryURL, tt.chartName, result, tt.expected)
+			}
+		})
+	}
+}
+
+func TestConstructOCIRegistryReference(t *testing.T) {
+	tests := []struct {
+		name        string
+		registryURL string
+		expected    string
+	}{
+		{
+			name:        "simple registry URL",
+			registryURL: "registry.example.com",
+			expected:    "oci://registry.example.com",
+		},
+		{
+			name:        "registry URL with oci prefix",
+			registryURL: "oci://registry.example.com",
+			expected:    "oci://registry.example.com",
+		},
+		{
+			name:        "registry URL with port",
+			registryURL: "registry.example.com:5000",
+			expected:    "oci://registry.example.com:5000",
+		},
+		{
+			name:        "empty registry URL",
+			registryURL: "",
+			expected:    "oci://",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := ConstructOCIRegistryReference(tt.registryURL)
+			if result != tt.expected {
+				t.Errorf("ConstructOCIRegistryReference(%q) = %q, want %q",
+					tt.registryURL, result, tt.expected)
+			}
+		})
+	}
+}
diff --git a/pkg/libhelm/options/install_options.go b/pkg/libhelm/options/install_options.go
index 807862683..60b14cf0f 100644
--- a/pkg/libhelm/options/install_options.go
+++ b/pkg/libhelm/options/install_options.go
@@ -1,6 +1,10 @@
 package options
 
-import "time"
+import (
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+)
 
 type InstallOptions struct {
 	Name                    string
@@ -8,6 +12,7 @@ type InstallOptions struct {
 	Version                 string
 	Namespace               string
 	Repo                    string
+	Registry                *portainer.Registry
 	Wait                    bool
 	ValuesFile              string
 	PostRenderer            string
diff --git a/pkg/libhelm/options/search_repo_options.go b/pkg/libhelm/options/search_repo_options.go
index 0b35c0bbd..333c28c8b 100644
--- a/pkg/libhelm/options/search_repo_options.go
+++ b/pkg/libhelm/options/search_repo_options.go
@@ -1,10 +1,15 @@
 package options
 
-import "net/http"
+import (
+	"net/http"
+
+	portainer "github.com/portainer/portainer/api"
+)
 
 type SearchRepoOptions struct {
 	Repo     string       `example:"https://charts.gitlab.io/"`
 	Client   *http.Client `example:"&http.Client{Timeout: time.Second * 10}"`
 	Chart    string       `example:"my-chart"`
 	UseCache bool         `example:"false"`
+	Registry *portainer.Registry
 }
diff --git a/pkg/libhelm/options/show_options.go b/pkg/libhelm/options/show_options.go
index a715c6655..dadbab906 100644
--- a/pkg/libhelm/options/show_options.go
+++ b/pkg/libhelm/options/show_options.go
@@ -1,5 +1,7 @@
 package options
 
+import portainer "github.com/portainer/portainer/api"
+
 // ShowOutputFormat is the format of the output of `helm show`
 type ShowOutputFormat string
 
@@ -20,6 +22,6 @@ type ShowOptions struct {
 	Chart        string
 	Repo         string
 	Version      string
-
-	Env []string
+	Env          []string
+	Registry     *portainer.Registry // Registry credentials for authentication
 }
diff --git a/pkg/libhelm/release/release.go b/pkg/libhelm/release/release.go
index acc3328b1..bb49c0435 100644
--- a/pkg/libhelm/release/release.go
+++ b/pkg/libhelm/release/release.go
@@ -45,6 +45,8 @@ type Release struct {
 	// Labels of the release.
 	// Disabled encoding into Json cause labels are stored in storage driver metadata field.
 	Labels map[string]string `json:"-"`
+	// ChartReference are the labels that are used to identify the chart source.
+	ChartReference ChartReference `json:"chartReference,omitempty"`
 	// Values are the values used to deploy the chart.
 	Values Values `json:"values,omitempty"`
 }
@@ -54,6 +56,12 @@ type Values struct {
 	ComputedValues     string `json:"computedValues,omitempty"`
 }
 
+type ChartReference struct {
+	ChartPath  string `json:"chartPath,omitempty"`
+	RepoURL    string `json:"repoURL,omitempty"`
+	RegistryID int64  `json:"registryID,omitempty"`
+}
+
 // Chart is a helm package that contains metadata, a default config, zero or more
 // optionally parameterizable templates, and zero or more charts (dependencies).
 type Chart struct {
diff --git a/pkg/libhelm/sdk/chartsources.go b/pkg/libhelm/sdk/chartsources.go
new file mode 100644
index 000000000..c42196f3d
--- /dev/null
+++ b/pkg/libhelm/sdk/chartsources.go
@@ -0,0 +1,297 @@
+package sdk
+
+// Helm Registry Client Caching Strategy
+//
+// This package implements a registry-based caching mechanism for Helm OCI registry clients
+// to address rate limiting issues caused by repeated registry authentication.
+//
+// Key Design Decisions:
+//
+// 1. Cache Key Strategy: Registry ID
+//    - Uses portainer.RegistryID as the cache key instead of user sessions or URL+username
+//    - One cached client per registry per Portainer instance, regardless of users
+//    - Optimal for rate limiting: each registry only gets one login per Portainer instance
+//    - New users reuse existing cached clients rather than creating new ones
+//
+// 2. Cache Invalidation: Registry Change Events
+//    - Cache is flushed when registry credentials are updated (registryUpdate handler)
+//    - Cache is flushed when registry is reconfigured (registryConfigure handler)
+//    - Cache is flushed when registry is deleted (registryDelete handler)
+//    - Cache is flushed when registry authentication fails (show, install, upgrade)
+//    - No time-based expiration needed since registry credentials rarely change
+//
+// 3. Alternative Approaches NOT Used:
+//    - registry.ClientOptCredentialsFile(): Still requires token exchange on each client creation
+//    - User/session-based caching: Less efficient for rate limiting, creates unnecessary logins
+//    - URL+username caching: More complex, harder to invalidate, doesn't handle registry updates
+//
+// 4. Security Model:
+//    - RBAC security is enforced BEFORE reaching this caching layer (handler.getRegistryWithAccess)
+
+import (
+	"strings"
+
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/pkg/libhelm/cache"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/rs/zerolog/log"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/registry"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+// IsOCIRegistry returns true if the registry is an OCI registry (not nil), false if it's an HTTP repository (nil)
+func IsOCIRegistry(registry *portainer.Registry) bool {
+	return registry != nil
+}
+
+// IsHTTPRepository returns true if it's an HTTP repository (registry is nil), false if it's an OCI registry
+func IsHTTPRepository(registry *portainer.Registry) bool {
+	return registry == nil
+}
+
+// parseChartRef parses chart and repo references based on the registry type
+func parseChartRef(chart, repo string, registry *portainer.Registry) (string, string, error) {
+	if IsHTTPRepository(registry) {
+		return parseHTTPRepoChartRef(chart, repo)
+	}
+	return parseOCIChartRef(chart, registry)
+}
+
+// parseOCIChartRef constructs the full OCI chart reference
+func parseOCIChartRef(chart string, registry *portainer.Registry) (string, string, error) {
+
+	chartRef := options.ConstructChartReference(registry.URL, chart)
+
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("chart_ref", chartRef).
+		Bool("authentication", registry.Authentication).
+		Msg("Constructed OCI chart reference")
+
+	return chartRef, registry.URL, nil
+}
+
+// parseHTTPRepoChartRef returns chart and repo as-is for HTTP repositories
+func parseHTTPRepoChartRef(chart, repo string) (string, string, error) {
+	return chart, repo, nil
+}
+
+// shouldFlushCacheOnError determines if a registry client should be removed from cache based on the error
+// This helps handle cases where cached credentials have become invalid
+func shouldFlushCacheOnError(err error, registryID portainer.RegistryID) bool {
+	if err == nil || registryID == 0 {
+		return false
+	}
+
+	errorStr := strings.ToLower(err.Error())
+
+	// Authentication/authorization errors that indicate invalid cached credentials
+	authenticationErrors := []string{
+		"unauthorized",
+		"authentication",
+		"login failed",
+		"invalid credentials",
+		"access denied",
+		"forbidden",
+		"401",
+		"403",
+		"token",
+		"auth",
+	}
+
+	for _, authErr := range authenticationErrors {
+		if strings.Contains(errorStr, authErr) {
+			log.Info().
+				Int("registry_id", int(registryID)).
+				Str("error", err.Error()).
+				Str("context", "HelmClient").
+				Msg("Detected authentication error - will flush registry cache")
+			return true
+		}
+	}
+
+	return false
+}
+
+// authenticateChartSource handles both HTTP repositories and OCI registries
+func authenticateChartSource(actionConfig *action.Configuration, registry *portainer.Registry) error {
+	// For HTTP repositories, no authentication needed (CE and EE)
+	if IsHTTPRepository(registry) {
+		return nil
+	}
+
+	// If RegistryClient is already set, we're done
+	if actionConfig.RegistryClient != nil {
+		log.Debug().
+			Str("context", "HelmClient").
+			Msg("Registry client already set in action config")
+		return nil
+	}
+
+	// Validate registry credentials first
+	err := validateRegistryCredentials(registry)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Err(err).
+			Msg("Registry credential validation failed")
+		return errors.Wrap(err, "registry credential validation failed")
+	}
+
+	// No authentication required
+	if !registry.Authentication {
+		log.Debug().
+			Str("context", "HelmClient").
+			Msg("No OCI registry authentication required")
+		return nil
+	}
+
+	// Cache Strategy Decision: Use registry ID as cache key
+	// This provides optimal rate limiting protection since each registry only gets
+	// logged into once per Portainer instance, regardless of how many users access it.
+	// RBAC security is enforced before reaching this caching layer.
+	// When a new user needs access, they reuse the same cached client.
+	//
+	// Alternative approach (NOT used): registry.ClientOptCredentialsFile()
+	// We don't use Helm's credential file approach because:
+	// 1. It still requires token exchange with registry on each new client creation
+	// 2. Rate limiting occurs during token exchange, not credential loading
+	// 3. Our caching approach reuses existing authenticated clients completely
+	// 4. Credential files add complexity without solving the core rate limiting issue
+
+	// Try to get cached registry client (registry ID-based key)
+	if cachedClient, found := cache.GetCachedRegistryClientByID(registry.ID); found {
+		log.Debug().
+			Int("registry_id", int(registry.ID)).
+			Str("registry_url", registry.URL).
+			Str("context", "HelmClient").
+			Msg("Using cached registry client")
+
+		actionConfig.RegistryClient = cachedClient
+		return nil
+	}
+
+	// Cache miss - perform login and cache the result
+	log.Debug().
+		Int("registry_id", int(registry.ID)).
+		Str("registry_url", registry.URL).
+		Str("context", "HelmClient").
+		Msg("Cache miss - creating new registry client")
+
+	registryClient, err := loginToOCIRegistry(registry)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("registry_url", registry.URL).
+			Err(err).
+			Msg("Failed to login to registry")
+		return errors.Wrap(err, "failed to login to registry")
+	}
+
+	// Cache the client if login was successful (registry ID-based key)
+	if registryClient != nil {
+		cache.SetCachedRegistryClientByID(registry.ID, registryClient)
+		log.Debug().
+			Int("registry_id", int(registry.ID)).
+			Str("registry_url", registry.URL).
+			Str("context", "HelmClient").
+			Msg("Registry client cached successfully")
+	}
+
+	actionConfig.RegistryClient = registryClient
+	return nil
+}
+
+// configureChartPathOptions sets chart path options based on registry type
+func configureChartPathOptions(chartPathOptions *action.ChartPathOptions, version, repo string, registry *portainer.Registry) error {
+	chartPathOptions.Version = version
+	// Set chart path options based on registry type
+	if IsHTTPRepository(registry) {
+		configureHTTPRepoChartPathOptions(chartPathOptions, repo)
+	} else {
+		configureOCIChartPathOptions(chartPathOptions, registry)
+	}
+
+	return nil
+}
+
+// configureHTTPRepoChartPathOptions sets chart path options for HTTP repositories
+func configureHTTPRepoChartPathOptions(chartPathOptions *action.ChartPathOptions, repo string) {
+	chartPathOptions.RepoURL = repo
+}
+
+// configureOCIChartPathOptions sets chart path options for OCI registries
+func configureOCIChartPathOptions(chartPathOptions *action.ChartPathOptions, registry *portainer.Registry) {
+	if registry.Authentication {
+		chartPathOptions.Username = registry.Username
+		chartPathOptions.Password = registry.Password
+	}
+}
+
+// loginToOCIRegistry performs registry login for OCI-based registries using Helm SDK
+// Tries to get a cached registry client if available, otherwise creates and caches a new one
+func loginToOCIRegistry(portainerRegistry *portainer.Registry) (*registry.Client, error) {
+	if IsHTTPRepository(portainerRegistry) || !portainerRegistry.Authentication {
+		return nil, nil // No authentication needed
+	}
+
+	// Check cache first using registry ID-based key
+	if cachedClient, found := cache.GetCachedRegistryClientByID(portainerRegistry.ID); found {
+		return cachedClient, nil
+	}
+
+	log.Debug().
+		Str("context", "loginToRegistry").
+		Int("registry_id", int(portainerRegistry.ID)).
+		Str("registry_url", portainerRegistry.URL).
+		Msg("Attempting to login to OCI registry")
+
+	registryClient, err := registry.NewClient(registry.ClientOptHTTPClient(retry.DefaultClient))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create registry client")
+	}
+
+	loginOpts := []registry.LoginOption{
+		registry.LoginOptBasicAuth(portainerRegistry.Username, portainerRegistry.Password),
+	}
+
+	err = registryClient.Login(portainerRegistry.URL, loginOpts...)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to login to registry %s", portainerRegistry.URL)
+	}
+
+	log.Debug().
+		Str("context", "loginToRegistry").
+		Int("registry_id", int(portainerRegistry.ID)).
+		Str("registry_url", portainerRegistry.URL).
+		Msg("Successfully logged in to OCI registry")
+
+	// Cache using registry ID-based key
+	cache.SetCachedRegistryClientByID(portainerRegistry.ID, registryClient)
+
+	return registryClient, nil
+}
+
+// validateRegistryCredentials validates registry authentication settings
+func validateRegistryCredentials(registry *portainer.Registry) error {
+	if IsHTTPRepository(registry) {
+		return nil // No registry means no validation needed
+	}
+
+	if !registry.Authentication {
+		return nil // No authentication required
+	}
+
+	// Authentication is enabled - validate credentials
+	if strings.TrimSpace(registry.Username) == "" {
+		return errors.New("username is required when registry authentication is enabled")
+	}
+
+	if strings.TrimSpace(registry.Password) == "" {
+		return errors.New("password is required when registry authentication is enabled")
+	}
+
+	return nil
+}
diff --git a/pkg/libhelm/sdk/chartsources_test.go b/pkg/libhelm/sdk/chartsources_test.go
new file mode 100644
index 000000000..663601abc
--- /dev/null
+++ b/pkg/libhelm/sdk/chartsources_test.go
@@ -0,0 +1,752 @@
+package sdk
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
+	helmregistrycache "github.com/portainer/portainer/pkg/libhelm/cache"
+	"github.com/stretchr/testify/assert"
+	"helm.sh/helm/v3/pkg/action"
+	"helm.sh/helm/v3/pkg/registry"
+)
+
+func TestIsOCIRegistry(t *testing.T) {
+	t.Run("should return false for nil registry (HTTP repo)", func(t *testing.T) {
+		assert.False(t, IsOCIRegistry(nil))
+	})
+
+	t.Run("should return true for non-nil registry (OCI registry)", func(t *testing.T) {
+		assert.True(t, IsOCIRegistry(&portainer.Registry{}))
+	})
+}
+
+func TestIsHTTPRepository(t *testing.T) {
+	t.Run("should return true for nil registry (HTTP repo)", func(t *testing.T) {
+		assert.True(t, IsHTTPRepository(nil))
+	})
+
+	t.Run("should return false for non-nil registry (OCI registry)", func(t *testing.T) {
+		assert.False(t, IsHTTPRepository(&portainer.Registry{}))
+	})
+}
+
+func TestParseHTTPRepoChartRef(t *testing.T) {
+	is := assert.New(t)
+
+	chartRef, repoURL, err := parseHTTPRepoChartRef("my-chart", "https://my.repo/charts")
+
+	is.NoError(err)
+	is.Equal("my-chart", chartRef)
+	is.Equal("https://my.repo/charts", repoURL)
+}
+
+func TestParseOCIChartRef(t *testing.T) {
+	is := assert.New(t)
+
+	registry := &portainer.Registry{
+		URL:            "my-registry.io/my-namespace",
+		Authentication: true,
+		Username:       "user",
+		Password:       "pass",
+	}
+
+	chartRef, repoURL, err := parseOCIChartRef("my-chart", registry)
+
+	is.NoError(err)
+	is.Equal("oci://my-registry.io/my-namespace/my-chart", chartRef)
+	is.Equal("my-registry.io/my-namespace", repoURL)
+}
+
+func TestParseOCIChartRef_GitLab(t *testing.T) {
+	is := assert.New(t)
+
+	registry := &portainer.Registry{
+		Type:           portainer.GitlabRegistry,
+		URL:            "registry.gitlab.com",
+		Authentication: true,
+		Username:       "gitlab-ci-token",
+		Password:       "glpat-xxxxxxxxxxxxxxxxxxxx",
+		Gitlab: portainer.GitlabRegistryData{
+			ProjectID:   12345,
+			InstanceURL: "https://gitlab.com",
+			ProjectPath: "my-group/my-project",
+		},
+	}
+
+	chartRef, repoURL, err := parseOCIChartRef("my-chart", registry)
+
+	is.NoError(err)
+	is.Equal("oci://registry.gitlab.com/my-chart", chartRef)
+	is.Equal("registry.gitlab.com", repoURL)
+}
+
+func TestParseChartRef(t *testing.T) {
+	t.Run("should parse HTTP repo chart ref when registry is nil", func(t *testing.T) {
+		is := assert.New(t)
+
+		chartRef, repoURL, err := parseChartRef("my-chart", "https://my.repo/charts", nil)
+
+		is.NoError(err)
+		is.Equal("my-chart", chartRef)
+		is.Equal("https://my.repo/charts", repoURL)
+	})
+
+	t.Run("should parse OCI chart ref when registry is provided", func(t *testing.T) {
+		is := assert.New(t)
+
+		registry := &portainer.Registry{
+			URL:            "my-registry.io/my-namespace",
+			Authentication: true,
+			Username:       "user",
+			Password:       "pass",
+		}
+
+		chartRef, repoURL, err := parseChartRef("my-chart", "", registry)
+
+		is.NoError(err)
+		is.Equal("oci://my-registry.io/my-namespace/my-chart", chartRef)
+		is.Equal("my-registry.io/my-namespace", repoURL)
+	})
+}
+
+func TestConfigureHTTPRepoChartPathOptions(t *testing.T) {
+	is := assert.New(t)
+	chartPathOptions := &action.ChartPathOptions{}
+
+	configureHTTPRepoChartPathOptions(chartPathOptions, "https://my.repo/charts")
+
+	is.Equal("https://my.repo/charts", chartPathOptions.RepoURL)
+}
+
+func TestConfigureOCIChartPathOptions(t *testing.T) {
+	is := assert.New(t)
+	chartPathOptions := &action.ChartPathOptions{}
+
+	registry := &portainer.Registry{
+		URL:            "my-registry.io/my-namespace",
+		Authentication: true,
+		Username:       "user",
+		Password:       "pass",
+	}
+
+	configureOCIChartPathOptions(chartPathOptions, registry)
+
+	is.Equal("user", chartPathOptions.Username)
+	is.Equal("pass", chartPathOptions.Password)
+}
+
+func TestConfigureOCIChartPathOptions_NoAuth(t *testing.T) {
+	is := assert.New(t)
+	chartPathOptions := &action.ChartPathOptions{}
+
+	registry := &portainer.Registry{
+		URL:            "my-registry.io/my-namespace",
+		Authentication: false,
+	}
+
+	configureOCIChartPathOptions(chartPathOptions, registry)
+
+	is.Empty(chartPathOptions.Username)
+	is.Empty(chartPathOptions.Password)
+}
+
+func TestConfigureChartPathOptions(t *testing.T) {
+	t.Run("should configure HTTP repo when registry is nil", func(t *testing.T) {
+		is := assert.New(t)
+		chartPathOptions := &action.ChartPathOptions{}
+
+		err := configureChartPathOptions(chartPathOptions, "1.0.0", "https://my.repo/charts", nil)
+
+		is.NoError(err)
+		is.Equal("https://my.repo/charts", chartPathOptions.RepoURL)
+		is.Equal("1.0.0", chartPathOptions.Version)
+	})
+
+	t.Run("should configure OCI registry when registry is provided", func(t *testing.T) {
+		is := assert.New(t)
+		chartPathOptions := &action.ChartPathOptions{}
+
+		registry := &portainer.Registry{
+			URL:            "my-registry.io/my-namespace",
+			Authentication: true,
+			Username:       "user",
+			Password:       "pass",
+		}
+
+		err := configureChartPathOptions(chartPathOptions, "1.0.0", "", registry)
+
+		is.NoError(err)
+		is.Equal("user", chartPathOptions.Username)
+		is.Equal("pass", chartPathOptions.Password)
+		is.Equal("1.0.0", chartPathOptions.Version)
+	})
+}
+
+func TestLoginToOCIRegistry(t *testing.T) {
+	is := assert.New(t)
+
+	t.Run("should return nil for HTTP repository (nil registry)", func(t *testing.T) {
+		client, err := loginToOCIRegistry(nil)
+		is.NoError(err)
+		is.Nil(client)
+	})
+
+	t.Run("should return nil for registry with auth disabled", func(t *testing.T) {
+		registry := &portainer.Registry{
+			URL:            "my-registry.io",
+			Authentication: false,
+		}
+		client, err := loginToOCIRegistry(registry)
+		is.NoError(err)
+		is.Nil(client)
+	})
+
+	t.Run("should return error for invalid credentials", func(t *testing.T) {
+		registry := &portainer.Registry{
+			URL:            "my-registry.io",
+			Authentication: true,
+			Username:       " ",
+		}
+		client, err := loginToOCIRegistry(registry)
+		is.Error(err)
+		is.Nil(client)
+		// The error might be a validation error or a login error, both are acceptable
+		is.True(err.Error() == "username is required when registry authentication is enabled" ||
+			strings.Contains(err.Error(), "failed to login to registry"))
+	})
+
+	t.Run("should attempt login for valid credentials", func(t *testing.T) {
+		registry := &portainer.Registry{
+			ID:             123,
+			URL:            "my-registry.io",
+			Authentication: true,
+			Username:       "user",
+			Password:       "pass",
+		}
+		// this will fail because it can't connect to the registry,
+		// but it proves that the loginToOCIRegistry function is calling the login function.
+		client, err := loginToOCIRegistry(registry)
+		is.Error(err)
+		is.Nil(client)
+		is.Contains(err.Error(), "failed to login to registry")
+	})
+
+	t.Run("should attempt login for GitLab registry with valid credentials", func(t *testing.T) {
+		registry := &portainer.Registry{
+			ID:             456,
+			Type:           portainer.GitlabRegistry,
+			URL:            "registry.gitlab.com",
+			Authentication: true,
+			Username:       "gitlab-ci-token",
+			Password:       "glpat-xxxxxxxxxxxxxxxxxxxx",
+			Gitlab: portainer.GitlabRegistryData{
+				ProjectID:   12345,
+				InstanceURL: "https://gitlab.com",
+				ProjectPath: "my-group/my-project",
+			},
+		}
+		// this will fail because it can't connect to the registry,
+		// but it proves that the loginToOCIRegistry function is calling the login function.
+		client, err := loginToOCIRegistry(registry)
+		is.Error(err)
+		is.Nil(client)
+		is.Contains(err.Error(), "failed to login to registry")
+	})
+}
+
+func TestAuthenticateChartSource(t *testing.T) {
+	t.Run("should do nothing for HTTP repo (nil registry)", func(t *testing.T) {
+		is := assert.New(t)
+		actionConfig := &action.Configuration{}
+		err := authenticateChartSource(actionConfig, nil)
+		is.NoError(err)
+		is.Nil(actionConfig.RegistryClient)
+	})
+
+	t.Run("should do nothing if registry client already set", func(t *testing.T) {
+		is := assert.New(t)
+		actionConfig := &action.Configuration{}
+		// Mock an existing registry client
+		existingClient := &registry.Client{}
+		actionConfig.RegistryClient = existingClient
+
+		registry := &portainer.Registry{
+			ID:             123,
+			Authentication: true,
+			Username:       "user",
+			Password:       "pass",
+		}
+
+		err := authenticateChartSource(actionConfig, registry)
+		is.NoError(err)
+		is.Equal(existingClient, actionConfig.RegistryClient)
+	})
+
+	t.Run("should authenticate OCI registry when registry is provided", func(t *testing.T) {
+		is := assert.New(t)
+		actionConfig := &action.Configuration{}
+		registry := &portainer.Registry{
+			ID:             123,
+			Authentication: false,
+		}
+		err := authenticateChartSource(actionConfig, registry)
+		is.NoError(err)
+	})
+
+	t.Run("should return error for invalid registry credentials", func(t *testing.T) {
+		is := assert.New(t)
+		actionConfig := &action.Configuration{}
+		registry := &portainer.Registry{
+			ID:             123,
+			Authentication: true,
+			Username:       " ", // Invalid username
+		}
+		err := authenticateChartSource(actionConfig, registry)
+		is.Error(err)
+		is.Contains(err.Error(), "registry credential validation failed")
+	})
+}
+
+func TestGetRegistryClientFromCache(t *testing.T) {
+	// Initialize cache for testing
+	err := helmregistrycache.Initialize("24h")
+	if err != nil {
+		t.Fatalf("Failed to initialize cache: %v", err)
+	}
+	// Clear cache before each test
+	helmregistrycache.FlushAll()
+
+	t.Run("should return nil for invalid registry ID", func(t *testing.T) {
+		is := assert.New(t)
+		client, found := helmregistrycache.GetCachedRegistryClientByID(0)
+		is.False(found)
+		is.Nil(client)
+	})
+
+	t.Run("should return nil for non-existent registry ID", func(t *testing.T) {
+		is := assert.New(t)
+		client, found := helmregistrycache.GetCachedRegistryClientByID(123)
+		is.False(found)
+		is.Nil(client)
+	})
+
+	t.Run("should return cached client for valid registry ID", func(t *testing.T) {
+		is := assert.New(t)
+		// Create a mock client
+		mockClient := &registry.Client{}
+
+		// Store in cache
+		helmregistrycache.SetCachedRegistryClientByID(123, mockClient)
+
+		// Retrieve from cache
+		cachedClient, found := helmregistrycache.GetCachedRegistryClientByID(123)
+		is.True(found)
+		is.NotNil(cachedClient)
+		is.Equal(mockClient, cachedClient)
+	})
+}
+
+func TestSetRegistryClientInCache(t *testing.T) {
+	// Initialize cache for testing
+	err := helmregistrycache.Initialize("24h")
+	if err != nil {
+		t.Fatalf("Failed to initialize cache: %v", err)
+	}
+	// Clear cache before each test
+	helmregistrycache.FlushAll()
+
+	t.Run("should store and retrieve client successfully", func(t *testing.T) {
+		is := assert.New(t)
+		// Create a mock client
+		client := &registry.Client{}
+
+		// Store in cache
+		helmregistrycache.SetCachedRegistryClientByID(123, client)
+
+		// Verify the cache returns the client
+		cachedClient, found := helmregistrycache.GetCachedRegistryClientByID(123)
+		is.True(found)
+		is.NotNil(cachedClient)
+		is.Equal(client, cachedClient)
+	})
+
+	t.Run("should handle invalid parameters gracefully", func(t *testing.T) {
+		// Clear cache to start clean
+		helmregistrycache.FlushAll()
+
+		// These should not panic
+		helmregistrycache.SetCachedRegistryClientByID(0, nil)                  // nil client should be rejected
+		helmregistrycache.SetCachedRegistryClientByID(999, &registry.Client{}) // valid client with registry ID 999 should be accepted
+		helmregistrycache.SetCachedRegistryClientByID(123, nil)                // nil client should be rejected
+
+		// Verify that nil clients don't get stored, but valid clients do
+		is := assert.New(t)
+
+		// Registry ID 999 with a valid client should be found (the second call above)
+		client, found := helmregistrycache.GetCachedRegistryClientByID(999)
+		is.True(found)
+		is.NotNil(client)
+
+		// Registry ID 0 with nil client should not be found
+		client, found = helmregistrycache.GetCachedRegistryClientByID(0)
+		is.False(found)
+		is.Nil(client)
+
+		// Registry ID 123 with nil client should not be found
+		client, found = helmregistrycache.GetCachedRegistryClientByID(123)
+		is.False(found)
+		is.Nil(client)
+	})
+}
+
+func TestFlushRegistryCache(t *testing.T) {
+	// Initialize cache for testing
+	err := helmregistrycache.Initialize("24h")
+	if err != nil {
+		t.Fatalf("Failed to initialize cache: %v", err)
+	}
+	// Clear cache before test
+	helmregistrycache.FlushAll()
+
+	t.Run("should flush specific registry cache", func(t *testing.T) {
+		is := assert.New(t)
+		// Create mock clients
+		client1 := &registry.Client{}
+		client2 := &registry.Client{}
+
+		// Store in cache
+		helmregistrycache.SetCachedRegistryClientByID(123, client1)
+		helmregistrycache.SetCachedRegistryClientByID(456, client2)
+
+		// Verify both are cached
+		client, found := helmregistrycache.GetCachedRegistryClientByID(123)
+		is.True(found)
+		is.NotNil(client)
+		client, found = helmregistrycache.GetCachedRegistryClientByID(456)
+		is.True(found)
+		is.NotNil(client)
+
+		// Flush only one
+		helmregistrycache.FlushRegistryByID(123)
+
+		// Verify only one is flushed
+		client, found = helmregistrycache.GetCachedRegistryClientByID(123)
+		is.False(found)
+		is.Nil(client)
+		client, found = helmregistrycache.GetCachedRegistryClientByID(456)
+		is.True(found)
+		is.NotNil(client)
+	})
+}
+
+func TestFlushAllRegistryCache(t *testing.T) {
+	// Initialize cache for testing
+	err := helmregistrycache.Initialize("24h")
+	if err != nil {
+		t.Fatalf("Failed to initialize cache: %v", err)
+	}
+
+	t.Run("should flush all registry cache", func(t *testing.T) {
+		is := assert.New(t)
+		// Create mock clients
+		client1 := &registry.Client{}
+		client2 := &registry.Client{}
+
+		// Store in cache
+		helmregistrycache.SetCachedRegistryClientByID(123, client1)
+		helmregistrycache.SetCachedRegistryClientByID(456, client2)
+
+		// Verify both are cached
+		client, found := helmregistrycache.GetCachedRegistryClientByID(123)
+		is.True(found)
+		is.NotNil(client)
+		client, found = helmregistrycache.GetCachedRegistryClientByID(456)
+		is.True(found)
+		is.NotNil(client)
+
+		// Flush all
+		helmregistrycache.FlushAll()
+
+		// Verify both are flushed
+		client, found = helmregistrycache.GetCachedRegistryClientByID(123)
+		is.False(found)
+		is.Nil(client)
+		client, found = helmregistrycache.GetCachedRegistryClientByID(456)
+		is.False(found)
+		is.Nil(client)
+		client, found = helmregistrycache.GetCachedRegistryClientByID(456)
+		is.False(found)
+		is.Nil(client)
+	})
+}
+
+func TestValidateRegistryCredentials(t *testing.T) {
+	tests := []struct {
+		name        string
+		registry    *portainer.Registry
+		expectError bool
+		errorMsg    string
+	}{
+		{
+			name:        "nil registry should pass validation",
+			registry:    nil,
+			expectError: false,
+		},
+		{
+			name: "registry with authentication disabled should pass validation",
+			registry: &portainer.Registry{
+				Authentication: false,
+			},
+			expectError: false,
+		},
+		{
+			name: "registry with authentication enabled and valid credentials should pass",
+			registry: &portainer.Registry{
+				Authentication: true,
+				Username:       "testuser",
+				Password:       "testpass",
+			},
+			expectError: false,
+		},
+		{
+			name: "registry with authentication enabled but empty username should fail",
+			registry: &portainer.Registry{
+				Authentication: true,
+				Username:       "",
+				Password:       "testpass",
+			},
+			expectError: true,
+			errorMsg:    "username is required when registry authentication is enabled",
+		},
+		{
+			name: "registry with authentication enabled but whitespace username should fail",
+			registry: &portainer.Registry{
+				Authentication: true,
+				Username:       " ",
+				Password:       "testpass",
+			},
+			expectError: true,
+			errorMsg:    "username is required when registry authentication is enabled",
+		},
+		{
+			name: "registry with authentication enabled but empty password should fail",
+			registry: &portainer.Registry{
+				Authentication: true,
+				Username:       "testuser",
+				Password:       "",
+			},
+			expectError: true,
+			errorMsg:    "password is required when registry authentication is enabled",
+		},
+		{
+			name: "registry with authentication enabled but whitespace password should fail",
+			registry: &portainer.Registry{
+				Authentication: true,
+				Username:       "testuser",
+				Password:       " ",
+			},
+			expectError: true,
+			errorMsg:    "password is required when registry authentication is enabled",
+		},
+		{
+			name: "GitLab registry with authentication enabled and valid credentials should pass",
+			registry: &portainer.Registry{
+				Type:           portainer.GitlabRegistry,
+				Authentication: true,
+				Username:       "gitlab-ci-token",
+				Password:       "glpat-xxxxxxxxxxxxxxxxxxxx",
+				Gitlab: portainer.GitlabRegistryData{
+					ProjectID:   12345,
+					InstanceURL: "https://gitlab.com",
+					ProjectPath: "my-group/my-project",
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "GitLab registry with authentication enabled but empty username should fail",
+			registry: &portainer.Registry{
+				Type:           portainer.GitlabRegistry,
+				Authentication: true,
+				Username:       "",
+				Password:       "glpat-xxxxxxxxxxxxxxxxxxxx",
+				Gitlab: portainer.GitlabRegistryData{
+					ProjectID:   12345,
+					InstanceURL: "https://gitlab.com",
+					ProjectPath: "my-group/my-project",
+				},
+			},
+			expectError: true,
+			errorMsg:    "username is required when registry authentication is enabled",
+		},
+		{
+			name: "GitLab registry with authentication enabled but empty password should fail",
+			registry: &portainer.Registry{
+				Type:           portainer.GitlabRegistry,
+				Authentication: true,
+				Username:       "gitlab-ci-token",
+				Password:       "",
+				Gitlab: portainer.GitlabRegistryData{
+					ProjectID:   12345,
+					InstanceURL: "https://gitlab.com",
+					ProjectPath: "my-group/my-project",
+				},
+			},
+			expectError: true,
+			errorMsg:    "password is required when registry authentication is enabled",
+		},
+		{
+			name: "GitLab registry with authentication disabled should pass validation",
+			registry: &portainer.Registry{
+				Type:           portainer.GitlabRegistry,
+				Authentication: false,
+				Gitlab: portainer.GitlabRegistryData{
+					ProjectID:   12345,
+					InstanceURL: "https://gitlab.com",
+					ProjectPath: "my-group/my-project",
+				},
+			},
+			expectError: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := validateRegistryCredentials(tt.registry)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				if err != nil {
+					assert.Equal(t, tt.errorMsg, err.Error())
+				}
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}
+
+// Note: buildCacheKey function was removed since we now use registry ID-based caching
+// instead of endpoint/session-based caching for better rate limiting protection
+
+func TestShouldFlushCacheOnError(t *testing.T) {
+	tests := []struct {
+		name        string
+		err         error
+		registryID  portainer.RegistryID
+		shouldFlush bool
+	}{
+		{
+			name:        "nil error should not flush",
+			err:         nil,
+			registryID:  123,
+			shouldFlush: false,
+		},
+		{
+			name:        "zero registry ID should not flush",
+			err:         errors.New("some error"),
+			registryID:  0,
+			shouldFlush: false,
+		},
+		{
+			name:        "unauthorized error should flush",
+			err:         errors.New("unauthorized access to registry"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "authentication failed error should flush",
+			err:         errors.New("authentication failed"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "login failed error should flush",
+			err:         errors.New("login failed for user"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "invalid credentials error should flush",
+			err:         errors.New("invalid credentials provided"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "access denied error should flush",
+			err:         errors.New("access denied to repository"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "forbidden error should flush",
+			err:         errors.New("forbidden: insufficient permissions"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "401 error should flush",
+			err:         errors.New("HTTP 401 Unauthorized"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "403 error should flush",
+			err:         errors.New("HTTP 403 Forbidden"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "token error should flush",
+			err:         errors.New("token expired or invalid"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "auth error should flush",
+			err:         errors.New("auth validation failed"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+		{
+			name:        "chart not found error should not flush",
+			err:         errors.New("chart not found in repository"),
+			registryID:  123,
+			shouldFlush: false,
+		},
+		{
+			name:        "network error should not flush",
+			err:         errors.New("connection timeout"),
+			registryID:  123,
+			shouldFlush: false,
+		},
+		{
+			name:        "helm validation error should not flush",
+			err:         errors.New("invalid chart values"),
+			registryID:  123,
+			shouldFlush: false,
+		},
+		{
+			name:        "kubernetes error should not flush",
+			err:         errors.New("namespace not found"),
+			registryID:  123,
+			shouldFlush: false,
+		},
+		{
+			name:        "case insensitive matching works",
+			err:         errors.New("UNAUTHORIZED access denied"),
+			registryID:  123,
+			shouldFlush: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			result := shouldFlushCacheOnError(tt.err, tt.registryID)
+			is := assert.New(t)
+			is.Equal(tt.shouldFlush, result, "Expected shouldFlushCacheOnError to return %v for error: %v", tt.shouldFlush, tt.err)
+		})
+	}
+}
diff --git a/pkg/libhelm/sdk/common.go b/pkg/libhelm/sdk/common.go
index 2a51c7f8b..c831a69fa 100644
--- a/pkg/libhelm/sdk/common.go
+++ b/pkg/libhelm/sdk/common.go
@@ -1,24 +1,38 @@
 package sdk
 
 import (
+	"fmt"
+	"maps"
+	"net/url"
 	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/libhelm/release"
 	"github.com/rs/zerolog/log"
 	"helm.sh/helm/v3/pkg/action"
 	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/chart/loader"
+	"helm.sh/helm/v3/pkg/cli"
 	"helm.sh/helm/v3/pkg/downloader"
 	"helm.sh/helm/v3/pkg/getter"
+	"helm.sh/helm/v3/pkg/repo"
+)
+
+// Helm chart reference label constants
+const (
+	ChartPathAnnotation  = "portainer/chart-path"
+	RepoURLAnnotation    = "portainer/repo-url"
+	RegistryIDAnnotation = "portainer/registry-id"
 )
 
 // loadAndValidateChartWithPathOptions locates and loads the chart, and validates it.
 // it also checks for chart dependencies and updates them if necessary.
 // it returns the chart information.
 func (hspm *HelmSDKPackageManager) loadAndValidateChartWithPathOptions(chartPathOptions *action.ChartPathOptions, chartName, version string, repoURL string, dependencyUpdate bool, operation string) (*chart.Chart, error) {
-	// Locate and load the chart
-	chartPathOptions.RepoURL = repoURL
-	chartPathOptions.Version = version
 	chartPath, err := chartPathOptions.LocateChart(chartName, hspm.settings)
 	if err != nil {
 		log.Error().
@@ -26,6 +40,11 @@ func (hspm *HelmSDKPackageManager) loadAndValidateChartWithPathOptions(chartPath
 			Str("chart", chartName).
 			Err(err).
 			Msg("Failed to locate chart for helm " + operation)
+
+		// For OCI charts, chartName already contains the full reference
+		if strings.HasPrefix(chartName, options.OCIProtocolPrefix) {
+			return nil, errors.Wrapf(err, "failed to find the helm chart: %s", chartName)
+		}
 		return nil, errors.Wrapf(err, "failed to find the helm chart at the path: %s/%s", repoURL, chartName)
 	}
 
@@ -86,3 +105,186 @@ func (hspm *HelmSDKPackageManager) loadAndValidateChartWithPathOptions(chartPath
 
 	return chartReq, nil
 }
+
+// parseRepoURL parses and validates a Helm repository URL using RFC 3986 standards.
+// Used by search and show operations before downloading index.yaml files.
+func parseRepoURL(repoURL string) (*url.URL, error) {
+	parsedURL, err := url.ParseRequestURI(repoURL)
+	if err != nil {
+		return nil, errors.Wrap(err, "invalid helm chart URL: "+repoURL)
+	}
+	return parsedURL, nil
+}
+
+// getRepoNameFromURL generates a unique repository identifier from a URL.
+// Combines hostname and path for uniqueness (e.g., "charts.helm.sh/stable" → "charts.helm.sh-stable").
+// Used for Helm's repositories.yaml entries, caching, and chart references.
+func getRepoNameFromURL(urlStr string) (string, error) {
+	parsedURL, err := url.Parse(urlStr)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse URL: %w", err)
+	}
+
+	hostname := parsedURL.Hostname()
+	path := parsedURL.Path
+	path = strings.Trim(path, "/")
+	path = strings.ReplaceAll(path, "/", "-")
+
+	if path == "" {
+		return hostname, nil
+	}
+	return fmt.Sprintf("%s-%s", hostname, path), nil
+}
+
+// loadIndexFile loads and parses a Helm repository index.yaml file.
+// Called after downloading from HTTP repos or generating from OCI registries.
+// Contains chart metadata used for discovery, version resolution, and caching.
+func loadIndexFile(indexPath string) (*repo.IndexFile, error) {
+	log.Debug().
+		Str("context", "HelmClient").
+		Str("index_path", indexPath).
+		Msg("Loading index file")
+
+	indexFile, err := repo.LoadIndexFile(indexPath)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("index_path", indexPath).
+			Err(err).
+			Msg("Failed to load index file")
+		return nil, errors.Wrapf(err, "failed to load downloaded index file: %s", indexPath)
+	}
+	return indexFile, nil
+}
+
+// ensureHelmDirectoriesExist creates required Helm directories and configuration files.
+// Creates repository cache, config directories, and ensures repositories.yaml exists.
+// Essential for Helm operations to function properly.
+func ensureHelmDirectoriesExist(settings *cli.EnvSettings) error {
+	log.Debug().
+		Str("context", "helm_sdk_dirs").
+		Msg("Ensuring Helm directories exist")
+
+	// List of directories to ensure exist
+	directories := []string{
+		filepath.Dir(settings.RepositoryConfig), // Repository config directory
+		settings.RepositoryCache,                // Repository cache directory
+		filepath.Dir(settings.RegistryConfig),   // Registry config directory
+		settings.PluginsDirectory,               // Plugins directory
+	}
+
+	// Create each directory if it doesn't exist
+	for _, dir := range directories {
+		if dir == "" {
+			continue // Skip empty paths
+		}
+
+		if _, err := os.Stat(dir); os.IsNotExist(err) {
+			if err := os.MkdirAll(dir, 0700); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("directory", dir).
+					Err(err).
+					Msg("Failed to create directory")
+				return errors.Wrapf(err, "failed to create directory: %s", dir)
+			}
+		}
+	}
+
+	// Ensure registry config file exists
+	if settings.RegistryConfig != "" {
+		if _, err := os.Stat(settings.RegistryConfig); os.IsNotExist(err) {
+			// Create the directory if it doesn't exist
+			dir := filepath.Dir(settings.RegistryConfig)
+			if err := os.MkdirAll(dir, 0700); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("directory", dir).
+					Err(err).
+					Msg("Failed to create directory")
+				return errors.Wrapf(err, "failed to create directory: %s", dir)
+			}
+
+			// Create an empty registry config file
+			if _, err := os.Create(settings.RegistryConfig); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("file", settings.RegistryConfig).
+					Err(err).
+					Msg("Failed to create registry config file")
+				return errors.Wrapf(err, "failed to create registry config file: %s", settings.RegistryConfig)
+			}
+		}
+	}
+
+	// Ensure repository config file exists
+	if settings.RepositoryConfig != "" {
+		if _, err := os.Stat(settings.RepositoryConfig); os.IsNotExist(err) {
+			// Create an empty repository config file with default yaml structure
+			f := repo.NewFile()
+			if err := f.WriteFile(settings.RepositoryConfig, 0644); err != nil {
+				log.Error().
+					Str("context", "helm_sdk_dirs").
+					Str("file", settings.RepositoryConfig).
+					Err(err).
+					Msg("Failed to create repository config file")
+				return errors.Wrapf(err, "failed to create repository config file: %s", settings.RepositoryConfig)
+			}
+		}
+	}
+
+	log.Debug().
+		Str("context", "helm_sdk_dirs").
+		Msg("Successfully ensured all Helm directories exist")
+
+	return nil
+}
+
+// appendChartReferenceAnnotations encodes chart reference values for safe storage in Helm labels.
+// It creates a new map with encoded values for specific chart reference labels.
+// Preserves existing labels and handles edge cases gracefully.
+func appendChartReferenceAnnotations(chartPath, repoURL string, registryID int, existingAnnotations map[string]string) map[string]string {
+	// Copy existing annotations
+	annotations := make(map[string]string)
+	maps.Copy(annotations, existingAnnotations)
+
+	// delete the existing portainer specific labels, for a clean overwrite
+	delete(annotations, ChartPathAnnotation)
+	delete(annotations, RepoURLAnnotation)
+	delete(annotations, RegistryIDAnnotation)
+
+	if chartPath != "" {
+		annotations[ChartPathAnnotation] = chartPath
+	}
+
+	if repoURL != "" && registryID == 0 {
+		annotations[RepoURLAnnotation] = repoURL
+	}
+
+	if registryID != 0 {
+		annotations[RegistryIDAnnotation] = strconv.Itoa(registryID)
+	}
+
+	return annotations
+}
+
+// extractChartReferenceAnnotations decodes chart reference labels for display purposes.
+// It handles existing labels gracefully and only decodes known chart reference labels.
+// If a chart reference label cannot be decoded, it is omitted entirely from the result.
+// Returns a ChartReference struct with decoded values.
+func extractChartReferenceAnnotations(annotations map[string]string) release.ChartReference {
+	if annotations == nil {
+		return release.ChartReference{}
+	}
+
+	registryID, err := strconv.Atoi(annotations[RegistryIDAnnotation])
+	if err != nil {
+		registryID = 0
+	}
+
+	return release.ChartReference{
+		ChartPath:  annotations[ChartPathAnnotation],
+		RepoURL:    annotations[RepoURLAnnotation],
+		RegistryID: int64(registryID),
+	}
+}
diff --git a/pkg/libhelm/sdk/get.go b/pkg/libhelm/sdk/get.go
index c15b65715..e252ce7a6 100644
--- a/pkg/libhelm/sdk/get.go
+++ b/pkg/libhelm/sdk/get.go
@@ -97,6 +97,7 @@ func convert(sdkRelease *sdkrelease.Release, values release.Values) *release.Rel
 				AppVersion: sdkRelease.Chart.Metadata.AppVersion,
 			},
 		},
-		Values: values,
+		Values:         values,
+		ChartReference: extractChartReferenceAnnotations(sdkRelease.Chart.Metadata.Annotations),
 	}
 }
diff --git a/pkg/libhelm/sdk/install.go b/pkg/libhelm/sdk/install.go
index ca904dcca..08c563559 100644
--- a/pkg/libhelm/sdk/install.go
+++ b/pkg/libhelm/sdk/install.go
@@ -4,6 +4,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/cache"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
 	"github.com/rs/zerolog/log"
@@ -42,6 +43,12 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to initialize helm configuration for helm release installation")
 	}
 
+	// Setup chart source
+	err = authenticateChartSource(actionConfig, installOpts.Registry)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to setup chart source for helm release installation")
+	}
+
 	installClient, err := initInstallClient(actionConfig, installOpts)
 	if err != nil {
 		log.Error().
@@ -51,7 +58,7 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to initialize helm install client for helm release installation")
 	}
 
-	values, err := hspm.GetHelmValuesFromFile(installOpts.ValuesFile)
+	values, err := hspm.getHelmValuesFromFile(installOpts.ValuesFile)
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -60,15 +67,36 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to get Helm values from file for helm release installation")
 	}
 
-	chart, err := hspm.loadAndValidateChartWithPathOptions(&installClient.ChartPathOptions, installOpts.Chart, installOpts.Version, installOpts.Repo, installClient.DependencyUpdate, "release installation")
+	chartRef, repoURL, err := parseChartRef(installOpts.Chart, installOpts.Repo, installOpts.Registry)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse chart reference for helm release installation")
+	}
+	chart, err := hspm.loadAndValidateChartWithPathOptions(&installClient.ChartPathOptions, chartRef, installOpts.Version, repoURL, installClient.DependencyUpdate, "release installation")
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
 			Err(err).
 			Msg("Failed to load and validate chart for helm release installation")
+
+		// Check if this is an authentication error and flush cache if needed
+		if installOpts.Registry != nil && shouldFlushCacheOnError(err, installOpts.Registry.ID) {
+			cache.FlushRegistryByID(installOpts.Registry.ID)
+			log.Info().
+				Int("registry_id", int(installOpts.Registry.ID)).
+				Str("context", "HelmClient").
+				Msg("Flushed registry cache due to chart loading authentication error during install")
+		}
+
 		return nil, errors.Wrap(err, "failed to load and validate chart for helm release installation")
 	}
 
+	// Add chart references to annotations
+	var registryID int
+	if installOpts.Registry != nil {
+		registryID = int(installOpts.Registry.ID)
+	}
+	chart.Metadata.Annotations = appendChartReferenceAnnotations(installOpts.Chart, installOpts.Repo, registryID, chart.Metadata.Annotations)
+
 	// Run the installation
 	log.Info().
 		Str("context", "HelmClient").
@@ -76,7 +104,6 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 		Str("name", installOpts.Name).
 		Str("namespace", installOpts.Namespace).
 		Msg("Running chart installation for helm release")
-
 	helmRelease, err := installClient.Run(chart, values)
 	if err != nil {
 		log.Error().
@@ -94,9 +121,10 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 		Namespace: helmRelease.Namespace,
 		Chart: release.Chart{
 			Metadata: &release.Metadata{
-				Name:       helmRelease.Chart.Metadata.Name,
-				Version:    helmRelease.Chart.Metadata.Version,
-				AppVersion: helmRelease.Chart.Metadata.AppVersion,
+				Name:        helmRelease.Chart.Metadata.Name,
+				Version:     helmRelease.Chart.Metadata.Version,
+				AppVersion:  helmRelease.Chart.Metadata.AppVersion,
+				Annotations: helmRelease.Chart.Metadata.Annotations,
 			},
 		},
 		Labels:   helmRelease.Labels,
@@ -111,13 +139,17 @@ func initInstallClient(actionConfig *action.Configuration, installOpts options.I
 	installClient := action.NewInstall(actionConfig)
 	installClient.DependencyUpdate = true
 	installClient.ReleaseName = installOpts.Name
-	installClient.ChartPathOptions.RepoURL = installOpts.Repo
 	installClient.Wait = installOpts.Wait
 	installClient.Timeout = installOpts.Timeout
+	installClient.Version = installOpts.Version
+	err := configureChartPathOptions(&installClient.ChartPathOptions, installOpts.Version, installOpts.Repo, installOpts.Registry)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to configure chart path options for helm release installation")
+	}
 
 	// Set default values if not specified
 	if installOpts.Timeout == 0 {
-		installClient.Timeout = 5 * time.Minute
+		installClient.Timeout = 15 * time.Minute // set a bigger timeout for large charts
 	} else {
 		installClient.Timeout = installOpts.Timeout
 	}
diff --git a/pkg/libhelm/sdk/search_repo.go b/pkg/libhelm/sdk/search_repo.go
index a97b7d606..42011d4ae 100644
--- a/pkg/libhelm/sdk/search_repo.go
+++ b/pkg/libhelm/sdk/search_repo.go
@@ -1,24 +1,30 @@
 package sdk
 
 import (
-	"net/url"
-	"os"
+	"context"
+	"fmt"
+	"io"
 	"path/filepath"
+	"strings"
 	"sync"
 	"time"
 
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/pkg/libhelm/options"
+	"github.com/portainer/portainer/pkg/liboras"
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
+	"helm.sh/helm/v3/pkg/chart"
 	"helm.sh/helm/v3/pkg/cli"
 	"helm.sh/helm/v3/pkg/getter"
 	"helm.sh/helm/v3/pkg/repo"
+	"oras.land/oras-go/v2/registry"
 )
 
 var (
 	errRequiredSearchOptions = errors.New("repo is required")
-	errInvalidRepoURL        = errors.New("the request failed since either the Helm repository was not found or the index.yaml is not valid")
 )
 
 type RepoIndex struct {
@@ -40,7 +46,6 @@ var (
 
 // SearchRepo downloads the `index.yaml` file for specified repo, parses it and returns JSON to caller.
 func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoOptions) ([]byte, error) {
-	// Validate input options
 	if err := validateSearchRepoOptions(searchRepoOpts); err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -55,33 +60,8 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		Str("repo", searchRepoOpts.Repo).
 		Msg("Searching repository")
 
-	// Parse and validate the repository URL
-	repoURL, err := parseRepoURL(searchRepoOpts.Repo)
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Str("repo", searchRepoOpts.Repo).
-			Err(err).
-			Msg("Invalid repository URL")
-		return nil, err
-	}
-
-	// Check cache first
-	if searchRepoOpts.UseCache {
-		cacheMutex.RLock()
-		if cached, exists := indexCache[repoURL.String()]; exists {
-			if time.Since(cached.Timestamp) < cacheDuration {
-				cacheMutex.RUnlock()
-				return convertAndMarshalIndex(cached.Index, searchRepoOpts.Chart)
-			}
-		}
-		cacheMutex.RUnlock()
-	}
-
 	// Set up Helm CLI environment
 	repoSettings := cli.New()
-
-	// Ensure all required Helm directories exist
 	if err := ensureHelmDirectoriesExist(repoSettings); err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -90,7 +70,88 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, errors.Wrap(err, "failed to ensure Helm directories exist")
 	}
 
-	repoName, err := getRepoNameFromURL(repoURL.String())
+	// Try cache first for HTTP repos
+	if IsHTTPRepository(searchRepoOpts.Registry) && searchRepoOpts.UseCache {
+		if cachedResult := hspm.tryGetFromCache(searchRepoOpts.Repo, searchRepoOpts.Chart); cachedResult != nil {
+			return cachedResult, nil
+		}
+	}
+
+	// Download index based on source type
+	indexFile, err := hspm.downloadRepoIndex(searchRepoOpts, repoSettings)
+	if err != nil {
+		return nil, err
+	}
+
+	// Update cache for HTTP repos
+	if IsHTTPRepository(searchRepoOpts.Registry) {
+		hspm.updateCache(searchRepoOpts.Repo, indexFile)
+	}
+
+	return convertAndMarshalIndex(indexFile, searchRepoOpts.Chart)
+}
+
+// tryGetFromCache attempts to retrieve a cached index file and convert it to the response format
+func (hspm *HelmSDKPackageManager) tryGetFromCache(repoURL, chartName string) []byte {
+	cacheMutex.RLock()
+	defer cacheMutex.RUnlock()
+
+	if cached, exists := indexCache[repoURL]; exists {
+		if time.Since(cached.Timestamp) < cacheDuration {
+			result, err := convertAndMarshalIndex(cached.Index, chartName)
+			if err != nil {
+				log.Debug().
+					Str("context", "HelmClient").
+					Str("repo", repoURL).
+					Err(err).
+					Msg("Failed to convert cached index")
+				return nil
+			}
+			return result
+		}
+	}
+	return nil
+}
+
+// updateCache updates the cache with the provided index file and cleans up expired entries
+func (hspm *HelmSDKPackageManager) updateCache(repoURL string, indexFile *repo.IndexFile) {
+	cacheMutex.Lock()
+	defer cacheMutex.Unlock()
+
+	indexCache[repoURL] = RepoIndexCache{
+		Index:     indexFile,
+		Timestamp: time.Now(),
+	}
+
+	// Clean up expired entries
+	for key, index := range indexCache {
+		if time.Since(index.Timestamp) > cacheDuration {
+			delete(indexCache, key)
+		}
+	}
+}
+
+// downloadRepoIndex downloads the repository index based on the source type (HTTP or OCI)
+func (hspm *HelmSDKPackageManager) downloadRepoIndex(opts options.SearchRepoOptions, repoSettings *cli.EnvSettings) (*repo.IndexFile, error) {
+	if IsOCIRegistry(opts.Registry) {
+		return hspm.downloadOCIRepoIndex(opts.Registry, repoSettings, opts.Chart)
+	}
+	return hspm.downloadHTTPRepoIndex(opts.Repo, repoSettings)
+}
+
+// downloadHTTPRepoIndex downloads and loads an index file from an HTTP repository
+func (hspm *HelmSDKPackageManager) downloadHTTPRepoIndex(repoURL string, repoSettings *cli.EnvSettings) (*repo.IndexFile, error) {
+	parsedURL, err := parseRepoURL(repoURL)
+	if err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("repo", repoURL).
+			Err(err).
+			Msg("Invalid repository URL")
+		return nil, err
+	}
+
+	repoName, err := getRepoNameFromURL(parsedURL.String())
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -99,70 +160,55 @@ func (hspm *HelmSDKPackageManager) SearchRepo(searchRepoOpts options.SearchRepoO
 		return nil, err
 	}
 
-	// Download the index file and update repository configuration
-	indexPath, err := downloadRepoIndex(repoURL.String(), repoSettings, repoName)
+	indexPath, err := downloadRepoIndexFromHttpRepo(parsedURL.String(), repoSettings, repoName)
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
-			Str("repo_url", repoURL.String()).
+			Str("repo_url", parsedURL.String()).
 			Err(err).
 			Msg("Failed to download repository index")
 		return nil, err
 	}
 
-	// Load and parse the index file
-	log.Debug().
-		Str("context", "HelmClient").
-		Str("index_path", indexPath).
-		Msg("Loading index file")
+	return loadIndexFile(indexPath)
+}
 
-	indexFile, err := loadIndexFile(indexPath)
+// downloadOCIRepoIndex downloads and loads an index file from an OCI registry
+func (hspm *HelmSDKPackageManager) downloadOCIRepoIndex(registry *portainer.Registry, repoSettings *cli.EnvSettings, chartPath string) (*repo.IndexFile, error) {
+	// Validate registry credentials first
+	if err := validateRegistryCredentials(registry); err != nil {
+		log.Error().
+			Str("context", "HelmClient").
+			Str("repo", registry.URL).
+			Err(err).
+			Msg("Registry credential validation failed for OCI search")
+		return nil, fmt.Errorf("registry credential validation failed: %w", err)
+	}
+
+	indexPath, err := downloadRepoIndexFromOciRegistry(registry, repoSettings, chartPath)
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
-			Str("index_path", indexPath).
+			Str("repo", registry.URL).
 			Err(err).
-			Msg("Failed to load index file")
+			Msg("Failed to download repository index")
 		return nil, err
 	}
 
-	// Update cache and remove old entries
-	cacheMutex.Lock()
-	indexCache[searchRepoOpts.Repo] = RepoIndexCache{
-		Index:     indexFile,
-		Timestamp: time.Now(),
-	}
-	for key, index := range indexCache {
-		if time.Since(index.Timestamp) > cacheDuration {
-			delete(indexCache, key)
-		}
-	}
-
-	cacheMutex.Unlock()
-
-	return convertAndMarshalIndex(indexFile, searchRepoOpts.Chart)
+	return loadIndexFile(indexPath)
 }
 
 // validateSearchRepoOptions validates the required search repository options.
 func validateSearchRepoOptions(opts options.SearchRepoOptions) error {
-	if opts.Repo == "" {
+	if opts.Repo == "" && IsHTTPRepository(opts.Registry) {
 		return errRequiredSearchOptions
 	}
 	return nil
 }
 
-// parseRepoURL parses and validates the repository URL.
-func parseRepoURL(repoURL string) (*url.URL, error) {
-	parsedURL, err := url.ParseRequestURI(repoURL)
-	if err != nil {
-		return nil, errors.Wrap(err, "invalid helm chart URL: "+repoURL)
-	}
-	return parsedURL, nil
-}
-
-// downloadRepoIndex downloads the index.yaml file from the repository and updates
+// downloadRepoIndexFromHttpRepo downloads the index.yaml file from the repository and updates
 // the repository configuration.
-func downloadRepoIndex(repoURLString string, repoSettings *cli.EnvSettings, repoName string) (string, error) {
+func downloadRepoIndexFromHttpRepo(repoURLString string, repoSettings *cli.EnvSettings, repoName string) (string, error) {
 	log.Debug().
 		Str("context", "helm_sdk_repo_index").
 		Str("repo_url", repoURLString).
@@ -183,7 +229,7 @@ func downloadRepoIndex(repoURLString string, repoSettings *cli.EnvSettings, repo
 			Str("repo_url", repoURLString).
 			Err(err).
 			Msg("Failed to create chart repository object")
-		return "", errInvalidRepoURL
+		return "", errors.New("the request failed since either the Helm repository was not found or the index.yaml is not valid")
 	}
 
 	// Load repository configuration file
@@ -239,13 +285,168 @@ func downloadRepoIndex(repoURLString string, repoSettings *cli.EnvSettings, repo
 	return indexPath, nil
 }
 
-// loadIndexFile loads the index file from the given path.
-func loadIndexFile(indexPath string) (*repo.IndexFile, error) {
-	indexFile, err := repo.LoadIndexFile(indexPath)
-	if err != nil {
-		return nil, errors.Wrapf(err, "failed to load downloaded index file: %s", indexPath)
+func downloadRepoIndexFromOciRegistry(registry *portainer.Registry, repoSettings *cli.EnvSettings, chartPath string) (string, error) {
+	if IsHTTPRepository(registry) {
+		return "", errors.New("registry information is required for OCI search")
 	}
-	return indexFile, nil
+
+	if chartPath == "" {
+		return "", errors.New("chart path is required for OCI search")
+	}
+
+	ctx := context.Background()
+
+	registryClient, err := liboras.CreateClient(*registry)
+	if err != nil {
+		log.Error().
+			Str("context", "helm_sdk_repo_index_oci").
+			Str("registry_url", registry.URL).
+			Err(err).
+			Msg("Failed to create ORAS registry client")
+		return "", errors.Wrap(err, "failed to create ORAS registry client")
+	}
+
+	// Obtain repository handle for the specific chart path (relative to registry host)
+	repository, err := registryClient.Repository(ctx, chartPath)
+	if err != nil {
+		log.Error().
+			Str("context", "helm_sdk_repo_index_oci").
+			Str("repository", chartPath).
+			Err(err).
+			Msg("Failed to obtain repository handle")
+		return "", errors.Wrap(err, "failed to obtain repository handle")
+	}
+
+	// List all tags for this chart repository
+	var tags []string
+	err = repository.Tags(ctx, "", func(t []string) error {
+		tags = append(tags, t...)
+		return nil
+	})
+	if err != nil {
+		log.Error().
+			Str("context", "helm_sdk_repo_index_oci").
+			Str("repository", chartPath).
+			Err(err).
+			Msg("Failed to list tags")
+		return "", errors.Wrap(err, "failed to list tags for repository")
+	}
+
+	if len(tags) == 0 {
+		return "", errors.Errorf("no tags found for repository %s", chartPath)
+	}
+
+	// Build Helm index file in memory
+	indexFile := repo.NewIndexFile()
+
+	const helmConfigMediaType = "application/vnd.cncf.helm.config.v1+json"
+
+	for _, tag := range tags {
+		chartVersion, err := processOCITag(ctx, repository, registry, chartPath, tag, helmConfigMediaType)
+		if err != nil {
+			log.Debug().
+				Str("context", "helm_sdk_repo_index_oci").
+				Str("repository", chartPath).
+				Str("tag", tag).
+				Err(err).
+				Msg("Failed to process tag; skipping")
+			continue
+		}
+
+		if chartVersion != nil {
+			indexFile.Entries[chartVersion.Name] = append(indexFile.Entries[chartVersion.Name], chartVersion)
+		}
+	}
+
+	if len(indexFile.Entries) == 0 {
+		return "", errors.Errorf("no helm chart versions found for repository %s", chartPath)
+	}
+
+	indexFile.SortEntries()
+
+	fileNameSafe := strings.ReplaceAll(chartPath, "/", "-")
+	destPath := filepath.Join(repoSettings.RepositoryCache, fmt.Sprintf("%s-%d-index.yaml", fileNameSafe, time.Now().UnixNano()))
+
+	if err := indexFile.WriteFile(destPath, 0644); err != nil {
+		return "", errors.Wrap(err, "failed to write OCI index file")
+	}
+
+	log.Debug().
+		Str("context", "helm_sdk_repo_index_oci").
+		Str("dest_path", destPath).
+		Int("entries", len(indexFile.Entries)).
+		Msg("Successfully generated OCI index file")
+
+	return destPath, nil
+}
+
+// processOCITag processes a single OCI tag and returns a Helm chart version.
+func processOCITag(ctx context.Context, repository registry.Repository, registry *portainer.Registry, chartPath string, tag string, helmConfigMediaType string) (*repo.ChartVersion, error) {
+	// Resolve tag to get descriptor
+	descriptor, err := repository.Resolve(ctx, tag)
+	if err != nil {
+		log.Debug().
+			Str("context", "helm_sdk_repo_index_oci").
+			Str("repository", chartPath).
+			Str("tag", tag).
+			Err(err).
+			Msg("Failed to resolve tag; skipping")
+		return nil, nil
+	}
+
+	// Fetch manifest to validate media type and obtain config descriptor
+	manifestReader, err := repository.Manifests().Fetch(ctx, descriptor)
+	if err != nil {
+		log.Debug().
+			Str("context", "helm_sdk_repo_index_oci").
+			Str("repository", chartPath).
+			Str("tag", tag).
+			Err(err).
+			Msg("Failed to fetch manifest; skipping")
+		return nil, nil
+	}
+
+	manifestContent, err := io.ReadAll(manifestReader)
+	manifestReader.Close()
+	if err != nil {
+		return nil, nil
+	}
+
+	var manifest ocispec.Manifest
+	if err := json.Unmarshal(manifestContent, &manifest); err != nil {
+		return nil, nil
+	}
+
+	// Ensure manifest config is Helm chart metadata
+	if manifest.Config.MediaType != helmConfigMediaType {
+		return nil, nil
+	}
+
+	// Fetch config blob (chart metadata)
+	cfgReader, err := repository.Blobs().Fetch(ctx, manifest.Config)
+	if err != nil {
+		return nil, nil
+	}
+	cfgBytes, err := io.ReadAll(cfgReader)
+	cfgReader.Close()
+	if err != nil {
+		return nil, nil
+	}
+
+	var metadata chart.Metadata
+	if err := json.Unmarshal(cfgBytes, &metadata); err != nil {
+		return nil, nil
+	}
+
+	// Build chart version entry
+	chartVersion := &repo.ChartVersion{
+		Metadata: &metadata,
+		URLs:     []string{fmt.Sprintf("oci://%s/%s:%s", registry.URL, chartPath, tag)},
+		Created:  time.Now(),
+		Digest:   descriptor.Digest.String(),
+	}
+
+	return chartVersion, nil
 }
 
 // convertIndexToResponse converts the Helm index file to our response format.
@@ -258,7 +459,7 @@ func convertIndexToResponse(indexFile *repo.IndexFile, chartName string) (RepoIn
 
 	// Convert Helm SDK types to our response types
 	for name, charts := range indexFile.Entries {
-		if chartName == "" || name == chartName {
+		if chartName == "" || strings.Contains(strings.ToLower(chartName), strings.ToLower(name)) {
 			result.Entries[name] = convertChartsToChartInfo(charts)
 		}
 	}
@@ -304,87 +505,6 @@ type ChartInfo struct {
 	Annotations any      `json:"annotations,omitempty"`
 }
 
-// ensureHelmDirectoriesExist checks and creates required Helm directories if they don't exist
-func ensureHelmDirectoriesExist(settings *cli.EnvSettings) error {
-	log.Debug().
-		Str("context", "helm_sdk_dirs").
-		Msg("Ensuring Helm directories exist")
-
-	// List of directories to ensure exist
-	directories := []string{
-		filepath.Dir(settings.RepositoryConfig), // Repository config directory
-		settings.RepositoryCache,                // Repository cache directory
-		filepath.Dir(settings.RegistryConfig),   // Registry config directory
-		settings.PluginsDirectory,               // Plugins directory
-	}
-
-	// Create each directory if it doesn't exist
-	for _, dir := range directories {
-		if dir == "" {
-			continue // Skip empty paths
-		}
-
-		if _, err := os.Stat(dir); os.IsNotExist(err) {
-			if err := os.MkdirAll(dir, 0700); err != nil {
-				log.Error().
-					Str("context", "helm_sdk_dirs").
-					Str("directory", dir).
-					Err(err).
-					Msg("Failed to create directory")
-				return errors.Wrapf(err, "failed to create directory: %s", dir)
-			}
-		}
-	}
-
-	// Ensure registry config file exists
-	if settings.RegistryConfig != "" {
-		if _, err := os.Stat(settings.RegistryConfig); os.IsNotExist(err) {
-			// Create the directory if it doesn't exist
-			dir := filepath.Dir(settings.RegistryConfig)
-			if err := os.MkdirAll(dir, 0700); err != nil {
-				log.Error().
-					Str("context", "helm_sdk_dirs").
-					Str("directory", dir).
-					Err(err).
-					Msg("Failed to create directory")
-				return errors.Wrapf(err, "failed to create directory: %s", dir)
-			}
-
-			// Create an empty registry config file
-			if _, err := os.Create(settings.RegistryConfig); err != nil {
-				log.Error().
-					Str("context", "helm_sdk_dirs").
-					Str("file", settings.RegistryConfig).
-					Err(err).
-					Msg("Failed to create registry config file")
-				return errors.Wrapf(err, "failed to create registry config file: %s", settings.RegistryConfig)
-			}
-		}
-	}
-
-	// Ensure repository config file exists
-	if settings.RepositoryConfig != "" {
-		if _, err := os.Stat(settings.RepositoryConfig); os.IsNotExist(err) {
-			// Create an empty repository config file with default yaml structure
-			f := repo.NewFile()
-			if err := f.WriteFile(settings.RepositoryConfig, 0644); err != nil {
-				log.Error().
-					Str("context", "helm_sdk_dirs").
-					Str("file", settings.RepositoryConfig).
-					Err(err).
-					Msg("Failed to create repository config file")
-				return errors.Wrapf(err, "failed to create repository config file: %s", settings.RepositoryConfig)
-			}
-		}
-	}
-
-	log.Debug().
-		Str("context", "helm_sdk_dirs").
-		Msg("Successfully ensured all Helm directories exist")
-
-	return nil
-}
-
 func convertAndMarshalIndex(indexFile *repo.IndexFile, chartName string) ([]byte, error) {
 	// Convert the index file to our response format
 	result, err := convertIndexToResponse(indexFile, chartName)
diff --git a/pkg/libhelm/sdk/show.go b/pkg/libhelm/sdk/show.go
index 9ad2d6007..70e97e364 100644
--- a/pkg/libhelm/sdk/show.go
+++ b/pkg/libhelm/sdk/show.go
@@ -2,21 +2,20 @@ package sdk
 
 import (
 	"fmt"
-	"net/url"
-	"strings"
 
 	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/cache"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/rs/zerolog/log"
 	"helm.sh/helm/v3/pkg/action"
 )
 
-var errRequiredShowOptions = errors.New("chart, repo and output format are required")
+var errRequiredShowOptions = errors.New("chart, output format and either repo or registry are required")
 
 // Show implements the HelmPackageManager interface by using the Helm SDK to show chart information.
 // It supports showing chart values, readme, and chart details based on the provided ShowOptions.
 func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, error) {
-	if showOpts.Chart == "" || showOpts.Repo == "" || showOpts.OutputFormat == "" {
+	if showOpts.Chart == "" || (showOpts.Repo == "" && IsHTTPRepository(showOpts.Registry)) || showOpts.OutputFormat == "" {
 		log.Error().
 			Str("context", "HelmClient").
 			Str("chart", showOpts.Chart).
@@ -33,31 +32,10 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 		Str("output_format", string(showOpts.OutputFormat)).
 		Msg("Showing chart information")
 
-	repoURL, err := parseRepoURL(showOpts.Repo)
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Str("repo", showOpts.Repo).
-			Err(err).
-			Msg("Invalid repository URL")
-		return nil, err
-	}
-
-	repoName, err := getRepoNameFromURL(repoURL.String())
-	if err != nil {
-		log.Error().
-			Str("context", "HelmClient").
-			Err(err).
-			Msg("Failed to get hostname from URL")
-		return nil, err
-	}
-
-	// Initialize action configuration (no namespace or cluster access needed)
 	actionConfig := new(action.Configuration)
-	err = hspm.initActionConfig(actionConfig, "", nil)
+	err := authenticateChartSource(actionConfig, showOpts.Registry)
 	if err != nil {
-		// error is already logged in initActionConfig
-		return nil, fmt.Errorf("failed to initialize helm configuration: %w", err)
+		return nil, fmt.Errorf("failed to setup chart source: %w", err)
 	}
 
 	// Create showClient action
@@ -70,22 +48,28 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 		return nil, fmt.Errorf("failed to initialize helm show client: %w", err)
 	}
 
-	// Locate and load the chart
-	log.Debug().
-		Str("context", "HelmClient").
-		Str("chart", showOpts.Chart).
-		Str("repo", showOpts.Repo).
-		Msg("Locating chart")
-
-	fullChartPath := fmt.Sprintf("%s/%s", repoName, showOpts.Chart)
-	chartPath, err := showClient.ChartPathOptions.LocateChart(fullChartPath, hspm.settings)
+	chartRef, _, err := parseChartRef(showOpts.Chart, showOpts.Repo, showOpts.Registry)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse chart reference: %w", err)
+	}
+	chartPath, err := showClient.ChartPathOptions.LocateChart(chartRef, hspm.settings)
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
-			Str("chart", fullChartPath).
+			Str("chart", chartRef).
 			Str("repo", showOpts.Repo).
 			Err(err).
 			Msg("Failed to locate chart")
+
+		// Check if this is an authentication error and flush cache if needed
+		if showOpts.Registry != nil && shouldFlushCacheOnError(err, showOpts.Registry.ID) {
+			cache.FlushRegistryByID(showOpts.Registry.ID)
+			log.Info().
+				Int("registry_id", int(showOpts.Registry.ID)).
+				Str("context", "HelmClient").
+				Msg("Flushed registry cache due to chart registry authentication error")
+		}
+
 		return nil, fmt.Errorf("failed to locate chart: %w", err)
 	}
 
@@ -98,6 +82,16 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 			Str("output_format", string(showOpts.OutputFormat)).
 			Err(err).
 			Msg("Failed to show chart info")
+
+		// Check if this is an authentication error and flush cache if needed
+		if showOpts.Registry != nil && shouldFlushCacheOnError(err, showOpts.Registry.ID) {
+			cache.FlushRegistryByID(showOpts.Registry.ID)
+			log.Info().
+				Int("registry_id", int(showOpts.Registry.ID)).
+				Str("context", "HelmClient").
+				Msg("Flushed registry cache due to chart show authentication error")
+		}
+
 		return nil, fmt.Errorf("failed to show chart info: %w", err)
 	}
 
@@ -114,7 +108,10 @@ func (hspm *HelmSDKPackageManager) Show(showOpts options.ShowOptions) ([]byte, e
 // and return the show client.
 func initShowClient(actionConfig *action.Configuration, showOpts options.ShowOptions) (*action.Show, error) {
 	showClient := action.NewShowWithConfig(action.ShowAll, actionConfig)
-	showClient.ChartPathOptions.Version = showOpts.Version
+	err := configureChartPathOptions(&showClient.ChartPathOptions, showOpts.Version, showOpts.Repo, showOpts.Registry)
+	if err != nil {
+		return nil, fmt.Errorf("failed to configure chart path options: %w", err)
+	}
 
 	// Set output type based on ShowOptions
 	switch showOpts.OutputFormat {
@@ -134,26 +131,3 @@ func initShowClient(actionConfig *action.Configuration, showOpts options.ShowOpt
 
 	return showClient, nil
 }
-
-// getRepoNameFromURL extracts a unique repository identifier from a URL string.
-// It combines hostname and path to ensure uniqueness across different repositories on the same host.
-// Examples:
-// - https://portainer.github.io/test-public-repo/ -> portainer.github.io-test-public-repo
-// - https://portainer.github.io/another-repo/ -> portainer.github.io-another-repo
-// - https://charts.helm.sh/stable -> charts.helm.sh-stable
-func getRepoNameFromURL(urlStr string) (string, error) {
-	parsedURL, err := url.Parse(urlStr)
-	if err != nil {
-		return "", fmt.Errorf("failed to parse URL: %w", err)
-	}
-
-	hostname := parsedURL.Hostname()
-	path := parsedURL.Path
-	path = strings.Trim(path, "/")
-	path = strings.ReplaceAll(path, "/", "-")
-
-	if path == "" {
-		return hostname, nil
-	}
-	return fmt.Sprintf("%s-%s", hostname, path), nil
-}
diff --git a/pkg/libhelm/sdk/show_test.go b/pkg/libhelm/sdk/show_test.go
index 302f188ca..26801eb93 100644
--- a/pkg/libhelm/sdk/show_test.go
+++ b/pkg/libhelm/sdk/show_test.go
@@ -28,7 +28,7 @@ func Test_Show(t *testing.T) {
 		})
 	}
 
-	t.Run("show requires chart, repo and output format", func(t *testing.T) {
+	t.Run("show requires chart, output format and repo or registry", func(t *testing.T) {
 		showOpts := options.ShowOptions{
 			Chart:        "",
 			Repo:         "",
@@ -36,7 +36,7 @@ func Test_Show(t *testing.T) {
 		}
 		_, err := hspm.Show(showOpts)
 		is.Error(err, "should return error when required options are missing")
-		is.Contains(err.Error(), "chart, repo and output format are required", "error message should indicate required options")
+		is.Contains(err.Error(), "chart, output format and either repo or registry are required", "error message should indicate required options")
 	})
 
 	t.Run("show chart values", func(t *testing.T) {
diff --git a/pkg/libhelm/sdk/upgrade.go b/pkg/libhelm/sdk/upgrade.go
index b47a439a9..1e2a1a5c2 100644
--- a/pkg/libhelm/sdk/upgrade.go
+++ b/pkg/libhelm/sdk/upgrade.go
@@ -4,6 +4,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/portainer/portainer/pkg/libhelm/cache"
 	"github.com/portainer/portainer/pkg/libhelm/options"
 	"github.com/portainer/portainer/pkg/libhelm/release"
 	"github.com/rs/zerolog/log"
@@ -66,6 +67,12 @@ func (hspm *HelmSDKPackageManager) Upgrade(upgradeOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to initialize helm configuration for helm release upgrade")
 	}
 
+	// Setup chart source
+	err = authenticateChartSource(actionConfig, upgradeOpts.Registry)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to setup chart source for helm release upgrade")
+	}
+
 	upgradeClient, err := initUpgradeClient(actionConfig, upgradeOpts)
 	if err != nil {
 		log.Error().
@@ -75,7 +82,7 @@ func (hspm *HelmSDKPackageManager) Upgrade(upgradeOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to initialize helm upgrade client for helm release upgrade")
 	}
 
-	values, err := hspm.GetHelmValuesFromFile(upgradeOpts.ValuesFile)
+	values, err := hspm.getHelmValuesFromFile(upgradeOpts.ValuesFile)
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
@@ -84,15 +91,36 @@ func (hspm *HelmSDKPackageManager) Upgrade(upgradeOpts options.InstallOptions) (
 		return nil, errors.Wrap(err, "failed to get Helm values from file for helm release upgrade")
 	}
 
-	chart, err := hspm.loadAndValidateChartWithPathOptions(&upgradeClient.ChartPathOptions, upgradeOpts.Chart, upgradeOpts.Version, upgradeOpts.Repo, upgradeClient.DependencyUpdate, "release upgrade")
+	chartRef, repoURL, err := parseChartRef(upgradeOpts.Chart, upgradeOpts.Repo, upgradeOpts.Registry)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse chart reference for helm release upgrade")
+	}
+	chart, err := hspm.loadAndValidateChartWithPathOptions(&upgradeClient.ChartPathOptions, chartRef, upgradeOpts.Version, repoURL, upgradeClient.DependencyUpdate, "release upgrade")
 	if err != nil {
 		log.Error().
 			Str("context", "HelmClient").
 			Err(err).
 			Msg("Failed to load and validate chart for helm release upgrade")
+
+		// Check if this is an authentication error and flush cache if needed
+		if upgradeOpts.Registry != nil && shouldFlushCacheOnError(err, upgradeOpts.Registry.ID) {
+			cache.FlushRegistryByID(upgradeOpts.Registry.ID)
+			log.Info().
+				Int("registry_id", int(upgradeOpts.Registry.ID)).
+				Str("context", "HelmClient").
+				Msg("Flushed registry cache due to chart loading authentication error during upgrade")
+		}
+
 		return nil, errors.Wrap(err, "failed to load and validate chart for helm release upgrade")
 	}
 
+	// Add chart references to annotations
+	var registryID int
+	if upgradeOpts.Registry != nil {
+		registryID = int(upgradeOpts.Registry.ID)
+	}
+	chart.Metadata.Annotations = appendChartReferenceAnnotations(upgradeOpts.Chart, upgradeOpts.Repo, registryID, chart.Metadata.Annotations)
+
 	log.Info().
 		Str("context", "HelmClient").
 		Str("chart", upgradeOpts.Chart).
@@ -117,9 +145,10 @@ func (hspm *HelmSDKPackageManager) Upgrade(upgradeOpts options.InstallOptions) (
 		Namespace: helmRelease.Namespace,
 		Chart: release.Chart{
 			Metadata: &release.Metadata{
-				Name:       helmRelease.Chart.Metadata.Name,
-				Version:    helmRelease.Chart.Metadata.Version,
-				AppVersion: helmRelease.Chart.Metadata.AppVersion,
+				Name:        helmRelease.Chart.Metadata.Name,
+				Version:     helmRelease.Chart.Metadata.Version,
+				AppVersion:  helmRelease.Chart.Metadata.AppVersion,
+				Annotations: helmRelease.Chart.Metadata.Annotations,
 			},
 		},
 		Labels:   helmRelease.Labels,
@@ -134,12 +163,20 @@ func initUpgradeClient(actionConfig *action.Configuration, upgradeOpts options.I
 	upgradeClient := action.NewUpgrade(actionConfig)
 	upgradeClient.DependencyUpdate = true
 	upgradeClient.Atomic = upgradeOpts.Atomic
-	upgradeClient.ChartPathOptions.RepoURL = upgradeOpts.Repo
 	upgradeClient.Wait = upgradeOpts.Wait
+	upgradeClient.Version = upgradeOpts.Version
+	err := configureChartPathOptions(&upgradeClient.ChartPathOptions, upgradeOpts.Version, upgradeOpts.Repo, upgradeOpts.Registry)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to configure chart path options for helm release upgrade")
+	}
 
 	// Set default values if not specified
 	if upgradeOpts.Timeout == 0 {
-		upgradeClient.Timeout = 5 * time.Minute
+		if upgradeClient.Atomic {
+			upgradeClient.Timeout = 30 * time.Minute // the atomic flag significantly increases the upgrade time
+		} else {
+			upgradeClient.Timeout = 15 * time.Minute
+		}
 	} else {
 		upgradeClient.Timeout = upgradeOpts.Timeout
 	}
diff --git a/pkg/libhelm/sdk/values.go b/pkg/libhelm/sdk/values.go
index 8dc6325a3..7e3e5a07e 100644
--- a/pkg/libhelm/sdk/values.go
+++ b/pkg/libhelm/sdk/values.go
@@ -11,9 +11,9 @@ import (
 	"helm.sh/helm/v3/pkg/action"
 )
 
-// GetHelmValuesFromFile reads the values file and parses it into a map[string]any
+// getHelmValuesFromFile reads the values file and parses it into a map[string]any
 // and returns the map.
-func (hspm *HelmSDKPackageManager) GetHelmValuesFromFile(valuesFile string) (map[string]any, error) {
+func (hspm *HelmSDKPackageManager) getHelmValuesFromFile(valuesFile string) (map[string]any, error) {
 	var vals map[string]any
 	if valuesFile != "" {
 		log.Debug().
diff --git a/pkg/liboras/generic_listrepo_client.go b/pkg/liboras/generic_listrepo_client.go
new file mode 100644
index 000000000..a99587c0e
--- /dev/null
+++ b/pkg/liboras/generic_listrepo_client.go
@@ -0,0 +1,47 @@
+package liboras
+
+import (
+	"context"
+	"errors"
+
+	portainer "github.com/portainer/portainer/api"
+	"oras.land/oras-go/v2/registry/remote"
+)
+
+// GenericListRepoClient implements RepositoryListClient for standard OCI registries
+// This client handles repository listing for registries that follow the standard OCI distribution spec
+type GenericListRepoClient struct {
+	registry       *portainer.Registry
+	registryClient *remote.Registry
+}
+
+// NewGenericListRepoClient creates a new generic repository listing client
+func NewGenericListRepoClient(registry *portainer.Registry) *GenericListRepoClient {
+	return &GenericListRepoClient{
+		registry: registry,
+		// registryClient will be set when needed
+	}
+}
+
+// SetRegistryClient sets the ORAS registry client for repository listing operations
+func (c *GenericListRepoClient) SetRegistryClient(registryClient *remote.Registry) {
+	c.registryClient = registryClient
+}
+
+// ListRepositories fetches repositories from a standard OCI registry using ORAS
+func (c *GenericListRepoClient) ListRepositories(ctx context.Context) ([]string, error) {
+	if c.registryClient == nil {
+		return nil, errors.New("registry client not initialized for repository listing")
+	}
+
+	var repositories []string
+	err := c.registryClient.Repositories(ctx, "", func(repos []string) error {
+		repositories = append(repositories, repos...)
+		return nil
+	})
+	if err != nil {
+		return nil, errors.New("failed to list repositories")
+	}
+
+	return repositories, nil
+}
diff --git a/pkg/liboras/github_listrepo_client.go b/pkg/liboras/github_listrepo_client.go
new file mode 100644
index 000000000..e80789bec
--- /dev/null
+++ b/pkg/liboras/github_listrepo_client.go
@@ -0,0 +1,57 @@
+package liboras
+
+import (
+	"context"
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy/factory/github"
+	"github.com/rs/zerolog/log"
+)
+
+// GithubListRepoClient implements RepositoryListClient specifically for GitHub registries
+// This client handles the GitHub Packages API's unique repository listing implementation
+type GithubListRepoClient struct {
+	registry *portainer.Registry
+	client   *github.Client
+}
+
+// NewGithubListRepoClient creates a new GitHub repository listing client
+func NewGithubListRepoClient(registry *portainer.Registry) *GithubListRepoClient {
+	// Prefer the management configuration credentials when available
+	token := registry.Password
+	if registry.ManagementConfiguration != nil && registry.ManagementConfiguration.Password != "" {
+		token = registry.ManagementConfiguration.Password
+	}
+
+	client := github.NewClient(token)
+
+	return &GithubListRepoClient{
+		registry: registry,
+		client:   client,
+	}
+}
+
+// ListRepositories fetches repositories from a GitHub registry using the GitHub Packages API
+func (c *GithubListRepoClient) ListRepositories(ctx context.Context) ([]string, error) {
+	repositories, err := c.client.GetContainerPackages(
+		ctx,
+		c.registry.Github.UseOrganisation,
+		c.registry.Github.OrganisationName,
+	)
+	if err != nil {
+		log.Error().
+			Str("registry_name", c.registry.Name).
+			Err(err).
+			Msg("Failed to list GitHub repositories")
+		return nil, fmt.Errorf("failed to list GitHub repositories: %w", err)
+	}
+
+	log.Debug().
+		Bool("use_organisation", c.registry.Github.UseOrganisation).
+		Str("organisation_name", c.registry.Github.OrganisationName).
+		Int("repository_count", len(repositories)).
+		Msg("Successfully listed GitHub repositories")
+
+	return repositories, nil
+}
diff --git a/pkg/liboras/gitlab_listrepo_client.go b/pkg/liboras/gitlab_listrepo_client.go
new file mode 100644
index 000000000..762d4984e
--- /dev/null
+++ b/pkg/liboras/gitlab_listrepo_client.go
@@ -0,0 +1,47 @@
+package liboras
+
+import (
+	"context"
+	"fmt"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/http/proxy/factory/gitlab"
+	"github.com/rs/zerolog/log"
+)
+
+// GitlabListRepoClient implements RepositoryListClient specifically for GitLab registries
+// This client handles the GitLab Container Registry API's unique repository listing implementation
+type GitlabListRepoClient struct {
+	registry *portainer.Registry
+	client   *gitlab.Client
+}
+
+// NewGitlabListRepoClient creates a new GitLab repository listing client
+func NewGitlabListRepoClient(registry *portainer.Registry) *GitlabListRepoClient {
+	client := gitlab.NewClient(registry.Gitlab.InstanceURL, registry.Password)
+
+	return &GitlabListRepoClient{
+		registry: registry,
+		client:   client,
+	}
+}
+
+// ListRepositories fetches repositories from a GitLab registry using the GitLab API
+func (c *GitlabListRepoClient) ListRepositories(ctx context.Context) ([]string, error) {
+	repositories, err := c.client.GetRegistryRepositoryNames(ctx, c.registry.Gitlab.ProjectID)
+	if err != nil {
+		log.Error().
+			Str("registry_name", c.registry.Name).
+			Err(err).
+			Msg("Failed to list GitLab repositories")
+		return nil, fmt.Errorf("failed to list GitLab repositories: %w", err)
+	}
+
+	log.Debug().
+		Str("gitlab_url", c.registry.Gitlab.InstanceURL).
+		Int("project_id", c.registry.Gitlab.ProjectID).
+		Int("repository_count", len(repositories)).
+		Msg("Successfully listed GitLab repositories")
+
+	return repositories, nil
+}
diff --git a/pkg/liboras/listrepo_client.go b/pkg/liboras/listrepo_client.go
new file mode 100644
index 000000000..f3e066de4
--- /dev/null
+++ b/pkg/liboras/listrepo_client.go
@@ -0,0 +1,39 @@
+package liboras
+
+import (
+	"context"
+
+	portainer "github.com/portainer/portainer/api"
+	"oras.land/oras-go/v2/registry/remote"
+)
+
+// RepositoryListClient provides an interface specifically for listing repositories
+// This exists because listing repositories isn't a standard OCI operation, and we need to handle
+// different registry types differently.
+type RepositoryListClient interface {
+	// ListRepositories returns a list of repository names from the registry
+	ListRepositories(ctx context.Context) ([]string, error)
+}
+
+// RepositoryListClientFactory creates repository listing clients based on registry type
+type RepositoryListClientFactory struct{}
+
+// NewRepositoryListClientFactory creates a new factory instance
+func NewRepositoryListClientFactory() *RepositoryListClientFactory {
+	return &RepositoryListClientFactory{}
+}
+
+// CreateListClientWithRegistry creates a repository listing client based on the registry type
+// and automatically configures it with the provided ORAS registry client for generic registries
+func (f *RepositoryListClientFactory) CreateListClientWithRegistry(registry *portainer.Registry, registryClient *remote.Registry) (RepositoryListClient, error) {
+	switch registry.Type {
+	case portainer.GitlabRegistry:
+		return NewGitlabListRepoClient(registry), nil
+	case portainer.GithubRegistry:
+		return NewGithubListRepoClient(registry), nil
+	default:
+		genericClient := NewGenericListRepoClient(registry)
+		genericClient.SetRegistryClient(registryClient)
+		return genericClient, nil
+	}
+}
diff --git a/pkg/liboras/registry.go b/pkg/liboras/registry.go
new file mode 100644
index 000000000..576f848ac
--- /dev/null
+++ b/pkg/liboras/registry.go
@@ -0,0 +1,79 @@
+package liboras
+
+import (
+	"strings"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/rs/zerolog/log"
+	"oras.land/oras-go/v2/registry/remote"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+func CreateClient(registry portainer.Registry) (*remote.Registry, error) {
+	registryClient, err := remote.NewRegistry(registry.URL)
+	if err != nil {
+		log.Error().Err(err).Str("registryUrl", registry.URL).Msg("Failed to create registry client")
+		return nil, err
+	}
+	// By default, oras sends multiple requests to get the full list of repos/tags/referrers.
+	// set a high page size limit for fewer round trips.
+	// e.g. https://github.com/oras-project/oras-go/blob/v2.6.0/registry/remote/registry.go#L129-L142
+	registryClient.RepositoryListPageSize = 1000
+	registryClient.TagListPageSize = 1000
+	registryClient.ReferrerListPageSize = 1000
+
+	// Only apply authentication if explicitly enabled AND credentials are provided
+	if registry.Authentication &&
+		strings.TrimSpace(registry.Username) != "" &&
+		strings.TrimSpace(registry.Password) != "" {
+
+		registryClient.Client = &auth.Client{
+			Client: retry.DefaultClient,
+			Cache:  auth.NewCache(),
+			Credential: auth.StaticCredential(registry.URL, auth.Credential{
+				Username: registry.Username,
+				Password: registry.Password,
+			}),
+		}
+
+		log.Debug().
+			Str("registryURL", registry.URL).
+			Str("registryType", getRegistryTypeName(registry.Type)).
+			Bool("authentication", true).
+			Msg("Created ORAS registry client with authentication")
+	} else {
+		// Use default client for anonymous access
+		registryClient.Client = retry.DefaultClient
+
+		log.Debug().
+			Str("registryURL", registry.URL).
+			Str("registryType", getRegistryTypeName(registry.Type)).
+			Bool("authentication", false).
+			Msg("Created ORAS registry client for anonymous access")
+	}
+
+	return registryClient, nil
+}
+
+// getRegistryTypeName returns a human-readable name for the registry type
+func getRegistryTypeName(registryType portainer.RegistryType) string {
+	switch registryType {
+	case portainer.QuayRegistry:
+		return "Quay"
+	case portainer.AzureRegistry:
+		return "Azure"
+	case portainer.CustomRegistry:
+		return "Custom"
+	case portainer.GitlabRegistry:
+		return "GitLab"
+	case portainer.ProGetRegistry:
+		return "ProGet"
+	case portainer.DockerHubRegistry:
+		return "DockerHub"
+	case portainer.EcrRegistry:
+		return "ECR"
+	default:
+		return "Unknown"
+	}
+}
diff --git a/pkg/liboras/registry_test.go b/pkg/liboras/registry_test.go
new file mode 100644
index 000000000..78172f25d
--- /dev/null
+++ b/pkg/liboras/registry_test.go
@@ -0,0 +1,252 @@
+package liboras
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/assert"
+	"oras.land/oras-go/v2/registry/remote/auth"
+	"oras.land/oras-go/v2/registry/remote/retry"
+)
+
+func TestCreateClient_AuthenticationScenarios(t *testing.T) {
+	tests := []struct {
+		name                string
+		registry            portainer.Registry
+		expectAuthenticated bool
+		description         string
+	}{
+		{
+			name: "authentication disabled should create anonymous client",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: false,
+				Username:       "testuser",
+				Password:       "testpass",
+			},
+			expectAuthenticated: false,
+			description:         "Even with credentials present, authentication=false should result in anonymous access",
+		},
+		{
+			name: "authentication enabled with valid credentials should create authenticated client",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: true,
+				Username:       "testuser",
+				Password:       "testpass",
+			},
+			expectAuthenticated: true,
+			description:         "Valid credentials with authentication=true should result in authenticated access",
+		},
+		{
+			name: "authentication enabled with empty username should create anonymous client",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: true,
+				Username:       "",
+				Password:       "testpass",
+			},
+			expectAuthenticated: false,
+			description:         "Empty username should fallback to anonymous access",
+		},
+		{
+			name: "authentication enabled with whitespace-only username should create anonymous client",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: true,
+				Username:       "   ",
+				Password:       "testpass",
+			},
+			expectAuthenticated: false,
+			description:         "Whitespace-only username should fallback to anonymous access",
+		},
+		{
+			name: "authentication enabled with empty password should create anonymous client",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: true,
+				Username:       "testuser",
+				Password:       "",
+			},
+			expectAuthenticated: false,
+			description:         "Empty password should fallback to anonymous access",
+		},
+		{
+			name: "authentication enabled with whitespace-only password should create anonymous client",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: true,
+				Username:       "testuser",
+				Password:       "   ",
+			},
+			expectAuthenticated: false,
+			description:         "Whitespace-only password should fallback to anonymous access",
+		},
+		{
+			name: "authentication enabled with both credentials empty should create anonymous client",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: true,
+				Username:       "",
+				Password:       "",
+			},
+			expectAuthenticated: false,
+			description:         "Both credentials empty should fallback to anonymous access",
+		},
+		{
+			name: "public registry with no authentication should create anonymous client",
+			registry: portainer.Registry{
+				URL:            "docker.io",
+				Authentication: false,
+				Username:       "",
+				Password:       "",
+			},
+			expectAuthenticated: false,
+			description:         "Public registries without authentication should use anonymous access",
+		},
+		{
+			name: "GitLab registry with valid credentials should create authenticated client",
+			registry: portainer.Registry{
+				Type:           portainer.GitlabRegistry,
+				URL:            "registry.gitlab.com",
+				Authentication: true,
+				Username:       "gitlab-ci-token",
+				Password:       "glpat-xxxxxxxxxxxxxxxxxxxx",
+				Gitlab: portainer.GitlabRegistryData{
+					ProjectID:   12345,
+					InstanceURL: "https://gitlab.com",
+					ProjectPath: "my-group/my-project",
+				},
+			},
+			expectAuthenticated: true,
+			description:         "GitLab registry with valid credentials should result in authenticated access",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			client, err := CreateClient(tt.registry)
+
+			assert.NoError(t, err, "CreateClient should not return an error")
+			assert.NotNil(t, client, "Client should not be nil")
+
+			// Check if the client has authentication configured
+			if tt.expectAuthenticated {
+				// Should have auth.Client with credentials
+				authClient, ok := client.Client.(*auth.Client)
+				assert.True(t, ok, "Expected auth.Client for authenticated access")
+				assert.NotNil(t, authClient, "Auth client should not be nil")
+				assert.NotNil(t, authClient.Credential, "Credential function should be set")
+			} else {
+				// Should use retry.DefaultClient (no authentication)
+				assert.Equal(t, retry.DefaultClient, client.Client,
+					"Expected retry.DefaultClient for anonymous access")
+			}
+		})
+	}
+}
+
+func TestCreateClient_RegistryTypes(t *testing.T) {
+	registryTypes := []struct {
+		name         string
+		registryType portainer.RegistryType
+		expectedName string
+	}{
+		{"DockerHub", portainer.DockerHubRegistry, "DockerHub"},
+		{"Azure", portainer.AzureRegistry, "Azure"},
+		{"Custom", portainer.CustomRegistry, "Custom"},
+		{"GitLab", portainer.GitlabRegistry, "GitLab"},
+		{"Quay", portainer.QuayRegistry, "Quay"},
+		{"ProGet", portainer.ProGetRegistry, "ProGet"},
+		{"ECR", portainer.EcrRegistry, "ECR"},
+	}
+
+	for _, rt := range registryTypes {
+		t.Run(rt.name, func(t *testing.T) {
+			registry := portainer.Registry{
+				URL:            "registry.example.com",
+				Type:           rt.registryType,
+				Authentication: false,
+			}
+
+			client, err := CreateClient(registry)
+
+			assert.NoError(t, err, "CreateClient should not return an error")
+			assert.NotNil(t, client, "Client should not be nil")
+
+			// Verify that getRegistryTypeName returns the expected name
+			typeName := getRegistryTypeName(rt.registryType)
+			assert.Equal(t, rt.expectedName, typeName, "Registry type name mismatch")
+		})
+	}
+}
+
+func TestGetRegistryTypeName(t *testing.T) {
+	tests := []struct {
+		registryType portainer.RegistryType
+		expectedName string
+	}{
+		{portainer.QuayRegistry, "Quay"},
+		{portainer.AzureRegistry, "Azure"},
+		{portainer.CustomRegistry, "Custom"},
+		{portainer.GitlabRegistry, "GitLab"},
+		{portainer.ProGetRegistry, "ProGet"},
+		{portainer.DockerHubRegistry, "DockerHub"},
+		{portainer.EcrRegistry, "ECR"},
+		{portainer.RegistryType(999), "Unknown"}, // Unknown type
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.expectedName, func(t *testing.T) {
+			result := getRegistryTypeName(tt.registryType)
+			assert.Equal(t, tt.expectedName, result, "Registry type name mismatch")
+		})
+	}
+}
+
+func TestCreateClient_ErrorHandling(t *testing.T) {
+	tests := []struct {
+		name        string
+		registry    portainer.Registry
+		expectError bool
+	}{
+		{
+			name: "valid registry URL should not error",
+			registry: portainer.Registry{
+				URL:            "registry.example.com",
+				Authentication: false,
+			},
+			expectError: false,
+		},
+		{
+			name: "empty registry URL should error",
+			registry: portainer.Registry{
+				URL:            "",
+				Authentication: false,
+			},
+			expectError: true,
+		},
+		{
+			name: "invalid registry URL should error",
+			registry: portainer.Registry{
+				URL:            "://invalid-url",
+				Authentication: false,
+			},
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			client, err := CreateClient(tt.registry)
+
+			if tt.expectError {
+				assert.Error(t, err, "Expected an error but got none")
+				assert.Nil(t, client, "Client should be nil when error occurs")
+			} else {
+				assert.NoError(t, err, "Expected no error but got: %v", err)
+				assert.NotNil(t, client, "Client should not be nil")
+			}
+		})
+	}
+}
diff --git a/pkg/liboras/repository.go b/pkg/liboras/repository.go
new file mode 100644
index 000000000..2bd78f46a
--- /dev/null
+++ b/pkg/liboras/repository.go
@@ -0,0 +1,126 @@
+package liboras
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"sort"
+
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/concurrent"
+	"github.com/segmentio/encoding/json"
+	"golang.org/x/mod/semver"
+	"oras.land/oras-go/v2/registry"
+	"oras.land/oras-go/v2/registry/remote"
+)
+
+// ListRepositories retrieves all repositories from a registry using specialized repository listing clients
+// Each registry type has different repository listing implementations that require specific API calls
+func ListRepositories(ctx context.Context, registry *portainer.Registry, registryClient *remote.Registry) ([]string, error) {
+	factory := NewRepositoryListClientFactory()
+	listClient, err := factory.CreateListClientWithRegistry(registry, registryClient)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create repository list client: %w", err)
+	}
+
+	return listClient.ListRepositories(ctx)
+}
+
+// FilterRepositoriesByMediaType filters repositories to only include those with the expected media type
+func FilterRepositoriesByMediaType(ctx context.Context, repositoryNames []string, registryClient *remote.Registry, expectedMediaType string) ([]string, error) {
+	// Run concurrently as this can take 10s+ to complete in serial
+	var tasks []concurrent.Func
+	for _, repoName := range repositoryNames {
+		name := repoName
+		task := func(ctx context.Context) (any, error) {
+			repository, err := registryClient.Repository(ctx, name)
+			if err != nil {
+				return nil, err
+			}
+
+			if HasMediaType(ctx, repository, expectedMediaType) {
+				return name, nil
+			}
+			return nil, nil // not a repository with the expected media type
+		}
+		tasks = append(tasks, task)
+	}
+
+	// 10 is a reasonable max concurrency limit
+	results, err := concurrent.Run(ctx, 10, tasks...)
+	if err != nil {
+		return nil, err
+	}
+
+	// Collect repository names
+	var repositories []string
+	for _, result := range results {
+		if result.Result != nil {
+			if repoName, ok := result.Result.(string); ok {
+				repositories = append(repositories, repoName)
+			}
+		}
+	}
+
+	return repositories, nil
+}
+
+// HasMediaType checks if a repository has artifacts with the specified media type
+func HasMediaType(ctx context.Context, repository registry.Repository, expectedMediaType string) bool {
+	// Check the first available tag
+	// Reasonable limitation - it won't work for repos where the latest tag is missing the expected media type but other tags have it
+	// This tradeoff is worth it for the performance benefits
+	var latestTag string
+	err := repository.Tags(ctx, "", func(tagList []string) error {
+		if len(tagList) > 0 {
+			// Order the taglist by latest semver, then get the latest tag
+			// e.g. ["1.0", "1.1"] -> ["1.1", "1.0"] -> "1.1"
+			sort.Slice(tagList, func(i, j int) bool {
+				return semver.Compare(tagList[i], tagList[j]) > 0
+			})
+			latestTag = tagList[0]
+		}
+		return nil
+	})
+
+	if err != nil {
+		return false
+	}
+
+	if latestTag == "" {
+		return false
+	}
+
+	descriptor, err := repository.Resolve(ctx, latestTag)
+	if err != nil {
+		return false
+	}
+
+	return descriptorHasMediaType(ctx, repository, descriptor, expectedMediaType)
+}
+
+// descriptorHasMediaType checks if a descriptor or its manifest contains the expected media type
+func descriptorHasMediaType(ctx context.Context, repository registry.Repository, descriptor ocispec.Descriptor, expectedMediaType string) bool {
+	// Check if the descriptor indicates the expected media type
+	if descriptor.MediaType == expectedMediaType {
+		return true
+	}
+
+	// Otherwise, look for the expected media type in the entire manifest content
+	manifestReader, err := repository.Manifests().Fetch(ctx, descriptor)
+	if err != nil {
+		return false
+	}
+	defer manifestReader.Close()
+
+	content, err := io.ReadAll(manifestReader)
+	if err != nil {
+		return false
+	}
+	var manifest ocispec.Manifest
+	if err := json.Unmarshal(content, &manifest); err != nil {
+		return false
+	}
+	return manifest.Config.MediaType == expectedMediaType
+}

From db2e168540304b87d515cc8893624d7ec4a32a3c Mon Sep 17 00:00:00 2001
From: Cara Ryan <cara.ryan@portainer.io>
Date: Mon, 14 Jul 2025 10:23:05 +1200
Subject: [PATCH 185/212] chore: bump version to 2.32.0 (#884)

---
 api/datastore/test_data/output_24_to_latest.json | 4 ++--
 api/http/handler/handler.go                      | 2 +-
 api/portainer.go                                 | 2 +-
 package.json                                     | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/api/datastore/test_data/output_24_to_latest.json b/api/datastore/test_data/output_24_to_latest.json
index 8bdc55983..5e8b0eefa 100644
--- a/api/datastore/test_data/output_24_to_latest.json
+++ b/api/datastore/test_data/output_24_to_latest.json
@@ -615,7 +615,7 @@
       "RequiredPasswordLength": 12
     },
     "KubeconfigExpiry": "0",
-    "KubectlShellImage": "portainer/kubectl-shell:2.31.0",
+    "KubectlShellImage": "portainer/kubectl-shell:2.32.0",
     "LDAPSettings": {
       "AnonymousMode": true,
       "AutoCreateUsers": true,
@@ -944,7 +944,7 @@
     }
   ],
   "version": {
-    "VERSION": "{\"SchemaVersion\":\"2.31.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
+    "VERSION": "{\"SchemaVersion\":\"2.32.0\",\"MigratorCount\":1,\"Edition\":1,\"InstanceID\":\"463d5c47-0ea5-4aca-85b1-405ceefee254\"}"
   },
   "webhooks": null
 }
\ No newline at end of file
diff --git a/api/http/handler/handler.go b/api/http/handler/handler.go
index 1ae55a002..1704eb316 100644
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -81,7 +81,7 @@ type Handler struct {
 }
 
 // @title PortainerCE API
-// @version 2.31.0
+// @version 2.32.0
 // @description.markdown api-description.md
 // @termsOfService
 
diff --git a/api/portainer.go b/api/portainer.go
index e2bac623b..8172f08fa 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1747,7 +1747,7 @@ type (
 
 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.31.0"
+	APIVersion = "2.32.0"
 	// Support annotation for the API version ("STS" for Short-Term Support or "LTS" for Long-Term Support)
 	APIVersionSupport = "STS"
 	// Edition is what this edition of Portainer is called
diff --git a/package.json b/package.json
index 3bcac5b09..9a250005a 100644
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
   "author": "Portainer.io",
   "name": "portainer",
   "homepage": "http://portainer.io",
-  "version": "2.31.0",
+  "version": "2.32.0",
   "repository": {
     "type": "git",
     "url": "git@github.com:portainer/portainer.git"

From 9f906b7417e7df177822c4b18f9f2376a5f82b04 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Mon, 14 Jul 2025 17:16:33 +1200
Subject: [PATCH 186/212] refactor(app/tests): Make createMockUsers more
 deterministic [r8s-406] (#887)

---
 app/react-tools/test-mocks.ts                 | 11 +++++--
 .../TeamAssociationSelector.stories.tsx       |  4 +--
 .../TeamMembersList.stories.tsx               |  2 +-
 .../UsersList/UsersList.stories.tsx           | 29 +++++++++++++++----
 app/setup-tests/setup-handlers/users.ts       |  5 +++-
 5 files changed, 40 insertions(+), 11 deletions(-)

diff --git a/app/react-tools/test-mocks.ts b/app/react-tools/test-mocks.ts
index 20fe7dee3..d9c7d273c 100644
--- a/app/react-tools/test-mocks.ts
+++ b/app/react-tools/test-mocks.ts
@@ -10,7 +10,7 @@ import {
 
 export function createMockUsers(
   count: number,
-  roles: Role | Role[] | ((id: UserId) => Role) = () => _.random(1, 3)
+  roles: Role | Role[] | ((id: UserId) => Role)
 ): User[] {
   return _.range(1, count + 1).map((value) => ({
     Id: value,
@@ -40,7 +40,14 @@ function getRoles(
     return roles;
   }
 
-  return roles[id];
+  // Roles is an array
+  if (roles.length === 0) {
+    throw new Error('No roles provided');
+  }
+
+  // The number of roles is not necessarily the same length as the number of users
+  // so we need to distribute the roles evenly and consistently
+  return roles[(id - 1) % roles.length];
 }
 
 export function createMockTeams(count: number): Team[] {
diff --git a/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamAssociationSelector.stories.tsx b/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamAssociationSelector.stories.tsx
index d4d4142f7..9c7fa8a32 100644
--- a/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamAssociationSelector.stories.tsx
+++ b/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamAssociationSelector.stories.tsx
@@ -2,7 +2,7 @@ import { Meta } from '@storybook/react';
 import { useMemo, useState } from 'react';
 
 import { createMockUsers } from '@/react-tools/test-mocks';
-import { Role, User } from '@/portainer/users/types';
+import { Role } from '@/portainer/users/types';
 import { UserViewModel } from '@/portainer/models/user';
 import { UserContext } from '@/react/hooks/useUser';
 
@@ -28,7 +28,7 @@ function Example({ userRole }: Args) {
     () => ({ user: new UserViewModel({ Role: userRole }) }),
     [userRole]
   );
-  const [users] = useState(createMockUsers(20) as User[]);
+  const [users] = useState(createMockUsers(20, Role.Standard));
 
   const [memberships] = useState<Omit<TeamMembership, 'Id' | 'TeamID'>[]>(
     users
diff --git a/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamMembersList/TeamMembersList.stories.tsx b/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamMembersList/TeamMembersList.stories.tsx
index 6f2e53f1e..efe4cc908 100644
--- a/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamMembersList/TeamMembersList.stories.tsx
+++ b/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/TeamMembersList/TeamMembersList.stories.tsx
@@ -28,7 +28,7 @@ function Example({ userRole }: Args) {
     [userRole]
   );
 
-  const [users] = useState(createMockUsers(20));
+  const [users] = useState(createMockUsers(20, Role.Standard));
   const [roles] = useState(
     Object.fromEntries(
       users.map((user) => [
diff --git a/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/UsersList/UsersList.stories.tsx b/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/UsersList/UsersList.stories.tsx
index bbbcc6498..8966d6fad 100644
--- a/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/UsersList/UsersList.stories.tsx
+++ b/app/react/portainer/users/teams/ItemView/TeamAssociationSelector/UsersList/UsersList.stories.tsx
@@ -1,6 +1,10 @@
 import { Meta } from '@storybook/react';
+import { useMemo } from 'react';
 
 import { createMockUsers } from '@/react-tools/test-mocks';
+import { Role } from '@/portainer/users/types';
+import { UserContext } from '@/react/hooks/useUser';
+import { UserViewModel } from '@/portainer/models/user';
 
 import { UsersList } from './UsersList';
 
@@ -13,10 +17,25 @@ export default meta;
 
 export { Example };
 
-function Example() {
-  const users = createMockUsers(20);
-
-  return <UsersList users={users} teamId={3} />;
+interface Args {
+  userRole: Role;
 }
 
-Example.args = {};
+function Example({ userRole }: Args) {
+  const userProviderState = useMemo(
+    () => ({ user: new UserViewModel({ Role: userRole }) }),
+    [userRole]
+  );
+
+  const users = createMockUsers(20, Role.Standard);
+
+  return (
+    <UserContext.Provider value={userProviderState}>
+      <UsersList users={users} teamId={3} />
+    </UserContext.Provider>
+  );
+}
+
+Example.args = {
+  userRole: Role.Admin,
+};
diff --git a/app/setup-tests/setup-handlers/users.ts b/app/setup-tests/setup-handlers/users.ts
index 67eb6debb..be8c3a5e3 100644
--- a/app/setup-tests/setup-handlers/users.ts
+++ b/app/setup-tests/setup-handlers/users.ts
@@ -2,9 +2,12 @@ import { http, HttpResponse } from 'msw';
 
 import { TeamMembership } from '@/react/portainer/users/teams/types';
 import { createMockUsers } from '@/react-tools/test-mocks';
+import { Role } from '@/portainer/users/types';
 
 export const userHandlers = [
-  http.get('/api/users', async () => HttpResponse.json(createMockUsers(10))),
+  http.get('/api/users', async () =>
+    HttpResponse.json(createMockUsers(10, Role.Standard))
+  ),
   http.get<never, never, TeamMembership[]>(
     '/api/users/:userId/memberships',
     () => HttpResponse.json([])

From 383bcc4113b724ee859e368e9cb0ad2c5c7d09c1 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Tue, 15 Jul 2025 13:57:43 +1200
Subject: [PATCH 187/212] fix(docker/images): Fix image detail actions icon
 colours [be-12044] (#892)

---
 app/docker/views/images/edit/image.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/docker/views/images/edit/image.html b/app/docker/views/images/edit/image.html
index 7bee83a2b..af37cd0e2 100644
--- a/app/docker/views/images/edit/image.html
+++ b/app/docker/views/images/edit/image.html
@@ -16,19 +16,19 @@
                   <span class="input-group-btn" style="padding: 0px 5px">
                     <span style="margin: 0px 5px" authorization="DockerImagePush">
                       <a data-toggle="tooltip" class="btn btn-primary interactive" title="Push to registry" ng-click="pushTag(tag)">
-                        <pr-icon icon="'upload'" class="text-white"></pr-icon>
+                        <pr-icon icon="'upload'"></pr-icon>
                       </a>
                     </span>
 
                     <span class="mx-1 my-0" authorization="DockerImageCreate">
                       <a data-toggle="tooltip" class="btn btn-primary interactive" title="Pull from registry" ng-click="pullTag(tag)">
-                        <pr-icon icon="'download'" class="text-white"></pr-icon>
+                        <pr-icon icon="'download'"></pr-icon>
                       </a>
                     </span>
 
                     <span class="mx-1 my-0" authorization="DockerImageDelete">
                       <a data-toggle="tooltip" class="btn btn-primary interactive" title="Remove tag" ng-click="removeTag(tag)">
-                        <pr-icon icon="'trash-2'" class="text-white"></pr-icon>
+                        <pr-icon icon="'trash-2'"></pr-icon>
                       </a>
                     </span>
                   </span>

From 4e4c5ffdb623cbb2e5fee3a00dcfe7caa6912dd5 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Wed, 16 Jul 2025 16:37:59 +1200
Subject: [PATCH 188/212] fix(app/kubernetes): Fix listing of secrets and
 configmaps with same name [r8s-288] (#897)

---
 .../ApplicationEnvVarsTable.test.tsx          | 702 ++++++++++++++++++
 .../ApplicationEnvVarsTable.tsx               |  20 +-
 .../ApplicationVolumeConfigsTable.test.tsx    | 583 +++++++++++++++
 .../ApplicationVolumeConfigsTable.tsx         |  36 +-
 4 files changed, 1316 insertions(+), 25 deletions(-)
 create mode 100644 app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.test.tsx
 create mode 100644 app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.test.tsx

diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.test.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.test.tsx
new file mode 100644
index 000000000..22baba628
--- /dev/null
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.test.tsx
@@ -0,0 +1,702 @@
+import React from 'react';
+import { render, screen } from '@testing-library/react';
+import { vi, beforeEach, afterEach } from 'vitest';
+
+import { Application } from '../../types';
+
+import { ApplicationEnvVarsTable } from './ApplicationEnvVarsTable';
+
+// Mock icon components
+vi.mock('lucide-react', () => ({
+  Asterisk: () => <span data-cy="asterisk-icon" />,
+  File: () => <span data-cy="file-icon" />,
+  FileCode: () => <span data-cy="file-code-icon" />,
+  Key: () => <span data-cy="key-icon" />,
+  Lock: () => <span data-cy="lock-icon" />,
+}));
+
+// Mock UI components
+vi.mock('@@/Icon', () => ({
+  Icon: ({
+    icon: IconComponent,
+    ...props
+  }: {
+    icon: React.ComponentType;
+    [key: string]: unknown;
+  }) => <IconComponent {...props} />,
+}));
+
+vi.mock('@@/Tip/TextTip', () => ({
+  TextTip: ({
+    children,
+    color,
+  }: {
+    children: React.ReactNode;
+    color?: string;
+  }) => (
+    <div data-cy="text-tip" data-color={color}>
+      {children}
+    </div>
+  ),
+}));
+
+// Mock the Link component to capture routing props
+const mockLink = vi.fn();
+vi.mock('@@/Link', () => ({
+  Link: ({
+    children,
+    to,
+    params,
+    'data-cy': dataCy,
+    className,
+  }: {
+    children: React.ReactNode;
+    to: string;
+    params: Record<string, string>;
+    'data-cy'?: string;
+    className?: string;
+  }) => {
+    mockLink({ children, to, params, 'data-cy': dataCy, className });
+    return (
+      <span
+        data-cy={dataCy}
+        data-testid={dataCy}
+        role="link"
+        data-to={to}
+        data-params={JSON.stringify(params)}
+        className={className}
+      >
+        {children}
+      </span>
+    );
+  },
+}));
+
+describe('ApplicationEnvVarsTable', () => {
+  beforeEach(() => {
+    mockLink.mockClear();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('should render helpful tip when there are no environment variables', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(
+      screen.getByText('Environment variables, ConfigMaps or Secrets')
+    ).toBeInTheDocument();
+    expect(screen.getByTestId('text-tip')).toBeInTheDocument();
+    expect(
+      screen.getByText(
+        'This application is not using any environment variable, ConfigMap or Secret.'
+      )
+    ).toBeInTheDocument();
+  });
+
+  it('should render nothing when app is undefined', () => {
+    render(<ApplicationEnvVarsTable namespace="default" app={undefined} />);
+
+    expect(
+      screen.getByText('Environment variables, ConfigMaps or Secrets')
+    ).toBeInTheDocument();
+    expect(screen.getByTestId('text-tip')).toBeInTheDocument();
+  });
+
+  it('should render regular environment variables with direct values', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            env: [
+              {
+                name: 'ENV_VAR',
+                value: 'test-value',
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('ENV_VAR')).toBeInTheDocument();
+    expect(screen.getByText('test-value')).toBeInTheDocument();
+    expect(screen.getByText('-')).toBeInTheDocument(); // No configuration resource
+  });
+
+  it('should render configmap environment variables with correct routing', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            env: [
+              {
+                name: 'CONFIG_VAR',
+                valueFrom: {
+                  configMapKeyRef: {
+                    name: 'test-configmap',
+                    key: 'config-key',
+                  },
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getAllByText('CONFIG_VAR')).toHaveLength(2); // Appears in name and value columns
+    // Note: config-key is not displayed in UI - the component shows the env var name
+    expect(screen.getByText('test-configmap')).toBeInTheDocument();
+    expect(screen.getByTestId('key-icon')).toBeInTheDocument();
+    expect(screen.getByTestId('file-code-icon')).toBeInTheDocument();
+
+    // Verify the Link component was called with correct routing parameters
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.configmaps.configmap',
+        params: {
+          name: 'test-configmap',
+          namespace: 'default',
+        },
+        'data-cy': 'configmap-link-test-configmap',
+      })
+    );
+  });
+
+  it('should render secret environment variables with correct routing', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            env: [
+              {
+                name: 'SECRET_VAR',
+                valueFrom: {
+                  secretKeyRef: {
+                    name: 'test-secret',
+                    key: 'secret-key',
+                  },
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getAllByText('SECRET_VAR')).toHaveLength(2); // Appears in name and value columns
+    // Note: secret-key is not displayed in UI - the component shows the env var name
+    expect(screen.getByText('test-secret')).toBeInTheDocument();
+    expect(screen.getByTestId('key-icon')).toBeInTheDocument();
+    expect(screen.getByTestId('lock-icon')).toBeInTheDocument();
+
+    // Verify the Link component was called with correct routing parameters for secret
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.secrets.secret',
+        params: {
+          name: 'test-secret',
+          namespace: 'default',
+        },
+        'data-cy': 'configmap-link-test-secret',
+      })
+    );
+  });
+
+  it('should render downward API field references', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            env: [
+              {
+                name: 'POD_NAME',
+                valueFrom: {
+                  fieldRef: {
+                    fieldPath: 'metadata.name',
+                  },
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('POD_NAME')).toBeInTheDocument();
+    expect(
+      screen.getByText(
+        (content, element) =>
+          content.includes('metadata.name') && element?.tagName === 'SPAN'
+      )
+    ).toBeInTheDocument();
+    expect(screen.getByText('downward API')).toBeInTheDocument();
+    expect(screen.getByTestId('asterisk-icon')).toBeInTheDocument();
+    expect(screen.getByText('-')).toBeInTheDocument(); // No configuration resource
+  });
+
+  it('should render envFrom configmap (entire configmap import)', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            envFrom: [
+              {
+                configMapRef: {
+                  name: 'entire-configmap',
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getAllByText('-')).toHaveLength(2); // EnvFrom doesn't have a specific key name or value
+    expect(screen.getByText('entire-configmap')).toBeInTheDocument();
+    expect(screen.getByTestId('file-code-icon')).toBeInTheDocument();
+
+    // Verify configmap routing
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.configmaps.configmap',
+        params: {
+          name: 'entire-configmap',
+          namespace: 'default',
+        },
+        'data-cy': 'configmap-link-entire-configmap',
+      })
+    );
+  });
+
+  it('should render envFrom secret (entire secret import)', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            envFrom: [
+              {
+                secretRef: {
+                  name: 'entire-secret',
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getAllByText('-')).toHaveLength(2); // EnvFrom doesn't have a specific key name or value
+    expect(screen.getByText('entire-secret')).toBeInTheDocument();
+    expect(screen.getByTestId('lock-icon')).toBeInTheDocument();
+
+    // Verify secret routing
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.secrets.secret',
+        params: {
+          name: 'entire-secret',
+          namespace: 'default',
+        },
+        'data-cy': 'configmap-link-entire-secret',
+      })
+    );
+  });
+
+  it('should render init containers with asterisk indicator', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'main-container',
+            image: 'main-image',
+            env: [
+              {
+                name: 'MAIN_VAR',
+                value: 'main-value',
+              },
+            ],
+          },
+        ],
+        initContainers: [
+          {
+            name: 'init-container',
+            image: 'init-image',
+            env: [
+              {
+                name: 'INIT_VAR',
+                value: 'init-value',
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    // Check main container
+    expect(screen.getByText('main-container')).toBeInTheDocument();
+    expect(screen.getByText('MAIN_VAR')).toBeInTheDocument();
+    expect(screen.getByText('main-value')).toBeInTheDocument();
+
+    // Check init container
+    expect(screen.getByText('init-container')).toBeInTheDocument();
+    expect(screen.getByText('INIT_VAR')).toBeInTheDocument();
+    expect(screen.getByText('init-value')).toBeInTheDocument();
+    expect(screen.getByText('init container')).toBeInTheDocument();
+    expect(screen.getByTestId('asterisk-icon')).toBeInTheDocument();
+  });
+
+  it('should handle mixed environment variable types correctly', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            env: [
+              {
+                name: 'REGULAR_VAR',
+                value: 'regular-value',
+              },
+              {
+                name: 'CONFIG_VAR',
+                valueFrom: {
+                  configMapKeyRef: {
+                    name: 'test-configmap',
+                    key: 'config-key',
+                  },
+                },
+              },
+              {
+                name: 'SECRET_VAR',
+                valueFrom: {
+                  secretKeyRef: {
+                    name: 'test-secret',
+                    key: 'secret-key',
+                  },
+                },
+              },
+            ],
+            envFrom: [
+              {
+                configMapRef: {
+                  name: 'entire-configmap',
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getAllByText('test-container')).toHaveLength(4); // Should appear 4 times - once for each env var
+    expect(screen.getByText('REGULAR_VAR')).toBeInTheDocument();
+    expect(screen.getByText('regular-value')).toBeInTheDocument();
+    expect(screen.getAllByText('CONFIG_VAR')).toHaveLength(2); // Appears in name and value columns
+    // Note: config-key is not displayed in UI - the component shows the env var name
+    expect(screen.getAllByText('SECRET_VAR')).toHaveLength(2); // Appears in name and value columns
+    // Note: secret-key is not displayed in UI - the component shows the env var name
+    expect(screen.getByText('test-configmap')).toBeInTheDocument();
+    expect(screen.getByText('test-secret')).toBeInTheDocument();
+    expect(screen.getByText('entire-configmap')).toBeInTheDocument();
+
+    // Should have made multiple Link calls
+    expect(mockLink).toHaveBeenCalledTimes(3);
+
+    // Verify different routing calls
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.configmaps.configmap',
+      })
+    );
+
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.secrets.secret',
+      })
+    );
+  });
+
+  it('should handle Deployment kind applications', () => {
+    const app: Application = {
+      metadata: { name: 'test-deployment', namespace: 'default' },
+      spec: {
+        selector: {
+          matchLabels: {
+            app: 'test-app',
+          },
+        },
+        template: {
+          spec: {
+            containers: [
+              {
+                name: 'test-container',
+                image: 'test-image',
+                env: [
+                  {
+                    name: 'ENV_VAR',
+                    value: 'test-value',
+                  },
+                ],
+              },
+            ],
+          },
+        },
+      },
+      kind: 'Deployment',
+      apiVersion: 'apps/v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('ENV_VAR')).toBeInTheDocument();
+    expect(screen.getByText('test-value')).toBeInTheDocument();
+  });
+
+  it('should handle missing resource names gracefully', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            env: [
+              {
+                name: 'CONFIG_VAR',
+                valueFrom: {
+                  configMapKeyRef: {
+                    // name is undefined
+                    key: 'config-key',
+                  },
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getAllByText('CONFIG_VAR')).toHaveLength(2); // Appears in name and value columns
+    // Note: config-key is not displayed in UI - the component shows the env var name
+
+    // Should show dash for missing resource name
+    const dashElements = screen.getAllByText('-');
+    expect(dashElements.length).toBeGreaterThan(0);
+  });
+
+  it('should handle containers without environment variables', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            // No env or envFrom
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(
+      screen.getByText('Environment variables, ConfigMaps or Secrets')
+    ).toBeInTheDocument();
+    expect(screen.getByTestId('text-tip')).toBeInTheDocument();
+    expect(
+      screen.getByText(
+        'This application is not using any environment variable, ConfigMap or Secret.'
+      )
+    ).toBeInTheDocument();
+  });
+
+  it('should handle environment variables without keys', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            env: [
+              {
+                name: '', // Empty name to test this edge case
+                value: 'test-value',
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('test-value')).toBeInTheDocument();
+
+    // Should show dash for missing env var name
+    const dashElements = screen.getAllByText('-');
+    expect(dashElements.length).toBeGreaterThan(0);
+  });
+
+  it('should render multiple containers with different environment variable types', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'container-1',
+            image: 'image-1',
+            env: [
+              {
+                name: 'CONFIG_VAR',
+                valueFrom: {
+                  configMapKeyRef: {
+                    name: 'shared-config',
+                    key: 'config-key',
+                  },
+                },
+              },
+            ],
+          },
+          {
+            name: 'container-2',
+            image: 'image-2',
+            env: [
+              {
+                name: 'SECRET_VAR',
+                valueFrom: {
+                  secretKeyRef: {
+                    name: 'shared-config', // Same name but different type
+                    key: 'secret-key',
+                  },
+                },
+              },
+            ],
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationEnvVarsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('container-1')).toBeInTheDocument();
+    expect(screen.getByText('container-2')).toBeInTheDocument();
+    expect(screen.getAllByText('CONFIG_VAR')).toHaveLength(2); // Appears in name and value columns
+    expect(screen.getAllByText('SECRET_VAR')).toHaveLength(2); // Appears in name and value columns
+    expect(screen.getAllByText('shared-config')).toHaveLength(2);
+
+    // Should have made two Link calls - one for configmap, one for secret
+    expect(mockLink).toHaveBeenCalledTimes(2);
+
+    // Verify configmap routing
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.configmaps.configmap',
+        params: {
+          name: 'shared-config',
+          namespace: 'default',
+        },
+      })
+    );
+
+    // Verify secret routing
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.secrets.secret',
+        params: {
+          name: 'shared-config',
+          namespace: 'default',
+        },
+      })
+    );
+  });
+});
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.tsx
index c1b7435f2..bbfefef0d 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.tsx
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationEnvVarsTable.tsx
@@ -84,8 +84,8 @@ export function ApplicationEnvVarsTable({ namespace, app }: Props) {
                     ))}
                 </td>
                 <td data-cy="k8sAppDetail-configName">
-                  {!envVar.resourseName && <span>-</span>}
-                  {envVar.resourseName && (
+                  {!envVar.resourceName && <span>-</span>}
+                  {envVar.resourceName && (
                     <span>
                       <Link
                         to={
@@ -94,17 +94,17 @@ export function ApplicationEnvVarsTable({ namespace, app }: Props) {
                             : 'kubernetes.secrets.secret'
                         }
                         params={{
-                          name: envVar.resourseName,
+                          name: envVar.resourceName,
                           namespace,
                         }}
                         className="flex items-center"
-                        data-cy={`configmap-link-${envVar.resourseName}`}
+                        data-cy={`configmap-link-${envVar.resourceName}`}
                       >
                         <Icon
                           icon={envVar.type === 'configMap' ? FileCode : Lock}
                           className="!mr-1"
                         />
-                        {envVar.resourseName}
+                        {envVar.resourceName}
                       </Link>
                     </span>
                   )}
@@ -126,7 +126,7 @@ interface ContainerEnvVar {
   containerName: string;
   isInitContainer: boolean;
   type: EnvVarType;
-  resourseName: string;
+  resourceName: string;
 }
 
 function getApplicationEnvironmentVariables(
@@ -159,7 +159,7 @@ function getApplicationEnvironmentVariables(
             containerName: container.name,
             isInitContainer: false,
             type: envtype,
-            resourseName:
+            resourceName:
               envVar?.valueFrom?.configMapKeyRef?.name ||
               envVar?.valueFrom?.secretKeyRef?.name ||
               '',
@@ -170,7 +170,7 @@ function getApplicationEnvironmentVariables(
       const containerEnvFroms: ContainerEnvVar[] =
         container?.envFrom?.map((envFrom) => ({
           name: '',
-          resourseName:
+          resourceName:
             envFrom?.configMapRef?.name || envFrom?.secretRef?.name || '',
           containerName: container.name,
           isInitContainer: false,
@@ -196,7 +196,7 @@ function getApplicationEnvironmentVariables(
             containerName: container.name,
             isInitContainer: true,
             type: envtype,
-            resourseName:
+            resourceName:
               envVar?.valueFrom?.configMapKeyRef?.name ||
               envVar?.valueFrom?.secretKeyRef?.name ||
               '',
@@ -207,7 +207,7 @@ function getApplicationEnvironmentVariables(
       const containerEnvFroms: ContainerEnvVar[] =
         container?.envFrom?.map((envFrom) => ({
           name: '',
-          resourseName:
+          resourceName:
             envFrom?.configMapRef?.name || envFrom?.secretRef?.name || '',
           containerName: container.name,
           isInitContainer: true,
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.test.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.test.tsx
new file mode 100644
index 000000000..2fce798ea
--- /dev/null
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.test.tsx
@@ -0,0 +1,583 @@
+import React from 'react';
+import { render, screen } from '@testing-library/react';
+import { vi, beforeEach, afterEach } from 'vitest';
+
+import { Application } from '../../types';
+
+import { ApplicationVolumeConfigsTable } from './ApplicationVolumeConfigsTable';
+
+// Mock icon components
+vi.mock('lucide-react', () => ({
+  Asterisk: () => <span data-cy="asterisk-icon" />,
+  Plus: () => <span data-cy="plus-icon" />,
+}));
+
+// Mock UI components
+vi.mock('@@/Icon', () => ({
+  Icon: ({
+    icon: IconComponent,
+    ...props
+  }: {
+    icon: React.ComponentType;
+    [key: string]: unknown;
+  }) => <IconComponent {...props} />,
+}));
+
+// Mock the Link component to capture routing props
+const mockLink = vi.fn();
+vi.mock('@@/Link', () => ({
+  Link: ({
+    children,
+    to,
+    params,
+    'data-cy': dataCy,
+    className,
+  }: {
+    children: React.ReactNode;
+    to: string;
+    params: Record<string, string>;
+    'data-cy'?: string;
+    className?: string;
+  }) => {
+    mockLink({ children, to, params, 'data-cy': dataCy, className });
+    return (
+      <span
+        data-cy={dataCy}
+        data-testid={dataCy}
+        role="link"
+        data-to={to}
+        data-params={JSON.stringify(params)}
+        className={className}
+      >
+        {children}
+      </span>
+    );
+  },
+}));
+
+describe('ApplicationVolumeConfigsTable', () => {
+  beforeEach(() => {
+    mockLink.mockClear();
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('should render nothing when there are no volume configurations', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    const { container } = render(
+      <ApplicationVolumeConfigsTable namespace="default" app={app} />
+    );
+
+    expect(container.firstChild).toBeNull();
+  });
+
+  it('should render nothing when app is undefined', () => {
+    const { container } = render(
+      <ApplicationVolumeConfigsTable namespace="default" app={undefined} />
+    );
+
+    expect(container.firstChild).toBeNull();
+  });
+
+  it('should render volume configurations from configmaps with items', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            volumeMounts: [
+              {
+                name: 'config-volume',
+                mountPath: '/etc/config',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'config-volume',
+            configMap: {
+              name: 'test-configmap',
+              items: [
+                {
+                  key: 'config-key',
+                  path: 'config.yaml',
+                },
+              ],
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('/etc/config/config.yaml')).toBeInTheDocument();
+    expect(screen.getByText('config-key')).toBeInTheDocument();
+    expect(screen.getAllByTestId('plus-icon')).toHaveLength(2); // One for value, one for link
+    expect(screen.getByText('test-configmap')).toBeInTheDocument();
+
+    // Verify the Link component was called with correct routing parameters
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.configmaps.configmap',
+        params: {
+          name: 'test-configmap',
+          namespace: 'default',
+        },
+        'data-cy': 'config-link-test-configmap',
+      })
+    );
+  });
+
+  it('should render volume configurations from secrets with items', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            volumeMounts: [
+              {
+                name: 'secret-volume',
+                mountPath: '/etc/secrets',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'secret-volume',
+            secret: {
+              secretName: 'test-secret',
+              items: [
+                {
+                  key: 'secret-key',
+                  path: 'secret.txt',
+                },
+              ],
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('/etc/secrets/secret.txt')).toBeInTheDocument();
+    expect(screen.getByText('secret-key')).toBeInTheDocument();
+    expect(screen.getAllByTestId('plus-icon')).toHaveLength(2); // One for value, one for link
+    expect(screen.getByText('test-secret')).toBeInTheDocument();
+
+    // Verify the Link component was called with correct routing parameters for secret
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.secrets.secret',
+        params: {
+          name: 'test-secret',
+          namespace: 'default',
+        },
+        'data-cy': 'secret-link-test-secret',
+      })
+    );
+  });
+
+  it('should render init containers with asterisk indicator', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'main-container',
+            image: 'main-image',
+            volumeMounts: [
+              {
+                name: 'config-volume',
+                mountPath: '/etc/config',
+              },
+            ],
+          },
+        ],
+        initContainers: [
+          {
+            name: 'init-container',
+            image: 'init-image',
+            volumeMounts: [
+              {
+                name: 'config-volume',
+                mountPath: '/etc/init-config',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'config-volume',
+            configMap: {
+              name: 'shared-config',
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    // Check main container
+    expect(screen.getByText('main-container')).toBeInTheDocument();
+    expect(screen.getByText('/etc/config')).toBeInTheDocument();
+
+    // Check init container
+    expect(screen.getByText('init-container')).toBeInTheDocument();
+    expect(screen.getByText('/etc/init-config')).toBeInTheDocument();
+    expect(screen.getByTestId('asterisk-icon')).toBeInTheDocument();
+    expect(screen.getByText('init container')).toBeInTheDocument();
+  });
+
+  it('should render secret volume configurations correctly based on type', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            volumeMounts: [
+              {
+                name: 'secret-volume',
+                mountPath: '/etc/secrets',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'secret-volume',
+            secret: {
+              secretName: 'test-secret',
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('test-secret')).toBeInTheDocument();
+
+    // Should route to secret page because type is 'secret'
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.secrets.secret',
+        params: {
+          name: 'test-secret',
+          namespace: 'default',
+        },
+        'data-cy': 'secret-link-test-secret',
+      })
+    );
+  });
+
+  it('should render configmap volume configurations correctly based on type', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            volumeMounts: [
+              {
+                name: 'config-volume',
+                mountPath: '/etc/config',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'config-volume',
+            configMap: {
+              name: 'test-configmap',
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('test-configmap')).toBeInTheDocument();
+
+    // Should route to configmap page because type is 'configMap'
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.configmaps.configmap',
+        params: {
+          name: 'test-configmap',
+          namespace: 'default',
+        },
+        'data-cy': 'config-link-test-configmap',
+      })
+    );
+  });
+
+  it('should handle volumes without items (entire volume mount)', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            volumeMounts: [
+              {
+                name: 'config-volume',
+                mountPath: '/etc/config',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'config-volume',
+            configMap: {
+              name: 'test-configmap',
+              // No items - entire configmap is mounted
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('/etc/config')).toBeInTheDocument();
+    expect(screen.getByText('-')).toBeInTheDocument(); // No specific key
+    expect(screen.getByText('test-configmap')).toBeInTheDocument();
+  });
+
+  it('should handle multiple volumes with different types correctly', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            volumeMounts: [
+              {
+                name: 'secret-volume',
+                mountPath: '/etc/secrets',
+              },
+              {
+                name: 'config-volume',
+                mountPath: '/etc/config',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'secret-volume',
+            secret: {
+              secretName: 'test-secret',
+            },
+          },
+          {
+            name: 'config-volume',
+            configMap: {
+              name: 'test-configmap',
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getAllByText('test-container')).toHaveLength(2); // Should appear twice - once for each volume
+    expect(screen.getByText('test-secret')).toBeInTheDocument();
+    expect(screen.getByText('test-configmap')).toBeInTheDocument();
+
+    // Should have made two Link calls - one for secret, one for configmap
+    expect(mockLink).toHaveBeenCalledTimes(2);
+
+    // Verify secret link
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.secrets.secret',
+        params: {
+          name: 'test-secret',
+          namespace: 'default',
+        },
+        'data-cy': 'secret-link-test-secret',
+      })
+    );
+
+    // Verify configmap link
+    expect(mockLink).toHaveBeenCalledWith(
+      expect.objectContaining({
+        to: 'kubernetes.configmaps.configmap',
+        params: {
+          name: 'test-configmap',
+          namespace: 'default',
+        },
+        'data-cy': 'config-link-test-configmap',
+      })
+    );
+  });
+
+  it('should handle containers without volume mounts', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            // No volumeMounts
+          },
+        ],
+        volumes: [
+          {
+            name: 'config-volume',
+            configMap: {
+              name: 'test-configmap',
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    const { container } = render(
+      <ApplicationVolumeConfigsTable namespace="default" app={app} />
+    );
+
+    // Should render nothing because there are no matching volume mounts
+    expect(container.firstChild).toBeNull();
+  });
+
+  it('should handle Deployment kind applications', () => {
+    const app: Application = {
+      metadata: { name: 'test-deployment', namespace: 'default' },
+      spec: {
+        selector: {
+          matchLabels: {
+            app: 'test-app',
+          },
+        },
+        template: {
+          spec: {
+            containers: [
+              {
+                name: 'test-container',
+                image: 'test-image',
+                volumeMounts: [
+                  {
+                    name: 'config-volume',
+                    mountPath: '/etc/config',
+                  },
+                ],
+              },
+            ],
+            volumes: [
+              {
+                name: 'config-volume',
+                configMap: {
+                  name: 'test-configmap',
+                },
+              },
+            ],
+          },
+        },
+      },
+      kind: 'Deployment',
+      apiVersion: 'apps/v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('/etc/config')).toBeInTheDocument();
+    expect(screen.getByText('test-configmap')).toBeInTheDocument();
+  });
+
+  it('should handle missing volume config names', () => {
+    const app: Application = {
+      metadata: { name: 'test-pod', namespace: 'default' },
+      spec: {
+        containers: [
+          {
+            name: 'test-container',
+            image: 'test-image',
+            volumeMounts: [
+              {
+                name: 'config-volume',
+                mountPath: '/etc/config',
+              },
+            ],
+          },
+        ],
+        volumes: [
+          {
+            name: 'config-volume',
+            configMap: {
+              // name is undefined
+            },
+          },
+        ],
+      },
+      kind: 'Pod',
+      apiVersion: 'v1',
+    };
+
+    render(<ApplicationVolumeConfigsTable namespace="default" app={app} />);
+
+    expect(screen.getByText('test-container')).toBeInTheDocument();
+    expect(screen.getByText('/etc/config')).toBeInTheDocument();
+
+    // Should show dash for missing volume config name
+    const dashElements = screen.getAllByText('-');
+    expect(dashElements.length).toBeGreaterThan(0);
+  });
+});
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.tsx
index b3cff0f19..d3b418386 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.tsx
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationDetailsWidget/ApplicationVolumeConfigsTable.tsx
@@ -1,15 +1,23 @@
-import { KeyToPath, Pod, Secret } from 'kubernetes-types/core/v1';
+import { KeyToPath, Pod, VolumeMount } from 'kubernetes-types/core/v1';
 import { Asterisk, Plus } from 'lucide-react';
 
-import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
-import { useK8sSecrets } from '@/react/kubernetes/configs/queries/useK8sSecrets';
-
 import { Icon } from '@@/Icon';
 import { Link } from '@@/Link';
 
 import { Application } from '../../types';
 import { applicationIsKind } from '../../utils';
 
+type VolumeConfigType = 'configMap' | 'secret';
+
+type AppVolumeConfig = {
+  volumeConfigName: string | undefined;
+  containerVolumeMount: VolumeMount | undefined;
+  containerName: string;
+  isInitContainer: boolean;
+  item: KeyToPath;
+  type: VolumeConfigType;
+};
+
 type Props = {
   namespace: string;
   app?: Application;
@@ -18,8 +26,6 @@ type Props = {
 export function ApplicationVolumeConfigsTable({ namespace, app }: Props) {
   const containerVolumeConfigs = getApplicationVolumeConfigs(app);
 
-  const { data: secrets } = useK8sSecrets(useEnvironmentId(), namespace);
-
   if (containerVolumeConfigs.length === 0) {
     return null;
   }
@@ -41,6 +47,7 @@ export function ApplicationVolumeConfigsTable({ namespace, app }: Props) {
               containerName,
               item,
               volumeConfigName,
+              type,
             },
             index
           ) => (
@@ -76,7 +83,7 @@ export function ApplicationVolumeConfigsTable({ namespace, app }: Props) {
                 {!item.key && '-'}
               </td>
               <td>
-                {isVolumeConfigNameFromSecret(secrets, volumeConfigName) ? (
+                {type === 'secret' ? (
                   <Link
                     className="flex items-center"
                     to="kubernetes.secrets.secret"
@@ -107,15 +114,8 @@ export function ApplicationVolumeConfigsTable({ namespace, app }: Props) {
   );
 }
 
-function isVolumeConfigNameFromSecret(
-  secrets?: Secret[],
-  volumeConfigName?: string
-) {
-  return secrets?.some((secret) => secret.metadata?.name === volumeConfigName);
-}
-
 // getApplicationVolumeConfigs returns a list of volume configs / secrets for each container and each item within the matching volume
-function getApplicationVolumeConfigs(app?: Application) {
+function getApplicationVolumeConfigs(app?: Application): AppVolumeConfig[] {
   if (!app) {
     return [];
   }
@@ -142,6 +142,10 @@ function getApplicationVolumeConfigs(app?: Application) {
         const containerVolumeMount = container.volumeMounts?.find(
           (volumeMount) => volumeMount.name === volume.name
         );
+        const type: VolumeConfigType = volume.configMap
+          ? 'configMap'
+          : 'secret';
+
         if (volConfigMapItems.length === 0) {
           return [
             {
@@ -150,6 +154,7 @@ function getApplicationVolumeConfigs(app?: Application) {
               containerName: container.name,
               isInitContainer: appInitContainers.includes(container),
               item: {} as KeyToPath,
+              type,
             },
           ];
         }
@@ -160,6 +165,7 @@ function getApplicationVolumeConfigs(app?: Application) {
           containerName: container.name,
           isInitContainer: appInitContainers.includes(container),
           item,
+          type,
         }));
       })
       // only return the app volumes where the container volumeMounts include the volume name (from map step above)

From eaa2be017d4703af5a68b6809d5c35959a37b766 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Thu, 17 Jul 2025 12:07:11 +1200
Subject: [PATCH 189/212] fix(helm): ensure the form is not 'dirty', when the
 values are unchanged [r8s-421] (#901)

---
 app/react/kubernetes/helm/queries/useHelmChartList.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/react/kubernetes/helm/queries/useHelmChartList.ts b/app/react/kubernetes/helm/queries/useHelmChartList.ts
index 01995f681..b2cc82b9d 100644
--- a/app/react/kubernetes/helm/queries/useHelmChartList.ts
+++ b/app/react/kubernetes/helm/queries/useHelmChartList.ts
@@ -27,6 +27,7 @@ export function useHelmHTTPChartList(
     // one request takes a long time, so fail early to get feedback to the user faster
     retry: false,
     ...withGlobalError(`Unable to retrieve Helm charts from ${repository}`),
+    cacheTime: 1000 * 60 * 60 * 8, // 8 hours so that the chart list populates faster (keep stale time the same to always revalidate)
   });
 }
 

From 55cc250d2e0e86de222ab5c081f8aa9ac153bbed Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Mon, 21 Jul 2025 15:05:08 +1200
Subject: [PATCH 190/212] fix(pods): represent pod container statuses correctly
 [r8s-416] (#910)

---
 .../views/applications/logs/logsController.js |   1 +
 .../views/stacks/logs/logsController.js       |   1 +
 app/react/components/datatables/index.ts      |   1 +
 .../ApplicationContainersDatatable.tsx        |  58 ++-
 .../columns/actions.tsx                       |  33 +-
 .../columns/name.tsx                          |  59 +++
 .../columns/status.tsx                        |  38 +-
 .../computeContainerStatus.test.ts            | 483 ++++++++++++++++++
 .../computeContainerStatus.ts                 | 360 +++++++++++++
 .../ApplicationContainersDatatable/types.ts   |  13 +-
 package.json                                  |   2 +-
 yarn.lock                                     |   8 +-
 12 files changed, 996 insertions(+), 61 deletions(-)
 create mode 100644 app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.test.ts
 create mode 100644 app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.ts

diff --git a/app/kubernetes/views/applications/logs/logsController.js b/app/kubernetes/views/applications/logs/logsController.js
index 66601d98b..37cae6cad 100644
--- a/app/kubernetes/views/applications/logs/logsController.js
+++ b/app/kubernetes/views/applications/logs/logsController.js
@@ -77,6 +77,7 @@ class KubernetesApplicationLogsController {
       await this.getApplicationLogsAsync();
     } catch (err) {
       this.Notifications.error('Failure', err, 'Unable to retrieve application logs');
+      this.stopRepeater();
     } finally {
       this.state.viewReady = true;
     }
diff --git a/app/kubernetes/views/stacks/logs/logsController.js b/app/kubernetes/views/stacks/logs/logsController.js
index 536ea2ae4..d4e1b5ba7 100644
--- a/app/kubernetes/views/stacks/logs/logsController.js
+++ b/app/kubernetes/views/stacks/logs/logsController.js
@@ -104,6 +104,7 @@ class KubernetesStackLogsController {
       await this.getStackLogsAsync();
     } catch (err) {
       this.Notifications.error('Failure', err, 'Unable to retrieve stack logs');
+      this.stopRepeater();
     } finally {
       this.state.viewReady = true;
     }
diff --git a/app/react/components/datatables/index.ts b/app/react/components/datatables/index.ts
index 809efc23b..3ab420889 100644
--- a/app/react/components/datatables/index.ts
+++ b/app/react/components/datatables/index.ts
@@ -11,3 +11,4 @@ export { TableHeaderRow } from './TableHeaderRow';
 export { TableRow } from './TableRow';
 export { TableContent } from './TableContent';
 export { TableFooter } from './TableFooter';
+export { TableSettingsMenuAutoRefresh } from './TableSettingsMenuAutoRefresh';
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/ApplicationContainersDatatable.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/ApplicationContainersDatatable.tsx
index b365c5851..7b40b4852 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/ApplicationContainersDatatable.tsx
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/ApplicationContainersDatatable.tsx
@@ -1,14 +1,18 @@
 import { Server } from 'lucide-react';
 import { useCurrentStateAndParams } from '@uirouter/react';
 import { useMemo } from 'react';
-import { ContainerStatus, Pod } from 'kubernetes-types/core/v1';
+import { Pod } from 'kubernetes-types/core/v1';
 
 import { IndexOptional } from '@/react/kubernetes/configs/types';
 import { createStore } from '@/react/kubernetes/datatables/default-kube-datatable-store';
 import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
 import { useEnvironment } from '@/react/portainer/environments/queries';
 
-import { Datatable } from '@@/datatables';
+import {
+  Datatable,
+  TableSettingsMenu,
+  TableSettingsMenuAutoRefresh,
+} from '@@/datatables';
 import { useTableState } from '@@/datatables/useTableState';
 
 import { useApplication } from '../../queries/useApplication';
@@ -16,6 +20,7 @@ import { useApplicationPods } from '../../queries/useApplicationPods';
 
 import { ContainerRowData } from './types';
 import { getColumns } from './columns';
+import { computeContainerStatus } from './computeContainerStatus';
 
 const storageKey = 'k8sContainersDatatable';
 const settingsStore = createStore(storageKey);
@@ -36,13 +41,19 @@ export function ApplicationContainersDatatable() {
     environmentId,
     namespace,
     name,
-    resourceType
+    resourceType,
+    {
+      autoRefreshRate: tableState.autoRefreshRate * 1000,
+    }
   );
   const podsQuery = useApplicationPods(
     environmentId,
     namespace,
     name,
-    applicationQuery.data
+    applicationQuery.data,
+    {
+      autoRefreshRate: tableState.autoRefreshRate * 1000,
+    }
   );
   const appContainers = useContainersRowData(podsQuery.data);
 
@@ -61,6 +72,14 @@ export function ApplicationContainersDatatable() {
       getRowId={(row) => row.podName} // use pod name because it's unique (name is not unique)
       disableSelect
       data-cy="k8s-application-containers-datatable"
+      renderTableSettings={() => (
+        <TableSettingsMenu>
+          <TableSettingsMenuAutoRefresh
+            value={tableState.autoRefreshRate}
+            onChange={(value) => tableState.setAutoRefreshRate(value)}
+          />
+        </TableSettingsMenu>
+      )}
     />
   );
 }
@@ -73,8 +92,14 @@ function useContainersRowData(pods?: Pod[]): ContainerRowData[] {
       () =>
         pods?.flatMap((pod) => {
           const containers = [
-            ...(pod.spec?.containers || []),
-            ...(pod.spec?.initContainers || []),
+            ...(pod.spec?.containers?.map((c) => ({ ...c, isInit: false })) ||
+              []),
+            ...(pod.spec?.initContainers?.map((c) => ({
+              ...c,
+              isInit: true,
+              // https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/#sidecar-containers-and-pod-lifecycle
+              isSidecar: c.restartPolicy === 'Always',
+            })) || []),
           ];
           return containers.map((container) => ({
             ...container,
@@ -84,7 +109,8 @@ function useContainersRowData(pods?: Pod[]): ContainerRowData[] {
             creationDate: pod.status?.startTime ?? '',
             status: computeContainerStatus(
               container.name,
-              pod.status?.containerStatuses
+              pod.status?.containerStatuses,
+              pod.status?.initContainerStatuses
             ),
           }));
         }) || [],
@@ -92,21 +118,3 @@ function useContainersRowData(pods?: Pod[]): ContainerRowData[] {
     ) || []
   );
 }
-
-function computeContainerStatus(
-  containerName: string,
-  statuses?: ContainerStatus[]
-) {
-  const status = statuses?.find((status) => status.name === containerName);
-  if (!status) {
-    return 'Terminated';
-  }
-  const { state } = status;
-  if (state?.waiting) {
-    return 'Waiting';
-  }
-  if (!state?.running) {
-    return 'Terminated';
-  }
-  return 'Running';
-}
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/actions.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/actions.tsx
index d3b06ca52..c875db4a6 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/actions.tsx
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/actions.tsx
@@ -13,27 +13,30 @@ export function getActions(isServerMetricsEnabled: boolean) {
     enableSorting: false,
     cell: ({ row: { original: container } }) => (
       <div className="flex gap-x-2">
-        {container.status === 'Running' && isServerMetricsEnabled && (
+        {container.status.status.includes('Running') &&
+          isServerMetricsEnabled && (
+            <Link
+              className="flex items-center gap-1"
+              to="kubernetes.applications.application.stats"
+              params={{ pod: container.podName, container: container.name }}
+              data-cy={`application-container-stats-${container.name}`}
+            >
+              <Icon icon={BarChart} />
+              Stats
+            </Link>
+          )}
+        {container.status.hasLogs !== false && (
           <Link
             className="flex items-center gap-1"
-            to="kubernetes.applications.application.stats"
+            to="kubernetes.applications.application.logs"
             params={{ pod: container.podName, container: container.name }}
-            data-cy={`application-container-stats-${container.name}`}
+            data-cy={`application-container-logs-${container.name}`}
           >
-            <Icon icon={BarChart} />
-            Stats
+            <Icon icon={FileText} />
+            Logs
           </Link>
         )}
-        <Link
-          className="flex items-center gap-1"
-          to="kubernetes.applications.application.logs"
-          params={{ pod: container.podName, container: container.name }}
-          data-cy={`application-container-logs-${container.name}`}
-        >
-          <Icon icon={FileText} />
-          Logs
-        </Link>
-        {container.status === 'Running' && (
+        {container.status.status.includes('Running') && (
           <Authorized authorizations="K8sApplicationConsoleRW">
             <Link
               className="flex items-center gap-1"
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/name.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/name.tsx
index db2f4bfdf..e1d144d8d 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/name.tsx
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/name.tsx
@@ -1,6 +1,65 @@
+import { Badge } from '@@/Badge';
+import { Tooltip } from '@@/Tip/Tooltip';
+import { ExternalLink } from '@@/ExternalLink';
+
+import { ContainerRowData } from '../types';
+
 import { columnHelper } from './helper';
 
 export const name = columnHelper.accessor('name', {
   header: 'Name',
   id: 'name',
+  cell: ({ row: { original: container } }) => (
+    <div className="flex justify-between gap-2">
+      <span>{container.name}</span>
+      <ContainerTypeBadge container={container} />
+    </div>
+  ),
 });
+
+function ContainerTypeBadge({ container }: { container: ContainerRowData }) {
+  if (container.isSidecar) {
+    return (
+      <Badge type="info">
+        Sidecar
+        <Tooltip
+          message={
+            <>
+              <ExternalLink
+                to="https://kubernetes.io/docs/concepts/workloads/pods/sidecar-containers/"
+                data-cy="sidecar-link"
+              >
+                Sidecar containers
+              </ExternalLink>{' '}
+              run continuously alongside the main application, starting before
+              other containers.
+            </>
+          }
+        />
+      </Badge>
+    );
+  }
+
+  if (container.isInit) {
+    return (
+      <Badge type="info">
+        Init
+        <Tooltip
+          message={
+            <>
+              <ExternalLink
+                to="https://kubernetes.io/docs/concepts/workloads/pods/init-containers/"
+                data-cy="init-link"
+              >
+                Init containers
+              </ExternalLink>{' '}
+              run and complete before the main application containers start.
+            </>
+          }
+        />
+      </Badge>
+    );
+  }
+
+  return null;
+}
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/status.tsx b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/status.tsx
index d181f8377..7a47e3026 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/status.tsx
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/columns/status.tsx
@@ -1,6 +1,9 @@
 import { CellContext } from '@tanstack/react-table';
 
-import { Badge, BadgeType } from '@@/Badge';
+import { pluralize } from '@/react/common/string-utils';
+
+import { Badge } from '@@/Badge';
+import { Tooltip } from '@@/Tip/Tooltip';
 
 import { ContainerRowData } from '../types';
 
@@ -11,19 +14,24 @@ export const status = columnHelper.accessor('status', {
   cell: StatusCell,
 });
 
-function StatusCell({ getValue }: CellContext<ContainerRowData, string>) {
-  return <Badge type={getContainerStatusType(getValue())}>{getValue()}</Badge>;
-}
+function StatusCell({
+  getValue,
+}: CellContext<ContainerRowData, ContainerRowData['status']>) {
+  const statusData = getValue();
 
-function getContainerStatusType(status: string): BadgeType {
-  switch (status.toLowerCase()) {
-    case 'running':
-      return 'success';
-    case 'waiting':
-      return 'warn';
-    case 'terminated':
-      return 'info';
-    default:
-      return 'danger';
-  }
+  return (
+    <Badge type={statusData.type}>
+      <div className="flex items-center gap-1">
+        <span>
+          {statusData.status}
+          {statusData.restartCount &&
+            ` (Restarted ${statusData.restartCount} ${pluralize(
+              statusData.restartCount,
+              'time'
+            )})`}
+        </span>
+      </div>
+      {statusData.message && <Tooltip message={statusData.message} />}
+    </Badge>
+  );
 }
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.test.ts b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.test.ts
new file mode 100644
index 000000000..4cc56809e
--- /dev/null
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.test.ts
@@ -0,0 +1,483 @@
+import { ContainerStatus } from 'kubernetes-types/core/v1';
+
+import { computeContainerStatus } from './computeContainerStatus';
+
+// Helper to create a base ContainerStatus with required properties
+function createContainerStatus(
+  overrides: Partial<ContainerStatus>
+): ContainerStatus {
+  return {
+    name: 'test-container',
+    ready: false,
+    restartCount: 0,
+    image: 'test-image:latest',
+    imageID: 'sha256:test123',
+    ...overrides,
+  };
+}
+
+describe('computeContainerStatus', () => {
+  describe('Critical Container States', () => {
+    test('ImagePullBackOff should return danger type with no logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          waiting: {
+            reason: 'ImagePullBackOff',
+            message: 'Failed to pull image',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('ImagePullBackOff');
+      expect(result.type).toBe('danger');
+      expect(result.hasLogs).toBe(false);
+    });
+
+    test('ImagePullBackOff with containerID should return danger type with logs', () => {
+      const containerStatus = createContainerStatus({
+        containerID: 'docker://abc123def456',
+        state: {
+          waiting: {
+            reason: 'ImagePullBackOff',
+            message: 'Failed to pull image',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('ImagePullBackOff');
+      expect(result.type).toBe('danger');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('CrashLoopBackOff should return danger type with logs if container started', () => {
+      const containerStatus = createContainerStatus({
+        restartCount: 5,
+        state: {
+          waiting: {
+            reason: 'CrashLoopBackOff',
+            message: 'Back-off restarting failed container',
+          },
+        },
+        lastState: {
+          terminated: {
+            startedAt: '2023-01-01T10:00:00Z',
+            exitCode: 1,
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('CrashLoopBackOff');
+      expect(result.type).toBe('danger');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('CrashLoopBackOff with only containerID should return danger type with logs', () => {
+      const containerStatus = createContainerStatus({
+        containerID: 'docker://crashed123',
+        restartCount: 3,
+        state: {
+          waiting: {
+            reason: 'CrashLoopBackOff',
+            message: 'Back-off restarting failed container',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('CrashLoopBackOff');
+      expect(result.type).toBe('danger');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Running and ready should return success type with logs', () => {
+      const containerStatus = createContainerStatus({
+        ready: true,
+        state: {
+          running: {
+            startedAt: '2023-01-01T10:00:00Z',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('Running');
+      expect(result.type).toBe('success');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Running but not ready should return warn type with logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          running: {
+            startedAt: '2023-01-01T10:00:00Z',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('Running (not ready)');
+      expect(result.type).toBe('warn');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('OOMKilled should return danger type with logs', () => {
+      const containerStatus = createContainerStatus({
+        restartCount: 2,
+        state: {
+          terminated: {
+            reason: 'OOMKilled',
+            exitCode: 137,
+            startedAt: '2023-01-01T10:00:00Z',
+            finishedAt: '2023-01-01T10:05:00Z',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('OOMKilled');
+      expect(result.type).toBe('danger');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Completed successfully should return success type with logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          terminated: {
+            reason: 'Completed',
+            exitCode: 0,
+            startedAt: '2023-01-01T10:00:00Z',
+            finishedAt: '2023-01-01T10:05:00Z',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('Completed');
+      expect(result.type).toBe('success');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('ContainerCreating should return info type with no logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          waiting: {
+            reason: 'ContainerCreating',
+            message: 'Container is being created',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('ContainerCreating');
+      expect(result.type).toBe('info');
+      expect(result.hasLogs).toBe(false);
+    });
+
+    test('ContainerCreating with containerID should return info type with logs', () => {
+      const containerStatus = createContainerStatus({
+        containerID: 'docker://creating123',
+        state: {
+          waiting: {
+            reason: 'ContainerCreating',
+            message: 'Container is being created',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('ContainerCreating');
+      expect(result.type).toBe('info');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('PodInitializing should return info type with prefixed status', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          waiting: {
+            reason: 'PodInitializing',
+            message: 'Waiting for init containers',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('Waiting (PodInitializing)');
+      expect(result.type).toBe('info');
+      expect(result.hasLogs).toBe(false);
+    });
+
+    test('Container not found should return unknown with muted type', () => {
+      const result = computeContainerStatus('nonexistent-container', []);
+
+      expect(result.status).toBe('Unknown');
+      expect(result.type).toBe('muted');
+      expect(result.hasLogs).toBeUndefined();
+    });
+
+    test('Container with no state should return unknown with muted type', () => {
+      const containerStatus = createContainerStatus({
+        state: {},
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('Unknown');
+      expect(result.type).toBe('muted');
+      expect(result.hasLogs).toBe(false);
+    });
+
+    test('Container with no state but with containerID should have logs available', () => {
+      const containerStatus = createContainerStatus({
+        containerID: 'docker://unknown123',
+        state: {},
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.status).toBe('Unknown');
+      expect(result.type).toBe('muted');
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Sidecar container should be handled like regular container', () => {
+      const containerStatus = createContainerStatus({
+        ready: true,
+        state: {
+          running: {
+            startedAt: '2023-01-01T10:00:00Z',
+          },
+        },
+      });
+
+      const result = computeContainerStatus(
+        'test-container',
+        [],
+        [containerStatus]
+      ); // Sidecar containers are found in initContainerStatuses
+
+      expect(result.status).toBe('Running');
+      expect(result.type).toBe('success');
+      expect(result.hasLogs).toBe(true);
+    });
+  });
+
+  describe('Container Log Availability Tests', () => {
+    test('Container with running state should have logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          running: {
+            startedAt: '2023-01-01T10:00:00Z',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Container with terminated state should have logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          terminated: {
+            startedAt: '2023-01-01T10:00:00Z',
+            exitCode: 0,
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Container with lastState running should have logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          waiting: {
+            reason: 'CrashLoopBackOff',
+          },
+        },
+        lastState: {
+          running: {
+            startedAt: '2023-01-01T10:00:00Z',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Container with lastState terminated should have logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          waiting: {
+            reason: 'CrashLoopBackOff',
+          },
+        },
+        lastState: {
+          terminated: {
+            startedAt: '2023-01-01T10:00:00Z',
+            exitCode: 1,
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Container with only containerID should have logs', () => {
+      const containerStatus = createContainerStatus({
+        containerID: 'docker://abc123def456',
+        state: {
+          waiting: {
+            reason: 'Unknown',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Container with empty containerID should not have logs', () => {
+      const containerStatus = createContainerStatus({
+        containerID: '',
+        state: {
+          waiting: {
+            reason: 'ImagePullBackOff',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(false);
+    });
+
+    test('Container without containerID or start times should not have logs', () => {
+      const containerStatus = createContainerStatus({
+        state: {
+          waiting: {
+            reason: 'ImagePullBackOff',
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(false);
+    });
+
+    test('Container with terminated state but no startedAt should rely on containerID', () => {
+      const containerStatus = createContainerStatus({
+        containerID: 'docker://terminated123',
+        state: {
+          terminated: {
+            exitCode: 0,
+            // No startedAt field
+          },
+        },
+      });
+
+      const result = computeContainerStatus('test-container', [
+        containerStatus,
+      ]);
+
+      expect(result.hasLogs).toBe(true);
+    });
+
+    test('Multiple containers with different log availability', () => {
+      const containerWithLogs = createContainerStatus({
+        name: 'container-with-logs',
+        containerID: 'docker://logs123',
+        state: {
+          running: {
+            startedAt: '2023-01-01T10:00:00Z',
+          },
+        },
+      });
+
+      const containerWithoutLogs = createContainerStatus({
+        name: 'container-without-logs',
+        state: {
+          waiting: {
+            reason: 'ImagePullBackOff',
+          },
+        },
+      });
+
+      const resultWithLogs = computeContainerStatus('container-with-logs', [
+        containerWithLogs,
+        containerWithoutLogs,
+      ]);
+
+      const resultWithoutLogs = computeContainerStatus(
+        'container-without-logs',
+        [containerWithLogs, containerWithoutLogs]
+      );
+
+      expect(resultWithLogs.hasLogs).toBe(true);
+      expect(resultWithoutLogs.hasLogs).toBe(false);
+    });
+  });
+});
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.ts b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.ts
new file mode 100644
index 000000000..b5ca69073
--- /dev/null
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/computeContainerStatus.ts
@@ -0,0 +1,360 @@
+import { ContainerStatus } from 'kubernetes-types/core/v1';
+
+import { ContainerRowData } from './types';
+
+/**
+ * Compute the status of a container, with translated messages.
+ *
+ * The cases are hardcoded, because there is not a single source that enumerates
+ * all the possible states.
+ * @param containerName - The name of the container
+ * @param containerStatuses - The statuses of the container
+ * @param initContainerStatuses - The statuses of the init container
+ * @returns The status of the container
+ */
+export function computeContainerStatus(
+  containerName: string,
+  containerStatuses?: ContainerStatus[],
+  initContainerStatuses?: ContainerStatus[]
+): ContainerRowData['status'] {
+  // Choose the correct status array based on container type
+  const statuses = [
+    ...(containerStatuses || []),
+    ...(initContainerStatuses || []),
+  ];
+  const status = statuses?.find((status) => status.name === containerName);
+
+  if (!status) {
+    return {
+      status: 'Unknown',
+      type: 'muted',
+      message: 'Container status information is not available',
+    };
+  }
+
+  const hasLogs = hasContainerEverStarted(status);
+  const { state, restartCount = 0 } = status;
+
+  // Handle waiting state with more specific reasons
+  if (state?.waiting) {
+    const { reason, message } = state.waiting;
+    if (reason) {
+      // Return specific waiting reasons that match kubectl output
+      switch (reason) {
+        case 'ImagePullBackOff':
+        case 'ErrImagePull':
+        case 'ImageInspectError':
+        case 'ErrImageNeverPull':
+          return {
+            status: reason,
+            type: 'danger',
+            message:
+              message ||
+              'Failed to pull container image. Check image name, registry access, and network connectivity.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'ContainerCreating':
+          return {
+            status: reason,
+            type: 'info',
+            message:
+              message ||
+              'Container is being created. This may take a few moments.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'info')
+              ? restartCount
+              : undefined,
+          };
+        case 'PodInitializing':
+          return {
+            status: `Waiting (${reason})`,
+            type: 'info',
+            message:
+              message ||
+              'Waiting for init containers to complete. Wait a few moments or check the logs of any init containers that failed to complete.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'info')
+              ? restartCount
+              : undefined,
+          };
+        case 'CreateContainerConfigError':
+        case 'CreateContainerError':
+          return {
+            status: reason,
+            type: 'danger',
+            message:
+              message ||
+              'Failed to create container. Check resource limits, security contexts, and volume mounts.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'InvalidImageName':
+          return {
+            status: reason,
+            type: 'danger',
+            message:
+              message ||
+              'The specified container image name is invalid or malformed.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'CrashLoopBackOff':
+          return {
+            status: reason,
+            type: 'danger',
+            message: `Container keeps crashing after startup. Check application logs and startup configuration. ${
+              message ? `Details: '${message}'` : ''
+            }`,
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'RunContainerError':
+          return {
+            status: reason,
+            type: 'danger',
+            message:
+              message ||
+              'Failed to start container process. Check command, arguments, and environment variables.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'KillContainerError':
+          return {
+            status: reason,
+            type: 'danger',
+            message:
+              message ||
+              'Failed to stop container gracefully. Container may be unresponsive.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'VerifyNonRootError':
+          return {
+            status: reason,
+            type: 'danger',
+            message:
+              message ||
+              'Container is trying to run as root but security policy requires non-root execution.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'ConfigError':
+          return {
+            status: reason,
+            type: 'danger',
+            message:
+              message ||
+              'Container configuration is invalid. Check resource requirements and security settings.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        default:
+          return {
+            status: reason,
+            type: 'muted',
+            message: message || `Container is waiting: ${reason}`,
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'muted')
+              ? restartCount
+              : undefined,
+          };
+      }
+    }
+    return {
+      status: 'Waiting',
+      type: 'muted',
+      message: message || 'Container is waiting to be scheduled or started.',
+      hasLogs,
+      restartCount: shouldShowRestartCount(restartCount, 'muted')
+        ? restartCount
+        : undefined,
+    };
+  }
+
+  // Handle terminated state
+  if (state?.terminated) {
+    const { exitCode = 0, reason, message } = state.terminated;
+
+    if (reason) {
+      switch (reason) {
+        case 'Error':
+          return {
+            status: 'Error',
+            type: 'danger',
+            message: `Container exited with code ${exitCode}${
+              restartCount > 0 ? ` (restarted ${restartCount} times)` : ''
+            }. ${message || 'Check application logs for error details.'}`,
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'Completed':
+          return {
+            status: 'Completed',
+            type: 'success',
+            message,
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'success')
+              ? restartCount
+              : undefined,
+          };
+        case 'OOMKilled':
+          return {
+            status: 'OOMKilled',
+            type: 'danger',
+            message:
+              message ||
+              'Container was killed due to out-of-memory. Consider increasing memory limits.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'DeadlineExceeded':
+          return {
+            status: 'DeadlineExceeded',
+            type: 'danger',
+            message:
+              message ||
+              'Container was terminated because it exceeded the active deadline.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        case 'Evicted':
+          return {
+            status: 'Evicted',
+            type: 'warn',
+            message:
+              message ||
+              'Container was evicted due to resource pressure on the node.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'warn')
+              ? restartCount
+              : undefined,
+          };
+        case 'NodeLost':
+          return {
+            status: 'NodeLost',
+            type: 'danger',
+            message:
+              message || 'Container was lost when the node became unreachable.',
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'danger')
+              ? restartCount
+              : undefined,
+          };
+        default:
+          return {
+            status: reason,
+            type: 'muted',
+            message: `Container terminated: ${reason}${
+              restartCount > 0 ? ` (restarted ${restartCount} times)` : ''
+            }. ${message || ''}`,
+            hasLogs,
+            restartCount: shouldShowRestartCount(restartCount, 'muted')
+              ? restartCount
+              : undefined,
+          };
+      }
+    }
+
+    if (exitCode === 0) {
+      return {
+        status: 'Completed',
+        type: 'success',
+        message,
+        hasLogs,
+        restartCount: shouldShowRestartCount(restartCount, 'success')
+          ? restartCount
+          : undefined,
+      };
+    }
+
+    return {
+      status: 'Error',
+      type: 'danger',
+      message: `Container exited with code ${exitCode}${
+        restartCount > 0 ? ` (restarted ${restartCount} times)` : ''
+      }. ${message || 'Check application logs for error details.'}`,
+      hasLogs,
+      restartCount: shouldShowRestartCount(restartCount, 'danger')
+        ? restartCount
+        : undefined,
+    };
+  }
+
+  // Handle running state
+  if (state?.running) {
+    // Check if container is ready
+    if (status.ready === false) {
+      return {
+        status: 'Running (not ready)',
+        type: 'warn',
+        message:
+          'Container is running but not ready. Check readiness probe configuration.',
+        hasLogs,
+        restartCount: shouldShowRestartCount(restartCount, 'warn')
+          ? restartCount
+          : undefined,
+      };
+    }
+    return {
+      status: 'Running',
+      type: 'success',
+      hasLogs,
+      restartCount: shouldShowRestartCount(restartCount, 'success')
+        ? restartCount
+        : undefined,
+    };
+  }
+
+  // Fallback
+  return {
+    status: 'Unknown',
+    type: 'muted',
+    message:
+      'Container state cannot be determined. Status information may be incomplete.',
+    hasLogs,
+    restartCount: shouldShowRestartCount(restartCount, 'muted')
+      ? restartCount
+      : undefined,
+  };
+}
+
+// Helper function to determine if restart count should be shown
+function shouldShowRestartCount(
+  restartCount: number,
+  type: ContainerRowData['status']['type']
+) {
+  return restartCount >= 1 && (type === 'danger' || type === 'warn');
+}
+
+function hasContainerEverStarted(status: ContainerStatus): boolean {
+  return (
+    !!status.state?.running?.startedAt ||
+    !!status.state?.terminated?.startedAt ||
+    !!status.lastState?.running?.startedAt ||
+    !!status.lastState?.terminated?.startedAt ||
+    !!status.containerID
+  );
+}
diff --git a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/types.ts b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/types.ts
index 7981ab187..bdd229f89 100644
--- a/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/types.ts
+++ b/app/react/kubernetes/applications/DetailsView/ApplicationContainersDatatable/types.ts
@@ -1,9 +1,20 @@
 import { Container } from 'kubernetes-types/core/v1';
 
+import { BadgeType } from '@@/Badge';
+
 export interface ContainerRowData extends Container {
   podName: string;
   nodeName: string;
   podIp: string;
   creationDate: string;
-  status: string;
+  status: {
+    status: string;
+    type: BadgeType;
+    message?: string;
+    hasLogs?: boolean;
+    startedAt?: string;
+    restartCount?: number;
+  };
+  isInit?: boolean;
+  isSidecar?: boolean;
 }
diff --git a/package.json b/package.json
index 9a250005a..8cab91593 100644
--- a/package.json
+++ b/package.json
@@ -199,7 +199,7 @@
     "html-loader": "^0.5.5",
     "html-webpack-plugin": "^5.5.3",
     "husky": "^8.0.0",
-    "kubernetes-types": "^1.26.0",
+    "kubernetes-types": "^1.30.0",
     "lint-staged": "^14.0.1",
     "lodash-webpack-plugin": "^0.11.6",
     "mini-css-extract-plugin": "^2.7.6",
diff --git a/yarn.lock b/yarn.lock
index 3bdc96e8a..3e826163f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -12868,10 +12868,10 @@ klona@^2.0.6:
   resolved "https://registry.yarnpkg.com/klona/-/klona-2.0.6.tgz#85bffbf819c03b2f53270412420a4555ef882e22"
   integrity sha512-dhG34DXATL5hSxJbIexCft8FChFXtmskoZYnoPWjXQuebWYCNkVeV3KkGegCK9CP1oswI/vQibS2GY7Em/sJJA==
 
-kubernetes-types@^1.26.0:
-  version "1.26.0"
-  resolved "https://registry.yarnpkg.com/kubernetes-types/-/kubernetes-types-1.26.0.tgz#47b7db20eb084931cfebf67937cc6b9091dc3da3"
-  integrity sha512-jv0XaTIGW/p18jaiKRD85hLTYWx0yEj+cb6PDX3GdNa3dWoRxnD4Gv7+bE6C/ehcsp2skcdy34vT25jbPofDIQ==
+kubernetes-types@^1.30.0:
+  version "1.30.0"
+  resolved "https://registry.yarnpkg.com/kubernetes-types/-/kubernetes-types-1.30.0.tgz#f686cacb08ffc5f7e89254899c2153c723420116"
+  integrity sha512-Dew1okvhM/SQcIa2rcgujNndZwU8VnSapDgdxlYoB84ZlpAD43U6KLAFqYo17ykSFGHNPrg0qry0bP+GJd9v7Q==
 
 kuler@^2.0.0:
   version "2.0.0"

From caf382b64c135368469b9f47a67d1788f8cc66cf Mon Sep 17 00:00:00 2001
From: Devon Steenberg <devon.steenberg@portainer.io>
Date: Tue, 22 Jul 2025 08:36:08 +1200
Subject: [PATCH 191/212] feat(git): support bearer token auth for git
 [BE-11770] (#879)

---
 api/git/azure_integration_test.go             |  78 +++++++-
 api/git/backup.go                             |  11 +-
 api/git/git.go                                |  42 +++-
 api/git/git_integration_test.go               | 189 ++++++++++++++++--
 api/git/git_test.go                           |  22 +-
 api/git/service.go                            |  88 +++++++-
 api/git/types/types.go                        |  18 +-
 api/git/update/update.go                      |  31 ++-
 .../customtemplate_git_fetch_test.go          |  38 +++-
 .../customtemplates/customtemplate_update.go  |  27 ++-
 .../edgestacks/edgestack_create_git.go        |  19 +-
 .../handler/gitops/git_repo_file_preview.go   |  19 +-
 api/http/handler/stacks/stack_update_git.go   |  31 ++-
 .../stacks/stack_update_git_redeploy.go       |  20 +-
 .../handler/stacks/update_kubernetes_stack.go |  27 ++-
 api/http/handler/templates/template_file.go   |  11 +-
 api/http/proxy/factory/docker/transport.go    |  10 +-
 api/internal/testhelpers/git_service.go       |  45 ++++-
 api/portainer.go                              |  40 +++-
 api/stacks/stackutils/gitops.go               |  21 +-
 20 files changed, 670 insertions(+), 117 deletions(-)

diff --git a/api/git/azure_integration_test.go b/api/git/azure_integration_test.go
index 3e297a129..5de18b303 100644
--- a/api/git/azure_integration_test.go
+++ b/api/git/azure_integration_test.go
@@ -58,7 +58,15 @@ func TestService_ClonePublicRepository_Azure(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			dst := t.TempDir()
 			repositoryUrl := fmt.Sprintf(tt.args.repositoryURLFormat, tt.args.password)
-			err := service.CloneRepository(dst, repositoryUrl, tt.args.referenceName, "", "", false)
+			err := service.CloneRepository(
+				dst,
+				repositoryUrl,
+				tt.args.referenceName,
+				"",
+				"",
+				gittypes.GitCredentialAuthType_Basic,
+				false,
+			)
 			assert.NoError(t, err)
 			assert.FileExists(t, filepath.Join(dst, "README.md"))
 		})
@@ -73,7 +81,15 @@ func TestService_ClonePrivateRepository_Azure(t *testing.T) {
 
 	dst := t.TempDir()
 
-	err := service.CloneRepository(dst, privateAzureRepoURL, "refs/heads/main", "", pat, false)
+	err := service.CloneRepository(
+		dst,
+		privateAzureRepoURL,
+		"refs/heads/main",
+		"",
+		pat,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.FileExists(t, filepath.Join(dst, "README.md"))
 }
@@ -84,7 +100,14 @@ func TestService_LatestCommitID_Azure(t *testing.T) {
 	pat := getRequiredValue(t, "AZURE_DEVOPS_PAT")
 	service := NewService(context.TODO())
 
-	id, err := service.LatestCommitID(privateAzureRepoURL, "refs/heads/main", "", pat, false)
+	id, err := service.LatestCommitID(
+		privateAzureRepoURL,
+		"refs/heads/main",
+		"",
+		pat,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, id, "cannot guarantee commit id, but it should be not empty")
 }
@@ -96,7 +119,14 @@ func TestService_ListRefs_Azure(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := NewService(context.TODO())
 
-	refs, err := service.ListRefs(privateAzureRepoURL, username, accessToken, false, false)
+	refs, err := service.ListRefs(
+		privateAzureRepoURL,
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 }
@@ -108,8 +138,8 @@ func TestService_ListRefs_Azure_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
-	go service.ListRefs(privateAzureRepoURL, username, accessToken, false, false)
-	service.ListRefs(privateAzureRepoURL, username, accessToken, false, false)
+	go service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListRefs(privateAzureRepoURL, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 
 	time.Sleep(2 * time.Second)
 }
@@ -247,7 +277,17 @@ func TestService_ListFiles_Azure(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			paths, err := service.ListFiles(tt.args.repositoryUrl, tt.args.referenceName, tt.args.username, tt.args.password, false, false, tt.extensions, false)
+			paths, err := service.ListFiles(
+				tt.args.repositoryUrl,
+				tt.args.referenceName,
+				tt.args.username,
+				tt.args.password,
+				gittypes.GitCredentialAuthType_Basic,
+				false,
+				false,
+				tt.extensions,
+				false,
+			)
 			if tt.expect.shouldFail {
 				assert.Error(t, err)
 				if tt.expect.err != nil {
@@ -270,8 +310,28 @@ func TestService_ListFiles_Azure_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "AZURE_DEVOPS_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
-	go service.ListFiles(privateAzureRepoURL, "refs/heads/main", username, accessToken, false, false, []string{}, false)
-	service.ListFiles(privateAzureRepoURL, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	go service.ListFiles(
+		privateAzureRepoURL,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
+	service.ListFiles(
+		privateAzureRepoURL,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 
 	time.Sleep(2 * time.Second)
 }
diff --git a/api/git/backup.go b/api/git/backup.go
index 286b51876..6928f521a 100644
--- a/api/git/backup.go
+++ b/api/git/backup.go
@@ -19,6 +19,7 @@ type CloneOptions struct {
 	ReferenceName string
 	Username      string
 	Password      string
+	AuthType      gittypes.GitCredentialAuthType
 	// TLSSkipVerify skips SSL verification when cloning the Git repository
 	TLSSkipVerify bool `example:"false"`
 }
@@ -42,7 +43,15 @@ func CloneWithBackup(gitService portainer.GitService, fileService portainer.File
 
 	cleanUp = true
 
-	if err := gitService.CloneRepository(options.ProjectPath, options.URL, options.ReferenceName, options.Username, options.Password, options.TLSSkipVerify); err != nil {
+	if err := gitService.CloneRepository(
+		options.ProjectPath,
+		options.URL,
+		options.ReferenceName,
+		options.Username,
+		options.Password,
+		options.AuthType,
+		options.TLSSkipVerify,
+	); err != nil {
 		cleanUp = false
 		if err := filesystem.MoveDirectory(backupProjectPath, options.ProjectPath, false); err != nil {
 			log.Warn().Err(err).Msg("failed restoring backup folder")
diff --git a/api/git/git.go b/api/git/git.go
index 6c2835815..cf0c9f478 100644
--- a/api/git/git.go
+++ b/api/git/git.go
@@ -7,12 +7,14 @@ import (
 	"strings"
 
 	gittypes "github.com/portainer/portainer/api/git/types"
+	"github.com/rs/zerolog/log"
 
 	"github.com/go-git/go-git/v5"
 	"github.com/go-git/go-git/v5/config"
 	"github.com/go-git/go-git/v5/plumbing"
 	"github.com/go-git/go-git/v5/plumbing/filemode"
 	"github.com/go-git/go-git/v5/plumbing/object"
+	"github.com/go-git/go-git/v5/plumbing/transport"
 	githttp "github.com/go-git/go-git/v5/plumbing/transport/http"
 	"github.com/go-git/go-git/v5/storage/memory"
 	"github.com/pkg/errors"
@@ -33,7 +35,7 @@ func (c *gitClient) download(ctx context.Context, dst string, opt cloneOption) e
 		URL:             opt.repositoryUrl,
 		Depth:           opt.depth,
 		InsecureSkipTLS: opt.tlsSkipVerify,
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		Tags:            git.NoTags,
 	}
 
@@ -51,7 +53,10 @@ func (c *gitClient) download(ctx context.Context, dst string, opt cloneOption) e
 	}
 
 	if !c.preserveGitDirectory {
-		os.RemoveAll(filepath.Join(dst, ".git"))
+		err := os.RemoveAll(filepath.Join(dst, ".git"))
+		if err != nil {
+			log.Error().Err(err).Msg("failed to remove .git directory")
+		}
 	}
 
 	return nil
@@ -64,7 +69,7 @@ func (c *gitClient) latestCommitID(ctx context.Context, opt fetchOption) (string
 	})
 
 	listOptions := &git.ListOptions{
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		InsecureSkipTLS: opt.tlsSkipVerify,
 	}
 
@@ -94,7 +99,23 @@ func (c *gitClient) latestCommitID(ctx context.Context, opt fetchOption) (string
 	return "", errors.Errorf("could not find ref %q in the repository", opt.referenceName)
 }
 
-func getAuth(username, password string) *githttp.BasicAuth {
+func getAuth(authType gittypes.GitCredentialAuthType, username, password string) transport.AuthMethod {
+	if password == "" {
+		return nil
+	}
+
+	switch authType {
+	case gittypes.GitCredentialAuthType_Basic:
+		return getBasicAuth(username, password)
+	case gittypes.GitCredentialAuthType_Token:
+		return getTokenAuth(password)
+	default:
+		log.Warn().Msg("unknown git credentials authorization type, defaulting to None")
+		return nil
+	}
+}
+
+func getBasicAuth(username, password string) *githttp.BasicAuth {
 	if password != "" {
 		if username == "" {
 			username = "token"
@@ -108,6 +129,15 @@ func getAuth(username, password string) *githttp.BasicAuth {
 	return nil
 }
 
+func getTokenAuth(token string) *githttp.TokenAuth {
+	if token != "" {
+		return &githttp.TokenAuth{
+			Token: token,
+		}
+	}
+	return nil
+}
+
 func (c *gitClient) listRefs(ctx context.Context, opt baseOption) ([]string, error) {
 	rem := git.NewRemote(memory.NewStorage(), &config.RemoteConfig{
 		Name: "origin",
@@ -115,7 +145,7 @@ func (c *gitClient) listRefs(ctx context.Context, opt baseOption) ([]string, err
 	})
 
 	listOptions := &git.ListOptions{
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		InsecureSkipTLS: opt.tlsSkipVerify,
 	}
 
@@ -143,7 +173,7 @@ func (c *gitClient) listFiles(ctx context.Context, opt fetchOption) ([]string, e
 		Depth:           1,
 		SingleBranch:    true,
 		ReferenceName:   plumbing.ReferenceName(opt.referenceName),
-		Auth:            getAuth(opt.username, opt.password),
+		Auth:            getAuth(opt.authType, opt.username, opt.password),
 		InsecureSkipTLS: opt.tlsSkipVerify,
 		Tags:            git.NoTags,
 	}
diff --git a/api/git/git_integration_test.go b/api/git/git_integration_test.go
index add10afd6..6cb10253a 100644
--- a/api/git/git_integration_test.go
+++ b/api/git/git_integration_test.go
@@ -2,6 +2,8 @@ package git
 
 import (
 	"context"
+	"net/http"
+	"net/http/httptest"
 	"path/filepath"
 	"testing"
 	"time"
@@ -24,7 +26,15 @@ func TestService_ClonePrivateRepository_GitHub(t *testing.T) {
 	dst := t.TempDir()
 
 	repositoryUrl := privateGitRepoURL
-	err := service.CloneRepository(dst, repositoryUrl, "refs/heads/main", username, accessToken, false)
+	err := service.CloneRepository(
+		dst,
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.FileExists(t, filepath.Join(dst, "README.md"))
 }
@@ -37,7 +47,14 @@ func TestService_LatestCommitID_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 0, 0)
 
 	repositoryUrl := privateGitRepoURL
-	id, err := service.LatestCommitID(repositoryUrl, "refs/heads/main", username, accessToken, false)
+	id, err := service.LatestCommitID(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	assert.NoError(t, err)
 	assert.NotEmpty(t, id, "cannot guarantee commit id, but it should be not empty")
 }
@@ -50,7 +67,7 @@ func TestService_ListRefs_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 0, 0)
 
 	repositoryUrl := privateGitRepoURL
-	refs, err := service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	refs, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 }
@@ -63,8 +80,8 @@ func TestService_ListRefs_Github_Concurrently(t *testing.T) {
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
 	repositoryUrl := privateGitRepoURL
-	go service.ListRefs(repositoryUrl, username, accessToken, false, false)
-	service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	go service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 
 	time.Sleep(2 * time.Second)
 }
@@ -202,7 +219,17 @@ func TestService_ListFiles_GitHub(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			paths, err := service.ListFiles(tt.args.repositoryUrl, tt.args.referenceName, tt.args.username, tt.args.password, false, false, tt.extensions, false)
+			paths, err := service.ListFiles(
+				tt.args.repositoryUrl,
+				tt.args.referenceName,
+				tt.args.username,
+				tt.args.password,
+				gittypes.GitCredentialAuthType_Basic,
+				false,
+				false,
+				tt.extensions,
+				false,
+			)
 			if tt.expect.shouldFail {
 				assert.Error(t, err)
 				if tt.expect.err != nil {
@@ -226,8 +253,28 @@ func TestService_ListFiles_Github_Concurrently(t *testing.T) {
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	service := newService(context.TODO(), repositoryCacheSize, 200*time.Millisecond)
 
-	go service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
-	service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	go service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
+	service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 
 	time.Sleep(2 * time.Second)
 }
@@ -240,8 +287,18 @@ func TestService_purgeCache_Github(t *testing.T) {
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	service := NewService(context.TODO())
 
-	service.ListRefs(repositoryUrl, username, accessToken, false, false)
-	service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 
 	assert.Equal(t, 1, service.repoRefCache.Len())
 	assert.Equal(t, 1, service.repoFileCache.Len())
@@ -261,8 +318,18 @@ func TestService_purgeCacheByTTL_Github(t *testing.T) {
 	// 40*timeout is designed for giving enough time for ListRefs and ListFiles to cache the result
 	service := newService(context.TODO(), 2, 40*timeout)
 
-	service.ListRefs(repositoryUrl, username, accessToken, false, false)
-	service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
+	service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 	assert.Equal(t, 1, service.repoFileCache.Len())
 
@@ -293,12 +360,12 @@ func TestService_HardRefresh_ListRefs_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 2, 0)
 
 	repositoryUrl := privateGitRepoURL
-	refs, err := service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	refs, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 
-	_, err = service.ListRefs(repositoryUrl, username, "fake-token", false, false)
+	_, err = service.ListRefs(repositoryUrl, username, "fake-token", gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.Error(t, err)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 }
@@ -311,26 +378,46 @@ func TestService_HardRefresh_ListRefs_And_RemoveAllCaches_GitHub(t *testing.T) {
 	service := newService(context.TODO(), 2, 0)
 
 	repositoryUrl := privateGitRepoURL
-	refs, err := service.ListRefs(repositoryUrl, username, accessToken, false, false)
+	refs, err := service.ListRefs(repositoryUrl, username, accessToken, gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(refs), 1)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 
-	files, err := service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	files, err := service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(files), 1)
 	assert.Equal(t, 1, service.repoFileCache.Len())
 
-	files, err = service.ListFiles(repositoryUrl, "refs/heads/test", username, accessToken, false, false, []string{}, false)
+	files, err = service.ListFiles(
+		repositoryUrl,
+		"refs/heads/test",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(files), 1)
 	assert.Equal(t, 2, service.repoFileCache.Len())
 
-	_, err = service.ListRefs(repositoryUrl, username, "fake-token", false, false)
+	_, err = service.ListRefs(repositoryUrl, username, "fake-token", gittypes.GitCredentialAuthType_Basic, false, false)
 	assert.Error(t, err)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 
-	_, err = service.ListRefs(repositoryUrl, username, "fake-token", true, false)
+	_, err = service.ListRefs(repositoryUrl, username, "fake-token", gittypes.GitCredentialAuthType_Basic, true, false)
 	assert.Error(t, err)
 	assert.Equal(t, 1, service.repoRefCache.Len())
 	// The relevant file caches should be removed too
@@ -344,12 +431,72 @@ func TestService_HardRefresh_ListFiles_GitHub(t *testing.T) {
 	accessToken := getRequiredValue(t, "GITHUB_PAT")
 	username := getRequiredValue(t, "GITHUB_USERNAME")
 	repositoryUrl := privateGitRepoURL
-	files, err := service.ListFiles(repositoryUrl, "refs/heads/main", username, accessToken, false, false, []string{}, false)
+	files, err := service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{},
+		false,
+	)
 	assert.NoError(t, err)
 	assert.GreaterOrEqual(t, len(files), 1)
 	assert.Equal(t, 1, service.repoFileCache.Len())
 
-	_, err = service.ListFiles(repositoryUrl, "refs/heads/main", username, "fake-token", false, true, []string{}, false)
+	_, err = service.ListFiles(
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		"fake-token",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		true,
+		[]string{},
+		false,
+	)
 	assert.Error(t, err)
 	assert.Equal(t, 0, service.repoFileCache.Len())
 }
+
+func TestService_CloneRepository_TokenAuth(t *testing.T) {
+	ensureIntegrationTest(t)
+
+	service := newService(context.TODO(), 2, 0)
+	var requests []*http.Request
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		requests = append(requests, r)
+	}))
+	accessToken := "test_access_token"
+	username := "test_username"
+	repositoryUrl := testServer.URL
+
+	// Since we aren't hitting a real git server we ignore the error
+	_ = service.CloneRepository(
+		"test_dir",
+		repositoryUrl,
+		"refs/heads/main",
+		username,
+		accessToken,
+		gittypes.GitCredentialAuthType_Token,
+		false,
+	)
+
+	testServer.Close()
+
+	if len(requests) != 1 {
+		t.Fatalf("expected 1 request sent but got %d", len(requests))
+	}
+
+	gotAuthHeader := requests[0].Header.Get("Authorization")
+	if gotAuthHeader == "" {
+		t.Fatal("no Authorization header in git request")
+	}
+
+	expectedAuthHeader := "Bearer test_access_token"
+	if gotAuthHeader != expectedAuthHeader {
+		t.Fatalf("expected Authorization header %q but got %q", expectedAuthHeader, gotAuthHeader)
+	}
+}
diff --git a/api/git/git_test.go b/api/git/git_test.go
index 81efa2688..fc0db196d 100644
--- a/api/git/git_test.go
+++ b/api/git/git_test.go
@@ -38,7 +38,7 @@ func Test_ClonePublicRepository_Shallow(t *testing.T) {
 
 	dir := t.TempDir()
 	t.Logf("Cloning into %s", dir)
-	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", false)
+	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", gittypes.GitCredentialAuthType_Basic, false)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, getCommitHistoryLength(t, err, dir), "cloned repo has incorrect depth")
 }
@@ -50,7 +50,7 @@ func Test_ClonePublicRepository_NoGitDirectory(t *testing.T) {
 
 	dir := t.TempDir()
 	t.Logf("Cloning into %s", dir)
-	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", false)
+	err := service.CloneRepository(dir, repositoryURL, referenceName, "", "", gittypes.GitCredentialAuthType_Basic, false)
 	assert.NoError(t, err)
 	assert.NoDirExists(t, filepath.Join(dir, ".git"))
 }
@@ -84,7 +84,7 @@ func Test_latestCommitID(t *testing.T) {
 	repositoryURL := setup(t)
 	referenceName := "refs/heads/main"
 
-	id, err := service.LatestCommitID(repositoryURL, referenceName, "", "", false)
+	id, err := service.LatestCommitID(repositoryURL, referenceName, "", "", gittypes.GitCredentialAuthType_Basic, false)
 
 	assert.NoError(t, err)
 	assert.Equal(t, "68dcaa7bd452494043c64252ab90db0f98ecf8d2", id)
@@ -95,7 +95,7 @@ func Test_ListRefs(t *testing.T) {
 
 	repositoryURL := setup(t)
 
-	fs, err := service.ListRefs(repositoryURL, "", "", false, false)
+	fs, err := service.ListRefs(repositoryURL, "", "", gittypes.GitCredentialAuthType_Basic, false, false)
 
 	assert.NoError(t, err)
 	assert.Equal(t, []string{"refs/heads/main"}, fs)
@@ -107,7 +107,17 @@ func Test_ListFiles(t *testing.T) {
 	repositoryURL := setup(t)
 	referenceName := "refs/heads/main"
 
-	fs, err := service.ListFiles(repositoryURL, referenceName, "", "", false, false, []string{".yml"}, false)
+	fs, err := service.ListFiles(
+		repositoryURL,
+		referenceName,
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+		false,
+		[]string{".yml"},
+		false,
+	)
 
 	assert.NoError(t, err)
 	assert.Equal(t, []string{"docker-compose.yml"}, fs)
@@ -255,7 +265,7 @@ func Test_listFilesPrivateRepository(t *testing.T) {
 			name: "list tree with real repository and head ref but no credential",
 			args: fetchOption{
 				baseOption: baseOption{
-					repositoryUrl: privateGitRepoURL + "fake",
+					repositoryUrl: privateGitRepoURL,
 					username:      "",
 					password:      "",
 				},
diff --git a/api/git/service.go b/api/git/service.go
index 3e995eccd..834e0c827 100644
--- a/api/git/service.go
+++ b/api/git/service.go
@@ -8,6 +8,7 @@ import (
 	"time"
 
 	lru "github.com/hashicorp/golang-lru"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/sync/singleflight"
 )
@@ -22,6 +23,7 @@ type baseOption struct {
 	repositoryUrl string
 	username      string
 	password      string
+	authType      gittypes.GitCredentialAuthType
 	tlsSkipVerify bool
 }
 
@@ -123,13 +125,22 @@ func (service *Service) timerHasStopped() bool {
 
 // CloneRepository clones a git repository using the specified URL in the specified
 // destination folder.
-func (service *Service) CloneRepository(destination, repositoryURL, referenceName, username, password string, tlsSkipVerify bool) error {
+func (service *Service) CloneRepository(
+	destination,
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) error {
 	options := cloneOption{
 		fetchOption: fetchOption{
 			baseOption: baseOption{
 				repositoryUrl: repositoryURL,
 				username:      username,
 				password:      password,
+				authType:      authType,
 				tlsSkipVerify: tlsSkipVerify,
 			},
 			referenceName: referenceName,
@@ -155,12 +166,20 @@ func (service *Service) cloneRepository(destination string, options cloneOption)
 }
 
 // LatestCommitID returns SHA1 of the latest commit of the specified reference
-func (service *Service) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
+func (service *Service) LatestCommitID(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) (string, error) {
 	options := fetchOption{
 		baseOption: baseOption{
 			repositoryUrl: repositoryURL,
 			username:      username,
 			password:      password,
+			authType:      authType,
 			tlsSkipVerify: tlsSkipVerify,
 		},
 		referenceName: referenceName,
@@ -170,7 +189,14 @@ func (service *Service) LatestCommitID(repositoryURL, referenceName, username, p
 }
 
 // ListRefs will list target repository's references without cloning the repository
-func (service *Service) ListRefs(repositoryURL, username, password string, hardRefresh bool, tlsSkipVerify bool) ([]string, error) {
+func (service *Service) ListRefs(
+	repositoryURL,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	hardRefresh bool,
+	tlsSkipVerify bool,
+) ([]string, error) {
 	refCacheKey := generateCacheKey(repositoryURL, username, password, strconv.FormatBool(tlsSkipVerify))
 	if service.cacheEnabled && hardRefresh {
 		// Should remove the cache explicitly, so that the following normal list can show the correct result
@@ -196,6 +222,7 @@ func (service *Service) ListRefs(repositoryURL, username, password string, hardR
 		repositoryUrl: repositoryURL,
 		username:      username,
 		password:      password,
+		authType:      authType,
 		tlsSkipVerify: tlsSkipVerify,
 	}
 
@@ -215,18 +242,62 @@ var singleflightGroup = &singleflight.Group{}
 
 // ListFiles will list all the files of the target repository with specific extensions.
 // If extension is not provided, it will list all the files under the target repository
-func (service *Service) ListFiles(repositoryURL, referenceName, username, password string, dirOnly, hardRefresh bool, includedExts []string, tlsSkipVerify bool) ([]string, error) {
-	repoKey := generateCacheKey(repositoryURL, referenceName, username, password, strconv.FormatBool(tlsSkipVerify), strconv.FormatBool(dirOnly))
+func (service *Service) ListFiles(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	dirOnly,
+	hardRefresh bool,
+	includedExts []string,
+	tlsSkipVerify bool,
+) ([]string, error) {
+	repoKey := generateCacheKey(
+		repositoryURL,
+		referenceName,
+		username,
+		password,
+		strconv.FormatBool(tlsSkipVerify),
+		strconv.Itoa(int(authType)),
+		strconv.FormatBool(dirOnly),
+	)
 
 	fs, err, _ := singleflightGroup.Do(repoKey, func() (any, error) {
-		return service.listFiles(repositoryURL, referenceName, username, password, dirOnly, hardRefresh, tlsSkipVerify)
+		return service.listFiles(
+			repositoryURL,
+			referenceName,
+			username,
+			password,
+			authType,
+			dirOnly,
+			hardRefresh,
+			tlsSkipVerify,
+		)
 	})
 
 	return filterFiles(fs.([]string), includedExts), err
 }
 
-func (service *Service) listFiles(repositoryURL, referenceName, username, password string, dirOnly, hardRefresh bool, tlsSkipVerify bool) ([]string, error) {
-	repoKey := generateCacheKey(repositoryURL, referenceName, username, password, strconv.FormatBool(tlsSkipVerify), strconv.FormatBool(dirOnly))
+func (service *Service) listFiles(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	dirOnly,
+	hardRefresh bool,
+	tlsSkipVerify bool,
+) ([]string, error) {
+	repoKey := generateCacheKey(
+		repositoryURL,
+		referenceName,
+		username,
+		password,
+		strconv.FormatBool(tlsSkipVerify),
+		strconv.Itoa(int(authType)),
+		strconv.FormatBool(dirOnly),
+	)
 
 	if service.cacheEnabled && hardRefresh {
 		// Should remove the cache explicitly, so that the following normal list can show the correct result
@@ -247,6 +318,7 @@ func (service *Service) listFiles(repositoryURL, referenceName, username, passwo
 			repositoryUrl: repositoryURL,
 			username:      username,
 			password:      password,
+			authType:      authType,
 			tlsSkipVerify: tlsSkipVerify,
 		},
 		referenceName: referenceName,
diff --git a/api/git/types/types.go b/api/git/types/types.go
index 12d95e093..cb9d7cf03 100644
--- a/api/git/types/types.go
+++ b/api/git/types/types.go
@@ -1,12 +1,21 @@
 package gittypes
 
-import "errors"
+import (
+	"errors"
+)
 
 var (
 	ErrIncorrectRepositoryURL = errors.New("git repository could not be found, please ensure that the URL is correct")
 	ErrAuthenticationFailure  = errors.New("authentication failed, please ensure that the git credentials are correct")
 )
 
+type GitCredentialAuthType int
+
+const (
+	GitCredentialAuthType_Basic GitCredentialAuthType = iota
+	GitCredentialAuthType_Token
+)
+
 // RepoConfig represents a configuration for a repo
 type RepoConfig struct {
 	// The repo url
@@ -24,10 +33,11 @@ type RepoConfig struct {
 }
 
 type GitAuthentication struct {
-	Username string
-	Password string
+	Username          string
+	Password          string
+	AuthorizationType GitCredentialAuthType
 	// Git credentials identifier when the value is not 0
-	// When the value is 0, Username and Password are set without using saved credential
+	// When the value is 0, Username, Password, and Authtype are set without using saved credential
 	// This is introduced since 2.15.0
 	GitCredentialID int `example:"0"`
 }
diff --git a/api/git/update/update.go b/api/git/update/update.go
index 203e361dd..780d6e046 100644
--- a/api/git/update/update.go
+++ b/api/git/update/update.go
@@ -29,7 +29,14 @@ func UpdateGitObject(gitService portainer.GitService, objId string, gitConfig *g
 		return false, "", errors.WithMessagef(err, "failed to get credentials for %v", objId)
 	}
 
-	newHash, err := gitService.LatestCommitID(gitConfig.URL, gitConfig.ReferenceName, username, password, gitConfig.TLSSkipVerify)
+	newHash, err := gitService.LatestCommitID(
+		gitConfig.URL,
+		gitConfig.ReferenceName,
+		username,
+		password,
+		gittypes.GitCredentialAuthType_Basic,
+		gitConfig.TLSSkipVerify,
+	)
 	if err != nil {
 		return false, "", errors.WithMessagef(err, "failed to fetch latest commit id of %v", objId)
 	}
@@ -62,6 +69,7 @@ func UpdateGitObject(gitService portainer.GitService, objId string, gitConfig *g
 		cloneParams.auth = &gitAuth{
 			username: username,
 			password: password,
+			authType: gitConfig.Authentication.AuthorizationType,
 		}
 	}
 
@@ -89,14 +97,31 @@ type cloneRepositoryParameters struct {
 }
 
 type gitAuth struct {
+	authType gittypes.GitCredentialAuthType
 	username string
 	password string
 }
 
 func cloneGitRepository(gitService portainer.GitService, cloneParams *cloneRepositoryParameters) error {
 	if cloneParams.auth != nil {
-		return gitService.CloneRepository(cloneParams.toDir, cloneParams.url, cloneParams.ref, cloneParams.auth.username, cloneParams.auth.password, cloneParams.tlsSkipVerify)
+		return gitService.CloneRepository(
+			cloneParams.toDir,
+			cloneParams.url,
+			cloneParams.ref,
+			cloneParams.auth.username,
+			cloneParams.auth.password,
+			cloneParams.auth.authType,
+			cloneParams.tlsSkipVerify,
+		)
 	}
 
-	return gitService.CloneRepository(cloneParams.toDir, cloneParams.url, cloneParams.ref, "", "", cloneParams.tlsSkipVerify)
+	return gitService.CloneRepository(
+		cloneParams.toDir,
+		cloneParams.url,
+		cloneParams.ref,
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		cloneParams.tlsSkipVerify,
+	)
 }
diff --git a/api/http/handler/customtemplates/customtemplate_git_fetch_test.go b/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
index 60ed1666f..b63db356d 100644
--- a/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
+++ b/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
@@ -33,13 +33,28 @@ type TestGitService struct {
 	targetFilePath string
 }
 
-func (g *TestGitService) CloneRepository(destination string, repositoryURL, referenceName string, username, password string, tlsSkipVerify bool) error {
+func (g *TestGitService) CloneRepository(
+	destination string,
+	repositoryURL,
+	referenceName string,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) error {
 	time.Sleep(100 * time.Millisecond)
 
 	return createTestFile(g.targetFilePath)
 }
 
-func (g *TestGitService) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
+func (g *TestGitService) LatestCommitID(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) (string, error) {
 	return "", nil
 }
 
@@ -56,11 +71,26 @@ type InvalidTestGitService struct {
 	targetFilePath string
 }
 
-func (g *InvalidTestGitService) CloneRepository(dest, repoUrl, refName, username, password string, tlsSkipVerify bool) error {
+func (g *InvalidTestGitService) CloneRepository(
+	dest,
+	repoUrl,
+	refName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) error {
 	return errors.New("simulate network error")
 }
 
-func (g *InvalidTestGitService) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
+func (g *InvalidTestGitService) LatestCommitID(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) (string, error) {
 	return "", nil
 }
 
diff --git a/api/http/handler/customtemplates/customtemplate_update.go b/api/http/handler/customtemplates/customtemplate_update.go
index f14d228f3..f12eeb2e1 100644
--- a/api/http/handler/customtemplates/customtemplate_update.go
+++ b/api/http/handler/customtemplates/customtemplate_update.go
@@ -37,14 +37,16 @@ type customTemplateUpdatePayload struct {
 	RepositoryURL string `example:"https://github.com/openfaas/faas" validate:"required"`
 	// Reference name of a Git repository hosting the Stack file
 	RepositoryReferenceName string `example:"refs/heads/master"`
-	// Use basic authentication to clone the Git repository
+	// Use authentication to clone the Git repository
 	RepositoryAuthentication bool `example:"true"`
 	// Username used in basic authentication. Required when RepositoryAuthentication is true
-	// and RepositoryGitCredentialID is 0
+	// and RepositoryGitCredentialID is 0. Ignored if RepositoryAuthType is token
 	RepositoryUsername string `example:"myGitUsername"`
-	// Password used in basic authentication. Required when RepositoryAuthentication is true
-	// and RepositoryGitCredentialID is 0
+	// Password used in basic authentication or token used in token authentication.
+	// Required when RepositoryAuthentication is true and RepositoryGitCredentialID is 0
 	RepositoryPassword string `example:"myGitPassword"`
+	// RepositoryAuthorizationType is the authorization type to use
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType `example:"0"`
 	// GitCredentialID used to identify the bound git credential. Required when RepositoryAuthentication
 	// is true and RepositoryUsername/RepositoryPassword are not provided
 	RepositoryGitCredentialID int `example:"0"`
@@ -182,12 +184,15 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 
 		repositoryUsername := ""
 		repositoryPassword := ""
+		repositoryAuthType := gittypes.GitCredentialAuthType_Basic
 		if payload.RepositoryAuthentication {
 			repositoryUsername = payload.RepositoryUsername
 			repositoryPassword = payload.RepositoryPassword
+			repositoryAuthType = payload.RepositoryAuthorizationType
 			gitConfig.Authentication = &gittypes.GitAuthentication{
-				Username: payload.RepositoryUsername,
-				Password: payload.RepositoryPassword,
+				Username:          payload.RepositoryUsername,
+				Password:          payload.RepositoryPassword,
+				AuthorizationType: payload.RepositoryAuthorizationType,
 			}
 		}
 
@@ -197,6 +202,7 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 			ReferenceName: gitConfig.ReferenceName,
 			Username:      repositoryUsername,
 			Password:      repositoryPassword,
+			AuthType:      repositoryAuthType,
 			TLSSkipVerify: gitConfig.TLSSkipVerify,
 		})
 		if err != nil {
@@ -205,7 +211,14 @@ func (handler *Handler) customTemplateUpdate(w http.ResponseWriter, r *http.Requ
 
 		defer cleanBackup()
 
-		commitHash, err := handler.GitService.LatestCommitID(gitConfig.URL, gitConfig.ReferenceName, repositoryUsername, repositoryPassword, gitConfig.TLSSkipVerify)
+		commitHash, err := handler.GitService.LatestCommitID(
+			gitConfig.URL,
+			gitConfig.ReferenceName,
+			repositoryUsername,
+			repositoryPassword,
+			repositoryAuthType,
+			gitConfig.TLSSkipVerify,
+		)
 		if err != nil {
 			return httperror.InternalServerError("Unable get latest commit id", fmt.Errorf("failed to fetch latest commit id of the template %v: %w", customTemplate.ID, err))
 		}
diff --git a/api/http/handler/edgestacks/edgestack_create_git.go b/api/http/handler/edgestacks/edgestack_create_git.go
index d20e5b5c2..a8775495d 100644
--- a/api/http/handler/edgestacks/edgestack_create_git.go
+++ b/api/http/handler/edgestacks/edgestack_create_git.go
@@ -33,6 +33,8 @@ type edgeStackFromGitRepositoryPayload struct {
 	RepositoryUsername string `example:"myGitUsername"`
 	// Password used in basic authentication. Required when RepositoryAuthentication is true.
 	RepositoryPassword string `example:"myGitPassword"`
+	// RepositoryAuthorizationType is the authorization type to use
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType `example:"0"`
 	// Path to the Stack file inside the Git repository
 	FilePathInRepository string `example:"docker-compose.yml" default:"docker-compose.yml"`
 	// List of identifiers of EdgeGroups
@@ -125,8 +127,9 @@ func (handler *Handler) createEdgeStackFromGitRepository(r *http.Request, tx dat
 
 	if payload.RepositoryAuthentication {
 		repoConfig.Authentication = &gittypes.GitAuthentication{
-			Username: payload.RepositoryUsername,
-			Password: payload.RepositoryPassword,
+			Username:          payload.RepositoryUsername,
+			Password:          payload.RepositoryPassword,
+			AuthorizationType: payload.RepositoryAuthorizationType,
 		}
 	}
 
@@ -145,12 +148,22 @@ func (handler *Handler) storeManifestFromGitRepository(tx dataservices.DataStore
 	projectPath = handler.FileService.GetEdgeStackProjectPath(stackFolder)
 	repositoryUsername := ""
 	repositoryPassword := ""
+	repositoryAuthType := gittypes.GitCredentialAuthType_Basic
 	if repositoryConfig.Authentication != nil && repositoryConfig.Authentication.Password != "" {
 		repositoryUsername = repositoryConfig.Authentication.Username
 		repositoryPassword = repositoryConfig.Authentication.Password
+		repositoryAuthType = repositoryConfig.Authentication.AuthorizationType
 	}
 
-	if err := handler.GitService.CloneRepository(projectPath, repositoryConfig.URL, repositoryConfig.ReferenceName, repositoryUsername, repositoryPassword, repositoryConfig.TLSSkipVerify); err != nil {
+	if err := handler.GitService.CloneRepository(
+		projectPath,
+		repositoryConfig.URL,
+		repositoryConfig.ReferenceName,
+		repositoryUsername,
+		repositoryPassword,
+		repositoryAuthType,
+		repositoryConfig.TLSSkipVerify,
+	); err != nil {
 		return "", "", "", err
 	}
 
diff --git a/api/http/handler/gitops/git_repo_file_preview.go b/api/http/handler/gitops/git_repo_file_preview.go
index 1eaa52716..43c08c870 100644
--- a/api/http/handler/gitops/git_repo_file_preview.go
+++ b/api/http/handler/gitops/git_repo_file_preview.go
@@ -17,10 +17,11 @@ type fileResponse struct {
 }
 
 type repositoryFilePreviewPayload struct {
-	Repository string `json:"repository" example:"https://github.com/openfaas/faas" validate:"required"`
-	Reference  string `json:"reference" example:"refs/heads/master"`
-	Username   string `json:"username" example:"myGitUsername"`
-	Password   string `json:"password" example:"myGitPassword"`
+	Repository        string                         `json:"repository" example:"https://github.com/openfaas/faas" validate:"required"`
+	Reference         string                         `json:"reference" example:"refs/heads/master"`
+	Username          string                         `json:"username" example:"myGitUsername"`
+	Password          string                         `json:"password" example:"myGitPassword"`
+	AuthorizationType gittypes.GitCredentialAuthType `json:"authorizationType"`
 	// Path to file whose content will be read
 	TargetFile string `json:"targetFile" example:"docker-compose.yml"`
 	// TLSSkipVerify skips SSL verification when cloning the Git repository
@@ -68,7 +69,15 @@ func (handler *Handler) gitOperationRepoFilePreview(w http.ResponseWriter, r *ht
 		return httperror.InternalServerError("Unable to create temporary folder", err)
 	}
 
-	err = handler.gitService.CloneRepository(projectPath, payload.Repository, payload.Reference, payload.Username, payload.Password, payload.TLSSkipVerify)
+	err = handler.gitService.CloneRepository(
+		projectPath,
+		payload.Repository,
+		payload.Reference,
+		payload.Username,
+		payload.Password,
+		payload.AuthorizationType,
+		payload.TLSSkipVerify,
+	)
 	if err != nil {
 		if errors.Is(err, gittypes.ErrAuthenticationFailure) {
 			return httperror.BadRequest("Invalid git credential", err)
diff --git a/api/http/handler/stacks/stack_update_git.go b/api/http/handler/stacks/stack_update_git.go
index 8d0687694..2bdf2b71f 100644
--- a/api/http/handler/stacks/stack_update_git.go
+++ b/api/http/handler/stacks/stack_update_git.go
@@ -19,14 +19,15 @@ import (
 )
 
 type stackGitUpdatePayload struct {
-	AutoUpdate               *portainer.AutoUpdateSettings
-	Env                      []portainer.Pair
-	Prune                    bool
-	RepositoryReferenceName  string
-	RepositoryAuthentication bool
-	RepositoryUsername       string
-	RepositoryPassword       string
-	TLSSkipVerify            bool
+	AutoUpdate                  *portainer.AutoUpdateSettings
+	Env                         []portainer.Pair
+	Prune                       bool
+	RepositoryReferenceName     string
+	RepositoryAuthentication    bool
+	RepositoryUsername          string
+	RepositoryPassword          string
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType
+	TLSSkipVerify               bool
 }
 
 func (payload *stackGitUpdatePayload) Validate(r *http.Request) error {
@@ -151,11 +152,19 @@ func (handler *Handler) stackUpdateGit(w http.ResponseWriter, r *http.Request) *
 		}
 
 		stack.GitConfig.Authentication = &gittypes.GitAuthentication{
-			Username: payload.RepositoryUsername,
-			Password: password,
+			Username:          payload.RepositoryUsername,
+			Password:          password,
+			AuthorizationType: payload.RepositoryAuthorizationType,
 		}
 
-		if _, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, stack.GitConfig.Authentication.Username, stack.GitConfig.Authentication.Password, stack.GitConfig.TLSSkipVerify); err != nil {
+		if _, err := handler.GitService.LatestCommitID(
+			stack.GitConfig.URL,
+			stack.GitConfig.ReferenceName,
+			stack.GitConfig.Authentication.Username,
+			stack.GitConfig.Authentication.Password,
+			stack.GitConfig.Authentication.AuthorizationType,
+			stack.GitConfig.TLSSkipVerify,
+		); err != nil {
 			return httperror.InternalServerError("Unable to fetch git repository", err)
 		}
 	} else {
diff --git a/api/http/handler/stacks/stack_update_git_redeploy.go b/api/http/handler/stacks/stack_update_git_redeploy.go
index e65e1e70c..c595808aa 100644
--- a/api/http/handler/stacks/stack_update_git_redeploy.go
+++ b/api/http/handler/stacks/stack_update_git_redeploy.go
@@ -6,6 +6,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/git"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	httperrors "github.com/portainer/portainer/api/http/errors"
 	"github.com/portainer/portainer/api/http/security"
 	k "github.com/portainer/portainer/api/kubernetes"
@@ -19,12 +20,13 @@ import (
 )
 
 type stackGitRedployPayload struct {
-	RepositoryReferenceName  string
-	RepositoryAuthentication bool
-	RepositoryUsername       string
-	RepositoryPassword       string
-	Env                      []portainer.Pair
-	Prune                    bool
+	RepositoryReferenceName     string
+	RepositoryAuthentication    bool
+	RepositoryUsername          string
+	RepositoryPassword          string
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType
+	Env                         []portainer.Pair
+	Prune                       bool
 	// Force a pulling to current image with the original tag though the image is already the latest
 	PullImage bool `example:"false"`
 
@@ -135,13 +137,16 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 
 	repositoryUsername := ""
 	repositoryPassword := ""
+	repositoryAuthType := gittypes.GitCredentialAuthType_Basic
 	if payload.RepositoryAuthentication {
 		repositoryPassword = payload.RepositoryPassword
+		repositoryAuthType = payload.RepositoryAuthorizationType
 
 		// When the existing stack is using the custom username/password and the password is not updated,
 		// the stack should keep using the saved username/password
 		if repositoryPassword == "" && stack.GitConfig != nil && stack.GitConfig.Authentication != nil {
 			repositoryPassword = stack.GitConfig.Authentication.Password
+			repositoryAuthType = stack.GitConfig.Authentication.AuthorizationType
 		}
 		repositoryUsername = payload.RepositoryUsername
 	}
@@ -152,6 +157,7 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 		ReferenceName: stack.GitConfig.ReferenceName,
 		Username:      repositoryUsername,
 		Password:      repositoryPassword,
+		AuthType:      repositoryAuthType,
 		TLSSkipVerify: stack.GitConfig.TLSSkipVerify,
 	}
 
@@ -166,7 +172,7 @@ func (handler *Handler) stackGitRedeploy(w http.ResponseWriter, r *http.Request)
 		return err
 	}
 
-	newHash, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, repositoryUsername, repositoryPassword, stack.GitConfig.TLSSkipVerify)
+	newHash, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, repositoryUsername, repositoryPassword, repositoryAuthType, stack.GitConfig.TLSSkipVerify)
 	if err != nil {
 		return httperror.InternalServerError("Unable get latest commit id", errors.WithMessagef(err, "failed to fetch latest commit id of the stack %v", stack.ID))
 	}
diff --git a/api/http/handler/stacks/update_kubernetes_stack.go b/api/http/handler/stacks/update_kubernetes_stack.go
index 95195bb10..42ecbaa04 100644
--- a/api/http/handler/stacks/update_kubernetes_stack.go
+++ b/api/http/handler/stacks/update_kubernetes_stack.go
@@ -27,12 +27,13 @@ type kubernetesFileStackUpdatePayload struct {
 }
 
 type kubernetesGitStackUpdatePayload struct {
-	RepositoryReferenceName  string
-	RepositoryAuthentication bool
-	RepositoryUsername       string
-	RepositoryPassword       string
-	AutoUpdate               *portainer.AutoUpdateSettings
-	TLSSkipVerify            bool
+	RepositoryReferenceName     string
+	RepositoryAuthentication    bool
+	RepositoryUsername          string
+	RepositoryPassword          string
+	RepositoryAuthorizationType gittypes.GitCredentialAuthType
+	AutoUpdate                  *portainer.AutoUpdateSettings
+	TLSSkipVerify               bool
 }
 
 func (payload *kubernetesFileStackUpdatePayload) Validate(r *http.Request) error {
@@ -76,11 +77,19 @@ func (handler *Handler) updateKubernetesStack(r *http.Request, stack *portainer.
 			}
 
 			stack.GitConfig.Authentication = &gittypes.GitAuthentication{
-				Username: payload.RepositoryUsername,
-				Password: password,
+				Username:          payload.RepositoryUsername,
+				Password:          password,
+				AuthorizationType: payload.RepositoryAuthorizationType,
 			}
 
-			if _, err := handler.GitService.LatestCommitID(stack.GitConfig.URL, stack.GitConfig.ReferenceName, stack.GitConfig.Authentication.Username, stack.GitConfig.Authentication.Password, stack.GitConfig.TLSSkipVerify); err != nil {
+			if _, err := handler.GitService.LatestCommitID(
+				stack.GitConfig.URL,
+				stack.GitConfig.ReferenceName,
+				stack.GitConfig.Authentication.Username,
+				stack.GitConfig.Authentication.Password,
+				stack.GitConfig.Authentication.AuthorizationType,
+				stack.GitConfig.TLSSkipVerify,
+			); err != nil {
 				return httperror.InternalServerError("Unable to fetch git repository", err)
 			}
 		}
diff --git a/api/http/handler/templates/template_file.go b/api/http/handler/templates/template_file.go
index b834eeed9..f9ec0135c 100644
--- a/api/http/handler/templates/template_file.go
+++ b/api/http/handler/templates/template_file.go
@@ -5,6 +5,7 @@ import (
 	"slices"
 
 	portainer "github.com/portainer/portainer/api"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 	"github.com/portainer/portainer/pkg/libhttp/response"
@@ -71,7 +72,15 @@ func (handler *Handler) templateFile(w http.ResponseWriter, r *http.Request) *ht
 
 	defer handler.cleanUp(projectPath)
 
-	if err := handler.GitService.CloneRepository(projectPath, template.Repository.URL, "", "", "", false); err != nil {
+	if err := handler.GitService.CloneRepository(
+		projectPath,
+		template.Repository.URL,
+		"",
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	); err != nil {
 		return httperror.InternalServerError("Unable to clone git repository", err)
 	}
 
diff --git a/api/http/proxy/factory/docker/transport.go b/api/http/proxy/factory/docker/transport.go
index 49f1cd501..dae72ecc1 100644
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@@ -15,6 +15,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/authorization"
@@ -418,7 +419,14 @@ func (transport *Transport) updateDefaultGitBranch(request *http.Request) error
 	}
 
 	repositoryURL := remote[:len(remote)-4]
-	latestCommitID, err := transport.gitService.LatestCommitID(repositoryURL, "", "", "", false)
+	latestCommitID, err := transport.gitService.LatestCommitID(
+		repositoryURL,
+		"",
+		"",
+		"",
+		gittypes.GitCredentialAuthType_Basic,
+		false,
+	)
 	if err != nil {
 		return err
 	}
diff --git a/api/internal/testhelpers/git_service.go b/api/internal/testhelpers/git_service.go
index 6af1b6459..6b1a352ee 100644
--- a/api/internal/testhelpers/git_service.go
+++ b/api/internal/testhelpers/git_service.go
@@ -1,6 +1,9 @@
 package testhelpers
 
-import portainer "github.com/portainer/portainer/api"
+import (
+	portainer "github.com/portainer/portainer/api"
+	gittypes "github.com/portainer/portainer/api/git/types"
+)
 
 type gitService struct {
 	cloneErr error
@@ -15,18 +18,50 @@ func NewGitService(cloneErr error, id string) portainer.GitService {
 	}
 }
 
-func (g *gitService) CloneRepository(destination, repositoryURL, referenceName, username, password string, tlsSkipVerify bool) error {
+func (g *gitService) CloneRepository(
+	destination,
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) error {
 	return g.cloneErr
 }
 
-func (g *gitService) LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error) {
+func (g *gitService) LatestCommitID(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	tlsSkipVerify bool,
+) (string, error) {
 	return g.id, nil
 }
 
-func (g *gitService) ListRefs(repositoryURL, username, password string, hardRefresh bool, tlsSkipVerify bool) ([]string, error) {
+func (g *gitService) ListRefs(
+	repositoryURL,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	hardRefresh bool,
+	tlsSkipVerify bool,
+) ([]string, error) {
 	return nil, nil
 }
 
-func (g *gitService) ListFiles(repositoryURL, referenceName, username, password string, dirOnly, hardRefresh bool, includedExts []string, tlsSkipVerify bool) ([]string, error) {
+func (g *gitService) ListFiles(
+	repositoryURL,
+	referenceName,
+	username,
+	password string,
+	authType gittypes.GitCredentialAuthType,
+	dirOnly,
+	hardRefresh bool,
+	includedExts []string,
+	tlsSkipVerify bool,
+) ([]string, error) {
 	return nil, nil
 }
diff --git a/api/portainer.go b/api/portainer.go
index 8172f08fa..7c72f9b01 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1538,10 +1538,42 @@ type (
 
 	// GitService represents a service for managing Git
 	GitService interface {
-		CloneRepository(destination string, repositoryURL, referenceName, username, password string, tlsSkipVerify bool) error
-		LatestCommitID(repositoryURL, referenceName, username, password string, tlsSkipVerify bool) (string, error)
-		ListRefs(repositoryURL, username, password string, hardRefresh bool, tlsSkipVerify bool) ([]string, error)
-		ListFiles(repositoryURL, referenceName, username, password string, dirOnly, hardRefresh bool, includeExts []string, tlsSkipVerify bool) ([]string, error)
+		CloneRepository(
+			destination string,
+			repositoryURL,
+			referenceName,
+			username,
+			password string,
+			authType gittypes.GitCredentialAuthType,
+			tlsSkipVerify bool,
+		) error
+		LatestCommitID(
+			repositoryURL,
+			referenceName,
+			username,
+			password string,
+			authType gittypes.GitCredentialAuthType,
+			tlsSkipVerify bool,
+		) (string, error)
+		ListRefs(
+			repositoryURL,
+			username,
+			password string,
+			authType gittypes.GitCredentialAuthType,
+			hardRefresh bool,
+			tlsSkipVerify bool,
+		) ([]string, error)
+		ListFiles(
+			repositoryURL,
+			referenceName,
+			username,
+			password string,
+			authType gittypes.GitCredentialAuthType,
+			dirOnly,
+			hardRefresh bool,
+			includeExts []string,
+			tlsSkipVerify bool,
+		) ([]string, error)
 	}
 
 	// OpenAMTService represents a service for managing OpenAMT
diff --git a/api/stacks/stackutils/gitops.go b/api/stacks/stackutils/gitops.go
index d035b783d..566a2a2e2 100644
--- a/api/stacks/stackutils/gitops.go
+++ b/api/stacks/stackutils/gitops.go
@@ -19,13 +19,23 @@ var (
 func DownloadGitRepository(config gittypes.RepoConfig, gitService portainer.GitService, getProjectPath func() string) (string, error) {
 	username := ""
 	password := ""
+	authType := gittypes.GitCredentialAuthType_Basic
 	if config.Authentication != nil {
 		username = config.Authentication.Username
 		password = config.Authentication.Password
+		authType = config.Authentication.AuthorizationType
 	}
 
 	projectPath := getProjectPath()
-	err := gitService.CloneRepository(projectPath, config.URL, config.ReferenceName, username, password, config.TLSSkipVerify)
+	err := gitService.CloneRepository(
+		projectPath,
+		config.URL,
+		config.ReferenceName,
+		username,
+		password,
+		authType,
+		config.TLSSkipVerify,
+	)
 	if err != nil {
 		if errors.Is(err, gittypes.ErrAuthenticationFailure) {
 			newErr := git.ErrInvalidGitCredential
@@ -36,7 +46,14 @@ func DownloadGitRepository(config gittypes.RepoConfig, gitService portainer.GitS
 		return "", newErr
 	}
 
-	commitID, err := gitService.LatestCommitID(config.URL, config.ReferenceName, username, password, config.TLSSkipVerify)
+	commitID, err := gitService.LatestCommitID(
+		config.URL,
+		config.ReferenceName,
+		username,
+		password,
+		authType,
+		config.TLSSkipVerify,
+	)
 	if err != nil {
 		newErr := fmt.Errorf("unable to fetch git repository id: %w", err)
 		return "", newErr

From 937456596a680b01e5327c5ea555982c7dbbff9b Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 21 Jul 2025 21:31:13 -0300
Subject: [PATCH 192/212] fix(edgegroups): convert the related endpoint IDs to
 roaring bitmaps to increase performance BE-12053 (#903)

---
 api/dataservices/edgegroup/tx.go              |  20 ++-
 api/datastore/migrate_data.go                 |   1 +
 api/datastore/migrator/migrate_2_33_0.go      |  23 +++
 api/datastore/migrator/migrator.go            |   7 +
 .../edgegroups/associated_endpoints.go        |  20 ++-
 .../handler/edgegroups/edgegroup_create.go    |   5 +-
 .../edgegroups/edgegroup_create_test.go       |  62 ++++++++
 .../handler/edgegroups/edgegroup_inspect.go   |   7 +-
 .../edgegroups/edgegroup_inspect_test.go      | 137 +++++++++++++++++
 api/http/handler/edgegroups/edgegroup_list.go |  34 +++-
 .../handler/edgegroups/edgegroup_list_test.go |  67 +++++++-
 .../handler/edgegroups/edgegroup_update.go    |   2 +-
 .../edgegroups/edgegroup_update_test.go       |  70 +++++++++
 .../edgestacks/edgestack_create_test.go       |   5 +-
 api/http/handler/edgestacks/edgestack_test.go |   3 +-
 .../edgestacks/edgestack_update_test.go       |   7 +-
 .../endpointedge_status_inspect_test.go       |   5 +-
 api/http/handler/endpoints/endpoint_delete.go |   5 +-
 .../handler/endpoints/endpoint_delete_test.go |   9 +-
 api/http/handler/endpoints/filter.go          |  63 ++++----
 api/http/handler/endpoints/filter_test.go     | 138 ++++++++++++++++-
 .../endpoints/utils_update_edge_groups.go     |  27 ++--
 .../utils_update_edge_groups_test.go          |  19 +--
 .../endpoints/utils_update_tags_test.go       |   1 -
 api/http/handler/tags/tag_delete_test.go      |  23 ++-
 api/internal/edge/edgegroup.go                |   6 +-
 api/internal/edge/edgegroup_benchmark_test.go | 104 +++++++++++++
 api/portainer.go                              |  26 ++--
 api/roar/roar.go                              | 145 ++++++++++++++++++
 api/roar/roar_test.go                         | 123 +++++++++++++++
 go.mod                                        |   3 +
 go.sum                                        |   7 +
 32 files changed, 1041 insertions(+), 133 deletions(-)
 create mode 100644 api/datastore/migrator/migrate_2_33_0.go
 create mode 100644 api/http/handler/edgegroups/edgegroup_create_test.go
 create mode 100644 api/http/handler/edgegroups/edgegroup_inspect_test.go
 create mode 100644 api/http/handler/edgegroups/edgegroup_update_test.go
 create mode 100644 api/internal/edge/edgegroup_benchmark_test.go
 create mode 100644 api/roar/roar.go
 create mode 100644 api/roar/roar_test.go

diff --git a/api/dataservices/edgegroup/tx.go b/api/dataservices/edgegroup/tx.go
index 19f37e011..2fba688a6 100644
--- a/api/dataservices/edgegroup/tx.go
+++ b/api/dataservices/edgegroup/tx.go
@@ -17,11 +17,29 @@ func (service ServiceTx) UpdateEdgeGroupFunc(ID portainer.EdgeGroupID, updateFun
 }
 
 func (service ServiceTx) Create(group *portainer.EdgeGroup) error {
-	return service.Tx.CreateObject(
+	es := group.Endpoints
+	group.Endpoints = nil // Clear deprecated field
+
+	err := service.Tx.CreateObject(
 		BucketName,
 		func(id uint64) (int, any) {
 			group.ID = portainer.EdgeGroupID(id)
 			return int(group.ID), group
 		},
 	)
+
+	group.Endpoints = es // Restore endpoints after create
+
+	return err
+}
+
+func (service ServiceTx) Update(ID portainer.EdgeGroupID, group *portainer.EdgeGroup) error {
+	es := group.Endpoints
+	group.Endpoints = nil // Clear deprecated field
+
+	err := service.BaseDataServiceTx.Update(ID, group)
+
+	group.Endpoints = es // Restore endpoints after update
+
+	return err
 }
diff --git a/api/datastore/migrate_data.go b/api/datastore/migrate_data.go
index 409936db8..2b53bbb9c 100644
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -85,6 +85,7 @@ func (store *Store) newMigratorParameters(version *models.Version, flags *portai
 		EdgeStackService:        store.EdgeStackService,
 		EdgeStackStatusService:  store.EdgeStackStatusService,
 		EdgeJobService:          store.EdgeJobService,
+		EdgeGroupService:        store.EdgeGroupService,
 		TunnelServerService:     store.TunnelServerService,
 		PendingActionsService:   store.PendingActionsService,
 	}
diff --git a/api/datastore/migrator/migrate_2_33_0.go b/api/datastore/migrator/migrate_2_33_0.go
new file mode 100644
index 000000000..f000a780a
--- /dev/null
+++ b/api/datastore/migrator/migrate_2_33_0.go
@@ -0,0 +1,23 @@
+package migrator
+
+import (
+	"github.com/portainer/portainer/api/roar"
+)
+
+func (m *Migrator) migrateEdgeGroupEndpointsToRoars_2_33_0() error {
+	egs, err := m.edgeGroupService.ReadAll()
+	if err != nil {
+		return err
+	}
+
+	for _, eg := range egs {
+		eg.EndpointIDs = roar.FromSlice(eg.Endpoints)
+		eg.Endpoints = nil
+
+		if err := m.edgeGroupService.Update(eg.ID, &eg); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
diff --git a/api/datastore/migrator/migrator.go b/api/datastore/migrator/migrator.go
index 4c2a50e59..df27cc0cd 100644
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/models"
 	"github.com/portainer/portainer/api/dataservices/dockerhub"
+	"github.com/portainer/portainer/api/dataservices/edgegroup"
 	"github.com/portainer/portainer/api/dataservices/edgejob"
 	"github.com/portainer/portainer/api/dataservices/edgestack"
 	"github.com/portainer/portainer/api/dataservices/edgestackstatus"
@@ -60,6 +61,7 @@ type (
 		edgeStackService        *edgestack.Service
 		edgeStackStatusService  *edgestackstatus.Service
 		edgeJobService          *edgejob.Service
+		edgeGroupService        *edgegroup.Service
 		TunnelServerService     *tunnelserver.Service
 		pendingActionsService   *pendingactions.Service
 	}
@@ -89,6 +91,7 @@ type (
 		EdgeStackService        *edgestack.Service
 		EdgeStackStatusService  *edgestackstatus.Service
 		EdgeJobService          *edgejob.Service
+		EdgeGroupService        *edgegroup.Service
 		TunnelServerService     *tunnelserver.Service
 		PendingActionsService   *pendingactions.Service
 	}
@@ -120,11 +123,13 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		edgeStackService:        parameters.EdgeStackService,
 		edgeStackStatusService:  parameters.EdgeStackStatusService,
 		edgeJobService:          parameters.EdgeJobService,
+		edgeGroupService:        parameters.EdgeGroupService,
 		TunnelServerService:     parameters.TunnelServerService,
 		pendingActionsService:   parameters.PendingActionsService,
 	}
 
 	migrator.initMigrations()
+
 	return migrator
 }
 
@@ -251,6 +256,8 @@ func (m *Migrator) initMigrations() {
 
 	m.addMigrations("2.32.0", m.addEndpointRelationForEdgeAgents_2_32_0)
 
+	m.addMigrations("2.33.0", m.migrateEdgeGroupEndpointsToRoars_2_33_0)
+
 	// Add new migrations above...
 	// One function per migration, each versions migration funcs in the same file.
 }
diff --git a/api/http/handler/edgegroups/associated_endpoints.go b/api/http/handler/edgegroups/associated_endpoints.go
index d03618c56..b26e94d0c 100644
--- a/api/http/handler/edgegroups/associated_endpoints.go
+++ b/api/http/handler/edgegroups/associated_endpoints.go
@@ -4,6 +4,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/roar"
 )
 
 type endpointSetType map[portainer.EndpointID]bool
@@ -49,22 +50,29 @@ func GetEndpointsByTags(tx dataservices.DataStoreTx, tagIDs []portainer.TagID, p
 	return results, nil
 }
 
-func getTrustedEndpoints(tx dataservices.DataStoreTx, endpointIDs []portainer.EndpointID) ([]portainer.EndpointID, error) {
+func getTrustedEndpoints(tx dataservices.DataStoreTx, endpointIDs roar.Roar[portainer.EndpointID]) ([]portainer.EndpointID, error) {
+	var innerErr error
+
 	results := []portainer.EndpointID{}
-	for _, endpointID := range endpointIDs {
+
+	endpointIDs.Iterate(func(endpointID portainer.EndpointID) bool {
 		endpoint, err := tx.Endpoint().Endpoint(endpointID)
 		if err != nil {
-			return nil, err
+			innerErr = err
+
+			return false
 		}
 
 		if !endpoint.UserTrusted {
-			continue
+			return true
 		}
 
 		results = append(results, endpoint.ID)
-	}
 
-	return results, nil
+		return true
+	})
+
+	return results, innerErr
 }
 
 func mapEndpointGroupToEndpoints(endpoints []portainer.Endpoint) map[portainer.EndpointGroupID]endpointSetType {
diff --git a/api/http/handler/edgegroups/edgegroup_create.go b/api/http/handler/edgegroups/edgegroup_create.go
index 3988160f0..c074bffde 100644
--- a/api/http/handler/edgegroups/edgegroup_create.go
+++ b/api/http/handler/edgegroups/edgegroup_create.go
@@ -7,6 +7,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/roar"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 )
@@ -52,6 +53,7 @@ func calculateEndpointsOrTags(tx dataservices.DataStoreTx, edgeGroup *portainer.
 	}
 
 	edgeGroup.Endpoints = endpointIDs
+	edgeGroup.EndpointIDs = roar.FromSlice(endpointIDs)
 
 	return nil
 }
@@ -94,6 +96,7 @@ func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request)
 			Dynamic:      payload.Dynamic,
 			TagIDs:       []portainer.TagID{},
 			Endpoints:    []portainer.EndpointID{},
+			EndpointIDs:  roar.Roar[portainer.EndpointID]{},
 			PartialMatch: payload.PartialMatch,
 		}
 
@@ -108,5 +111,5 @@ func (handler *Handler) edgeGroupCreate(w http.ResponseWriter, r *http.Request)
 		return nil
 	})
 
-	return txResponse(w, edgeGroup, err)
+	return txResponse(w, shadowedEdgeGroup{EdgeGroup: *edgeGroup}, err)
 }
diff --git a/api/http/handler/edgegroups/edgegroup_create_test.go b/api/http/handler/edgegroups/edgegroup_create_test.go
new file mode 100644
index 000000000..e7710432f
--- /dev/null
+++ b/api/http/handler/edgegroups/edgegroup_create_test.go
@@ -0,0 +1,62 @@
+package edgegroups
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEdgeGroupCreateHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodPost,
+		"/edge_groups",
+		strings.NewReader(`{"Name": "New Edge Group", "Endpoints": [1, 2, 3]}`),
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}
diff --git a/api/http/handler/edgegroups/edgegroup_inspect.go b/api/http/handler/edgegroups/edgegroup_inspect.go
index c17ac6b7c..76780ec1d 100644
--- a/api/http/handler/edgegroups/edgegroup_inspect.go
+++ b/api/http/handler/edgegroups/edgegroup_inspect.go
@@ -5,6 +5,7 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/roar"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 )
@@ -33,7 +34,9 @@ func (handler *Handler) edgeGroupInspect(w http.ResponseWriter, r *http.Request)
 		return err
 	})
 
-	return txResponse(w, edgeGroup, err)
+	edgeGroup.Endpoints = edgeGroup.EndpointIDs.ToSlice()
+
+	return txResponse(w, shadowedEdgeGroup{EdgeGroup: *edgeGroup}, err)
 }
 
 func getEdgeGroup(tx dataservices.DataStoreTx, ID portainer.EdgeGroupID) (*portainer.EdgeGroup, error) {
@@ -50,7 +53,7 @@ func getEdgeGroup(tx dataservices.DataStoreTx, ID portainer.EdgeGroupID) (*porta
 			return nil, httperror.InternalServerError("Unable to retrieve environments and environment groups for Edge group", err)
 		}
 
-		edgeGroup.Endpoints = endpoints
+		edgeGroup.EndpointIDs = roar.FromSlice(endpoints)
 	}
 
 	return edgeGroup, err
diff --git a/api/http/handler/edgegroups/edgegroup_inspect_test.go b/api/http/handler/edgegroups/edgegroup_inspect_test.go
new file mode 100644
index 000000000..d7966cf97
--- /dev/null
+++ b/api/http/handler/edgegroups/edgegroup_inspect_test.go
@@ -0,0 +1,137 @@
+package edgegroups
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEdgeGroupInspectHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1, 2, 3}),
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups/1",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	assert.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}
+
+func TestDynamicEdgeGroupInspectHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	err = store.Tag().Create(&portainer.Tag{
+		ID:   1,
+		Name: "Test Tag",
+		Endpoints: map[portainer.EndpointID]bool{
+			1: true,
+			2: true,
+			3: true,
+		},
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:          portainer.EndpointID(i + 1),
+			Name:        "Test Endpoint " + strconv.Itoa(i+1),
+			Type:        portainer.EdgeAgentOnDockerEnvironment,
+			GroupID:     1,
+			TagIDs:      []portainer.TagID{1},
+			UserTrusted: true,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:      1,
+		Name:    "Test Edge Group",
+		Dynamic: true,
+		TagIDs:  []portainer.TagID{1},
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups/1",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}
diff --git a/api/http/handler/edgegroups/edgegroup_list.go b/api/http/handler/edgegroups/edgegroup_list.go
index bc67176fd..87de867eb 100644
--- a/api/http/handler/edgegroups/edgegroup_list.go
+++ b/api/http/handler/edgegroups/edgegroup_list.go
@@ -7,11 +7,17 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/roar"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 )
 
-type decoratedEdgeGroup struct {
+type shadowedEdgeGroup struct {
 	portainer.EdgeGroup
+	EndpointIds int `json:"EndpointIds,omitempty"` // Shadow to avoid exposing in the API
+}
+
+type decoratedEdgeGroup struct {
+	shadowedEdgeGroup
 	HasEdgeStack     bool `json:"HasEdgeStack"`
 	HasEdgeJob       bool `json:"HasEdgeJob"`
 	EndpointTypes    []portainer.EndpointType
@@ -76,8 +82,8 @@ func getEdgeGroupList(tx dataservices.DataStoreTx) ([]decoratedEdgeGroup, error)
 		}
 
 		edgeGroup := decoratedEdgeGroup{
-			EdgeGroup:     orgEdgeGroup,
-			EndpointTypes: []portainer.EndpointType{},
+			shadowedEdgeGroup: shadowedEdgeGroup{EdgeGroup: orgEdgeGroup},
+			EndpointTypes:     []portainer.EndpointType{},
 		}
 		if edgeGroup.Dynamic {
 			endpointIDs, err := GetEndpointsByTags(tx, edgeGroup.TagIDs, edgeGroup.PartialMatch)
@@ -88,15 +94,16 @@ func getEdgeGroupList(tx dataservices.DataStoreTx) ([]decoratedEdgeGroup, error)
 			edgeGroup.Endpoints = endpointIDs
 			edgeGroup.TrustedEndpoints = endpointIDs
 		} else {
-			trustedEndpoints, err := getTrustedEndpoints(tx, edgeGroup.Endpoints)
+			trustedEndpoints, err := getTrustedEndpoints(tx, edgeGroup.EndpointIDs)
 			if err != nil {
 				return nil, httperror.InternalServerError("Unable to retrieve environments for Edge group", err)
 			}
 
+			edgeGroup.Endpoints = edgeGroup.EndpointIDs.ToSlice()
 			edgeGroup.TrustedEndpoints = trustedEndpoints
 		}
 
-		endpointTypes, err := getEndpointTypes(tx, edgeGroup.Endpoints)
+		endpointTypes, err := getEndpointTypes(tx, edgeGroup.EndpointIDs)
 		if err != nil {
 			return nil, httperror.InternalServerError("Unable to retrieve environment types for Edge group", err)
 		}
@@ -111,15 +118,26 @@ func getEdgeGroupList(tx dataservices.DataStoreTx) ([]decoratedEdgeGroup, error)
 	return decoratedEdgeGroups, nil
 }
 
-func getEndpointTypes(tx dataservices.DataStoreTx, endpointIds []portainer.EndpointID) ([]portainer.EndpointType, error) {
+func getEndpointTypes(tx dataservices.DataStoreTx, endpointIds roar.Roar[portainer.EndpointID]) ([]portainer.EndpointType, error) {
+	var innerErr error
+
 	typeSet := map[portainer.EndpointType]bool{}
-	for _, endpointID := range endpointIds {
+
+	endpointIds.Iterate(func(endpointID portainer.EndpointID) bool {
 		endpoint, err := tx.Endpoint().Endpoint(endpointID)
 		if err != nil {
-			return nil, fmt.Errorf("failed fetching environment: %w", err)
+			innerErr = fmt.Errorf("failed fetching environment: %w", err)
+
+			return false
 		}
 
 		typeSet[endpoint.Type] = true
+
+		return true
+	})
+
+	if innerErr != nil {
+		return nil, innerErr
 	}
 
 	endpointTypes := make([]portainer.EndpointType, 0, len(typeSet))
diff --git a/api/http/handler/edgegroups/edgegroup_list_test.go b/api/http/handler/edgegroups/edgegroup_list_test.go
index b77b2966e..bf084c377 100644
--- a/api/http/handler/edgegroups/edgegroup_list_test.go
+++ b/api/http/handler/edgegroups/edgegroup_list_test.go
@@ -1,11 +1,19 @@
 package edgegroups
 
 import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func Test_getEndpointTypes(t *testing.T) {
@@ -38,7 +46,7 @@ func Test_getEndpointTypes(t *testing.T) {
 	}
 
 	for _, test := range tests {
-		ans, err := getEndpointTypes(datastore, test.endpointIds)
+		ans, err := getEndpointTypes(datastore, roar.FromSlice(test.endpointIds))
 		assert.NoError(t, err, "getEndpointTypes shouldn't fail")
 
 		assert.ElementsMatch(t, test.expected, ans, "getEndpointTypes expected to return %b for %v, but returned %b", test.expected, test.endpointIds, ans)
@@ -48,6 +56,61 @@ func Test_getEndpointTypes(t *testing.T) {
 func Test_getEndpointTypes_failWhenEndpointDontExist(t *testing.T) {
 	datastore := testhelpers.NewDatastore(testhelpers.WithEndpoints([]portainer.Endpoint{}))
 
-	_, err := getEndpointTypes(datastore, []portainer.EndpointID{1})
+	_, err := getEndpointTypes(datastore, roar.FromSlice([]portainer.EndpointID{1}))
 	assert.Error(t, err, "getEndpointTypes should fail")
 }
+
+func TestEdgeGroupListHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1, 2, 3}),
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroups []decoratedEdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroups)
+	require.NoError(t, err)
+
+	require.Len(t, responseGroups, 1)
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroups[0].Endpoints)
+	require.Len(t, responseGroups[0].TrustedEndpoints, 0)
+}
diff --git a/api/http/handler/edgegroups/edgegroup_update.go b/api/http/handler/edgegroups/edgegroup_update.go
index a51ae33d4..270bd10df 100644
--- a/api/http/handler/edgegroups/edgegroup_update.go
+++ b/api/http/handler/edgegroups/edgegroup_update.go
@@ -158,7 +158,7 @@ func (handler *Handler) edgeGroupUpdate(w http.ResponseWriter, r *http.Request)
 		return nil
 	})
 
-	return txResponse(w, edgeGroup, err)
+	return txResponse(w, shadowedEdgeGroup{EdgeGroup: *edgeGroup}, err)
 }
 
 func (handler *Handler) updateEndpointStacks(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint, edgeGroups []portainer.EdgeGroup, edgeStacks []portainer.EdgeStack) error {
diff --git a/api/http/handler/edgegroups/edgegroup_update_test.go b/api/http/handler/edgegroups/edgegroup_update_test.go
new file mode 100644
index 000000000..dbecbdfcf
--- /dev/null
+++ b/api/http/handler/edgegroups/edgegroup_update_test.go
@@ -0,0 +1,70 @@
+package edgegroups
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEdgeGroupUpdateHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	for i := range 3 {
+		err = store.Endpoint().Create(&portainer.Endpoint{
+			ID:      portainer.EndpointID(i + 1),
+			Name:    "Test Endpoint " + strconv.Itoa(i+1),
+			Type:    portainer.EdgeAgentOnDockerEnvironment,
+			GroupID: 1,
+		})
+		require.NoError(t, err)
+
+		err = store.EndpointRelation().Create(&portainer.EndpointRelation{
+			EndpointID: portainer.EndpointID(i + 1),
+			EdgeStacks: map[portainer.EdgeStackID]bool{},
+		})
+		require.NoError(t, err)
+	}
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodPut,
+		"/edge_groups/1",
+		strings.NewReader(`{"Endpoints": [1, 2, 3]}`),
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	require.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
+}
diff --git a/api/http/handler/edgestacks/edgestack_create_test.go b/api/http/handler/edgestacks/edgestack_create_test.go
index 486cc09d0..70252c25d 100644
--- a/api/http/handler/edgestacks/edgestack_create_test.go
+++ b/api/http/handler/edgestacks/edgestack_create_test.go
@@ -8,9 +8,10 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/stretchr/testify/require"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
 )
 
 // Create
@@ -24,7 +25,7 @@ func TestCreateAndInspect(t *testing.T) {
 		Name:         "EdgeGroup 1",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{endpoint.ID},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{endpoint.ID}),
 		PartialMatch: false,
 	}
 
diff --git a/api/http/handler/edgestacks/edgestack_test.go b/api/http/handler/edgestacks/edgestack_test.go
index 91600117b..38fd4be55 100644
--- a/api/http/handler/edgestacks/edgestack_test.go
+++ b/api/http/handler/edgestacks/edgestack_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/portainer/portainer/api/internal/edge/edgestacks"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/pkg/errors"
 	"github.com/stretchr/testify/require"
@@ -103,7 +104,7 @@ func createEdgeStack(t *testing.T, store dataservices.DataStore, endpointID port
 		Name:         "EdgeGroup 1",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{endpointID},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{endpointID}),
 		PartialMatch: false,
 	}
 
diff --git a/api/http/handler/edgestacks/edgestack_update_test.go b/api/http/handler/edgestacks/edgestack_update_test.go
index 68baa4129..8040af329 100644
--- a/api/http/handler/edgestacks/edgestack_update_test.go
+++ b/api/http/handler/edgestacks/edgestack_update_test.go
@@ -9,9 +9,10 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/stretchr/testify/require"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/segmentio/encoding/json"
+	"github.com/stretchr/testify/require"
 )
 
 // Update
@@ -43,7 +44,7 @@ func TestUpdateAndInspect(t *testing.T) {
 		Name:         "EdgeGroup 2",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{newEndpoint.ID},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{newEndpoint.ID}),
 		PartialMatch: false,
 	}
 
@@ -112,7 +113,7 @@ func TestUpdateWithInvalidEdgeGroups(t *testing.T) {
 		Name:         "EdgeGroup 2",
 		Dynamic:      false,
 		TagIDs:       nil,
-		Endpoints:    []portainer.EndpointID{8889},
+		EndpointIDs:  roar.FromSlice([]portainer.EndpointID{8889}),
 		PartialMatch: false,
 	}
 
diff --git a/api/http/handler/endpointedge/endpointedge_status_inspect_test.go b/api/http/handler/endpointedge/endpointedge_status_inspect_test.go
index ca9b12723..526fc58de 100644
--- a/api/http/handler/endpointedge/endpointedge_status_inspect_test.go
+++ b/api/http/handler/endpointedge/endpointedge_status_inspect_test.go
@@ -16,6 +16,7 @@ import (
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
@@ -366,8 +367,8 @@ func TestEdgeJobsResponse(t *testing.T) {
 	unrelatedEndpoint := localCreateEndpoint(80, nil)
 
 	staticEdgeGroup := portainer.EdgeGroup{
-		ID:        1,
-		Endpoints: []portainer.EndpointID{endpointFromStaticEdgeGroup.ID},
+		ID:          1,
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{endpointFromStaticEdgeGroup.ID}),
 	}
 	err := handler.DataStore.EdgeGroup().Create(&staticEdgeGroup)
 	require.NoError(t, err)
diff --git a/api/http/handler/endpoints/endpoint_delete.go b/api/http/handler/endpoints/endpoint_delete.go
index f26b9dd13..a9b4ae5dc 100644
--- a/api/http/handler/endpoints/endpoint_delete.go
+++ b/api/http/handler/endpoints/endpoint_delete.go
@@ -3,7 +3,6 @@ package endpoints
 import (
 	"errors"
 	"net/http"
-	"slices"
 	"strconv"
 
 	portainer "github.com/portainer/portainer/api"
@@ -200,9 +199,7 @@ func (handler *Handler) deleteEndpoint(tx dataservices.DataStoreTx, endpointID p
 	}
 
 	for _, edgeGroup := range edgeGroups {
-		edgeGroup.Endpoints = slices.DeleteFunc(edgeGroup.Endpoints, func(e portainer.EndpointID) bool {
-			return e == endpoint.ID
-		})
+		edgeGroup.EndpointIDs.Remove(endpoint.ID)
 
 		if err := tx.EdgeGroup().Update(edgeGroup.ID, &edgeGroup); err != nil {
 			log.Warn().Err(err).Msg("Unable to update edge group")
diff --git a/api/http/handler/endpoints/endpoint_delete_test.go b/api/http/handler/endpoints/endpoint_delete_test.go
index 309b45ffe..559c1b680 100644
--- a/api/http/handler/endpoints/endpoint_delete_test.go
+++ b/api/http/handler/endpoints/endpoint_delete_test.go
@@ -11,6 +11,7 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/proxy"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
 )
 
 func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
@@ -42,9 +43,9 @@ func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
 	}
 
 	if err := store.EdgeGroup().Create(&portainer.EdgeGroup{
-		ID:        1,
-		Name:      "edgegroup-1",
-		Endpoints: endpointIDs,
+		ID:          1,
+		Name:        "edgegroup-1",
+		EndpointIDs: roar.FromSlice(endpointIDs),
 	}); err != nil {
 		t.Fatal("could not create edge group:", err)
 	}
@@ -78,7 +79,7 @@ func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
 		t.Fatal("could not retrieve the edge group:", err)
 	}
 
-	if len(edgeGroup.Endpoints) > 0 {
+	if edgeGroup.EndpointIDs.Len() > 0 {
 		t.Fatal("the edge group is not consistent")
 	}
 }
diff --git a/api/http/handler/endpoints/filter.go b/api/http/handler/endpoints/filter.go
index 7cf7b9760..961cad147 100644
--- a/api/http/handler/endpoints/filter.go
+++ b/api/http/handler/endpoints/filter.go
@@ -14,7 +14,7 @@ import (
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/edge"
 	"github.com/portainer/portainer/api/internal/endpointutils"
-	"github.com/portainer/portainer/api/slicesx"
+	"github.com/portainer/portainer/api/roar"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 
 	"github.com/pkg/errors"
@@ -146,7 +146,9 @@ func (handler *Handler) filterEndpointsByQuery(
 	totalAvailableEndpoints := len(filteredEndpoints)
 
 	if len(query.endpointIds) > 0 {
-		filteredEndpoints = filteredEndpointsByIds(filteredEndpoints, query.endpointIds)
+		endpointIDs := roar.FromSlice(query.endpointIds)
+
+		filteredEndpoints = filteredEndpointsByIds(filteredEndpoints, endpointIDs)
 	}
 
 	if len(query.excludeIds) > 0 {
@@ -275,7 +277,7 @@ func filterEndpointsByEdgeStack(endpoints []portainer.Endpoint, edgeStackId port
 		return nil, errors.WithMessage(err, "Unable to retrieve edge stack from the database")
 	}
 
-	envIds := make([]portainer.EndpointID, 0)
+	envIds := roar.Roar[portainer.EndpointID]{}
 	for _, edgeGroupdId := range stack.EdgeGroups {
 		edgeGroup, err := datastore.EdgeGroup().Read(edgeGroupdId)
 		if err != nil {
@@ -287,32 +289,37 @@ func filterEndpointsByEdgeStack(endpoints []portainer.Endpoint, edgeStackId port
 			if err != nil {
 				return nil, errors.WithMessage(err, "Unable to retrieve environments and environment groups for Edge group")
 			}
-			edgeGroup.Endpoints = endpointIDs
+			edgeGroup.EndpointIDs = roar.FromSlice(endpointIDs)
 		}
 
-		envIds = append(envIds, edgeGroup.Endpoints...)
+		envIds.Union(edgeGroup.EndpointIDs)
 	}
 
 	if statusFilter != nil {
-		n := 0
-		for _, envId := range envIds {
+		var innerErr error
+
+		envIds.Iterate(func(envId portainer.EndpointID) bool {
 			edgeStackStatus, err := datastore.EdgeStackStatus().Read(edgeStackId, envId)
 			if dataservices.IsErrObjectNotFound(err) {
-				continue
+				return true
 			} else if err != nil {
-				return nil, errors.WithMessagef(err, "Unable to retrieve edge stack status for environment %d", envId)
+				innerErr = errors.WithMessagef(err, "Unable to retrieve edge stack status for environment %d", envId)
+				return false
 			}
 
-			if endpointStatusInStackMatchesFilter(edgeStackStatus, envId, *statusFilter) {
-				envIds[n] = envId
-				n++
+			if !endpointStatusInStackMatchesFilter(edgeStackStatus, portainer.EndpointID(envId), *statusFilter) {
+				envIds.Remove(envId)
 			}
+
+			return true
+		})
+
+		if innerErr != nil {
+			return nil, innerErr
 		}
-		envIds = envIds[:n]
 	}
 
-	uniqueIds := slicesx.Unique(envIds)
-	filteredEndpoints := filteredEndpointsByIds(endpoints, uniqueIds)
+	filteredEndpoints := filteredEndpointsByIds(endpoints, envIds)
 
 	return filteredEndpoints, nil
 }
@@ -344,16 +351,14 @@ func filterEndpointsByEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGroups []
 	}
 	edgeGroups = edgeGroups[:n]
 
-	endpointIDSet := make(map[portainer.EndpointID]struct{})
+	endpointIDSet := roar.Roar[portainer.EndpointID]{}
 	for _, edgeGroup := range edgeGroups {
-		for _, endpointID := range edgeGroup.Endpoints {
-			endpointIDSet[endpointID] = struct{}{}
-		}
+		endpointIDSet.Union(edgeGroup.EndpointIDs)
 	}
 
 	n = 0
 	for _, endpoint := range endpoints {
-		if _, exists := endpointIDSet[endpoint.ID]; exists {
+		if endpointIDSet.Contains(endpoint.ID) {
 			endpoints[n] = endpoint
 			n++
 		}
@@ -369,12 +374,11 @@ func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGr
 	}
 
 	n := 0
-	excludeEndpointIDSet := make(map[portainer.EndpointID]struct{})
+	excludeEndpointIDSet := roar.Roar[portainer.EndpointID]{}
+
 	for _, edgeGroup := range edgeGroups {
 		if _, ok := excludeEdgeGroupIDSet[edgeGroup.ID]; ok {
-			for _, endpointID := range edgeGroup.Endpoints {
-				excludeEndpointIDSet[endpointID] = struct{}{}
-			}
+			excludeEndpointIDSet.Union(edgeGroup.EndpointIDs)
 		} else {
 			edgeGroups[n] = edgeGroup
 			n++
@@ -384,7 +388,7 @@ func filterEndpointsByExcludeEdgeGroupIDs(endpoints []portainer.Endpoint, edgeGr
 
 	n = 0
 	for _, endpoint := range endpoints {
-		if _, ok := excludeEndpointIDSet[endpoint.ID]; !ok {
+		if !excludeEndpointIDSet.Contains(endpoint.ID) {
 			endpoints[n] = endpoint
 			n++
 		}
@@ -609,15 +613,10 @@ func endpointFullMatchTags(endpoint portainer.Endpoint, endpointGroup portainer.
 	return len(missingTags) == 0
 }
 
-func filteredEndpointsByIds(endpoints []portainer.Endpoint, ids []portainer.EndpointID) []portainer.Endpoint {
-	idsSet := make(map[portainer.EndpointID]bool, len(ids))
-	for _, id := range ids {
-		idsSet[id] = true
-	}
-
+func filteredEndpointsByIds(endpoints []portainer.Endpoint, ids roar.Roar[portainer.EndpointID]) []portainer.Endpoint {
 	n := 0
 	for _, endpoint := range endpoints {
-		if idsSet[endpoint.ID] {
+		if ids.Contains(endpoint.ID) {
 			endpoints[n] = endpoint
 			n++
 		}
diff --git a/api/http/handler/endpoints/filter_test.go b/api/http/handler/endpoints/filter_test.go
index 8abc76fb7..642448b86 100644
--- a/api/http/handler/endpoints/filter_test.go
+++ b/api/http/handler/endpoints/filter_test.go
@@ -8,9 +8,11 @@ import (
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
 	"github.com/portainer/portainer/api/slicesx"
 
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 type filterTest struct {
@@ -175,7 +177,7 @@ func BenchmarkFilterEndpointsBySearchCriteria_PartialMatch(b *testing.B) {
 		edgeGroups = append(edgeGroups, portainer.EdgeGroup{
 			ID:           portainer.EdgeGroupID(i + 1),
 			Name:         "edge-group-" + strconv.Itoa(i+1),
-			Endpoints:    append([]portainer.EndpointID{}, endpointIDs...),
+			EndpointIDs:  roar.FromSlice(endpointIDs),
 			Dynamic:      true,
 			TagIDs:       []portainer.TagID{1, 2, 3},
 			PartialMatch: true,
@@ -222,11 +224,11 @@ func BenchmarkFilterEndpointsBySearchCriteria_FullMatch(b *testing.B) {
 	edgeGroups := []portainer.EdgeGroup{}
 	for i := range 1000 {
 		edgeGroups = append(edgeGroups, portainer.EdgeGroup{
-			ID:        portainer.EdgeGroupID(i + 1),
-			Name:      "edge-group-" + strconv.Itoa(i+1),
-			Endpoints: append([]portainer.EndpointID{}, endpointIDs...),
-			Dynamic:   true,
-			TagIDs:    []portainer.TagID{1},
+			ID:          portainer.EdgeGroupID(i + 1),
+			Name:        "edge-group-" + strconv.Itoa(i+1),
+			EndpointIDs: roar.FromSlice(endpointIDs),
+			Dynamic:     true,
+			TagIDs:      []portainer.TagID{1},
 		})
 	}
 
@@ -300,3 +302,127 @@ func setupFilterTest(t *testing.T, endpoints []portainer.Endpoint) *Handler {
 
 	return handler
 }
+
+func TestFilterEndpointsByEdgeStack(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	endpoints := []portainer.Endpoint{
+		{ID: 1, Name: "Endpoint 1"},
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	}
+
+	edgeStackId := portainer.EdgeStackID(1)
+
+	err := store.EdgeStack().Create(edgeStackId, &portainer.EdgeStack{
+		ID:         edgeStackId,
+		Name:       "Test Edge Stack",
+		EdgeGroups: []portainer.EdgeGroupID{1, 2},
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Edge Group 1",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          2,
+		Name:        "Edge Group 2",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{2, 3}),
+	})
+	require.NoError(t, err)
+
+	es, err := filterEndpointsByEdgeStack(endpoints, edgeStackId, nil, store)
+	require.NoError(t, err)
+	require.Len(t, es, 3)
+	require.Contains(t, es, endpoints[0])    // Endpoint 1
+	require.Contains(t, es, endpoints[1])    // Endpoint 2
+	require.Contains(t, es, endpoints[2])    // Endpoint 3
+	require.NotContains(t, es, endpoints[3]) // Endpoint 4
+}
+
+func TestFilterEndpointsByEdgeGroup(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	endpoints := []portainer.Endpoint{
+		{ID: 1, Name: "Endpoint 1"},
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	}
+
+	err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Edge Group 1",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          2,
+		Name:        "Edge Group 2",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{2, 3}),
+	})
+	require.NoError(t, err)
+
+	edgeGroups, err := store.EdgeGroup().ReadAll()
+	require.NoError(t, err)
+
+	es, egs := filterEndpointsByEdgeGroupIDs(endpoints, edgeGroups, []portainer.EdgeGroupID{1, 2})
+	require.NoError(t, err)
+
+	require.Len(t, es, 3)
+	require.Contains(t, es, endpoints[0])    // Endpoint 1
+	require.Contains(t, es, endpoints[1])    // Endpoint 2
+	require.Contains(t, es, endpoints[2])    // Endpoint 3
+	require.NotContains(t, es, endpoints[3]) // Endpoint 4
+
+	require.Len(t, egs, 2)
+	require.Equal(t, egs[0].ID, portainer.EdgeGroupID(1))
+	require.Equal(t, egs[1].ID, portainer.EdgeGroupID(2))
+}
+
+func TestFilterEndpointsByExcludeEdgeGroupIDs(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, false, false)
+
+	endpoints := []portainer.Endpoint{
+		{ID: 1, Name: "Endpoint 1"},
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	}
+
+	err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Edge Group 1",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{1}),
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          2,
+		Name:        "Edge Group 2",
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{2, 3}),
+	})
+	require.NoError(t, err)
+
+	edgeGroups, err := store.EdgeGroup().ReadAll()
+	require.NoError(t, err)
+
+	es, egs := filterEndpointsByExcludeEdgeGroupIDs(endpoints, edgeGroups, []portainer.EdgeGroupID{1})
+	require.NoError(t, err)
+
+	require.Len(t, es, 3)
+	require.Equal(t, es, []portainer.Endpoint{
+		{ID: 2, Name: "Endpoint 2"},
+		{ID: 3, Name: "Endpoint 3"},
+		{ID: 4, Name: "Endpoint 4"},
+	})
+
+	require.Len(t, egs, 1)
+	require.Equal(t, egs[0].ID, portainer.EdgeGroupID(2))
+}
diff --git a/api/http/handler/endpoints/utils_update_edge_groups.go b/api/http/handler/endpoints/utils_update_edge_groups.go
index bd9c413d7..6207acbc5 100644
--- a/api/http/handler/endpoints/utils_update_edge_groups.go
+++ b/api/http/handler/endpoints/utils_update_edge_groups.go
@@ -1,12 +1,11 @@
 package endpoints
 
 import (
-	"slices"
-
-	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/set"
+
+	"github.com/pkg/errors"
 )
 
 func updateEnvironmentEdgeGroups(tx dataservices.DataStoreTx, newEdgeGroups []portainer.EdgeGroupID, environmentID portainer.EndpointID) (bool, error) {
@@ -19,10 +18,8 @@ func updateEnvironmentEdgeGroups(tx dataservices.DataStoreTx, newEdgeGroups []po
 
 	environmentEdgeGroupsSet := set.Set[portainer.EdgeGroupID]{}
 	for _, edgeGroup := range edgeGroups {
-		for _, eID := range edgeGroup.Endpoints {
-			if eID == environmentID {
-				environmentEdgeGroupsSet[edgeGroup.ID] = true
-			}
+		if edgeGroup.EndpointIDs.Contains(environmentID) {
+			environmentEdgeGroupsSet[edgeGroup.ID] = true
 		}
 	}
 
@@ -52,20 +49,16 @@ func updateEnvironmentEdgeGroups(tx dataservices.DataStoreTx, newEdgeGroups []po
 	}
 
 	removeEdgeGroups := environmentEdgeGroupsSet.Difference(newEdgeGroupsSet)
-	err = updateSet(removeEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
-		edgeGroup.Endpoints = slices.DeleteFunc(edgeGroup.Endpoints, func(eID portainer.EndpointID) bool {
-			return eID == environmentID
-		})
-	})
-	if err != nil {
+	if err := updateSet(removeEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
+		edgeGroup.EndpointIDs.Remove(environmentID)
+	}); err != nil {
 		return false, err
 	}
 
 	addToEdgeGroups := newEdgeGroupsSet.Difference(environmentEdgeGroupsSet)
-	err = updateSet(addToEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
-		edgeGroup.Endpoints = append(edgeGroup.Endpoints, environmentID)
-	})
-	if err != nil {
+	if err := updateSet(addToEdgeGroups, func(edgeGroup *portainer.EdgeGroup) {
+		edgeGroup.EndpointIDs.Add(environmentID)
+	}); err != nil {
 		return false, err
 	}
 
diff --git a/api/http/handler/endpoints/utils_update_edge_groups_test.go b/api/http/handler/endpoints/utils_update_edge_groups_test.go
index e89d501fb..a57651fae 100644
--- a/api/http/handler/endpoints/utils_update_edge_groups_test.go
+++ b/api/http/handler/endpoints/utils_update_edge_groups_test.go
@@ -6,6 +6,7 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/datastore"
+
 	"github.com/stretchr/testify/assert"
 )
 
@@ -14,10 +15,9 @@ func Test_updateEdgeGroups(t *testing.T) {
 		groups := make([]portainer.EdgeGroup, len(names))
 		for index, name := range names {
 			group := &portainer.EdgeGroup{
-				Name:      name,
-				Dynamic:   false,
-				TagIDs:    make([]portainer.TagID, 0),
-				Endpoints: make([]portainer.EndpointID, 0),
+				Name:    name,
+				Dynamic: false,
+				TagIDs:  make([]portainer.TagID, 0),
 			}
 
 			if err := store.EdgeGroup().Create(group); err != nil {
@@ -35,13 +35,8 @@ func Test_updateEdgeGroups(t *testing.T) {
 			group, err := store.EdgeGroup().Read(groupID)
 			is.NoError(err)
 
-			for _, endpoint := range group.Endpoints {
-				if endpoint == endpointID {
-					return
-				}
-			}
-
-			is.Fail("expected endpoint to be in group")
+			is.True(group.EndpointIDs.Contains(endpointID),
+				"expected endpoint to be in group")
 		}
 	}
 
@@ -81,7 +76,7 @@ func Test_updateEdgeGroups(t *testing.T) {
 
 		endpointGroups := groupsByName(groups, testCase.endpointGroupNames)
 		for _, group := range endpointGroups {
-			group.Endpoints = append(group.Endpoints, testCase.endpoint.ID)
+			group.EndpointIDs.Add(testCase.endpoint.ID)
 
 			err = store.EdgeGroup().Update(group.ID, &group)
 			is.NoError(err)
diff --git a/api/http/handler/endpoints/utils_update_tags_test.go b/api/http/handler/endpoints/utils_update_tags_test.go
index ee42e4e10..527f963a4 100644
--- a/api/http/handler/endpoints/utils_update_tags_test.go
+++ b/api/http/handler/endpoints/utils_update_tags_test.go
@@ -10,7 +10,6 @@ import (
 )
 
 func Test_updateTags(t *testing.T) {
-
 	createTags := func(store *datastore.Store, tagNames []string) ([]portainer.Tag, error) {
 		tags := make([]portainer.Tag, len(tagNames))
 		for index, tagName := range tagNames {
diff --git a/api/http/handler/tags/tag_delete_test.go b/api/http/handler/tags/tag_delete_test.go
index ecced7c0d..c933610c5 100644
--- a/api/http/handler/tags/tag_delete_test.go
+++ b/api/http/handler/tags/tag_delete_test.go
@@ -1,7 +1,6 @@
 package tags
 
 import (
-	"github.com/portainer/portainer/api/dataservices"
 	"net/http"
 	"net/http/httptest"
 	"strconv"
@@ -9,9 +8,11 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/dataservices"
 	portainerDsErrors "github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
 
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -127,9 +128,9 @@ func TestHandler_tagDelete(t *testing.T) {
 		require.NoError(t, store.EdgeGroup().Create(dynamicEdgeGroup))
 
 		staticEdgeGroup := &portainer.EdgeGroup{
-			ID:        2,
-			Name:      "edgegroup-2",
-			Endpoints: []portainer.EndpointID{endpoint2.ID},
+			ID:          2,
+			Name:        "edgegroup-2",
+			EndpointIDs: roar.FromSlice([]portainer.EndpointID{endpoint2.ID}),
 		}
 		require.NoError(t, store.EdgeGroup().Create(staticEdgeGroup))
 
@@ -163,14 +164,14 @@ func TestHandler_tagDelete(t *testing.T) {
 		dynamicEdgeGroup, err = store.EdgeGroup().Read(dynamicEdgeGroup.ID)
 		require.NoError(t, err)
 		assert.Len(t, dynamicEdgeGroup.TagIDs, 0, "dynamic edge group should not have any tags")
-		assert.Len(t, dynamicEdgeGroup.Endpoints, 0, "dynamic edge group should not have any endpoints")
+		assert.Equal(t, 0, dynamicEdgeGroup.EndpointIDs.Len(), "dynamic edge group should not have any endpoints")
 
 		// Check that the static edge group is not updated
 		staticEdgeGroup, err = store.EdgeGroup().Read(staticEdgeGroup.ID)
 		require.NoError(t, err)
 		assert.Len(t, staticEdgeGroup.TagIDs, 0, "static edge group should not have any tags")
-		assert.Len(t, staticEdgeGroup.Endpoints, 1, "static edge group should have one endpoint")
-		assert.Equal(t, endpoint2.ID, staticEdgeGroup.Endpoints[0], "static edge group should have the endpoint-2")
+		assert.Equal(t, 1, staticEdgeGroup.EndpointIDs.Len(), "static edge group should have one endpoint")
+		assert.True(t, staticEdgeGroup.EndpointIDs.Contains(endpoint2.ID), "static edge group should have the endpoint-2")
 	})
 
 	// Test the tx.IsErrObjectNotFound logic when endpoint is not found during cleanup
@@ -185,14 +186,10 @@ func TestHandler_tagDelete(t *testing.T) {
 		}
 
 		err := store.Tag().Create(tag)
-		if err != nil {
-			t.Fatal("could not create tag:", err)
-		}
+		require.NoError(t, err)
 
 		err = deleteTag(store, 1)
-		if err != nil {
-			t.Fatal("could not delete tag:", err)
-		}
+		require.NoError(t, err)
 	})
 }
 
diff --git a/api/internal/edge/edgegroup.go b/api/internal/edge/edgegroup.go
index 64aa296a5..eae4fedce 100644
--- a/api/internal/edge/edgegroup.go
+++ b/api/internal/edge/edgegroup.go
@@ -1,8 +1,6 @@
 package edge
 
 import (
-	"slices"
-
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
@@ -12,7 +10,7 @@ import (
 // EdgeGroupRelatedEndpoints returns a list of environments(endpoints) related to this Edge group
 func EdgeGroupRelatedEndpoints(edgeGroup *portainer.EdgeGroup, endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup) []portainer.EndpointID {
 	if !edgeGroup.Dynamic {
-		return edgeGroup.Endpoints
+		return edgeGroup.EndpointIDs.ToSlice()
 	}
 
 	endpointGroupsMap := map[portainer.EndpointGroupID]*portainer.EndpointGroup{}
@@ -72,7 +70,7 @@ func GetEndpointsFromEdgeGroups(edgeGroupIDs []portainer.EdgeGroupID, datastore
 // edgeGroupRelatedToEndpoint returns true if edgeGroup is associated with environment(endpoint)
 func edgeGroupRelatedToEndpoint(edgeGroup *portainer.EdgeGroup, endpoint *portainer.Endpoint, endpointGroup *portainer.EndpointGroup) bool {
 	if !edgeGroup.Dynamic {
-		return slices.Contains(edgeGroup.Endpoints, endpoint.ID)
+		return edgeGroup.EndpointIDs.Contains(endpoint.ID)
 	}
 
 	endpointTags := tag.Set(endpoint.TagIDs)
diff --git a/api/internal/edge/edgegroup_benchmark_test.go b/api/internal/edge/edgegroup_benchmark_test.go
new file mode 100644
index 000000000..861db09fc
--- /dev/null
+++ b/api/internal/edge/edgegroup_benchmark_test.go
@@ -0,0 +1,104 @@
+package edge
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/require"
+)
+
+const n = 1_000_000
+
+func BenchmarkWriteEdgeGroupOld(b *testing.B) {
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+
+	_, store := datastore.MustNewTestStore(b, false, false)
+
+	var endpointIDs []portainer.EndpointID
+
+	for i := range n {
+		endpointIDs = append(endpointIDs, portainer.EndpointID(i+1))
+	}
+
+	for b.Loop() {
+		err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+			Name:      "Test Edge Group",
+			Endpoints: endpointIDs,
+		})
+		require.NoError(b, err)
+	}
+}
+
+func BenchmarkWriteEdgeGroupNew(b *testing.B) {
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+
+	_, store := datastore.MustNewTestStore(b, false, false)
+
+	var ts []portainer.EndpointID
+
+	for i := range n {
+		ts = append(ts, portainer.EndpointID(i+1))
+	}
+
+	endpointIDs := roar.FromSlice(ts)
+
+	for b.Loop() {
+		err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+			Name:        "Test Edge Group",
+			EndpointIDs: endpointIDs,
+		})
+		require.NoError(b, err)
+	}
+}
+
+func BenchmarkReadEdgeGroupOld(b *testing.B) {
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+
+	_, store := datastore.MustNewTestStore(b, false, false)
+
+	var endpointIDs []portainer.EndpointID
+
+	for i := range n {
+		endpointIDs = append(endpointIDs, portainer.EndpointID(i+1))
+	}
+
+	err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+		Name:      "Test Edge Group",
+		Endpoints: endpointIDs,
+	})
+	require.NoError(b, err)
+
+	for b.Loop() {
+		_, err := store.EdgeGroup().ReadAll()
+		require.NoError(b, err)
+	}
+}
+
+func BenchmarkReadEdgeGroupNew(b *testing.B) {
+	zerolog.SetGlobalLevel(zerolog.ErrorLevel)
+
+	_, store := datastore.MustNewTestStore(b, false, false)
+
+	var ts []portainer.EndpointID
+
+	for i := range n {
+		ts = append(ts, portainer.EndpointID(i+1))
+	}
+
+	endpointIDs := roar.FromSlice(ts)
+
+	err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+		Name:        "Test Edge Group",
+		EndpointIDs: endpointIDs,
+	})
+	require.NoError(b, err)
+
+	for b.Loop() {
+		_, err := store.EdgeGroup().ReadAll()
+		require.NoError(b, err)
+	}
+}
diff --git a/api/portainer.go b/api/portainer.go
index 7c72f9b01..3ccda4107 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -7,17 +7,18 @@ import (
 	"net/http"
 	"time"
 
+	gittypes "github.com/portainer/portainer/api/git/types"
+	models "github.com/portainer/portainer/api/http/models/kubernetes"
+	"github.com/portainer/portainer/api/roar"
+	"github.com/portainer/portainer/pkg/featureflags"
+	httperror "github.com/portainer/portainer/pkg/libhttp/error"
+
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/api/types/network"
 	"github.com/docker/docker/api/types/system"
 	"github.com/docker/docker/api/types/volume"
-	gittypes "github.com/portainer/portainer/api/git/types"
-	models "github.com/portainer/portainer/api/http/models/kubernetes"
-	"github.com/portainer/portainer/pkg/featureflags"
-	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/segmentio/encoding/json"
-
 	"golang.org/x/oauth2"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/version"
@@ -265,12 +266,15 @@ type (
 	// EdgeGroup represents an Edge group
 	EdgeGroup struct {
 		// EdgeGroup Identifier
-		ID           EdgeGroupID  `json:"Id" example:"1"`
-		Name         string       `json:"Name"`
-		Dynamic      bool         `json:"Dynamic"`
-		TagIDs       []TagID      `json:"TagIds"`
-		Endpoints    []EndpointID `json:"Endpoints"`
-		PartialMatch bool         `json:"PartialMatch"`
+		ID           EdgeGroupID           `json:"Id" example:"1"`
+		Name         string                `json:"Name"`
+		Dynamic      bool                  `json:"Dynamic"`
+		TagIDs       []TagID               `json:"TagIds"`
+		EndpointIDs  roar.Roar[EndpointID] `json:"EndpointIds"`
+		PartialMatch bool                  `json:"PartialMatch"`
+
+		// Deprecated: only used for API responses
+		Endpoints []EndpointID `json:"Endpoints"`
 	}
 
 	// EdgeGroupID represents an Edge group identifier
diff --git a/api/roar/roar.go b/api/roar/roar.go
new file mode 100644
index 000000000..c32843ee4
--- /dev/null
+++ b/api/roar/roar.go
@@ -0,0 +1,145 @@
+package roar
+
+import (
+	"fmt"
+
+	"github.com/RoaringBitmap/roaring/v2"
+)
+
+type Roar[T ~int] struct {
+	rb *roaring.Bitmap
+}
+
+// Iterate iterates over the bitmap, calling the given callback with each value in the bitmap.  If the callback returns
+// false, the iteration is halted.
+// The iteration results are undefined if the bitmap is modified (e.g., with Add or Remove).
+// There is no guarantee as to what order the values will be iterated.
+func (r *Roar[T]) Iterate(f func(T) bool) {
+	if r.rb == nil {
+		return
+	}
+
+	r.rb.Iterate(func(e uint32) bool {
+		return f(T(e))
+	})
+}
+
+// Len returns the number of elements contained in the bitmap
+func (r *Roar[T]) Len() int {
+	if r.rb == nil {
+		return 0
+	}
+
+	return int(r.rb.GetCardinality())
+}
+
+// Remove removes the given element from the bitmap
+func (r *Roar[T]) Remove(e T) {
+	if r.rb == nil {
+		return
+	}
+
+	r.rb.Remove(uint32(e))
+}
+
+// Add adds the given element to the bitmap
+func (r *Roar[T]) Add(e T) {
+	if r.rb == nil {
+		r.rb = roaring.New()
+	}
+
+	r.rb.AddInt(int(e))
+}
+
+// Contains returns whether the bitmap contains the given element or not
+func (r *Roar[T]) Contains(e T) bool {
+	if r.rb == nil {
+		return false
+	}
+
+	return r.rb.ContainsInt(int(e))
+}
+
+// Union combines the elements of the given bitmap with this bitmap
+func (r *Roar[T]) Union(other Roar[T]) {
+	if other.rb == nil {
+		return
+	} else if r.rb == nil {
+		r.rb = roaring.New()
+	}
+
+	r.rb.Or(other.rb)
+}
+
+// Intersection modifies this bitmap to only contain elements that are also in the other bitmap
+func (r *Roar[T]) Intersection(other Roar[T]) {
+	if other.rb == nil {
+		if r.rb != nil {
+			r.rb.Clear()
+		}
+
+		return
+	}
+
+	if r.rb == nil {
+		r.rb = roaring.New()
+	}
+
+	r.rb.And(other.rb)
+}
+
+// ToSlice converts the bitmap to a slice of elements
+func (r *Roar[T]) ToSlice() []T {
+	if r.rb == nil {
+		return nil
+	}
+
+	slice := make([]T, 0, r.rb.GetCardinality())
+	r.rb.Iterate(func(e uint32) bool {
+		slice = append(slice, T(e))
+
+		return true
+	})
+
+	return slice
+}
+
+func (r *Roar[T]) MarshalJSON() ([]byte, error) {
+	if r.rb == nil {
+		return []byte("null"), nil
+	}
+
+	r.rb.RunOptimize()
+
+	buf, err := r.rb.ToBase64()
+	if err != nil {
+		return nil, fmt.Errorf("failed to encode roaring bitmap: %w", err)
+	}
+
+	return fmt.Appendf(nil, `"%s"`, buf), nil
+}
+
+func (r *Roar[T]) UnmarshalJSON(data []byte) error {
+	if len(data) == 0 || string(data) == "null" {
+		return nil
+	}
+
+	r.rb = roaring.New()
+
+	_, err := r.rb.FromBase64(string(data[1 : len(data)-1]))
+
+	return err
+}
+
+// FromSlice creates a Roar by adding all elements from the provided slices
+func FromSlice[T ~int](ess ...[]T) Roar[T] {
+	var r Roar[T]
+
+	for _, es := range ess {
+		for _, e := range es {
+			r.Add(e)
+		}
+	}
+
+	return r
+}
diff --git a/api/roar/roar_test.go b/api/roar/roar_test.go
new file mode 100644
index 000000000..ed5103ad5
--- /dev/null
+++ b/api/roar/roar_test.go
@@ -0,0 +1,123 @@
+package roar
+
+import (
+	"slices"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestRoar(t *testing.T) {
+	r := Roar[int]{}
+	require.Equal(t, 0, r.Len())
+
+	r.Add(1)
+	require.Equal(t, 1, r.Len())
+	require.True(t, r.Contains(1))
+	require.False(t, r.Contains(2))
+
+	r.Add(2)
+	require.Equal(t, 2, r.Len())
+	require.True(t, r.Contains(2))
+
+	r.Remove(1)
+	require.Equal(t, 1, r.Len())
+	require.False(t, r.Contains(1))
+
+	s := FromSlice([]int{3, 4, 5})
+	require.Equal(t, 3, s.Len())
+	require.True(t, s.Contains(3))
+	require.True(t, s.Contains(4))
+	require.True(t, s.Contains(5))
+
+	r.Union(s)
+	require.Equal(t, 4, r.Len())
+	require.True(t, r.Contains(2))
+	require.True(t, r.Contains(3))
+	require.True(t, r.Contains(4))
+	require.True(t, r.Contains(5))
+
+	r.Iterate(func(id int) bool {
+		require.True(t, slices.Contains([]int{2, 3, 4, 5}, id))
+
+		return true
+	})
+
+	rSlice := r.ToSlice()
+	require.EqualValues(t, []int{2, 3, 4, 5}, rSlice)
+
+	r.Intersection(FromSlice([]int{4}))
+	require.Equal(t, 1, r.Len())
+	require.True(t, r.Contains(4))
+	require.False(t, r.Contains(2))
+	require.False(t, r.Contains(3))
+	require.False(t, r.Contains(5))
+
+	b, err := r.MarshalJSON()
+	require.NoError(t, err)
+	require.NotEqual(t, "null", string(b))
+	require.True(t, strings.HasPrefix(string(b), `"`))
+	require.True(t, strings.HasSuffix(string(b), `"`))
+}
+
+func TestNilSafety(t *testing.T) {
+	var r, s, u Roar[int]
+
+	r.Iterate(func(id int) bool {
+		require.Fail(t, "should not iterate over nil Roar")
+
+		return true
+	})
+
+	b, err := r.MarshalJSON()
+	require.NoError(t, err)
+	require.Equal(t, "null", string(b))
+
+	err = r.UnmarshalJSON([]byte("null"))
+	require.NoError(t, err)
+	require.Equal(t, 0, r.Len())
+
+	r.Contains(1)
+	r.Remove(1)
+
+	require.Equal(t, 0, r.Len())
+	require.Empty(t, r.ToSlice())
+
+	r.Add(1)
+	require.Equal(t, 1, r.Len())
+	require.False(t, r.Contains(2))
+
+	s.Union(r)
+	require.Equal(t, 1, s.Len())
+	require.True(t, s.Contains(1))
+
+	r.Union(u)
+	require.Equal(t, 1, r.Len())
+	require.True(t, r.Contains(1))
+
+	s.Intersection(u)
+	require.Equal(t, 0, s.Len())
+
+	u.Intersection(r)
+	require.Equal(t, 0, u.Len())
+}
+
+func TestJSON(t *testing.T) {
+	var r, u Roar[int]
+
+	r.Add(1)
+	r.Add(2)
+	r.Add(3)
+
+	b, err := r.MarshalJSON()
+	require.NoError(t, err)
+	require.NotEqual(t, "null", string(b))
+
+	err = u.UnmarshalJSON(b)
+	require.NoError(t, err)
+	require.Equal(t, 3, u.Len())
+	require.True(t, u.Contains(1))
+	require.True(t, u.Contains(2))
+	require.True(t, u.Contains(3))
+}
diff --git a/go.mod b/go.mod
index a7e925466..2ef7032f2 100644
--- a/go.mod
+++ b/go.mod
@@ -5,6 +5,7 @@ go 1.24.4
 require (
 	github.com/Masterminds/semver v1.5.0
 	github.com/Microsoft/go-winio v0.6.2
+	github.com/RoaringBitmap/roaring/v2 v2.5.0
 	github.com/VictoriaMetrics/fastcache v1.12.0
 	github.com/aws/aws-sdk-go-v2 v1.30.3
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.27
@@ -102,6 +103,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bits-and-blooms/bitset v1.12.0 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
 	github.com/buger/goterm v1.0.4 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
@@ -225,6 +227,7 @@ require (
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
+	github.com/mschoch/smat v0.2.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 	github.com/opencontainers/runtime-spec v1.2.1 // indirect
diff --git a/go.sum b/go.sum
index ad8e48908..e2eb682a8 100644
--- a/go.sum
+++ b/go.sum
@@ -38,6 +38,8 @@ github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63n
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
 github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
 github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
+github.com/RoaringBitmap/roaring/v2 v2.5.0 h1:TJ45qCM7D7fIEBwKd9zhoR0/S1egfnSSIzLU1e1eYLY=
+github.com/RoaringBitmap/roaring/v2 v2.5.0/go.mod h1:FiJcsfkGje/nZBZgCu0ZxCPOKD/hVXDS2dXi7/eUFE0=
 github.com/Shopify/logrus-bugsnag v0.0.0-20170309145241-6dbc35f2c30d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs=
 github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ=
@@ -100,6 +102,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bitly/go-hostpool v0.1.0/go.mod h1:4gOCgp6+NZnVqlKyZ/iBZFTAJKembaVENUpMkpg42fw=
 github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngEKAMDJEczWVA=
+github.com/bits-and-blooms/bitset v1.12.0 h1:U/q1fAF7xXRhFCrhROzIfffYnu+dlS38vCZtmFVPHmA=
+github.com/bits-and-blooms/bitset v1.12.0/go.mod h1:7hO7Gc7Pp1vODcmWvKMRA9BNmbv6a/7QIWpPxHddWR8=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
@@ -548,6 +552,8 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
+github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
@@ -945,6 +951,7 @@ gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=

From a4cff13531f374c6990451bc4c5a9784a850ecfc Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 21 Jul 2025 21:32:50 -0300
Subject: [PATCH 193/212] fix(bouncer): add missing domain to CSP header
 BE-12067 (#916)

---
 api/http/security/bouncer.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/http/security/bouncer.go b/api/http/security/bouncer.go
index fa7360f4c..55b7faecc 100644
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -534,7 +534,7 @@ func MWSecureHeaders(next http.Handler, hsts, csp bool) http.Handler {
 		}
 
 		if csp {
-			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud; frame-ancestors 'none';")
+			w.Header().Set("Content-Security-Policy", "script-src 'self' cdn.matomo.cloud js.hsforms.net; frame-ancestors 'none';")
 		}
 
 		w.Header().Set("X-Content-Type-Options", "nosniff")

From 60bc04bc3398450c106a2d1e2e9202fc1c2b10cf Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Wed, 23 Jul 2025 10:52:58 +1200
Subject: [PATCH 194/212] feat(helm): show manifest previews/changes when
 installing and upgrading a helm chart [r8s-405] (#898)

---
 api/http/handler/helm/helm_install.go         |  26 ++-
 .../components/CodeEditor/CodeEditor.test.tsx |   2 +-
 .../CodeEditor/useCodeEditorExtensions.ts     |   2 +-
 .../FormSection/FormSection.tsx               |   7 +-
 .../queries/useDeleteApplicationsMutation.ts  |   2 +-
 .../ChartActions/RollbackButton.tsx           |   2 +-
 .../ChartActions/UninstallButton.tsx          |   2 +-
 .../ChartActions/UpgradeButton.test.tsx       |  74 +++++--
 .../ChartActions/UpgradeButton.tsx            |  19 +-
 .../ChartActions/UpgradeHelmModal.tsx         |  85 +++++---
 .../HelmApplicationView.tsx                   |   4 +-
 .../ReleaseDetails/ReleaseTabs.tsx            |   2 +-
 .../ResourcesTable/ResourcesTable.test.tsx    |   5 +-
 .../ResourcesTable/ResourcesTable.tsx         |   3 +-
 .../ResourcesTable/useResourceRows.ts         |   4 +-
 .../ReleaseDetails/useHelmReleaseToCompare.ts |   2 +-
 .../HelmTemplates/HelmInstallForm.test.tsx    |   5 +-
 .../helm/HelmTemplates/HelmInstallForm.tsx    |   4 +-
 .../HelmTemplates/HelmInstallInnerForm.tsx    |  40 +++-
 .../helm/HelmTemplates/HelmTemplates.tsx      |   4 +-
 .../ManifestPreviewFormSection.test.tsx       | 197 ++++++++++++++++++
 .../components/ManifestPreviewFormSection.tsx | 109 ++++++++++
 .../helm/helmChartSourceQueries/query-keys.ts |  29 +++
 .../useHelmChartList.ts                       |   4 +-
 .../useHelmChartValues.ts                     |  43 ++--
 .../useHelmRepoVersions.ts                    |   6 +-
 .../useHelmRepositories.ts                    |  26 ++-
 .../helm/helmReleaseQueries/query-keys.ts     |  47 +++++
 .../helm/helmReleaseQueries/useHelmDryRun.ts  |  38 ++++
 .../useHelmHistory.ts                         |   6 +-
 .../useHelmRelease.ts                         |  14 +-
 .../useHelmRollbackMutation.ts                |   8 +-
 .../useUninstallHelmAppMutation.ts            |   3 +
 .../useUpdateHelmReleaseMutation.ts           |  30 ++-
 app/react/portainer/account/AccountView/.keep |   0
 .../helm-repositories.service.ts              |  23 +-
 app/setup-tests/mock-codemirror.tsx           |  31 ++-
 app/setup-tests/setup-codemirror.ts           |   5 +
 pkg/libhelm/options/install_options.go        |   1 +
 pkg/libhelm/sdk/install.go                    |   5 +
 pkg/libhelm/sdk/upgrade.go                    |   1 +
 41 files changed, 763 insertions(+), 157 deletions(-)
 create mode 100644 app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx
 create mode 100644 app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx
 create mode 100644 app/react/kubernetes/helm/helmChartSourceQueries/query-keys.ts
 rename app/react/kubernetes/helm/{queries => helmChartSourceQueries}/useHelmChartList.ts (95%)
 rename app/react/kubernetes/helm/{queries => helmChartSourceQueries}/useHelmChartValues.ts (89%)
 rename app/react/kubernetes/helm/{queries => helmChartSourceQueries}/useHelmRepoVersions.ts (94%)
 rename app/react/kubernetes/helm/{queries => helmChartSourceQueries}/useHelmRepositories.ts (75%)
 create mode 100644 app/react/kubernetes/helm/helmReleaseQueries/query-keys.ts
 create mode 100644 app/react/kubernetes/helm/helmReleaseQueries/useHelmDryRun.ts
 rename app/react/kubernetes/helm/{HelmApplicationView/queries => helmReleaseQueries}/useHelmHistory.ts (88%)
 rename app/react/kubernetes/helm/{HelmApplicationView/queries => helmReleaseQueries}/useHelmRelease.ts (91%)
 rename app/react/kubernetes/helm/{HelmApplicationView/queries => helmReleaseQueries}/useHelmRollbackMutation.ts (88%)
 rename app/react/kubernetes/helm/{HelmApplicationView/queries => helmReleaseQueries}/useUninstallHelmAppMutation.ts (94%)
 rename app/react/kubernetes/helm/{queries => helmReleaseQueries}/useUpdateHelmReleaseMutation.ts (63%)
 delete mode 100644 app/react/portainer/account/AccountView/.keep

diff --git a/api/http/handler/helm/helm_install.go b/api/http/handler/helm/helm_install.go
index 83ae0db51..33b0d82cd 100644
--- a/api/http/handler/helm/helm_install.go
+++ b/api/http/handler/helm/helm_install.go
@@ -46,18 +46,24 @@ var errChartNameInvalid = errors.New("invalid chart name. " +
 // @produce json
 // @param id path int true "Environment(Endpoint) identifier"
 // @param payload body installChartPayload true "Chart details"
+// @param dryRun query bool false "Dry run"
 // @success 201 {object} release.Release "Created"
 // @failure 401 "Unauthorized"
 // @failure 404 "Environment(Endpoint) or ServiceAccount not found"
 // @failure 500 "Server error"
 // @router /endpoints/{id}/kubernetes/helm [post]
 func (handler *Handler) helmInstall(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	dryRun, err := request.RetrieveBooleanQueryParameter(r, "dryRun", true)
+	if err != nil {
+		return httperror.BadRequest("Invalid dryRun query parameter", err)
+	}
+
 	var payload installChartPayload
 	if err := request.DecodeAndValidateJSONPayload(r, &payload); err != nil {
 		return httperror.BadRequest("Invalid Helm install payload", err)
 	}
 
-	release, err := handler.installChart(r, payload)
+	release, err := handler.installChart(r, payload, dryRun)
 	if err != nil {
 		return httperror.InternalServerError("Unable to install a chart", err)
 	}
@@ -94,7 +100,7 @@ func (p *installChartPayload) Validate(_ *http.Request) error {
 	return nil
 }
 
-func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*release.Release, error) {
+func (handler *Handler) installChart(r *http.Request, p installChartPayload, dryRun bool) (*release.Release, error) {
 	clusterAccess, httperr := handler.getHelmClusterAccess(r)
 	if httperr != nil {
 		return nil, httperr.Err
@@ -107,6 +113,7 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		Namespace:               p.Namespace,
 		Repo:                    p.Repo,
 		Atomic:                  p.Atomic,
+		DryRun:                  dryRun,
 		KubernetesClusterAccess: clusterAccess,
 	}
 
@@ -134,13 +141,14 @@ func (handler *Handler) installChart(r *http.Request, p installChartPayload) (*r
 		return nil, err
 	}
 
-	manifest, err := handler.applyPortainerLabelsToHelmAppManifest(r, installOpts, release.Manifest)
-	if err != nil {
-		return nil, err
-	}
-
-	if err := handler.updateHelmAppManifest(r, manifest, installOpts.Namespace); err != nil {
-		return nil, err
+	if !installOpts.DryRun {
+		manifest, err := handler.applyPortainerLabelsToHelmAppManifest(r, installOpts, release.Manifest)
+		if err != nil {
+			return nil, err
+		}
+		if err := handler.updateHelmAppManifest(r, manifest, installOpts.Namespace); err != nil {
+			return nil, err
+		}
 	}
 
 	return release, nil
diff --git a/app/react/components/CodeEditor/CodeEditor.test.tsx b/app/react/components/CodeEditor/CodeEditor.test.tsx
index 7b100b0e3..a269cd192 100644
--- a/app/react/components/CodeEditor/CodeEditor.test.tsx
+++ b/app/react/components/CodeEditor/CodeEditor.test.tsx
@@ -122,7 +122,7 @@ test('should apply custom height', async () => {
     <CodeEditor {...defaultProps} height={customHeight} />
   );
 
-  const editor = (await findByRole('textbox')).parentElement?.parentElement;
+  const editor = await findByRole('textbox');
   expect(editor).toHaveStyle({ height: customHeight });
 });
 
diff --git a/app/react/components/CodeEditor/useCodeEditorExtensions.ts b/app/react/components/CodeEditor/useCodeEditorExtensions.ts
index 3b46a543e..8050b59da 100644
--- a/app/react/components/CodeEditor/useCodeEditorExtensions.ts
+++ b/app/react/components/CodeEditor/useCodeEditorExtensions.ts
@@ -48,7 +48,7 @@ function yamlLanguage(schema?: JSONSchema7) {
     syntaxHighlighting(oneDarkHighlightStyle),
     // explicitly setting lineNumbers() as an extension ensures that the gutter order is the same between the diff viewer and the code editor
     lineNumbers(),
-    lintGutter(),
+    !!schema && lintGutter(),
     keymap.of([...defaultKeymap, ...completionKeymap, ...lintKeymap]),
     // only show completions when a schema is provided
     !!schema &&
diff --git a/app/react/components/form-components/FormSection/FormSection.tsx b/app/react/components/form-components/FormSection/FormSection.tsx
index 6ea747762..51dbab534 100644
--- a/app/react/components/form-components/FormSection/FormSection.tsx
+++ b/app/react/components/form-components/FormSection/FormSection.tsx
@@ -12,6 +12,7 @@ interface Props {
   titleClassName?: string;
   className?: string;
   htmlFor?: string;
+  setIsDefaultFolded?: (isDefaultFolded: boolean) => void;
 }
 
 export function FormSection({
@@ -23,6 +24,7 @@ export function FormSection({
   titleClassName,
   className,
   htmlFor = '',
+  setIsDefaultFolded,
 }: PropsWithChildren<Props>) {
   const [isExpanded, setIsExpanded] = useState(!defaultFolded);
   const id = `foldingButton${title}`;
@@ -39,7 +41,10 @@ export function FormSection({
             isExpanded={isExpanded}
             data-cy={id}
             id={id}
-            onClick={() => setIsExpanded((isExpanded) => !isExpanded)}
+            onClick={() => {
+              setIsExpanded((isExpanded) => !isExpanded);
+              setIsDefaultFolded?.(isExpanded);
+            }}
           />
         )}
 
diff --git a/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts b/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts
index fcaf9df8f..8ab241048 100644
--- a/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts
+++ b/app/react/kubernetes/applications/queries/useDeleteApplicationsMutation.ts
@@ -7,7 +7,7 @@ import { getAllSettledItems } from '@/portainer/helpers/promise-utils';
 import { withGlobalError } from '@/react-tools/react-query';
 import { notifyError, notifySuccess } from '@/portainer/services/notifications';
 import { pluralize } from '@/portainer/helpers/strings';
-import { uninstallHelmApplication } from '@/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation';
+import { uninstallHelmApplication } from '@/react/kubernetes/helm/helmReleaseQueries/useUninstallHelmAppMutation';
 
 import { parseKubernetesAxiosError } from '../../axiosError';
 import { ApplicationRowData } from '../ListView/ApplicationsDatatable/types';
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
index ea8a79bac..5fba1b1ae 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/RollbackButton.tsx
@@ -9,7 +9,7 @@ import { buildConfirmButton } from '@@/modals/utils';
 import { confirm } from '@@/modals/confirm';
 import { ModalType } from '@@/modals';
 
-import { useHelmRollbackMutation } from '../queries/useHelmRollbackMutation';
+import { useHelmRollbackMutation } from '../../helmReleaseQueries/useHelmRollbackMutation';
 
 type Props = {
   latestRevision: number;
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx
index fc2c6d5c2..1d694532c 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UninstallButton.tsx
@@ -5,7 +5,7 @@ import { notifySuccess } from '@/portainer/services/notifications';
 
 import { DeleteButton } from '@@/buttons/DeleteButton';
 
-import { useUninstallHelmAppMutation } from '../queries/useUninstallHelmAppMutation';
+import { useUninstallHelmAppMutation } from '../../helmReleaseQueries/useUninstallHelmAppMutation';
 
 export function UninstallButton({
   environmentId,
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
index f05a2d5e8..c5ae16622 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.test.tsx
@@ -9,7 +9,7 @@ import { withUserProvider } from '@/react/test-utils/withUserProvider';
 import {
   useHelmRepoVersions,
   ChartVersion,
-} from '../../queries/useHelmRepoVersions';
+} from '../../helmChartSourceQueries/useHelmRepoVersions';
 import { HelmRelease } from '../../types';
 
 import { openUpgradeHelmModal } from './UpgradeHelmModal';
@@ -25,32 +25,56 @@ vi.mock('@/portainer/services/notifications', () => ({
   notifySuccess: vi.fn(),
 }));
 
-vi.mock('../../queries/useHelmRepositories', () => ({
-  useUserHelmRepositories: vi.fn(() => ({
-    data: ['repo1', 'repo2'],
-    isInitialLoading: false,
-    isError: false,
-  })),
-}));
+vi.mock('../../helmChartSourceQueries/useHelmRepositories', async () => {
+  const actual = await vi.importActual(
+    '../../helmChartSourceQueries/useHelmRepositories'
+  );
+  return {
+    ...actual,
+    useUserHelmRepositories: vi.fn(() => ({
+      data: ['repo1', 'repo2'],
+      isInitialLoading: false,
+      isError: false,
+    })),
+  };
+});
 
-vi.mock('../../queries/useHelmRepoVersions', () => ({
-  useHelmRepoVersions: vi.fn(),
-}));
+vi.mock('../../helmChartSourceQueries/useHelmRepoVersions', async () => {
+  const actual = await vi.importActual(
+    '../../helmChartSourceQueries/useHelmRepoVersions'
+  );
+  return {
+    ...actual,
+    useHelmRepoVersions: vi.fn(),
+  };
+});
 
 // Mock the useHelmRelease hook
-vi.mock('../queries/useHelmRelease', () => ({
-  useHelmRelease: vi.fn(() => ({
-    data: '1.0.0',
-  })),
-}));
+vi.mock('../../helmReleaseQueries/useHelmRelease', async () => {
+  const actual = await vi.importActual(
+    '../../helmReleaseQueries/useHelmRelease'
+  );
+  return {
+    ...actual,
+    useHelmRelease: vi.fn(() => ({
+      data: '1.0.0',
+    })),
+  };
+});
 
 // Mock the useUpdateHelmReleaseMutation hook
-vi.mock('../../queries/useUpdateHelmReleaseMutation', () => ({
-  useUpdateHelmReleaseMutation: vi.fn(() => ({
-    mutate: vi.fn(),
-    isLoading: false,
-  })),
-}));
+vi.mock('../../helmReleaseQueries/useUpdateHelmReleaseMutation', async () => {
+  const actual = await vi.importActual(
+    '../../helmReleaseQueries/useUpdateHelmReleaseMutation'
+  );
+  return {
+    ...actual,
+    useUpdateHelmReleaseMutation: vi.fn(() => ({
+      mutate: vi.fn(),
+      isLoading: false,
+    })),
+  };
+});
 
 function renderButton(props = {}) {
   const defaultProps = {
@@ -157,12 +181,14 @@ describe('UpgradeButton', () => {
         metadata: {
           name: 'test-chart',
           version: '1.0.0',
+          appVersion: '1.0.0',
         },
       },
       values: {
         userSuppliedValues: '{}',
       },
       manifest: '',
+      namespace: 'default',
     } as HelmRelease;
 
     vi.mocked(useHelmRepoVersions).mockReturnValue({
@@ -193,7 +219,9 @@ describe('UpgradeButton', () => {
         expect.arrayContaining([
           { Version: '1.0.0', Repo: 'stable' },
           { Version: '1.1.0', Repo: 'stable' },
-        ])
+        ]),
+        '', // releaseManifest
+        1 // environmentId
       );
     });
   });
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
index 0e3e634fc..90d142394 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeButton.tsx
@@ -12,10 +12,13 @@ import { Tooltip } from '@@/Tip/Tooltip';
 import { Link } from '@@/Link';
 
 import { HelmRelease, UpdateHelmReleasePayload } from '../../types';
-import { useUpdateHelmReleaseMutation } from '../../queries/useUpdateHelmReleaseMutation';
-import { useHelmRepoVersions } from '../../queries/useHelmRepoVersions';
-import { useHelmRelease } from '../queries/useHelmRelease';
-import { useUserHelmRepositories } from '../../queries/useHelmRepositories';
+import { useUpdateHelmReleaseMutation } from '../../helmReleaseQueries/useUpdateHelmReleaseMutation';
+import { useHelmRepoVersions } from '../../helmChartSourceQueries/useHelmRepoVersions';
+import { useHelmRelease } from '../../helmReleaseQueries/useHelmRelease';
+import {
+  flattenHelmRegistries,
+  useUserHelmRepositories,
+} from '../../helmChartSourceQueries/useHelmRepositories';
 
 import { openUpgradeHelmModal } from './UpgradeHelmModal';
 
@@ -36,7 +39,9 @@ export function UpgradeButton({
   const [useCache, setUseCache] = useState(true);
   const updateHelmReleaseMutation = useUpdateHelmReleaseMutation(environmentId);
 
-  const userRepositoriesQuery = useUserHelmRepositories();
+  const userRepositoriesQuery = useUserHelmRepositories({
+    select: flattenHelmRegistries,
+  });
   const helmRepoVersionsQuery = useHelmRepoVersions(
     release?.chart.metadata?.name || '',
     60 * 60 * 1000, // 1 hour
@@ -164,7 +169,9 @@ export function UpgradeButton({
   async function handleUpgrade() {
     const submittedUpgradeValues = await openUpgradeHelmModal(
       editableHelmRelease,
-      filteredVersions
+      filteredVersions,
+      release?.manifest || '',
+      environmentId
     );
 
     if (submittedUpgradeValues) {
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
index a1382bfd3..7be9f0b9c 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
@@ -1,9 +1,10 @@
-import { useState } from 'react';
+import { useMemo, useState } from 'react';
 import { ArrowUp } from 'lucide-react';
 
 import { withReactQuery } from '@/react-tools/withReactQuery';
 import { withCurrentUser } from '@/react-tools/withCurrentUser';
-import { ChartVersion } from '@/react/kubernetes/helm/queries/useHelmRepoVersions';
+import { ChartVersion } from '@/react/kubernetes/helm/helmChartSourceQueries/useHelmRepoVersions';
+import { EnvironmentId } from '@/react/portainer/environments/types';
 
 import { Modal, OnSubmit, openModal } from '@@/modals';
 import { Button } from '@@/buttons';
@@ -15,26 +16,32 @@ import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
 
 import { UpdateHelmReleasePayload } from '../../types';
 import { HelmValuesInput } from '../../components/HelmValuesInput';
-import { useHelmChartValues } from '../../queries/useHelmChartValues';
+import { useHelmChartValues } from '../../helmChartSourceQueries/useHelmChartValues';
+import { ManifestPreviewFormSection } from '../../components/ManifestPreviewFormSection';
 
 interface Props {
   onSubmit: OnSubmit<UpdateHelmReleasePayload>;
-  payload: UpdateHelmReleasePayload;
+  helmReleaseInitialValues: UpdateHelmReleasePayload;
+  releaseManifest: string;
   versions: ChartVersion[];
   chartName: string;
+  environmentId: EnvironmentId;
 }
 
 export function UpgradeHelmModal({
-  payload,
+  helmReleaseInitialValues,
+  releaseManifest,
   versions,
   onSubmit,
   chartName,
+  environmentId,
 }: Props) {
   const versionOptions: Option<ChartVersion>[] = versions.map((version) => {
-    const repo = payload.repo === version.Repo ? version.Repo : '';
+    const repo =
+      helmReleaseInitialValues.repo === version.Repo ? version.Repo : '';
     const isCurrentVersion =
-      version.AppVersion === payload.appVersion &&
-      version.Version === payload.version;
+      version.AppVersion === helmReleaseInitialValues.appVersion &&
+      version.Version === helmReleaseInitialValues.version;
 
     const label = `${repo}@${version.Version}${
       isCurrentVersion ? ' (current)' : ''
@@ -50,13 +57,16 @@ export function UpgradeHelmModal({
   const defaultVersion =
     versionOptions.find(
       (v) =>
-        v.value.AppVersion === payload.appVersion &&
-        v.value.Version === payload.version &&
-        v.value.Repo === payload.repo
+        v.value.AppVersion === helmReleaseInitialValues.appVersion &&
+        v.value.Version === helmReleaseInitialValues.version &&
+        v.value.Repo === helmReleaseInitialValues.repo
     )?.value || versionOptions[0]?.value;
   const [version, setVersion] = useState<ChartVersion>(defaultVersion);
-  const [userValues, setUserValues] = useState<string>(payload.values || '');
+  const [userValues, setUserValues] = useState<string>(
+    helmReleaseInitialValues.values || ''
+  );
   const [atomic, setAtomic] = useState<boolean>(true);
+  const [previewIsValid, setPreviewIsValid] = useState<boolean>(false);
 
   const chartValuesRefQuery = useHelmChartValues({
     chart: chartName,
@@ -64,6 +74,19 @@ export function UpgradeHelmModal({
     version: version.Version,
   });
 
+  const submitPayload = useMemo(
+    () => ({
+      name: helmReleaseInitialValues.name,
+      values: userValues,
+      namespace: helmReleaseInitialValues.namespace,
+      chart: helmReleaseInitialValues.chart,
+      repo: version.Repo,
+      version: version.Version,
+      atomic,
+    }),
+    [helmReleaseInitialValues, userValues, version, atomic]
+  );
+
   return (
     <Modal
       onDismiss={() => onSubmit()}
@@ -84,7 +107,7 @@ export function UpgradeHelmModal({
             >
               <Input
                 id="release-name-input"
-                value={payload.name}
+                value={helmReleaseInitialValues.name}
                 readOnly
                 disabled
                 data-cy="helm-release-name-input"
@@ -97,7 +120,7 @@ export function UpgradeHelmModal({
             >
               <Input
                 id="namespace-input"
-                value={payload.namespace}
+                value={helmReleaseInitialValues.namespace}
                 readOnly
                 disabled
                 data-cy="helm-namespace-input"
@@ -134,6 +157,15 @@ export function UpgradeHelmModal({
               valuesRef={chartValuesRefQuery.data?.values ?? ''}
               isValuesRefLoading={chartValuesRefQuery.isInitialLoading}
             />
+            <div className="mb-10">
+              <ManifestPreviewFormSection
+                payload={submitPayload}
+                onChangePreviewValidation={setPreviewIsValid}
+                title="Manifest changes"
+                currentManifest={releaseManifest}
+                environmentId={environmentId}
+              />
+            </div>
           </div>
         </Modal.Body>
       </div>
@@ -149,17 +181,8 @@ export function UpgradeHelmModal({
             Cancel
           </Button>
           <Button
-            onClick={() =>
-              onSubmit({
-                name: payload.name,
-                values: userValues,
-                namespace: payload.namespace,
-                chart: payload.chart,
-                repo: version.Repo,
-                version: version.Version,
-                atomic,
-              })
-            }
+            onClick={() => onSubmit(submitPayload)}
+            disabled={!previewIsValid}
             color="primary"
             key="update-button"
             size="medium"
@@ -174,12 +197,16 @@ export function UpgradeHelmModal({
 }
 
 export async function openUpgradeHelmModal(
-  payload: UpdateHelmReleasePayload,
-  versions: ChartVersion[]
+  helmReleaseInitialValues: UpdateHelmReleasePayload,
+  versions: ChartVersion[],
+  releaseManifest: string,
+  environmentId: EnvironmentId
 ) {
   return openModal(withReactQuery(withCurrentUser(UpgradeHelmModal)), {
-    payload,
+    helmReleaseInitialValues,
     versions,
-    chartName: payload.chart,
+    chartName: helmReleaseInitialValues.chart,
+    releaseManifest,
+    environmentId,
   });
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
index b73be1a7c..f063c06d4 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/HelmApplicationView.tsx
@@ -12,14 +12,14 @@ import { Alert } from '@@/Alert';
 
 import { HelmRelease } from '../types';
 import { useIsSystemNamespace } from '../../namespaces/queries/useIsSystemNamespace';
+import { useHelmRelease } from '../helmReleaseQueries/useHelmRelease';
+import { useHelmHistory } from '../helmReleaseQueries/useHelmHistory';
 
 import { HelmSummary } from './HelmSummary';
 import { ReleaseTabs } from './ReleaseDetails/ReleaseTabs';
-import { useHelmRelease } from './queries/useHelmRelease';
 import { ChartActions } from './ChartActions/ChartActions';
 import { HelmRevisionList } from './HelmRevisionList';
 import { HelmRevisionListSheet } from './HelmRevisionListSheet';
-import { useHelmHistory } from './queries/useHelmHistory';
 
 export function HelmApplicationView() {
   const environmentId = useEnvironmentId();
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
index 0aa05960c..d8a84a214 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ReleaseTabs.tsx
@@ -11,7 +11,7 @@ import { Badge } from '@@/Badge';
 import { Icon } from '@@/Icon';
 
 import { HelmRelease } from '../../types';
-import { useHelmHistory } from '../queries/useHelmHistory';
+import { useHelmHistory } from '../../helmReleaseQueries/useHelmHistory';
 
 import { ManifestDetails } from './ManifestDetails';
 import { NotesDetails } from './NotesDetails';
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
index 1bae99912..100b68fc0 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.test.tsx
@@ -3,8 +3,7 @@ import { describe, it, expect, vi, afterEach } from 'vitest';
 
 import { withTestRouter } from '@/react/test-utils/withRouter';
 import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
-
-import { GenericResource } from '../../../types';
+import { GenericResource } from '@/react/kubernetes/helm/types';
 
 import { ResourcesTable } from './ResourcesTable';
 
@@ -22,7 +21,7 @@ vi.mock('@/react/hooks/useEnvironmentId', () => ({
   useEnvironmentId: () => mockUseEnvironmentId(),
 }));
 
-vi.mock('../../queries/useHelmRelease', () => ({
+vi.mock('@/react/kubernetes/helm/helmReleaseQueries/useHelmRelease', () => ({
   useHelmRelease: () => mockUseHelmRelease(),
 }));
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
index 1757535ba..e661e964c 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/ResourcesTable.tsx
@@ -1,6 +1,7 @@
 import { useCurrentStateAndParams } from '@uirouter/react';
 
 import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
+import { useHelmRelease } from '@/react/kubernetes/helm/helmReleaseQueries/useHelmRelease';
 
 import { Datatable, TableSettingsMenu } from '@@/datatables';
 import {
@@ -13,8 +14,6 @@ import { Widget } from '@@/Widget';
 import { TableSettingsMenuAutoRefresh } from '@@/datatables/TableSettingsMenuAutoRefresh';
 import { TextTip } from '@@/Tip/TextTip';
 
-import { useHelmRelease } from '../../queries/useHelmRelease';
-
 import { columns } from './columns';
 import { useResourceRows } from './useResourceRows';
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
index ac90271f8..c16b0e885 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/ResourcesTable/useResourceRows.ts
@@ -1,8 +1,8 @@
 import { useMemo } from 'react';
 
-import { StatusBadgeType } from '@@/StatusBadge';
+import { GenericResource } from '@/react/kubernetes/helm/types';
 
-import { GenericResource } from '../../../types';
+import { StatusBadgeType } from '@@/StatusBadge';
 
 import { ResourceLink, ResourceRow } from './types';
 
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts
index 814f03a6a..e15e189fa 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts
+++ b/app/react/kubernetes/helm/HelmApplicationView/ReleaseDetails/useHelmReleaseToCompare.ts
@@ -1,7 +1,7 @@
 import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
 
 import { HelmRelease } from '../../types';
-import { useHelmRelease } from '../queries/useHelmRelease';
+import { useHelmRelease } from '../../helmReleaseQueries/useHelmRelease';
 
 import { DiffViewMode } from './DiffControl';
 
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
index 9eeead61e..ca3aa4c3a 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.test.tsx
@@ -36,14 +36,15 @@ vi.mock('@/portainer/services/notifications', () => ({
   ),
 }));
 
-vi.mock('../queries/useUpdateHelmReleaseMutation', () => ({
+vi.mock('../helmReleaseQueries/useUpdateHelmReleaseMutation', () => ({
   useUpdateHelmReleaseMutation: vi.fn(() => ({
     mutateAsync: vi.fn((...args) => mockMutate(...args)),
     isLoading: false,
   })),
+  updateHelmRelease: vi.fn(() => Promise.resolve({})),
 }));
 
-vi.mock('../queries/useHelmRepoVersions', () => ({
+vi.mock('../helmChartSourceQueries/useHelmRepoVersions', () => ({
   useHelmRepoVersions: vi.fn(() => ({
     data: [
       { Version: '1.0.0', AppVersion: '1.0.0' },
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
index 824b9e32c..2bed5b58f 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
@@ -11,11 +11,11 @@ import { confirmGenericDiscard } from '@@/modals/confirm';
 import { Option } from '@@/form-components/PortainerSelect';
 
 import { Chart } from '../types';
-import { useUpdateHelmReleaseMutation } from '../queries/useUpdateHelmReleaseMutation';
+import { useUpdateHelmReleaseMutation } from '../helmReleaseQueries/useUpdateHelmReleaseMutation';
 import {
   ChartVersion,
   useHelmRepoVersions,
-} from '../queries/useHelmRepoVersions';
+} from '../helmChartSourceQueries/useHelmRepoVersions';
 
 import { HelmInstallInnerForm } from './HelmInstallInnerForm';
 import { HelmInstallFormValues } from './types';
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
index 9153c566e..77ba91ca1 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
@@ -1,5 +1,7 @@
 import { Form, useFormikContext } from 'formik';
-import { useMemo } from 'react';
+import { useMemo, useState } from 'react';
+
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
 
 import { FormControl } from '@@/form-components/FormControl';
 import { Option, PortainerSelect } from '@@/form-components/PortainerSelect';
@@ -7,9 +9,10 @@ import { FormSection } from '@@/form-components/FormSection';
 import { LoadingButton } from '@@/buttons';
 
 import { Chart } from '../types';
-import { useHelmChartValues } from '../queries/useHelmChartValues';
+import { useHelmChartValues } from '../helmChartSourceQueries/useHelmChartValues';
 import { HelmValuesInput } from '../components/HelmValuesInput';
-import { ChartVersion } from '../queries/useHelmRepoVersions';
+import { ChartVersion } from '../helmChartSourceQueries/useHelmRepoVersions';
+import { ManifestPreviewFormSection } from '../components/ManifestPreviewFormSection';
 
 import { HelmInstallFormValues } from './types';
 
@@ -30,6 +33,8 @@ export function HelmInstallInnerForm({
   isVersionsLoading,
   isRepoAvailable,
 }: Props) {
+  const environmentId = useEnvironmentId();
+  const [previewIsValid, setPreviewIsValid] = useState(false);
   const { values, setFieldValue, isSubmitting } =
     useFormikContext<HelmInstallFormValues>();
 
@@ -62,6 +67,25 @@ export function HelmInstallInnerForm({
     isLatestVersionFetched
   );
 
+  const payload = useMemo(
+    () => ({
+      name: name || '',
+      namespace: namespace || '',
+      chart: selectedChart.name,
+      version: values?.version,
+      repo: selectedChart.repo,
+      values: values.values,
+    }),
+    [
+      name,
+      namespace,
+      selectedChart.name,
+      values?.version,
+      selectedChart.repo,
+      values.values,
+    ]
+  );
+
   return (
     <Form className="form-horizontal">
       <div className="form-group !m-0">
@@ -93,13 +117,19 @@ export function HelmInstallInnerForm({
             isValuesRefLoading={chartValuesRefQuery.isInitialLoading}
           />
         </FormSection>
+        <ManifestPreviewFormSection
+          payload={payload}
+          onChangePreviewValidation={setPreviewIsValid}
+          title="Manifest preview"
+          environmentId={environmentId}
+        />
       </div>
 
       <LoadingButton
-        className="!ml-0"
+        className="!ml-0 mt-5"
         loadingText="Installing Helm chart"
         isLoading={isSubmitting}
-        disabled={!namespace || !name || !isRepoAvailable}
+        disabled={!namespace || !name || !isRepoAvailable || !previewIsValid}
         data-cy="helm-install"
       >
         Install
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
index cca219fbc..5675ff5d7 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplates.tsx
@@ -4,13 +4,13 @@ import { useCurrentUser } from '@/react/hooks/useUser';
 
 import { FormSection } from '@@/form-components/FormSection';
 
-import { useHelmHTTPChartList } from '../queries/useHelmChartList';
+import { useHelmHTTPChartList } from '../helmChartSourceQueries/useHelmChartList';
 import { Chart } from '../types';
 import {
   HelmRegistrySelect,
   RepoValue,
 } from '../components/HelmRegistrySelect';
-import { useHelmRepoOptions } from '../queries/useHelmRepositories';
+import { useHelmRepoOptions } from '../helmChartSourceQueries/useHelmRepositories';
 
 import { HelmInstallForm } from './HelmInstallForm';
 import { HelmTemplatesSelectedItem } from './HelmTemplatesSelectedItem';
diff --git a/app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx
new file mode 100644
index 000000000..6ca6f2841
--- /dev/null
+++ b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx
@@ -0,0 +1,197 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi } from 'vitest';
+
+import { withTestQueryProvider } from '@/react/test-utils/withTestQuery';
+import { withUserProvider } from '@/react/test-utils/withUserProvider';
+import { withTestRouter } from '@/react/test-utils/withRouter';
+import { UserViewModel } from '@/portainer/models/user';
+
+import { ManifestPreviewFormSection } from './ManifestPreviewFormSection';
+
+// Mock the necessary hooks
+const mockUseHelmDryRun = vi.fn();
+const mockUseDebouncedValue = vi.fn();
+
+vi.mock('../helmReleaseQueries/useHelmDryRun', () => ({
+  useHelmDryRun: (...args: unknown[]) => mockUseHelmDryRun(...args),
+}));
+
+vi.mock('@/react/hooks/useDebouncedValue', () => ({
+  useDebouncedValue: (value: unknown, delay: number) =>
+    mockUseDebouncedValue(value, delay),
+}));
+
+// Mock the CodeEditor and DiffViewer components
+vi.mock('@@/CodeEditor', () => ({
+  CodeEditor: ({
+    'data-cy': dataCy,
+    value,
+  }: {
+    'data-cy'?: string;
+    value: string;
+  }) => (
+    <div data-cy={dataCy} data-testid="code-editor">
+      {value}
+    </div>
+  ),
+}));
+
+vi.mock('@@/CodeEditor/DiffViewer', () => ({
+  DiffViewer: ({
+    'data-cy': dataCy,
+    originalCode,
+    newCode,
+  }: {
+    'data-cy'?: string;
+    originalCode: string;
+    newCode: string;
+  }) => (
+    <div data-cy={dataCy} data-testid="diff-viewer">
+      <div data-testid="original-code">{originalCode}</div>
+      <div data-testid="new-code">{newCode}</div>
+    </div>
+  ),
+}));
+
+const mockOnChangePreviewValidation = vi.fn();
+
+const defaultProps = {
+  payload: {
+    name: 'test-release',
+    namespace: 'test-namespace',
+    chart: 'test-chart',
+    version: '1.0.0',
+    repo: 'test-repo',
+  },
+  onChangePreviewValidation: mockOnChangePreviewValidation,
+  title: 'Manifest Preview',
+  environmentId: 1,
+};
+
+function renderComponent(props = {}) {
+  const user = new UserViewModel({ Username: 'user', Role: 1 });
+
+  const Component = withTestQueryProvider(
+    withUserProvider(
+      withTestRouter(() => (
+        <ManifestPreviewFormSection {...defaultProps} {...props} />
+      )),
+      user
+    )
+  );
+
+  return render(<Component />);
+}
+
+describe('ManifestPreviewFormSection', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    // Default mock for useDebouncedValue - returns the value as-is
+    mockUseDebouncedValue.mockImplementation((value) => value);
+  });
+
+  it('should show loading and no form section when loading', () => {
+    mockUseHelmDryRun.mockReturnValue({
+      isInitialLoading: true,
+      isError: false,
+      data: undefined,
+    });
+
+    renderComponent();
+
+    expect(
+      screen.getByText('Generating manifest preview...')
+    ).toBeInTheDocument();
+    expect(screen.queryByText('Manifest Preview')).not.toBeInTheDocument();
+  });
+
+  it('should show error and no form section when error', () => {
+    mockUseHelmDryRun.mockReturnValue({
+      isInitialLoading: false,
+      isError: true,
+      error: { message: 'Invalid chart configuration' },
+      data: undefined,
+    });
+
+    renderComponent();
+
+    expect(
+      screen.getByText('Error with Helm chart configuration')
+    ).toBeInTheDocument();
+    expect(screen.getByText('Invalid chart configuration')).toBeInTheDocument();
+    expect(screen.queryByText('Manifest Preview')).not.toBeInTheDocument();
+  });
+
+  it('should show single code editor when only the generated manifest is available', async () => {
+    const mockManifest = 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: test';
+
+    mockUseHelmDryRun.mockReturnValue({
+      isInitialLoading: false,
+      isError: false,
+      data: { manifest: mockManifest },
+    });
+
+    renderComponent();
+
+    expect(screen.getByText('Manifest Preview')).toBeInTheDocument();
+
+    // Expand the FormSection to see the content
+    const expandButton = screen.getByLabelText('Expand');
+    await userEvent.click(expandButton);
+
+    // Check that the manifest content is rendered (from the HTML, we can see it's there)
+    expect(
+      screen.getByText(/apiVersion/, { exact: false })
+    ).toBeInTheDocument();
+    expect(screen.getByText(/test/, { exact: false })).toBeInTheDocument();
+  });
+
+  it('should show the diff when the current and generated manifest are available', async () => {
+    const currentManifest = 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: old';
+    const newManifest = 'apiVersion: v1\nkind: Pod\nmetadata:\n  name: new';
+
+    mockUseHelmDryRun.mockReturnValue({
+      isInitialLoading: false,
+      isError: false,
+      data: { manifest: newManifest },
+    });
+
+    renderComponent({ currentManifest });
+
+    expect(screen.getByText('Manifest Preview')).toBeInTheDocument();
+
+    // Expand the FormSection to see the content
+    const expandButton = screen.getByLabelText('Expand');
+    await userEvent.click(expandButton);
+
+    // Check that both old and new manifest content is rendered
+    expect(screen.getByText(/old/, { exact: false })).toBeInTheDocument();
+    expect(screen.getByText(/new/, { exact: false })).toBeInTheDocument();
+  });
+
+  it('should call onChangePreviewValidation with correct validation state', () => {
+    mockUseHelmDryRun.mockReturnValue({
+      isInitialLoading: false,
+      isError: false,
+      data: { manifest: 'test' },
+    });
+
+    renderComponent();
+
+    expect(mockOnChangePreviewValidation).toHaveBeenCalledWith(true);
+  });
+
+  it('should call onChangePreviewValidation with false when error occurs', () => {
+    mockUseHelmDryRun.mockReturnValue({
+      isInitialLoading: false,
+      isError: true,
+      error: { message: 'Error' },
+      data: undefined,
+    });
+
+    renderComponent();
+
+    expect(mockOnChangePreviewValidation).toHaveBeenCalledWith(false);
+  });
+});
diff --git a/app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx
new file mode 100644
index 000000000..fa651fe1a
--- /dev/null
+++ b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx
@@ -0,0 +1,109 @@
+import { useEffect, useState } from 'react';
+
+import { useDebouncedValue } from '@/react/hooks/useDebouncedValue';
+import { EnvironmentId } from '@/react/portainer/environments/types';
+
+import { FormSection } from '@@/form-components/FormSection';
+import { CodeEditor } from '@@/CodeEditor';
+import { DiffViewer } from '@@/CodeEditor/DiffViewer';
+import { InlineLoader } from '@@/InlineLoader';
+import { Alert } from '@@/Alert';
+import { TextTip } from '@@/Tip/TextTip';
+
+import { useHelmDryRun } from '../helmReleaseQueries/useHelmDryRun';
+import { UpdateHelmReleasePayload } from '../types';
+
+type Props = {
+  payload: UpdateHelmReleasePayload;
+  onChangePreviewValidation: (isValid: boolean) => void;
+  currentManifest?: string; // only true on upgrade, not install
+  title: string;
+  environmentId: EnvironmentId;
+};
+
+export function ManifestPreviewFormSection({
+  payload,
+  currentManifest,
+  onChangePreviewValidation,
+  title,
+  environmentId,
+}: Props) {
+  const debouncedPayload = useDebouncedValue(payload, 500);
+  const manifestPreviewQuery = useHelmDryRun(environmentId, debouncedPayload);
+  const [isFolded, setIsFolded] = useState(true);
+
+  useEffect(() => {
+    onChangePreviewValidation(!manifestPreviewQuery.isError);
+  }, [manifestPreviewQuery.isError, onChangePreviewValidation]);
+
+  if (
+    !debouncedPayload.name ||
+    !debouncedPayload.namespace ||
+    !debouncedPayload.chart
+  ) {
+    return null;
+  }
+
+  // only show loading state or the error to keep the view simple (omitting the preview section because there is nothing to preview)
+  if (manifestPreviewQuery.isInitialLoading) {
+    return <InlineLoader>Generating manifest preview...</InlineLoader>;
+  }
+
+  if (manifestPreviewQuery.isError) {
+    return (
+      <Alert color="error" title="Error with Helm chart configuration">
+        {manifestPreviewQuery.error?.message ||
+          'Error generating manifest preview'}
+      </Alert>
+    );
+  }
+
+  return (
+    <FormSection
+      title={title}
+      isFoldable
+      defaultFolded={isFolded}
+      setIsDefaultFolded={setIsFolded}
+    >
+      <ManifestPreview
+        currentManifest={currentManifest}
+        newManifest={manifestPreviewQuery.data?.manifest ?? ''}
+      />
+    </FormSection>
+  );
+}
+
+function ManifestPreview({
+  currentManifest,
+  newManifest,
+}: {
+  currentManifest?: string;
+  newManifest: string;
+}) {
+  if (!newManifest) {
+    return <TextTip color="blue">No manifest preview available</TextTip>;
+  }
+
+  if (currentManifest) {
+    return (
+      <DiffViewer
+        originalCode={currentManifest}
+        newCode={newManifest}
+        id="manifest-preview"
+        data-cy="manifest-diff-preview"
+        type="yaml"
+      />
+    );
+  }
+
+  return (
+    <CodeEditor
+      id="manifest-preview"
+      value={newManifest}
+      data-cy="manifest-preview"
+      type="yaml"
+      readonly
+      showToolbar={false}
+    />
+  );
+}
diff --git a/app/react/kubernetes/helm/helmChartSourceQueries/query-keys.ts b/app/react/kubernetes/helm/helmChartSourceQueries/query-keys.ts
new file mode 100644
index 000000000..d9b75313c
--- /dev/null
+++ b/app/react/kubernetes/helm/helmChartSourceQueries/query-keys.ts
@@ -0,0 +1,29 @@
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { UserId } from '@/portainer/users/types';
+
+export const queryKeys = {
+  // Environment-scoped Helm queries (following kubernetes pattern)
+  base: (environmentId: EnvironmentId) =>
+    ['environments', environmentId, 'kubernetes', 'helm'] as const,
+
+  // User's helm repositories/registries
+  registries: (userId: UserId) => ['helm', 'registries', userId] as const,
+
+  // Chart repository searches (global, not environment-specific)
+  repositories: (chart: string, repo?: string, useCache?: boolean) =>
+    ['helm', 'repositories', chart, repo, useCache] as const,
+
+  // Chart listings from repositories (user-specific)
+  charts: (userId: UserId, repository: string) =>
+    ['helm', 'charts', userId, repository] as const,
+
+  // Chart values (global, cached by chart/version)
+  chartValues: (repo: string, chart: string, version: string | 'latest') =>
+    ['helm', 'chart-values', repo, chart, version] as const,
+
+  chartVersions: (
+    sourceId: number | string,
+    chart: string,
+    useCache?: boolean
+  ) => ['helm', 'registries', sourceId, chart, 'versions', useCache] as const,
+};
diff --git a/app/react/kubernetes/helm/queries/useHelmChartList.ts b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmChartList.ts
similarity index 95%
rename from app/react/kubernetes/helm/queries/useHelmChartList.ts
rename to app/react/kubernetes/helm/helmChartSourceQueries/useHelmChartList.ts
index b2cc82b9d..5d15d8945 100644
--- a/app/react/kubernetes/helm/queries/useHelmChartList.ts
+++ b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmChartList.ts
@@ -6,6 +6,8 @@ import { withGlobalError } from '@/react-tools/react-query';
 
 import { Chart, HelmChartsResponse } from '../types';
 
+import { queryKeys } from './query-keys';
+
 /**
  * React hook to fetch helm charts from the provided HTTP repository.
  * Charts are loaded from the specified repository URL.
@@ -21,7 +23,7 @@ export function useHelmHTTPChartList(
   enabled: boolean
 ) {
   return useQuery({
-    queryKey: [userId, repository, 'helm-charts'],
+    queryKey: queryKeys.charts(userId, repository),
     queryFn: () => getChartsFromRepo(repository),
     enabled: !!userId && !!repository && enabled,
     // one request takes a long time, so fail early to get feedback to the user faster
diff --git a/app/react/kubernetes/helm/queries/useHelmChartValues.ts b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmChartValues.ts
similarity index 89%
rename from app/react/kubernetes/helm/queries/useHelmChartValues.ts
rename to app/react/kubernetes/helm/helmChartSourceQueries/useHelmChartValues.ts
index 81e9cd9c2..04fa071f6 100644
--- a/app/react/kubernetes/helm/queries/useHelmChartValues.ts
+++ b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmChartValues.ts
@@ -3,6 +3,8 @@ import { useQuery } from '@tanstack/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 import { withGlobalError } from '@/react-tools/react-query';
 
+import { queryKeys } from './query-keys';
+
 type Params = {
   /** The name of the chart to get the values for */
   chart: string;
@@ -12,6 +14,26 @@ type Params = {
   version?: string;
 };
 
+export function useHelmChartValues(params: Params, isLatestVersion = false) {
+  const hasValidRepoUrl = !!params.repo;
+  return useQuery({
+    queryKey: queryKeys.chartValues(
+      params.repo,
+      params.chart,
+      // if the latest version is fetched, use the latest version key to cache the latest version
+      isLatestVersion ? 'latest' : params.version || 'latest'
+    ),
+    queryFn: () => getHelmChartValues(params),
+    enabled: !!params.chart && hasValidRepoUrl,
+    select: (data) => ({
+      values: data,
+    }),
+    retry: 1,
+    staleTime: 60 * 1000 * 20, // 60 minutes, because values are not expected to change often
+    ...withGlobalError('Unable to get Helm chart values'),
+  });
+}
+
 async function getHelmChartValues(params: Params) {
   try {
     const response = await axios.get<string>(`/templates/helm/values`, {
@@ -22,24 +44,3 @@ async function getHelmChartValues(params: Params) {
     throw parseAxiosError(err, 'Unable to get Helm chart values');
   }
 }
-
-export function useHelmChartValues(params: Params, isLatestVersion = false) {
-  const hasValidRepoUrl = !!params.repo;
-  return useQuery({
-    queryKey: [
-      'helm-chart-values',
-      params.repo,
-      params.chart,
-      // if the latest version is fetched, use the latest version key to cache the latest version
-      isLatestVersion ? 'latest' : params.version,
-    ],
-    queryFn: () => getHelmChartValues(params),
-    enabled: !!params.chart && hasValidRepoUrl,
-    select: (data) => ({
-      values: data,
-    }),
-    retry: 1,
-    staleTime: 60 * 1000 * 20, // 60 minutes, because values are not expected to change often
-    ...withGlobalError('Unable to get Helm chart values'),
-  });
-}
diff --git a/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmRepoVersions.ts
similarity index 94%
rename from app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
rename to app/react/kubernetes/helm/helmChartSourceQueries/useHelmRepoVersions.ts
index 98b7c3c99..6245243cd 100644
--- a/app/react/kubernetes/helm/queries/useHelmRepoVersions.ts
+++ b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmRepoVersions.ts
@@ -5,6 +5,8 @@ import { compact, flatMap } from 'lodash';
 import { withGlobalError } from '@/react-tools/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 
+import { queryKeys } from './query-keys';
+
 interface HelmSearch {
   entries: Entries;
 }
@@ -44,9 +46,9 @@ export function useHelmRepoVersions(
     queries: useMemo(
       () =>
         repoSources.map(({ repo }) => ({
-          queryKey: ['helm', 'repositories', chart, repo, useCache],
+          queryKey: queryKeys.chartVersions(repo || '', chart),
           queryFn: () => getSearchHelmRepo({ repo, chart, useCache }),
-          enabled: !!chart && repoSources.length > 0,
+          enabled: !!chart && !!repo,
           staleTime,
           ...withGlobalError(`Unable to retrieve versions from ${repo}`),
         })),
diff --git a/app/react/kubernetes/helm/queries/useHelmRepositories.ts b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmRepositories.ts
similarity index 75%
rename from app/react/kubernetes/helm/queries/useHelmRepositories.ts
rename to app/react/kubernetes/helm/helmChartSourceQueries/useHelmRepositories.ts
index 32a054325..e382164cb 100644
--- a/app/react/kubernetes/helm/queries/useHelmRepositories.ts
+++ b/app/react/kubernetes/helm/helmChartSourceQueries/useHelmRepositories.ts
@@ -10,17 +10,19 @@ import { Option } from '@/react/components/form-components/PortainerSelect';
 import { HelmRegistriesResponse } from '../types';
 import { RepoValue } from '../components/HelmRegistrySelect';
 
+import { queryKeys } from './query-keys';
+
 /**
  * Hook to fetch all Helm registries for the current user
  */
 export function useUserHelmRepositories<T = string[]>({
   select,
 }: {
-  select?: (registries: string[]) => T;
+  select?: (registries: HelmRegistriesResponse) => T;
 } = {}) {
   const { user } = useCurrentUser();
   return useQuery(
-    ['helm', 'registries'],
+    queryKeys.registries(user.Id),
     async () => getUserHelmRepositories(user.Id),
     {
       enabled: !!user.Id,
@@ -33,7 +35,8 @@ export function useUserHelmRepositories<T = string[]>({
 export function useHelmRepoOptions() {
   return useUserHelmRepositories({
     select: (registries) => {
-      const repoOptions = registries
+      const registryArray = flattenHelmRegistries(registries);
+      const repoOptions = registryArray
         .map<Option<RepoValue>>((registry) => ({
           label: registry,
           value: {
@@ -72,13 +75,18 @@ async function getUserHelmRepositories(userId: UserId) {
     const { data } = await axios.get<HelmRegistriesResponse>(
       `users/${userId}/helm/repositories`
     );
-    // compact will remove the global repository if it's empty
-    const repos = compact([
-      data.GlobalRepository.toLowerCase(),
-      ...data.UserRepositories.map((repo) => repo.URL.toLowerCase()),
-    ]);
-    return [...new Set(repos)];
+    return data;
   } catch (err) {
     throw parseAxiosError(err, 'Unable to retrieve helm repositories for user');
   }
 }
+
+/** get the unique global and user registries in one array */
+export function flattenHelmRegistries(registries: HelmRegistriesResponse) {
+  // compact will remove the global repository if it's empty
+  const repos = compact([
+    registries.GlobalRepository.toLowerCase(),
+    ...registries.UserRepositories.map((repo) => repo.URL.toLowerCase()),
+  ]);
+  return [...new Set(repos)];
+}
diff --git a/app/react/kubernetes/helm/helmReleaseQueries/query-keys.ts b/app/react/kubernetes/helm/helmReleaseQueries/query-keys.ts
new file mode 100644
index 000000000..c12ad5c96
--- /dev/null
+++ b/app/react/kubernetes/helm/helmReleaseQueries/query-keys.ts
@@ -0,0 +1,47 @@
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import { environmentQueryKeys } from '@/react/portainer/environments/queries/query-keys';
+
+import { UpdateHelmReleasePayload } from '../types';
+
+export const queryKeys = {
+  // Environment-scoped Helm queries (following kubernetes pattern)
+  base: (environmentId: EnvironmentId) =>
+    [
+      ...environmentQueryKeys.item(environmentId),
+      'kubernetes',
+      'helm',
+    ] as const,
+
+  // Helm releases (environment-specific)
+  releases: (environmentId: EnvironmentId) =>
+    [...queryKeys.base(environmentId), 'releases'] as const,
+
+  release: (
+    environmentId: EnvironmentId,
+    namespace: string,
+    name: string,
+    revision?: number,
+    showResources?: boolean
+  ) =>
+    [
+      ...queryKeys.releases(environmentId),
+      namespace,
+      name,
+      revision,
+      showResources,
+    ] as const,
+
+  releaseHistory: (
+    environmentId: EnvironmentId,
+    namespace: string,
+    name: string
+  ) =>
+    [...queryKeys.release(environmentId, namespace, name), 'history'] as const,
+
+  // Environment-specific install operations
+  installDryRun: (
+    environmentId: EnvironmentId,
+    payload: UpdateHelmReleasePayload
+  ) =>
+    [...queryKeys.base(environmentId), 'install', 'dry-run', payload] as const,
+};
diff --git a/app/react/kubernetes/helm/helmReleaseQueries/useHelmDryRun.ts b/app/react/kubernetes/helm/helmReleaseQueries/useHelmDryRun.ts
new file mode 100644
index 000000000..f36c4204d
--- /dev/null
+++ b/app/react/kubernetes/helm/helmReleaseQueries/useHelmDryRun.ts
@@ -0,0 +1,38 @@
+import { useQuery, UseQueryResult } from '@tanstack/react-query';
+
+import { EnvironmentId } from '@/react/portainer/environments/types';
+import PortainerError from '@/portainer/error';
+
+import { HelmRelease, UpdateHelmReleasePayload } from '../types';
+
+import { updateHelmRelease } from './useUpdateHelmReleaseMutation';
+import { queryKeys } from './query-keys';
+
+export function useHelmDryRun(
+  environmentId: EnvironmentId,
+  payload: UpdateHelmReleasePayload
+): UseQueryResult<HelmRelease, PortainerError> {
+  return useQuery({
+    queryKey: queryKeys.installDryRun(environmentId, payload),
+    queryFn: () =>
+      // use updateHelmRelease as if it were a get request with dryRun. The payload is debounced to prevent too many requests.
+      updateHelmRelease(
+        environmentId,
+        payload,
+        { dryRun: true },
+        {
+          errorMessage: 'Unable to get Helm manifest preview',
+        }
+      ),
+    // don't display error toast, handle it within the component
+    enabled:
+      !!payload.repo &&
+      !!payload.chart &&
+      !!payload.name &&
+      !!payload.namespace &&
+      !!payload.version,
+    retry: false,
+    refetchOnWindowFocus: false,
+    staleTime: 1000 * 60, // small 1 minute stale time to reduce the number of requests
+  });
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmHistory.ts b/app/react/kubernetes/helm/helmReleaseQueries/useHelmHistory.ts
similarity index 88%
rename from app/react/kubernetes/helm/HelmApplicationView/queries/useHelmHistory.ts
rename to app/react/kubernetes/helm/helmReleaseQueries/useHelmHistory.ts
index 41d6ab375..1f69a8a5b 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmHistory.ts
+++ b/app/react/kubernetes/helm/helmReleaseQueries/useHelmHistory.ts
@@ -4,7 +4,9 @@ import { EnvironmentId } from '@/react/portainer/environments/types';
 import { withGlobalError } from '@/react-tools/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 
-import { HelmRelease } from '../../types';
+import { HelmRelease } from '../types';
+
+import { queryKeys } from './query-keys';
 
 export function useHelmHistory(
   environmentId: EnvironmentId,
@@ -12,7 +14,7 @@ export function useHelmHistory(
   namespace: string
 ) {
   return useQuery(
-    [environmentId, 'helm', 'releases', namespace, name, 'history'],
+    queryKeys.releaseHistory(environmentId, namespace, name),
     () => getHelmHistory(environmentId, name, namespace),
     {
       enabled: !!environmentId && !!name && !!namespace,
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts b/app/react/kubernetes/helm/helmReleaseQueries/useHelmRelease.ts
similarity index 91%
rename from app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
rename to app/react/kubernetes/helm/helmReleaseQueries/useHelmRelease.ts
index cdf465c16..4f377fb7a 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRelease.ts
+++ b/app/react/kubernetes/helm/helmReleaseQueries/useHelmRelease.ts
@@ -4,7 +4,9 @@ import { EnvironmentId } from '@/react/portainer/environments/types';
 import { withGlobalError } from '@/react-tools/react-query';
 import axios, { parseAxiosError } from '@/portainer/services/axios';
 
-import { HelmRelease } from '../../types';
+import { HelmRelease } from '../types';
+
+import { queryKeys } from './query-keys';
 
 type Options<T> = {
   select?: (data: HelmRelease) => T;
@@ -27,15 +29,7 @@ export function useHelmRelease<T = HelmRelease>(
   const { select, showResources, refetchInterval, revision, staleTime } =
     options;
   return useQuery(
-    [
-      environmentId,
-      'helm',
-      'releases',
-      namespace,
-      name,
-      revision,
-      showResources,
-    ],
+    queryKeys.release(environmentId, namespace, name, revision, showResources),
     () =>
       getHelmRelease(environmentId, name, {
         namespace,
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRollbackMutation.ts b/app/react/kubernetes/helm/helmReleaseQueries/useHelmRollbackMutation.ts
similarity index 88%
rename from app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRollbackMutation.ts
rename to app/react/kubernetes/helm/helmReleaseQueries/useHelmRollbackMutation.ts
index 6aea3ad29..81b1bff39 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useHelmRollbackMutation.ts
+++ b/app/react/kubernetes/helm/helmReleaseQueries/useHelmRollbackMutation.ts
@@ -7,7 +7,9 @@ import {
   withGlobalError,
 } from '@/react-tools/react-query';
 import axios from '@/portainer/services/axios';
-import { queryKeys } from '@/react/kubernetes/applications/queries/query-keys';
+import { queryKeys as applicationsQueryKeys } from '@/react/kubernetes/applications/queries/query-keys';
+
+import { queryKeys } from './query-keys';
 
 /**
  * Parameters for helm rollback operation
@@ -54,8 +56,8 @@ export function useHelmRollbackMutation(environmentId: EnvironmentId) {
       rollbackRelease({ releaseName, params, environmentId }),
     ...withGlobalError('Unable to rollback Helm release'),
     ...withInvalidate(queryClient, [
-      [environmentId, 'helm', 'releases'],
-      queryKeys.applications(environmentId),
+      queryKeys.releases(environmentId),
+      applicationsQueryKeys.applications(environmentId),
     ]),
   });
 }
diff --git a/app/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation.ts b/app/react/kubernetes/helm/helmReleaseQueries/useUninstallHelmAppMutation.ts
similarity index 94%
rename from app/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation.ts
rename to app/react/kubernetes/helm/helmReleaseQueries/useUninstallHelmAppMutation.ts
index 7daa5835c..16341eb76 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/queries/useUninstallHelmAppMutation.ts
+++ b/app/react/kubernetes/helm/helmReleaseQueries/useUninstallHelmAppMutation.ts
@@ -5,6 +5,8 @@ import { withGlobalError, withInvalidate } from '@/react-tools/react-query';
 import { queryKeys as applicationsQueryKeys } from '@/react/kubernetes/applications/queries/query-keys';
 import { EnvironmentId } from '@/react/portainer/environments/types';
 
+import { queryKeys } from './query-keys';
+
 export function useUninstallHelmAppMutation(environmentId: EnvironmentId) {
   const queryClient = useQueryClient();
   return useMutation({
@@ -16,6 +18,7 @@ export function useUninstallHelmAppMutation(environmentId: EnvironmentId) {
       namespace?: string;
     }) => uninstallHelmApplication(environmentId, releaseName, namespace),
     ...withInvalidate(queryClient, [
+      queryKeys.releases(environmentId),
       applicationsQueryKeys.applications(environmentId),
     ]),
     ...withGlobalError('Unable to uninstall helm application'),
diff --git a/app/react/kubernetes/helm/queries/useUpdateHelmReleaseMutation.ts b/app/react/kubernetes/helm/helmReleaseQueries/useUpdateHelmReleaseMutation.ts
similarity index 63%
rename from app/react/kubernetes/helm/queries/useUpdateHelmReleaseMutation.ts
rename to app/react/kubernetes/helm/helmReleaseQueries/useUpdateHelmReleaseMutation.ts
index f2278ae58..689ebac3a 100644
--- a/app/react/kubernetes/helm/queries/useUpdateHelmReleaseMutation.ts
+++ b/app/react/kubernetes/helm/helmReleaseQueries/useUpdateHelmReleaseMutation.ts
@@ -7,30 +7,48 @@ import { EnvironmentId } from '@/react/portainer/environments/types';
 
 import { HelmRelease, UpdateHelmReleasePayload } from '../types';
 
+import { queryKeys } from './query-keys';
+
 export function useUpdateHelmReleaseMutation(environmentId: EnvironmentId) {
   const queryClient = useQueryClient();
   return useMutation({
     mutationFn: (payload: UpdateHelmReleasePayload) =>
       updateHelmRelease(environmentId, payload),
     ...withInvalidate(queryClient, [
-      [environmentId, 'helm', 'releases'],
+      queryKeys.releases(environmentId),
       applicationsQueryKeys.applications(environmentId),
     ]),
-    ...withGlobalError('Unable to uninstall helm application'),
+    ...withGlobalError('Unable to update Helm release'),
   });
 }
 
-async function updateHelmRelease(
+type UpdateHelmReleaseParams = {
+  dryRun?: boolean;
+};
+
+type UpdateHelmReleaseOptions = {
+  errorMessage?: string;
+};
+
+export async function updateHelmRelease(
   environmentId: EnvironmentId,
-  payload: UpdateHelmReleasePayload
+  payload: UpdateHelmReleasePayload,
+  params: UpdateHelmReleaseParams = {},
+  options: UpdateHelmReleaseOptions = {}
 ) {
   try {
     const { data } = await axios.post<HelmRelease>(
       `endpoints/${environmentId}/kubernetes/helm`,
-      payload
+      payload,
+      {
+        params,
+      }
     );
     return data;
   } catch (err) {
-    throw parseAxiosError(err, 'Unable to update helm release');
+    throw parseAxiosError(
+      err,
+      options.errorMessage ?? 'Unable to update helm release'
+    );
   }
 }
diff --git a/app/react/portainer/account/AccountView/.keep b/app/react/portainer/account/AccountView/.keep
deleted file mode 100644
index e69de29bb..000000000
diff --git a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
index c12ed9ffa..8916dfb41 100644
--- a/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
+++ b/app/react/portainer/account/AccountView/HelmRepositoryDatatable/helm-repositories.service.ts
@@ -4,6 +4,8 @@ import axios, { parseAxiosError } from '@/portainer/services/axios';
 import { success as notifySuccess } from '@/portainer/services/notifications';
 import { withError } from '@/react-tools/react-query';
 import { pluralize } from '@/portainer/helpers/strings';
+import { queryKeys } from '@/react/kubernetes/helm/helmChartSourceQueries/query-keys';
+import { useCurrentUser } from '@/react/hooks/useUser';
 
 import {
   CreateHelmRepositoryPayload,
@@ -52,11 +54,12 @@ export async function deleteHelmRepositories(repos: HelmRepository[]) {
 
 export function useDeleteHelmRepositoryMutation() {
   const queryClient = useQueryClient();
+  const { user } = useCurrentUser();
 
   return useMutation(deleteHelmRepository, {
     onSuccess: (_, helmRepository) => {
       notifySuccess('Helm repository deleted successfully', helmRepository.URL);
-      return queryClient.invalidateQueries(['helmrepositories']);
+      return queryClient.invalidateQueries(queryKeys.registries(user.Id));
     },
     ...withError('Unable to delete Helm repository'),
   });
@@ -64,6 +67,7 @@ export function useDeleteHelmRepositoryMutation() {
 
 export function useDeleteHelmRepositoriesMutation() {
   const queryClient = useQueryClient();
+  const { user } = useCurrentUser();
 
   return useMutation(deleteHelmRepositories, {
     onSuccess: () => {
@@ -75,26 +79,31 @@ export function useDeleteHelmRepositoriesMutation() {
           'repositories'
         )} deleted successfully`
       );
-      return queryClient.invalidateQueries(['helmrepositories']);
+      return queryClient.invalidateQueries(queryKeys.registries(user.Id));
     },
     ...withError('Unable to delete Helm repositories'),
   });
 }
 
 export function useHelmRepositories(userId: number) {
-  return useQuery(['helmrepositories'], () => getHelmRepositories(userId), {
-    staleTime: 20,
-    ...withError('Unable to retrieve Helm repositories'),
-  });
+  return useQuery(
+    queryKeys.registries(userId),
+    () => getHelmRepositories(userId),
+    {
+      staleTime: 20,
+      ...withError('Unable to retrieve Helm repositories'),
+    }
+  );
 }
 
 export function useCreateHelmRepositoryMutation() {
   const queryClient = useQueryClient();
+  const { user } = useCurrentUser();
 
   return useMutation(createHelmRepository, {
     onSuccess: (_, payload) => {
       notifySuccess('Helm repository created successfully', payload.URL);
-      return queryClient.invalidateQueries(['helmrepositories']);
+      return queryClient.invalidateQueries(queryKeys.registries(user.Id));
     },
     ...withError('Unable to create Helm repository'),
   });
diff --git a/app/setup-tests/mock-codemirror.tsx b/app/setup-tests/mock-codemirror.tsx
index 5c96025b8..10dcfa11c 100644
--- a/app/setup-tests/mock-codemirror.tsx
+++ b/app/setup-tests/mock-codemirror.tsx
@@ -1,7 +1,36 @@
 export function mockCodeMirror() {
   vi.mock('@uiw/react-codemirror', () => ({
     __esModule: true,
-    default: () => <div />,
+    default: ({
+      value,
+      onChange,
+      readOnly,
+      placeholder,
+      height,
+      className,
+      id,
+      'data-cy': dataCy,
+    }: {
+      value?: string;
+      onChange?: (value: string) => void;
+      readOnly?: boolean;
+      placeholder?: string;
+      height?: string;
+      className?: string;
+      id?: string;
+      'data-cy'?: string;
+    }) => (
+      <textarea
+        value={value}
+        onChange={(e) => onChange?.(e.target.value)}
+        readOnly={readOnly}
+        placeholder={placeholder}
+        style={height ? { height } : undefined}
+        className={className}
+        id={id}
+        data-cy={dataCy}
+      />
+    ),
     oneDarkHighlightStyle: {},
     keymap: {
       of: () => ({}),
diff --git a/app/setup-tests/setup-codemirror.ts b/app/setup-tests/setup-codemirror.ts
index e5f83fffc..6f0514710 100644
--- a/app/setup-tests/setup-codemirror.ts
+++ b/app/setup-tests/setup-codemirror.ts
@@ -1,5 +1,10 @@
 import 'vitest-dom/extend-expect';
 
+import { mockCodeMirror } from './mock-codemirror';
+
+// Initialize CodeMirror module mocks
+mockCodeMirror();
+
 // Mock Range APIs that CodeMirror needs but JSDOM doesn't provide
 Range.prototype.getBoundingClientRect = () => ({
   bottom: 0,
diff --git a/pkg/libhelm/options/install_options.go b/pkg/libhelm/options/install_options.go
index 60b14cf0f..7873066b2 100644
--- a/pkg/libhelm/options/install_options.go
+++ b/pkg/libhelm/options/install_options.go
@@ -17,6 +17,7 @@ type InstallOptions struct {
 	ValuesFile              string
 	PostRenderer            string
 	Atomic                  bool
+	DryRun                  bool
 	Timeout                 time.Duration
 	KubernetesClusterAccess *KubernetesClusterAccess
 
diff --git a/pkg/libhelm/sdk/install.go b/pkg/libhelm/sdk/install.go
index 08c563559..4b172efaa 100644
--- a/pkg/libhelm/sdk/install.go
+++ b/pkg/libhelm/sdk/install.go
@@ -113,6 +113,10 @@ func (hspm *HelmSDKPackageManager) install(installOpts options.InstallOptions) (
 			Str("namespace", installOpts.Namespace).
 			Err(err).
 			Msg("Failed to install helm chart for helm release installation")
+		if installOpts.DryRun {
+			// remove installation wording for dry run. The inner error has enough context.
+			return nil, errors.Wrap(err, "dry-run failed")
+		}
 		return nil, errors.Wrap(err, "helm was not able to install the chart for helm release installation")
 	}
 
@@ -142,6 +146,7 @@ func initInstallClient(actionConfig *action.Configuration, installOpts options.I
 	installClient.Wait = installOpts.Wait
 	installClient.Timeout = installOpts.Timeout
 	installClient.Version = installOpts.Version
+	installClient.DryRun = installOpts.DryRun
 	err := configureChartPathOptions(&installClient.ChartPathOptions, installOpts.Version, installOpts.Repo, installOpts.Registry)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to configure chart path options for helm release installation")
diff --git a/pkg/libhelm/sdk/upgrade.go b/pkg/libhelm/sdk/upgrade.go
index 1e2a1a5c2..698a3e374 100644
--- a/pkg/libhelm/sdk/upgrade.go
+++ b/pkg/libhelm/sdk/upgrade.go
@@ -165,6 +165,7 @@ func initUpgradeClient(actionConfig *action.Configuration, upgradeOpts options.I
 	upgradeClient.Atomic = upgradeOpts.Atomic
 	upgradeClient.Wait = upgradeOpts.Wait
 	upgradeClient.Version = upgradeOpts.Version
+	upgradeClient.DryRun = upgradeOpts.DryRun
 	err := configureChartPathOptions(&upgradeClient.ChartPathOptions, upgradeOpts.Version, upgradeOpts.Repo, upgradeOpts.Registry)
 	if err != nil {
 		return nil, errors.Wrap(err, "failed to configure chart path options for helm release upgrade")

From bba37512684affd8b3a70ab0896050a7ae59b970 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Wed, 23 Jul 2025 14:06:20 -0300
Subject: [PATCH 195/212] fix(roar): return empty slices instead of nil for
 easier API compatibility BE-12053 (#932)

---
 .../edgegroups/edgegroup_inspect_test.go      | 39 +++++++++++++++++++
 api/roar/roar.go                              |  2 +-
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/api/http/handler/edgegroups/edgegroup_inspect_test.go b/api/http/handler/edgegroups/edgegroup_inspect_test.go
index d7966cf97..5af282372 100644
--- a/api/http/handler/edgegroups/edgegroup_inspect_test.go
+++ b/api/http/handler/edgegroups/edgegroup_inspect_test.go
@@ -69,6 +69,45 @@ func TestEdgeGroupInspectHandler(t *testing.T) {
 	assert.ElementsMatch(t, []portainer.EndpointID{1, 2, 3}, responseGroup.Endpoints)
 }
 
+func TestEmptyEdgeGroupInspectHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, true)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	err := store.EndpointGroup().Create(&portainer.EndpointGroup{
+		ID:   1,
+		Name: "Test Group",
+	})
+	require.NoError(t, err)
+
+	err = store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          1,
+		Name:        "Test Edge Group",
+		EndpointIDs: roar.Roar[portainer.EndpointID]{},
+	})
+	require.NoError(t, err)
+
+	rr := httptest.NewRecorder()
+
+	req := httptest.NewRequest(
+		http.MethodGet,
+		"/edge_groups/1",
+		nil,
+	)
+
+	handler.ServeHTTP(rr, req)
+	require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+	var responseGroup portainer.EdgeGroup
+	err = json.NewDecoder(rr.Body).Decode(&responseGroup)
+	require.NoError(t, err)
+
+	// Make sure the frontend does not get a null value but a [] instead
+	require.NotNil(t, responseGroup.Endpoints)
+	require.Len(t, responseGroup.Endpoints, 0)
+}
+
 func TestDynamicEdgeGroupInspectHandler(t *testing.T) {
 	_, store := datastore.MustNewTestStore(t, true, true)
 
diff --git a/api/roar/roar.go b/api/roar/roar.go
index c32843ee4..6edc67f75 100644
--- a/api/roar/roar.go
+++ b/api/roar/roar.go
@@ -91,7 +91,7 @@ func (r *Roar[T]) Intersection(other Roar[T]) {
 // ToSlice converts the bitmap to a slice of elements
 func (r *Roar[T]) ToSlice() []T {
 	if r.rb == nil {
-		return nil
+		return make([]T, 0)
 	}
 
 	slice := make([]T, 0, r.rb.GetCardinality())

From bdb2e2f4174c6841d67b5f7ab61ba7da8bed2dd2 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Thu, 24 Jul 2025 13:11:13 +1200
Subject: [PATCH 196/212] fix(transport): portainer generated kubeconfig causes
 kubectl exec fail [R8S-430] (#929)

---
 api/cmd/portainer/main.go                     |   2 +-
 .../handler/endpoints/endpoint_delete_test.go |   2 +-
 api/http/proxy/factory/factory.go             |   4 +-
 api/http/proxy/factory/kubernetes.go          |   6 +-
 .../factory/kubernetes/agent_transport.go     |   3 +-
 .../factory/kubernetes/edge_transport.go      |   3 +-
 .../factory/kubernetes/local_transport.go     |   3 +-
 api/http/proxy/factory/kubernetes/pods.go     |   8 +-
 .../proxy/factory/kubernetes/transport.go     |  23 +-
 .../factory/kubernetes/transport_test.go      | 359 ++++++++++++++++++
 api/http/proxy/factory/reverse_proxy.go       |  25 +-
 api/http/proxy/manager.go                     |   4 +-
 12 files changed, 417 insertions(+), 25 deletions(-)
 create mode 100644 api/http/proxy/factory/kubernetes/transport_test.go

diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 30493a3da..818025bdf 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -451,7 +451,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 
 	snapshotService.Start()
 
-	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
+	proxyManager.NewProxyFactory(dataStore, signatureService, reverseTunnelService, dockerClientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService, jwtService)
 
 	helmPackageManager, err := initHelmPackageManager()
 	if err != nil {
diff --git a/api/http/handler/endpoints/endpoint_delete_test.go b/api/http/handler/endpoints/endpoint_delete_test.go
index 559c1b680..73b2b878b 100644
--- a/api/http/handler/endpoints/endpoint_delete_test.go
+++ b/api/http/handler/endpoints/endpoint_delete_test.go
@@ -22,7 +22,7 @@ func TestEndpointDeleteEdgeGroupsConcurrently(t *testing.T) {
 	handler := NewHandler(testhelpers.NewTestRequestBouncer())
 	handler.DataStore = store
 	handler.ProxyManager = proxy.NewManager(nil)
-	handler.ProxyManager.NewProxyFactory(nil, nil, nil, nil, nil, nil, nil, nil)
+	handler.ProxyManager.NewProxyFactory(nil, nil, nil, nil, nil, nil, nil, nil, nil)
 
 	// Create all the environments and add them to the same edge group
 
diff --git a/api/http/proxy/factory/factory.go b/api/http/proxy/factory/factory.go
index 28d05dec5..b45629630 100644
--- a/api/http/proxy/factory/factory.go
+++ b/api/http/proxy/factory/factory.go
@@ -24,11 +24,12 @@ type (
 		kubernetesTokenCacheManager *kubernetes.TokenCacheManager
 		gitService                  portainer.GitService
 		snapshotService             portainer.SnapshotService
+		jwtService                  portainer.JWTService
 	}
 )
 
 // NewProxyFactory returns a pointer to a new instance of a ProxyFactory
-func NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService) *ProxyFactory {
+func NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService, jwtService portainer.JWTService) *ProxyFactory {
 	return &ProxyFactory{
 		dataStore:                   dataStore,
 		signatureService:            signatureService,
@@ -38,6 +39,7 @@ func NewProxyFactory(dataStore dataservices.DataStore, signatureService portaine
 		kubernetesTokenCacheManager: kubernetesTokenCacheManager,
 		gitService:                  gitService,
 		snapshotService:             snapshotService,
+		jwtService:                  jwtService,
 	}
 }
 
diff --git a/api/http/proxy/factory/kubernetes.go b/api/http/proxy/factory/kubernetes.go
index eceee181a..ea08467e5 100644
--- a/api/http/proxy/factory/kubernetes.go
+++ b/api/http/proxy/factory/kubernetes.go
@@ -38,7 +38,7 @@ func (factory *ProxyFactory) newKubernetesLocalProxy(endpoint *portainer.Endpoin
 		return nil, err
 	}
 
-	transport, err := kubernetes.NewLocalTransport(tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore)
+	transport, err := kubernetes.NewLocalTransport(tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
 	if err != nil {
 		return nil, err
 	}
@@ -74,7 +74,7 @@ func (factory *ProxyFactory) newKubernetesEdgeHTTPProxy(endpoint *portainer.Endp
 
 	endpointURL.Scheme = "http"
 	proxy := NewSingleHostReverseProxyWithHostHeader(endpointURL)
-	proxy.Transport = kubernetes.NewEdgeTransport(factory.dataStore, factory.signatureService, factory.reverseTunnelService, endpoint, tokenManager, factory.kubernetesClientFactory)
+	proxy.Transport = kubernetes.NewEdgeTransport(factory.dataStore, factory.signatureService, factory.reverseTunnelService, endpoint, tokenManager, factory.kubernetesClientFactory, factory.jwtService)
 
 	return proxy, nil
 }
@@ -105,7 +105,7 @@ func (factory *ProxyFactory) newKubernetesAgentHTTPSProxy(endpoint *portainer.En
 	}
 
 	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
-	proxy.Transport = kubernetes.NewAgentTransport(factory.signatureService, tlsConfig, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore)
+	proxy.Transport = kubernetes.NewAgentTransport(factory.signatureService, tlsConfig, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
 
 	return proxy, nil
 }
diff --git a/api/http/proxy/factory/kubernetes/agent_transport.go b/api/http/proxy/factory/kubernetes/agent_transport.go
index b6ab548ae..b127b85fd 100644
--- a/api/http/proxy/factory/kubernetes/agent_transport.go
+++ b/api/http/proxy/factory/kubernetes/agent_transport.go
@@ -16,7 +16,7 @@ type agentTransport struct {
 }
 
 // NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer agent
-func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore) *agentTransport {
+func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) *agentTransport {
 	transport := &agentTransport{
 		baseTransport: newBaseTransport(
 			&http.Transport{
@@ -26,6 +26,7 @@ func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsCo
 			endpoint,
 			k8sClientFactory,
 			dataStore,
+			jwtService,
 		),
 		signatureService: signatureService,
 	}
diff --git a/api/http/proxy/factory/kubernetes/edge_transport.go b/api/http/proxy/factory/kubernetes/edge_transport.go
index 4eed6934a..73946114e 100644
--- a/api/http/proxy/factory/kubernetes/edge_transport.go
+++ b/api/http/proxy/factory/kubernetes/edge_transport.go
@@ -16,7 +16,7 @@ type edgeTransport struct {
 }
 
 // NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer Edge agent
-func NewEdgeTransport(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, endpoint *portainer.Endpoint, tokenManager *tokenManager, k8sClientFactory *cli.ClientFactory) *edgeTransport {
+func NewEdgeTransport(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, reverseTunnelService portainer.ReverseTunnelService, endpoint *portainer.Endpoint, tokenManager *tokenManager, k8sClientFactory *cli.ClientFactory, jwtService portainer.JWTService) *edgeTransport {
 	transport := &edgeTransport{
 		reverseTunnelService: reverseTunnelService,
 		signatureService:     signatureService,
@@ -26,6 +26,7 @@ func NewEdgeTransport(dataStore dataservices.DataStore, signatureService portain
 			endpoint,
 			k8sClientFactory,
 			dataStore,
+			jwtService,
 		),
 	}
 
diff --git a/api/http/proxy/factory/kubernetes/local_transport.go b/api/http/proxy/factory/kubernetes/local_transport.go
index 4ae4082d9..6fe255ff6 100644
--- a/api/http/proxy/factory/kubernetes/local_transport.go
+++ b/api/http/proxy/factory/kubernetes/local_transport.go
@@ -14,7 +14,7 @@ type localTransport struct {
 }
 
 // NewLocalTransport returns a new transport that can be used to send requests to the local Kubernetes API
-func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore) (*localTransport, error) {
+func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) (*localTransport, error) {
 	config, err := crypto.CreateTLSConfigurationFromBytes(nil, nil, nil, true, true)
 	if err != nil {
 		return nil, err
@@ -29,6 +29,7 @@ func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint,
 			endpoint,
 			k8sClientFactory,
 			dataStore,
+			jwtService,
 		),
 	}
 
diff --git a/api/http/proxy/factory/kubernetes/pods.go b/api/http/proxy/factory/kubernetes/pods.go
index 6c36e079a..a2e5f1860 100644
--- a/api/http/proxy/factory/kubernetes/pods.go
+++ b/api/http/proxy/factory/kubernetes/pods.go
@@ -2,12 +2,18 @@ package kubernetes
 
 import (
 	"net/http"
+	"strings"
 )
 
-func (transport *baseTransport) proxyPodsRequest(request *http.Request, namespace, requestPath string) (*http.Response, error) {
+func (transport *baseTransport) proxyPodsRequest(request *http.Request, namespace string) (*http.Response, error) {
 	if request.Method == http.MethodDelete {
 		transport.refreshRegistry(request, namespace)
 	}
 
+	if request.Method == http.MethodPost && strings.Contains(request.URL.Path, "/exec") {
+		if err := transport.addTokenForExec(request); err != nil {
+			return nil, err
+		}
+	}
 	return transport.executeKubernetesRequest(request)
 }
diff --git a/api/http/proxy/factory/kubernetes/transport.go b/api/http/proxy/factory/kubernetes/transport.go
index ddab7a096..b4d06bcce 100644
--- a/api/http/proxy/factory/kubernetes/transport.go
+++ b/api/http/proxy/factory/kubernetes/transport.go
@@ -26,15 +26,17 @@ type baseTransport struct {
 	endpoint         *portainer.Endpoint
 	k8sClientFactory *cli.ClientFactory
 	dataStore        dataservices.DataStore
+	jwtService       portainer.JWTService
 }
 
-func newBaseTransport(httpTransport *http.Transport, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore) *baseTransport {
+func newBaseTransport(httpTransport *http.Transport, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) *baseTransport {
 	return &baseTransport{
 		httpTransport:    httpTransport,
 		tokenManager:     tokenManager,
 		endpoint:         endpoint,
 		k8sClientFactory: k8sClientFactory,
 		dataStore:        dataStore,
+		jwtService:       jwtService,
 	}
 }
 
@@ -82,7 +84,7 @@ func (transport *baseTransport) proxyNamespacedRequest(request *http.Request, fu
 
 	switch {
 	case strings.HasPrefix(requestPath, "pods"):
-		return transport.proxyPodsRequest(request, namespace, requestPath)
+		return transport.proxyPodsRequest(request, namespace)
 	case strings.HasPrefix(requestPath, "deployments"):
 		return transport.proxyDeploymentsRequest(request, namespace, requestPath)
 	case requestPath == "" && request.Method == "DELETE":
@@ -92,6 +94,23 @@ func (transport *baseTransport) proxyNamespacedRequest(request *http.Request, fu
 	}
 }
 
+// addTokenForExec injects a kubeconfig token into the request header
+// this is only used with kubeconfig for kubectl exec requests
+func (transport *baseTransport) addTokenForExec(request *http.Request) error {
+	tokenData, err := security.RetrieveTokenData(request)
+	if err != nil {
+		return err
+	}
+
+	token, err := transport.jwtService.GenerateTokenForKubeconfig(tokenData)
+	if err != nil {
+		return err
+	}
+
+	request.Header.Set("Authorization", "Bearer "+token)
+	return nil
+}
+
 func (transport *baseTransport) executeKubernetesRequest(request *http.Request) (*http.Response, error) {
 
 	resp, err := transport.httpTransport.RoundTrip(request)
diff --git a/api/http/proxy/factory/kubernetes/transport_test.go b/api/http/proxy/factory/kubernetes/transport_test.go
new file mode 100644
index 000000000..713714d93
--- /dev/null
+++ b/api/http/proxy/factory/kubernetes/transport_test.go
@@ -0,0 +1,359 @@
+package kubernetes
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/http/security"
+	"github.com/portainer/portainer/api/jwt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// MockJWTService implements portainer.JWTService for testing
+type MockJWTService struct {
+	generateTokenFunc func(data *portainer.TokenData) (string, error)
+}
+
+func (m *MockJWTService) GenerateToken(data *portainer.TokenData) (string, time.Time, error) {
+	if m.generateTokenFunc != nil {
+		token, err := m.generateTokenFunc(data)
+		return token, time.Now().Add(24 * time.Hour), err
+	}
+	return "mock-token", time.Now().Add(24 * time.Hour), nil
+}
+
+func (m *MockJWTService) GenerateTokenForKubeconfig(data *portainer.TokenData) (string, error) {
+	if m.generateTokenFunc != nil {
+		return m.generateTokenFunc(data)
+	}
+	return "mock-kubeconfig-token", nil
+}
+
+func (m *MockJWTService) ParseAndVerifyToken(token string) (*portainer.TokenData, string, time.Time, error) {
+	return &portainer.TokenData{ID: 1, Username: "mock", Role: portainer.AdministratorRole}, "mock-id", time.Now().Add(24 * time.Hour), nil
+}
+
+func (m *MockJWTService) SetUserSessionDuration(userSessionDuration time.Duration) {
+	// Mock implementation - not used in tests
+}
+
+func TestBaseTransport_AddTokenForExec(t *testing.T) {
+	// Setup test store and JWT service
+	_, store := datastore.MustNewTestStore(t, true, false)
+
+	// Create test users
+	adminUser := &portainer.User{
+		ID:       1,
+		Username: "admin",
+		Role:     portainer.AdministratorRole,
+	}
+	err := store.User().Create(adminUser)
+	require.NoError(t, err)
+
+	standardUser := &portainer.User{
+		ID:       2,
+		Username: "standard",
+		Role:     portainer.StandardUserRole,
+	}
+	err = store.User().Create(standardUser)
+	require.NoError(t, err)
+
+	// Create JWT service
+	jwtService, err := jwt.NewService("24h", store)
+	require.NoError(t, err)
+
+	// Create base transport
+	transport := &baseTransport{
+		jwtService: jwtService,
+	}
+
+	tests := []struct {
+		name           string
+		tokenData      *portainer.TokenData
+		setupRequest   func(*http.Request) *http.Request
+		expectError    bool
+		errorMsg       string
+		expectPanic    bool
+		verifyResponse func(*testing.T, *http.Request, *portainer.TokenData)
+	}{
+		{
+			name: "admin user - successful token generation",
+			tokenData: &portainer.TokenData{
+				ID:       adminUser.ID,
+				Username: adminUser.Username,
+				Role:     adminUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       adminUser.ID,
+					Username: adminUser.Username,
+					Role:     adminUser.Role,
+				}))
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEmpty(t, authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				parsedTokenData, _, _, err := jwtService.ParseAndVerifyToken(token)
+				assert.NoError(t, err)
+				assert.Equal(t, tokenData.ID, parsedTokenData.ID)
+				assert.Equal(t, tokenData.Username, parsedTokenData.Username)
+				assert.Equal(t, tokenData.Role, parsedTokenData.Role)
+			},
+		},
+		{
+			name: "standard user - successful token generation",
+			tokenData: &portainer.TokenData{
+				ID:       standardUser.ID,
+				Username: standardUser.Username,
+				Role:     standardUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       standardUser.ID,
+					Username: standardUser.Username,
+					Role:     standardUser.Role,
+				}))
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEmpty(t, authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				parsedTokenData, _, _, err := jwtService.ParseAndVerifyToken(token)
+				assert.NoError(t, err)
+				assert.Equal(t, tokenData.ID, parsedTokenData.ID)
+				assert.Equal(t, tokenData.Username, parsedTokenData.Username)
+				assert.Equal(t, tokenData.Role, parsedTokenData.Role)
+			},
+		},
+		{
+			name:      "request without token data in context",
+			tokenData: nil,
+			setupRequest: func(req *http.Request) *http.Request {
+				return req // Don't add token data to context
+			},
+			expectError: true,
+			errorMsg:    "Unable to find JWT data in request context",
+		},
+		{
+			name:      "request with nil token data",
+			tokenData: nil,
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, nil))
+			},
+			expectPanic: true,
+		},
+		{
+			name: "JWT service failure",
+			tokenData: &portainer.TokenData{
+				ID:       1,
+				Username: "test",
+				Role:     portainer.AdministratorRole,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       1,
+					Username: "test",
+					Role:     portainer.AdministratorRole,
+				}))
+			},
+			expectPanic: true,
+		},
+		{
+			name: "verify authorization header format",
+			tokenData: &portainer.TokenData{
+				ID:       adminUser.ID,
+				Username: adminUser.Username,
+				Role:     adminUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				return req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       adminUser.ID,
+					Username: adminUser.Username,
+					Role:     adminUser.Role,
+				}))
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEmpty(t, authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				assert.NotEmpty(t, token)
+				assert.Greater(t, len(token), 0, "Token should not be empty")
+			},
+		},
+		{
+			name: "verify header is overwritten on subsequent calls",
+			tokenData: &portainer.TokenData{
+				ID:       adminUser.ID,
+				Username: adminUser.Username,
+				Role:     adminUser.Role,
+			},
+			setupRequest: func(req *http.Request) *http.Request {
+				req = req.WithContext(security.StoreTokenData(req, &portainer.TokenData{
+					ID:       adminUser.ID,
+					Username: adminUser.Username,
+					Role:     adminUser.Role,
+				}))
+				// Set an existing Authorization header
+				req.Header.Set("Authorization", "Bearer old-token")
+				return req
+			},
+			expectError: false,
+			verifyResponse: func(t *testing.T, req *http.Request, tokenData *portainer.TokenData) {
+				authHeader := req.Header.Get("Authorization")
+				assert.NotEqual(t, "Bearer old-token", authHeader)
+				assert.True(t, strings.HasPrefix(authHeader, "Bearer "))
+
+				token := authHeader[7:] // Remove "Bearer " prefix
+				parsedTokenData, _, _, err := jwtService.ParseAndVerifyToken(token)
+				assert.NoError(t, err)
+				assert.Equal(t, tokenData.ID, parsedTokenData.ID)
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create request
+			request := httptest.NewRequest("GET", "/", nil)
+			request = tt.setupRequest(request)
+
+			// Determine which transport to use based on test case
+			var testTransport *baseTransport
+			if tt.name == "JWT service failure" {
+				testTransport = &baseTransport{
+					jwtService: nil,
+				}
+			} else {
+				testTransport = transport
+			}
+
+			// Call the function
+			if tt.expectPanic {
+				assert.Panics(t, func() {
+					_ = testTransport.addTokenForExec(request)
+				})
+				return
+			}
+
+			err := testTransport.addTokenForExec(request)
+
+			// Check results
+			if tt.expectError {
+				assert.Error(t, err)
+				if tt.errorMsg != "" {
+					assert.Contains(t, err.Error(), tt.errorMsg)
+				}
+			} else {
+				assert.NoError(t, err)
+				if tt.verifyResponse != nil {
+					tt.verifyResponse(t, request, tt.tokenData)
+				}
+			}
+		})
+	}
+}
+
+func TestBaseTransport_AddTokenForExec_Integration(t *testing.T) {
+	// Create a test HTTP server to capture requests
+	var capturedRequest *http.Request
+	var capturedHeaders http.Header
+
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		capturedRequest = r
+		capturedHeaders = r.Header.Clone()
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte("success"))
+	}))
+	defer testServer.Close()
+
+	// Create mock JWT service
+	mockJWTService := &MockJWTService{
+		generateTokenFunc: func(data *portainer.TokenData) (string, error) {
+			return "mock-token-" + data.Username, nil
+		},
+	}
+
+	// Create base transport
+	transport := &baseTransport{
+		httpTransport: &http.Transport{},
+		jwtService:    mockJWTService,
+	}
+
+	tests := []struct {
+		name          string
+		tokenData     *portainer.TokenData
+		requestPath   string
+		expectedToken string
+	}{
+		{
+			name: "admin user exec request",
+			tokenData: &portainer.TokenData{
+				ID:       1,
+				Username: "admin",
+				Role:     portainer.AdministratorRole,
+			},
+			requestPath:   "/api/endpoints/1/kubernetes/api/v1/namespaces/default/pods/test-pod/exec",
+			expectedToken: "mock-token-admin",
+		},
+		{
+			name: "standard user exec request",
+			tokenData: &portainer.TokenData{
+				ID:       2,
+				Username: "standard",
+				Role:     portainer.StandardUserRole,
+			},
+			requestPath:   "/api/endpoints/1/kubernetes/api/v1/namespaces/default/pods/test-pod/exec",
+			expectedToken: "mock-token-standard",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Reset captured data
+			capturedRequest = nil
+			capturedHeaders = nil
+
+			// Create request to the test server
+			request, err := http.NewRequest("POST", testServer.URL+tt.requestPath, strings.NewReader(""))
+			require.NoError(t, err)
+
+			// Add token data to request context
+			request = request.WithContext(security.StoreTokenData(request, tt.tokenData))
+
+			// Call proxyPodsRequest which triggers addTokenForExec for POST /exec requests
+			resp, err := transport.proxyPodsRequest(request, "default")
+			require.NoError(t, err)
+			defer resp.Body.Close()
+
+			// Verify the response
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			// Verify the request was captured
+			assert.NotNil(t, capturedRequest)
+			assert.Equal(t, "POST", capturedRequest.Method)
+			assert.Equal(t, tt.requestPath, capturedRequest.URL.Path)
+
+			// Verify the authorization header was set correctly
+			capturedAuthHeader := capturedHeaders.Get("Authorization")
+			assert.NotEmpty(t, capturedAuthHeader)
+			assert.True(t, strings.HasPrefix(capturedAuthHeader, "Bearer "))
+			assert.Equal(t, "Bearer "+tt.expectedToken, capturedAuthHeader)
+		})
+	}
+}
diff --git a/api/http/proxy/factory/reverse_proxy.go b/api/http/proxy/factory/reverse_proxy.go
index c40e6c485..a1bb3fa28 100644
--- a/api/http/proxy/factory/reverse_proxy.go
+++ b/api/http/proxy/factory/reverse_proxy.go
@@ -9,17 +9,20 @@ import (
 
 // Note that we discard any non-canonical headers by design
 var allowedHeaders = map[string]struct{}{
-	"Accept":                  {},
-	"Accept-Encoding":         {},
-	"Accept-Language":         {},
-	"Cache-Control":           {},
-	"Content-Length":          {},
-	"Content-Type":            {},
-	"Private-Token":           {},
-	"User-Agent":              {},
-	"X-Portaineragent-Target": {},
-	"X-Portainer-Volumename":  {},
-	"X-Registry-Auth":         {},
+	"Accept":                    {},
+	"Accept-Encoding":           {},
+	"Accept-Language":           {},
+	"Cache-Control":             {},
+	"Connection":                {},
+	"Content-Length":            {},
+	"Content-Type":              {},
+	"Private-Token":             {},
+	"Upgrade":                   {},
+	"User-Agent":                {},
+	"X-Portaineragent-Target":   {},
+	"X-Portainer-Volumename":    {},
+	"X-Registry-Auth":           {},
+	"X-Stream-Protocol-Version": {},
 }
 
 // newSingleHostReverseProxyWithHostHeader is based on NewSingleHostReverseProxy
diff --git a/api/http/proxy/manager.go b/api/http/proxy/manager.go
index 16f822028..477bc547b 100644
--- a/api/http/proxy/manager.go
+++ b/api/http/proxy/manager.go
@@ -32,8 +32,8 @@ func NewManager(kubernetesClientFactory *cli.ClientFactory) *Manager {
 	}
 }
 
-func (manager *Manager) NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService) {
-	manager.proxyFactory = factory.NewProxyFactory(dataStore, signatureService, tunnelService, clientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService)
+func (manager *Manager) NewProxyFactory(dataStore dataservices.DataStore, signatureService portainer.DigitalSignatureService, tunnelService portainer.ReverseTunnelService, clientFactory *dockerclient.ClientFactory, kubernetesClientFactory *cli.ClientFactory, kubernetesTokenCacheManager *kubernetes.TokenCacheManager, gitService portainer.GitService, snapshotService portainer.SnapshotService, jwtService portainer.JWTService) {
+	manager.proxyFactory = factory.NewProxyFactory(dataStore, signatureService, tunnelService, clientFactory, kubernetesClientFactory, kubernetesTokenCacheManager, gitService, snapshotService, jwtService)
 }
 
 // CreateAndRegisterEndpointProxy creates a new HTTP reverse proxy based on environment(endpoint) properties and adds it to the registered proxies.

From 1afae9934539b4025b03beb135480f64b0a58116 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Thu, 24 Jul 2025 03:30:37 +0100
Subject: [PATCH 197/212] Updates for release 2.32.0 (#936)

---
 .github/ISSUE_TEMPLATE/bug_report.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 4b58737c3..75414fa04 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -94,6 +94,7 @@ body:
       description: We only provide support for current versions of Portainer as per the lifecycle policy linked above. If you are on an older version of Portainer we recommend [updating first](https://docs.portainer.io/start/upgrade) in case your bug has already been fixed.
       multiple: false
       options:
+        - '2.32.0'
         - '2.31.3'
         - '2.31.2'
         - '2.31.1'

From e7d97d7a2b32d7835f7162e153a24449aabeb137 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Thu, 24 Jul 2025 16:37:07 +0200
Subject: [PATCH 198/212] fix(app/edge-configs): high numbers UI overlap (#931)

---
 app/react/common/utils/numbers.test.ts | 75 ++++++++++++++++++++++++++
 app/react/common/utils/numbers.ts      | 45 ++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 app/react/common/utils/numbers.test.ts
 create mode 100644 app/react/common/utils/numbers.ts

diff --git a/app/react/common/utils/numbers.test.ts b/app/react/common/utils/numbers.test.ts
new file mode 100644
index 000000000..0cd6004a5
--- /dev/null
+++ b/app/react/common/utils/numbers.test.ts
@@ -0,0 +1,75 @@
+/* eslint-disable @typescript-eslint/no-loss-of-precision */
+
+import { abbreviateNumber } from './numbers';
+
+describe('abbreviateNumber', () => {
+  test('errors', () => {
+    expect(() => abbreviateNumber(Number.NaN)).toThrowError();
+    expect(() => abbreviateNumber(1, -1)).toThrowError();
+    expect(() => abbreviateNumber(1, 21)).toThrowError();
+  });
+
+  test('zero', () => {
+    expect(abbreviateNumber(0)).toBe('0');
+    expect(abbreviateNumber(-0)).toBe('0');
+  });
+
+  test('decimals=0', () => {
+    const cases: [number, string][] = [
+      [123, '123'],
+      [123_123, '123k'],
+      [123_123_123, '123M'],
+      [123_123_123_123, '123G'],
+      [123_123_123_123_123, '123T'],
+      [123_123_123_123_123_123, '123P'],
+      [123_123_123_123_123_123_123, '123E'],
+      [123_123_123_123_123_123_123_123, '123Z'],
+      [123_123_123_123_123_123_123_123_123, '123Y'],
+      [123_123_123_123_123_123_123_123_123_123, '123123Y'],
+    ];
+    cases.forEach(([num, str]) => {
+      expect(abbreviateNumber(num, 0)).toBe(str);
+      expect(abbreviateNumber(-num, 0)).toBe(`-${str}`);
+    });
+  });
+
+  test('decimals=1 (default)', () => {
+    const cases: [number, string][] = [
+      [123, '123'],
+      [123_123, '123.1k'],
+      [123_123_123, '123.1M'],
+      [123_123_123_123, '123.1G'],
+      [123_123_123_123_123, '123.1T'],
+      [123_123_123_123_123_123, '123.1P'],
+      [123_123_123_123_123_123_123, '123.1E'],
+      [123_123_123_123_123_123_123_123, '123.1Z'],
+      [123_123_123_123_123_123_123_123_123, '123.1Y'],
+      [123_123_123_123_123_123_123_123_123_123, '123123.1Y'],
+    ];
+    cases.forEach(([num, str]) => {
+      expect(abbreviateNumber(num)).toBe(str);
+      expect(abbreviateNumber(-num)).toBe(`-${str}`);
+    });
+  });
+
+  test('decimals=10', () => {
+    const cases: [number, string][] = [
+      [123, '123'],
+      [123_123, '123.123k'],
+      [123_123_123, '123.123123M'],
+      [123_123_123_123, '123.123123123G'],
+      [123_123_123_123_123, '123.1231231231T'],
+      [123_123_123_123_123_123, '123.1231231231P'],
+      [123_123_123_123_123_123_123, '123.1231231231E'],
+      [123_123_123_123_123_123_123_123, '123.1231231231Z'],
+      [123_123_123_123_123_123_123_123_123, '123.1231231231Y'],
+      [123_123_123_123_123_123_123_123_123_123, '123123.1231231231Y'],
+    ];
+    cases.forEach(([num, str]) => {
+      expect(abbreviateNumber(num, 10)).toBe(str);
+      expect(abbreviateNumber(-num, 10)).toBe(`-${str}`);
+    });
+  });
+});
+
+/* eslint-enable @typescript-eslint/no-loss-of-precision */
diff --git a/app/react/common/utils/numbers.ts b/app/react/common/utils/numbers.ts
new file mode 100644
index 000000000..617da47ae
--- /dev/null
+++ b/app/react/common/utils/numbers.ts
@@ -0,0 +1,45 @@
+const suffixes = ['', 'k', 'M', 'G', 'T', 'P', 'E', 'Z', 'Y'];
+
+/**
+ * Converts a number to a human-readable abbreviated format
+ * Uses base 10 and standard SI prefixes
+ *
+ * @param num - The number to abbreviate
+ * @param decimals - Number of decimal places (default: 1)
+ * @returns Abbreviated number as string (e.g., "90k", "123M")
+ */
+export function abbreviateNumber(num: number, decimals: number = 1): string {
+  if (Number.isNaN(num)) {
+    throw new Error('Invalid number');
+  }
+
+  if (decimals < 0 || decimals > 20) {
+    throw new Error('Invalid decimals. Must be in [0;20] range');
+  }
+
+  const isNegative = num < 0;
+  const absNum = Math.abs(num);
+
+  if (absNum === 0) {
+    return '0';
+  }
+
+  let exponent = Math.floor(Math.log10(absNum) / 3);
+
+  if (exponent > suffixes.length - 1) {
+    exponent = suffixes.length - 1;
+  }
+
+  if (exponent < 0) {
+    exponent = 0;
+  }
+
+  const value = absNum / 1000 ** exponent;
+
+  const roundedValue =
+    exponent > 0 ? Number(value.toFixed(decimals)) : Math.floor(value);
+
+  const finalValue = isNegative ? -roundedValue : roundedValue;
+
+  return `${finalValue}${suffixes[exponent]}`;
+}

From 7bcb37c761628ca35ef988a5dca22ebf681a079b Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Fri, 25 Jul 2025 15:24:32 +1200
Subject: [PATCH 199/212] feat(app/kubernetes): Popout kubectl shell into new
 window [r8s-307] (#922)

---
 app/index.html                                |   4 +-
 app/kubernetes/__module.js                    |  24 +
 app/kubernetes/react/views/index.ts           |   5 +
 .../KubectlShell/KubectlShellView.test.tsx    | 456 ++++++++++++++++++
 .../KubectlShell/KubectlShellView.tsx}        | 140 ++----
 .../KubectlShell/KubectlShell.module.css      |  47 --
 .../KubernetesSidebar/KubectlShell/index.ts   |   1 -
 .../KubectlShellButton.test.tsx               | 127 +++++
 .../{KubectlShell => }/KubectlShellButton.tsx |  29 +-
 .../KubernetesSidebar/KubernetesSidebar.tsx   |   2 +-
 10 files changed, 677 insertions(+), 158 deletions(-)
 create mode 100644 app/react/kubernetes/cluster/KubectlShell/KubectlShellView.test.tsx
 rename app/react/{sidebar/KubernetesSidebar/KubectlShell/KubectlShell.tsx => kubernetes/cluster/KubectlShell/KubectlShellView.tsx} (52%)
 delete mode 100644 app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShell.module.css
 delete mode 100644 app/react/sidebar/KubernetesSidebar/KubectlShell/index.ts
 create mode 100644 app/react/sidebar/KubernetesSidebar/KubectlShellButton.test.tsx
 rename app/react/sidebar/KubernetesSidebar/{KubectlShell => }/KubectlShellButton.tsx (69%)

diff --git a/app/index.html b/app/index.html
index 52b9b5d10..3045fe547 100644
--- a/app/index.html
+++ b/app/index.html
@@ -31,8 +31,8 @@
     <div
       id="page-wrapper"
       ng-class="{
-        open: isSidebarOpen() && ['portainer.auth', 'portainer.init.admin'].indexOf($state.current.name) === -1,
-        nopadding: ['portainer.auth', 'portainer.init.admin', 'portainer.logout'].indexOf($state.current.name) > -1 || applicationState.loading
+        open: isSidebarOpen() && ['portainer.auth', 'portainer.init.admin', 'kubernetes.kubectlshell'].indexOf($state.current.name) === -1,
+        nopadding: ['portainer.auth', 'portainer.init.admin', 'portainer.logout', 'kubernetes.kubectlshell'].indexOf($state.current.name) > -1 || applicationState.loading
       }"
       ng-cloak
     >
diff --git a/app/kubernetes/__module.js b/app/kubernetes/__module.js
index adb937cce..5fb223a40 100644
--- a/app/kubernetes/__module.js
+++ b/app/kubernetes/__module.js
@@ -83,6 +83,13 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
             });
           }
 
+          // EE-5842: do not redirect shell views when the env is removed
+          const nextTransition = $state.transition && $state.transition.to();
+          const nextTransitionName = nextTransition ? nextTransition.name : '';
+          if (nextTransitionName === 'kubernetes.kubectlshell' && !endpoint) {
+            return;
+          }
+
           const kubeTypes = [
             PortainerEndpointTypes.KubernetesLocalEnvironment,
             PortainerEndpointTypes.AgentOnKubernetesEnvironment,
@@ -120,6 +127,11 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
               EndpointProvider.clean();
               Notifications.error('Failed loading environment', e);
             }
+            // Prevent redirect to home for shell views when environment is unreachable
+            // Show toast error instead (handled above in Notifications.error)
+            if (nextTransitionName === 'kubernetes.kubectlshell') {
+              return;
+            }
             $state.go('portainer.home', params, { reload: true, inherit: false });
             return false;
           }
@@ -424,6 +436,17 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
       },
     };
 
+    const kubectlShell = {
+      name: 'kubernetes.kubectlshell',
+      url: '/kubectl-shell',
+      views: {
+        'content@': {
+          component: 'kubectlShellView',
+        },
+        'sidebar@': {},
+      },
+    };
+
     const dashboard = {
       name: 'kubernetes.dashboard',
       url: '/dashboard',
@@ -657,6 +680,7 @@ angular.module('portainer.kubernetes', ['portainer.app', registriesModule, custo
     $stateRegistryProvider.register(deploy);
     $stateRegistryProvider.register(node);
     $stateRegistryProvider.register(nodeStats);
+    $stateRegistryProvider.register(kubectlShell);
     $stateRegistryProvider.register(resourcePools);
     $stateRegistryProvider.register(namespaceCreation);
     $stateRegistryProvider.register(resourcePool);
diff --git a/app/kubernetes/react/views/index.ts b/app/kubernetes/react/views/index.ts
index e4043985f..aeb161dcd 100644
--- a/app/kubernetes/react/views/index.ts
+++ b/app/kubernetes/react/views/index.ts
@@ -24,6 +24,7 @@ import { AccessView } from '@/react/kubernetes/namespaces/AccessView/AccessView'
 import { JobsView } from '@/react/kubernetes/more-resources/JobsView/JobsView';
 import { ClusterView } from '@/react/kubernetes/cluster/ClusterView';
 import { HelmApplicationView } from '@/react/kubernetes/helm/HelmApplicationView';
+import { KubectlShellView } from '@/react/kubernetes/cluster/KubectlShell/KubectlShellView';
 
 export const viewsModule = angular
   .module('portainer.kubernetes.react.views', [])
@@ -84,6 +85,10 @@ export const viewsModule = angular
     'kubernetesHelmApplicationView',
     r2a(withUIRouter(withReactQuery(withCurrentUser(HelmApplicationView))), [])
   )
+  .component(
+    'kubectlShellView',
+    r2a(withUIRouter(withReactQuery(withCurrentUser(KubectlShellView))), [])
+  )
   .component(
     'kubernetesClusterView',
     r2a(withUIRouter(withReactQuery(withCurrentUser(ClusterView))), [])
diff --git a/app/react/kubernetes/cluster/KubectlShell/KubectlShellView.test.tsx b/app/react/kubernetes/cluster/KubectlShell/KubectlShellView.test.tsx
new file mode 100644
index 000000000..e8bd53818
--- /dev/null
+++ b/app/react/kubernetes/cluster/KubectlShell/KubectlShellView.test.tsx
@@ -0,0 +1,456 @@
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi, type Mock } from 'vitest';
+import { Terminal } from 'xterm';
+import { fit } from 'xterm/lib/addons/fit/fit';
+
+import { terminalClose } from '@/portainer/services/terminal-window';
+import { error as notifyError } from '@/portainer/services/notifications';
+
+import { KubectlShellView } from './KubectlShellView';
+
+// Mock modules first
+vi.mock('xterm', () => ({
+  Terminal: vi.fn(() => ({
+    open: vi.fn(),
+    setOption: vi.fn(),
+    focus: vi.fn(),
+    writeln: vi.fn(),
+    writeUtf8: vi.fn(),
+    onData: vi.fn(),
+    onKey: vi.fn(),
+    dispose: vi.fn(),
+  })),
+}));
+
+vi.mock('xterm/lib/addons/fit/fit', () => ({
+  fit: vi.fn(),
+}));
+
+vi.mock('@/react/hooks/useEnvironmentId', () => ({
+  useEnvironmentId: () => 1,
+}));
+
+vi.mock('@/portainer/helpers/pathHelper', () => ({
+  baseHref: vi.fn().mockReturnValue('/portainer/'),
+}));
+
+vi.mock('@/portainer/services/terminal-window', () => ({
+  terminalClose: vi.fn(),
+}));
+
+vi.mock('@/portainer/services/notifications', () => ({
+  error: vi.fn(),
+}));
+
+// Mock WebSocket globally
+const originalWebSocket = global.WebSocket;
+let mockWebSocket: {
+  send: Mock;
+  close: Mock;
+  addEventListener: Mock;
+  removeEventListener: Mock;
+  readyState: number;
+};
+let mockTerminalInstance: Partial<Terminal>;
+
+beforeEach(() => {
+  vi.clearAllMocks();
+
+  // Create mock terminal instance
+  mockTerminalInstance = {
+    open: vi.fn(),
+    setOption: vi.fn(),
+    focus: vi.fn(),
+    writeln: vi.fn(),
+    writeUtf8: vi.fn(),
+    onData: vi.fn(),
+    onKey: vi.fn(),
+    dispose: vi.fn(),
+  };
+
+  // Mock Terminal constructor to return our mock instance
+  vi.mocked(Terminal).mockImplementation(
+    () => mockTerminalInstance as Terminal
+  );
+
+  // Create mock WebSocket instance
+  mockWebSocket = {
+    send: vi.fn(),
+    close: vi.fn(),
+    addEventListener: vi.fn(),
+    removeEventListener: vi.fn(),
+    readyState: WebSocket.OPEN,
+  };
+
+  global.WebSocket = vi.fn(() => mockWebSocket) as unknown as typeof WebSocket;
+
+  // Reset window methods
+  Object.defineProperty(window, 'location', {
+    value: {
+      protocol: 'https:',
+      host: 'localhost:3000',
+    },
+    writable: true,
+  });
+
+  Object.defineProperty(window, 'addEventListener', {
+    value: vi.fn(),
+    writable: true,
+  });
+
+  Object.defineProperty(window, 'removeEventListener', {
+    value: vi.fn(),
+    writable: true,
+  });
+});
+
+afterEach(() => {
+  global.WebSocket = originalWebSocket;
+});
+
+describe('KubectlShellView', () => {
+  it('renders loading state initially', () => {
+    render(<KubectlShellView />);
+
+    expect(screen.getByText('Loading Terminal...')).toBeInTheDocument();
+  });
+
+  it('creates WebSocket connection with correct URL', () => {
+    render(<KubectlShellView />);
+
+    expect(global.WebSocket).toHaveBeenCalledWith(
+      'wss://localhost:3000/portainer/api/websocket/kubernetes-shell?endpointId=1'
+    );
+  });
+
+  it('creates WebSocket connection with ws protocol when location is http', () => {
+    Object.defineProperty(window, 'location', {
+      value: {
+        protocol: 'http:',
+        host: 'localhost:3000',
+      },
+      writable: true,
+    });
+
+    render(<KubectlShellView />);
+
+    expect(global.WebSocket).toHaveBeenCalledWith(
+      'ws://localhost:3000/portainer/api/websocket/kubernetes-shell?endpointId=1'
+    );
+  });
+
+  it('sets up terminal event handlers on mount', () => {
+    render(<KubectlShellView />);
+
+    expect(mockTerminalInstance.onData).toHaveBeenCalled();
+    expect(mockTerminalInstance.onKey).toHaveBeenCalled();
+  });
+
+  it('adds window resize listener on mount', () => {
+    render(<KubectlShellView />);
+
+    expect(window.addEventListener).toHaveBeenCalledWith(
+      'resize',
+      expect.any(Function)
+    );
+  });
+
+  it('sends terminal data to WebSocket when terminal data event fires', () => {
+    render(<KubectlShellView />);
+
+    const onDataCallback = (mockTerminalInstance.onData as Mock).mock
+      .calls[0][0] as (data: string) => void;
+    onDataCallback('test data');
+
+    expect(mockWebSocket.send).toHaveBeenCalledWith('test data');
+  });
+
+  it('closes WebSocket and disposes terminal when Ctrl+D is pressed', () => {
+    render(<KubectlShellView />);
+
+    const onKeyCallback = (mockTerminalInstance.onKey as Mock).mock
+      .calls[0][0] as (event: { domEvent: KeyboardEvent }) => void;
+    onKeyCallback({
+      domEvent: {
+        ctrlKey: true,
+        code: 'KeyD',
+      } as KeyboardEvent,
+    });
+
+    expect(mockWebSocket.close).toHaveBeenCalled();
+    expect(mockTerminalInstance.dispose).toHaveBeenCalled();
+  });
+
+  it('handles user typing in terminal', () => {
+    render(<KubectlShellView />);
+
+    const onDataCallback = (mockTerminalInstance.onData as Mock).mock
+      .calls[0][0] as (data: string) => void;
+
+    // Simulate user typing a kubectl command
+    const userInput = 'kubectl get pods';
+    onDataCallback(userInput);
+
+    expect(mockWebSocket.send).toHaveBeenCalledWith(userInput);
+  });
+
+  it('handles Enter key in terminal', () => {
+    render(<KubectlShellView />);
+
+    const onDataCallback = (mockTerminalInstance.onData as Mock).mock
+      .calls[0][0] as (data: string) => void;
+
+    // Simulate user pressing Enter key
+    const enterKey = '\r';
+    onDataCallback(enterKey);
+
+    expect(mockWebSocket.send).toHaveBeenCalledWith(enterKey);
+  });
+
+  it('sets up WebSocket event listeners when socket is created', () => {
+    render(<KubectlShellView />);
+
+    expect(mockWebSocket.addEventListener).toHaveBeenCalledWith(
+      'open',
+      expect.any(Function)
+    );
+    expect(mockWebSocket.addEventListener).toHaveBeenCalledWith(
+      'message',
+      expect.any(Function)
+    );
+    expect(mockWebSocket.addEventListener).toHaveBeenCalledWith(
+      'close',
+      expect.any(Function)
+    );
+    expect(mockWebSocket.addEventListener).toHaveBeenCalledWith(
+      'error',
+      expect.any(Function)
+    );
+  });
+
+  it('opens terminal when WebSocket connection opens', () => {
+    render(<KubectlShellView />);
+
+    const openCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'open'
+    )![1] as () => void;
+
+    openCallback();
+
+    expect(mockTerminalInstance.open).toHaveBeenCalled();
+    expect(mockTerminalInstance.setOption).toHaveBeenCalledWith(
+      'cursorBlink',
+      true
+    );
+    expect(mockTerminalInstance.focus).toHaveBeenCalled();
+    expect(vi.mocked(fit)).toHaveBeenCalledWith(mockTerminalInstance);
+    expect(mockTerminalInstance.writeln).toHaveBeenCalledWith(
+      '#Run kubectl commands inside here'
+    );
+    expect(mockTerminalInstance.writeln).toHaveBeenCalledWith(
+      '#e.g. kubectl get all'
+    );
+    expect(mockTerminalInstance.writeln).toHaveBeenCalledWith('');
+  });
+
+  it('writes WebSocket message data to terminal', () => {
+    render(<KubectlShellView />);
+
+    const messageCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'message'
+    )![1] as (event: MessageEvent) => void;
+
+    const mockEvent = { data: 'terminal output' } as MessageEvent;
+    messageCallback(mockEvent);
+
+    expect(mockTerminalInstance.writeUtf8).toHaveBeenCalled();
+  });
+
+  it('shows disconnected state when WebSocket closes', async () => {
+    render(<KubectlShellView />);
+
+    const closeCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'close'
+    )![1] as () => void;
+
+    closeCallback();
+
+    await waitFor(() => {
+      expect(screen.getByText('Console disconnected')).toBeInTheDocument();
+    });
+
+    expect(vi.mocked(terminalClose)).toHaveBeenCalled();
+    expect(mockWebSocket.close).toHaveBeenCalled();
+    expect(mockTerminalInstance.dispose).toHaveBeenCalled();
+  });
+
+  it('shows disconnected state when WebSocket errors', async () => {
+    render(<KubectlShellView />);
+
+    const errorCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'error'
+    )![1] as (event: Event) => void;
+
+    const mockError = new Event('error');
+    errorCallback(mockError);
+
+    await waitFor(() => {
+      expect(screen.getByText('Console disconnected')).toBeInTheDocument();
+    });
+
+    expect(vi.mocked(terminalClose)).toHaveBeenCalled();
+    expect(mockWebSocket.close).toHaveBeenCalled();
+    expect(mockTerminalInstance.dispose).toHaveBeenCalled();
+  });
+
+  it('does not show error notification when WebSocket error occurs and socket is closed', () => {
+    render(<KubectlShellView />);
+
+    // Set the WebSocket state to CLOSED
+    mockWebSocket.readyState = WebSocket.CLOSED;
+
+    const errorCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'error'
+    )![1] as (event: Event) => void;
+
+    const mockError = new Event('error');
+    errorCallback(mockError);
+
+    expect(vi.mocked(notifyError)).not.toHaveBeenCalled();
+  });
+
+  it('renders reload button in disconnected state', async () => {
+    render(<KubectlShellView />);
+
+    const closeCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'close'
+    )![1] as () => void;
+
+    closeCallback();
+
+    await waitFor(() => {
+      const reloadButton = screen.getByTestId('k8sShell-reloadButton');
+      expect(reloadButton).toBeInTheDocument();
+      expect(reloadButton).toHaveTextContent('Reload');
+    });
+  });
+
+  it('renders close button in disconnected state', async () => {
+    render(<KubectlShellView />);
+
+    const closeCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'close'
+    )![1] as () => void;
+
+    closeCallback();
+
+    await waitFor(() => {
+      const closeButton = screen.getByTestId('k8sShell-closeButton');
+      expect(closeButton).toBeInTheDocument();
+      expect(closeButton).toHaveTextContent('Close');
+    });
+  });
+
+  it('reloads window when reload button is clicked', async () => {
+    const user = userEvent.setup();
+    const mockReload = vi.fn();
+    Object.defineProperty(window, 'location', {
+      value: { reload: mockReload },
+      writable: true,
+    });
+
+    render(<KubectlShellView />);
+
+    const closeCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'close'
+    )![1] as () => void;
+
+    closeCallback();
+
+    // Wait for button to appear in disconnected state
+    const reloadButton = await screen.findByTestId('k8sShell-reloadButton');
+    expect(reloadButton).toHaveTextContent('Reload');
+
+    // Click the button
+    await user.click(reloadButton);
+    expect(mockReload).toHaveBeenCalled();
+  });
+
+  it('closes window when close button is clicked', async () => {
+    const user = userEvent.setup();
+    const mockClose = vi.fn();
+    Object.defineProperty(window, 'close', {
+      value: mockClose,
+      writable: true,
+    });
+
+    render(<KubectlShellView />);
+
+    const closeCallback = mockWebSocket.addEventListener.mock.calls.find(
+      (call: unknown[]) => call[0] === 'close'
+    )![1] as () => void;
+
+    closeCallback();
+
+    // Wait for button to appear in disconnected state
+    const closeButton = await screen.findByTestId('k8sShell-closeButton');
+    expect(closeButton).toHaveTextContent('Close');
+
+    // Click the button
+    await user.click(closeButton);
+    expect(mockClose).toHaveBeenCalled();
+  });
+
+  it('removes event listeners on unmount', () => {
+    const { unmount } = render(<KubectlShellView />);
+
+    unmount();
+
+    expect(mockWebSocket.removeEventListener).toHaveBeenCalledWith(
+      'open',
+      expect.any(Function)
+    );
+    expect(mockWebSocket.removeEventListener).toHaveBeenCalledWith(
+      'message',
+      expect.any(Function)
+    );
+    expect(mockWebSocket.removeEventListener).toHaveBeenCalledWith(
+      'close',
+      expect.any(Function)
+    );
+    expect(mockWebSocket.removeEventListener).toHaveBeenCalledWith(
+      'error',
+      expect.any(Function)
+    );
+    expect(window.removeEventListener).toHaveBeenCalledWith(
+      'resize',
+      expect.any(Function)
+    );
+  });
+
+  it('fits terminal on window resize', () => {
+    render(<KubectlShellView />);
+
+    const resizeCallback = (window.addEventListener as Mock).mock.calls.find(
+      (call: unknown[]) => call[0] === 'resize'
+    )![1] as () => void;
+
+    resizeCallback();
+
+    expect(vi.mocked(fit)).toHaveBeenCalledWith(mockTerminalInstance);
+  });
+
+  it('cleans up resources on unmount', () => {
+    const { unmount } = render(<KubectlShellView />);
+
+    unmount();
+
+    expect(mockWebSocket.close).toHaveBeenCalled();
+    expect(mockTerminalInstance.dispose).toHaveBeenCalled();
+    expect(window.removeEventListener).toHaveBeenCalledWith(
+      'resize',
+      expect.any(Function)
+    );
+  });
+});
diff --git a/app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShell.tsx b/app/react/kubernetes/cluster/KubectlShell/KubectlShellView.tsx
similarity index 52%
rename from app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShell.tsx
rename to app/react/kubernetes/cluster/KubectlShell/KubectlShellView.tsx
index ac609983e..521d873ea 100644
--- a/app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShell.tsx
+++ b/app/react/kubernetes/cluster/KubectlShell/KubectlShellView.tsx
@@ -1,56 +1,39 @@
 import { Terminal } from 'xterm';
 import { fit } from 'xterm/lib/addons/fit/fit';
 import { useCallback, useEffect, useRef, useState } from 'react';
-import clsx from 'clsx';
-import { RotateCw, X, Terminal as TerminalIcon } from 'lucide-react';
 
+import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
 import { baseHref } from '@/portainer/helpers/pathHelper';
-import {
-  terminalClose,
-  terminalResize,
-} from '@/portainer/services/terminal-window';
+import { terminalClose } from '@/portainer/services/terminal-window';
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { error as notifyError } from '@/portainer/services/notifications';
 
-import { Icon } from '@@/Icon';
+import { Alert } from '@@/Alert';
 import { Button } from '@@/buttons';
 
-import styles from './KubectlShell.module.css';
+type Socket = WebSocket | null;
+type ShellState = 'loading' | 'connected' | 'disconnected';
 
-interface ShellState {
-  socket: WebSocket | null;
-  minimized: boolean;
-}
-
-interface Props {
-  environmentId: EnvironmentId;
-  onClose(): void;
-}
-
-export function KubeCtlShell({ environmentId, onClose }: Props) {
+export function KubectlShellView() {
+  const environmentId = useEnvironmentId();
   const [terminal] = useState(new Terminal());
 
-  const [shell, setShell] = useState<ShellState>({
-    socket: null,
-    minimized: false,
-  });
-
-  const { socket } = shell;
+  const [socket, setSocket] = useState<Socket>(null);
+  const [shellState, setShellState] = useState<ShellState>('loading');
 
   const terminalElem = useRef(null);
 
-  const handleClose = useCallback(() => {
+  const closeTerminal = useCallback(() => {
     terminalClose(); // only css trick
     socket?.close();
     terminal.dispose();
-    onClose();
-  }, [onClose, terminal, socket]);
+    setShellState('disconnected');
+  }, [terminal, socket]);
 
   const openTerminal = useCallback(() => {
     if (!terminalElem.current) {
       return;
     }
-
     terminal.open(terminalElem.current);
     terminal.setOption('cursorBlink', true);
     terminal.focus();
@@ -58,6 +41,11 @@ export function KubeCtlShell({ environmentId, onClose }: Props) {
     terminal.writeln('#Run kubectl commands inside here');
     terminal.writeln('#e.g. kubectl get all');
     terminal.writeln('');
+    setShellState('connected');
+  }, [terminal]);
+
+  const resizeTerminal = useCallback(() => {
+    fit(terminal);
   }, [terminal]);
 
   // refresh socket listeners on socket updates
@@ -73,10 +61,10 @@ export function KubeCtlShell({ environmentId, onClose }: Props) {
       terminal.writeUtf8(encoded);
     }
     function onClose() {
-      handleClose();
+      closeTerminal();
     }
     function onError(e: Event) {
-      handleClose();
+      closeTerminal();
       if (socket?.readyState !== WebSocket.CLOSED) {
         notifyError(
           'Failure',
@@ -97,89 +85,63 @@ export function KubeCtlShell({ environmentId, onClose }: Props) {
       socket.removeEventListener('close', onClose);
       socket.removeEventListener('error', onError);
     };
-  }, [handleClose, openTerminal, socket, terminal]);
+  }, [closeTerminal, openTerminal, socket, terminal]);
 
   // on component load/destroy
   useEffect(() => {
     const socket = new WebSocket(buildUrl(environmentId));
-    setShell((shell) => ({ ...shell, socket }));
+    setSocket(socket);
+    setShellState('loading');
 
     terminal.onData((data) => socket.send(data));
     terminal.onKey(({ domEvent }) => {
       if (domEvent.ctrlKey && domEvent.code === 'KeyD') {
         close();
+        setShellState('disconnected');
       }
     });
 
-    window.addEventListener('resize', () => terminalResize());
+    window.addEventListener('resize', resizeTerminal);
 
     function close() {
       socket.close();
       terminal.dispose();
-      window.removeEventListener('resize', terminalResize);
+      window.removeEventListener('resize', resizeTerminal);
     }
 
     return close;
-  }, [environmentId, terminal]);
+  }, [environmentId, terminal, resizeTerminal]);
 
   return (
-    <div className={clsx(styles.root, { [styles.minimized]: shell.minimized })}>
-      <div className={styles.header}>
-        <div className={clsx(styles.title, 'vertical-center')}>
-          <Icon icon={TerminalIcon} />
-          kubectl shell
+    <div className="fixed bottom-0 left-0 right-0 top-0 z-[10000] bg-black text-white">
+      {shellState === 'loading' && (
+        <div className="px-4 pt-2">Loading Terminal...</div>
+      )}
+      {shellState === 'disconnected' && (
+        <div className="p-4">
+          <Alert color="info" title="Console disconnected">
+            <div className="mt-4 flex items-center gap-2">
+              <Button
+                onClick={() => window.location.reload()}
+                data-cy="k8sShell-reloadButton"
+              >
+                Reload
+              </Button>
+              <Button
+                onClick={() => window.close()}
+                color="default"
+                data-cy="k8sShell-closeButton"
+              >
+                Close
+              </Button>
+            </div>
+          </Alert>
         </div>
-        <div className={clsx(styles.actions, 'space-x-8')}>
-          <Button
-            color="link"
-            onClick={clearScreen}
-            data-cy="k8sShell-refreshButton"
-          >
-            <Icon icon={RotateCw} size="md" />
-          </Button>
-          <Button
-            color="link"
-            onClick={toggleMinimize}
-            data-cy={shell.minimized ? 'k8sShell-restore' : 'k8sShell-minimise'}
-          >
-            <Icon
-              icon={shell.minimized ? 'maximize-2' : 'minimize-2'}
-              size="md"
-              data-cy={
-                shell.minimized ? 'k8sShell-restore' : 'k8sShell-minimise'
-              }
-            />
-          </Button>
-          <Button
-            color="link"
-            onClick={handleClose}
-            data-cy="k8sShell-closeButton"
-          >
-            <Icon icon={X} size="md" />
-          </Button>
-        </div>
-      </div>
-
-      <div className={styles.terminalContainer} ref={terminalElem}>
-        <div className={styles.loadingMessage}>Loading Terminal...</div>
-      </div>
+      )}
+      <div className="h-full" ref={terminalElem} />
     </div>
   );
 
-  function clearScreen() {
-    terminal.clear();
-  }
-
-  function toggleMinimize() {
-    if (shell.minimized) {
-      terminalResize();
-      setShell((shell) => ({ ...shell, minimized: false }));
-    } else {
-      terminalClose();
-      setShell((shell) => ({ ...shell, minimized: true }));
-    }
-  }
-
   function buildUrl(environmentId: EnvironmentId) {
     const params = {
       endpointId: environmentId,
diff --git a/app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShell.module.css b/app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShell.module.css
deleted file mode 100644
index ae491fa46..000000000
--- a/app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShell.module.css
+++ /dev/null
@@ -1,47 +0,0 @@
-.root {
-  position: fixed;
-  background: #000;
-  bottom: 0;
-  left: 0;
-  width: 100vw;
-  z-index: 1000;
-  height: 495px;
-  border-top-left-radius: 8px;
-  border-top-right-radius: 8px;
-}
-
-.root.minimized {
-  height: 35px;
-  border-top-left-radius: 8px;
-  border-top-right-radius: 8px;
-}
-
-.header {
-  height: 35px;
-  border-top-left-radius: 8px;
-  border-top-right-radius: 8px;
-  display: flex;
-  justify-content: space-between;
-  align-items: center;
-  color: #424242;
-  background: rgb(245, 245, 245);
-  border-top: 1px solid rgb(190, 190, 190);
-
-  padding: 0 16px;
-}
-
-.title {
-  font-weight: 500;
-  font-size: 14px;
-}
-
-.actions button {
-  padding: 0;
-  border: 0;
-}
-
-.terminal-container .loading-message {
-  position: fixed;
-  padding: 10px 16px 0px 16px;
-  color: #fff;
-}
diff --git a/app/react/sidebar/KubernetesSidebar/KubectlShell/index.ts b/app/react/sidebar/KubernetesSidebar/KubectlShell/index.ts
deleted file mode 100644
index 541c38e1f..000000000
--- a/app/react/sidebar/KubernetesSidebar/KubectlShell/index.ts
+++ /dev/null
@@ -1 +0,0 @@
-export { KubectlShellButton } from './KubectlShellButton';
diff --git a/app/react/sidebar/KubernetesSidebar/KubectlShellButton.test.tsx b/app/react/sidebar/KubernetesSidebar/KubectlShellButton.test.tsx
new file mode 100644
index 000000000..785015347
--- /dev/null
+++ b/app/react/sidebar/KubernetesSidebar/KubectlShellButton.test.tsx
@@ -0,0 +1,127 @@
+import { render, fireEvent, screen } from '@testing-library/react';
+import { vi } from 'vitest';
+import { PropsWithChildren, useMemo } from 'react';
+
+import { useAnalytics } from '@/react/hooks/useAnalytics';
+
+import { Context } from '../useSidebarState';
+
+import { KubectlShellButton } from './KubectlShellButton';
+
+vi.mock('@/react/hooks/useAnalytics', () => ({
+  useAnalytics: vi.fn().mockReturnValue({
+    trackEvent: vi.fn(),
+  }),
+}));
+
+vi.mock('@/portainer/helpers/pathHelper', () => ({
+  baseHref: vi.fn().mockReturnValue('/portainer'),
+}));
+
+const mockWindowOpen = vi.fn();
+const originalWindowOpen = window.open;
+
+beforeEach(() => {
+  window.open = mockWindowOpen;
+  mockWindowOpen.mockClear();
+});
+
+afterEach(() => {
+  window.open = originalWindowOpen;
+});
+
+function MockSidebarProvider({
+  children,
+  isOpen = true,
+}: PropsWithChildren<{ isOpen?: boolean }>) {
+  const state = useMemo(() => ({ isOpen, toggle: vi.fn() }), [isOpen]);
+
+  return <Context.Provider value={state}>{children}</Context.Provider>;
+}
+
+function renderComponent(environmentId = 1, isSidebarOpen = true) {
+  return render(
+    <MockSidebarProvider isOpen={isSidebarOpen}>
+      <KubectlShellButton environmentId={environmentId} />
+    </MockSidebarProvider>
+  );
+}
+
+describe('KubectlShellButton', () => {
+  test('should render button with text when sidebar is open', () => {
+    renderComponent();
+
+    const button = screen.getByTestId('k8sSidebar-shellButton');
+    expect(button).toBeVisible();
+    expect(button).toHaveTextContent('kubectl shell');
+  });
+
+  test('should render button without text when sidebar is closed', () => {
+    renderComponent(1, false);
+
+    const button = screen.getByTestId('k8sSidebar-shellButton');
+    expect(button).toBeVisible();
+    expect(button).not.toHaveTextContent('kubectl shell');
+    expect(button).toHaveClass('!p-1');
+  });
+
+  test('should wrap button in tooltip when sidebar is closed', () => {
+    renderComponent(1, false);
+
+    // When sidebar is closed, the button is wrapped in a span with flex classes
+    const button = screen.getByTestId('k8sSidebar-shellButton');
+    const wrapperSpan = button.parentElement;
+    expect(wrapperSpan).toHaveClass('flex', 'w-full', 'justify-center');
+
+    // The button should have the !p-1 class when sidebar is closed
+    expect(button).toHaveClass('!p-1');
+  });
+
+  test('should open new window with correct URL when button is clicked', () => {
+    const environmentId = 5;
+    renderComponent(environmentId);
+
+    const button = screen.getByTestId('k8sSidebar-shellButton');
+    fireEvent.click(button);
+
+    expect(mockWindowOpen).toHaveBeenCalledTimes(1);
+    const [url, windowName, windowFeatures] = mockWindowOpen.mock.calls[0];
+
+    expect(url).toBe(
+      `${window.location.origin}/portainer#!/${environmentId}/kubernetes/kubectl-shell`
+    );
+    expect(windowName).toMatch(/^kubectl-shell-5-[a-f0-9-]+$/);
+    expect(windowFeatures).toBe('width=800,height=600');
+  });
+
+  test('should track analytics event when button is clicked', () => {
+    const mockTrackEvent = vi.fn();
+    vi.mocked(useAnalytics).mockReturnValue({ trackEvent: mockTrackEvent });
+
+    renderComponent();
+
+    const button = screen.getByRole('button');
+    fireEvent.click(button);
+
+    expect(mockTrackEvent).toHaveBeenCalledWith('kubernetes-kubectl-shell', {
+      category: 'kubernetes',
+    });
+  });
+
+  test('should generate unique window names for multiple clicks', () => {
+    renderComponent();
+
+    const button = screen.getByRole('button');
+
+    // Click multiple times
+    fireEvent.click(button);
+    fireEvent.click(button);
+
+    expect(mockWindowOpen).toHaveBeenCalledTimes(2);
+
+    const windowName1 = mockWindowOpen.mock.calls[0][1];
+    const windowName2 = mockWindowOpen.mock.calls[1][1];
+
+    expect(windowName1).not.toBe(windowName2);
+  });
+});
diff --git a/app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShellButton.tsx b/app/react/sidebar/KubernetesSidebar/KubectlShellButton.tsx
similarity index 69%
rename from app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShellButton.tsx
rename to app/react/sidebar/KubernetesSidebar/KubectlShellButton.tsx
index 0d08a03c8..1745c6a3e 100644
--- a/app/react/sidebar/KubernetesSidebar/KubectlShell/KubectlShellButton.tsx
+++ b/app/react/sidebar/KubernetesSidebar/KubectlShellButton.tsx
@@ -1,32 +1,27 @@
-import { useState } from 'react';
-import { createPortal } from 'react-dom';
 import { Terminal } from 'lucide-react';
 import clsx from 'clsx';
+import { v4 as uuidv4 } from 'uuid';
 
 import { EnvironmentId } from '@/react/portainer/environments/types';
 import { useAnalytics } from '@/react/hooks/useAnalytics';
+import { baseHref } from '@/portainer/helpers/pathHelper';
 
 import { Button } from '@@/buttons';
 
-import { useSidebarState } from '../../useSidebarState';
-import { SidebarTooltip } from '../../SidebarItem/SidebarTooltip';
-
-import { KubeCtlShell } from './KubectlShell';
+import { useSidebarState } from '../useSidebarState';
+import { SidebarTooltip } from '../SidebarItem/SidebarTooltip';
 
 interface Props {
   environmentId: EnvironmentId;
 }
 export function KubectlShellButton({ environmentId }: Props) {
   const { isOpen: isSidebarOpen } = useSidebarState();
-
-  const [open, setOpen] = useState(false);
   const { trackEvent } = useAnalytics();
 
   const button = (
     <Button
       color="primary"
       size="small"
-      disabled={open}
       data-cy="k8sSidebar-shellButton"
       onClick={() => handleOpen()}
       className={clsx('sidebar', !isSidebarOpen && '!p-1')}
@@ -48,19 +43,17 @@ export function KubectlShellButton({ environmentId }: Props) {
         </SidebarTooltip>
       )}
       {isSidebarOpen && button}
-      {open &&
-        createPortal(
-          <KubeCtlShell
-            environmentId={environmentId}
-            onClose={() => setOpen(false)}
-          />,
-          document.body
-        )}
     </>
   );
 
   function handleOpen() {
-    setOpen(true);
+    const url = window.location.origin + baseHref();
+    window.open(
+      `${url}#!/${environmentId}/kubernetes/kubectl-shell`,
+      // give the window a unique name so that more than one can be opened
+      `kubectl-shell-${environmentId}-${uuidv4()}`,
+      'width=800,height=600'
+    );
 
     trackEvent('kubernetes-kubectl-shell', { category: 'kubernetes' });
   }
diff --git a/app/react/sidebar/KubernetesSidebar/KubernetesSidebar.tsx b/app/react/sidebar/KubernetesSidebar/KubernetesSidebar.tsx
index 4d260c340..3c0be3ce5 100644
--- a/app/react/sidebar/KubernetesSidebar/KubernetesSidebar.tsx
+++ b/app/react/sidebar/KubernetesSidebar/KubernetesSidebar.tsx
@@ -17,7 +17,7 @@ import { SidebarItem } from '../SidebarItem';
 import { VolumesLink } from '../items/VolumesLink';
 import { SidebarParent } from '../SidebarItem/SidebarParent';
 
-import { KubectlShellButton } from './KubectlShell';
+import { KubectlShellButton } from './KubectlShellButton';
 
 interface Props {
   environmentId: EnvironmentId;

From 6481483074583b42568501f571bec4b20ece6452 Mon Sep 17 00:00:00 2001
From: James Player <james.player@portainer.io>
Date: Fri, 25 Jul 2025 15:29:06 +1200
Subject: [PATCH 200/212] fix(app/sidebar): Custom logo UI issue [r8s-435]
 (#939)

---
 app/react/sidebar/Header.test.tsx | 143 ++++++++++++++++++++++++++++++
 app/react/sidebar/Header.tsx      |   6 +-
 2 files changed, 148 insertions(+), 1 deletion(-)
 create mode 100644 app/react/sidebar/Header.test.tsx

diff --git a/app/react/sidebar/Header.test.tsx b/app/react/sidebar/Header.test.tsx
new file mode 100644
index 000000000..e8fc9104a
--- /dev/null
+++ b/app/react/sidebar/Header.test.tsx
@@ -0,0 +1,143 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+
+import { withTestRouter } from '@/react/test-utils/withRouter';
+
+import { Context } from './useSidebarState';
+import { Header } from './Header';
+
+vi.mock('@/react/portainer/feature-flags/feature-flags.service', () => ({
+  isBE: false,
+}));
+
+function renderComponent(
+  props = {},
+  sidebarState = { isOpen: true, toggle: vi.fn() }
+) {
+  const Wrapped = withTestRouter(Header);
+
+  return render(
+    <Context.Provider value={sidebarState}>
+      <Wrapped {...props} />
+    </Context.Provider>
+  );
+}
+
+describe('Header', () => {
+  it('should render with default logo when no custom logo provided', () => {
+    renderComponent();
+
+    const logo = screen.getByAltText('Logo');
+    expect(logo).toBeInTheDocument();
+    expect(logo).toHaveAttribute(
+      'src',
+      expect.stringContaining('portainer_logo-CE.svg')
+    );
+  });
+
+  it('should render with custom logo when provided', () => {
+    const customLogo = 'https://example.com/custom-logo.png';
+    renderComponent({ logo: customLogo });
+
+    const logo = screen.getByAltText('Logo');
+    expect(logo).toBeInTheDocument();
+    expect(logo).toHaveAttribute('src', customLogo);
+  });
+
+  it('should show "Powered by" section when sidebar is open and custom logo is provided', () => {
+    const customLogo = 'https://example.com/custom-logo.png';
+    renderComponent({ logo: customLogo });
+
+    expect(screen.getByText('Powered by')).toBeInTheDocument();
+    expect(screen.getByText('portainer community')).toBeInTheDocument();
+  });
+
+  it('should not show "Powered by" section when no custom logo', () => {
+    renderComponent();
+
+    expect(screen.queryByText('Powered by')).not.toBeInTheDocument();
+  });
+
+  it('should not show "Powered by" section when sidebar is closed', () => {
+    const customLogo = 'https://example.com/custom-logo.png';
+    renderComponent({ logo: customLogo }, { isOpen: false, toggle: vi.fn() });
+
+    expect(screen.queryByText('Powered by')).not.toBeInTheDocument();
+  });
+
+  it('should apply flex-wrap class to logo container', () => {
+    renderComponent();
+
+    const logoContainer = screen.getByTestId(
+      'portainerSidebar-homeImage'
+    ).parentElement;
+    expect(logoContainer).toHaveClass('flex-wrap');
+  });
+
+  it('should apply justify-center class when sidebar is closed', () => {
+    renderComponent({}, { isOpen: false, toggle: vi.fn() });
+
+    const logoContainer = screen.getByTestId(
+      'portainerSidebar-homeImage'
+    ).parentElement;
+    expect(logoContainer).toHaveClass('justify-center');
+  });
+
+  it('should not apply justify-center class when sidebar is open', () => {
+    renderComponent();
+
+    const logoContainer = screen.getByTestId(
+      'portainerSidebar-homeImage'
+    ).parentElement;
+    expect(logoContainer).not.toHaveClass('justify-center');
+  });
+
+  it('should toggle sidebar when toggle button is clicked', async () => {
+    const user = userEvent.setup();
+    const mockToggle = vi.fn();
+    renderComponent({}, { isOpen: true, toggle: mockToggle });
+
+    const toggleButton = screen.getByRole('button', { name: 'Toggle Sidebar' });
+    await user.click(toggleButton);
+
+    expect(mockToggle).toHaveBeenCalledTimes(1);
+  });
+
+  it('should show chevron left icon when sidebar is open', () => {
+    renderComponent();
+
+    const toggleButton = screen.getByRole('button', { name: 'Toggle Sidebar' });
+    expect(toggleButton).toBeInTheDocument();
+  });
+
+  it('should show chevron right icon when sidebar is closed', () => {
+    renderComponent({}, { isOpen: false, toggle: vi.fn() });
+
+    const toggleButton = screen.getByRole('button', { name: 'Toggle Sidebar' });
+    expect(toggleButton).toBeInTheDocument();
+  });
+
+  it('should use small logo when sidebar is closed', () => {
+    renderComponent({}, { isOpen: false, toggle: vi.fn() });
+
+    const logo = screen.getByAltText('Logo');
+    expect(logo).toHaveAttribute(
+      'src',
+      expect.stringContaining('logomark-CE.svg')
+    );
+  });
+
+  it('should apply max-height class to logo when sidebar is closed', () => {
+    renderComponent({}, { isOpen: false, toggle: vi.fn() });
+
+    const logo = screen.getByAltText('Logo');
+    expect(logo).toHaveClass('!max-h-[27px]');
+  });
+
+  it('should not apply max-height class to logo when sidebar is open', () => {
+    renderComponent();
+
+    const logo = screen.getByAltText('Logo');
+    expect(logo).not.toHaveClass('!max-h-[27px]');
+  });
+});
diff --git a/app/react/sidebar/Header.tsx b/app/react/sidebar/Header.tsx
index b69aa7d3a..4a4a5036c 100644
--- a/app/react/sidebar/Header.tsx
+++ b/app/react/sidebar/Header.tsx
@@ -21,7 +21,11 @@ export function Header({ logo: customLogo }: Props) {
 
   return (
     <div className="flex">
-      <div className={clsx('pr-5 w-full flex', { 'justify-center': !isOpen })}>
+      <div
+        className={clsx('pr-5 w-full flex flex-wrap', {
+          'justify-center': !isOpen,
+        })}
+      >
         <Link
           to="portainer.home"
           data-cy="portainerSidebar-homeImage"

From 5e271fd4a4e8b84a8bb40cbbb238afb6629fe2f1 Mon Sep 17 00:00:00 2001
From: Steven Kang <skan070@gmail.com>
Date: Mon, 28 Jul 2025 15:41:12 +1200
Subject: [PATCH 201/212] feat(ui): reordered kubernetes create from code
 options [R8S-429] (#951)

---
 app/kubernetes/views/deploy/deployController.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/kubernetes/views/deploy/deployController.js b/app/kubernetes/views/deploy/deployController.js
index b44d3d7bb..9f17d214e 100644
--- a/app/kubernetes/views/deploy/deployController.js
+++ b/app/kubernetes/views/deploy/deployController.js
@@ -34,10 +34,10 @@ class KubernetesDeployController {
 
     this.methodOptions = [
       { ...git, value: KubernetesDeployBuildMethods.GIT },
+      { ...helm, value: KubernetesDeployBuildMethods.HELM },
       { ...editor, value: KubernetesDeployBuildMethods.WEB_EDITOR },
       { ...url, value: KubernetesDeployBuildMethods.URL },
       { ...customTemplate, value: KubernetesDeployBuildMethods.CUSTOM_TEMPLATE },
-      { ...helm, value: KubernetesDeployBuildMethods.HELM },
     ];
 
     let buildMethod = Number(this.$state.params.buildMethod) || KubernetesDeployBuildMethods.GIT;

From a46db61c4c7a3570b0495cc2caa8df4ddc7b9fa5 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 28 Jul 2025 13:19:05 -0300
Subject: [PATCH 202/212] fix(endpointrelation): optimize
 updateEdgeStacksAfterRelationChange() BE-12092 (#941)

---
 api/dataservices/edgestack/edgestack_test.go  |  50 +++++++++
 .../endpointrelation/endpointrelation.go      |  97 +---------------
 .../endpointrelation/endpointrelation_test.go | 104 ++++++++++++++++++
 api/dataservices/endpointrelation/tx.go       |  66 ++++++-----
 api/datastore/services.go                     |   2 +-
 5 files changed, 192 insertions(+), 127 deletions(-)
 create mode 100644 api/dataservices/edgestack/edgestack_test.go
 create mode 100644 api/dataservices/endpointrelation/endpointrelation_test.go

diff --git a/api/dataservices/edgestack/edgestack_test.go b/api/dataservices/edgestack/edgestack_test.go
new file mode 100644
index 000000000..debb4652e
--- /dev/null
+++ b/api/dataservices/edgestack/edgestack_test.go
@@ -0,0 +1,50 @@
+package edgestack
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/boltdb"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestUpdate(t *testing.T) {
+	var conn portainer.Connection = &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+
+	defer conn.Close()
+
+	service, err := NewService(conn, func(portainer.Transaction, portainer.EdgeStackID) {})
+	require.NoError(t, err)
+
+	const edgeStackID = 1
+	edgeStack := &portainer.EdgeStack{
+		ID:   edgeStackID,
+		Name: "Test Stack",
+	}
+
+	err = service.Create(edgeStackID, edgeStack)
+	require.NoError(t, err)
+
+	err = service.UpdateEdgeStackFunc(edgeStackID, func(edgeStack *portainer.EdgeStack) {
+		edgeStack.Name = "Updated Stack"
+	})
+	require.NoError(t, err)
+
+	updatedStack, err := service.EdgeStack(edgeStackID)
+	require.NoError(t, err)
+	require.Equal(t, "Updated Stack", updatedStack.Name)
+
+	err = conn.UpdateTx(func(tx portainer.Transaction) error {
+		return service.UpdateEdgeStackFuncTx(tx, edgeStackID, func(edgeStack *portainer.EdgeStack) {
+			edgeStack.Name = "Updated Stack Again"
+		})
+	})
+	require.NoError(t, err)
+
+	updatedStack, err = service.EdgeStack(edgeStackID)
+	require.NoError(t, err)
+	require.Equal(t, "Updated Stack Again", updatedStack.Name)
+}
diff --git a/api/dataservices/endpointrelation/endpointrelation.go b/api/dataservices/endpointrelation/endpointrelation.go
index 556a046bb..91c00f05a 100644
--- a/api/dataservices/endpointrelation/endpointrelation.go
+++ b/api/dataservices/endpointrelation/endpointrelation.go
@@ -6,8 +6,6 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/edge/cache"
-
-	"github.com/rs/zerolog/log"
 )
 
 // BucketName represents the name of the bucket where this service stores data.
@@ -16,7 +14,6 @@ const BucketName = "endpoint_relations"
 // Service represents a service for managing environment(endpoint) relation data.
 type Service struct {
 	connection             portainer.Connection
-	updateStackFn          func(ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
 	updateStackFnTx        func(tx portainer.Transaction, ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error
 	endpointRelationsCache []portainer.EndpointRelation
 	mu                     sync.Mutex
@@ -29,10 +26,8 @@ func (service *Service) BucketName() string {
 }
 
 func (service *Service) RegisterUpdateStackFunction(
-	updateFunc func(portainer.EdgeStackID, func(*portainer.EdgeStack)) error,
 	updateFuncTx func(portainer.Transaction, portainer.EdgeStackID, func(*portainer.EdgeStack)) error,
 ) {
-	service.updateStackFn = updateFunc
 	service.updateStackFnTx = updateFuncTx
 }
 
@@ -91,24 +86,9 @@ func (service *Service) Create(endpointRelation *portainer.EndpointRelation) err
 
 // UpdateEndpointRelation updates an Environment(Endpoint) relation object
 func (service *Service) UpdateEndpointRelation(endpointID portainer.EndpointID, endpointRelation *portainer.EndpointRelation) error {
-	previousRelationState, _ := service.EndpointRelation(endpointID)
-
-	identifier := service.connection.ConvertToKey(int(endpointID))
-	err := service.connection.UpdateObject(BucketName, identifier, endpointRelation)
-	cache.Del(endpointID)
-	if err != nil {
-		return err
-	}
-
-	updatedRelationState, _ := service.EndpointRelation(endpointID)
-
-	service.mu.Lock()
-	service.endpointRelationsCache = nil
-	service.mu.Unlock()
-
-	service.updateEdgeStacksAfterRelationChange(previousRelationState, updatedRelationState)
-
-	return nil
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).UpdateEndpointRelation(endpointID, endpointRelation)
+	})
 }
 
 func (service *Service) AddEndpointRelationsForEdgeStack(endpointIDs []portainer.EndpointID, edgeStackID portainer.EdgeStackID) error {
@@ -125,72 +105,7 @@ func (service *Service) RemoveEndpointRelationsForEdgeStack(endpointIDs []portai
 
 // DeleteEndpointRelation deletes an Environment(Endpoint) relation object
 func (service *Service) DeleteEndpointRelation(endpointID portainer.EndpointID) error {
-	deletedRelation, _ := service.EndpointRelation(endpointID)
-
-	identifier := service.connection.ConvertToKey(int(endpointID))
-	err := service.connection.DeleteObject(BucketName, identifier)
-	cache.Del(endpointID)
-	if err != nil {
-		return err
-	}
-
-	service.mu.Lock()
-	service.endpointRelationsCache = nil
-	service.mu.Unlock()
-
-	service.updateEdgeStacksAfterRelationChange(deletedRelation, nil)
-
-	return nil
-}
-
-func (service *Service) updateEdgeStacksAfterRelationChange(previousRelationState *portainer.EndpointRelation, updatedRelationState *portainer.EndpointRelation) {
-	relations, _ := service.EndpointRelations()
-
-	stacksToUpdate := map[portainer.EdgeStackID]bool{}
-
-	if previousRelationState != nil {
-		for stackId, enabled := range previousRelationState.EdgeStacks {
-			// flag stack for update if stack is not in the updated relation state
-			// = stack has been removed for this relation
-			// or this relation has been deleted
-			if enabled && (updatedRelationState == nil || !updatedRelationState.EdgeStacks[stackId]) {
-				stacksToUpdate[stackId] = true
-			}
-		}
-	}
-
-	if updatedRelationState != nil {
-		for stackId, enabled := range updatedRelationState.EdgeStacks {
-			// flag stack for update if stack is not in the previous relation state
-			// = stack has been added for this relation
-			if enabled && (previousRelationState == nil || !previousRelationState.EdgeStacks[stackId]) {
-				stacksToUpdate[stackId] = true
-			}
-		}
-	}
-
-	// for each stack referenced by the updated relation
-	// list how many time this stack is referenced in all relations
-	// in order to update the stack deployments count
-	for refStackId, refStackEnabled := range stacksToUpdate {
-		if !refStackEnabled {
-			continue
-		}
-
-		numDeployments := 0
-
-		for _, r := range relations {
-			for sId, enabled := range r.EdgeStacks {
-				if enabled && sId == refStackId {
-					numDeployments += 1
-				}
-			}
-		}
-
-		if err := service.updateStackFn(refStackId, func(edgeStack *portainer.EdgeStack) {
-			edgeStack.NumDeployments = numDeployments
-		}); err != nil {
-			log.Error().Err(err).Msg("could not update the number of deployments")
-		}
-	}
+	return service.connection.UpdateTx(func(tx portainer.Transaction) error {
+		return service.Tx(tx).DeleteEndpointRelation(endpointID)
+	})
 }
diff --git a/api/dataservices/endpointrelation/endpointrelation_test.go b/api/dataservices/endpointrelation/endpointrelation_test.go
new file mode 100644
index 000000000..f1ead0919
--- /dev/null
+++ b/api/dataservices/endpointrelation/endpointrelation_test.go
@@ -0,0 +1,104 @@
+package endpointrelation
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database/boltdb"
+	"github.com/portainer/portainer/api/internal/edge/cache"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestUpdateRelation(t *testing.T) {
+	const endpointID = 1
+	const edgeStackID1 = 1
+	const edgeStackID2 = 2
+
+	var conn portainer.Connection = &boltdb.DbConnection{Path: t.TempDir()}
+	err := conn.Open()
+	require.NoError(t, err)
+
+	defer conn.Close()
+
+	service, err := NewService(conn)
+	require.NoError(t, err)
+
+	updateStackFnTxCalled := false
+
+	edgeStacks := make(map[portainer.EdgeStackID]portainer.EdgeStack)
+	edgeStacks[edgeStackID1] = portainer.EdgeStack{ID: edgeStackID1}
+	edgeStacks[edgeStackID2] = portainer.EdgeStack{ID: edgeStackID2}
+
+	service.RegisterUpdateStackFunction(func(tx portainer.Transaction, ID portainer.EdgeStackID, updateFunc func(edgeStack *portainer.EdgeStack)) error {
+		updateStackFnTxCalled = true
+
+		s, ok := edgeStacks[ID]
+		require.True(t, ok)
+
+		updateFunc(&s)
+		edgeStacks[ID] = s
+
+		return nil
+	})
+
+	// Nil relation
+
+	cache.Set(endpointID, []byte("value"))
+
+	err = service.UpdateEndpointRelation(endpointID, nil)
+	_, cacheKeyExists := cache.Get(endpointID)
+	require.NoError(t, err)
+	require.False(t, updateStackFnTxCalled)
+	require.False(t, cacheKeyExists)
+
+	// Add a relation to two edge stacks
+
+	cache.Set(endpointID, []byte("value"))
+
+	err = service.UpdateEndpointRelation(endpointID, &portainer.EndpointRelation{
+		EndpointID: endpointID,
+		EdgeStacks: map[portainer.EdgeStackID]bool{
+			edgeStackID1: true,
+			edgeStackID2: true,
+		},
+	})
+	_, cacheKeyExists = cache.Get(endpointID)
+	require.NoError(t, err)
+	require.True(t, updateStackFnTxCalled)
+	require.False(t, cacheKeyExists)
+	require.Equal(t, 1, edgeStacks[edgeStackID1].NumDeployments)
+	require.Equal(t, 1, edgeStacks[edgeStackID2].NumDeployments)
+
+	// Remove a relation to one edge stack
+
+	updateStackFnTxCalled = false
+	cache.Set(endpointID, []byte("value"))
+
+	err = service.UpdateEndpointRelation(endpointID, &portainer.EndpointRelation{
+		EndpointID: endpointID,
+		EdgeStacks: map[portainer.EdgeStackID]bool{
+			2: true,
+		},
+	})
+	_, cacheKeyExists = cache.Get(endpointID)
+	require.NoError(t, err)
+	require.True(t, updateStackFnTxCalled)
+	require.False(t, cacheKeyExists)
+	require.Equal(t, 0, edgeStacks[edgeStackID1].NumDeployments)
+	require.Equal(t, 1, edgeStacks[edgeStackID2].NumDeployments)
+
+	// Delete the relation
+
+	updateStackFnTxCalled = false
+	cache.Set(endpointID, []byte("value"))
+
+	err = service.DeleteEndpointRelation(endpointID)
+
+	_, cacheKeyExists = cache.Get(endpointID)
+	require.NoError(t, err)
+	require.True(t, updateStackFnTxCalled)
+	require.False(t, cacheKeyExists)
+	require.Equal(t, 0, edgeStacks[edgeStackID1].NumDeployments)
+	require.Equal(t, 0, edgeStacks[edgeStackID2].NumDeployments)
+}
diff --git a/api/dataservices/endpointrelation/tx.go b/api/dataservices/endpointrelation/tx.go
index bc58678fd..54e66a31b 100644
--- a/api/dataservices/endpointrelation/tx.go
+++ b/api/dataservices/endpointrelation/tx.go
@@ -186,53 +186,49 @@ func (service ServiceTx) cachedEndpointRelations() ([]portainer.EndpointRelation
 }
 
 func (service ServiceTx) updateEdgeStacksAfterRelationChange(previousRelationState *portainer.EndpointRelation, updatedRelationState *portainer.EndpointRelation) {
-	relations, _ := service.EndpointRelations()
-
-	stacksToUpdate := map[portainer.EdgeStackID]bool{}
-
 	if previousRelationState != nil {
 		for stackId, enabled := range previousRelationState.EdgeStacks {
 			// flag stack for update if stack is not in the updated relation state
 			// = stack has been removed for this relation
 			// or this relation has been deleted
 			if enabled && (updatedRelationState == nil || !updatedRelationState.EdgeStacks[stackId]) {
-				stacksToUpdate[stackId] = true
-			}
-		}
-	}
+				if err := service.service.updateStackFnTx(service.tx, stackId, func(edgeStack *portainer.EdgeStack) {
+					// Sanity check
+					if edgeStack.NumDeployments <= 0 {
+						log.Error().
+							Int("edgestack_id", int(edgeStack.ID)).
+							Int("endpoint_id", int(previousRelationState.EndpointID)).
+							Int("num_deployments", edgeStack.NumDeployments).
+							Msg("cannot decrement the number of deployments for an edge stack with zero deployments")
 
-	if updatedRelationState != nil {
-		for stackId, enabled := range updatedRelationState.EdgeStacks {
-			// flag stack for update if stack is not in the previous relation state
-			// = stack has been added for this relation
-			if enabled && (previousRelationState == nil || !previousRelationState.EdgeStacks[stackId]) {
-				stacksToUpdate[stackId] = true
-			}
-		}
-	}
+						return
+					}
 
-	// for each stack referenced by the updated relation
-	// list how many time this stack is referenced in all relations
-	// in order to update the stack deployments count
-	for refStackId, refStackEnabled := range stacksToUpdate {
-		if !refStackEnabled {
-			continue
-		}
-
-		numDeployments := 0
-
-		for _, r := range relations {
-			for sId, enabled := range r.EdgeStacks {
-				if enabled && sId == refStackId {
-					numDeployments += 1
+					edgeStack.NumDeployments--
+				}); err != nil {
+					log.Error().Err(err).Msg("could not update the number of deployments")
 				}
+
+				cache.Del(previousRelationState.EndpointID)
 			}
 		}
+	}
 
-		if err := service.service.updateStackFnTx(service.tx, refStackId, func(edgeStack *portainer.EdgeStack) {
-			edgeStack.NumDeployments = numDeployments
-		}); err != nil {
-			log.Error().Err(err).Msg("could not update the number of deployments")
+	if updatedRelationState == nil {
+		return
+	}
+
+	for stackId, enabled := range updatedRelationState.EdgeStacks {
+		// flag stack for update if stack is not in the previous relation state
+		// = stack has been added for this relation
+		if enabled && (previousRelationState == nil || !previousRelationState.EdgeStacks[stackId]) {
+			if err := service.service.updateStackFnTx(service.tx, stackId, func(edgeStack *portainer.EdgeStack) {
+				edgeStack.NumDeployments++
+			}); err != nil {
+				log.Error().Err(err).Msg("could not update the number of deployments")
+			}
+
+			cache.Del(updatedRelationState.EndpointID)
 		}
 	}
 }
diff --git a/api/datastore/services.go b/api/datastore/services.go
index b0570fa67..7413d6c03 100644
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -111,7 +111,7 @@ func (store *Store) initServices() error {
 		return err
 	}
 	store.EdgeStackService = edgeStackService
-	endpointRelationService.RegisterUpdateStackFunction(edgeStackService.UpdateEdgeStackFunc, edgeStackService.UpdateEdgeStackFuncTx)
+	endpointRelationService.RegisterUpdateStackFunction(edgeStackService.UpdateEdgeStackFuncTx)
 
 	edgeStackStatusService, err := edgestackstatus.NewService(store.connection)
 	if err != nil {

From e9ce3d22134068abf92c031d92cefdd2116d30aa Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Mon, 28 Jul 2025 19:19:07 -0300
Subject: [PATCH 203/212] fix(endpointedge): optimize buildSchedules() BE-12099
 (#955)

---
 .../endpointedge_status_inspect.go            | 19 +++--
 api/internal/edge/edgegroup.go                | 11 ++-
 api/internal/edge/endpoint.go                 | 28 +++----
 api/internal/edge/endpoint_test.go            | 82 +++++++++++++++++++
 4 files changed, 114 insertions(+), 26 deletions(-)
 create mode 100644 api/internal/edge/endpoint_test.go

diff --git a/api/http/handler/endpointedge/endpointedge_status_inspect.go b/api/http/handler/endpointedge/endpointedge_status_inspect.go
index 9bd341561..9c4e4bbe1 100644
--- a/api/http/handler/endpointedge/endpointedge_status_inspect.go
+++ b/api/http/handler/endpointedge/endpointedge_status_inspect.go
@@ -170,7 +170,7 @@ func (handler *Handler) inspectStatus(tx dataservices.DataStoreTx, r *http.Reque
 		Credentials:     tunnel.Credentials,
 	}
 
-	schedules, handlerErr := handler.buildSchedules(tx, endpoint.ID)
+	schedules, handlerErr := handler.buildSchedules(tx, endpoint)
 	if handlerErr != nil {
 		return nil, handlerErr
 	}
@@ -208,7 +208,7 @@ func parseAgentPlatform(r *http.Request) (portainer.EndpointType, error) {
 	}
 }
 
-func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID portainer.EndpointID) ([]edgeJobResponse, *httperror.HandlerError) {
+func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpoint *portainer.Endpoint) ([]edgeJobResponse, *httperror.HandlerError) {
 	schedules := []edgeJobResponse{}
 
 	edgeJobs, err := tx.EdgeJob().ReadAll()
@@ -216,11 +216,16 @@ func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID p
 		return nil, httperror.InternalServerError("Unable to retrieve Edge Jobs", err)
 	}
 
+	endpointGroups, err := tx.EndpointGroup().ReadAll()
+	if err != nil {
+		return nil, httperror.InternalServerError("Unable to retrieve endpoint groups", err)
+	}
+
 	for _, job := range edgeJobs {
-		_, endpointHasJob := job.Endpoints[endpointID]
+		_, endpointHasJob := job.Endpoints[endpoint.ID]
 		if !endpointHasJob {
 			for _, edgeGroupID := range job.EdgeGroups {
-				member, _, err := edge.EndpointInEdgeGroup(tx, endpointID, edgeGroupID)
+				member, _, err := edge.EndpointInEdgeGroup(tx, endpoint, edgeGroupID, endpointGroups)
 				if err != nil {
 					return nil, httperror.InternalServerError("Unable to retrieve relations", err)
 				} else if member {
@@ -236,10 +241,10 @@ func (handler *Handler) buildSchedules(tx dataservices.DataStoreTx, endpointID p
 		}
 
 		var collectLogs bool
-		if _, ok := job.GroupLogsCollection[endpointID]; ok {
-			collectLogs = job.GroupLogsCollection[endpointID].CollectLogs
+		if _, ok := job.GroupLogsCollection[endpoint.ID]; ok {
+			collectLogs = job.GroupLogsCollection[endpoint.ID].CollectLogs
 		} else {
-			collectLogs = job.Endpoints[endpointID].CollectLogs
+			collectLogs = job.Endpoints[endpoint.ID].CollectLogs
 		}
 
 		schedule := edgeJobResponse{
diff --git a/api/internal/edge/edgegroup.go b/api/internal/edge/edgegroup.go
index eae4fedce..b9a1b899d 100644
--- a/api/internal/edge/edgegroup.go
+++ b/api/internal/edge/edgegroup.go
@@ -4,13 +4,22 @@ import (
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/internal/endpointutils"
+	"github.com/portainer/portainer/api/roar"
 	"github.com/portainer/portainer/api/tag"
 )
 
 // EdgeGroupRelatedEndpoints returns a list of environments(endpoints) related to this Edge group
 func EdgeGroupRelatedEndpoints(edgeGroup *portainer.EdgeGroup, endpoints []portainer.Endpoint, endpointGroups []portainer.EndpointGroup) []portainer.EndpointID {
 	if !edgeGroup.Dynamic {
-		return edgeGroup.EndpointIDs.ToSlice()
+		var r roar.Roar[portainer.EndpointID]
+
+		for _, endpoint := range endpoints {
+			if edgeGroup.EndpointIDs.Contains(endpoint.ID) {
+				r.Add(endpoint.ID)
+			}
+		}
+
+		return r.ToSlice()
 	}
 
 	endpointGroupsMap := map[portainer.EndpointGroupID]*portainer.EndpointGroup{}
diff --git a/api/internal/edge/endpoint.go b/api/internal/edge/endpoint.go
index 27cc50b3b..7901b0e88 100644
--- a/api/internal/edge/endpoint.go
+++ b/api/internal/edge/endpoint.go
@@ -1,12 +1,9 @@
 package edge
 
 import (
-	"slices"
-
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
-
-	"github.com/rs/zerolog/log"
+	"github.com/portainer/portainer/api/internal/endpointutils"
 )
 
 // EndpointRelatedEdgeStacks returns a list of Edge stacks related to this Environment(Endpoint)
@@ -47,27 +44,22 @@ func EffectiveCheckinInterval(tx dataservices.DataStoreTx, endpoint *portainer.E
 // EndpointInEdgeGroup returns true and the edge group name if the endpoint is in the edge group
 func EndpointInEdgeGroup(
 	tx dataservices.DataStoreTx,
-	endpointID portainer.EndpointID,
+	endpoint *portainer.Endpoint,
 	edgeGroupID portainer.EdgeGroupID,
+	endpointGroups []portainer.EndpointGroup,
 ) (bool, string, error) {
-	endpointIDs, err := GetEndpointsFromEdgeGroups(
-		[]portainer.EdgeGroupID{edgeGroupID}, tx,
-	)
+	if !endpointutils.IsEdgeEndpoint(endpoint) || !endpoint.UserTrusted {
+		return false, "", nil
+	}
+
+	edgeGroup, err := tx.EdgeGroup().Read(edgeGroupID)
 	if err != nil {
 		return false, "", err
 	}
 
-	if slices.Contains(endpointIDs, endpointID) {
-		edgeGroup, err := tx.EdgeGroup().Read(edgeGroupID)
-		if err != nil {
-			log.Warn().
-				Err(err).
-				Int("edgeGroupID", int(edgeGroupID)).
-				Msg("Unable to retrieve edge group")
-
-			return false, "", err
-		}
+	r := EdgeGroupRelatedEndpoints(edgeGroup, []portainer.Endpoint{*endpoint}, endpointGroups)
 
+	if len(r) > 0 {
 		return true, edgeGroup.Name, nil
 	}
 
diff --git a/api/internal/edge/endpoint_test.go b/api/internal/edge/endpoint_test.go
new file mode 100644
index 000000000..241408515
--- /dev/null
+++ b/api/internal/edge/endpoint_test.go
@@ -0,0 +1,82 @@
+package edge
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/roar"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestEndpointInEdgeGroup(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, false)
+
+	endpointGroups := []portainer.EndpointGroup{{ID: 1, Name: "test-group"}}
+
+	endpoint := &portainer.Endpoint{
+		ID:          1,
+		Name:        "test-endpoint",
+		Type:        portainer.EdgeAgentOnDockerEnvironment,
+		UserTrusted: true,
+		GroupID:     endpointGroups[0].ID,
+	}
+	edgeGroupID := portainer.EdgeGroupID(1)
+
+	untrustedEndpoint := &portainer.Endpoint{
+		ID:          2,
+		Name:        "untrusted-endpoint",
+		Type:        portainer.EdgeAgentOnDockerEnvironment,
+		UserTrusted: false,
+		GroupID:     endpointGroups[0].ID,
+	}
+
+	nonEdgeEndpoint := &portainer.Endpoint{
+		ID:          2,
+		Name:        "untrusted-endpoint",
+		Type:        portainer.AgentOnDockerEnvironment,
+		UserTrusted: true,
+		GroupID:     endpointGroups[0].ID,
+	}
+
+	err := store.EdgeGroup().Create(&portainer.EdgeGroup{
+		ID:          edgeGroupID,
+		Name:        "test-edge-group",
+		Dynamic:     false,
+		EndpointIDs: roar.FromSlice([]portainer.EndpointID{endpoint.ID, untrustedEndpoint.ID}),
+	})
+	require.NoError(t, err)
+
+	// Related endpoint in a static edge group
+
+	inEdgeGroup, _, err := EndpointInEdgeGroup(store, endpoint, edgeGroupID, endpointGroups)
+	require.NoError(t, err)
+	require.True(t, inEdgeGroup)
+
+	// Unrelated endpoint in a static edge group
+
+	unrelatedEndpoint := &portainer.Endpoint{
+		ID:          3,
+		Name:        "unrelated-endpoint",
+		Type:        portainer.EdgeAgentOnDockerEnvironment,
+		UserTrusted: true,
+		GroupID:     0,
+	}
+
+	inEdgeGroup, _, err = EndpointInEdgeGroup(store, unrelatedEndpoint, edgeGroupID, endpointGroups)
+	require.NoError(t, err)
+	require.False(t, inEdgeGroup)
+
+	// Untrusted endpoint
+
+	inEdgeGroup, _, err = EndpointInEdgeGroup(store, untrustedEndpoint, edgeGroupID, endpointGroups)
+	require.NoError(t, err)
+	require.False(t, inEdgeGroup)
+
+	// Non-edge endpoint
+
+	inEdgeGroup, _, err = EndpointInEdgeGroup(store, nonEdgeEndpoint, edgeGroupID, endpointGroups)
+	require.NoError(t, err)
+	require.False(t, inEdgeGroup)
+}

From ef53354193934bff70768f1e47b1d72c7b3050d8 Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Tue, 29 Jul 2025 22:51:05 +1200
Subject: [PATCH 204/212] fix(snapshot): show snapshot stats [r8s-432] (#952)

---
 pkg/snapshot/kubernetes.go      | 102 ++++++----
 pkg/snapshot/kubernetes_test.go | 325 +++++++++++++++++++++++++++++---
 2 files changed, 372 insertions(+), 55 deletions(-)

diff --git a/pkg/snapshot/kubernetes.go b/pkg/snapshot/kubernetes.go
index 77fda14bd..feb350adf 100644
--- a/pkg/snapshot/kubernetes.go
+++ b/pkg/snapshot/kubernetes.go
@@ -40,8 +40,8 @@ func CreateKubernetesSnapshot(cli *kubernetes.Clientset) (*portainer.KubernetesS
 	return kubernetesSnapshot, nil
 }
 
-func kubernetesSnapshotVersion(snapshot *portainer.KubernetesSnapshot, cli *kubernetes.Clientset) error {
-	versionInfo, err := cli.ServerVersion()
+func kubernetesSnapshotVersion(snapshot *portainer.KubernetesSnapshot, cli kubernetes.Interface) error {
+	versionInfo, err := cli.Discovery().ServerVersion()
 	if err != nil {
 		return err
 	}
@@ -50,7 +50,7 @@ func kubernetesSnapshotVersion(snapshot *portainer.KubernetesSnapshot, cli *kube
 	return nil
 }
 
-func kubernetesSnapshotNodes(snapshot *portainer.KubernetesSnapshot, cli *kubernetes.Clientset) error {
+func kubernetesSnapshotNodes(snapshot *portainer.KubernetesSnapshot, cli kubernetes.Interface) error {
 	nodeList, err := cli.CoreV1().Nodes().List(context.TODO(), metav1.ListOptions{})
 	if err != nil {
 		return err
@@ -61,6 +61,32 @@ func kubernetesSnapshotNodes(snapshot *portainer.KubernetesSnapshot, cli *kubern
 	}
 
 	var totalCPUs, totalMemory int64
+	for _, node := range nodeList.Items {
+		totalCPUs += node.Status.Capacity.Cpu().Value()
+		totalMemory += node.Status.Capacity.Memory().Value()
+	}
+	snapshot.TotalCPU = totalCPUs
+	snapshot.TotalMemory = totalMemory
+	snapshot.NodeCount = len(nodeList.Items)
+
+	// Collect performance metrics if we have a real client, otherwise use zero values
+	if clientset, ok := cli.(*kubernetes.Clientset); ok {
+		kubernetesSnapshotPerformanceMetricsWithClient(nodeList, clientset, snapshot)
+	} else {
+		snapshot.PerformanceMetrics = &portainer.PerformanceMetrics{
+			CPUUsage:     0,
+			MemoryUsage:  0,
+			NetworkUsage: 0,
+		}
+	}
+	return nil
+}
+
+func kubernetesSnapshotPerformanceMetricsWithClient(
+	nodeList *corev1.NodeList,
+	cli *kubernetes.Clientset,
+	snapshot *portainer.KubernetesSnapshot,
+) {
 	performanceMetrics := &portainer.PerformanceMetrics{
 		CPUUsage:     0,
 		MemoryUsage:  0,
@@ -68,22 +94,18 @@ func kubernetesSnapshotNodes(snapshot *portainer.KubernetesSnapshot, cli *kubern
 	}
 
 	for _, node := range nodeList.Items {
-		totalCPUs += node.Status.Capacity.Cpu().Value()
-		totalMemory += node.Status.Capacity.Memory().Value()
-
-		performanceMetrics, err = kubernetesSnapshotNodePerformanceMetrics(cli, node, performanceMetrics)
+		nodeMetrics, err := kubernetesSnapshotNodePerformanceMetrics(cli, node, nil)
 		if err != nil {
-			return fmt.Errorf("failed to get node performance metrics: %w", err)
+			log.Warn().Err(err).Msgf("failed to snapshot performance metrics for node %s", node.Name)
+			continue
 		}
-		if performanceMetrics != nil {
-			snapshot.PerformanceMetrics = performanceMetrics
+		if nodeMetrics != nil {
+			performanceMetrics.CPUUsage += nodeMetrics.CPUUsage
+			performanceMetrics.MemoryUsage += nodeMetrics.MemoryUsage
+			performanceMetrics.NetworkUsage += nodeMetrics.NetworkUsage
 		}
 	}
-
-	snapshot.TotalCPU = totalCPUs
-	snapshot.TotalMemory = totalMemory
-	snapshot.NodeCount = len(nodeList.Items)
-	return nil
+	snapshot.PerformanceMetrics = performanceMetrics
 }
 
 // KubernetesSnapshotDiagnostics returns the diagnostics data for the agent
@@ -143,7 +165,7 @@ func kubernetesSnapshotPodErrorLogs(snapshot *portainer.KubernetesSnapshot, cli
 	return nil
 }
 
-func kubernetesSnapshotNodePerformanceMetrics(cli *kubernetes.Clientset, node corev1.Node, performanceMetrics *portainer.PerformanceMetrics) (*portainer.PerformanceMetrics, error) {
+func kubernetesSnapshotNodePerformanceMetrics(cli *kubernetes.Clientset, node corev1.Node, _ *portainer.PerformanceMetrics) (*portainer.PerformanceMetrics, error) {
 	result := cli.RESTClient().Get().AbsPath(fmt.Sprintf("/api/v1/nodes/%s/proxy/stats/summary", node.Name)).Do(context.TODO())
 	if result.Error() != nil {
 		return nil, fmt.Errorf("failed to get node performance metrics: %w", result.Error())
@@ -161,24 +183,40 @@ func kubernetesSnapshotNodePerformanceMetrics(cli *kubernetes.Clientset, node co
 	}
 
 	nodeStats := stats.Node
-	if reflect.DeepEqual(nodeStats, statsapi.NodeStats{}) {
-		return nil, nil
-	}
-
-	if nodeStats.CPU != nil && nodeStats.CPU.UsageNanoCores != nil {
-		performanceMetrics.CPUUsage += math.Round(float64(*nodeStats.CPU.UsageNanoCores) / float64(node.Status.Capacity.Cpu().Value()*1000000000) * 100)
-	}
-	if nodeStats.Memory != nil && nodeStats.Memory.WorkingSetBytes != nil {
-		performanceMetrics.MemoryUsage += math.Round(float64(*nodeStats.Memory.WorkingSetBytes) / float64(node.Status.Capacity.Memory().Value()) * 100)
-	}
-	if nodeStats.Network != nil && nodeStats.Network.RxBytes != nil && nodeStats.Network.TxBytes != nil {
-		performanceMetrics.NetworkUsage += math.Round((float64(*nodeStats.Network.RxBytes) + float64(*nodeStats.Network.TxBytes)) / 1024 / 1024) // MB
-	}
-	return performanceMetrics, nil
+	metrics := calculateNodeMetrics(nodeStats, node)
+	return metrics, nil
+}
+
+// calculateNodeMetrics calculates performance metrics from node stats - extracted for testability
+func calculateNodeMetrics(nodeStats statsapi.NodeStats, node corev1.Node) *portainer.PerformanceMetrics {
+	if reflect.DeepEqual(nodeStats, statsapi.NodeStats{}) {
+		return nil
+	}
+
+	metrics := &portainer.PerformanceMetrics{}
+
+	// Calculate CPU usage percentage
+	if nodeStats.CPU != nil && nodeStats.CPU.UsageNanoCores != nil {
+		totalCapacityNanoCores := node.Status.Capacity.Cpu().Value() * 1_000_000_000
+		metrics.CPUUsage = math.Round(float64(*nodeStats.CPU.UsageNanoCores) / float64(totalCapacityNanoCores) * 100)
+	}
+
+	// Calculate Memory usage percentage
+	if nodeStats.Memory != nil && nodeStats.Memory.WorkingSetBytes != nil {
+		totalCapacityBytes := node.Status.Capacity.Memory().Value()
+		metrics.MemoryUsage = math.Round(float64(*nodeStats.Memory.WorkingSetBytes) / float64(totalCapacityBytes) * 100)
+	}
+
+	// Calculate Network usage in MB
+	if nodeStats.Network != nil && nodeStats.Network.RxBytes != nil && nodeStats.Network.TxBytes != nil {
+		totalBytes := float64(*nodeStats.Network.RxBytes) + float64(*nodeStats.Network.TxBytes)
+		const bytesToMB = 1024 * 1024
+		metrics.NetworkUsage = math.Round(totalBytes / bytesToMB)
+	}
+
+	return metrics
 }
 
-// filterLogsByPattern filters the logs by the given patterns and returns a list of logs that match the patterns
-// the logs are returned as a list of maps with the keys "timestamp" and "message"
 func filterLogsByPattern(logBytes []byte, patterns []string) []map[string]string {
 	logs := []map[string]string{}
 	for _, line := range strings.Split(strings.TrimSpace(string(logBytes)), "\n") {
diff --git a/pkg/snapshot/kubernetes_test.go b/pkg/snapshot/kubernetes_test.go
index 142241a5c..58abb98a6 100644
--- a/pkg/snapshot/kubernetes_test.go
+++ b/pkg/snapshot/kubernetes_test.go
@@ -2,43 +2,322 @@ package snapshot
 
 import (
 	"context"
+	"errors"
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
 	kfake "k8s.io/client-go/kubernetes/fake"
+	ktesting "k8s.io/client-go/testing"
+	statsapi "k8s.io/kubelet/pkg/apis/stats/v1alpha1"
 )
 
-func TestCreateKubernetesSnapshot(t *testing.T) {
-	cli := kfake.NewSimpleClientset()
-	kubernetesSnapshot := &portainer.KubernetesSnapshot{}
+func TestKubernetesSnapshotNodes(t *testing.T) {
+	// Create a fake client
+	fakeClient := kfake.NewClientset()
 
-	serverInfo, err := cli.Discovery().ServerVersion()
-	if err != nil {
-		t.Fatalf("error getting the kubernetesserver version: %v", err)
+	// Create test nodes with specific resource values
+	node1 := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-node-1",
+		},
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("6"),    // 6 CPU cores
+				corev1.ResourceMemory: resource.MustParse("12Gi"), // 12GB memory
+			},
+		},
 	}
 
-	kubernetesSnapshot.KubernetesVersion = serverInfo.GitVersion
-	require.Equal(t, kubernetesSnapshot.KubernetesVersion, serverInfo.GitVersion)
-
-	nodeList, err := cli.CoreV1().Nodes().List(context.TODO(), metav1.ListOptions{})
-	if err != nil {
-		t.Fatalf("error listing kubernetes nodes: %v", err)
+	node2 := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-node-2",
+		},
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("4"),   // 4 CPU cores
+				corev1.ResourceMemory: resource.MustParse("8Gi"), // 8GB memory
+			},
+		},
 	}
 
-	var totalCPUs, totalMemory int64
-	for _, node := range nodeList.Items {
-		totalCPUs += node.Status.Capacity.Cpu().Value()
-		totalMemory += node.Status.Capacity.Memory().Value()
+	node3 := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "test-node-3",
+		},
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("2"),   // 2 CPU cores
+				corev1.ResourceMemory: resource.MustParse("4Gi"), // 4GB memory
+			},
+		},
 	}
 
-	kubernetesSnapshot.TotalCPU = totalCPUs
-	kubernetesSnapshot.TotalMemory = totalMemory
-	kubernetesSnapshot.NodeCount = len(nodeList.Items)
-	require.Equal(t, kubernetesSnapshot.TotalCPU, totalCPUs)
-	require.Equal(t, kubernetesSnapshot.TotalMemory, totalMemory)
-	require.Equal(t, kubernetesSnapshot.NodeCount, len(nodeList.Items))
+	// Add nodes to fake client
+	_, err := fakeClient.CoreV1().Nodes().Create(context.TODO(), node1, metav1.CreateOptions{})
+	require.NoError(t, err)
+	_, err = fakeClient.CoreV1().Nodes().Create(context.TODO(), node2, metav1.CreateOptions{})
+	require.NoError(t, err)
+	_, err = fakeClient.CoreV1().Nodes().Create(context.TODO(), node3, metav1.CreateOptions{})
+	require.NoError(t, err)
 
-	t.Logf("Kubernetes snapshot: %+v", kubernetesSnapshot)
+	snapshot := &portainer.KubernetesSnapshot{}
+
+	// Use the actual function now that it accepts kubernetes.Interface
+	err = kubernetesSnapshotNodes(snapshot, fakeClient)
+	require.NoError(t, err)
+
+	// Verify the results - these should match what kubernetesSnapshotNodes would produce
+	require.Equal(t, 3, snapshot.NodeCount)                    // 3 nodes
+	require.Equal(t, int64(12), snapshot.TotalCPU)             // 6 + 4 + 2 = 12 CPUs
+	require.Equal(t, int64(25769803776), snapshot.TotalMemory) // 12GB + 8GB + 4GB = 24GB in bytes
+	require.NotNil(t, snapshot.PerformanceMetrics)             // Performance metrics should be initialized
+
+	t.Logf("kubernetesSnapshotNodes test result: Nodes=%d, CPUs=%d, Memory=%d bytes",
+		snapshot.NodeCount, snapshot.TotalCPU, snapshot.TotalMemory)
+}
+
+func TestKubernetesSnapshotNodesEmptyCluster(t *testing.T) {
+	// Test with no nodes to verify early return behavior
+	fakeClient := kfake.NewClientset()
+	snapshot := &portainer.KubernetesSnapshot{}
+
+	err := kubernetesSnapshotNodes(snapshot, fakeClient)
+	require.NoError(t, err)
+
+	// Values should remain at their zero state when no nodes exist
+	require.Equal(t, 0, snapshot.NodeCount)
+	require.Equal(t, int64(0), snapshot.TotalCPU)
+	require.Equal(t, int64(0), snapshot.TotalMemory)
+	require.Nil(t, snapshot.PerformanceMetrics) // Performance metrics should not be set for empty cluster
+
+	t.Log("Empty cluster test passed - no nodes found, early return behavior confirmed")
+}
+
+func TestCreateKubernetesSnapshotIntegration(t *testing.T) {
+	// Integration test to verify CreateKubernetesSnapshot calls kubernetesSnapshotNodes correctly
+	fakeClient := kfake.NewClientset()
+
+	// Create test nodes
+	node1 := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "integration-node-1",
+		},
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("8"),    // 8 CPU cores
+				corev1.ResourceMemory: resource.MustParse("16Gi"), // 16GB memory
+			},
+		},
+	}
+
+	node2 := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "integration-node-2",
+		},
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("4"),   // 4 CPU cores
+				corev1.ResourceMemory: resource.MustParse("8Gi"), // 8GB memory
+			},
+		},
+	}
+
+	// Add nodes to fake client
+	_, err := fakeClient.CoreV1().Nodes().Create(context.TODO(), node1, metav1.CreateOptions{})
+	require.NoError(t, err)
+	_, err = fakeClient.CoreV1().Nodes().Create(context.TODO(), node2, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	// Test that kubernetesSnapshotVersion would work
+	serverInfo, err := fakeClient.Discovery().ServerVersion()
+	require.NoError(t, err)
+	require.NotEmpty(t, serverInfo.GitVersion)
+
+	// Test that kubernetesSnapshotNodes logic works
+	snapshot := &portainer.KubernetesSnapshot{}
+	err = kubernetesSnapshotNodes(snapshot, fakeClient)
+	require.NoError(t, err)
+
+	// Verify the integration results
+	require.Equal(t, 2, snapshot.NodeCount)
+	require.Equal(t, int64(12), snapshot.TotalCPU)             // 8 + 4 = 12 CPUs
+	require.Equal(t, int64(25769803776), snapshot.TotalMemory) // 16GB + 8GB = 24GB in bytes
+	require.NotNil(t, snapshot.PerformanceMetrics)
+
+	// Manually set the version to complete the integration test
+	snapshot.KubernetesVersion = serverInfo.GitVersion
+	require.NotEmpty(t, snapshot.KubernetesVersion)
+
+	t.Logf("Integration test result: Version=%s, Nodes=%d, CPUs=%d, Memory=%d bytes",
+		snapshot.KubernetesVersion, snapshot.NodeCount, snapshot.TotalCPU, snapshot.TotalMemory)
+}
+
+func TestKubernetesSnapshotNodesWithAPIError(t *testing.T) {
+	// Test error handling when the Kubernetes API returns an error
+	fakeClient := kfake.NewClientset()
+
+	// Add a reactor to simulate API error
+	fakeClient.Fake.PrependReactor("list", "nodes", func(action ktesting.Action) (handled bool, ret runtime.Object, err error) {
+		return true, nil, errors.New("simulated API error")
+	})
+
+	snapshot := &portainer.KubernetesSnapshot{}
+	err := kubernetesSnapshotNodes(snapshot, fakeClient)
+
+	// Should return the API error
+	require.Error(t, err)
+	require.Contains(t, err.Error(), "simulated API error")
+
+	// Snapshot should remain unchanged
+	require.Equal(t, 0, snapshot.NodeCount)
+	require.Equal(t, int64(0), snapshot.TotalCPU)
+	require.Equal(t, int64(0), snapshot.TotalMemory)
+	require.Nil(t, snapshot.PerformanceMetrics)
+
+	t.Log("API error test passed - error handling works correctly")
+}
+
+func TestKubernetesSnapshotNodesSingleNode(t *testing.T) {
+	// Test with a single node to verify calculations work for edge case
+	fakeClient := kfake.NewClientset()
+
+	node := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "single-node",
+		},
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("1"),   // 1 CPU core
+				corev1.ResourceMemory: resource.MustParse("1Gi"), // 1GB memory
+			},
+		},
+	}
+
+	_, err := fakeClient.CoreV1().Nodes().Create(context.TODO(), node, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	snapshot := &portainer.KubernetesSnapshot{}
+	err = kubernetesSnapshotNodes(snapshot, fakeClient)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, snapshot.NodeCount)
+	require.Equal(t, int64(1), snapshot.TotalCPU)
+	require.Equal(t, int64(1073741824), snapshot.TotalMemory) // 1GB in bytes
+	require.NotNil(t, snapshot.PerformanceMetrics)
+
+	t.Logf("Single node test result: Nodes=%d, CPUs=%d, Memory=%d bytes",
+		snapshot.NodeCount, snapshot.TotalCPU, snapshot.TotalMemory)
+}
+
+func TestKubernetesSnapshotNodesZeroResources(t *testing.T) {
+	// Test with nodes that have zero or very small resources
+	fakeClient := kfake.NewClientset()
+
+	node := &corev1.Node{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "zero-resource-node",
+		},
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("0m"),  // 0 millicores
+				corev1.ResourceMemory: resource.MustParse("0Ki"), // 0 kilobytes
+			},
+		},
+	}
+
+	_, err := fakeClient.CoreV1().Nodes().Create(context.TODO(), node, metav1.CreateOptions{})
+	require.NoError(t, err)
+
+	snapshot := &portainer.KubernetesSnapshot{}
+	err = kubernetesSnapshotNodes(snapshot, fakeClient)
+	require.NoError(t, err)
+
+	require.Equal(t, 1, snapshot.NodeCount)
+	require.Equal(t, int64(0), snapshot.TotalCPU)
+	require.Equal(t, int64(0), snapshot.TotalMemory)
+	require.NotNil(t, snapshot.PerformanceMetrics)
+
+	t.Log("Zero resources test passed - handles edge case correctly")
+}
+
+func TestCalculateNodeMetrics(t *testing.T) {
+	// Create a test node with specific capacity
+	node := corev1.Node{
+		Status: corev1.NodeStatus{
+			Capacity: corev1.ResourceList{
+				corev1.ResourceCPU:    resource.MustParse("4"),   // 4 CPU cores
+				corev1.ResourceMemory: resource.MustParse("8Gi"), // 8GB memory
+			},
+		},
+	}
+
+	t.Run("CalculatesCorrectCPUPercentage", func(t *testing.T) {
+		usageNanoCores := uint64(2_000_000_000) // 2 cores worth of nanocores
+		nodeStats := statsapi.NodeStats{
+			CPU: &statsapi.CPUStats{
+				UsageNanoCores: &usageNanoCores,
+			},
+		}
+
+		metrics := calculateNodeMetrics(nodeStats, node)
+		require.NotNil(t, metrics)
+		require.Equal(t, float64(50), metrics.CPUUsage) // 2/4 = 50%
+	})
+
+	t.Run("CalculatesCorrectMemoryPercentage", func(t *testing.T) {
+		workingSetBytes := uint64(4 * 1024 * 1024 * 1024) // 4GB
+		nodeStats := statsapi.NodeStats{
+			Memory: &statsapi.MemoryStats{
+				WorkingSetBytes: &workingSetBytes,
+			},
+		}
+
+		metrics := calculateNodeMetrics(nodeStats, node)
+		require.NotNil(t, metrics)
+		require.Equal(t, float64(50), metrics.MemoryUsage) // 4GB/8GB = 50%
+	})
+
+	t.Run("CalculatesCorrectNetworkUsage", func(t *testing.T) {
+		rxBytes := uint64(1024 * 1024 * 1024) // 1GB
+		txBytes := uint64(1024 * 1024 * 1024) // 1GB
+		nodeStats := statsapi.NodeStats{
+			Network: &statsapi.NetworkStats{
+				InterfaceStats: statsapi.InterfaceStats{
+					RxBytes: &rxBytes,
+					TxBytes: &txBytes,
+				},
+			},
+		}
+
+		metrics := calculateNodeMetrics(nodeStats, node)
+		require.NotNil(t, metrics)
+		require.Equal(t, float64(2048), metrics.NetworkUsage) // 2GB = 2048MB
+	})
+
+	t.Run("HandlesEmptyStats", func(t *testing.T) {
+		nodeStats := statsapi.NodeStats{}
+		metrics := calculateNodeMetrics(nodeStats, node)
+		require.Nil(t, metrics)
+	})
+
+	t.Run("HandlesPartialStats", func(t *testing.T) {
+		usageNanoCores := uint64(1_000_000_000) // 1 core
+		nodeStats := statsapi.NodeStats{
+			CPU: &statsapi.CPUStats{
+				UsageNanoCores: &usageNanoCores,
+			},
+			// Memory and Network are nil
+		}
+
+		metrics := calculateNodeMetrics(nodeStats, node)
+		require.NotNil(t, metrics)
+		require.Equal(t, float64(25), metrics.CPUUsage) // 1/4 = 25%
+		require.Equal(t, float64(0), metrics.MemoryUsage)
+		require.Equal(t, float64(0), metrics.NetworkUsage)
+	})
 }

From da30780ac2ab2a332a2bf57b1fa7b5c22cedcc4e Mon Sep 17 00:00:00 2001
From: Viktor Pettersson <viktor.pettersson@portainer.io>
Date: Wed, 30 Jul 2025 15:57:32 +1200
Subject: [PATCH 205/212] feat(autopatch): implement patch finder for
 retrieving latest patches from GitHub (#957) BE-12085

---
 api/portainer.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/api/portainer.go b/api/portainer.go
index 3ccda4107..3d9b6be4b 100644
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -1794,8 +1794,10 @@ const (
 	AssetsServerURL = "https://portainer-io-assets.sfo2.digitaloceanspaces.com"
 	// MessageOfTheDayURL represents the URL where Portainer MOTD message can be retrieved
 	MessageOfTheDayURL = AssetsServerURL + "/motd.json"
+	// ReleasesURL represents the URL used to retrieve all releases of Portainer
+	ReleasesURL = "https://api.github.com/repos/portainer/portainer/releases"
 	// VersionCheckURL represents the URL used to retrieve the latest version of Portainer
-	VersionCheckURL = "https://api.github.com/repos/portainer/portainer/releases/latest"
+	VersionCheckURL = ReleasesURL + "/latest"
 	// PortainerAgentHeader represents the name of the header available in any agent response
 	PortainerAgentHeader = "Portainer-Agent"
 	// PortainerAgentEdgeIDHeader represent the name of the header containing the Edge ID associated to an agent/agent cluster

From 3eab294908940b99fbfa23ae537dea9876564201 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Wed, 30 Jul 2025 11:35:30 -0300
Subject: [PATCH 206/212] fix(linters): add the bodyclose linter BE-12112
 (#959)

---
 .golangci.yaml                         |  1 +
 api/http/security/rate_limiter_test.go |  7 ++++-
 pkg/libhelm/validate_repo.go           |  2 ++
 pkg/libhelm/validate_repo_test.go      | 41 ++++++++++++++++++++++++++
 4 files changed, 50 insertions(+), 1 deletion(-)

diff --git a/.golangci.yaml b/.golangci.yaml
index b3d9bbfe3..ea958e528 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -13,6 +13,7 @@ linters:
     - intrange
     - perfsprint
     - ineffassign
+    - bodyclose
 
 linters-settings:
   depguard:
diff --git a/api/http/security/rate_limiter_test.go b/api/http/security/rate_limiter_test.go
index 351eb6577..6f63028ac 100644
--- a/api/http/security/rate_limiter_test.go
+++ b/api/http/security/rate_limiter_test.go
@@ -33,8 +33,13 @@ func TestLimitAccess(t *testing.T) {
 
 		ts := httptest.NewServer(handler)
 		defer ts.Close()
-		http.Get(ts.URL)
+
 		resp, err := http.Get(ts.URL)
+		if err == nil {
+			resp.Body.Close()
+		}
+
+		resp, err = http.Get(ts.URL)
 		if err != nil {
 			t.Fatal(err)
 		}
diff --git a/pkg/libhelm/validate_repo.go b/pkg/libhelm/validate_repo.go
index 1b4de5dc5..163b414e4 100644
--- a/pkg/libhelm/validate_repo.go
+++ b/pkg/libhelm/validate_repo.go
@@ -42,6 +42,8 @@ func ValidateHelmRepositoryURL(repoUrl string, client *http.Client) error {
 		return fmt.Errorf("%s is not a valid chart repository or cannot be reached: %w", repoUrl, err)
 	}
 
+	response.Body.Close()
+
 	// Success is indicated with 2xx status codes. 3xx status codes indicate a redirect.
 	statusOK := response.StatusCode >= 200 && response.StatusCode < 300
 	if !statusOK {
diff --git a/pkg/libhelm/validate_repo_test.go b/pkg/libhelm/validate_repo_test.go
index 55d9d4736..8b98befb7 100644
--- a/pkg/libhelm/validate_repo_test.go
+++ b/pkg/libhelm/validate_repo_test.go
@@ -1,10 +1,13 @@
 package libhelm
 
 import (
+	"net/http"
+	"net/http/httptest"
 	"testing"
 
 	"github.com/portainer/portainer/pkg/libhelm/test"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func Test_ValidateHelmRepositoryURL(t *testing.T) {
@@ -49,3 +52,41 @@ func Test_ValidateHelmRepositoryURL(t *testing.T) {
 		}(test)
 	}
 }
+
+func TestValidateHelmRepositoryURL(t *testing.T) {
+	var fail bool
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if fail {
+			w.WriteHeader(http.StatusNotFound)
+
+			return
+		}
+
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+
+	// Success
+	err := ValidateHelmRepositoryURL(srv.URL, nil)
+	require.NoError(t, err)
+
+	// Failure
+	fail = true
+
+	var failureURLs = []string{
+		"",
+		"!",
+		"oci://example.com",
+		"ftp://example.com",
+		srv.URL,
+	}
+
+	for _, url := range failureURLs {
+		err = ValidateHelmRepositoryURL(url, nil)
+		require.Error(t, err)
+
+		err = ValidateHelmRepositoryURL(srv.URL, nil)
+		require.Error(t, err)
+	}
+}

From 163aa57e5c28fcdbfd63915ca198fa6c7ec43c87 Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Fri, 1 Aug 2025 22:23:59 -0300
Subject: [PATCH 207/212] fix(tls): centralize the TLS configuration to ensure
 FIPS compliance BE-11979 (#960)

---
 .golangci.yaml                                |  5 ++
 api/agent/version.go                          |  2 +-
 api/crypto/tls.go                             | 75 ++++++++++++++----
 api/crypto/tls_test.go                        | 79 +++++++++++++++++++
 api/docker/client/client.go                   |  3 +-
 api/docker/client/client_test.go              | 26 ++++++
 api/http/client/client.go                     | 15 +++-
 api/http/client/client_test.go                | 31 ++++++++
 api/http/handler/endpoints/endpoint_create.go | 12 +--
 api/http/handler/websocket/initdial.go        | 16 ++--
 api/http/handler/websocket/initdial_test.go   | 64 +++++++++++++++
 api/http/proxy/factory/agent.go               |  2 +-
 api/http/proxy/factory/docker.go              |  2 +-
 api/http/proxy/factory/kubernetes.go          | 13 ++-
 .../factory/kubernetes/agent_transport.go     | 11 ++-
 .../factory/kubernetes/local_transport.go     |  2 +-
 .../kubernetes/local_transport_test.go        | 13 +++
 api/internal/endpointutils/endpoint_setup.go  | 10 +--
 .../endpointutils/endpoint_setup_test.go      | 12 +++
 api/internal/snapshot/snapshot.go             | 12 +--
 api/ldap/ldap.go                              | 61 ++++++++------
 api/ldap/ldap_test.go                         | 72 +++++++++++++++++
 api/stacks/deployments/deploy.go              | 11 +--
 api/stacks/deployments/deploy_test.go         |  6 +-
 pkg/networking/diagnostics.go                 | 11 ++-
 25 files changed, 454 insertions(+), 112 deletions(-)
 create mode 100644 api/crypto/tls_test.go
 create mode 100644 api/docker/client/client_test.go
 create mode 100644 api/http/client/client_test.go
 create mode 100644 api/http/handler/websocket/initdial_test.go
 create mode 100644 api/http/proxy/factory/kubernetes/local_transport_test.go
 create mode 100644 api/internal/endpointutils/endpoint_setup_test.go
 create mode 100644 api/ldap/ldap_test.go

diff --git a/.golangci.yaml b/.golangci.yaml
index ea958e528..c3a176c27 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -14,8 +14,13 @@ linters:
     - perfsprint
     - ineffassign
     - bodyclose
+    - forbidigo
 
 linters-settings:
+  forbidigo:
+    forbid:
+      - p: ^tls\.Config$
+        msg: 'Use crypto.CreateTLSConfiguration() instead'
   depguard:
     rules:
       main:
diff --git a/api/agent/version.go b/api/agent/version.go
index a9480850a..7e6885351 100644
--- a/api/agent/version.go
+++ b/api/agent/version.go
@@ -16,7 +16,7 @@ import (
 // GetAgentVersionAndPlatform returns the agent version and platform
 //
 // it sends a ping to the agent and parses the version and platform from the headers
-func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (portainer.AgentPlatform, string, error) {
+func GetAgentVersionAndPlatform(endpointUrl string, tlsConfig *tls.Config) (portainer.AgentPlatform, string, error) { //nolint:forbidigo
 	httpCli := &http.Client{
 		Timeout: 3 * time.Second,
 	}
diff --git a/api/crypto/tls.go b/api/crypto/tls.go
index 54e4cd43a..d06108ae4 100644
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -1,14 +1,36 @@
 package crypto
 
 import (
+	"crypto/fips140"
 	"crypto/tls"
 	"crypto/x509"
 	"os"
+
+	portainer "github.com/portainer/portainer/api"
 )
 
 // CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
-func CreateTLSConfiguration() *tls.Config {
-	return &tls.Config{
+func CreateTLSConfiguration() *tls.Config { //nolint:forbidigo
+	// TODO: use fips.FIPSMode() instead
+	return createTLSConfiguration(fips140.Enabled())
+}
+
+func createTLSConfiguration(fipsEnabled bool) *tls.Config { //nolint:forbidigo
+	if fipsEnabled {
+		return &tls.Config{ //nolint:forbidigo
+			MinVersion: tls.VersionTLS12,
+			MaxVersion: tls.VersionTLS13,
+			CipherSuites: []uint16{
+				tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+				tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+			},
+			CurvePreferences: []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521},
+		}
+	}
+
+	return &tls.Config{ //nolint:forbidigo
 		MinVersion: tls.VersionTLS12,
 		CipherSuites: []uint16{
 			tls.TLS_AES_128_GCM_SHA256,
@@ -34,19 +56,29 @@ func CreateTLSConfiguration() *tls.Config {
 
 // CreateTLSConfigurationFromBytes initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from memory.
-func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) {
-	config := CreateTLSConfiguration()
-	config.InsecureSkipVerify = skipServerVerification
+func CreateTLSConfigurationFromBytes(useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
+	// TODO: use fips.FIPSMode() instead
+	return createTLSConfigurationFromBytes(fips140.Enabled(), useTLS, caCert, cert, key, skipClientVerification, skipServerVerification)
+}
 
-	if !skipClientVerification {
+func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key []byte, skipClientVerification, skipServerVerification bool) (*tls.Config, error) { //nolint:forbidigo
+	if !useTLS {
+		return nil, nil
+	}
+
+	config := CreateTLSConfiguration()
+	config.InsecureSkipVerify = skipServerVerification && !fipsEnabled
+
+	if !skipClientVerification || fipsEnabled {
 		certificate, err := tls.X509KeyPair(cert, key)
 		if err != nil {
 			return nil, err
 		}
+
 		config.Certificates = []tls.Certificate{certificate}
 	}
 
-	if !skipServerVerification {
+	if !skipServerVerification || fipsEnabled {
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM(caCert)
 		config.RootCAs = caCertPool
@@ -57,29 +89,38 @@ func CreateTLSConfigurationFromBytes(caCert, cert, key []byte, skipClientVerific
 
 // CreateTLSConfigurationFromDisk initializes a tls.Config using a CA certificate, a certificate and a key
 // loaded from disk.
-func CreateTLSConfigurationFromDisk(caCertPath, certPath, keyPath string, skipServerVerification bool) (*tls.Config, error) {
-	config := CreateTLSConfiguration()
-	config.InsecureSkipVerify = skipServerVerification
+func CreateTLSConfigurationFromDisk(config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
+	// TODO: use fips.FIPSMode() instead
+	return createTLSConfigurationFromDisk(fips140.Enabled(), config)
+}
 
-	if certPath != "" && keyPath != "" {
-		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
+func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfiguration) (*tls.Config, error) { //nolint:forbidigo
+	if !config.TLS {
+		return nil, nil
+	}
+
+	tlsConfig := CreateTLSConfiguration()
+	tlsConfig.InsecureSkipVerify = config.TLSSkipVerify && !fipsEnabled
+
+	if config.TLSCertPath != "" && config.TLSKeyPath != "" {
+		cert, err := tls.LoadX509KeyPair(config.TLSCertPath, config.TLSKeyPath)
 		if err != nil {
 			return nil, err
 		}
 
-		config.Certificates = []tls.Certificate{cert}
+		tlsConfig.Certificates = []tls.Certificate{cert}
 	}
 
-	if !skipServerVerification && caCertPath != "" {
-		caCert, err := os.ReadFile(caCertPath)
+	if !tlsConfig.InsecureSkipVerify && config.TLSCACertPath != "" {
+		caCert, err := os.ReadFile(config.TLSCACertPath)
 		if err != nil {
 			return nil, err
 		}
 
 		caCertPool := x509.NewCertPool()
 		caCertPool.AppendCertsFromPEM(caCert)
-		config.RootCAs = caCertPool
+		tlsConfig.RootCAs = caCertPool
 	}
 
-	return config, nil
+	return tlsConfig, nil
 }
diff --git a/api/crypto/tls_test.go b/api/crypto/tls_test.go
new file mode 100644
index 000000000..551397fce
--- /dev/null
+++ b/api/crypto/tls_test.go
@@ -0,0 +1,79 @@
+package crypto
+
+import (
+	"crypto/tls"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateTLSConfiguration(t *testing.T) {
+	config := CreateTLSConfiguration()
+	require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12))
+}
+
+func TestCreateTLSConfigurationFIPS(t *testing.T) {
+	fips := true
+
+	fipsCipherSuites := []uint16{
+		tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+		tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+	}
+
+	fipsCurvePreferences := []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}
+
+	config := createTLSConfiguration(fips)
+	require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12))
+	require.Equal(t, config.MaxVersion, uint16(tls.VersionTLS13))
+	require.Equal(t, config.CipherSuites, fipsCipherSuites)
+	require.Equal(t, config.CurvePreferences, fipsCurvePreferences)
+}
+
+func TestCreateTLSConfigurationFromBytes(t *testing.T) {
+	// No TLS
+	config, err := CreateTLSConfigurationFromBytes(false, nil, nil, nil, false, false)
+	require.Nil(t, err)
+	require.Nil(t, config)
+
+	// Skip TLS client/server verifications
+	config, err = CreateTLSConfigurationFromBytes(true, nil, nil, nil, true, true)
+	require.NoError(t, err)
+	require.NotNil(t, config)
+
+	// Empty TLS
+	config, err = CreateTLSConfigurationFromBytes(true, nil, nil, nil, false, false)
+	require.Error(t, err)
+	require.Nil(t, config)
+}
+
+func TestCreateTLSConfigurationFromDisk(t *testing.T) {
+	// No TLS
+	config, err := CreateTLSConfigurationFromDisk(portainer.TLSConfiguration{})
+	require.Nil(t, err)
+	require.Nil(t, config)
+
+	// Skip TLS verifications
+	config, err = CreateTLSConfigurationFromDisk(portainer.TLSConfiguration{
+		TLS:           true,
+		TLSSkipVerify: true,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, config)
+}
+
+func TestCreateTLSConfigurationFromDiskFIPS(t *testing.T) {
+	fips := true
+
+	// Skipping TLS verifications cannot be done in FIPS mode
+	config, err := createTLSConfigurationFromDisk(fips, portainer.TLSConfiguration{
+		TLS:           true,
+		TLSSkipVerify: true,
+	})
+	require.NoError(t, err)
+	require.NotNil(t, config)
+	require.False(t, config.InsecureSkipVerify)
+}
diff --git a/api/docker/client/client.go b/api/docker/client/client.go
index d1a2a394a..9648656a0 100644
--- a/api/docker/client/client.go
+++ b/api/docker/client/client.go
@@ -181,10 +181,11 @@ func httpClient(endpoint *portainer.Endpoint, timeout *time.Duration) (*http.Cli
 	}
 
 	if endpoint.TLSConfig.TLS {
-		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
 		if err != nil {
 			return nil, err
 		}
+
 		transport.TLSClientConfig = tlsConfig
 	}
 
diff --git a/api/docker/client/client_test.go b/api/docker/client/client_test.go
new file mode 100644
index 000000000..4d7f767e0
--- /dev/null
+++ b/api/docker/client/client_test.go
@@ -0,0 +1,26 @@
+package client
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHttpClient(t *testing.T) {
+	// Valid TLS configuration
+	endpoint := &portainer.Endpoint{}
+	endpoint.TLSConfig = portainer.TLSConfiguration{TLS: true}
+
+	cli, err := httpClient(endpoint, nil)
+	require.NoError(t, err)
+	require.NotNil(t, cli)
+
+	// Invalid TLS configuration
+	endpoint.TLSConfig.TLSCertPath = "/invalid/path/client.crt"
+	endpoint.TLSConfig.TLSKeyPath = "/invalid/path/client.key"
+
+	cli, err = httpClient(endpoint, nil)
+	require.Error(t, err)
+	require.Nil(t, cli)
+}
diff --git a/api/http/client/client.go b/api/http/client/client.go
index 2a7d0bf9b..ba253162f 100644
--- a/api/http/client/client.go
+++ b/api/http/client/client.go
@@ -1,7 +1,6 @@
 package client
 
 import (
-	"crypto/tls"
 	"errors"
 	"fmt"
 	"io"
@@ -11,6 +10,7 @@ import (
 	"time"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
 
 	"github.com/rs/zerolog/log"
 	"github.com/segmentio/encoding/json"
@@ -105,21 +105,28 @@ func Get(url string, timeout int) ([]byte, error) {
 // ExecutePingOperation will send a SystemPing operation HTTP request to a Docker environment(endpoint)
 // using the specified host and optional TLS configuration.
 // It uses a new Http.Client for each operation.
-func ExecutePingOperation(host string, tlsConfig *tls.Config) (bool, error) {
+func ExecutePingOperation(host string, tlsConfiguration portainer.TLSConfiguration) (bool, error) {
 	transport := &http.Transport{}
 
 	scheme := "http"
-	if tlsConfig != nil {
+
+	if tlsConfiguration.TLS {
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(tlsConfiguration)
+		if err != nil {
+			return false, err
+		}
+
 		transport.TLSClientConfig = tlsConfig
 		scheme = "https"
 	}
 
 	client := &http.Client{
-		Timeout:   time.Second * 3,
+		Timeout:   3 * time.Second,
 		Transport: transport,
 	}
 
 	target := strings.Replace(host, "tcp://", scheme+"://", 1)
+
 	return pingOperation(client, target)
 }
 
diff --git a/api/http/client/client_test.go b/api/http/client/client_test.go
new file mode 100644
index 000000000..d7ffe99ff
--- /dev/null
+++ b/api/http/client/client_test.go
@@ -0,0 +1,31 @@
+package client
+
+import (
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestExecutePingOperationFailure(t *testing.T) {
+	host := "http://localhost:1"
+	config := portainer.TLSConfiguration{
+		TLS:           true,
+		TLSSkipVerify: true,
+	}
+
+	// Invalid host
+	ok, err := ExecutePingOperation(host, config)
+	require.False(t, ok)
+	require.Error(t, err)
+
+	// Invalid TLS configuration
+	config.TLSCertPath = "/invalid/path/to/cert"
+	config.TLSKeyPath = "/invalid/path/to/key"
+
+	ok, err = ExecutePingOperation(host, config)
+	require.False(t, ok)
+	require.Error(t, err)
+
+}
diff --git a/api/http/handler/endpoints/endpoint_create.go b/api/http/handler/endpoints/endpoint_create.go
index 3cfe934bc..03f2bee44 100644
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@@ -1,7 +1,6 @@
 package endpoints
 
 import (
-	"crypto/tls"
 	"errors"
 	"net/http"
 	"runtime"
@@ -285,8 +284,6 @@ func (handler *Handler) endpointCreate(w http.ResponseWriter, r *http.Request) *
 }
 
 func (handler *Handler) createEndpoint(tx dataservices.DataStoreTx, payload *endpointCreatePayload) (*portainer.Endpoint, *httperror.HandlerError) {
-	var err error
-
 	switch payload.EndpointCreationType {
 	case azureEnvironment:
 		return handler.createAzureEndpoint(tx, payload)
@@ -301,12 +298,9 @@ func (handler *Handler) createEndpoint(tx dataservices.DataStoreTx, payload *end
 	endpointType := portainer.DockerEnvironment
 	var agentVersion string
 	if payload.EndpointCreationType == agentEnvironment {
-		var tlsConfig *tls.Config
-		if payload.TLS {
-			tlsConfig, err = crypto.CreateTLSConfigurationFromBytes(payload.TLSCACertFile, payload.TLSCertFile, payload.TLSKeyFile, payload.TLSSkipVerify, payload.TLSSkipClientVerify)
-			if err != nil {
-				return nil, httperror.InternalServerError("Unable to create TLS configuration", err)
-			}
+		tlsConfig, err := crypto.CreateTLSConfigurationFromBytes(payload.TLS, payload.TLSCACertFile, payload.TLSCertFile, payload.TLSKeyFile, payload.TLSSkipVerify, payload.TLSSkipClientVerify)
+		if err != nil {
+			return nil, httperror.InternalServerError("Unable to create TLS configuration", err)
 		}
 
 		agentPlatform, version, err := agent.GetAgentVersionAndPlatform(payload.URL, tlsConfig)
diff --git a/api/http/handler/websocket/initdial.go b/api/http/handler/websocket/initdial.go
index e9160ccf1..1be0e496f 100644
--- a/api/http/handler/websocket/initdial.go
+++ b/api/http/handler/websocket/initdial.go
@@ -21,16 +21,14 @@ func initDial(endpoint *portainer.Endpoint) (net.Conn, error) {
 		host = url.Path
 	}
 
-	if endpoint.TLSConfig.TLS {
-		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-		if err != nil {
-			return nil, err
-		}
-
-		return tls.Dial(url.Scheme, host, tlsConfig)
+	if !endpoint.TLSConfig.TLS {
+		return createDial(url.Scheme, host)
 	}
 
-	con, err := createDial(url.Scheme, host)
+	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+	if err != nil {
+		return nil, err
+	}
 
-	return con, err
+	return tls.Dial(url.Scheme, host, tlsConfig)
 }
diff --git a/api/http/handler/websocket/initdial_test.go b/api/http/handler/websocket/initdial_test.go
new file mode 100644
index 000000000..3179389f0
--- /dev/null
+++ b/api/http/handler/websocket/initdial_test.go
@@ -0,0 +1,64 @@
+package websocket
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestInitDial(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+
+	tlsSrv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer tlsSrv.Close()
+
+	f := func(srvURL string) {
+		u, err := url.Parse(srvURL)
+		require.NoError(t, err)
+
+		isTLS := u.Scheme == "https"
+
+		u.Scheme = "tcp"
+
+		endpoint := &portainer.Endpoint{
+			URL: u.String(),
+			TLSConfig: portainer.TLSConfiguration{
+				TLS:           isTLS,
+				TLSSkipVerify: true,
+			},
+		}
+
+		// Valid configuration
+		conn, err := initDial(endpoint)
+		require.NoError(t, err)
+		require.NotNil(t, conn)
+
+		err = conn.Close()
+		require.NoError(t, err)
+
+		if !isTLS {
+			return
+		}
+
+		// Invalid TLS configuration
+		endpoint.TLSConfig.TLSCertPath = "/invalid/path/client.crt"
+		endpoint.TLSConfig.TLSKeyPath = "/invalid/path/client.key"
+
+		conn, err = initDial(endpoint)
+		require.Error(t, err)
+		require.Nil(t, conn)
+	}
+
+	f(srv.URL)
+	f(tlsSrv.URL)
+}
diff --git a/api/http/proxy/factory/agent.go b/api/http/proxy/factory/agent.go
index 60323a195..ca74d2228 100644
--- a/api/http/proxy/factory/agent.go
+++ b/api/http/proxy/factory/agent.go
@@ -43,7 +43,7 @@ func (factory *ProxyFactory) NewAgentProxy(endpoint *portainer.Endpoint) (*Proxy
 	httpTransport := &http.Transport{}
 
 	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
-		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
+		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
 		if err != nil {
 			return nil, errors.WithMessage(err, "failed generating tls configuration")
 		}
diff --git a/api/http/proxy/factory/docker.go b/api/http/proxy/factory/docker.go
index 31d183c9b..d832b3678 100644
--- a/api/http/proxy/factory/docker.go
+++ b/api/http/proxy/factory/docker.go
@@ -50,7 +50,7 @@ func (factory *ProxyFactory) newDockerHTTPProxy(endpoint *portainer.Endpoint) (h
 	httpTransport := &http.Transport{}
 
 	if endpoint.TLSConfig.TLS || endpoint.TLSConfig.TLSSkipVerify {
-		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
+		config, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
 		if err != nil {
 			return nil, err
 		}
diff --git a/api/http/proxy/factory/kubernetes.go b/api/http/proxy/factory/kubernetes.go
index ea08467e5..43ed7d5b3 100644
--- a/api/http/proxy/factory/kubernetes.go
+++ b/api/http/proxy/factory/kubernetes.go
@@ -7,7 +7,6 @@ import (
 	"github.com/portainer/portainer/api/http/proxy/factory/kubernetes"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/crypto"
 )
 
 func (factory *ProxyFactory) newKubernetesProxy(endpoint *portainer.Endpoint) (http.Handler, error) {
@@ -93,19 +92,19 @@ func (factory *ProxyFactory) newKubernetesAgentHTTPSProxy(endpoint *portainer.En
 		return nil, err
 	}
 
-	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-	if err != nil {
-		return nil, err
-	}
-
 	tokenCache := factory.kubernetesTokenCacheManager.GetOrCreateTokenCache(endpoint.ID)
 	tokenManager, err := kubernetes.NewTokenManager(kubecli, factory.dataStore, tokenCache, false)
 	if err != nil {
 		return nil, err
 	}
 
+	transport, err := kubernetes.NewAgentTransport(factory.signatureService, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
+	if err != nil {
+		return nil, err
+	}
+
 	proxy := NewSingleHostReverseProxyWithHostHeader(remoteURL)
-	proxy.Transport = kubernetes.NewAgentTransport(factory.signatureService, tlsConfig, tokenManager, endpoint, factory.kubernetesClientFactory, factory.dataStore, factory.jwtService)
+	proxy.Transport = transport
 
 	return proxy, nil
 }
diff --git a/api/http/proxy/factory/kubernetes/agent_transport.go b/api/http/proxy/factory/kubernetes/agent_transport.go
index b127b85fd..4a62e2367 100644
--- a/api/http/proxy/factory/kubernetes/agent_transport.go
+++ b/api/http/proxy/factory/kubernetes/agent_transport.go
@@ -1,11 +1,11 @@
 package kubernetes
 
 import (
-	"crypto/tls"
 	"net/http"
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/kubernetes/cli"
 )
@@ -16,7 +16,12 @@ type agentTransport struct {
 }
 
 // NewAgentTransport returns a new transport that can be used to send signed requests to a Portainer agent
-func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsConfig *tls.Config, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) *agentTransport {
+func NewAgentTransport(signatureService portainer.DigitalSignatureService, tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) (*agentTransport, error) {
+	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+	if err != nil {
+		return nil, err
+	}
+
 	transport := &agentTransport{
 		baseTransport: newBaseTransport(
 			&http.Transport{
@@ -31,7 +36,7 @@ func NewAgentTransport(signatureService portainer.DigitalSignatureService, tlsCo
 		signatureService: signatureService,
 	}
 
-	return transport
+	return transport, nil
 }
 
 // RoundTrip is the implementation of the the http.RoundTripper interface
diff --git a/api/http/proxy/factory/kubernetes/local_transport.go b/api/http/proxy/factory/kubernetes/local_transport.go
index 6fe255ff6..bc832f35c 100644
--- a/api/http/proxy/factory/kubernetes/local_transport.go
+++ b/api/http/proxy/factory/kubernetes/local_transport.go
@@ -15,7 +15,7 @@ type localTransport struct {
 
 // NewLocalTransport returns a new transport that can be used to send requests to the local Kubernetes API
 func NewLocalTransport(tokenManager *tokenManager, endpoint *portainer.Endpoint, k8sClientFactory *cli.ClientFactory, dataStore dataservices.DataStore, jwtService portainer.JWTService) (*localTransport, error) {
-	config, err := crypto.CreateTLSConfigurationFromBytes(nil, nil, nil, true, true)
+	config, err := crypto.CreateTLSConfigurationFromBytes(true, nil, nil, nil, true, true)
 	if err != nil {
 		return nil, err
 	}
diff --git a/api/http/proxy/factory/kubernetes/local_transport_test.go b/api/http/proxy/factory/kubernetes/local_transport_test.go
new file mode 100644
index 000000000..a22b1e1c3
--- /dev/null
+++ b/api/http/proxy/factory/kubernetes/local_transport_test.go
@@ -0,0 +1,13 @@
+package kubernetes
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewLocalTransport(t *testing.T) {
+	transport, err := NewLocalTransport(nil, nil, nil, nil, nil)
+	require.NoError(t, err)
+	require.True(t, transport.baseTransport.httpTransport.TLSClientConfig.InsecureSkipVerify)
+}
diff --git a/api/internal/endpointutils/endpoint_setup.go b/api/internal/endpointutils/endpoint_setup.go
index 3242d8875..0f6a7ca7f 100644
--- a/api/internal/endpointutils/endpoint_setup.go
+++ b/api/internal/endpointutils/endpoint_setup.go
@@ -5,7 +5,6 @@ import (
 	"strings"
 
 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/client"
 
@@ -108,12 +107,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore dataservices.
 	}
 
 	if strings.HasPrefix(endpoint.URL, "tcp://") {
-		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(tlsConfiguration.TLSCACertPath, tlsConfiguration.TLSCertPath, tlsConfiguration.TLSKeyPath, tlsConfiguration.TLSSkipVerify)
-		if err != nil {
-			return err
-		}
-
-		agentOnDockerEnvironment, err := client.ExecutePingOperation(endpoint.URL, tlsConfig)
+		agentOnDockerEnvironment, err := client.ExecutePingOperation(endpoint.URL, tlsConfiguration)
 		if err != nil {
 			return err
 		}
@@ -136,7 +130,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore dataservices.
 
 func createUnsecuredEndpoint(endpointURL string, dataStore dataservices.DataStore, snapshotService portainer.SnapshotService) error {
 	if strings.HasPrefix(endpointURL, "tcp://") {
-		if _, err := client.ExecutePingOperation(endpointURL, nil); err != nil {
+		if _, err := client.ExecutePingOperation(endpointURL, portainer.TLSConfiguration{}); err != nil {
 			return err
 		}
 	}
diff --git a/api/internal/endpointutils/endpoint_setup_test.go b/api/internal/endpointutils/endpoint_setup_test.go
new file mode 100644
index 000000000..64be9e254
--- /dev/null
+++ b/api/internal/endpointutils/endpoint_setup_test.go
@@ -0,0 +1,12 @@
+package endpointutils
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateOfflineUnsecuredEndpoint(t *testing.T) {
+	err := createUnsecuredEndpoint("tcp://localhost:1", nil, nil)
+	require.Error(t, err)
+}
diff --git a/api/internal/snapshot/snapshot.go b/api/internal/snapshot/snapshot.go
index 7bc109459..205a82216 100644
--- a/api/internal/snapshot/snapshot.go
+++ b/api/internal/snapshot/snapshot.go
@@ -2,7 +2,6 @@ package snapshot
 
 import (
 	"context"
-	"crypto/tls"
 	"errors"
 	"time"
 
@@ -138,14 +137,9 @@ func SupportDirectSnapshot(endpoint *portainer.Endpoint) bool {
 // If the snapshot is a success, it will be associated to the environment(endpoint).
 func (service *Service) SnapshotEndpoint(endpoint *portainer.Endpoint) error {
 	if endpoint.Type == portainer.AgentOnDockerEnvironment || endpoint.Type == portainer.AgentOnKubernetesEnvironment {
-		var err error
-		var tlsConfig *tls.Config
-
-		if endpoint.TLSConfig.TLS {
-			tlsConfig, err = crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-			if err != nil {
-				return err
-			}
+		tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+		if err != nil {
+			return err
 		}
 
 		_, version, err := agent.GetAgentVersionAndPlatform(endpoint.URL, tlsConfig)
diff --git a/api/ldap/ldap.go b/api/ldap/ldap.go
index 09e8e6450..5037666b9 100644
--- a/api/ldap/ldap.go
+++ b/api/ldap/ldap.go
@@ -4,11 +4,12 @@ import (
 	"fmt"
 	"strings"
 
-	ldap "github.com/go-ldap/ldap/v3"
-	"github.com/pkg/errors"
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/crypto"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+
+	ldap "github.com/go-ldap/ldap/v3"
+	"github.com/pkg/errors"
 )
 
 var (
@@ -30,36 +31,44 @@ func createConnection(settings *portainer.LDAPSettings) (*ldap.Conn, error) {
 }
 
 func createConnectionForURL(url string, settings *portainer.LDAPSettings) (*ldap.Conn, error) {
-	if settings.TLSConfig.TLS || settings.StartTLS {
-		config, err := crypto.CreateTLSConfigurationFromDisk(settings.TLSConfig.TLSCACertPath, settings.TLSConfig.TLSCertPath, settings.TLSConfig.TLSKeyPath, settings.TLSConfig.TLSSkipVerify)
-		if err != nil {
-			return nil, err
-		}
-		config.ServerName = strings.Split(url, ":")[0]
-
-		if settings.TLSConfig.TLS {
-			return ldap.DialTLS("tcp", url, config)
-		}
-
-		conn, err := ldap.Dial("tcp", url)
-		if err != nil {
-			return nil, err
-		}
-
-		err = conn.StartTLS(config)
-		if err != nil {
-			return nil, err
-		}
-
-		return conn, nil
+	if !settings.TLSConfig.TLS && !settings.StartTLS {
+		return ldap.Dial("tcp", url)
 	}
 
-	return ldap.Dial("tcp", url)
+	// Store the original value to ensure the TLSConfig is created
+	t := settings.TLSConfig.TLS
+	settings.TLSConfig.TLS = settings.TLSConfig.TLS || settings.StartTLS
+
+	config, err := crypto.CreateTLSConfigurationFromDisk(settings.TLSConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	// Restore the original value
+	settings.TLSConfig.TLS = t
+
+	if settings.TLSConfig.TLS || settings.StartTLS {
+		config.ServerName = strings.Split(url, ":")[0]
+	}
+
+	if settings.TLSConfig.TLS {
+		return ldap.DialTLS("tcp", url, config)
+	}
+
+	conn, err := ldap.Dial("tcp", url)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := conn.StartTLS(config); err != nil {
+		return nil, err
+	}
+
+	return conn, nil
 }
 
 // AuthenticateUser is used to authenticate a user against a LDAP/AD.
 func (*Service) AuthenticateUser(username, password string, settings *portainer.LDAPSettings) error {
-
 	connection, err := createConnection(settings)
 	if err != nil {
 		return err
diff --git a/api/ldap/ldap_test.go b/api/ldap/ldap_test.go
new file mode 100644
index 000000000..1d16d2d0e
--- /dev/null
+++ b/api/ldap/ldap_test.go
@@ -0,0 +1,72 @@
+package ldap
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateConnectionForURL(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer srv.Close()
+
+	tlsSrv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer tlsSrv.Close()
+
+	srvURL, err := url.Parse(tlsSrv.URL)
+	require.NoError(t, err)
+
+	// TCP
+
+	settings := &portainer.LDAPSettings{
+		URL: srvURL.Host,
+	}
+
+	conn, err := createConnectionForURL(settings.URL, settings)
+	require.NoError(t, err)
+	require.NotNil(t, conn)
+	conn.Close()
+
+	// TLS
+
+	settings.TLSConfig = portainer.TLSConfiguration{
+		TLS:           true,
+		TLSSkipVerify: true,
+	}
+
+	conn, err = createConnectionForURL(settings.URL, settings)
+	require.NoError(t, err)
+	require.NotNil(t, conn)
+	conn.Close()
+
+	// Invalid TLS
+
+	settings.TLSConfig = portainer.TLSConfiguration{
+		TLS:           true,
+		TLSSkipVerify: true,
+		TLSCertPath:   "/invalid/path/cert",
+		TLSKeyPath:    "/invalid/path/key",
+	}
+
+	conn, err = createConnectionForURL(settings.URL, settings)
+	require.Error(t, err)
+	require.Nil(t, conn)
+
+	// StartTLS
+
+	settings.TLSConfig.TLS = false
+	settings.StartTLS = true
+
+	conn, err = createConnectionForURL(settings.URL, settings)
+	require.Error(t, err)
+	require.Nil(t, conn)
+}
diff --git a/api/stacks/deployments/deploy.go b/api/stacks/deployments/deploy.go
index d963e8686..627c3012a 100644
--- a/api/stacks/deployments/deploy.go
+++ b/api/stacks/deployments/deploy.go
@@ -2,7 +2,6 @@ package deployments
 
 import (
 	"cmp"
-	"crypto/tls"
 	"fmt"
 	"strconv"
 	"time"
@@ -215,13 +214,9 @@ func isEnvironmentOnline(endpoint *portainer.Endpoint) bool {
 		return true
 	}
 
-	var err error
-	var tlsConfig *tls.Config
-	if endpoint.TLSConfig.TLS {
-		tlsConfig, err = crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig.TLSCACertPath, endpoint.TLSConfig.TLSCertPath, endpoint.TLSConfig.TLSKeyPath, endpoint.TLSConfig.TLSSkipVerify)
-		if err != nil {
-			return false
-		}
+	tlsConfig, err := crypto.CreateTLSConfigurationFromDisk(endpoint.TLSConfig)
+	if err != nil {
+		return false
 	}
 
 	_, _, err = agent.GetAgentVersionAndPlatform(endpoint.URL, tlsConfig)
diff --git a/api/stacks/deployments/deploy_test.go b/api/stacks/deployments/deploy_test.go
index d45313cb9..9d13f22a5 100644
--- a/api/stacks/deployments/deploy_test.go
+++ b/api/stacks/deployments/deploy_test.go
@@ -10,6 +10,7 @@ import (
 	"testing"
 
 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/datastore"
 	gittypes "github.com/portainer/portainer/api/git/types"
 	"github.com/portainer/portainer/api/internal/testhelpers"
@@ -127,9 +128,8 @@ func agentServer(t *testing.T) string {
 	cert, err := tls.X509KeyPair([]byte(localhostCert), []byte(localhostKey))
 	require.NoError(t, err)
 
-	tlsConfig := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-	}
+	tlsConfig := crypto.CreateTLSConfiguration()
+	tlsConfig.Certificates = []tls.Certificate{cert}
 
 	l, err := tls.Listen("tcp", "127.0.0.1:0", tlsConfig)
 	require.NoError(t, err)
diff --git a/pkg/networking/diagnostics.go b/pkg/networking/diagnostics.go
index 2c0e19f1d..bf1b05f6b 100644
--- a/pkg/networking/diagnostics.go
+++ b/pkg/networking/diagnostics.go
@@ -1,7 +1,7 @@
 package networking
 
 import (
-	"crypto/tls"
+	"crypto/fips140"
 	"fmt"
 	"net"
 	"net/http"
@@ -9,6 +9,8 @@ import (
 	"strings"
 	"time"
 
+	"github.com/portainer/portainer/api/crypto"
+
 	"github.com/segmentio/encoding/json"
 )
 
@@ -71,13 +73,14 @@ func ProbeTelnetConnection(url string) string {
 func DetectProxy(url string) string {
 	client := &http.Client{
 		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{
-				InsecureSkipVerify: true,
-			},
+			TLSClientConfig: crypto.CreateTLSConfiguration(),
 		},
 		Timeout: 10 * time.Second,
 	}
 
+	// TODO: use fips.CanTLSSkipVerify() instead
+	client.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = !fips140.Enabled()
+
 	result := map[string]string{
 		"operation":      "proxy detection",
 		"local_address":  "unknown",

From d306d7a983c4a09ab2fb37c6d35a6ed0d016e73e Mon Sep 17 00:00:00 2001
From: Malcolm Lockyer <segfault88@users.noreply.github.com>
Date: Mon, 4 Aug 2025 17:04:03 +1200
Subject: [PATCH 208/212] fix(encryption): replace encryption related methods
 for fips mode [be-11933] (#919)

Co-authored-by: andres-portainer <andres-portainer@users.noreply.github.com>
---
 api/chisel/service_test.go                    |   5 +
 api/cmd/portainer/main.go                     |   4 +
 api/crypto/aes.go                             | 168 +++++++-
 api/crypto/aes_test.go                        | 358 +++++++++++-------
 api/crypto/ecdsa.go                           |   2 +-
 api/crypto/ecdsa_test.go                      |  22 ++
 api/crypto/nonce.go                           |   2 +-
 api/database/boltdb/json.go                   |  22 +-
 api/database/boltdb/json_test.go              | 100 ++++-
 api/http/handler/backup/backup_test.go        |   5 +
 .../customtemplate_git_fetch_test.go          |   5 +
 api/http/handler/motd/motd.go                 |   2 +-
 go.mod                                        |   1 +
 pkg/fips/fips.go                              |  39 ++
 pkg/fips/fips_test.go                         |  15 +
 pkg/libcrypto/decrypt.go                      |  21 +-
 pkg/libcrypto/encrypt.go                      |  25 +-
 pkg/libcrypto/encrypt_test.go                 |  56 +++
 pkg/libcrypto/hash.go                         |  18 +-
 19 files changed, 701 insertions(+), 169 deletions(-)
 create mode 100644 api/crypto/ecdsa_test.go
 create mode 100644 pkg/fips/fips.go
 create mode 100644 pkg/fips/fips_test.go
 create mode 100644 pkg/libcrypto/encrypt_test.go

diff --git a/api/chisel/service_test.go b/api/chisel/service_test.go
index 918c7bf1e..e8fa71a5a 100644
--- a/api/chisel/service_test.go
+++ b/api/chisel/service_test.go
@@ -9,10 +9,15 @@ import (
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/pkg/fips"
 
 	"github.com/stretchr/testify/require"
 )
 
+func init() {
+	fips.InitFIPS(false)
+}
+
 func TestPingAgentPanic(t *testing.T) {
 	endpoint := &portainer.Endpoint{
 		ID:          1,
diff --git a/api/cmd/portainer/main.go b/api/cmd/portainer/main.go
index 818025bdf..08a99c603 100644
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -49,6 +49,7 @@ import (
 	"github.com/portainer/portainer/api/stacks/deployments"
 	"github.com/portainer/portainer/pkg/build"
 	"github.com/portainer/portainer/pkg/featureflags"
+	"github.com/portainer/portainer/pkg/fips"
 	"github.com/portainer/portainer/pkg/libhelm"
 	libhelmtypes "github.com/portainer/portainer/pkg/libhelm/types"
 	"github.com/portainer/portainer/pkg/libstack/compose"
@@ -343,6 +344,9 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 		}
 	}
 
+	// -ce can not ever be run in FIPS mode
+	fips.InitFIPS(false)
+
 	fileService := initFileService(*flags.Data)
 	encryptionKey := loadEncryptionSecretKey(*flags.SecretKeyName)
 	if encryptionKey == nil {
diff --git a/api/crypto/aes.go b/api/crypto/aes.go
index 922cdfd75..b63e8ffa0 100644
--- a/api/crypto/aes.go
+++ b/api/crypto/aes.go
@@ -6,11 +6,15 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"crypto/rand"
+	"crypto/sha256"
 	"errors"
 	"fmt"
 	"io"
+	"strings"
 
+	"github.com/portainer/portainer/pkg/fips"
 	"golang.org/x/crypto/argon2"
+	"golang.org/x/crypto/pbkdf2"
 	"golang.org/x/crypto/scrypt"
 )
 
@@ -19,20 +23,32 @@ const (
 	aesGcmHeader    = "AES256-GCM" // The encrypted file header
 	aesGcmBlockSize = 1024 * 1024  // 1MB block for aes gcm
 
+	aesGcmFIPSHeader    = "FIPS-AES256-GCM"
+	aesGcmFIPSBlockSize = 16 * 1024 * 1024 // 16MB block for aes gcm
+
 	// Argon2 settings
-	// Recommded settings lower memory hardware according to current OWASP recommendations
+	// Recommended settings lower memory hardware according to current OWASP recommendations
 	// Considering some people run portainer on a NAS I think it's prudent not to assume we're on server grade hardware
 	// https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
 	argon2MemoryCost = 12 * 1024
 	argon2TimeCost   = 3
 	argon2Threads    = 1
 	argon2KeyLength  = 32
+
+	pbkdf2Iterations = 600_000 // use recommended iterations from https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 a little overkill for this use
+	pbkdf2SaltLength = 32
 )
 
 // AesEncrypt reads from input, encrypts with AES-256 and writes to output. passphrase is used to generate an encryption key
 func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
-	if err := aesEncryptGCM(input, output, passphrase); err != nil {
-		return fmt.Errorf("error encrypting file: %w", err)
+	if fips.FIPSMode() {
+		if err := aesEncryptGCMFIPS(input, output, passphrase); err != nil {
+			return fmt.Errorf("error encrypting file: %w", err)
+		}
+	} else {
+		if err := aesEncryptGCM(input, output, passphrase); err != nil {
+			return fmt.Errorf("error encrypting file: %w", err)
+		}
 	}
 
 	return nil
@@ -40,14 +56,36 @@ func AesEncrypt(input io.Reader, output io.Writer, passphrase []byte) error {
 
 // AesDecrypt reads from input, decrypts with AES-256 and returns the reader to read the decrypted content from
 func AesDecrypt(input io.Reader, passphrase []byte) (io.Reader, error) {
+	fipsMode := fips.FIPSMode()
+	return aesDecrypt(input, passphrase, fipsMode)
+}
+
+func aesDecrypt(input io.Reader, passphrase []byte, fipsMode bool) (io.Reader, error) {
 	// Read file header to determine how it was encrypted
 	inputReader := bufio.NewReader(input)
-	header, err := inputReader.Peek(len(aesGcmHeader))
+	header, err := inputReader.Peek(len(aesGcmFIPSHeader))
 	if err != nil {
 		return nil, fmt.Errorf("error reading encrypted backup file header: %w", err)
 	}
 
-	if string(header) == aesGcmHeader {
+	if strings.HasPrefix(string(header), aesGcmFIPSHeader) {
+		if !fipsMode {
+			return nil, errors.New("fips encrypted file detected but fips mode is not enabled")
+		}
+
+		reader, err := aesDecryptGCMFIPS(inputReader, passphrase)
+		if err != nil {
+			return nil, fmt.Errorf("error decrypting file: %w", err)
+		}
+
+		return reader, nil
+	}
+
+	if strings.HasPrefix(string(header), aesGcmHeader) {
+		if fipsMode {
+			return nil, errors.New("fips mode is enabled but non-fips encrypted file detected")
+		}
+
 		reader, err := aesDecryptGCM(inputReader, passphrase)
 		if err != nil {
 			return nil, fmt.Errorf("error decrypting file: %w", err)
@@ -203,6 +241,126 @@ func aesDecryptGCM(input io.Reader, passphrase []byte) (io.Reader, error) {
 	return &buf, nil
 }
 
+// aesEncryptGCMFIPS reads from input, encrypts with AES-256 in a fips compliant
+// way and writes to output. passphrase is used to generate an encryption key.
+func aesEncryptGCMFIPS(input io.Reader, output io.Writer, passphrase []byte) error {
+	salt := make([]byte, pbkdf2SaltLength)
+	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
+		return err
+	}
+
+	key := pbkdf2.Key(passphrase, salt, pbkdf2Iterations, 32, sha256.New)
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return err
+	}
+
+	// write the header
+	if _, err := output.Write([]byte(aesGcmFIPSHeader)); err != nil {
+		return err
+	}
+
+	// Write nonce and salt to the output file
+	if _, err := output.Write(salt); err != nil {
+		return err
+	}
+
+	// Buffer for reading plaintext blocks
+	buf := make([]byte, aesGcmFIPSBlockSize)
+
+	// Encrypt plaintext in blocks
+	for {
+		// new random nonce for each block
+		aesgcm, err := cipher.NewGCMWithRandomNonce(block)
+		if err != nil {
+			return fmt.Errorf("error creating gcm: %w", err)
+		}
+
+		n, err := io.ReadFull(input, buf)
+		if n == 0 {
+			break // end of plaintext input
+		}
+
+		if err != nil && !(errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)) {
+			return err
+		}
+
+		// Seal encrypts the plaintext
+		ciphertext := aesgcm.Seal(nil, nil, buf[:n], nil)
+
+		_, err = output.Write(ciphertext)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// aesDecryptGCMFIPS reads from input, decrypts with AES-256 in a fips compliant
+// way and returns the reader to read the decrypted content from.
+func aesDecryptGCMFIPS(input io.Reader, passphrase []byte) (io.Reader, error) {
+	// Reader & verify header
+	header := make([]byte, len(aesGcmFIPSHeader))
+	if _, err := io.ReadFull(input, header); err != nil {
+		return nil, err
+	}
+
+	if string(header) != aesGcmFIPSHeader {
+		return nil, errors.New("invalid header")
+	}
+
+	// Read salt
+	salt := make([]byte, pbkdf2SaltLength)
+	if _, err := io.ReadFull(input, salt); err != nil {
+		return nil, err
+	}
+
+	key := pbkdf2.Key(passphrase, salt, pbkdf2Iterations, 32, sha256.New)
+
+	// Initialize AES cipher block
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return nil, err
+	}
+
+	// Initialize a buffer to store decrypted data
+	buf := bytes.Buffer{}
+
+	// Decrypt the ciphertext in blocks
+	for {
+		// Create GCM mode with the cipher block
+		aesgcm, err := cipher.NewGCMWithRandomNonce(block)
+		if err != nil {
+			return nil, err
+		}
+
+		// Read a block of ciphertext from the input reader
+		ciphertextBlock := make([]byte, aesGcmFIPSBlockSize+aesgcm.Overhead())
+		n, err := io.ReadFull(input, ciphertextBlock)
+		if n == 0 {
+			break // end of ciphertext
+		}
+
+		if err != nil && !(errors.Is(err, io.EOF) || errors.Is(err, io.ErrUnexpectedEOF)) {
+			return nil, err
+		}
+
+		// Decrypt the block of ciphertext
+		plaintext, err := aesgcm.Open(nil, nil, ciphertextBlock[:n], nil)
+		if err != nil {
+			return nil, err
+		}
+
+		if _, err := buf.Write(plaintext); err != nil {
+			return nil, err
+		}
+	}
+
+	return &buf, nil
+}
+
 // aesDecryptOFB reads from input, decrypts with AES-256 and returns the reader to a read decrypted content from.
 // passphrase is used to generate an encryption key.
 // note: This function used to decrypt files that were encrypted without a header i.e. old archives
diff --git a/api/crypto/aes_test.go b/api/crypto/aes_test.go
index e03a9917e..de39a69fe 100644
--- a/api/crypto/aes_test.go
+++ b/api/crypto/aes_test.go
@@ -7,9 +7,15 @@ import (
 	"path/filepath"
 	"testing"
 
+	"github.com/portainer/portainer/pkg/fips"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
+func init() {
+	fips.InitFIPS(false)
+}
+
 const letterBytes = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
 
 func randBytes(n int) []byte {
@@ -20,198 +26,296 @@ func randBytes(n int) []byte {
 	return b
 }
 
+type encryptFunc func(input io.Reader, output io.Writer, passphrase []byte) error
+type decryptFunc func(input io.Reader, passphrase []byte) (io.Reader, error)
+
 func Test_encryptAndDecrypt_withTheSamePassword(t *testing.T) {
 	const passphrase = "passphrase"
 
-	tmpdir := t.TempDir()
+	testFunc := func(t *testing.T, encrypt encryptFunc, decrypt decryptFunc, decryptShouldSucceed bool) {
+		tmpdir := t.TempDir()
 
-	var (
-		originFilePath    = filepath.Join(tmpdir, "origin")
-		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
-		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
-	)
+		var (
+			originFilePath    = filepath.Join(tmpdir, "origin")
+			encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+			decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+		)
 
-	content := randBytes(1024*1024*100 + 523)
-	os.WriteFile(originFilePath, content, 0600)
+		content := randBytes(1024*1024*100 + 523)
+		os.WriteFile(originFilePath, content, 0600)
 
-	originFile, _ := os.Open(originFilePath)
-	defer originFile.Close()
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()
 
-	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)
 
-	err := AesEncrypt(originFile, encryptedFileWriter, []byte(passphrase))
-	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedFileWriter.Close()
+		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		require.Nil(t, err, "Failed to encrypt a file")
+		encryptedFileWriter.Close()
 
-	encryptedContent, err := os.ReadFile(encryptedFilePath)
-	assert.Nil(t, err, "Couldn't read encrypted file")
-	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+		encryptedContent, err := os.ReadFile(encryptedFilePath)
+		require.Nil(t, err, "Couldn't read encrypted file")
+		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
-	encryptedFileReader, _ := os.Open(encryptedFilePath)
-	defer encryptedFileReader.Close()
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()
 
-	decryptedFileWriter, _ := os.Create(decryptedFilePath)
-	defer decryptedFileWriter.Close()
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()
 
-	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte(passphrase))
-	assert.Nil(t, err, "Failed to decrypt file")
+		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
+		if !decryptShouldSucceed {
+			require.Error(t, err, "Failed to decrypt file as indicated by decryptShouldSucceed")
+		} else {
+			require.NoError(t, err, "Failed to decrypt file indicated by decryptShouldSucceed")
 
-	io.Copy(decryptedFileWriter, decryptedReader)
+			io.Copy(decryptedFileWriter, decryptedReader)
 
-	decryptedContent, _ := os.ReadFile(decryptedFilePath)
-	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+			decryptedContent, _ := os.ReadFile(decryptedFilePath)
+			assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+		}
+	}
+
+	t.Run("fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCMFIPS, aesDecryptGCMFIPS, true)
+	})
+
+	t.Run("non_fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCM, aesDecryptGCM, true)
+	})
+
+	t.Run("system_fips_mode_public_entry_points", func(t *testing.T) {
+		// use the init mode, public entry points
+		testFunc(t, AesEncrypt, AesDecrypt, true)
+	})
+
+	t.Run("fips_encrypted_file_header_fails_in_non_fips_mode", func(t *testing.T) {
+		// use aesDecrypt which checks the header, confirm that it fails
+		decrypt := func(input io.Reader, passphrase []byte) (io.Reader, error) {
+			return aesDecrypt(input, passphrase, false)
+		}
+
+		testFunc(t, aesEncryptGCMFIPS, decrypt, false)
+	})
+
+	t.Run("non_fips_encrypted_file_header_fails_in_fips_mode", func(t *testing.T) {
+		// use aesDecrypt which checks the header, confirm that it fails
+		decrypt := func(input io.Reader, passphrase []byte) (io.Reader, error) {
+			return aesDecrypt(input, passphrase, true)
+		}
+
+		testFunc(t, aesEncryptGCM, decrypt, false)
+	})
+
+	t.Run("fips_encrypted_file_fails_in_non_fips_mode", func(t *testing.T) {
+		testFunc(t, aesEncryptGCMFIPS, aesDecryptGCM, false)
+	})
+
+	t.Run("non_fips_encrypted_file_with_fips_mode_should_fail", func(t *testing.T) {
+		testFunc(t, aesEncryptGCM, aesDecryptGCMFIPS, false)
+	})
+
+	t.Run("fips_with_base_aesDecrypt", func(t *testing.T) {
+		// maximize coverage, use the base aesDecrypt function with valid fips mode
+		decrypt := func(input io.Reader, passphrase []byte) (io.Reader, error) {
+			return aesDecrypt(input, passphrase, true)
+		}
+
+		testFunc(t, aesEncryptGCMFIPS, decrypt, true)
+	})
 }
 
 func Test_encryptAndDecrypt_withStrongPassphrase(t *testing.T) {
 	const passphrase = "A strong passphrase with special characters: !@#$%^&*()_+"
-	tmpdir := t.TempDir()
 
-	var (
-		originFilePath    = filepath.Join(tmpdir, "origin2")
-		encryptedFilePath = filepath.Join(tmpdir, "encrypted2")
-		decryptedFilePath = filepath.Join(tmpdir, "decrypted2")
-	)
+	testFunc := func(t *testing.T, encrypt encryptFunc, decrypt decryptFunc) {
+		tmpdir := t.TempDir()
 
-	content := randBytes(500)
-	os.WriteFile(originFilePath, content, 0600)
+		var (
+			originFilePath    = filepath.Join(tmpdir, "origin2")
+			encryptedFilePath = filepath.Join(tmpdir, "encrypted2")
+			decryptedFilePath = filepath.Join(tmpdir, "decrypted2")
+		)
 
-	originFile, _ := os.Open(originFilePath)
-	defer originFile.Close()
+		content := randBytes(500)
+		os.WriteFile(originFilePath, content, 0600)
 
-	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()
 
-	err := AesEncrypt(originFile, encryptedFileWriter, []byte(passphrase))
-	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedFileWriter.Close()
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)
 
-	encryptedContent, err := os.ReadFile(encryptedFilePath)
-	assert.Nil(t, err, "Couldn't read encrypted file")
-	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+		err := encrypt(originFile, encryptedFileWriter, []byte(passphrase))
+		assert.Nil(t, err, "Failed to encrypt a file")
+		encryptedFileWriter.Close()
 
-	encryptedFileReader, _ := os.Open(encryptedFilePath)
-	defer encryptedFileReader.Close()
+		encryptedContent, err := os.ReadFile(encryptedFilePath)
+		assert.Nil(t, err, "Couldn't read encrypted file")
+		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
-	decryptedFileWriter, _ := os.Create(decryptedFilePath)
-	defer decryptedFileWriter.Close()
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()
 
-	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte(passphrase))
-	assert.Nil(t, err, "Failed to decrypt file")
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()
 
-	io.Copy(decryptedFileWriter, decryptedReader)
+		decryptedReader, err := decrypt(encryptedFileReader, []byte(passphrase))
+		assert.Nil(t, err, "Failed to decrypt file")
 
-	decryptedContent, _ := os.ReadFile(decryptedFilePath)
-	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+		io.Copy(decryptedFileWriter, decryptedReader)
+
+		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+	}
+
+	t.Run("fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCMFIPS, aesDecryptGCMFIPS)
+	})
+
+	t.Run("non_fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCM, aesDecryptGCM)
+	})
 }
 
 func Test_encryptAndDecrypt_withTheSamePasswordSmallFile(t *testing.T) {
-	tmpdir := t.TempDir()
+	testFunc := func(t *testing.T, encrypt encryptFunc, decrypt decryptFunc) {
+		tmpdir := t.TempDir()
 
-	var (
-		originFilePath    = filepath.Join(tmpdir, "origin2")
-		encryptedFilePath = filepath.Join(tmpdir, "encrypted2")
-		decryptedFilePath = filepath.Join(tmpdir, "decrypted2")
-	)
+		var (
+			originFilePath    = filepath.Join(tmpdir, "origin2")
+			encryptedFilePath = filepath.Join(tmpdir, "encrypted2")
+			decryptedFilePath = filepath.Join(tmpdir, "decrypted2")
+		)
 
-	content := randBytes(500)
-	os.WriteFile(originFilePath, content, 0600)
+		content := randBytes(500)
+		os.WriteFile(originFilePath, content, 0600)
 
-	originFile, _ := os.Open(originFilePath)
-	defer originFile.Close()
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()
 
-	encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)
 
-	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedFileWriter.Close()
+		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		assert.Nil(t, err, "Failed to encrypt a file")
+		encryptedFileWriter.Close()
 
-	encryptedContent, err := os.ReadFile(encryptedFilePath)
-	assert.Nil(t, err, "Couldn't read encrypted file")
-	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+		encryptedContent, err := os.ReadFile(encryptedFilePath)
+		assert.Nil(t, err, "Couldn't read encrypted file")
+		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
-	encryptedFileReader, _ := os.Open(encryptedFilePath)
-	defer encryptedFileReader.Close()
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()
 
-	decryptedFileWriter, _ := os.Create(decryptedFilePath)
-	defer decryptedFileWriter.Close()
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()
 
-	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte("passphrase"))
-	assert.Nil(t, err, "Failed to decrypt file")
+		decryptedReader, err := decrypt(encryptedFileReader, []byte("passphrase"))
+		assert.Nil(t, err, "Failed to decrypt file")
 
-	io.Copy(decryptedFileWriter, decryptedReader)
+		io.Copy(decryptedFileWriter, decryptedReader)
 
-	decryptedContent, _ := os.ReadFile(decryptedFilePath)
-	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+	}
+
+	t.Run("fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCMFIPS, aesDecryptGCMFIPS)
+	})
+
+	t.Run("non_fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCM, aesDecryptGCM)
+	})
 }
 
 func Test_encryptAndDecrypt_withEmptyPassword(t *testing.T) {
-	tmpdir := t.TempDir()
+	testFunc := func(t *testing.T, encrypt encryptFunc, decrypt decryptFunc) {
+		tmpdir := t.TempDir()
 
-	var (
-		originFilePath    = filepath.Join(tmpdir, "origin")
-		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
-		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
-	)
+		var (
+			originFilePath    = filepath.Join(tmpdir, "origin")
+			encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+			decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+		)
 
-	content := randBytes(1024 * 50)
-	os.WriteFile(originFilePath, content, 0600)
+		content := randBytes(1024 * 50)
+		os.WriteFile(originFilePath, content, 0600)
 
-	originFile, _ := os.Open(originFilePath)
-	defer originFile.Close()
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()
 
-	encryptedFileWriter, _ := os.Create(encryptedFilePath)
-	defer encryptedFileWriter.Close()
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		defer encryptedFileWriter.Close()
 
-	err := AesEncrypt(originFile, encryptedFileWriter, []byte(""))
-	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedContent, err := os.ReadFile(encryptedFilePath)
-	assert.Nil(t, err, "Couldn't read encrypted file")
-	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+		err := encrypt(originFile, encryptedFileWriter, []byte(""))
+		assert.Nil(t, err, "Failed to encrypt a file")
+		encryptedContent, err := os.ReadFile(encryptedFilePath)
+		assert.Nil(t, err, "Couldn't read encrypted file")
+		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
-	encryptedFileReader, _ := os.Open(encryptedFilePath)
-	defer encryptedFileReader.Close()
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()
 
-	decryptedFileWriter, _ := os.Create(decryptedFilePath)
-	defer decryptedFileWriter.Close()
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()
 
-	decryptedReader, err := AesDecrypt(encryptedFileReader, []byte(""))
-	assert.Nil(t, err, "Failed to decrypt file")
+		decryptedReader, err := decrypt(encryptedFileReader, []byte(""))
+		assert.Nil(t, err, "Failed to decrypt file")
 
-	io.Copy(decryptedFileWriter, decryptedReader)
+		io.Copy(decryptedFileWriter, decryptedReader)
 
-	decryptedContent, _ := os.ReadFile(decryptedFilePath)
-	assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+		decryptedContent, _ := os.ReadFile(decryptedFilePath)
+		assert.Equal(t, content, decryptedContent, "Original and decrypted content should match")
+	}
+
+	t.Run("fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCMFIPS, aesDecryptGCMFIPS)
+	})
+
+	t.Run("non_fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCM, aesDecryptGCM)
+	})
 }
 
 func Test_decryptWithDifferentPassphrase_shouldProduceWrongResult(t *testing.T) {
-	tmpdir := t.TempDir()
+	testFunc := func(t *testing.T, encrypt encryptFunc, decrypt decryptFunc) {
+		tmpdir := t.TempDir()
 
-	var (
-		originFilePath    = filepath.Join(tmpdir, "origin")
-		encryptedFilePath = filepath.Join(tmpdir, "encrypted")
-		decryptedFilePath = filepath.Join(tmpdir, "decrypted")
-	)
+		var (
+			originFilePath    = filepath.Join(tmpdir, "origin")
+			encryptedFilePath = filepath.Join(tmpdir, "encrypted")
+			decryptedFilePath = filepath.Join(tmpdir, "decrypted")
+		)
 
-	content := randBytes(1034)
-	os.WriteFile(originFilePath, content, 0600)
+		content := randBytes(1034)
+		os.WriteFile(originFilePath, content, 0600)
 
-	originFile, _ := os.Open(originFilePath)
-	defer originFile.Close()
+		originFile, _ := os.Open(originFilePath)
+		defer originFile.Close()
 
-	encryptedFileWriter, _ := os.Create(encryptedFilePath)
-	defer encryptedFileWriter.Close()
+		encryptedFileWriter, _ := os.Create(encryptedFilePath)
+		defer encryptedFileWriter.Close()
 
-	err := AesEncrypt(originFile, encryptedFileWriter, []byte("passphrase"))
-	assert.Nil(t, err, "Failed to encrypt a file")
-	encryptedContent, err := os.ReadFile(encryptedFilePath)
-	assert.Nil(t, err, "Couldn't read encrypted file")
-	assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
+		err := encrypt(originFile, encryptedFileWriter, []byte("passphrase"))
+		assert.Nil(t, err, "Failed to encrypt a file")
+		encryptedContent, err := os.ReadFile(encryptedFilePath)
+		assert.Nil(t, err, "Couldn't read encrypted file")
+		assert.NotEqual(t, encryptedContent, content, "Content wasn't encrypted")
 
-	encryptedFileReader, _ := os.Open(encryptedFilePath)
-	defer encryptedFileReader.Close()
+		encryptedFileReader, _ := os.Open(encryptedFilePath)
+		defer encryptedFileReader.Close()
 
-	decryptedFileWriter, _ := os.Create(decryptedFilePath)
-	defer decryptedFileWriter.Close()
+		decryptedFileWriter, _ := os.Create(decryptedFilePath)
+		defer decryptedFileWriter.Close()
 
-	_, err = AesDecrypt(encryptedFileReader, []byte("garbage"))
-	assert.NotNil(t, err, "Should not allow decrypt with wrong passphrase")
+		_, err = decrypt(encryptedFileReader, []byte("garbage"))
+		assert.NotNil(t, err, "Should not allow decrypt with wrong passphrase")
+	}
+
+	t.Run("fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCMFIPS, aesDecryptGCMFIPS)
+	})
+
+	t.Run("non_fips", func(t *testing.T) {
+		testFunc(t, aesEncryptGCM, aesDecryptGCM)
+	})
 }
diff --git a/api/crypto/ecdsa.go b/api/crypto/ecdsa.go
index 1279c06e1..e7eabdd1d 100644
--- a/api/crypto/ecdsa.go
+++ b/api/crypto/ecdsa.go
@@ -112,7 +112,7 @@ func (service *ECDSAService) CreateSignature(message string) (string, error) {
 		message = service.secret
 	}
 
-	hash := libcrypto.HashFromBytes([]byte(message))
+	hash := libcrypto.InsecureHashFromBytes([]byte(message))
 
 	r, s, err := ecdsa.Sign(rand.Reader, service.privateKey, hash)
 	if err != nil {
diff --git a/api/crypto/ecdsa_test.go b/api/crypto/ecdsa_test.go
new file mode 100644
index 000000000..62141268a
--- /dev/null
+++ b/api/crypto/ecdsa_test.go
@@ -0,0 +1,22 @@
+package crypto
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCreateSignature(t *testing.T) {
+	var s = NewECDSAService("secret")
+
+	privKey, pubKey, err := s.GenerateKeyPair()
+	require.NoError(t, err)
+	require.Greater(t, len(privKey), 0)
+	require.Greater(t, len(pubKey), 0)
+
+	m := "test message"
+	r, err := s.CreateSignature(m)
+	require.NoError(t, err)
+	require.NotEqual(t, r, m)
+	require.Greater(t, len(r), 0)
+}
diff --git a/api/crypto/nonce.go b/api/crypto/nonce.go
index 571a9ba71..af1cc898b 100644
--- a/api/crypto/nonce.go
+++ b/api/crypto/nonce.go
@@ -15,7 +15,7 @@ func NewNonce(size int) *Nonce {
 }
 
 // NewRandomNonce generates a new initial nonce with the lower byte set to a random value
-// This ensures there are plenty of nonce values availble before rolling over
+// This ensures there are plenty of nonce values available before rolling over
 // Based on ideas from the Secure Programming Cookbook for C and C++ by John Viega, Matt Messier
 // https://www.oreilly.com/library/view/secure-programming-cookbook/0596003943/ch04s09.html
 func NewRandomNonce(size int) (*Nonce, error) {
diff --git a/api/database/boltdb/json.go b/api/database/boltdb/json.go
index b9ce97213..363e0ad7d 100644
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -4,8 +4,6 @@ import (
 	"bytes"
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/rand"
-	"io"
 
 	"github.com/pkg/errors"
 	"github.com/segmentio/encoding/json"
@@ -65,18 +63,18 @@ func (connection *DbConnection) UnmarshalObject(data []byte, object any) error {
 // https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a#symmetric-encryption
 
 func encrypt(plaintext []byte, passphrase []byte) (encrypted []byte, err error) {
-	block, _ := aes.NewCipher(passphrase)
-	gcm, err := cipher.NewGCM(block)
+	block, err := aes.NewCipher(passphrase)
 	if err != nil {
 		return encrypted, err
 	}
 
-	nonce := make([]byte, gcm.NonceSize())
-	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+	// NewGCMWithRandomNonce in go 1.24 handles setting up the nonce and adding it to the encrypted output
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
+	if err != nil {
 		return encrypted, err
 	}
 
-	return gcm.Seal(nonce, nonce, plaintext, nil), nil
+	return gcm.Seal(nil, nil, plaintext, nil), nil
 }
 
 func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err error) {
@@ -89,19 +87,17 @@ func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err err
 		return encrypted, errors.Wrap(err, "Error creating cypher block")
 	}
 
-	gcm, err := cipher.NewGCM(block)
+	// NewGCMWithRandomNonce in go 1.24 handles reading the nonce from the encrypted input for us
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error creating GCM")
 	}
 
-	nonceSize := gcm.NonceSize()
-	if len(encrypted) < nonceSize {
+	if len(encrypted) < gcm.NonceSize() {
 		return encrypted, errEncryptedStringTooShort
 	}
 
-	nonce, ciphertextByteClean := encrypted[:nonceSize], encrypted[nonceSize:]
-
-	plaintextByte, err = gcm.Open(nil, nonce, ciphertextByteClean, nil)
+	plaintextByte, err = gcm.Open(nil, nil, encrypted, nil)
 	if err != nil {
 		return encrypted, errors.Wrap(err, "Error decrypting text")
 	}
diff --git a/api/database/boltdb/json_test.go b/api/database/boltdb/json_test.go
index 577aa2cfd..32813f907 100644
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -1,12 +1,19 @@
 package boltdb
 
 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
 	"crypto/sha256"
+	"encoding/base64"
 	"fmt"
+	"io"
 	"testing"
 
 	"github.com/gofrs/uuid"
+	"github.com/pkg/errors"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 const (
@@ -160,7 +167,7 @@ func Test_ObjectMarshallingEncrypted(t *testing.T) {
 	}
 
 	key := secretToEncryptionKey(passphrase)
-	conn := DbConnection{EncryptionKey: key}
+	conn := DbConnection{EncryptionKey: key, isEncrypted: true}
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 
@@ -175,3 +182,94 @@ func Test_ObjectMarshallingEncrypted(t *testing.T) {
 		})
 	}
 }
+
+func Test_NonceSources(t *testing.T) {
+	// ensure that the new go 1.24 NewGCMWithRandomNonce works correctly with
+	// the old way of creating and including the nonce
+
+	encryptOldFn := func(plaintext []byte, passphrase []byte) (encrypted []byte, err error) {
+		block, _ := aes.NewCipher(passphrase)
+		gcm, err := cipher.NewGCM(block)
+		if err != nil {
+			return encrypted, err
+		}
+
+		nonce := make([]byte, gcm.NonceSize())
+		if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+			return encrypted, err
+		}
+
+		return gcm.Seal(nonce, nonce, plaintext, nil), nil
+	}
+
+	decryptOldFn := func(encrypted []byte, passphrase []byte) (plaintext []byte, err error) {
+		block, err := aes.NewCipher(passphrase)
+		if err != nil {
+			return encrypted, errors.Wrap(err, "Error creating cypher block")
+		}
+
+		gcm, err := cipher.NewGCM(block)
+		if err != nil {
+			return encrypted, errors.Wrap(err, "Error creating GCM")
+		}
+
+		nonceSize := gcm.NonceSize()
+		if len(encrypted) < nonceSize {
+			return encrypted, errEncryptedStringTooShort
+		}
+
+		nonce, ciphertextByteClean := encrypted[:nonceSize], encrypted[nonceSize:]
+
+		plaintext, err = gcm.Open(nil, nonce, ciphertextByteClean, nil)
+		if err != nil {
+			return encrypted, errors.Wrap(err, "Error decrypting text")
+		}
+
+		return plaintext, err
+	}
+
+	encryptNewFn := encrypt
+	decryptNewFn := decrypt
+
+	passphrase := make([]byte, 32)
+	_, err := io.ReadFull(rand.Reader, passphrase)
+	require.NoError(t, err)
+
+	junk := make([]byte, 1024)
+	_, err = io.ReadFull(rand.Reader, junk)
+	require.NoError(t, err)
+
+	junkEnc := make([]byte, base64.StdEncoding.EncodedLen(len(junk)))
+	base64.StdEncoding.Encode(junkEnc, junk)
+
+	cases := [][]byte{
+		[]byte("test"),
+		[]byte("35"),
+		[]byte("9ca4a1dd-a439-4593-b386-a7dfdc2e9fc6"),
+		[]byte(jsonobject),
+		passphrase,
+		junk,
+		junkEnc,
+	}
+
+	for _, plain := range cases {
+		var enc, dec []byte
+		var err error
+
+		enc, err = encryptOldFn(plain, passphrase)
+		require.NoError(t, err)
+
+		dec, err = decryptNewFn(enc, passphrase)
+		require.NoError(t, err)
+
+		require.Equal(t, plain, dec)
+
+		enc, err = encryptNewFn(plain, passphrase)
+		require.NoError(t, err)
+
+		dec, err = decryptOldFn(enc, passphrase)
+		require.NoError(t, err)
+
+		require.Equal(t, plain, dec)
+	}
+}
diff --git a/api/http/handler/backup/backup_test.go b/api/http/handler/backup/backup_test.go
index 51fdf3e95..2755e1fd8 100644
--- a/api/http/handler/backup/backup_test.go
+++ b/api/http/handler/backup/backup_test.go
@@ -18,10 +18,15 @@ import (
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/http/offlinegate"
 	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/pkg/fips"
 
 	"github.com/stretchr/testify/assert"
 )
 
+func init() {
+	fips.InitFIPS(false)
+}
+
 func listFiles(dir string) []string {
 	items := make([]string, 0)
 	filepath.Walk(dir, func(path string, info os.FileInfo, err error) error {
diff --git a/api/http/handler/customtemplates/customtemplate_git_fetch_test.go b/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
index b63db356d..6cb614449 100644
--- a/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
+++ b/api/http/handler/customtemplates/customtemplate_git_fetch_test.go
@@ -20,12 +20,17 @@ import (
 	"github.com/portainer/portainer/api/internal/authorization"
 	"github.com/portainer/portainer/api/internal/testhelpers"
 	"github.com/portainer/portainer/api/jwt"
+	"github.com/portainer/portainer/pkg/fips"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 
 	"github.com/segmentio/encoding/json"
 	"github.com/stretchr/testify/assert"
 )
 
+func init() {
+	fips.InitFIPS(false)
+}
+
 var testFileContent = "abcdefg"
 
 type TestGitService struct {
diff --git a/api/http/handler/motd/motd.go b/api/http/handler/motd/motd.go
index 4117de830..2865db245 100644
--- a/api/http/handler/motd/motd.go
+++ b/api/http/handler/motd/motd.go
@@ -60,7 +60,7 @@ func (handler *Handler) motd(w http.ResponseWriter, r *http.Request) {
 
 	message := strings.Join(data.Message, "\n")
 
-	hash := libcrypto.HashFromBytes([]byte(message))
+	hash := libcrypto.InsecureHashFromBytes([]byte(message))
 	resp := motdResponse{
 		Title:         data.Title,
 		Message:       message,
diff --git a/go.mod b/go.mod
index 2ef7032f2..2966d54f1 100644
--- a/go.mod
+++ b/go.mod
@@ -236,6 +236,7 @@ require (
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/portainer/agent v0.0.0-20250713222305-88cd348ec200 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
diff --git a/pkg/fips/fips.go b/pkg/fips/fips.go
new file mode 100644
index 000000000..a10ea1352
--- /dev/null
+++ b/pkg/fips/fips.go
@@ -0,0 +1,39 @@
+package fips
+
+import (
+	"crypto/fips140"
+	"sync"
+
+	"github.com/rs/zerolog/log"
+)
+
+var fipsMode, isInitialised bool
+
+var once sync.Once
+
+func InitFIPS(enabled bool) {
+	once.Do(func() {
+		isInitialised = true
+		fipsMode = enabled
+
+		if enabled && !fips140.Enabled() {
+			log.Fatal().Msg("If FIPS mode is enabled then the fips140 GODEBUG environment variable must be set")
+		}
+	})
+}
+
+func FIPSMode() bool {
+	if !isInitialised {
+		log.Fatal().Msg("Could not determine if FIPS mode is enabled because InitFIPS was never called")
+	}
+
+	return fipsMode
+}
+
+func CanTLSSkipVerify() bool {
+	if !isInitialised {
+		log.Fatal().Msg("Could not determine if FIPS mode is enabled because InitFIPS was never called")
+	}
+
+	return !fipsMode
+}
diff --git a/pkg/fips/fips_test.go b/pkg/fips/fips_test.go
new file mode 100644
index 000000000..c19a5210f
--- /dev/null
+++ b/pkg/fips/fips_test.go
@@ -0,0 +1,15 @@
+package fips
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestInitFIPS(t *testing.T) {
+	InitFIPS(false)
+
+	require.False(t, FIPSMode())
+
+	require.True(t, CanTLSSkipVerify())
+}
diff --git a/pkg/libcrypto/decrypt.go b/pkg/libcrypto/decrypt.go
index ef0eb9d41..f57c0939d 100644
--- a/pkg/libcrypto/decrypt.go
+++ b/pkg/libcrypto/decrypt.go
@@ -4,6 +4,8 @@ import (
 	"crypto/aes"
 	"crypto/cipher"
 	"errors"
+
+	"github.com/portainer/portainer/pkg/fips"
 )
 
 // Decrypt decrypts data using 256-bit AES-GCM.  This both hides the content of
@@ -11,14 +13,25 @@ import (
 // form nonce|ciphertext|tag where '|' indicates concatenation.
 // Creates a 32bit hash of the key before decrypting the data.
 func Decrypt(data []byte, key []byte) ([]byte, error) {
-	hashKey := Hash32Bit(key)
+	return decrypt(data, key, fips.FIPSMode())
+}
+
+func decrypt(data []byte, key []byte, fips bool) ([]byte, error) {
+	var hashKey []byte
+	if fips {
+		// sha256 hash 32 bytes
+		hashKey = HashFromBytes(key)
+	} else {
+		// 16 byte hash, hex encoded is 32 bytes
+		hashKey = InsecureHash32Bytes(key)
+	}
 
 	block, err := aes.NewCipher(hashKey)
 	if err != nil {
 		return nil, err
 	}
 
-	gcm, err := cipher.NewGCM(block)
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
 	if err != nil {
 		return nil, err
 	}
@@ -28,8 +41,8 @@ func Decrypt(data []byte, key []byte) ([]byte, error) {
 	}
 
 	return gcm.Open(nil,
-		data[:gcm.NonceSize()],
-		data[gcm.NonceSize():],
+		nil,
+		data,
 		nil,
 	)
 }
diff --git a/pkg/libcrypto/encrypt.go b/pkg/libcrypto/encrypt.go
index c397155cb..a0ca2e981 100644
--- a/pkg/libcrypto/encrypt.go
+++ b/pkg/libcrypto/encrypt.go
@@ -3,8 +3,8 @@ package libcrypto
 import (
 	"crypto/aes"
 	"crypto/cipher"
-	"crypto/rand"
-	"io"
+
+	"github.com/portainer/portainer/pkg/fips"
 )
 
 // Encrypt encrypts data using 256-bit AES-GCM.  This both hides the content of
@@ -12,23 +12,26 @@ import (
 // form nonce|ciphertext|tag where '|' indicates concatenation.
 // Creates a 32bit hash of the key before encrypting the data.
 func Encrypt(data, key []byte) ([]byte, error) {
-	hashKey := Hash32Bit(key)
+	return encrypt(data, key, fips.FIPSMode())
+}
+
+func encrypt(data, key []byte, fips bool) ([]byte, error) {
+	var hashKey []byte
+	if fips {
+		hashKey = HashFromBytes(key)
+	} else {
+		hashKey = InsecureHash32Bytes(key)
+	}
 
 	block, err := aes.NewCipher(hashKey)
 	if err != nil {
 		return nil, err
 	}
 
-	gcm, err := cipher.NewGCM(block)
+	gcm, err := cipher.NewGCMWithRandomNonce(block)
 	if err != nil {
 		return nil, err
 	}
 
-	nonce := make([]byte, gcm.NonceSize())
-	_, err = io.ReadFull(rand.Reader, nonce)
-	if err != nil {
-		return nil, err
-	}
-
-	return gcm.Seal(nonce, nonce, data, nil), nil
+	return gcm.Seal(nil, nil, data, nil), nil
 }
diff --git a/pkg/libcrypto/encrypt_test.go b/pkg/libcrypto/encrypt_test.go
new file mode 100644
index 000000000..06d6d044b
--- /dev/null
+++ b/pkg/libcrypto/encrypt_test.go
@@ -0,0 +1,56 @@
+package libcrypto
+
+import (
+	"crypto/rand"
+	"io"
+	"testing"
+
+	"github.com/portainer/portainer/pkg/fips"
+	"github.com/stretchr/testify/require"
+)
+
+func init() {
+	fips.InitFIPS(false)
+}
+
+func TestEncryptDecrypt(t *testing.T) {
+	dataFn := func() []byte {
+		data := make([]byte, 1024)
+		_, err := io.ReadFull(rand.Reader, data)
+		require.NoError(t, err)
+
+		return data
+	}
+
+	fn := func(t *testing.T, fips bool) {
+		data := dataFn()
+
+		encrypted, err := encrypt(data, []byte("test"), fips)
+		require.NoError(t, err)
+
+		decrypted, err := decrypt(encrypted, []byte("test"), fips)
+		require.NoError(t, err)
+
+		require.Equal(t, data, decrypted)
+	}
+
+	t.Run("fips", func(t *testing.T) {
+		fn(t, true)
+	})
+
+	t.Run("non-fips", func(t *testing.T) {
+		fn(t, false)
+	})
+
+	t.Run("system_fips_mode", func(t *testing.T) {
+		data := dataFn()
+
+		encrypted, err := Encrypt(data, []byte("test"))
+		require.NoError(t, err)
+
+		decrypted, err := Decrypt(encrypted, []byte("test"))
+		require.NoError(t, err)
+
+		require.Equal(t, data, decrypted)
+	})
+}
diff --git a/pkg/libcrypto/hash.go b/pkg/libcrypto/hash.go
index 6047e2dc7..143f1489e 100644
--- a/pkg/libcrypto/hash.go
+++ b/pkg/libcrypto/hash.go
@@ -2,18 +2,26 @@ package libcrypto
 
 import (
 	"crypto/md5"
+	"crypto/sha256"
 	"encoding/hex"
 )
 
-// HashFromBytes returns the hash of the specified data
-func HashFromBytes(data []byte) []byte {
+// InsecureHashFromBytes returns the 16 byte md5 hash of the specified data
+func InsecureHashFromBytes(data []byte) []byte {
 	digest := md5.New()
 	digest.Write(data)
 	return digest.Sum(nil)
 }
 
-// Hash32Bit returns a hexadecimal encoded hash
-func Hash32Bit(data []byte) []byte {
-	hash := HashFromBytes(data)
+// InsecureHash32Bytes returns a hexadecimal encoded hash to make a 16 byte md5 hash into 32 bytes
+func InsecureHash32Bytes(data []byte) []byte {
+	hash := InsecureHashFromBytes(data)
 	return []byte(hex.EncodeToString(hash))
 }
+
+// HashFromBytes returns the 32 byte sha256 hash of the specified data
+func HashFromBytes(data []byte) []byte {
+	hash := sha256.New()
+	hash.Write(data)
+	return hash.Sum(nil)
+}

From a472de19197a2ee7ce29c45b3c15c9e8cad841f4 Mon Sep 17 00:00:00 2001
From: LP B <xAt0mZ@users.noreply.github.com>
Date: Mon, 4 Aug 2025 17:10:46 +0200
Subject: [PATCH 209/212] fix(app/edge-jobs): edge job results page crash at
 scale (#954)

---
 .../handler/edgejobs/edgejob_tasks_list.go    |  68 ++-
 .../edgejobs/edgejob_tasks_list_test.go       | 131 +++++
 api/http/utils/filters/filters.go             |  38 ++
 api/http/utils/filters/filters_test.go        | 465 ++++++++++++++++++
 api/http/utils/filters/pagination.go          |  22 +
 api/http/utils/filters/pagination_test.go     | 245 +++++++++
 api/http/utils/filters/query_params.go        |  38 ++
 api/http/utils/filters/query_params_test.go   | 300 +++++++++++
 api/http/utils/filters/search.go              |  36 ++
 api/http/utils/filters/search_test.go         | 283 +++++++++++
 api/http/utils/filters/sort.go                |  40 ++
 api/http/utils/filters/sort_test.go           | 287 +++++++++++
 api/http/utils/filters/types_test.go          |  63 +++
 app/react/common/api/common.test.ts           | 117 +++++
 app/react/common/api/listQueryParams.ts       |  65 +++
 app/react/common/api/pagination.types.ts      | 114 +++++
 app/react/common/api/search.types.ts          |  47 ++
 app/react/common/api/sort.types.ts            | 139 ++++++
 app/react/components/datatables/Datatable.tsx |  10 +-
 app/react/components/datatables/types.ts      |  35 +-
 .../form-components/Input/Select.tsx.rej      |  10 -
 .../ResultsDatatable/ResultsDatatable.tsx     |  64 +--
 .../ItemView/ResultsDatatable/columns.tsx     |  20 +-
 .../ResultsDatatable/datatable-store.ts       |   8 +-
 .../ItemView/ResultsDatatable/types.ts        |   8 +-
 .../queries/jobResults/useJobResults.ts       |  43 +-
 app/react/edge/edge-jobs/types.ts             |   6 +-
 27 files changed, 2595 insertions(+), 107 deletions(-)
 create mode 100644 api/http/handler/edgejobs/edgejob_tasks_list_test.go
 create mode 100644 api/http/utils/filters/filters.go
 create mode 100644 api/http/utils/filters/filters_test.go
 create mode 100644 api/http/utils/filters/pagination.go
 create mode 100644 api/http/utils/filters/pagination_test.go
 create mode 100644 api/http/utils/filters/query_params.go
 create mode 100644 api/http/utils/filters/query_params_test.go
 create mode 100644 api/http/utils/filters/search.go
 create mode 100644 api/http/utils/filters/search_test.go
 create mode 100644 api/http/utils/filters/sort.go
 create mode 100644 api/http/utils/filters/sort_test.go
 create mode 100644 api/http/utils/filters/types_test.go
 create mode 100644 app/react/common/api/common.test.ts
 create mode 100644 app/react/common/api/listQueryParams.ts
 create mode 100644 app/react/common/api/pagination.types.ts
 create mode 100644 app/react/common/api/search.types.ts
 create mode 100644 app/react/common/api/sort.types.ts
 delete mode 100644 app/react/components/form-components/Input/Select.tsx.rej

diff --git a/api/http/handler/edgejobs/edgejob_tasks_list.go b/api/http/handler/edgejobs/edgejob_tasks_list.go
index 70918f69d..64d50137b 100644
--- a/api/http/handler/edgejobs/edgejob_tasks_list.go
+++ b/api/http/handler/edgejobs/edgejob_tasks_list.go
@@ -1,21 +1,25 @@
 package edgejobs
 
 import (
+	"errors"
 	"fmt"
 	"maps"
 	"net/http"
+	"strings"
 
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	"github.com/portainer/portainer/api/http/utils/filters"
 	"github.com/portainer/portainer/api/internal/edge"
 	httperror "github.com/portainer/portainer/pkg/libhttp/error"
 	"github.com/portainer/portainer/pkg/libhttp/request"
 )
 
 type taskContainer struct {
-	ID         string                      `json:"Id"`
-	EndpointID portainer.EndpointID        `json:"EndpointId"`
-	LogsStatus portainer.EdgeJobLogsStatus `json:"LogsStatus"`
+	ID           string                      `json:"Id"`
+	EndpointID   portainer.EndpointID        `json:"EndpointId"`
+	EndpointName string                      `json:"EndpointName"`
+	LogsStatus   portainer.EdgeJobLogsStatus `json:"LogsStatus"`
 }
 
 // @id EdgeJobTasksList
@@ -37,16 +41,42 @@ func (handler *Handler) edgeJobTasksList(w http.ResponseWriter, r *http.Request)
 		return httperror.BadRequest("Invalid Edge job identifier route variable", err)
 	}
 
-	var tasks []taskContainer
-	err = handler.DataStore.UpdateTx(func(tx dataservices.DataStoreTx) error {
+	params := filters.ExtractListModifiersQueryParams(r)
+
+	var tasks []*taskContainer
+	err = handler.DataStore.ViewTx(func(tx dataservices.DataStoreTx) error {
 		tasks, err = listEdgeJobTasks(tx, portainer.EdgeJobID(edgeJobID))
 		return err
 	})
 
-	return txResponse(w, tasks, err)
+	results := filters.SearchOrderAndPaginate(tasks, params, filters.Config[*taskContainer]{
+		SearchAccessors: []filters.SearchAccessor[*taskContainer]{
+			func(tc *taskContainer) (string, error) {
+				switch tc.LogsStatus {
+				case portainer.EdgeJobLogsStatusPending:
+					return "pending", nil
+				case 0, portainer.EdgeJobLogsStatusIdle:
+					return "idle", nil
+				case portainer.EdgeJobLogsStatusCollected:
+					return "collected", nil
+				}
+				return "", errors.New("unknown state")
+			},
+			func(tc *taskContainer) (string, error) {
+				return tc.EndpointName, nil
+			},
+		},
+		SortBindings: []filters.SortBinding[*taskContainer]{
+			{Key: "EndpointName", Fn: func(a, b *taskContainer) int { return strings.Compare(a.EndpointName, b.EndpointName) }},
+		},
+	})
+
+	filters.ApplyFilterResultsHeaders(&w, results)
+
+	return txResponse(w, results.Items, err)
 }
 
-func listEdgeJobTasks(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID) ([]taskContainer, error) {
+func listEdgeJobTasks(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID) ([]*taskContainer, error) {
 	edgeJob, err := tx.EdgeJob().Read(edgeJobID)
 	if tx.IsErrObjectNotFound(err) {
 		return nil, httperror.NotFound("Unable to find an Edge job with the specified identifier inside the database", err)
@@ -54,7 +84,12 @@ func listEdgeJobTasks(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID
 		return nil, httperror.InternalServerError("Unable to find an Edge job with the specified identifier inside the database", err)
 	}
 
-	tasks := make([]taskContainer, 0)
+	endpoints, err := tx.Endpoint().Endpoints()
+	if err != nil {
+		return nil, err
+	}
+
+	tasks := make([]*taskContainer, 0)
 
 	endpointsMap := map[portainer.EndpointID]portainer.EdgeJobEndpointMeta{}
 	if len(edgeJob.EdgeGroups) > 0 {
@@ -70,10 +105,19 @@ func listEdgeJobTasks(tx dataservices.DataStoreTx, edgeJobID portainer.EdgeJobID
 	maps.Copy(endpointsMap, edgeJob.Endpoints)
 
 	for endpointID, meta := range endpointsMap {
-		tasks = append(tasks, taskContainer{
-			ID:         fmt.Sprintf("edgejob_task_%d_%d", edgeJob.ID, endpointID),
-			EndpointID: endpointID,
-			LogsStatus: meta.LogsStatus,
+
+		endpointName := ""
+		for idx := range endpoints {
+			if endpoints[idx].ID == endpointID {
+				endpointName = endpoints[idx].Name
+			}
+		}
+
+		tasks = append(tasks, &taskContainer{
+			ID:           fmt.Sprintf("edgejob_task_%d_%d", edgeJob.ID, endpointID),
+			EndpointID:   endpointID,
+			EndpointName: endpointName,
+			LogsStatus:   meta.LogsStatus,
 		})
 	}
 
diff --git a/api/http/handler/edgejobs/edgejob_tasks_list_test.go b/api/http/handler/edgejobs/edgejob_tasks_list_test.go
new file mode 100644
index 000000000..6224ed628
--- /dev/null
+++ b/api/http/handler/edgejobs/edgejob_tasks_list_test.go
@@ -0,0 +1,131 @@
+package edgejobs
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"testing"
+
+	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/datastore"
+	"github.com/portainer/portainer/api/internal/testhelpers"
+	"github.com/portainer/portainer/api/roar"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func Test_EdgeJobTasksListHandler(t *testing.T) {
+	_, store := datastore.MustNewTestStore(t, true, false)
+
+	handler := NewHandler(testhelpers.NewTestRequestBouncer())
+	handler.DataStore = store
+
+	addEnv := func(env *portainer.Endpoint) {
+		err := store.EndpointService.Create(env)
+		require.NoError(t, err)
+	}
+
+	addEdgeGroup := func(group *portainer.EdgeGroup) {
+		err := store.EdgeGroupService.Create(group)
+		require.NoError(t, err)
+	}
+
+	addJob := func(job *portainer.EdgeJob) {
+		err := store.EdgeJobService.Create(job)
+		require.NoError(t, err)
+	}
+
+	envCount := 6
+
+	for i := range envCount {
+		addEnv(&portainer.Endpoint{ID: portainer.EndpointID(i + 1), Name: "env_" + strconv.Itoa(i+1)})
+	}
+
+	addEdgeGroup(&portainer.EdgeGroup{ID: 1, Name: "edge_group_1", EndpointIDs: roar.FromSlice([]portainer.EndpointID{5, 6})})
+
+	addJob(&portainer.EdgeJob{
+		ID: 1,
+		Endpoints: map[portainer.EndpointID]portainer.EdgeJobEndpointMeta{
+			1: {},
+			2: {LogsStatus: portainer.EdgeJobLogsStatusIdle},
+			3: {LogsStatus: portainer.EdgeJobLogsStatusPending},
+			4: {LogsStatus: portainer.EdgeJobLogsStatusCollected}},
+		EdgeGroups: []portainer.EdgeGroupID{1},
+	})
+
+	test := func(params string, expect []taskContainer, expectedCount int) {
+		rr := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/edge_jobs/1/tasks"+params, nil)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, http.StatusOK, rr.Result().StatusCode)
+
+		var response []taskContainer
+		err := json.NewDecoder(rr.Body).Decode(&response)
+		require.NoError(t, err)
+
+		assert.ElementsMatch(t, expect, response)
+
+		tcStr := rr.Header().Get("x-total-count")
+		assert.NotEmpty(t, tcStr)
+		totalCount, err := strconv.Atoi(tcStr)
+		assert.NoError(t, err)
+		assert.Equal(t, expectedCount, totalCount)
+
+		taStr := rr.Header().Get("x-total-available")
+		assert.NotEmpty(t, taStr)
+		totalAvailable, err := strconv.Atoi(taStr)
+		assert.NoError(t, err)
+		assert.Equal(t, envCount, totalAvailable)
+
+	}
+
+	tasks := []taskContainer{
+		{},
+		{"edgejob_task_1_1", 1, "env_1", 0},
+		{"edgejob_task_1_2", 2, "env_2", portainer.EdgeJobLogsStatusIdle},
+		{"edgejob_task_1_3", 3, "env_3", portainer.EdgeJobLogsStatusPending},
+		{"edgejob_task_1_4", 4, "env_4", portainer.EdgeJobLogsStatusCollected},
+		{"edgejob_task_1_5", 5, "env_5", 0},
+		{"edgejob_task_1_6", 6, "env_6", 0},
+	}
+
+	t.Run("should return no results", func(t *testing.T) {
+		test("?search=foo", []taskContainer{}, 0)        // unknown search
+		test("?start=100&limit=1", []taskContainer{}, 6) // overflowing start. Still return the correct count header
+	})
+
+	t.Run("should return one element", func(t *testing.T) {
+		// limit the *returned* results but not the total count
+		test("?start=0&limit=1&sort=EndpointName&order=asc", []taskContainer{tasks[1]}, envCount)  // limit
+		test("?start=5&limit=10&sort=EndpointName&order=asc", []taskContainer{tasks[6]}, envCount) // start = last element + overflowing limit
+		// limit the number of results
+		test("?search=env_1", []taskContainer{tasks[1]}, 1) // only 1 result
+	})
+
+	t.Run("should filter by status", func(t *testing.T) {
+		test("?search=idle", []taskContainer{tasks[1], tasks[2], tasks[5], tasks[6]}, 4) // 0 (default value) is IDLE
+		test("?search=pending", []taskContainer{tasks[3]}, 1)
+		test("?search=collected", []taskContainer{tasks[4]}, 1)
+	})
+
+	t.Run("should return all elements", func(t *testing.T) {
+		test("", tasks[1:], envCount)                    // default
+		test("?some=invalid_param", tasks[1:], envCount) // unknown query params
+		test("?limit=-1", tasks[1:], envCount)           // underflowing limit
+		test("?start=100", tasks[1:], envCount)          // overflowing start without limit
+		test("?search=env", tasks[1:], envCount)         // search in a match-all keyword
+	})
+
+	testError := func(params string, status int) {
+		rr := httptest.NewRecorder()
+		req := httptest.NewRequest(http.MethodGet, "/edge_jobs/2/tasks"+params, nil)
+		handler.ServeHTTP(rr, req)
+		require.Equal(t, status, rr.Result().StatusCode)
+	}
+
+	t.Run("errors", func(t *testing.T) {
+		testError("", http.StatusNotFound) // unknown job id
+	})
+
+}
diff --git a/api/http/utils/filters/filters.go b/api/http/utils/filters/filters.go
new file mode 100644
index 000000000..2e22d19a2
--- /dev/null
+++ b/api/http/utils/filters/filters.go
@@ -0,0 +1,38 @@
+package filters
+
+import (
+	"net/http"
+	"strconv"
+)
+
+type FilterResult[T any] struct {
+	Items          []T
+	TotalCount     int
+	TotalAvailable int
+}
+
+type Config[T any] struct {
+	SearchAccessors []SearchAccessor[T]
+	SortBindings    []SortBinding[T]
+}
+
+func SearchOrderAndPaginate[T any](items []T, params QueryParams, searchConfig Config[T]) FilterResult[T] {
+	totalAvailable := len(items)
+
+	items = searchFn(items, params.SearchQueryParams, searchConfig.SearchAccessors)
+	items = sortFn(items, params.SortQueryParams, searchConfig.SortBindings)
+
+	totalCount := len(items)
+	items = paginateFn(items, params.PaginationQueryParams)
+
+	return FilterResult[T]{
+		Items:          items,
+		TotalCount:     totalCount,
+		TotalAvailable: totalAvailable,
+	}
+}
+
+func ApplyFilterResultsHeaders[T any](w *http.ResponseWriter, result FilterResult[T]) {
+	(*w).Header().Set("X-Total-Count", strconv.Itoa(result.TotalCount))
+	(*w).Header().Set("X-Total-Available", strconv.Itoa(result.TotalAvailable))
+}
diff --git a/api/http/utils/filters/filters_test.go b/api/http/utils/filters/filters_test.go
new file mode 100644
index 000000000..0b0780fdf
--- /dev/null
+++ b/api/http/utils/filters/filters_test.go
@@ -0,0 +1,465 @@
+package filters
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Helper functions for creating test data
+func createUsers() []User {
+	return []User{
+		{ID: 1, Name: "Alice Johnson", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Smith", Email: "bob@example.com", Age: 30},
+		{ID: 3, Name: "Charlie Brown", Email: "charlie@example.com", Age: 35},
+		{ID: 4, Name: "Diana Prince", Email: "diana@example.com", Age: 28},
+		{ID: 5, Name: "Eve Adams", Email: "eve@example.com", Age: 22},
+	}
+}
+
+func createProducts() []Product {
+	return []Product{
+		{ID: 1, Name: "Laptop", Description: "High-performance laptop", Price: 999, Category: "Electronics"},
+		{ID: 2, Name: "Mouse", Description: "Wireless mouse", Price: 29, Category: "Electronics"},
+		{ID: 3, Name: "Book", Description: "Programming book", Price: 49, Category: "Books"},
+		{ID: 4, Name: "Keyboard", Description: "Mechanical keyboard", Price: 129, Category: "Electronics"},
+		{ID: 5, Name: "Chair", Description: "Office chair", Price: 199, Category: "Furniture"},
+	}
+}
+
+// Sort functions
+func userNameSort(a, b User) int {
+	return strings.Compare(a.Name, b.Name)
+}
+
+func userAgeSort(a, b User) int {
+	return a.Age - b.Age
+}
+
+func productPriceSort(a, b Product) int {
+	if a.Price < b.Price {
+		return -1
+	}
+	if a.Price > b.Price {
+		return 1
+	}
+	return 0
+}
+
+func productNameSort(a, b Product) int {
+	return strings.Compare(a.Name, b.Name)
+}
+
+func TestSearchOrderAndPaginate(t *testing.T) {
+	users := createUsers()
+	products := createProducts()
+
+	userConfig := Config[User]{
+		SearchAccessors: []SearchAccessor[User]{userNameAccessor, userEmailAccessor},
+		SortBindings: []SortBinding[User]{
+			{Key: "name", Fn: userNameSort},
+			{Key: "age", Fn: userAgeSort},
+		},
+	}
+
+	productConfig := Config[Product]{
+		SearchAccessors: []SearchAccessor[Product]{productNameAccessor, productDescriptionAccessor, productCategoryAccessor},
+		SortBindings: []SortBinding[Product]{
+			{Key: "price", Fn: productPriceSort},
+			{Key: "name", Fn: productNameSort},
+		},
+	}
+
+	t.Run("no filters applied", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 5, len(result.Items), "Should return all items when no filters applied")
+		require.Equal(t, 5, result.TotalCount, "TotalCount should equal filtered items")
+		require.Equal(t, 5, result.TotalAvailable, "TotalAvailable should equal original items")
+		require.Equal(t, users, result.Items, "Items should be unchanged")
+	})
+
+	t.Run("search only", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "alice"},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 1, len(result.Items), "Should find one user matching 'alice'")
+		require.Equal(t, 1, result.TotalCount, "TotalCount should reflect filtered items")
+		require.Equal(t, 5, result.TotalAvailable, "TotalAvailable should be original count")
+		require.Equal(t, "Alice Johnson", result.Items[0].Name, "Should return Alice")
+	})
+
+	t.Run("search case insensitive", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "ALICE"},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 1, len(result.Items), "Search should be case insensitive")
+		require.Equal(t, "Alice Johnson", result.Items[0].Name, "Should return Alice")
+	})
+
+	t.Run("search by email", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "bob@example"},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 1, len(result.Items), "Should find user by email")
+		require.Equal(t, "Bob Smith", result.Items[0].Name, "Should return Bob")
+	})
+
+	t.Run("search no matches", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "nonexistent"},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 0, len(result.Items), "Should return empty when no matches")
+		require.Equal(t, 0, result.TotalCount, "TotalCount should be 0")
+		require.Equal(t, 5, result.TotalAvailable, "TotalAvailable should remain original count")
+	})
+
+	t.Run("search with whitespace", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "  alice  "},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 1, len(result.Items), "Should trim whitespace from search")
+		require.Equal(t, "Alice Johnson", result.Items[0].Name, "Should return Alice")
+	})
+
+	t.Run("sort ascending", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "name", order: SortAsc},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 5, len(result.Items), "Should return all items")
+		require.Equal(t, "Alice Johnson", result.Items[0].Name, "First should be Alice")
+		require.Equal(t, "Eve Adams", result.Items[4].Name, "Last should be Eve")
+	})
+
+	t.Run("sort descending", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "name", order: SortDesc},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 5, len(result.Items), "Should return all items")
+		require.Equal(t, "Eve Adams", result.Items[0].Name, "First should be Eve (desc order)")
+		require.Equal(t, "Alice Johnson", result.Items[4].Name, "Last should be Alice (desc order)")
+	})
+
+	t.Run("sort by age", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "age", order: SortAsc},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 5, len(result.Items), "Should return all items")
+		require.Equal(t, 22, result.Items[0].Age, "First should be youngest (22)")
+		require.Equal(t, 35, result.Items[4].Age, "Last should be oldest (35)")
+	})
+
+	t.Run("sort invalid key", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "invalid", order: SortAsc},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 5, len(result.Items), "Should return all items")
+		// Items should remain in original order since no valid sort key
+		require.Equal(t, users, result.Items, "Should maintain original order with invalid sort key")
+	})
+
+	t.Run("pagination basic", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 1, limit: 2},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 2, len(result.Items), "Should return 2 items")
+		require.Equal(t, 5, result.TotalCount, "TotalCount should be all items")
+		require.Equal(t, 5, result.TotalAvailable, "TotalAvailable should be original count")
+		require.Equal(t, users[1], result.Items[0], "Should start from index 1")
+		require.Equal(t, users[2], result.Items[1], "Should include index 2")
+	})
+
+	t.Run("pagination zero limit", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 1, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 5, len(result.Items), "Should return all items when limit is 0")
+		require.Equal(t, users, result.Items, "Should return all original items")
+	})
+
+	t.Run("pagination negative limit", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 1, limit: -1},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 5, len(result.Items), "Should return all items when limit is negative")
+	})
+
+	t.Run("pagination start beyond length", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 10, limit: 2},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 0, len(result.Items), "Should return empty slice when start is beyond length")
+		require.Equal(t, 5, result.TotalCount, "TotalCount should still be original count")
+	})
+
+	t.Run("pagination negative start", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: ""},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: -1, limit: 2},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		require.Equal(t, 2, len(result.Items), "Should return 2 items starting from 0")
+		require.Equal(t, users[0], result.Items[0], "Should start from index 0")
+		require.Equal(t, users[1], result.Items[1], "Should include index 1")
+	})
+
+	t.Run("combined search sort and pagination", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "example.com"},
+			SortQueryParams:       SortQueryParams{sort: "age", order: SortAsc},
+			PaginationQueryParams: PaginationQueryParams{start: 1, limit: 2},
+		}
+
+		result := SearchOrderAndPaginate(users, params, userConfig)
+
+		// All users have "example.com" in email, so all 5 should match search
+		// Then sorted by age: Eve(22), Alice(25), Diana(28), Bob(30), Charlie(35)
+		// Then paginated: start=1, limit=2 should give Alice(25), Diana(28)
+		require.Equal(t, 2, len(result.Items), "Should return 2 items after pagination")
+		require.Equal(t, 5, result.TotalCount, "TotalCount should be all filtered items")
+		require.Equal(t, 5, result.TotalAvailable, "TotalAvailable should be original count")
+		require.Equal(t, 25, result.Items[0].Age, "First item should be Alice (age 25)")
+		require.Equal(t, 28, result.Items[1].Age, "Second item should be Diana (age 28)")
+	})
+
+	t.Run("products test", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "electronics"},
+			SortQueryParams:       SortQueryParams{sort: "price", order: SortAsc},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 2},
+		}
+
+		result := SearchOrderAndPaginate(products, params, productConfig)
+
+		// Should find 3 electronics, sorted by price: Mouse(29.99), Keyboard(129.99), Laptop(999.99)
+		// Paginated to first 2: Mouse, Keyboard
+		require.Equal(t, 2, len(result.Items), "Should return 2 items")
+		require.Equal(t, 3, result.TotalCount, "Should find 3 electronics items")
+		require.Equal(t, 5, result.TotalAvailable, "Should have 5 total products")
+		require.Equal(t, "Mouse", result.Items[0].Name, "First should be Mouse (cheapest)")
+		require.Equal(t, "Keyboard", result.Items[1].Name, "Second should be Keyboard")
+	})
+
+	t.Run("empty input slice", func(t *testing.T) {
+		emptyUsers := []User{}
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "test"},
+			SortQueryParams:       SortQueryParams{sort: "name", order: SortAsc},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 10},
+		}
+
+		result := SearchOrderAndPaginate(emptyUsers, params, userConfig)
+
+		require.Equal(t, 0, len(result.Items), "Should return empty slice")
+		require.Equal(t, 0, result.TotalCount, "TotalCount should be 0")
+		require.Equal(t, 0, result.TotalAvailable, "TotalAvailable should be 0")
+	})
+}
+
+func TestSearchOrderAndPaginateWithErrors(t *testing.T) {
+	users := createUsers()
+
+	// Config with error-prone accessor
+	errorConfig := Config[User]{
+		SearchAccessors: []SearchAccessor[User]{errorAccessor[User], userNameAccessor},
+		SortBindings: []SortBinding[User]{
+			{Key: "name", Fn: userNameSort},
+		},
+	}
+
+	t.Run("search with accessor errors", func(t *testing.T) {
+		params := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "alice"},
+			SortQueryParams:       SortQueryParams{sort: "", order: ""},
+			PaginationQueryParams: PaginationQueryParams{start: 0, limit: 0},
+		}
+
+		result := SearchOrderAndPaginate(users, params, errorConfig)
+
+		// Should still find Alice through the working accessor
+		require.Equal(t, 1, len(result.Items), "Should find user despite error in first accessor")
+		require.Equal(t, "Alice Johnson", result.Items[0].Name, "Should return Alice")
+	})
+}
+
+func TestApplyFilterResultsHeaders(t *testing.T) {
+	t.Run("sets headers correctly", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		var responseWriter http.ResponseWriter = w
+		result := FilterResult[User]{
+			Items:          createUsers()[:3],
+			TotalCount:     10,
+			TotalAvailable: 25,
+		}
+
+		ApplyFilterResultsHeaders(&responseWriter, result)
+
+		require.Equal(t, "10", w.Header().Get("X-Total-Count"), "Should set X-Total-Count header")
+		require.Equal(t, "25", w.Header().Get("X-Total-Available"), "Should set X-Total-Available header")
+	})
+
+	t.Run("sets headers with zero values", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		var responseWriter http.ResponseWriter = w
+		result := FilterResult[User]{
+			Items:          []User{},
+			TotalCount:     0,
+			TotalAvailable: 0,
+		}
+
+		ApplyFilterResultsHeaders(&responseWriter, result)
+
+		require.Equal(t, "0", w.Header().Get("X-Total-Count"), "Should set X-Total-Count to 0")
+		require.Equal(t, "0", w.Header().Get("X-Total-Available"), "Should set X-Total-Available to 0")
+	})
+
+	t.Run("overwrites existing headers", func(t *testing.T) {
+		w := httptest.NewRecorder()
+		var responseWriter http.ResponseWriter = w
+		w.Header().Set("X-Total-Count", "999")
+		w.Header().Set("X-Total-Available", "999")
+
+		result := FilterResult[User]{
+			Items:          createUsers()[:2],
+			TotalCount:     5,
+			TotalAvailable: 15,
+		}
+
+		ApplyFilterResultsHeaders(&responseWriter, result)
+
+		require.Equal(t, "5", w.Header().Get("X-Total-Count"), "Should overwrite existing X-Total-Count")
+		require.Equal(t, "15", w.Header().Get("X-Total-Available"), "Should overwrite existing X-Total-Available")
+	})
+
+	t.Run("simulates real handler usage", func(t *testing.T) {
+		// Simulate how it's actually used in handlers
+		handler := func(w http.ResponseWriter, r *http.Request) {
+			result := FilterResult[Product]{
+				Items:          createProducts(),
+				TotalCount:     5,
+				TotalAvailable: 10,
+			}
+			ApplyFilterResultsHeaders(&w, result)
+		}
+
+		w := httptest.NewRecorder()
+		req := httptest.NewRequest("GET", "/test", nil)
+
+		handler(w, req)
+
+		require.Equal(t, "5", w.Header().Get("X-Total-Count"), "Should work in handler context")
+		require.Equal(t, "10", w.Header().Get("X-Total-Available"), "Should work in handler context")
+	})
+}
+
+// Benchmark tests
+func BenchmarkSearchOrderAndPaginate(b *testing.B) {
+	users := createUsers()
+	config := Config[User]{
+		SearchAccessors: []SearchAccessor[User]{userNameAccessor, userEmailAccessor},
+		SortBindings: []SortBinding[User]{
+			{Key: "name", Fn: userNameSort},
+			{Key: "age", Fn: userAgeSort},
+		},
+	}
+	params := QueryParams{
+		SearchQueryParams:     SearchQueryParams{search: "example"},
+		SortQueryParams:       SortQueryParams{sort: "name", order: SortAsc},
+		PaginationQueryParams: PaginationQueryParams{start: 0, limit: 10},
+	}
+
+	for b.Loop() {
+		SearchOrderAndPaginate(users, params, config)
+	}
+}
+
+func BenchmarkApplyFilterResultsHeaders(b *testing.B) {
+	w := httptest.NewRecorder()
+	var responseWriter http.ResponseWriter = w
+	result := FilterResult[User]{
+		Items:          createUsers(),
+		TotalCount:     100,
+		TotalAvailable: 500,
+	}
+
+	for b.Loop() {
+		ApplyFilterResultsHeaders(&responseWriter, result)
+	}
+}
diff --git a/api/http/utils/filters/pagination.go b/api/http/utils/filters/pagination.go
new file mode 100644
index 000000000..fd01eb89a
--- /dev/null
+++ b/api/http/utils/filters/pagination.go
@@ -0,0 +1,22 @@
+package filters
+
+type PaginationQueryParams struct {
+	start int
+	limit int
+}
+
+func paginateFn[T any](items []T, params PaginationQueryParams) []T {
+	if params.limit <= 0 {
+		return items
+	}
+
+	itemsCount := len(items)
+
+	// enforce start in [0, len(items)]
+	start := min(max(params.start, 0), itemsCount)
+
+	// enforce end <= len(items) (max is unnecessary since limit > 0 and start >= 0)
+	end := min(start+params.limit, itemsCount)
+
+	return items[start:end]
+}
diff --git a/api/http/utils/filters/pagination_test.go b/api/http/utils/filters/pagination_test.go
new file mode 100644
index 000000000..4b09ac9aa
--- /dev/null
+++ b/api/http/utils/filters/pagination_test.go
@@ -0,0 +1,245 @@
+package filters
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestPaginateFn_BasicPagination(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}
+
+	// First page
+	params := PaginationQueryParams{start: 0, limit: 3}
+	result := paginateFn(items, params)
+	require.Equal(t, []int{1, 2, 3}, result)
+
+	// Second page
+	params = PaginationQueryParams{start: 3, limit: 3}
+	result = paginateFn(items, params)
+	require.Equal(t, []int{4, 5, 6}, result)
+
+	// Third page
+	params = PaginationQueryParams{start: 6, limit: 3}
+	result = paginateFn(items, params)
+	require.Equal(t, []int{7, 8, 9}, result)
+
+	// Last partial page
+	params = PaginationQueryParams{start: 9, limit: 3}
+	result = paginateFn(items, params)
+	require.Equal(t, []int{10}, result)
+}
+
+func TestPaginateFn_ZeroLimit(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	params := PaginationQueryParams{start: 2, limit: 0}
+	result := paginateFn(items, params)
+
+	// Should return all items when limit is 0
+	require.Equal(t, items, result)
+}
+
+func TestPaginateFn_NegativeLimit(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	params := PaginationQueryParams{start: 2, limit: -5}
+	result := paginateFn(items, params)
+
+	// Should return all items when limit is negative
+	require.Equal(t, items, result)
+}
+
+func TestPaginateFn_NegativeStart(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	params := PaginationQueryParams{start: -3, limit: 2}
+	result := paginateFn(items, params)
+
+	// Should start from index 0 when start is negative
+	require.Equal(t, []int{1, 2}, result)
+}
+
+func TestPaginateFn_StartBeyondLength(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	params := PaginationQueryParams{start: 10, limit: 3}
+	result := paginateFn(items, params)
+
+	// Should return empty slice when start is beyond length
+	require.Empty(t, result)
+}
+
+func TestPaginateFn_StartAtLength(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	params := PaginationQueryParams{start: 5, limit: 3}
+	result := paginateFn(items, params)
+
+	// Should return empty slice when start equals length
+	require.Empty(t, result)
+}
+
+func TestPaginateFn_LimitLargerThanRemaining(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	params := PaginationQueryParams{start: 3, limit: 10}
+	result := paginateFn(items, params)
+
+	// Should return remaining items when limit exceeds available items
+	require.Equal(t, []int{4, 5}, result)
+}
+
+func TestPaginateFn_EmptySlice(t *testing.T) {
+	items := []int{}
+
+	params := PaginationQueryParams{start: 0, limit: 5}
+	result := paginateFn(items, params)
+
+	// Should return empty slice
+	require.Empty(t, result)
+}
+
+func TestPaginateFn_EmptySliceWithNegativeStart(t *testing.T) {
+	items := []int{}
+
+	params := PaginationQueryParams{start: -5, limit: 3}
+	result := paginateFn(items, params)
+
+	// Should return empty slice
+	require.Empty(t, result)
+}
+
+func TestPaginateFn_SingleElement(t *testing.T) {
+	items := []int{42}
+
+	// Take the single element
+	params := PaginationQueryParams{start: 0, limit: 1}
+	result := paginateFn(items, params)
+	require.Equal(t, []int{42}, result)
+
+	// Start beyond the single element
+	params = PaginationQueryParams{start: 1, limit: 1}
+	result = paginateFn(items, params)
+	require.Empty(t, result)
+}
+
+func TestPaginateFn_LimitOfOne(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	results := [][]int{}
+	for i := range items {
+		params := PaginationQueryParams{start: i, limit: 1}
+		result := paginateFn(items, params)
+		results = append(results, result)
+	}
+
+	expected := [][]int{
+		{1}, {2}, {3}, {4}, {5},
+	}
+	require.Equal(t, expected, results)
+}
+
+func TestPaginateFn_StringSlice(t *testing.T) {
+	items := []string{"apple", "banana", "cherry", "date", "elderberry"}
+
+	params := PaginationQueryParams{start: 1, limit: 3}
+	result := paginateFn(items, params)
+
+	require.Equal(t, []string{"banana", "cherry", "date"}, result)
+}
+
+func TestPaginateFn_StructSlice(t *testing.T) {
+	type User struct {
+		ID   int
+		Name string
+	}
+
+	users := []User{
+		{ID: 1, Name: "Alice"},
+		{ID: 2, Name: "Bob"},
+		{ID: 3, Name: "Charlie"},
+		{ID: 4, Name: "David"},
+	}
+
+	params := PaginationQueryParams{start: 1, limit: 2}
+	result := paginateFn(users, params)
+
+	expected := []User{
+		{ID: 2, Name: "Bob"},
+		{ID: 3, Name: "Charlie"},
+	}
+	require.Equal(t, expected, result)
+}
+
+func TestPaginateFn_BoundaryConditions(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	testCases := []struct {
+		name     string
+		start    int
+		limit    int
+		expected []int
+	}{
+		{"start=0, limit=0", 0, 0, []int{1, 2, 3, 4, 5}},
+		{"start=0, limit=5", 0, 5, []int{1, 2, 3, 4, 5}},
+		{"start=0, limit=6", 0, 6, []int{1, 2, 3, 4, 5}},
+		{"start=4, limit=1", 4, 1, []int{5}},
+		{"start=4, limit=2", 4, 2, []int{5}},
+		{"start=5, limit=1", 5, 1, []int{}},
+		{"start=-1, limit=1", -1, 1, []int{1}},
+		{"start=-10, limit=3", -10, 3, []int{1, 2, 3}},
+		{"start=100, limit=1", 100, 1, []int{}},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			params := PaginationQueryParams{start: tc.start, limit: tc.limit}
+			result := paginateFn(items, params)
+			require.Equal(t, tc.expected, result)
+		})
+	}
+}
+
+func TestPaginateFn_ReturnsSliceView(t *testing.T) {
+	items := []int{1, 2, 3, 4, 5}
+
+	params := PaginationQueryParams{start: 1, limit: 3}
+	result := paginateFn(items, params)
+
+	// Result should be a slice view of the original
+	require.Equal(t, []int{2, 3, 4}, result)
+
+	// Modifying result WILL affect the original slice (shares underlying array)
+	if len(result) > 0 {
+		result[0] = 999
+		require.Equal(t, 999, items[1]) // Original is modified because they share memory
+	}
+}
+
+func TestPaginateFn_TypicalAPIUseCases(t *testing.T) {
+	// Simulate API responses with different page sizes
+	items := make([]int, 100)
+	for i := range items {
+		items[i] = i + 1
+	}
+
+	// Page size 10
+	params := PaginationQueryParams{start: 0, limit: 10}
+	page1 := paginateFn(items, params)
+	require.Len(t, page1, 10)
+	require.Equal(t, []int{1, 2, 3, 4, 5, 6, 7, 8, 9, 10}, page1)
+
+	// Page size 20, offset 20
+	params = PaginationQueryParams{start: 20, limit: 20}
+	page2 := paginateFn(items, params)
+	require.Len(t, page2, 20)
+	require.Equal(t, 21, page2[0])
+	require.Equal(t, 40, page2[19])
+
+	// Last page (partial)
+	params = PaginationQueryParams{start: 95, limit: 10}
+	lastPage := paginateFn(items, params)
+	require.Len(t, lastPage, 5)
+	require.Equal(t, []int{96, 97, 98, 99, 100}, lastPage)
+}
diff --git a/api/http/utils/filters/query_params.go b/api/http/utils/filters/query_params.go
new file mode 100644
index 000000000..7dec80365
--- /dev/null
+++ b/api/http/utils/filters/query_params.go
@@ -0,0 +1,38 @@
+package filters
+
+import (
+	"net/http"
+
+	"github.com/portainer/portainer/pkg/libhttp/request"
+)
+
+type QueryParams struct {
+	SearchQueryParams
+	SortQueryParams
+	PaginationQueryParams
+}
+
+func ExtractListModifiersQueryParams(r *http.Request) QueryParams {
+	// search
+	search, _ := request.RetrieveQueryParameter(r, "search", true)
+	// sorting
+	sortField, _ := request.RetrieveQueryParameter(r, "sort", true)
+	sortOrder, _ := request.RetrieveQueryParameter(r, "order", true)
+	// pagination
+	start, _ := request.RetrieveNumericQueryParameter(r, "start", true)
+	limit, _ := request.RetrieveNumericQueryParameter(r, "limit", true)
+
+	return QueryParams{
+		SearchQueryParams{
+			search: search,
+		},
+		SortQueryParams{
+			sort:  sortField,
+			order: SortOrder(sortOrder),
+		},
+		PaginationQueryParams{
+			start: start,
+			limit: limit,
+		},
+	}
+}
diff --git a/api/http/utils/filters/query_params_test.go b/api/http/utils/filters/query_params_test.go
new file mode 100644
index 000000000..5865e11d8
--- /dev/null
+++ b/api/http/utils/filters/query_params_test.go
@@ -0,0 +1,300 @@
+package filters
+
+import (
+	"net/http"
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestExtractListModifiersQueryParams(t *testing.T) {
+	tests := []struct {
+		name           string
+		queryParams    map[string]string
+		expectedResult QueryParams
+		description    string
+	}{
+		{
+			name: "all parameters provided",
+			queryParams: map[string]string{
+				"search": "test query",
+				"sort":   "name",
+				"order":  "asc",
+				"start":  "10",
+				"limit":  "25",
+			},
+			expectedResult: QueryParams{
+				SearchQueryParams: SearchQueryParams{
+					search: "test query",
+				},
+				SortQueryParams: SortQueryParams{
+					sort:  "name",
+					order: SortAsc,
+				},
+				PaginationQueryParams: PaginationQueryParams{
+					start: 10,
+					limit: 25,
+				},
+			},
+			description: "Should correctly parse all query parameters when provided",
+		},
+		{
+			name: "descending sort order",
+			queryParams: map[string]string{
+				"search": "another test",
+				"sort":   "date",
+				"order":  "desc",
+				"start":  "0",
+				"limit":  "50",
+			},
+			expectedResult: QueryParams{
+				SearchQueryParams: SearchQueryParams{
+					search: "another test",
+				},
+				SortQueryParams: SortQueryParams{
+					sort:  "date",
+					order: SortDesc,
+				},
+				PaginationQueryParams: PaginationQueryParams{
+					start: 0,
+					limit: 50,
+				},
+			},
+			description: "Should correctly handle descending sort order",
+		},
+		{
+			name:        "no parameters provided",
+			queryParams: map[string]string{},
+			expectedResult: QueryParams{
+				SearchQueryParams: SearchQueryParams{
+					search: "",
+				},
+				SortQueryParams: SortQueryParams{
+					sort:  "",
+					order: SortOrder(""),
+				},
+				PaginationQueryParams: PaginationQueryParams{
+					start: 0,
+					limit: 0,
+				},
+			},
+			description: "Should return zero values when no parameters are provided",
+		},
+		{
+			name: "partial parameters - search only",
+			queryParams: map[string]string{
+				"search": "partial test",
+			},
+			expectedResult: QueryParams{
+				SearchQueryParams: SearchQueryParams{
+					search: "partial test",
+				},
+				SortQueryParams: SortQueryParams{
+					sort:  "",
+					order: SortOrder(""),
+				},
+				PaginationQueryParams: PaginationQueryParams{
+					start: 0,
+					limit: 0,
+				},
+			},
+			description: "Should handle partial parameters correctly",
+		},
+		{
+			name: "partial parameters - pagination only",
+			queryParams: map[string]string{
+				"start": "5",
+				"limit": "15",
+			},
+			expectedResult: QueryParams{
+				SearchQueryParams: SearchQueryParams{
+					search: "",
+				},
+				SortQueryParams: SortQueryParams{
+					sort:  "",
+					order: SortOrder(""),
+				},
+				PaginationQueryParams: PaginationQueryParams{
+					start: 5,
+					limit: 15,
+				},
+			},
+			description: "Should handle pagination parameters when other params are missing",
+		},
+		{
+			name: "invalid sort order",
+			queryParams: map[string]string{
+				"search": "test",
+				"sort":   "name",
+				"order":  "invalid",
+				"start":  "0",
+				"limit":  "10",
+			},
+			expectedResult: QueryParams{
+				SearchQueryParams: SearchQueryParams{
+					search: "test",
+				},
+				SortQueryParams: SortQueryParams{
+					sort:  "name",
+					order: SortOrder("invalid"),
+				},
+				PaginationQueryParams: PaginationQueryParams{
+					start: 0,
+					limit: 10,
+				},
+			},
+			description: "Should accept invalid sort order as SortOrder type",
+		},
+		{
+			name: "empty string values",
+			queryParams: map[string]string{
+				"search": "",
+				"sort":   "",
+				"order":  "",
+				"start":  "0",
+				"limit":  "0",
+			},
+			expectedResult: QueryParams{
+				SearchQueryParams: SearchQueryParams{
+					search: "",
+				},
+				SortQueryParams: SortQueryParams{
+					sort:  "",
+					order: SortOrder(""),
+				},
+				PaginationQueryParams: PaginationQueryParams{
+					start: 0,
+					limit: 0,
+				},
+			},
+			description: "Should handle empty string values correctly",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Create HTTP request with query parameters
+			req := createRequestWithParams(tt.queryParams)
+
+			// Execute the function
+			result := ExtractListModifiersQueryParams(req)
+
+			// Assertions
+			require.Equal(t, tt.expectedResult.SearchQueryParams.search, result.SearchQueryParams.search,
+				"Search parameter should match expected value")
+			require.Equal(t, tt.expectedResult.SortQueryParams.sort, result.SortQueryParams.sort,
+				"Sort parameter should match expected value")
+			require.Equal(t, tt.expectedResult.SortQueryParams.order, result.SortQueryParams.order,
+				"Order parameter should match expected value")
+			require.Equal(t, tt.expectedResult.PaginationQueryParams.start, result.PaginationQueryParams.start,
+				"Start parameter should match expected value")
+			require.Equal(t, tt.expectedResult.PaginationQueryParams.limit, result.PaginationQueryParams.limit,
+				"Limit parameter should match expected value")
+
+			// Verify the complete struct
+			require.Equal(t, tt.expectedResult, result, tt.description)
+		})
+	}
+}
+
+func TestSortOrderConstants(t *testing.T) {
+	t.Run("sort order constants", func(t *testing.T) {
+		require.Equal(t, SortOrder("asc"), SortAsc, "SortAsc constant should equal 'asc'")
+		require.Equal(t, SortOrder("desc"), SortDesc, "SortDesc constant should equal 'desc'")
+	})
+}
+
+func TestQueryParamsStructEmbedding(t *testing.T) {
+	t.Run("struct embedding", func(t *testing.T) {
+		qp := QueryParams{
+			SearchQueryParams:     SearchQueryParams{search: "test"},
+			SortQueryParams:       SortQueryParams{sort: "name", order: SortAsc},
+			PaginationQueryParams: PaginationQueryParams{start: 10, limit: 20},
+		}
+
+		// Test that embedded fields are accessible
+		require.Equal(t, "test", qp.search, "Embedded search field should be accessible")
+		require.Equal(t, "name", qp.sort, "Embedded sort field should be accessible")
+		require.Equal(t, SortAsc, qp.order, "Embedded order field should be accessible")
+		require.Equal(t, 10, qp.start, "Embedded start field should be accessible")
+		require.Equal(t, 20, qp.limit, "Embedded limit field should be accessible")
+	})
+}
+
+func TestExtractListModifiersQueryParamsEdgeCases(t *testing.T) {
+	t.Run("special characters in search", func(t *testing.T) {
+		req := createRequestWithParams(map[string]string{
+			"search": "test & special chars %20",
+		})
+
+		result := ExtractListModifiersQueryParams(req)
+		require.Equal(t, "test & special chars %20", result.search,
+			"Should handle special characters in search parameter")
+	})
+
+	t.Run("unicode characters", func(t *testing.T) {
+		req := createRequestWithParams(map[string]string{
+			"search": "test 测试 🔍",
+			"sort":   "título",
+		})
+
+		result := ExtractListModifiersQueryParams(req)
+		require.Equal(t, "test 测试 🔍", result.search, "Should handle unicode in search")
+		require.Equal(t, "título", result.sort, "Should handle unicode in sort field")
+	})
+
+	t.Run("very long values", func(t *testing.T) {
+		longSearch := "a very long search query that contains many words and goes on for quite some time to test handling of long strings"
+		req := createRequestWithParams(map[string]string{
+			"search": longSearch,
+		})
+
+		result := ExtractListModifiersQueryParams(req)
+		require.Equal(t, longSearch, result.search, "Should handle long search strings")
+	})
+}
+
+// Helper function to create HTTP request with query parameters
+func createRequestWithParams(params map[string]string) *http.Request {
+	// Create URL with query parameters
+	u := &url.URL{
+		Scheme: "https",
+		Host:   "example.com",
+		Path:   "/test",
+	}
+
+	// Add query parameters
+	q := u.Query()
+	for key, value := range params {
+		q.Set(key, value)
+	}
+	u.RawQuery = q.Encode()
+
+	// Create request
+	req, _ := http.NewRequest("GET", u.String(), nil)
+	return req
+}
+
+// Benchmark tests
+func BenchmarkExtractListModifiersQueryParams(b *testing.B) {
+	req := createRequestWithParams(map[string]string{
+		"search": "benchmark test",
+		"sort":   "name",
+		"order":  "asc",
+		"start":  "10",
+		"limit":  "25",
+	})
+
+	for b.Loop() {
+		ExtractListModifiersQueryParams(req)
+	}
+}
+
+func BenchmarkExtractListModifiersQueryParamsEmpty(b *testing.B) {
+	req := createRequestWithParams(map[string]string{})
+
+	for b.Loop() {
+		ExtractListModifiersQueryParams(req)
+	}
+}
diff --git a/api/http/utils/filters/search.go b/api/http/utils/filters/search.go
new file mode 100644
index 000000000..b88422da1
--- /dev/null
+++ b/api/http/utils/filters/search.go
@@ -0,0 +1,36 @@
+package filters
+
+import (
+	"strings"
+)
+
+// Return any error to skip the field (for  when matching an unknown state on an enum)
+//
+// Note: returning ("", nil) will match!
+type SearchAccessor[T any] = func(T) (string, error)
+
+type SearchQueryParams struct {
+	search string
+}
+
+func searchFn[T any](items []T, params SearchQueryParams, accessors []SearchAccessor[T]) []T {
+	search := strings.TrimSpace(params.search)
+
+	if search == "" {
+		return items
+	}
+
+	results := []T{}
+
+	for iIdx := range items {
+		for aIdx := range accessors {
+			value, err := accessors[aIdx](items[iIdx])
+			if err == nil && strings.Contains(strings.ToLower(value), strings.ToLower(search)) {
+				results = append(results, items[iIdx])
+				break
+			}
+		}
+	}
+
+	return results
+}
diff --git a/api/http/utils/filters/search_test.go b/api/http/utils/filters/search_test.go
new file mode 100644
index 000000000..d8f552563
--- /dev/null
+++ b/api/http/utils/filters/search_test.go
@@ -0,0 +1,283 @@
+package filters
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestSearchFn_BasicSearch(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+		{ID: 3, Name: "Charlie Brown", Email: "charlie@test.org", Age: 35},
+	}
+
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+	params := SearchQueryParams{search: "Alice"}
+
+	result := searchFn(users, params, accessors)
+
+	require.Len(t, result, 1)
+	require.Equal(t, "Alice Smith", result[0].Name)
+}
+
+func TestSearchFn_EmptySearch(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+	}
+
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+	params := SearchQueryParams{search: ""}
+
+	result := searchFn(users, params, accessors)
+
+	// Should return all items when search is empty
+	require.Equal(t, users, result)
+}
+
+func TestSearchFn_NoMatches(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+	}
+
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+	params := SearchQueryParams{search: "nonexistent"}
+
+	result := searchFn(users, params, accessors)
+
+	require.Empty(t, result)
+}
+
+func TestSearchFn_MultipleMatches(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Smith", Email: "bob@company.com", Age: 30},
+		{ID: 3, Name: "Charlie Brown", Email: "charlie@smith.org", Age: 35},
+	}
+
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+	params := SearchQueryParams{search: "Smith"}
+
+	result := searchFn(users, params, accessors)
+
+	require.Len(t, result, 3)
+	require.Equal(t, "Alice Smith", result[0].Name)
+	require.Equal(t, "Bob Smith", result[1].Name)
+	require.Equal(t, "Charlie Brown", result[2].Name) // Matches via email
+}
+
+func TestSearchFn_MultipleAccessors(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+		{ID: 3, Name: "Charlie Brown", Email: "charlie@test.org", Age: 35},
+	}
+
+	// Search across name, email, and ID
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor, userIDAccessor}
+
+	// Search by ID
+	params := SearchQueryParams{search: "2"}
+	result := searchFn(users, params, accessors)
+	require.Len(t, result, 1)
+	require.Equal(t, 2, result[0].ID)
+
+	// Search by email domain
+	params = SearchQueryParams{search: "company.com"}
+	result = searchFn(users, params, accessors)
+	require.Len(t, result, 1)
+	require.Equal(t, "Bob Johnson", result[0].Name)
+}
+
+func TestSearchFn_CaseSensitive(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+	}
+
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+
+	// Case sensitive search - should not match
+	params := SearchQueryParams{search: "alice"}
+	result := searchFn(users, params, accessors)
+	require.Len(t, result, 1) // Matches email which is lowercase
+
+	// Exact case match
+	params = SearchQueryParams{search: "Alice"}
+	result = searchFn(users, params, accessors)
+	require.Len(t, result, 1)
+	require.Equal(t, "Alice Smith", result[0].Name)
+}
+
+func TestSearchFn_PartialMatches(t *testing.T) {
+	products := []Product{
+		{ID: 1, Name: "Wireless Mouse", Description: "Ergonomic wireless mouse", Price: 25, Category: "Electronics"},
+		{ID: 2, Name: "Mechanical Keyboard", Description: "RGB gaming keyboard", Price: 150, Category: "Electronics"},
+		{ID: 3, Name: "Coffee Mug", Description: "Ceramic coffee mug", Price: 15, Category: "Kitchen"},
+	}
+
+	accessors := []SearchAccessor[Product]{productNameAccessor, productDescriptionAccessor}
+
+	// Partial word match
+	params := SearchQueryParams{search: "wire"}
+	result := searchFn(products, params, accessors)
+	require.Len(t, result, 1)
+	require.Equal(t, "Wireless Mouse", result[0].Name)
+
+	// Match in description
+	params = SearchQueryParams{search: "RGB"}
+	result = searchFn(products, params, accessors)
+	require.Len(t, result, 1)
+	require.Equal(t, "Mechanical Keyboard", result[0].Name)
+}
+
+func TestSearchFn_EmptySlice(t *testing.T) {
+	users := []User{}
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+	params := SearchQueryParams{search: "anything"}
+
+	result := searchFn(users, params, accessors)
+
+	require.Empty(t, result)
+}
+
+func TestSearchFn_EmptyAccessors(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+	}
+
+	accessors := []SearchAccessor[User]{} // No accessors
+	params := SearchQueryParams{search: "Alice"}
+
+	result := searchFn(users, params, accessors)
+
+	// Should return empty since no accessors to search through
+	require.Empty(t, result)
+}
+
+func TestSearchFn_SingleAccessor(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+	}
+
+	// Only search by name
+	accessors := []SearchAccessor[User]{userNameAccessor}
+	params := SearchQueryParams{search: "company.com"}
+
+	result := searchFn(users, params, accessors)
+
+	// Should not match since we're only searching names, not emails
+	require.Empty(t, result)
+}
+
+func TestSearchFn_NumericSearch(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+		{ID: 3, Name: "Charlie Brown", Email: "charlie@test.org", Age: 35},
+	}
+
+	// Search by age (converted to string)
+	accessors := []SearchAccessor[User]{userAgeAccessor}
+	params := SearchQueryParams{search: "30"}
+
+	result := searchFn(users, params, accessors)
+
+	require.Len(t, result, 1)
+	require.Equal(t, 30, result[0].Age)
+}
+
+func TestSearchFn_FormattedAccessor(t *testing.T) {
+	products := []Product{
+		{ID: 1, Name: "Mouse", Description: "Wireless mouse", Price: 25, Category: "Electronics"},
+		{ID: 2, Name: "Keyboard", Description: "Gaming keyboard", Price: 150, Category: "Electronics"},
+	}
+
+	// Search by formatted price (e.g., "$25")
+	accessors := []SearchAccessor[Product]{productPriceAccessor}
+	params := SearchQueryParams{search: "$25"}
+
+	result := searchFn(products, params, accessors)
+
+	require.Len(t, result, 1)
+	require.Equal(t, "Mouse", result[0].Name)
+}
+
+func TestSearchFn_FirstMatchOnly(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "test user", Email: "test@example.com", Age: 25},
+	}
+
+	// Both accessors would match the search term
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+	params := SearchQueryParams{search: "test"}
+
+	result := searchFn(users, params, accessors)
+
+	// Should only include the item once, even though multiple accessors match
+	require.Len(t, result, 1)
+	require.Equal(t, "test user", result[0].Name)
+}
+
+func TestSearchFn_PreservesOrder(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Test", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@test.com", Age: 30},
+		{ID: 3, Name: "Charlie Test", Email: "charlie@example.com", Age: 35},
+	}
+
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+	params := SearchQueryParams{search: "Test"}
+
+	result := searchFn(users, params, accessors)
+
+	require.Len(t, result, 3)
+	// Should preserve original order
+	require.Equal(t, 1, result[0].ID)
+	require.Equal(t, 2, result[1].ID)
+	require.Equal(t, 3, result[2].ID)
+}
+
+func TestSearchFn_ComplexSearch(t *testing.T) {
+	products := []Product{
+		{ID: 1, Name: "Gaming Mouse", Description: "High-DPI gaming mouse", Price: 75, Category: "Gaming"},
+		{ID: 2, Name: "Office Mouse", Description: "Ergonomic office mouse", Price: 25, Category: "Office"},
+		{ID: 3, Name: "Gaming Keyboard", Description: "Mechanical gaming keyboard", Price: 150, Category: "Gaming"},
+		{ID: 4, Name: "Wireless Headset", Description: "Gaming headset with mic", Price: 100, Category: "Gaming"},
+	}
+
+	// Search across multiple fields
+	accessors := []SearchAccessor[Product]{
+		productNameAccessor,
+		productDescriptionAccessor,
+		productCategoryAccessor,
+	}
+
+	params := SearchQueryParams{search: "Gaming"}
+
+	result := searchFn(products, params, accessors)
+
+	require.Len(t, result, 3)
+	require.Equal(t, "Gaming Mouse", result[0].Name)
+	require.Equal(t, "Gaming Keyboard", result[1].Name)
+	require.Equal(t, "Wireless Headset", result[2].Name)
+}
+
+func TestSearchFn_WhitespaceSearch(t *testing.T) {
+	users := []User{
+		{ID: 1, Name: "Alice Smith", Email: "alice@example.com", Age: 25},
+		{ID: 2, Name: "Bob Johnson", Email: "bob@company.com", Age: 30},
+	}
+
+	accessors := []SearchAccessor[User]{userNameAccessor, userEmailAccessor}
+
+	// Search with just whitespace should be treated as empty
+	params := SearchQueryParams{search: "   "}
+	result := searchFn(users, params, accessors)
+
+	require.Len(t, result, 2)
+}
diff --git a/api/http/utils/filters/sort.go b/api/http/utils/filters/sort.go
new file mode 100644
index 000000000..f7d937b4e
--- /dev/null
+++ b/api/http/utils/filters/sort.go
@@ -0,0 +1,40 @@
+package filters
+
+import "slices"
+
+type SortOrder string
+
+const (
+	SortAsc  SortOrder = "asc"
+	SortDesc SortOrder = "desc"
+)
+
+type SortQueryParams struct {
+	sort  string
+	order SortOrder
+}
+
+type SortOption[T any] func(a, b T) int
+type SortBinding[T any] struct {
+	Key string
+	Fn  SortOption[T]
+}
+
+func sortFn[T any](items []T, params SortQueryParams, sorts []SortBinding[T]) []T {
+	for _, sort := range sorts {
+		if sort.Key == params.sort {
+			fn := sort.Fn
+			if params.order == SortDesc {
+				fn = reverSortFn(fn)
+			}
+			slices.SortStableFunc(items, fn)
+		}
+	}
+	return items
+}
+
+func reverSortFn[T any](fn SortOption[T]) SortOption[T] {
+	return func(a, b T) int {
+		return -1 * fn(a, b)
+	}
+}
diff --git a/api/http/utils/filters/sort_test.go b/api/http/utils/filters/sort_test.go
new file mode 100644
index 000000000..44f4c5d72
--- /dev/null
+++ b/api/http/utils/filters/sort_test.go
@@ -0,0 +1,287 @@
+package filters
+
+import (
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// Helper sort functions
+func compareUserByName(a, b User) int {
+	return strings.Compare(a.Name, b.Name)
+}
+
+func compareUserByAge(a, b User) int {
+	return a.Age - b.Age
+}
+
+func compareProductByName(a, b Product) int {
+	return strings.Compare(a.Name, b.Name)
+}
+
+func compareProductByPrice(a, b Product) int {
+	return a.Price - b.Price
+}
+
+func TestSortFn_BasicAscending(t *testing.T) {
+	users := []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+		{Name: "Bob", Age: 20},
+	}
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+		{Key: "age", Fn: compareUserByAge},
+	}
+
+	params := SortQueryParams{sort: "name", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	require.Equal(t, []User{
+		{Name: "Alice", Age: 30},
+		{Name: "Bob", Age: 20},
+		{Name: "Charlie", Age: 25},
+	}, result)
+}
+
+func TestSortFn_BasicDescending(t *testing.T) {
+	users := []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+		{Name: "Bob", Age: 20},
+	}
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+		{Key: "age", Fn: compareUserByAge},
+	}
+
+	params := SortQueryParams{sort: "name", order: SortDesc}
+	result := sortFn(users, params, sorts)
+
+	require.Equal(t, []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Bob", Age: 20},
+		{Name: "Alice", Age: 30},
+	}, result)
+}
+
+func TestSortFn_SortByAge(t *testing.T) {
+	users := []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+		{Name: "Bob", Age: 20},
+	}
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+		{Key: "age", Fn: compareUserByAge},
+	}
+
+	// Test ascending by age
+	params := SortQueryParams{sort: "age", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	require.Equal(t, []User{
+		{Name: "Bob", Age: 20},
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+	}, result)
+
+	// Test descending by age
+	params = SortQueryParams{sort: "age", order: SortDesc}
+	result = sortFn(users, params, sorts)
+
+	require.Equal(t, []User{
+		{Name: "Alice", Age: 30},
+		{Name: "Charlie", Age: 25},
+		{Name: "Bob", Age: 20},
+	}, result)
+}
+
+func TestSortFn_UnknownSortKey(t *testing.T) {
+	users := []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+		{Name: "Bob", Age: 20},
+	}
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+	}
+
+	params := SortQueryParams{sort: "unknown", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	// Should return original slice unchanged
+	require.Equal(t, []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+		{Name: "Bob", Age: 20},
+	}, result)
+}
+
+func TestSortFn_EmptySlice(t *testing.T) {
+	users := []User{}
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+	}
+
+	params := SortQueryParams{sort: "name", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	require.Empty(t, result)
+}
+
+func TestSortFn_SingleElement(t *testing.T) {
+	users := []User{{Name: "Alice", Age: 30}}
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+	}
+
+	params := SortQueryParams{sort: "name", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	require.Equal(t, []User{{Name: "Alice", Age: 30}}, result)
+}
+
+func TestSortFn_EmptySortBindings(t *testing.T) {
+	users := []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+	}
+
+	sorts := []SortBinding[User]{} // Empty sorts
+
+	params := SortQueryParams{sort: "name", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	// Should return original slice unchanged
+	require.Equal(t, []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+	}, result)
+}
+
+func TestSortFn_DifferentType(t *testing.T) {
+	products := []Product{
+		{Name: "Laptop", Price: 1000},
+		{Name: "Mouse", Price: 25},
+		{Name: "Keyboard", Price: 100},
+	}
+
+	sorts := []SortBinding[Product]{
+		{Key: "name", Fn: compareProductByName},
+		{Key: "price", Fn: compareProductByPrice},
+	}
+
+	// Test by price ascending
+	params := SortQueryParams{sort: "price", order: SortAsc}
+	result := sortFn(products, params, sorts)
+
+	require.Equal(t, []Product{
+		{Name: "Mouse", Price: 25},
+		{Name: "Keyboard", Price: 100},
+		{Name: "Laptop", Price: 1000},
+	}, result)
+
+	// Test by name descending
+	params = SortQueryParams{sort: "name", order: SortDesc}
+	result = sortFn(products, params, sorts)
+
+	require.Equal(t, []Product{
+		{Name: "Mouse", Price: 25},
+		{Name: "Laptop", Price: 1000},
+		{Name: "Keyboard", Price: 100},
+	}, result)
+}
+
+func TestSortFn_StableSort(t *testing.T) {
+	// Test that sorting is stable (maintains relative order of equal elements)
+	users := []User{
+		{Name: "Alice", Age: 25},
+		{Name: "Bob", Age: 25},
+		{Name: "Charlie", Age: 25},
+		{Name: "David", Age: 30},
+	}
+
+	sorts := []SortBinding[User]{
+		{Key: "age", Fn: compareUserByAge},
+	}
+
+	params := SortQueryParams{sort: "age", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	// All users with age 25 should maintain their original relative order
+	require.Equal(t, []User{
+		{Name: "Alice", Age: 25},
+		{Name: "Bob", Age: 25},
+		{Name: "Charlie", Age: 25},
+		{Name: "David", Age: 30},
+	}, result)
+}
+
+func TestReverseSortFn(t *testing.T) {
+	originalFn := compareUserByAge
+	reversedFn := reverSortFn(originalFn)
+
+	userA := User{Name: "Alice", Age: 20}
+	userB := User{Name: "Bob", Age: 30}
+
+	// Original function: A < B (returns negative)
+	require.Less(t, originalFn(userA, userB), 0)
+
+	// Reversed function: A > B (returns positive)
+	require.Greater(t, reversedFn(userA, userB), 0)
+
+	// Test symmetry
+	require.Equal(t, -originalFn(userA, userB), reversedFn(userA, userB))
+	require.Equal(t, -originalFn(userB, userA), reversedFn(userB, userA))
+}
+
+func TestSortFn_CaseSensitive(t *testing.T) {
+	users := []User{
+		{Name: "alice", Age: 25},
+		{Name: "Bob", Age: 30},
+		{Name: "Charlie", Age: 20},
+	}
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+	}
+
+	params := SortQueryParams{sort: "name", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	// strings.Compare is case-sensitive, uppercase comes before lowercase
+	require.Equal(t, []User{
+		{Name: "Bob", Age: 30},
+		{Name: "Charlie", Age: 20},
+		{Name: "alice", Age: 25},
+	}, result)
+}
+
+func TestSortFn_ModifiesOriginalSlice(t *testing.T) {
+	users := []User{
+		{Name: "Charlie", Age: 25},
+		{Name: "Alice", Age: 30},
+		{Name: "Bob", Age: 20},
+	}
+	original := make([]User, len(users))
+	copy(original, users)
+
+	sorts := []SortBinding[User]{
+		{Key: "name", Fn: compareUserByName},
+	}
+
+	params := SortQueryParams{sort: "name", order: SortAsc}
+	result := sortFn(users, params, sorts)
+
+	// The function modifies the original slice
+	require.Equal(t, result, users)
+	require.NotEqual(t, original, users)
+}
diff --git a/api/http/utils/filters/types_test.go b/api/http/utils/filters/types_test.go
new file mode 100644
index 000000000..2dc9b9ac9
--- /dev/null
+++ b/api/http/utils/filters/types_test.go
@@ -0,0 +1,63 @@
+package filters
+
+import (
+	"errors"
+	"fmt"
+	"strconv"
+)
+
+// Test data structures
+type User struct {
+	ID    int
+	Name  string
+	Email string
+	Age   int
+}
+
+type Product struct {
+	ID          int
+	Name        string
+	Description string
+	Price       int
+	Category    string
+}
+
+// User accessors
+func userIDAccessor(u User) (string, error) {
+	return strconv.Itoa(u.ID), nil
+}
+
+func userNameAccessor(u User) (string, error) {
+	return u.Name, nil
+}
+
+func userEmailAccessor(u User) (string, error) {
+	return u.Email, nil
+}
+
+func userAgeAccessor(u User) (string, error) {
+	return strconv.Itoa(u.Age), nil
+}
+
+// Product accessors
+
+func productNameAccessor(p Product) (string, error) {
+	return p.Name, nil
+}
+
+func productDescriptionAccessor(p Product) (string, error) {
+	return p.Description, nil
+}
+
+func productPriceAccessor(p Product) (string, error) {
+	return fmt.Sprintf("$%d", p.Price), nil
+}
+
+func productCategoryAccessor(p Product) (string, error) {
+	return p.Category, nil
+}
+
+// Other accessors
+func errorAccessor[T any](t T) (string, error) {
+	return "", errors.New("accessor error")
+}
diff --git a/app/react/common/api/common.test.ts b/app/react/common/api/common.test.ts
new file mode 100644
index 000000000..97d22c2be
--- /dev/null
+++ b/app/react/common/api/common.test.ts
@@ -0,0 +1,117 @@
+import {
+  queryOptionsFromTableState,
+  queryParamsFromQueryOptions,
+} from './listQueryParams';
+import {
+  withPaginationHeaders,
+  withPaginationQueryParams,
+} from './pagination.types';
+import {
+  makeIsSortTypeFunc,
+  sortOptionsFromColumns,
+  withSortQuery,
+} from './sort.types';
+
+const sortOptions = sortOptionsFromColumns([
+  { enableSorting: true },
+  { id: 'one' },
+  { id: 'two', enableSorting: true },
+  { accessorKey: 'three', enableSorting: true },
+  { id: 'four', enableSorting: true, accessorKey: 'four_key' },
+]);
+
+describe('listQueryParams', () => {
+  test('queryOptionsFromTableState', () => {
+    const fns = {
+      setPageSize: () => {},
+      setSearch: () => {},
+      setSortBy: () => {},
+    };
+
+    expect(
+      queryOptionsFromTableState(
+        {
+          page: 5,
+          pageSize: 10,
+          search: 'something',
+          sortBy: { id: 'one', desc: false },
+          ...fns,
+        },
+        sortOptions
+      )
+    ).toStrictEqual({
+      search: 'something',
+      sort: 'one',
+      order: 'asc',
+      page: 5,
+      pageLimit: 10,
+    });
+  });
+
+  test('queryParamsFromQueryOptions', () => {
+    expect(
+      queryParamsFromQueryOptions({
+        search: 'something',
+        page: 5,
+        pageLimit: 10,
+        sort: 'one',
+        order: 'asc',
+      })
+    ).toStrictEqual({
+      search: 'something',
+      sort: 'one',
+      order: 'asc',
+      start: 50,
+      limit: 10,
+    });
+  });
+});
+
+describe('pagination.types', () => {
+  test('withPaginationQueryParams', () => {
+    expect(withPaginationQueryParams({ page: 5, pageLimit: 10 })).toStrictEqual(
+      {
+        start: 50,
+        limit: 10,
+      }
+    );
+  });
+
+  test('withPaginationHeaders', () => {
+    expect(
+      withPaginationHeaders({
+        data: [],
+        headers: { 'x-total-count': 10, 'x-total-available': 100 },
+      })
+    ).toStrictEqual({
+      data: [],
+      totalCount: 10,
+      totalAvailable: 100,
+    });
+  });
+});
+
+describe('sort.types', () => {
+  test('makeIsSortType', () => {
+    const isSortType = makeIsSortTypeFunc(sortOptions);
+    expect(typeof isSortType).toBe('function');
+    expect(isSortType('one')).toBe(true);
+    expect(isSortType('something_else')).toBe(false);
+  });
+
+  test('withSortQuery', () => {
+    expect(
+      withSortQuery({ id: 'one', desc: false }, sortOptions)
+    ).toStrictEqual({ sort: 'one', order: 'asc' });
+    expect(
+      withSortQuery({ id: 'three', desc: true }, sortOptions)
+    ).toStrictEqual({ sort: 'three', order: 'desc' });
+    expect(
+      withSortQuery({ id: 'something_else', desc: true }, sortOptions)
+    ).toStrictEqual({ sort: undefined, order: 'desc' });
+  });
+
+  test('sortOptionsFromColumns', () => {
+    expect(sortOptions).toEqual(['one', 'two', 'three', 'four']);
+  });
+});
diff --git a/app/react/common/api/listQueryParams.ts b/app/react/common/api/listQueryParams.ts
new file mode 100644
index 000000000..dc2101c5b
--- /dev/null
+++ b/app/react/common/api/listQueryParams.ts
@@ -0,0 +1,65 @@
+import { BasicTableSettings } from '@@/datatables/types';
+import { TableState } from '@@/datatables/useTableState';
+
+import {
+  PaginationQuery,
+  PaginationQueryParams,
+  withPaginationQueryParams,
+} from './pagination.types';
+import { SearchQuery, SearchQueryParams } from './search.types';
+import {
+  SortOptions,
+  SortQuery,
+  SortQueryParams,
+  withSortQuery,
+} from './sort.types';
+
+export type BaseQueryOptions<T extends SortOptions> = SearchQuery &
+  SortQuery<T> &
+  PaginationQuery;
+
+/**
+ * Utility function to transform a TableState (base form) to a query options object
+ * Used to unify backend pagination common cases
+ *
+ * @param tableState TableState {search, sortBy: {id:string, desc:bool }, page, pageSize}
+ * @param sortOptions SortOptions (generated from columns)
+ * @returns BaseQuery {search, sort, order, page, pageLimit}
+ */
+export function queryOptionsFromTableState<T extends SortOptions>(
+  tableState: TableState<BasicTableSettings> & { page: number },
+  sortOptions: T
+): BaseQueryOptions<T> {
+  return {
+    // search/filter
+    search: tableState.search,
+    // sorting
+    ...withSortQuery(tableState.sortBy, sortOptions),
+    // pagination
+    page: tableState.page,
+    pageLimit: tableState.pageSize,
+  };
+}
+
+export type BaseQueryParams<T extends SortOptions> = SearchQueryParams &
+  SortQueryParams<T> &
+  PaginationQueryParams;
+
+/**
+ *
+ * @param query BaseQueryOptions
+ * @returns BaseQueryParams {search, sort, order, start, limit}
+ */
+export function queryParamsFromQueryOptions<T extends SortOptions>(
+  query: BaseQueryOptions<T>
+): BaseQueryParams<T> {
+  return {
+    // search/filter
+    search: query.search,
+    // sorting
+    sort: query.sort,
+    order: query.order,
+    // paginattion
+    ...withPaginationQueryParams(query),
+  };
+}
diff --git a/app/react/common/api/pagination.types.ts b/app/react/common/api/pagination.types.ts
new file mode 100644
index 000000000..390765251
--- /dev/null
+++ b/app/react/common/api/pagination.types.ts
@@ -0,0 +1,114 @@
+import { AxiosResponse } from 'axios';
+
+/**
+ * Used to define axios query functions parameters for queries that support backend pagination
+ *
+ * **Example**
+ *
+ * ```ts
+ *  type QueryParams = PaginationQueryParams;
+ *
+ *  async function getSomething({ start, limit }: QueryParams = {}) {
+ *    try {
+ *      const { data } = await axios.get<APIType>(
+ *        buildUrl(),
+ *        { params: { start, limit } },
+ *      );
+ *      return data;
+ *    } catch (err) {
+ *      throw parseAxiosError(err as Error, 'Unable to retrieve something');
+ *    }
+ *  }
+ *```
+ */
+export type PaginationQueryParams = {
+  start?: number;
+  limit?: number;
+};
+
+/**
+ * Used to define react-query query functions parameters for queries that support backend pagination
+ *
+ * Example:
+ *
+ * ```ts
+ * type Query = PaginationQuery;
+ *
+ * function useSomething({
+ *    page = 0,
+ *    pageLimit = 10,
+ *    ...query
+ *   }: Query = {}) {
+ *     return useQuery(
+ *     [ ...queryKeys.base(), { page, pageLimit, ...query } ],
+ *     async () => {
+ *       const start = (page - 1) * pageLimit + 1;
+ *       return getSomething({ start, limit: pageLimit, ...query });
+ *     },
+ *     {
+ *       ...withError('Failure retrieving something'),
+ *     }
+ *   );
+ * }
+ * ```
+ */
+export type PaginationQuery = {
+  page?: number;
+  pageLimit?: number;
+};
+
+/**
+ * Utility function to convert PaginationQuery to PaginationQueryParams
+ *
+ * **Example**
+ *
+ * ```ts
+ * function getSomething(params: PaginationQueryParams) {...}
+ *
+ * function useSomething(query: PaginationQuery) {
+ *   return useQuery(
+ *     [ ...queryKeys.base(), query ],
+ *     async () => getSomething({ ...query, ...withPaginationQueryParams(query) })
+ *   )
+ * }
+ * ```
+ */
+export function withPaginationQueryParams({
+  page = 0,
+  pageLimit = 10,
+}: PaginationQuery): PaginationQueryParams {
+  const start = page * pageLimit;
+  return {
+    start,
+    limit: pageLimit,
+  };
+}
+
+export type PaginatedResults<T> = {
+  data: T;
+  totalCount: number;
+  totalAvailable: number;
+};
+
+/**
+ * Utility function to extract total count from AxiosResponse headers
+ *
+ * @param param0 AxiosReponse-like object {data, headers}
+ * @returns PaginatedResults {data, totalCount, totalAvailable}
+ */
+export function withPaginationHeaders<T = unknown>({
+  data,
+  headers,
+}: {
+  data: AxiosResponse<T>['data'];
+  headers: AxiosResponse<T>['headers'];
+}): PaginatedResults<T> {
+  const totalCount = parseInt(headers['x-total-count'], 10);
+  const totalAvailable = parseInt(headers['x-total-available'], 10);
+
+  return {
+    data,
+    totalCount,
+    totalAvailable,
+  };
+}
diff --git a/app/react/common/api/search.types.ts b/app/react/common/api/search.types.ts
new file mode 100644
index 000000000..e146bd8ba
--- /dev/null
+++ b/app/react/common/api/search.types.ts
@@ -0,0 +1,47 @@
+/**
+ * Used to define axios query functions parameters for queries that support backend filtering by search
+ *
+ * **Example**
+ *
+ * ```ts
+ *  type QueryParams = SearchQueryParams;
+ *
+ *  async function getSomething({ search }: QueryParams = {}) {
+ *    try {
+ *      const { data } = await axios.get<APIType>(
+ *        buildUrl(),
+ *        { params: { search } },
+ *      );
+ *      return data;
+ *    } catch (err) {
+ *      throw parseAxiosError(err as Error, 'Unable to retrieve something');
+ *    }
+ *  }
+ *```
+ */
+export type SearchQueryParams = {
+  search?: string;
+};
+
+/**
+ * Used to define react-query query functions parameters for queries that support backend filtering by search
+ *
+ * Example:
+ *
+ * ```ts
+ * type Query = SearchQuery;
+ *
+ * function useSomething({ search, ...query }: Query = {}) {
+ *   return useQuery(
+ *     [ ...queryKeys.base(), { search, ...query } ],
+ *     async () => getSomething({ search, ...query }),
+ *     {
+ *       ...withError('Failure retrieving something'),
+ *     }
+ *   );
+ * }
+ * ```
+ */
+export type SearchQuery = {
+  search?: string;
+};
diff --git a/app/react/common/api/sort.types.ts b/app/react/common/api/sort.types.ts
new file mode 100644
index 000000000..bccfff1c8
--- /dev/null
+++ b/app/react/common/api/sort.types.ts
@@ -0,0 +1,139 @@
+import { compact } from 'lodash';
+
+import { SortableTableSettings } from '@@/datatables/types';
+
+export type SortOptions = readonly string[];
+export type SortType<T extends SortOptions> = T[number];
+
+/**
+ * Used to generate the validation function that allows to check if the sort key is supported or not
+ *
+ * **Example**
+ *
+ * ```ts
+ * export const sortOptions: SortOptions = ['Id', 'Name'] as const;
+ * export const isSortType = makeIsSortTypeFunc(sortOptions)
+ * ```
+ *
+ * **Usage**
+ *
+ * ```ts
+ * // react-query hook definition
+ * export function useSomething({ sort, order }: SortQuery<typeof sortOptions>) { ... }
+ *
+ * // component using the react-query hook, validating the parameters used by the query
+ * function MyComponent() {
+ *   const tableState = useTableState(settingsStore, tableKey);
+ *   const { data } = useSomething(
+ *     {
+ *       sort: isSortType(tableState.sortBy.id) ? tableState.sortBy.id : undefined,
+ *       order: tableState.sortBy.desc ? 'desc' : 'asc',
+ *     },
+ *   );
+ *   ...
+ * }
+ * ```
+ *
+ * @param sortOptions list of supported keys
+ * @returns validation function
+ */
+export function makeIsSortTypeFunc<T extends SortOptions>(sortOptions: T) {
+  return (value?: string): value is SortType<T> =>
+    sortOptions.includes(value as SortType<T>);
+}
+
+/**
+ * Used to define axios query functions parameters for queries that support backend sorting
+ *
+ * **Example**
+ *
+ * ```ts
+ *  const sortOptions: SortOptions = ['Id', 'Name'] as const; // or generated with `sortOptionsFromColumns`
+ *  type QueryParams = SortQueryParams<typeof sortOptions>;
+ *
+ *  async function getSomething({ sort, order = 'asc' }: QueryParams = {}) {
+ *    try {
+ *      const { data } = await axios.get<APIType>(
+ *        buildUrl(),
+ *        { params: { sort, order } },
+ *      );
+ *      return data;
+ *    } catch (err) {
+ *      throw parseAxiosError(err as Error, 'Unable to retrieve something');
+ *    }
+ *  }
+ *```
+ */
+export type SortQueryParams<T extends SortOptions> = {
+  sort?: SortType<T>;
+  order?: 'asc' | 'desc';
+};
+
+/**
+ * Used to define react-query query functions parameters for queries that support backend sorting
+ *
+ * Example:
+ *
+ * ```ts
+ *  const sortOptions: SortOptions = ['Id', 'Name'] as const;
+ *  type Query = SortQuery<typeof sortOptions>;
+ *
+ *  function useSomething({
+ *    sort,
+ *    order = 'asc',
+ *    ...query
+ *  }: Query = {}) {
+ *    return useQuery(
+ *      [ ...queryKeys.base(), { ...query, sort, order } ],
+ *      async () => getSomething({ ...query, sort, order }),
+ *      {
+ *        ...withError('Failure retrieving something'),
+ *      }
+ *    );
+ *  }
+ * ```
+ */
+export type SortQuery<T extends SortOptions> = {
+  sort?: SortType<T>;
+  order?: 'asc' | 'desc';
+};
+
+/**
+ * Utility function to convert react-table `sortBy` state to `SortQuery` query parameter
+ *
+ * @param sortBy tableState.sortBy
+ * @param sortOptions SortOptions - either defined manually, or generated with `sortOptionsFromColumns`
+ * @returns SortQuery - object usable by react-query functions that have params extending SortQuery
+ */
+export function withSortQuery<T extends SortOptions>(
+  sortBy: SortableTableSettings['sortBy'],
+  sortOptions: T
+): SortQuery<T> {
+  if (!sortBy) {
+    return {
+      sort: undefined,
+      order: 'asc',
+    };
+  }
+
+  const isSortType = makeIsSortTypeFunc(sortOptions);
+  return {
+    sort: isSortType(sortBy.id) ? sortBy.id : undefined,
+    order: sortBy.desc ? 'desc' : 'asc',
+  };
+}
+
+/**
+ * Utility function to generate SortOptions from columns definitions
+ * @param columns Column-like objects { id?:string; enableSorting?:boolean } to extract SortOptions from
+ * @returns SortOptions
+ */
+export function sortOptionsFromColumns(
+  columns: { id?: string; enableSorting?: boolean; accessorKey?: string }[]
+): SortOptions {
+  return compact(
+    columns.map((c) =>
+      c.enableSorting === false ? undefined : c.id ?? c.accessorKey
+    )
+  );
+}
diff --git a/app/react/components/datatables/Datatable.tsx b/app/react/components/datatables/Datatable.tsx
index dff56aaf6..e4c80051c 100644
--- a/app/react/components/datatables/Datatable.tsx
+++ b/app/react/components/datatables/Datatable.tsx
@@ -70,6 +70,7 @@ export interface Props<D extends DefaultType> extends AutomationTestingProps {
   getRowCanExpand?(row: Row<D>): boolean;
   noWidget?: boolean;
   extendTableOptions?: (options: TableOptions<D>) => TableOptions<D>;
+  onSearchChange?: (search: string) => void;
   includeSearch?: boolean;
   ariaLabel?: string;
   id?: string;
@@ -97,6 +98,7 @@ export function Datatable<D extends DefaultType>({
   getRowCanExpand,
   'data-cy': dataCy,
   onPageChange = () => {},
+  onSearchChange = () => {},
   page,
   totalCount = dataset.length,
   isServerSidePagination = false,
@@ -158,7 +160,12 @@ export function Datatable<D extends DefaultType>({
       getRowCanExpand,
       getColumnCanGlobalFilter,
       ...(isServerSidePagination
-        ? { manualPagination: true, pageCount }
+        ? {
+            pageCount,
+            manualPagination: true,
+            manualFiltering: true,
+            manualSorting: true,
+          }
         : {
             getSortedRowModel: getSortedRowModel(),
           }),
@@ -231,6 +238,7 @@ export function Datatable<D extends DefaultType>({
   function handleSearchBarChange(search: string) {
     tableInstance.setGlobalFilter({ search });
     settings.setSearch(search);
+    onSearchChange(search);
   }
 
   function handlePageChange(page: number) {
diff --git a/app/react/components/datatables/types.ts b/app/react/components/datatables/types.ts
index 45264f337..aecc23a18 100644
--- a/app/react/components/datatables/types.ts
+++ b/app/react/components/datatables/types.ts
@@ -6,16 +6,18 @@ import { keyBuilder } from '@/react/hooks/useLocalStorage';
 
 export type DefaultType = object;
 
-export interface PaginationTableSettings {
-  pageSize: number;
-  setPageSize: (pageSize: number) => void;
-}
-
 export type ZustandSetFunc<T> = (
   partial: T | Partial<T> | ((state: T) => T | Partial<T>),
   replace?: boolean | undefined
 ) => void;
 
+// pagination (page size dropdown)
+// for both backend and frontend paginations
+export interface PaginationTableSettings {
+  pageSize: number;
+  setPageSize: (pageSize: number) => void;
+}
+
 export function paginationSettings<T extends PaginationTableSettings>(
   set: ZustandSetFunc<T>
 ): PaginationTableSettings {
@@ -25,6 +27,24 @@ export function paginationSettings<T extends PaginationTableSettings>(
   };
 }
 
+// pagination (page number selector)
+// for backend pagination
+export interface BackendPaginationTableSettings {
+  page: number;
+  setPage: (page: number) => void;
+}
+
+export function backendPaginationSettings<
+  T extends BackendPaginationTableSettings,
+>(set: ZustandSetFunc<T>): BackendPaginationTableSettings {
+  return {
+    page: 0,
+    setPage: (page: number) => set((s) => ({ ...s, page })),
+  };
+}
+
+// sorting
+// arrows in datatable column headers
 export interface SortableTableSettings {
   sortBy: { id: string; desc: boolean } | undefined;
   setSortBy: (id: string | undefined, desc: boolean) => void;
@@ -47,6 +67,8 @@ export function sortableSettings<T extends SortableTableSettings>(
   };
 }
 
+// hidding columns
+// datatable options allowing to hide columns
 export interface SettableColumnsTableSettings {
   hiddenColumns: string[];
   setHiddenColumns: (hiddenColumns: string[]) => void;
@@ -63,6 +85,7 @@ export function hiddenColumnsSettings<T extends SettableColumnsTableSettings>(
   };
 }
 
+// auto refresh settings
 export interface RefreshableTableSettings {
   autoRefreshRate: number;
   setAutoRefreshRate: (autoRefreshRate: number) => void;
@@ -70,7 +93,7 @@ export interface RefreshableTableSettings {
 
 export function refreshableSettings<T extends RefreshableTableSettings>(
   set: ZustandSetFunc<T>,
-  autoRefreshRate = 0
+  autoRefreshRate: number = 0
 ): RefreshableTableSettings {
   return {
     autoRefreshRate,
diff --git a/app/react/components/form-components/Input/Select.tsx.rej b/app/react/components/form-components/Input/Select.tsx.rej
deleted file mode 100644
index 6edb9f9ef..000000000
--- a/app/react/components/form-components/Input/Select.tsx.rej
+++ /dev/null
@@ -1,10 +0,0 @@
-diff a/app/react/components/form-components/Input/Select.tsx b/app/react/components/form-components/Input/Select.tsx	(rejected hunks)
-@@ -10,7 +10,7 @@ export interface Option<T extends string | number>
-   disabled?: boolean;
- }
- 
--interface Props<T extends string | number> {
-+interface Props<T extends string | number> extends AutomationTestingProps {
-   options: Option<T>[];
- }
- 
diff --git a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/ResultsDatatable.tsx b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/ResultsDatatable.tsx
index 7054226f5..698f10bae 100644
--- a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/ResultsDatatable.tsx
+++ b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/ResultsDatatable.tsx
@@ -1,18 +1,16 @@
 import { List } from 'lucide-react';
-import { useMemo } from 'react';
 
-import { Environment } from '@/react/portainer/environments/types';
-import { useEnvironmentList } from '@/react/portainer/environments/queries';
+import { queryOptionsFromTableState } from '@/react/common/api/listQueryParams';
 
 import { Datatable } from '@@/datatables';
 import { useTableState } from '@@/datatables/useTableState';
 import { withMeta } from '@@/datatables/extend-options/withMeta';
 import { mergeOptions } from '@@/datatables/extend-options/mergeOptions';
 
-import { EdgeJob, JobResult, LogsStatus } from '../../types';
+import { EdgeJob, LogsStatus } from '../../types';
 import { useJobResults } from '../../queries/jobResults/useJobResults';
 
-import { columns } from './columns';
+import { columns, sortOptions } from './columns';
 import { createStore } from './datatable-store';
 
 const tableKey = 'edge-job-results';
@@ -22,8 +20,9 @@ export function ResultsDatatable({ jobId }: { jobId: EdgeJob['Id'] }) {
   const tableState = useTableState(store, tableKey);
 
   const jobResultsQuery = useJobResults(jobId, {
+    ...queryOptionsFromTableState({ ...tableState }, sortOptions),
     refetchInterval(dataset) {
-      const anyCollecting = dataset?.some(
+      const anyCollecting = dataset?.data.some(
         (r) => r.LogsStatus === LogsStatus.Pending
       );
 
@@ -35,40 +34,17 @@ export function ResultsDatatable({ jobId }: { jobId: EdgeJob['Id'] }) {
     },
   });
 
-  const environmentIds = jobResultsQuery.data?.map(
-    (result) => result.EndpointId
-  );
-
-  const environmentsQuery = useEnvironmentList(
-    { endpointIds: environmentIds },
-    { enabled: !!environmentIds && !jobResultsQuery.isLoading }
-  );
-
-  const dataset = useMemo(
-    () =>
-      jobResultsQuery.isLoading || environmentsQuery.isLoading
-        ? []
-        : associateEndpointsToResults(
-            jobResultsQuery.data || [],
-            environmentsQuery.environments
-          ),
-    [
-      environmentsQuery.environments,
-      environmentsQuery.isLoading,
-      jobResultsQuery.data,
-      jobResultsQuery.isLoading,
-    ]
-  );
+  const dataset = jobResultsQuery.data?.data || [];
 
   return (
     <Datatable
-      disableSelect
-      columns={columns}
-      dataset={dataset}
-      isLoading={jobResultsQuery.isLoading || environmentsQuery.isLoading}
       title="Results"
       titleIcon={List}
+      columns={columns}
+      disableSelect
+      dataset={dataset}
       settingsManager={tableState}
+      isLoading={jobResultsQuery.isLoading}
       extendTableOptions={mergeOptions(
         withMeta({
           table: 'edge-job-results',
@@ -76,21 +52,11 @@ export function ResultsDatatable({ jobId }: { jobId: EdgeJob['Id'] }) {
         })
       )}
       data-cy="edge-job-results-datatable"
+      isServerSidePagination
+      page={tableState.page}
+      onPageChange={tableState.setPage}
+      onSearchChange={() => tableState.setPage(0)}
+      totalCount={jobResultsQuery.data?.totalCount || 0}
     />
   );
 }
-
-function associateEndpointsToResults(
-  results: Array<JobResult>,
-  environments: Array<Environment>
-) {
-  return results.map((result) => {
-    const environment = environments.find(
-      (environment) => environment.Id === result.EndpointId
-    );
-    return {
-      ...result,
-      Endpoint: environment,
-    };
-  });
-}
diff --git a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/columns.tsx b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/columns.tsx
index 08f554d7c..76bada2a8 100644
--- a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/columns.tsx
+++ b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/columns.tsx
@@ -1,18 +1,20 @@
 import { CellContext, createColumnHelper } from '@tanstack/react-table';
 
+import { sortOptionsFromColumns } from '@/react/common/api/sort.types';
+
 import { Button } from '@@/buttons';
 
-import { LogsStatus } from '../../types';
+import { JobResult, LogsStatus } from '../../types';
 import { useDownloadLogsMutation } from '../../queries/jobResults/useDownloadLogsMutation';
 import { useClearLogsMutation } from '../../queries/jobResults/useClearLogsMutation';
 import { useCollectLogsMutation } from '../../queries/jobResults/useCollectLogsMutation';
 
-import { DecoratedJobResult, getTableMeta } from './types';
+import { getTableMeta } from './types';
 
-const columnHelper = createColumnHelper<DecoratedJobResult>();
+const columnHelper = createColumnHelper<JobResult>();
 
 export const columns = [
-  columnHelper.accessor('Endpoint.Name', {
+  columnHelper.accessor('EndpointName', {
     header: 'Environment',
     meta: {
       className: 'w-1/2',
@@ -30,7 +32,7 @@ export const columns = [
 function ActionsCell({
   row: { original: item },
   table,
-}: CellContext<DecoratedJobResult, unknown>) {
+}: CellContext<JobResult, unknown>) {
   const tableMeta = getTableMeta(table.options.meta);
   const id = tableMeta.jobId;
 
@@ -51,13 +53,13 @@ function ActionsCell({
         <>
           <Button
             onClick={() => downloadLogsMutation.mutate(item.EndpointId)}
-            data-cy={`edge-job-download-logs-${item.Endpoint?.Name}`}
+            data-cy={`edge-job-download-logs-${item.EndpointName}`}
           >
             Download logs
           </Button>
           <Button
             onClick={() => clearLogsMutations.mutate(item.EndpointId)}
-            data-cy={`edge-job-clear-logs-${item.Endpoint?.Name}`}
+            data-cy={`edge-job-clear-logs-${item.EndpointName}`}
           >
             Clear logs
           </Button>
@@ -68,10 +70,12 @@ function ActionsCell({
       return (
         <Button
           onClick={() => collectLogsMutation.mutate(item.EndpointId)}
-          data-cy={`edge-job-retrieve-logs-${item.Endpoint?.Name}`}
+          data-cy={`edge-job-retrieve-logs-${item.EndpointName}`}
         >
           Retrieve logs
         </Button>
       );
   }
 }
+
+export const sortOptions = sortOptionsFromColumns(columns);
diff --git a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/datatable-store.ts b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/datatable-store.ts
index d9ebb63a2..2db1c2185 100644
--- a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/datatable-store.ts
+++ b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/datatable-store.ts
@@ -3,12 +3,18 @@ import {
   createPersistedStore,
   BasicTableSettings,
   RefreshableTableSettings,
+  BackendPaginationTableSettings,
+  backendPaginationSettings,
 } from '@@/datatables/types';
 
-interface TableSettings extends BasicTableSettings, RefreshableTableSettings {}
+interface TableSettings
+  extends BasicTableSettings,
+    RefreshableTableSettings,
+    BackendPaginationTableSettings {}
 
 export function createStore(storageKey: string) {
   return createPersistedStore<TableSettings>(storageKey, undefined, (set) => ({
     ...refreshableSettings(set),
+    ...backendPaginationSettings(set),
   }));
 }
diff --git a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/types.ts b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/types.ts
index 890dec4c2..841cf16f5 100644
--- a/app/react/edge/edge-jobs/ItemView/ResultsDatatable/types.ts
+++ b/app/react/edge/edge-jobs/ItemView/ResultsDatatable/types.ts
@@ -1,10 +1,4 @@
-import { Environment } from '@/react/portainer/environments/types';
-
-import { EdgeJob, JobResult } from '../../types';
-
-export interface DecoratedJobResult extends JobResult {
-  Endpoint?: Environment;
-}
+import { EdgeJob } from '../../types';
 
 interface TableMeta {
   table: 'edge-job-results';
diff --git a/app/react/edge/edge-jobs/queries/jobResults/useJobResults.ts b/app/react/edge/edge-jobs/queries/jobResults/useJobResults.ts
index dcbe12129..9f9ecc5f9 100644
--- a/app/react/edge/edge-jobs/queries/jobResults/useJobResults.ts
+++ b/app/react/edge/edge-jobs/queries/jobResults/useJobResults.ts
@@ -1,35 +1,54 @@
 import { useQuery } from '@tanstack/react-query';
 
 import axios, { parseAxiosError } from '@/portainer/services/axios';
+import {
+  PaginatedResults,
+  withPaginationHeaders,
+} from '@/react/common/api/pagination.types';
+import {
+  BaseQueryOptions,
+  BaseQueryParams,
+  queryParamsFromQueryOptions,
+} from '@/react/common/api/listQueryParams';
 
 import { EdgeJob, JobResult } from '../../types';
+import { sortOptions } from '../../ItemView/ResultsDatatable/columns';
 
 import { queryKeys } from './query-keys';
-import { buildUrl } from './build-url';
+
+type QueryOptions = BaseQueryOptions<typeof sortOptions>;
+
+type RefetchInterval =
+  | number
+  | false
+  | ((data: PaginatedResults<Array<JobResult>> | undefined) => number | false);
 
 export function useJobResults(
   id: EdgeJob['Id'],
   {
     refetchInterval,
+    ...query
   }: {
-    refetchInterval?:
-      | number
-      | false
-      | ((data: Array<JobResult> | undefined) => number | false);
-  } = {}
+    refetchInterval?: RefetchInterval;
+  } & QueryOptions = {}
 ) {
   return useQuery({
-    queryKey: queryKeys.base(id),
-    queryFn: () => getJobResults(id),
+    queryKey: [...queryKeys.base(id), query],
+    queryFn: () => getJobResults(id, queryParamsFromQueryOptions(query)),
     refetchInterval,
   });
 }
 
-async function getJobResults(id: EdgeJob['Id']) {
-  try {
-    const { data } = await axios.get<Array<JobResult>>(buildUrl({ id }));
+type QueryParams = BaseQueryParams<typeof sortOptions>;
 
-    return data;
+async function getJobResults(id: EdgeJob['Id'], params?: QueryParams) {
+  try {
+    const response = await axios.get<Array<JobResult>>(
+      `edge_jobs/${id}/tasks`,
+      { params }
+    );
+
+    return withPaginationHeaders(response);
   } catch (err) {
     throw parseAxiosError(err, 'Failed fetching edge job results');
   }
diff --git a/app/react/edge/edge-jobs/types.ts b/app/react/edge/edge-jobs/types.ts
index e98333ddf..2278204b7 100644
--- a/app/react/edge/edge-jobs/types.ts
+++ b/app/react/edge/edge-jobs/types.ts
@@ -1,4 +1,7 @@
-import { EnvironmentId } from '@/react/portainer/environments/types';
+import {
+  Environment,
+  EnvironmentId,
+} from '@/react/portainer/environments/types';
 
 export interface EdgeJob {
   Id: number;
@@ -28,5 +31,6 @@ interface EndpointMeta {
 export interface JobResult {
   Id: string;
   EndpointId: EnvironmentId;
+  EndpointName: Environment['Name'];
   LogsStatus: LogsStatus;
 }

From 497b16e9428393eb2d5ae60e94d61b496db114c2 Mon Sep 17 00:00:00 2001
From: James Carppe <85850129+jamescarppe@users.noreply.github.com>
Date: Tue, 5 Aug 2025 06:14:54 +0100
Subject: [PATCH 210/212] Chore update readme graphic (#963)

Co-authored-by: Phil Calder <4473109+predlac@users.noreply.github.com>
---
 README.md                                     |  17 +++++++----------
 app/assets/images/portainer-github-banner.png | Bin 235624 -> 45223 bytes
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/README.md b/README.md
index 9b6bb31b8..680382cb0 100644
--- a/README.md
+++ b/README.md
@@ -8,9 +8,9 @@ Portainer consists of a single container that can run on any cluster. It can be
 
 **Portainer Business Edition** builds on the open-source base and includes a range of advanced features and functions (like RBAC and Support) that are specific to the needs of business users.
 
-- [Compare Portainer CE and Compare Portainer BE](https://portainer.io/products)
+- [Compare Portainer CE and Compare Portainer BE](https://www.portainer.io/features)
 - [Take3 – get 3 free nodes of Portainer Business for as long as you want them](https://www.portainer.io/take-3)
-- [Portainer BE install guide](https://install.portainer.io)
+- [Portainer BE install guide](https://academy.portainer.io/install/)
 
 ## Latest Version
 
@@ -20,22 +20,19 @@ Portainer CE is updated regularly. We aim to do an update release every couple o
 
 ## Getting started
 
-- [Deploy Portainer](https://docs.portainer.io/start/install)
+- [Deploy Portainer](https://docs.portainer.io/start/install-ce)
 - [Documentation](https://docs.portainer.io)
 - [Contribute to the project](https://docs.portainer.io/contribute/contribute)
 
 ## Features & Functions
 
-View [this](https://www.portainer.io/products) table to see all of the Portainer CE functionality and compare to Portainer Business.
-
-- [Portainer CE for Docker / Docker Swarm](https://www.portainer.io/solutions/docker)
-- [Portainer CE for Kubernetes](https://www.portainer.io/solutions/kubernetes-ui)
+View [this](https://www.portainer.io/features) table to see all of the Portainer CE functionality and compare to Portainer Business.
 
 ## Getting help
 
 Portainer CE is an open source project and is supported by the community. You can buy a supported version of Portainer at portainer.io
 
-Learn more about Portainer's community support channels [here.](https://www.portainer.io/get-support-for-portainer)
+Learn more about Portainer's community support channels [here.](https://www.portainer.io/resources/get-help/get-support)
 
 - Issues: https://github.com/portainer/portainer/issues
 - Slack (chat): [https://portainer.io/slack](https://portainer.io/slack)
@@ -53,13 +50,13 @@ You can join the Portainer Community by visiting [https://www.portainer.io/join-
 
 ## Work for us
 
-If you are a developer, and our code in this repo makes sense to you, we would love to hear from you. We are always on the hunt for awesome devs, either freelance or employed. Drop us a line to info@portainer.io with your details and/or visit our [careers page](https://portainer.io/careers).
+If you are a developer, and our code in this repo makes sense to you, we would love to hear from you. We are always on the hunt for awesome devs, either freelance or employed. Drop us a line to success@portainer.io with your details and/or visit our [careers page](https://apply.workable.com/portainer/).
 
 ## Privacy
 
 **To make sure we focus our development effort in the right places we need to know which features get used most often. To give us this information we use [Matomo Analytics](https://matomo.org/), which is hosted in Germany and is fully GDPR compliant.**
 
-When Portainer first starts, you are given the option to DISABLE analytics. If you **don't** choose to disable it, we collect anonymous usage as per [our privacy policy](https://www.portainer.io/privacy-policy). **Please note**, there is no personally identifiable information sent or stored at any time and we only use the data to help us improve Portainer.
+When Portainer first starts, you are given the option to DISABLE analytics. If you **don't** choose to disable it, we collect anonymous usage as per [our privacy policy](https://www.portainer.io/legal/privacy-policy). **Please note**, there is no personally identifiable information sent or stored at any time and we only use the data to help us improve Portainer.
 
 ## Limitations
 
diff --git a/app/assets/images/portainer-github-banner.png b/app/assets/images/portainer-github-banner.png
index 08776d3e39010162e76d7917a262d1f7a3ccf011..75871e3c568962632abc3cb3700893d0e62810cd 100644
GIT binary patch
literal 45223
zcmYIv1ymbByLONwZE<%EPH`yi#oeXFp*V%&R;;)~DXv9>yQWYG?(Qw_5GWD|@TcE*
z@BQbToSd_>GrK#xGw&nsL~E)mV7(-N2><}FloaK(0RWW0005FQ1~TG^7-<+8;t$nM
zT1^@Ns84(aw|D^nyi~H6mDTjnR*<1pl9v_a5f&8W<bA^f04PT1>UbNb-V#e}-rC^k
z%Pd{gXE=ob=ovs5L%2poxG4aOa9n(;frzM=`h-MyIf{Dyq4O^lbECEjSlaBQW1@^>
z^-SNM(X5p<2l}0#o<1x-bnWNt!zX+valYW;GbQg8IRJ#UBg90OXc9FP`-i)~AQLJ6
zMy18w8||}uF#rHup!oU(eXf&)Bh|VBkO6M<Zy50h|2&6vXfhc9Xp;fI>GAhpAth-8
zhTiB75dwxt0d+c!)-M5R0DzNkfDApL5({whS4rXpV5uT?jRde%L|K6Wh(`isvM4Yj
zOLYRw^+L2ckbm|83P4iyZ%}{MAbl}v;Z;EX()|M9m0*~JBV`Wwk}1P62B3Y543MQJ
z7)PO1MJeE(0spQrbBkzGL<0OAO&`xtnc*XBOP?b5zP$LoMYq-GR4-#e!isB)xkI0m
zk<CD$xR0Vb@frXihfViBy_HPb-`n}KXS?ro{&%40$??LKUV;v~`P3DMj0(V2pFCeN
z+udD2aT`Rc^8`Cqm;hGv0UtME@A+0S3yfb*`N3j+-@>J+^9nVG#Hc7=zIt^Ev@GoA
z-j0=c=KJINJ2vPBQTw#&cLDg6C6!tIvpDSWlZA^{jdsHRD5?yP%k4hH(_lpKV*=~+
z7Jt1d2T=^vFuF~XUTx5~T{~HhZa94l|1g*rO7razGu0al0Q#!&Q@sVfdDQ7=&>0eP
zEVki{7eFfLiZhP<RWbnAj-S`}763>E!xE*~kpSZvCEEZ%*8!<%c^Zi-1Oot&D+pn$
zlSY5tO9=XjozqLz^^*kI0!>cpHRDe)Tp6^TFO)9}Nxw;x>HZX1LT#=?Auqto`h(ll
z%kvg%|2MvA$gvv<nmK7+A8FTDOjPM13<3)}ktjUNgeCe343f+QRC)_V{**5zw1-iI
zTJ!@$?j^_-G7ib_6&Wr$-3f)`O{MOWR)=VLW8g7e3Os2c4O%F3$evQ|<uv3mkOGhC
z&-^&=zkDlloF;Fg7XQ*xR5q=0;Q1L47?WW2Wts=uHg4I%G%ix!Jlc?)X^_}z*HAz|
zQNW7IP{@mj;%A=4IR+zg>=%L)j1S?seNLfCNeYIlhO*_r6NV=I4h#d#uyCF}X8P1}
zjV7QUKCIuzQlvh~@EwThjE<Tv5BPx@o4_npkr8`1Wk>xb9WaSk>6MbB;;JHNiB5^c
z46c2SD${Y2^YF$FM#C2nZANly5>Apv%ER!lomN7Tfv7E2%pykZk~Dl}0UOC()F1i0
zGMNRHTH_UYa~PFTBKgKj&IMkYTsn~z1pJ;^!0~Ki+0hct;`ym8dprBvk6eeJJ22P7
zsO2-JGG-hP&=2<y!~S}|#`=mCHmGRHLgq;3PgX|SO2(C`TKZx(BXdZXdy$tS)9yRY
zcUL__wi~tpqT~_$bdhxZ^q}<pN?kn<J;{0B%2&EodN@@d^aD%Z={0I@S76Q&SIt*Y
z>2+2J)=X%7YbR<>YMB-Hm_3HxTVXYPjd)k^Rk2vtsue;OPe%;lwSgMSEV%2V9CJ8+
zSF<!}fSss%y?CJT;__G3k@cvw1=%Ls=I(tON5Y2G|Gp4j&QYGAo4}gz=S1O@<g8zC
zsJ5*Rsuo)DTj^P`Jas=MK0RJJ_jJpZ%H_zt7I7B2^~CHD?9l3n=veifJd&8TI`%!p
zydJs6K3tzxxOV<qd`)t6zHmNGBgD;*A(%ww#PinbVl2t(!123%+w?{FpK`p>j~&VV
zAB(4zikaJ(&LZu$1$;;(Y(cJ+mLUEOn>9x<3rl<6)sp^_ft?=K@ifOQ+m7j`+0SER
zLmX?MCD8Cmg7AEfW1dCNa@Q(6KH`Ub&VX{PVC>+xm2Ux~FTSaLy9IsMm(cgszt&#_
zDJ_^Da~wM_7&vKC7-YZB7RerMDX-41?)S=e-Xz>2Ok|y5z1DGA;W>eyygbP|K|2+`
zvA6-=INwZCjZxxLEr@;=4RHVLIp*c$)^%L+hyPbaf5opu13L=4LXX@l0g_Ucq*43~
zuM83$=dzeGmwdm`^j-3^j+y4!>*DOr?6vA;=ehMU@qxgq2emiZ6vOX-iJwdVy|^{p
z`ZTtkTb5ncca^ly^}*|d(T9g_YK_Jmro07i=b_bpli%H={^lYQ;x_jahbR&d3FLgg
z{K%ft9{Nr39)_TWpv)k2c;18P{pe%j9r%y$B{5X}g*j3$(k@bW2zf{&iX#dQY9{Ir
zbb%M~FFMh<UP}<kyvD>bqH#}k{Yi330kh&;v*XB`CK|!WB{HVC=N@BHrCz{G_&SNP
zi5uiv3R68CYr%;6t>6^ZMq^KwNdgNbWM$*6d~>ALr1SaH=Ua{i(2miAU3UUBu_CTr
zbk(87-OCQ-;H2$jb&}oorLD3p#3%Aj9-4vwnSc@VG<v6hsb4&L+XH#uDT^;>CrkI+
zXRDgswW4;Cy~ByoJZ~{00i&dVw-Mj*Ga4j!!)RqRxkxp3%Usl`2rk33BQ)fDisFm3
z>Ra2C#ZvZi_0w<Ou8RiB-hce6@y-*%hpC~>?wd@O(#~+DrZ2a!0h(O?w9F}-mXnrK
ztc_*=t%-e+yOpI?!<L;r6>G<L&v}F*HFD&3hXLkswMyg^p*mgMq+O$lO{~gQ&hBGE
zYU0zT*sW+h$G2(wbOd8~6-pe?om8jUR@b=H=3@l?O%ImuBxZ=!A@P30^Ip5d+Q<H4
zCUErQXv4Qh%`HQ1y-Nq*waWzUu$dn}WZ6Rv_|q%WhDTj${u;Mi5m}^L>zzAf%$w*3
zvyr5mf!sjlHFtII+V-{#)XnAtu6><XRyLGdM^29wk4uhSK(|KVTIFsB>G`Rz7g*I4
z(D+>nGiT+E&xL*t*9qfI<0IoJ0u}<NCSxt2)yqP`;v2u*;P<2YkJVMJJ<Cih3*dEc
z|10b;Dk9O1^R$z$W_BL~$8Pz+YnPd`(Dg)eONtKgUeJ1*g15#%UZVdGfAkyq^J9n4
zu1;&UU~mJbv$kM7wW5gIZuS?~mF&|j?`Ah+Htas>-CpL+(g6Q$&4a>;Uu(a{H#37<
zuQ84lec5M3z@8w^V&?+!!tV2fxZ+%@4^#?0t<OQ{Jlj^Dg93>Lc?G#F;!xO5XzF&E
zby;4nx}^AA=9=%VDm>Hiz1I6~JK4!RNs`ZJs;y?X!&e*oiSIAE-2T$vTCM_HRjS2n
z#1(?v9{(uTnz$a@+>V|ah}C@lt9C3peLfp}@9=ZpWASeB&HH@c?sLcqMXL+bI%ONM
z<ND6)=9I+y<(cZ*d%r}VT6oXO;}QBj&QWmFQ@zbk=ihhcKg}n98R48`V@BpZr9IC^
z{+Ur2Q<!IX#}J>GOG86}Mc#dBJ(2pStf7oxawJIq+4tC^YJc-_>p^AG5WaNr3KlyF
zuJNt7azC%Cs1+Gx7^LZ%@D+!a!mB4%1JB#eJ2nTqX);;hQcs#!)Av?`Wm6ir68iy9
zaIV|%s|QYnx048vNo%F3tp))2F#!Ny!U2GL#Gx+-0Dvbq0B~du0Em1C07%?&I<&+P
z6_{>{MjikFG4S6HNlBaW0s#0iq$DS;>yvYm>m5Kj0DHFcy1lQsbuejJV}H~31!-0^
z9N$mlV@Oh7(oRO6D>5b{9V&)EArmg`oH@7oYnL`}lW*47Z*pr|*B>80`G^a7ES!SW
zy&HTsYP&8kUpMmQ2i~;LH+J$({$BRjV?f-*e@a4NiRvrTA8@yc^?lvEQX&TBJBUWl
z@`<AgIK`3a{rxrTVzPjD^~3bd)B2%-`@4Z*$;=1mhCMrzpl7W?JH#Q=-V;gACjq0Y
zsXXQnE&&XW%1qXJl8tb>xH|nS?O%?;s}KCHlHi=@$5a)KshG2<{j5Y+?}+t#{~;c`
z$E%XatFd<DarD!w;P&gpE@hWozx8<nuKAc4HnY}y3e!9;%$Zr{C*PdL7!Z82Q0Teq
z;nN#nMx5krHlGX7@wLyBtV)n5b1;+9mD2u7zS9$x0W<TrH&5em|KY5B*Y@*Y2^#Gp
zcy$*$(Kza3Sq1Ya)Jy&kD>QDNynL=lo8LAR7T}(fsn0HOE(2zaLP?H$SW(e-lVvt|
zyJOz_U0V4QH5-+UM*ba1?8j+`r}?}4U;cSpdY8q*n_``py445KKDAGGUIspz!8pQu
zAiHmpy5_@+4iYDZS67_3S8TAAG{@T9&zbtV$?m5|qS@U6dCxnTIO;>>W%DOAVt36N
zVDWxB%=V9K!kc-%6h>Fw@sgWUjq>abkl<q2y5vbfxY&+HY;d4yuTz7q?Bw3LGyFvc
z{=!u-c)PIGWMeUAxfB$fLudzYUZ)7Y^IaQ<m0k4&`oV^+)p9%kIOYeLXc1NKePcCv
zFLd~_VSG{Iap9@gui7wG?{VxBoPw1nb^(_>dip_Rw0%w?c5$r%R>_^FNqipY>+?0P
z7hUprJn9V40_%HNTxV`(dNTVC;Yd91cATjh*H2|VuPFsLs(4lJ#qT{oTI_EQ$x@rb
zt6(oYnk?-K9#-bP!*{rszg`9e^Sf<lb&9~(jmH~OBA#1+m+jD{K{<<dms6?VG!r=r
zU?N`VYMDWf>H_6wp^eK!@t8^n0jD@9VtBfPFADT?vP2KhN2zHk#5{jT*d2YKcg%bH
zCuCSSwP~xTx1%=ro~ohubk?P<VUOJ!%Ms4Ut^tGQxF$QZY-cRT=8GS?+V+Cx>mXp)
zKN=(?TyrtGA!o<>!3-?u!-BeB2FZh^|Ky-2JnNaZiqiO1!J?q!p@$JV)SNBE_5vU%
zSoApIRplhT<B@p0P;E5d6Q@p1kIRg~u%OxViRgo=r*S=#;~L*64LyZe;O~gC?f7TJ
z*S27*F&D$LE$fy~TDF7u*6rox_2i_-qVTIe(xuaem%L`JkFr&cHsYtLhDKT9Gb%@?
z--%|Z%W>>wH4c+^TJue5eA{81RP0BlrzZXT1#d!NKPmSuFcJwUIIO(9@MV8LtFc0z
zvVT)1*HHTpY`K)9lAtVlmBY3-4S#ZyXCM>Eyy5Yewmy%G3<~Ga$pOQPBsQoK-J7@r
z{|uSoqGXWL?WCQQ;49(s<Zm;?xor&j^n|xRat^A#-vZH*(_r1?x#Fu@YnjKn+Qn(S
z-!jCi#V06z9LGP0krtOg%HHrOTN7u0v<f=;)Egat*v~ZMZM<?<iV7(k!`JG2yYUBq
z-D@jN(QvGFC)vwfTv9YBt$@<{d_T<yRAeOe>B-j8MRYD-80k-dic1&tQ00UhDAXe!
z0^LqijH6g$WS>`R5qA8z-B?@)X?-~?MuQ3aW}19w(E#zzqD+G>i^j-vdr+7aoHxbo
z^FcBWbS8MFZv&8GWjDR#N~Mvv2cK<*1?;TCU!XF|=-V`qY8A0T>(bQ;ZP#97DwQ+x
zY3ug0SUAj-hV#CHi6~2^f#tVjAtK3Gtc5idpb@kh-m1+nM!I{rC}-cufpOksog>qK
z%ytPM(O4hR(#prQ(8Os5*tN8O!ysvz3apiuziVWkldy8JtMc`WDwX1E%a~ZB#qw(k
z;}Z|GmMD_PzDI~C%d_n+(GyfLlC!|DxGVM>*Nc1@6hotVUpX2&d=#EOkG%=dEA6le
zUYV0(>XnPAeyJSPX*KY@zYSnKnQuV(45Bxejsi=au<%+L%Ij4GmG857eIzRU2uFXX
zRX`;hg_A%)F3A`<MDG}IBcIYo8sbj9ATPi7*)TYk4X>e`x78=ko`LZZ>!l&?3%t;W
ze$8`cjv}L>sj#GIXySCS+)i*~I{wlpwYPkm1*nV|&~xfBs4MwrneLQ&6~VCwWCDw$
z;*j~NRhuKV=qP!VCrFPj-$kW~C5OEt=3~b|-*a+gVA$vr@#pC1;BCv_9t4g^R?6kK
zk6y_^L}{j&eQ80dbd#+ZpAsxGoW5UW6Ui(QpTp4J@W>2N*2?`veg}Ud4vt>-cJedl
zR9c5}m&UsiAIch@H(Z+8+^DNWn0*)Mk$Rpn0t)V3F?p``W9Zbp;a&`FPNCjrZkvTX
zP&|}{^CBO^PR8S@BJ^a)M(CC+B!MT)I!9Fu5D+wV^Q=K_d5#Ro9n{rqBxJssp|k(}
zFFr%K`<PLhX#Ka6vu<PvqFT?As5<0MSU9Sl(=mXcbiN_@MR~{xlQCx1IGgeJDat_-
z?&~CT;<2>Y21&1#D|w1g;adeOk8^Ci*p*@r-FQFxjW`xzZbNXxsnsQ257%5i9#CyV
zUmFwBHolpR2VC#nxHXoXi6Pw%%Y($Rd{PiQZ>gDai6Gt1MR|Drx3SPpMGD)#<y!vn
z&mCr#5+?hf*6hv2o-V7n*1xCR1=hDeB`(=UE4TLk2FUAexIVPaeNgQfxsf>2qrc9R
z{dEhU&plp&=a!^UJ^K5I+FyBV=WT8|?w`u(&Eu>{RD4bwxbG#Ux#Yj{njs-C5Cc!F
z|6IkC`KY%4b;BH7TEe_E*n>q*?mBmCd!>Ae)57zMK3wqHg`}=vd4UUE2A=n<K8n5^
zS%zdD*LrixUtqoX^TQ<@yCT$mLSI{VH>^ct<OG;yVe*=Dw(^!=`)PsbfR4h4p$Xc`
z1FjXwJr+e-w`TT_j_wk%w-W;ougVBwu;Y!~b!Jlh-WNBq(W4W!zi!s4{dL=horF@M
zNQE&_-FfipS|<-I`Sh7k&ll|M+1{<o7u49AE?%tBDfk!lp((`F!kh7F-oCgsQ^dxd
zO;C9UwtDZSRSY^b-6T4gPWu~yM!1)Ly0<}9vX7pg#6?a^@%g@!6*!kD&M}(@wlkL$
z7(rY--DlhTuCtt^yA%Cp7J}0`goZ*#ViRC{nyO5ee;sgi8-aT%*EL7+_niiTGhB*f
z`6tOWc)n{!jx<>3T+o4b=1xn1T&oBX$PmIzLnTWkVqK4OGjsc0y_a4@3wiR2OyjnJ
z-$;>ojzn&Wn@Jyaa?&`Yy7NHLqk!~0f}dTd<7l+|Vk+hIeC1)7EBk4Nb5CBQ52Tp&
z-#^G7Ne#(+^=(`&(_BWLI<isiW<ggUb7LyahrXfw7tO`-TynIZ=fb!g-awvL;hoQd
z;EW(1qMI4-iGXB~ug|$o@aFA_V%&>a_y0EdQvWr4piU<EbzCK7X0LV>OVpelftS5e
z<(J>o|2>1$(L8SXMK7K#`??M-nuSB|XO<v+!<Qldzn*c7`CCQ67Mu3rT-Dc0+ykUg
z|Nk~M2jOYadolS_WWQz>mm|tl@8P#(MYoXV1OUt&YCy1&qAg#u5^^aPTJ+$?Q;nUT
zX#4G)%31Z=w@NxiwAbFN&ocxkvzuXGBF-l|ipTUR{Y@h9L=Id6z6X!)`~b$jp$N{q
z8F|I<7lAw}#MDf4*LY4LD<_!N%%b<Vn*QueHntm0+016XB?NKLTDM%hlF_ma!LB#C
z!lfLiX{|Ts_jc>xVfC8K&xi0nVTA@a+PMSgr_nR!A;Ep!+#tUJ_nEuf(>wOeQrn!y
zqinvOuQ>a@y`;~rhwF)=3l3PQ907KFRJ%6}5Z9Y#@wQ{0qqrW4>lJ(9X5;Lqi{Fo;
z)J)z}rp65i4Ve3>4m7LJ9PRctg#yo=jb}|5Olre+?<vge15zn>Z|sFsCu->8!Hasg
zw~wDxZfnZh5AL>L;ro$in=tN7kd^JmU&Mn*dtF-oa-{HYalkrBIelmZOOpq;IzAIT
z<TER@`)&Pr_0ldix9MJldhL-kGxQNOqB8+9mF}?)bXzR8R<Crh+ikTC$o(AVZK7Z8
z^kC>%Fniak-tFQr!B{;mwG_CS08W9JX^TByX2mLQOZGg&#A_IgKEC9DZRS5>HPT{P
zz*kE*xPfJRLqP2IAO!w&gQLc=JHGj#8<1lQFQDuR-v9Mjh*aGh*TveZ+LP6^3MPN<
z?D210_{n4(%)S3+=B^X%M$(sd;?6*=>$8Pc&VDOQ^ttT{&%JbHIlU}T%eSFa&L+-m
zm*ttb-i8-)xBd;spoL25PaipWc=4vpXFJ~@aIa#QIY}9<FYNZ*=Pj-s0u3*klDfk8
zZ`!awVqJ0wOXdW&8eIj1FL=6^wjA_0A6@IXGqYCWe=BCw?o+n5nzZFa&xlD1A6Plb
za`!hn0gAkPTN3`%bj;&!by5P!Kt0?L-W=oG$IT1=9sM|&tXz|Gmo6`Vl~nnTP`Gjg
zqax&^x$Gpd^GbKrz^923=)@;dE4)`cW%sjZ;MC~6O3GaXkT>btA0(q;fUg^Qr>&}B
zOu7am-a*n!0>Bq80gqR<AQn++_L0hf&4ft4B5PxH&I(kzzl-7;muR=_BkC-T86O1(
zTIf-F1J(5BV=f7Xv-Xe8cCpSf(mAp+h0;Mhv9=q(d&WMfvigEgt$5pnFiZK^)R}aY
zUm2E!KENUxS%00;h$+6f)$w4`a;Dz6A~ZsPusrfwYrE$UY;BT10_-EYRjceT`0Js&
zGg~jNUfMd!8!SEku2C3XkA#R;u>flYx;t^GFwdw`9#2MytWh-jWd|};Vo4?@^3@lt
zvl}aZ2f6gBy3@+*(X0^IrD~hd*}x||gpzx^GkJR6H)!=fev06$P|xbB#yLyi8*MUO
zxyl#0KqfQW%l0T&$L_$<>J_(v`*|}s!hr*?_K3!2{!zo;_lanc{7=Ez&#i-=B?n1P
zc6xa-f*0=snxHDgW5fA{MCdX#4_-5^gd=xs+B6#v){@C&4gLCZxtA+vYRA*bcQYIf
zkX9YU)uF|-;aT0)I46GLIaRy@88`4UoGwLj$wVmJ@0O0YM-GDrA}ROcb~aPxB*BMz
z?Rse{@A=)8zqQ+W(uv)Ge-9UVLFmH|;49Yc=YY{bmb?ggkI5>Dc#yB<bECDJndOgo
z@SBZ0<UYh=pQh&2@0f9->jo}x!}b(W+gLDj_WuHEx4+a&OZmrEJQ(-CH?jib^Ge%(
zQxC?O)y&Uz;vkj`t?!7X`)5X$X26>l!TewDTA9=^=Q_pZ^{`IZluwuNtp(ktW#tMR
zl}I)Fu*b81Q3F@T)0S`au=@AQOH=HaDTRJE6>2-MR2I?uO&T91VKkDy!NtPXio=Ve
z5y8dMo((OIgJ!;_V4GJmEKNrxAf<~oLgqb%ot)*R38o83q-HWA@HUQg+<sNmO@LSD
zatXwa^QZoOF_J^GP55wepHuHBdA@}7JwEe2RzoY5Lv6HN9*t{2dW*H9($+lY03)}A
za>K70>}_VU7l(WjjRcL#?L5b>Pd?eGI|cE}J@F0ITt{Vb`R43KrI7rwyA6zPt#_K(
zn6fS!74&+xEhD8Xb&@yXkjVduC*~)=I^VxHR*GmTPk{4jH^g^ib&YbDG9G?iJ4w~M
z{G>-F?S_LGF-o2%!S8>2B;7Hf6p61$nY*tWHD9$XRd0K;T0HT;hV>|A;9FU8^Ksh%
z`%QV1l_KaGA{l3y%tLr390B^6^Gbasl)4lIvtLiY)$|%#&S8s>XgO?&)5OjhZJ{cE
z<eP$M2)>;86vEv%=V`Z2E8W_(&y3-E@GAU}#vgf7Ax&__H>DGa@1>=ys9_PDvz_9A
zTf#pIG@=`z@uJ~GJhHm*19fA5JANCIm7(4bNk7!g#S7#siV}6<!&=@#Xf^cw63C(T
z&Rh}$V@$J&g0anx34FR#@)k&H;lO8g6RV&-nHY!}E{w350xF<#U61|rGOqpE6&WTy
z<*u|lGZ1~<fuD}qPg7FghAW6F#>YJIlfoXM=nVv(DZIGUB_eco%}0!&@L_dszHT|K
z`8;zP-(gb=q4{Xhlftw*Tj)EM?a?`SeiZqSw7bkh;3J*E#2>0dEBTu^Q>g7B=8X;(
z@-(0Vm50y7TK)|4#z-!<w4VTqE&fv3I$-1~P)l;xl}=dBQ$`J-sV7HH!?5#my0~py
zK{|SDEB<a+M?YCv4IahP1ntK28}3BfzD0W|7uJ#%9wL>T*eqgeh5E}ro~TNC_p4y<
zB%*!X9`u*Ex7?V+BP`L(lSJ@P<}J^Nb>p2%`gt0xo$rlJVchRX|KyqH-|$z_r)NDA
z=oN=q;E2G9jpQp?FogFwjPwZglIs}Fdnur|2sp^%@#T}C>zo3cG)6na8M0#@7yeY5
zp}dM~9S$An#lc(?y;1su?3>t+36Fw$C12AO6NFW?^o-KwIbM=J6g|~Q)iOra&mLl3
zH~OB5<JB^6&F6U_yVH*D#Jvw)T3O&2o~Afa=r2YV$W=nXGM_0`7N`Qs4q-r?mR$5_
z^n26*Mnr@(7x|jlb}C0?^mB-A*<;M8-UTQ<#$$6Gfu^e$?HP)9`R;I8BFv(dc`Kex
zOF&RZ9osfDCy5jNUyQ&WcA-zfs#3g`>tcm*jK-=pIY`UC_U`}n1C=4i#y#b{rpO^J
z_db&__G2MarC+gx*PFYkw`$l&%|>$37o~K(ub4#Zt#Rpg67PpwjgTQmOw2Gp0Z@2F
zU3N!5OEQ9i1D^u(juO04l#+5%!o(P9(JO|yMt2xDi-s%5-UX!@5$Yj6J8QTF-gwL1
zPGC=YVn7>yU6QkViYuqAd(=ybB^}%N{Glsx>$;Elj0$j8W`Up?Elv7H?z~z*dI{bo
zqIyM%271Vyi1;R*uxcM-LT$l7P@`Zgu6og}!n7q|wh?z~*~uQi#JjhvIcs-<!{mBJ
zkuR#Y8!OLE?w*@6pvVv|fvzW+M@M7+INX>QJ;u!R#8;f{2eB15hVn-Sj&JUd!e13t
za#S^7X6u#&d2df1ud8J_6MV3Y999?Ou7Z7oqmw+(&@Ed{8X!Z?TdSXrH_GG!<S>t6
z2qhuT4Wuo9WWPIl{@p7K#D)iSAXX*aHgkIXwYPD~)Ju3A-rbKu7rEn>b)p3%7gdY>
z===N5?AuZdy)r68FJqL+z1NfbF%1v&J6;mX9G_PY&;Y-rjxt(}S)|5%A#p!Q#b2M0
z`yZT?`1p)!1rkPaB%ax%SC;GFIwyXzcAx0~KB^S@d1w~C9xs`pC*N6*x=Y(!&ajwc
zg*R>i#9ux4(!L3&nP{ijSVI9^{9s}*;vzsya?HhzLj`#@ig%>6jFC&%8C|44<>r{|
z$rnlI4@7$L-TIWs;u&vQBJtn!&PB0JmzYs6Y32bdjAYz>4$=o>D(lRcS^nm@&j==4
zm*uc+GhYW7rAO))&0YnLnP|k6<kb$|`H5}PVBO(8?nW|JK=n#S@6sO8Wx{|h^bPOy
z(+kJxt9a8JRrHG@7LXetR5!2JG5w>7^f;S#MAa0i%~eC~KhCmN&QLu6U}uSB0fu~>
zqQNSlb3Tr}S8PTmb{`j(my`4w{`R+3HP8Sm|0oYtE^^?nxN3ab;}#wYx|gjfd3pzn
zX5QkgC+f}lFO~RGpZJAGU?4#)FqQB~-bWF;UdJqj{-q_qgm^-T0mX?iEs72qkV9Jm
zIOZY1e{zW?*qcC2XzP%J1k{rM`oC1=?VgqnPcg6jvU}SiEASv(38#_(;|%FPWThvr
zE;A~nXoeL%Zs*$4!Yqj5%lLpbpz)*n1`FB3-3whv9R`}{|FRzQ69O&z(mSUV{iloM
z5e0j^akLNIkvq7}iYsrH6Bh11)<uuME)jXfj;8>hLfdk`5$~=CIqGJqvl*09%eXJu
zyGylD{vI7oC*Z1aPaBl@iD`K73R~>`t@gW_5>w5<y{5I5r6$QZR4}EF!}BXs0$k^!
zYsj#{TSf(r&AO<8_b3mWF24B&!_hxtGl;mv0?HsUm5Ao}1|srEuY~4;ny0dAjkNn_
zARE;*Ex{u{tUvUE5C~C3j0oQ<+^jsfd3>{XewavrL{F5RA4pGp+kW)43a2(;ZeA83
zNt86vnm3dX#fz;K>h27#%c~+ldbOzD(bTVB0yC+q-Hy07Xcu8^&G;YyWydJ|j*qEw
z-dek{))`hs5I*&TU?Ts!z#Cf=q*sr0i?iq-wz8_S94Fd)ZroGNXVO6D%kWQw#vg!o
z26-Z)!C8ASB;kv>5RzrWR9SO^Y9ZC9N*#BHJn*XLKhE5xtj-}GWCW!jztYq5Ej=>}
zR6XjT!>w~$FBy$-j#vSnU3iQ8Ul4r&B0zPX(Wizz7&7G9#b-OIHKHnYl-ZP<uFANx
zl%5!;gW}oaz`0@ED7|cKJfBR|CN4Y)-*4|Hc*v$AQv7*na=-f9tvAlezP7u|yglDl
zse>{q$LG7we9^m?!YU8pDe}x|l(l3ubl1yawVz-3HKEzuq*O6~2*sU&pKebyA9o6Q
zuu4Po5|g<}KRp+pneANew!`=)DoqPndoiB(r%bT&n5vPEVc8E}U7Iagl)DI4xR_KN
zj-FrXAN}$PaUzdUFq%C)c<wRQlvb3-9}e7}1jZw@mdacd|7JA(X+Nv3{c{>naQESR
z_q5rOjLD(wqH;4Q5ek3sS$w~H9wcRW$ZOa(m7}535Vi5ki}1O9?58rmscKJcYtA;W
z8Jh++g>;ra!+sgLXg~U%U(tTLarN(;AoM|1ABpRij*fkLo+L|B5OAD?XdD3xibLw~
zqpyq08}ypqstOwEjfJv)<BR0&ncZotzj>*J%izvfDyMIKOXBFpBf}=M^u}l`)JQr;
zk2^N>EiQRL=^4-=vlqc$64}2KJ-o`+jF#sYW$X+kOr=#a#IL__IgUi|^pD~ghHZs6
zF{U0~ir92<FBn-WPZI8|$St4GlR&o9gsYzx=)VJ{PhS5OGr8qGgk8PbN028vmPr0a
z)S|)y$~a(;uI@6&cS@$t7+t(qw!Ivde^Mu|k2{3y#m&QOtGhu6;Xtd14#+_(E$?9F
z258s?n0<ItDdF$nQmuc2b@ROa8_b8lmap~c5;2>aEp?-NG@scF++6WEh2}m;m!>|{
zZR?=)K5iAk41(|^f_jhD&Ji@tV9rz(Xk8bDAYwtb8*^1XcOFkKXuN9>ERCyN!tvb(
zVZ&Zy4OUn0V>svt@tr6yoRBXKQmiqAzsYv9NG~>JUuZw}4SUcwnQl&f!{FEv7Kj%5
za8;?EZ@{g>eiMQAgitIp_XTungda+W4Uz?riLp>`%hEVS8!ri~S*k8yUDvw5xFw!;
z4?HEZzVDmQbwt$1zDz6@du}fEM)X{}V5;lFHSa(!K91;_ti5T!_I#s{V$F>E3}oax
zJCwy4C|dseDXqZ<L9&z=x@PW($<`7lD~rUyy|ZH!Yx(*;0rIeDYqiGKYuNpBl8z`b
z(Rgv(Gk76!=yy-QvVV`zkr3`$zL_UvEi}`3ngH5k_)Jc=rZJkW$_nf9W+yYV&CW^N
z7gbYdYXcYDgO*{l%|+}dPy4+Y#Vis%9HJqA1Hz}OA~%@A9-!(gcky||ylt&fwj)<U
zf1L_L9~!IF#j68^jXZ`{-Tyowd`KaUp8LIFgH(a@<{(wHTf_uBb_6R6-mPwwA*Ly>
z(bbB*#-ernVhm!cv9+0f=(wx&`Gx&eoEhwa2SdMItDFrM-Tu%pUb^87)zDvVRc&W-
zSu6FX-gw|Qx;kih$ROmJim9o4Ks>Ex?;{xzb1v064AGbeX6F+0C#OsuPO$tNv9i2A
z19EKe!;~*af34I^x|%%%UMA(!+^)wC=Bg|--L3q)8JJA4#h*1trh)gnD*Ef6r`F4f
zswj6|bD?6(w6y5kq5g3-mF;bDZKreX6mQ;p@~Ms@^>k@YH%fZ2;)Ow#yR;<vDtK5c
zg+2sxJ20lxb=pUTlu-#jFHTiF;`g1cbF!}uqc5SC6wXpH>GuVE609pGu)GnwykfRC
zuZ;*%C5ak-VL?k)9;!Q%VqvSHAdZ^errw1o8N7luPm(V&`F&r<U%MgO<tU`RpHhRB
z{6s(?2@tM!+q;0e9h}}%o-bnKRT_dcX%`#@GGf`TQv6|>+YIRRC`01uVL5eGil6k8
z$es*;9PPX3--RL0&l*S`y8E=En+^?t%z;{xD2rOiN;wLOxIWZ49(<A<VG6NE_)UZe
zs3b<|bt9SX_D)OhD9(ECo8sf23+8*ogcr+SS^L?4qBG$q;kg=D4%(kuF`O)0Gn8j*
zo{yGq(j<vmp*GY@7L{<cbJ{ff|AE`^Yqt*}gX-D3Eon5Ez>CaPS$~(@kcNZ%PgA`-
zguX0@r~;GuR@MzCz_%9)rq7AV4&^C-z&oE5{iB5(jEzccC8T`Af`Uo5^csS8Zys+h
zh3TIt=q?gR%0R+Gv`ENvzbvWZr#MWb<?zueZxWsqZy4P%!U_$r%B{PP4<}b;29ZMO
zQWcoLrqy|eF``(6voe(QGo5JNBR4R9vu?)xd&ua90=YVD6YOPWZY%wy02HC>fG~b9
zS9YMV7bnRzc8%dF6{J)D9Bt1Lni;dV-Fl)X#_u_DGGcHv?k%&e^Q{TP_DC;~9>|~8
z%o&I8V9%j^cN+x_P>xngO6lm3dNxE2#~o`&@9C0DM{v-3S1(d4D?UnXnQ+a}*J_qp
z$>b@&Rx(WE>gyRh8`x5nt@Q-!M3oE^M5*FFr3Jr>FJiN19@4xFiNd!@bIXp<4&@PS
z;SM7V%dEEkTTuD3VzVxVr8<1`N>6|zvY8gm%E|l)!&2M~lS0XhPGL)YGYTJa6~EIF
zRkHPszVQhnDIIkkps&i`gXO=fR1p5mra%BkBTx;bTP+`Z%`dN~vjs~tT51<RNzBcf
zE9A|ayr&RQW}J>|E?1_=@0exc4O(MuyoF=%g(Q&!y;gfkQ)RWBb(v;=#H3J2R_yC!
zkOEh>qaDI{O825G6tUPXI8)SoRtul*>l$rvw^J>EGLH*Ha_koSOX2BltLmYf2K3uF
zfg@2czA}7*CTl%u#UF4~21HPh7G^Y;mNL{qUUvV&#YJ?(+i5+kUlEzE7~487#UUD?
z>^xw^RECIgySA<r22G6Sg)3TgnA)n~FR0%AvNejcN+Ce5&6F}$t>l$0=k2VG7(4`=
z%a(7nRYJl<u^?%7_R&UIO9Kn^oS<HeR+xxSD>p}L1|)_0qp}ztSG&F{4)*W|7cQXa
zA;#y!WsAI`5iJ*@>iQs5#=Byqjq6_hY3)BOvoXl{excn;Ld<rojTvu&gKlD*jEZ^*
zFOgnlfyvtXF$(D&Eoy|b|H7GE*$vhpemx;7akwL`J47XOS1%Y*cciKk&k-h9gPIYr
z<?ZD8g*UV&)?9p(;@b1Bb4YNYrH^tJZ=1bx=ERZV*V~1wPGs?&7!&cdr5HpDYi4O-
z1Tvs~<lIa#F&}2mw=fQ*+BtEE{a6uq3-6hdlALtkCr#T|NK=fh&HdZ@Pd}{?*|>Ud
z;jK}ZK^ejSG#zC2OGpCY$pLNSC+|zBw+)0xh986-1CI8H)517=yc(nn1tcePRLBK^
z5WD9wV0S-eJi@Muy&$DwFg*ovV=}2la~-+fdZ!c<8ofgBhn>UlUAKQ%3pe#pPj03?
zo6G@+nNlNYQ+mSXQg95L7Ewi6dj4kzSaiJtXbC+ZeB#?RzxoCfA7a?qkBeYa|0zE|
z?n74C&oX`4jXV(HrGB}|d_w%cRRBsWN@qW2RD}BSpW+r5l9(a`_+MiK@D`GU%KC>M
z_#fkin}bn0>zj@WQ`j*M)`bge7Cv|1th?hdp;KN|>pyEvqp-PPMN4`Ck?t|nS=uPr
z`E{)qk8bBBPRfJY5#3^r+F3v}uEPa?dtaDoZk)INuF2&Px!Ih;DUYcw7i(ksM|q+O
ze^c}!n+WV-37{RmuVNLrTNJl7MH?rzf!R8{p~+Ga^W2k)_F1eEB6;A#NOEN)H`<h=
zWUc;l!`!T~Hr_y~xv^m?rIyG>Z{t`*s)o)sesjl}&ij<8{;jw-0#*HcIp-ND5AV^3
zZ6ZL>TO4XeZ@5MLCf)%(Nup(V*`9hsw1S}grTpUqI*xXkDw!lG{I=t0XzoSC0^C6X
z=&RUWmb~_Mfj+BjcMjVbp%BR``_wv0roXVsX>6d~xO+f59txL7B*;V?5e&&{+rR^B
zL>eGTP*G91!UE`+Cn%yjZly&m9wI3f0S4{sKqh&G9UC2oWU~URt@{8-+lTEsLvfjq
zI5SK3$~qb&)*AZjpXTDeWzEqG746OS)+ky6Y?jlES*?EuPL)5T3aFb1Qkkr*{<aVO
zNB_(Xtuu2HIXV;Jv6n%sN9QhZ-~05aP@m1Bd_Ccj<}ByO&RVlatc@Uq`E(fBcuw!=
z^1)-WbmP=C7jC`Ly1zF`>nL$(>b=<EpSU1F_v+>T6ZFn3Nk9?~UqpDfTSq$-v#uiD
zTh<M>w?Ch%BzodO?E!reLTWuJp!U14V+yfx<9fley~EvLCJMOyqLs#CcmEHB=3gxA
z&B>BeM)V+qvR~Wv748w_2fIX&eo^)34w~vi(^?`GCwUF7;3!p>N8{O5$<0gj55QKn
z?whqrz9vh#=)C7A0qcG-u-h356!N^gAo+w~8pb@MJ9n!Mo2h>;S8C#0Yafw(hjM3K
z#frBG8%ld;KMz-C5B&|!(0KcdK$fY_HTQQn>nIORTO}u$X;7Ng+ez?gpfP(4VtD$V
z4Nk@I$*D;};FDh_<vLH(Ih`bg6Z0_$Y6m+vleO&;X@>Xv@2|;HyCcR%^3b%5D7HEx
z4Ql4<cWY;I#(>lAeI|q;0M$hPVS)RguB;W~>xGKNd=t+s{W!MiR~z62)qDZ4`At}C
zup0GcRdsMc1a}W#2viarczQc5d-mOHJ2M>wb=BR93+`1*t)*WzeT1HNVr(OT9s-Qs
z20jOT=aztc=Lz~{L$jeu?Y`TOSQ<W)85IxSdDnJ&3s}HqRG#<{2IOAgq80o~|AXug
zqfXC}=6yXHXu!f9g6T<goCIAaAr$-H=@6mjqVOM)-{58lIj3sc3jR*x%0Pcziu}3n
zsPQZ(h+ugyEAf0uxXyrm!8+037G^etmU#9s7@r@I3WD9n3=Wsoir1hR1bt>l06GAG
zl(@1|TbQ6&wePS=`iF_FN6c}Enw<;nv8ZTM$lTKji5&{&^>W;b(>u4!<%7JD_d_n0
zlU`NmBN)-Vp|fSG6w-PXbB7S^2ZgP~m+TgV!6P7wA=S$3I?A$q0S^CZ0vpsabnQd2
z+a@)9(^>1U^Rr*C-!RRK<hJImi-eH@LsoTKqw4T2uGaWgw$jT%P=XR;8e<COj{zfC
z-<^qHlS)q0iHPOjW6{gyHedrW<28IGoC5^8-1_F8J`JEkG>SMaD1ez1bwc!B>}aSS
z|J0JNIR3w0Bz&6rEFCXA@$pj7g;Ob*10qPl<CZoZqAeLS{iyevG97ul(Z7^eA^w{V
zweU8xcuXL*q94X8?YC8lWi3oL+BWq6uB@MXoz6-dxW4nrqj_hQVXzkN#DB$lXZXcQ
z7*WrPZsnBWWF0TxWUU+*Z>ScF+W;Z)l&P7Cr87U1BtDrUp3bS;#f=J8od1q`_QUd|
zP4FE>yC60lqdC&xbD%ZnPh%yV1)t426+yOCs@3YK?YJ*Ir6N4B@6t4F5eY3vX%(OF
zWVE}WJbf)bldT9OvY;7B8$Jdti^D4gjkEFa={G1X(8XX5ECDI5@kJ`2FZ#*zZ{Bzj
z>PG`NHYrnbUrr++YJ8&6b|d&L<PK9TpC^b{s6bOU{qjdi2I(PRj~p3|)lpo(HCXxP
zHsU+NJJ@c_o1D|km=8CC{>_cKRwB3xdpY_kwMWK1ssaDnYLHY|?dA^67IpcbL;p2e
zlH3Pj9C{6xI?I2U%p_paW2uB6^w=SyAP<oAPlA;9OtGQF`SMNK`^4nzqSgy$E7*Q-
zaK>`X@cUydYuuG{k-LAUp1K!8**M*qmpwl@Se4CF_fDE{ztS2kLqWK;@kNz^g+UF{
z2w^AWed0%XBuonb)=PwPE^hXmKTmaRi9od7cxEh5ld#ecD|gpt?;50ohddE(v2tXX
zBogKW+P1da!Or;J?M)}P14=|XMrI}|-DmT<Jl?04o?Pp&FO&gpi&ofuSJ?s8b1VpB
zv9U3j%U7hk5Xr%IVvx%5JzeX<JNYQn#aLX2>sd${{#TaD%cYIrJ);DlAPw%b%YlEw
zM3v|QHBZo-MzzQKOlKJHlk_be;y&KCLlJCiMBzrGSqlNFM7f^h5%<x4)D%LmJV)e}
zigkoWLArfTPl4)5`g~pL?KMCF=HizckGXHNs%GaWwS!CL{L7-iIS(|}OTYLtfF?NY
zHP}Saj7GY>h~0gfh{joD^z&^Y)S$Wc5c6+}GCo<bs7(Od?4s1ii^<OCHx^3%tS)$C
z-s+uNqI7Xn_h)J}O@WqpYRJTv5W60}0wI$PQEneMjBO#GES7E8c%dNO^yik_Os7;n
zAD@aECGG*%UPM-qk_hL!Hp!i$IB<=B>X(Ql%9u)bj&R9pOV}Y1vptq>$y3mvYy;b1
z9_b54r}$?qw#xgvo_$1YKoTxsZMPYj_qoY|A$A`9r=)xuO{+T3qRxmuSW7o(z86VY
z2-<nudh~bmO_a({&u!+-5^DI&uh2eWjl4VN28h%LuJEZ>%#tDut}*&f7yR$xy;!E=
zbJp?xhiTwnO_cxbRf=Rzdpe0yS;W&WT#<iOj8Adwv$WOm=Zehxov$b&h-5~yIh@}A
zK~QdEzxG_m30aL+9NYd+WCb8{-TIjZRdJm3^}OiZ{mcov$cJdYeCIDdK|a_~#>MAu
z{7ypZjA2;t&0gX2jyTn7onUk&Z?=vgmU(!^{27@pJtn@dL6Y9UPcKQ<UIc>@4J_?f
z3}x)!WXEDrN(XD%Y9)=lX{5-~g;CfLr$0YxR>Ga{lr`C2$KvAGE81>oUfX;xEl?l)
zo|3k9Wi%;7%LL5RAQKEz){ObL3O3}`+NJ$@$j;j=pcb0ic10%EwKNe@O0w2V_yO+6
zV6QCNEsuUAUDh%bG9NG6XVXzu4J~Jt#=yjIRJPpDn_5mGH%r8i<AxYk5pJg|8WKiP
zTQV>aGMGyrqcVW#1uEszxrmjljPxwivr2Z9>u|M->I%G?JeI>>)zo%}f?&P-VD2O?
zOAa39V2CR*{5!}uV6*YrIY{VHxiU8$hYLo<<U&wO?e|cDGFfJ()WUk~I(jxLu>Vnj
z#yj99G8d=JEIMi+GUKUcMoU`1XBiG2ym{n%v<zy!C__ZLWC6!cLAcjL{yz|-5<~Lj
zbJjYPwRwIwnl*84nu}q0H@dZ%Fj=|aaMO+*fG||rMKZsM!k*+mMT*rww=ZUI{5e8^
zmQk1_qxVMyk=W?Dc`$|Qw|D<71U@U2{_yWU%w@ij9IV>O%WTcl4`LJuXWr^QZ9LZ$
zHu=glx)b1Ycz(s{YdoGc;R)V^;?|}(GQWSC&x&m-DjM+yJxVN+OXI}`8(pq`nqaFg
zomju9zLxx>hfrh>TL~%@ab+Y|FCWIcSKCEkr=c{H6Zz5$PG{>+jhx{9BkNDl(EPDS
zL8Ghv^~7$3!djJzNE_PTX&@NNLYpk~Uw95@=g&{kc^KRdmR=C^zSzwm|FEqcN;-Lt
zb+g`ngWgka7L0??l)!IbREMzhmY|D^ys{xdaAxp%4np6mXP@#ITshYgPG*_Jkwe)u
zy!}-pl^6t6Pu+G^IcE?LM&xFjIX^Nize|K70LU`JpIV4v(*}1xm04$HDJ>H`)g6#v
zP+?X)FW&!oHkM?RojD)xVep#FKqYwB=2G`$LJ_2#;BR%Bo}v0SA7l|9?6q6rtq#s~
zx{9s74c_ozWY(*%zNl3RawS$>Y3W4>&fvL=6+9s6rpRu`p|1|E4E{H6;tpi-e*>BR
zZ6A@agvenUHs-;_T5CT;Uk_m*YuY0ogI~kjJUfDyAMZw55}S&YlBnO`L?Wy7lv+>z
zd>XuwtU3j8nE$B~AbG?3fs|d@u;0+>FMpuNW1`Zw8Shiqu>%*gBlXht$JACmarkfD
zGnU8RlTJ&j7(<zV0b?Zgx;ABn`t4JOfYG)9(77jJ^V|nxV=d9^a!gn+fwuwj(=LnW
zt6GD$;BdXQja;-5x1Q*B(Gs$X%eyoTL(+557_V@17QTtayEOAScB<XE7i>*?c5<ri
z-Qn8W4qSVu{dCLa>NzRDzI=bFz`C5syhUB~Nd{CDaTCypH_6pVl=`S>xbs-*f?tva
za^NNNMZ&W_C|fdCWWyYi-bnYQCms~7QWQn7+t)0^tvlK+Hhdm9SdcchjVly*>>pg2
zWhUkyj21<I3oXRK>yx=-{S!VxEzzr+%1#lw%zy3_RdDpDRXtN&57bSl&tVC2N>h>V
z`sjCI1N!&sCTCH6J!<?6whJ$JVR*oiQh6G3B+RsZA^*c{3W1k0EJfiJoN7jsWvL6X
z3z$ZFEO|_>rYqyxCQ51xZ>taN@-kk6eCJp|(8lq&{Xqp$CJwcUOeuBK<%QN*?G)Ex
zVEU3=W75yN7irK6j%&f>1fGU*^@b?CnqhJU5sU2FM&S?9YE3E1n)KTwhL;f0ZKqYL
z1K<N*os?&v-;<9WkuM@FmJBRndz>kVYVE1CUjEoT$P3&}P0r-Tpd+f7+Z~!yB@NeQ
z%XZZrUh1H~p=ipX<H6f=ZVIu-Hx{wRvNFiT|K*?(lSMyS7Kf|VZr4{n_9h+Tgs-=q
z7QTz|oFgkx)Za}Y;1-QnY^Fto(n!NPDbzxmuzoW8Q%^m5zwyb|oIzVZ8mY04*!-FI
zC`5#f@?6-@TpWRBJx84KJp286@CA2Vp?S5uB)Jt9@fyo=z>TRvbJs5%b5hgR#RYN@
zjo&b+vTk^}c%I>4(xFPu)Lj!r`CqBO&F1Jue;b9QZjw;J%8)zV1uCT^7M>HD*>G&k
z{|!q8uN<DukzV09N;)E<kEZh1n|Nx8lSl~^W$r#ETb&OZ>Z+ke{q(4}#Z(L4SSKiw
z5XB~e&$dk8F%@xBoT>8PXg4whDw_-C2=Tb&P%j0%=<?vylnLfbOA6tQ9r#(D4?Atl
zE;{a|bS18mGOI1Yhy&Mqv%Oc|iZ>_Xgxd?%rQdtG4qa84)qHs|_Ix>t?@DkJSrCZ`
zMu-<qF|<y{*f#5qNMnv|yvUAd{xUozzRA(=-}7<zT1Y(4HJS$a2c~UX4`uKDeiLwX
zqFDr10FhQ=z5A|B&n<}>X<dfc$Cs0WTFku|D<E<FevaI9?C*)WEogbm5ubcBZR`#N
zj#kC82^c|UNlss)keP`jXf!Xa?uTC&2Ce81htio$9F)y3w)}8aa5_^sA@78h9VPIX
z{^=d>7EN%%imwkjEMe^>xpqBT|C)R;fcBeI$S;exh_Ogc@UPP_kBy`94GuM8hl8G;
z(Cyhlop&lpxrD6k@-#Ry=aA04D`S%*us3LCGohvNajLws192JGI>`l`cX#ISi6g%Y
zxvp$~?}A@u@h{?5;kjM8wBcS@Cq&!}XKe37s5dZ?kc8V1=*Wm0XZ8x`^+Lu{3_lQ&
zm*Cx^Ef?){vYcWyF`aheF;AxHJ~XSkVNayD(BiSEbb{}V?$@lccHk^nQ1WZDf;IYj
z`z6+;S3^~BEoi7@_6%XmtSXt6Ba}z47oEPMh`enx^KoX4vf<Uxw`B!B^c!m3t5){1
zmdeHf&Rxp5GKkb*i@2t$HIk$K-0Gc-Fvm`b)+k~%rS5&)dE5P;A7B?vZ{pls>k@N+
zBS3J-UqoVLi5Hi$@=0F4|I!stpZ|OG?^;K%w&OQX9Dl6v`x+}w8YCaZ-wmN{lqYta
z@=r<L?Bs18IG1*HNb*aOf%&G?n#nNQhtTMNs_R}iJhxZ5kN$*u3+iP;OJ&>>`a*`_
zfe&Kg(D!sAkOTT}tMuW7B`zn++K6pP>b{Aw>K+Y?dIsj>3>uN1#=Jjco1t=BGnj3^
zs8_DKPj#6QS<+bHXaYda9zi`lIuq>wfsk={JtqYJwyOOr=3{{Woj`y%y#M2FUwDxJ
zPa)%e_g~8Plf}k;qC^FfUuDzz6Qg_M@0)BQMy#~e(VD7mQ+CU6{pQ-`rN)TXe1tn?
zm@4o=ltE+Zsy}33RxG<^FU!Lv)4ll{FAhUfv+F)0M(*gjtIt<>T-rG()4ShAqfFv_
z6>g|El0Qalz!~Nhp8KVIw1!p7-=oyhj_{Yre07G{mxvA!J~7ZeHlIL+Bwy2AEOT~;
z#*+&nbvDsE!Zkz|0~eaLs_^REtWNa?T9DP0BEiR*9T_bDkF&Q9i)#J)#+4F8T1rrI
zXeA^h1VI{UhE}>uLAnto1f``BM7l#jkWd5$36X9kr6mQaca5HNzUO&<*Yn12{_^4)
zXZGH+_kFMRsnr66o*0nDcC*hsGDc2mZI0@&ulJUS#cLgIv<WRwM(RH@bXkY*9pa;6
z;XjENFrv;tzK-Ohas#2P9tXid9WoaR67k?oRtwcy`}f${F(9*bSebq;P!>K^s$4f@
zQej7+`&+<T)Q}&ynIZmzv5x!8))&MlMGBDC@_BFWR_ick#eza!Vr}f@An>A~ACwu&
zjPQ3J#ZwAjjD6*?ADLm+^J^?_MSj+4Wqj9hg~R!!5^Jha%H8W#o4xrW4k{-XzU-@B
z@tBgK@^7eI4i7V8P)*`%4E;EsGYR4y()8(l#aWs;HY;RFq7DzZYq;6(-FF_XV2CiX
z<!m(BQfq6+o#sC%Fa<rQ&u@+;K)ut$>LW-6q6I{Mxmz*Ua+j0eqb|)B{cJ~HE0Mc3
zP={Svl_ffJ(B9(z0Q)CEd{EQL4vioR1HYbRe?j~q7e{_vvbyioX!!*p$oTE&lk{#a
zA5X>6FXZ#AF#_FF+8kR3x;H}Jb~*_($vwI8amc50KRxut`E~BJ`;MUX2c;^l>7&C+
zPMxl+i3)C8y>D;Ks(vbd9apq+k{ZEXsr(GSQ&I4~yj$l!NVh>(@K*cb<4L#<XEST}
zx6ntSoh~(WRJiH-Wq&p`J}&0B1hgtNr;ybbF|}{NHe1SO;KpI$V>Eu<l{@CJfZI6Y
z)NNbw%f5^@JSQY{)JBZK*Qiygo5J``Hf3B&jZ5gwj!;@DyOSyMvsOu|ahqv?2CTyk
zV<GuXtoZx+`iy*__19m#xF#+-wS79cFG4+`bE7j))A0vwIMMoJPP=QJ=t_s+rU8(!
ztueEpEqzpEvsta#mJuuQNMzn!e~LBI2&8b_m#lmu`ao83wdMthMoN0VH(t&>`muZ!
z$5uHk;>38Q75(tkGYxBwUT;SRgX3WM-noJToLM>?sR|NA%l<2H?}dMNxs!#J-?*Rp
zU2=i_v4~M{l!T%aJ#lzVcDPpOm@~$#+>>=d;@9mKANRBT1jO;Yf|s<lXT{Vc!8Maw
zA+c-~k2OnHc$npfm?9X#I*JoS%0z4~X<FK0ctt#Co9%Cs9NMM^tJdcygJwr;7Cy+=
zMVHOv)P^VNb}O4oiDwVMu%&6~B-#kAM)Q7G8#Z9Pjzx^|&bwGOmxc2e&!PD%^htqh
zwh!k}w{V;I&)wH|zU>b7-B=a|`$z`FfaTWen>{b$ndf{t(xDQHJbBU)oP2Jk^{)w`
z3ERxXl}!|3+QY(T@yf(e^bm>Iv_ahHbG_pAQhF?gCgDrQtuVq~u(A;a$LfXM46i<8
z5c@q@qs@w&cQOndM3+RunoMpw2GmUkxZ?9BZIY$&c?a?!vjwkPHd*50P0*K&k64{c
zbRmL+jL^7<%xN^NoX+ph#>$T)O-ka+4hbb?I5cTmV3m>KaMcPv&?r?^;8#)L?+}*2
zWe5g<XEiwODw+0sEsM~k5@M*B@;Gh^OKOuBkO_XrLp{Jm7`8Q2WjHdiZVMqTB6{zP
z;I==Hx&P&&MFQ*~3wdR^cMc4?2%ZS~Nk@KevuafnR7b`qw`cLCJ2mgeRWbx)IICH(
zeBfzQz2C`EVJ)C=d^K~^rdQS2M;}jAoi(v*8-4*0Z&eg^h8MJ9<rQ$4M*G<FJY9H6
zs}Ws*WceW^%vI>T%KECnwum?Vrj@w&0{Z8OdO#cV?z8?&a$c#ME#gL53SCS9$i<C?
zD}ZS9h3L$;wcJ*1a|DH?Y`nGHOU-Y1g~~x%mfV9=2PVN2B&z-$9}BZTCvQa2>Z_~I
zyZKYnv|b1dc<k&Q7W&+r8}wf{TN)W;C2=3etK~L@T*w7vt8T%*xQMa3e_94dmZHzl
zma{LMDl@Rmj%Ss@_I}d4)`vG95lgW#hlpTK#(gz4$W*Sfkr~?8W3dWEJa3@78|b)2
zeTy{P*&uAs3xJzZrHS>8?Dy>$O817o8FJz>AdzF3cjv^s>&-bUC}Ki(+PoVB9-s|H
z;!+(MP+JqCREC1%)j}kCxat;G4P6Lrj!JF`QIi31cd2RMo;^j^?T8pFR5!0hG>dWM
z2EXw6s|V&O>$iyN0whVZx6IQs(3Z0E#Rn>=Ok{bw6In4x`M07P)tX-DehVPER`bHv
z(;F&u;4v94YQLW|)eBa8CS2I6eNjED{4*_+&(8>hHepUPFJ9TTlb&g()54-o%f1Mb
zHe4WxO7@W($Y;(e<^-td#OIMN+GriZ-(2_^`VV5>Up|-@ycTi)@Vd}(VL4N<eu0kl
z<{#h|{cF;HkRGhn6I$&m&z29Oiuv##Htc)Q-Km%VfohB&nvigzXb>3xkX{`;a~k%+
zQOXrpis$=qQ6?egA=uSt&d{2GwhWX`RlaAD*$sVFUv4QzeY=jZ`Vup9pf4*Hu?hS5
zD&bC!kwW#WnYb+r{YGpOd^%U3p*e^7Wh^Ei$6Xujga%y+Ms(}C(YB$V5yxoPq8HCu
zl@<JP_ht&vOtm7CxM|vr4PVsvKHg)cB6@PuiNC2m-jwgtoLK3vhq1=th|1WqS{LID
zU~C!`6XLlFy3>Ei<lsi!cK+U^d^($KX-jf-Q6~djhs!1(hP;!99+oU3p(RS`=0wHO
zE0FMr13KoTRN@xq9pvj&<I`LiyyXL`<#BPFpYG1C&R!oC$oDjg$w=_8Htr$U>}o~w
z-L#6>Bm!5>m4~0eW>TV}!luW+^aCM_i%0bn=iHRdK|tq~>->+0f?Ntz2KiVObteYu
zeW5(Oh5+W?sTJ+56Ab%C47?N^7z19+!U1r6P)2`4R#cgPi(3uj_5VO6H}`|4o3rlA
zEj{V&gF&m9bfE2y^JcGu-fi2ei!)JX6}zypzoLMf|D^z1)k21*>m{3`ZeLNiosGUr
zxVkq=mv_XJo-G`J<Ir7Sdy^w6RkO0lBRWUA*#mi)tZfuB)NJDnf<qRYqj!&70aA!f
zgR=sfJM*ro`^X{KA+!kdKoFKQcW1y+ltlQ*^3$O?Un<lpppJ?C362l(QWv49T%XO_
z$~2Y`=Z8>Fq)Q0oCWu`g+RmL<5pT4<r$%Tq>fE{dnvudZe}x<wjjV$zoRQf?lJpKE
z#hbmg2^A_jhKFwR;fw|*_ICHqnmx5f30mAv2kGat`}zl45JR9iRJ1l07yZ>wy|2Nk
zyCJe@bfw^v{Cx?5n!WMsPONrbLB10$H`{<0%j{GKZ^dtA6^Gn`yVa!R(2?iQSr9<M
z$B2{~CupzY6EsY2iR;`qGDaPKTdhYW`wJWm-@5N_va1JGLKbkOeoYPnAOIsPo=$TO
ziS(GPe(O>k_|;El6mNL&o(lR{TB#?Vy5FfUpSV{r$nTX5$}6A*!Dac~<{QC!Y3cED
zQG<<ncS7T3(0|2ED8!K(@i&9=3h<M^DxM*C1D$-aQ3=j9i|Mda0`bOEVbGX?5-i1l
zN0So_r11`gbwP(>E<Hq+(=tO1qYYo+5Y=}_vlp3yhaNh7J-=QYvFP-D)Rex~NZoH{
zx7r9{_hxquq*Tt{>=s9W!Zk68gJpCq(qfOPP7(ZZa19O~yKJEO?*3H=rbmZ{E`k<E
zHOV>}EysgoO%*Tir=yFejcQ*|<aY>CJ`-J8?bJji3*4mvy%&p}m}@Ulha_L^i?aRV
zq#BE)RDCeoZx{63DE)PzBIo1qiQ~$->{)K^yFP%QqXb`+yiKCb>r_7(qVA1FrwoXZ
zPfUxiwLR!jET&Q_!$eyUZ%FBejc?u7p1-q3ebM4%=F<3eHf%*LuYO`T8j_o8{>De@
z>yuAM>`d(Iko11mm^QQI*%}Nt=7mM@+BU4_BKPa=eP;|N*6?jLvIth==}a@iV7M4Q
zT$&diUVAg6t~KygH7&+ovh#fUa}wi*r^O12ahoof>2$_!OMJ!@Ll}l62Ys#kSraF1
zUViT<D`KQP8@ZPk$5zfTWEVs%ZaalOp@QD5fZp~T@6i6v^R%}iSQ>K&efyc@f7LgB
z>(76Uw#(aEaSrXTvR9_7rt#Sw(O2rxtQ=_7aA<UAg%y>DQgq6E=z8X=RbwI?@gIqS
zIjzZvNnL=9<hTU^6g@KI_&j80R*v7J1Nkg*REf+K!$_{O_o<Gz8s}=UwyB)!C;zbC
z`Z7k#LwsCD(eD$EhzXHGAD(3q*`Ci6iK@PS1r$+IeJs}SLo7dWIfr=j#EYpaF)C!2
zUw>dh*@2BE#T&#zQ_T72D~(CZaMAso+{=^o^SbgVBU2_tjcp-*?6Oh~tlOnBt^2Q}
zxt!fw66q0vMIHVkiG5C8EEpgFVu|p3#6Y-qFmg)*!#6B)B>3`hfCF}042~fJ(Igot
z+}6BQHZ$tD8>Y~Lon_BSwI$THjg5ICyCk$nb4R2ky}goT%jb<OY0QKh)`BXPsG3H#
zR~%1G8nYrPQQT^B<y8Fl6Jo2_k-<PT{YMMW^1W|tnuMhjI#F*c{Y%U9Q$J+4YV$*v
zmSXXYWNKFAYnVrWDRXa(D8eesnRzlqO=#rSwHy7Yh=zPUmXIx(OXpfH@2x(#{B^m-
z#`#WfS`oPn*Ojd|AnWyrzk^DOvqJTiII9t^eV_gya4^E5Z@HjMUQQ*d*eq4wRG8!v
z%`271VrN)htfon-o+XO2SEl(c1WF4~Pj&?<Xnvtt1+~Q-Qe%m&6ja;`V^{W$ZW=0i
z^S%eDeGHL;Hq5MD8EG%f?$E!%>rK0K0OE<a?;T52au$Xl<Ut|#GH%@-(U6O4j9pJs
zvS`?9_SED6*_^?EIIp))balWg`U9v(dgq-8QM^nWp^Nys)|+p@GWp~NGeg{B$lT|i
zKwm?pOI%r=PzQWLD|aH(E$<=X7C#j<xEON_Q2JO)bM<s)Sdw%llcMt;w3gTkowcH5
zM{bs7q^hk)t)hj_Xs}4uLv~6l7gaJj5#i}qUVPtl$U_-?5)^%6oK9~;A2UQq2<Ng)
z$H?8Axs2(ZKd7jHZbXw4M1`leiFUzogM-mlxt(K2HiONz6M{o{K``nSC|Tl1l{)&N
z#;c#b+0=DUtVd6vHAA@GJOw<AR6>D^vHp5h>i>oleskvNGUdNP3x6y4&$Qu|-3I&c
znJ6#NW>NIr83LV@v%3BmTNT9(W*R-Rm=6%_vBN2e8$S|WlqCZeODO*4#+v1!9`t5U
z;`>0eNv-?su64J&yjyWzfo)1ttetB<x*Wwzngt&+fjv{2T@Q-aDq0{d(9t>Yl??xj
zv2Ya5BNL&z0a7MITW&#oxi7d+;_ruK9FmGEKf_SEqSp@?Yfa-9GoNKrIr6&6X;i&I
zf^rqb_<2-v<L5JVPYbU6RqHVhkRE-bp<{sZn0jn~m91zow{`#H8!6}EsXRt^thagC
z)z}GQxhPm(kPbu-qgVEevtEO_@ro2!Ne#cTT^`#XU}KBk1TRtD0&T?;zD7NsXoFM6
zyKT?G%+BzeQ`hJ%T|B)n*=JZ`2|N6T{l4C>c(5ruSm}IR6Ks0t^m8|3!nJCTsk3*{
z*IfZ6RXnn^(P%!XY?y-eVqEd$-OK|%AD_C-$Z7jSveKCPoN1qLwUyOb+%ru(A5v;D
zX1HQ!lje!Y^|z~&2QS+-)t#_5D3+vqY!2t#%OyvW-#y-RFu#_M8YRoPd0?^?)wJgM
zYvV9uFg%N1ylSon^h(wO0HDF!E;lIl6x^6+-ELGKny6lvvl9`r{-|NVYjLD=Y5HjQ
z%{kO<KhFuGXWZf{oNo?Axlg{zPDR>-GW~EnW*U??)6S=$#I}{mZN20_DKvbVC^lzs
z-SKA4uZI<uO)FpH>82H*4CtsHb;6MqqK~Zd7h2^~jizGKB@Rd`VnOAyuyJ^jPmayS
z(>CqD+g=kJVrX<YNCQsmp@+Y`uO0tj;WJe+Kk^=aSTY>`ap?UE9Wlv9zJ1kMgQl^)
zGoBr)i+(GuUl97`lhdB4b3*E(WYYq(2~Tl*f68IP{s;F${vaS02cRv6vnih^0`mJ6
zxpL4>E1o|`HJ#@f<4AwlEUzWq7uRz!E;|W--l%fvG-h*g^5(3azB;l`pm2kpi~vj;
zM)x+ElX$nI-}Q>gLb<flyxEkRU{FZDf<se!w6FcAR~}$8j#fn3a}l|7#C=v+x&E42
zke|Kn`^lNjG%Dq_3=G6(t{G2@rw=P$tp9a`gU^^@n<th$OWr}p1c_BMp&Fk!GE1IC
zPtxcj!kpi-@`_u2S!5kM6F3gAF+xE6kY?bO;J0+5O<OW%UsYS5h!_v?!84Z;HaD9#
zM+0MMGEftxN_c<Tc#Y@b7vDay+EP%A|IC)^!mNQSaPyI!R8OA>uN&V$N5i%(p*yL2
zd?a;(aN1m2nL}PaWn1dizRwQ{CZABtXR3yrFnrf||1c%*37@zqF=zS#@>%HSsJgXo
zwS5hqZC;?R!^1~&Z91fR7V$iCnapjf=C7Gq6F=`iq{+b>bhv}}Z(Q>C;vs)?uHp^V
z+@1M{QpGDWVO6gQI&leOBh&PG_^Hea$o8;y*~3I3E`--gK7iy+d+9L0TNr9SpxiMZ
z?*ilXq+k&&2J`1e*BxRb3{A=UuL@KJ=+1&Z$MePA3YtU##Q7a|%`qO!NYxBy42Ml^
zDZI$%F`yI?YTMsoqgWsYWZts4tnCHctl6Ek==i0f&Py2wzIs%>xeIU0a_vdKE37^<
zhmf19%{7q-Rpkwn-0MjnnbYYw-~Tp1(eF0&9ZkJCxjRN_c6Rpo(K+ypBM)=aP8`=}
z1={ikhk17xnA*p$(yh7<erz?4!1<6KO8RZtglE<B?Ya!v$&6D&z~)e68cv+g066eE
zUMC^I89Es0h1>bf|H_ej0*YkicJqF-@w>B#jGy+`@hz3Z!Uv{|B}QLzjvP+3=u~9|
zY=SG!98(5)GWlbg(Ll0@D1szDL7LV39ASgnDcu)j@;e7}On2tG&1w64b#}(3Zebt+
zjblBh9>L<Yvb|dxC6V#2^}JcIni?T*o6}2?gEC)b_m?4JX(hLa1WISO(~B)zq%UPC
z+6;bxERBXu5-Ekqrbh4UQXKiMm-n8`-t^yS_UqhNp3<%eWS#K^h!;;OIi}dRK0k2E
z;VyE~kv_8bq)~ibSCn|;0I);*&&zgJ5k_)?QONnxN8Dh)e!_FI+~c|)3g5YYi`(L;
z*jMzoPxbZ05)py8_YaG!jjGm1I)v}^Y&pL~Oke)4sfFE}ex2@*LF~+#`>VfeR`m9C
z#yH~t5)n5}Rg^n$qL?TwHgCsm>fdU4N>G|(6xKhtKN*x^nNrD*u&bBwH{a-A(qS~+
ztiks)1k1*osb+cI(Y<e#=ZsXE66t!6hXzvhrSMJ~+&>w)Nksc0Fev<7C!QCik@NCW
zeG_p%=B_#6JqBuGI>UDuI*;U-o?AbOBu?YIGCrH_`}lUcLL%BwoCj0mhW`mZhs#HB
ziat9v_z`R9@@xq8E4`a&!!t$)^_uKjZP_obZlo6S_*;(A0}Dfv^8LaCi2~<1JH<<4
z%0Rw*-$Udka5rV{o&RF9F?}!$0W-BC2j5bidOFgi+$!Gr|D<yh?;1owp2p9v+W6JE
z&EsCbFLlofW5;tRYpXmMMo|n-pL*XMrB4c5<FZ()?jJO4M5i4seog_e*(bCj@_2MQ
zF<$6y{Vm_jKyRVrF*<_p8<`{8JO227SqRxyT>p{Ag{8NYp7C&A)o@;YaaeO--=+BV
z(`4jWTGPhNy5rA^`72F7JLi70vvBUq=AzM!b$ioX<|B{^*zNGIY)Cf0FI}9b**FOC
zdowS74*`h_wGXzCbI6m~o+d!-KMtbYEvLk5j1$mVIESy4n+Q=R72SaS3+F#vB5uow
z7TN`kC`-JU=huVhqT;g}&i!+os_X_OYgvy;9Jk(_JlsBwPSHp+@?DrGyC&v5F8Q6(
zVBPKqzYPJTwlv-SVOAVU;<x*G9JT{xLbRMB^=lFEIUk4j`n#JR!GaZGMpg_Rev|;@
zWmrmw1;3s>Zxx;7UjOJOwR#Y5dYVM>#63mrD^z0l(OWsV1%DfQTFN+?6p1yg=2b5*
z77cV-vOISkON_bx!0m*jG7cvkD`Ni6>ZpF~U1bhDl!;)*&S!aD@Tw;C&waM_x=l+G
zBm4SQgjUeL%eQv1CUhTtBe818i|q}$hN5%VXhYf^K-@*}I2oo?0Ho7m{Wv5wrNUx~
z)J!ucp;Tg3L8-V_G<uUcL5g0!@B_;Sk0<SAw=>IebFd#*qCkSdfT?I((H^aM5n0Zo
zHx(jFiiP%(H{QwN<w%>4bI8B2?)6e^+R-}p?9jH$)roWogwXoJ5alIf?gz>gc1N{c
zz%6hoDntu_?{UAVVDvyU-;wv(xapg&dwj5P#<;4Sz}A18XzieKD`&_&vOl~o!9Ic)
zT~p4o$!EIxEhy`yi444?{n;+cWu=Ih6-OV;sL0Qxm`5pyn|Z(O8gWh+X=fto#b-iF
zQ4*_4NiiNwSo3P{2}VMs2|6V!XnCRa^Pog($@I4EUd-HA>N+9bq37ITy;$;Mg7<yI
zVrA3gY__g;TFis7Q6t09X|5t{#)4=AMcuHUKEfR<P8=?JubwzM#_3@=M~!bFr9H)6
z-9$1^Ec4~(PYJ#Z4>TiW!y1&Xyn(_#s^Cj5nS$|Atzc0Twc7iWK{F@Zxa~Z7q%~q^
zK9uig2(e2i?!rGx_C$2%4iBO1jion(HvLk*x^a9$D~~2q4QEpAqB%x{uQXJOYv5M*
zd*H;Y-A)l+#LOmks6<gg0lijTf@z-x77h~`uUFoIMtBYiZm&Fi6~8xq!Z;P$lTPow
zDr>xMStN+5*v07U|2Z@GiVokyTnn)b13b%Td<#xhi}(}i&v|pW^4C&6<umuhP<{L6
z-Dv(jA*Olz0KSd2p-w%w>rzH_K;SgJYZzI$NhCLqA{#H`_KUQ}HC#(9eA~0eH$c$;
z?vS`mj$&Z%M^UIELj}ih9ZknaWSg52op?ckpa-E$T<9LJdb5-c{dN2^u-QP|o%3C-
zl+x?yJD%pIGA_d!hPr5BZmgw|L1uNp!}vR0HFCI_g#N<}PD-mxH)Kc1Hn&Pv;*ke0
z>v^YR3e!~Tr#ldkY+wuPW<kML&sPm(bxS{2VR+75RPM)sn7|*#uX2+f>KnE8jw@7_
zD%aDz{P1bjLv&MGEH0*{ETtwE!0bVVSGm*=RE}^v&N|0u20Vs6vy?Pgt+J-LIi~dP
z%PC_zQ7bd+_lk4PUnQ>=JS&zHdYOHlc=6!Gnm%jmz(6Z(h@j2Wudrz{AO;c|mJT{P
z9`cQCr!>flO@nw5L<x;-HH$UB#svI7;JTml9@Ue*9O(Fk^^tQZU!%k&s>Vfk?6>*-
zHalNF#X+FL+^tYvKY6@ZKs(mW#G3lXLCDkL&_143z=6i|OHI$5F*OcG=}1z|<}q3^
zui#2`Fw4tr?HR*am!n>OkRxT@+P#g_{hovRCMfBWCBYe7RVFKAn?oTJsvCzDtwoA7
zpJH!{TcmLjJd4jF$$0x+DCy;Aq~<%M_*5xaWckbmvgAEfan6EfrdScEn&(urp``P7
z&)m9eYNn{+ntQo%(JUAtN!!@;dSW~JfxlAVqUMR^YQlRC-i3n!geAeJU(BwZOmhcC
zdNJvID+fg}|49Zp1I-`L;$Nv$@bCX1*Hr%`PMx7*0%P^>9lEwWbiswAw~S;w`pvH~
z(C)uLZ<{?OVv!S_HQWQI_f|q0j_-7)m*ufJGR(AJ&Zs^VtrgKzZ)_OQE+Y3OnKrn}
z=}9@MJ@QF~!$5Y({`;umhU46_xeaP_HZ49>*Fl)r`MA`Tyw2mH+et)HtKbxe#<bmW
znFRmK!8rrx-U6}6RX3~Cbnxz?iRUTfX^>lW+y((wdb)uU$EMt|Q%!^FI&1vEJ|W8Q
z-foigkpAw=!_RH$-E$1A@z;v!_d0iF8_;i}_6KQOa?z$fZ<h45jh=$#0{DPZHQX3I
zaV>n#;!|p6Sg^XqI&8ZZtsg~*nVa-AjID;DQ!s%LU!3b502P{qwZSCW>Y%N2_bBkA
zl5Q34uEqw_gcS>r5rr1y^^spWGFsvIi%9s|_B*agCB=iec6y`|0dYEa`<*z@sYC?n
zw*g0lC>(#DLzRl0$>|=NiD})#LA1AX#&~4=-grnw7v+R%cbYW&LHC<;;6qhv&v3Cl
zaQ+Pu-W%uO!|b-1XT4{1h^*)?Ik^c*I!kQ1aj=zo^3}>gCXZ8A(BXB?1S5e>(uy{k
z&0^cr;0x=N6y2|ImUrBv+IlPJCPWt<D_RV?IrG1syd6^lKSF=_Ba>c;kUj1@GrBPI
zz$yb-7gVG-{4Vgqx?M$^I)o@5t7dN^xcr=kE~~`eE(8feJdn!;;wufywY3d{!;;je
zK*2g?xM7YiysS^Zunx-FxERXi)7#iT0p~SIt<*p_p*nATvHprq`zk9_z&*ochvCel
zX_}Y%Jur_1L1O8GiD`3<ooPQy9P?1VOyMd4^9%FqLx)LSn;_nxKxT8WUF&DG3yh-8
zv89?lmxsg9RtBPvPBqje2~vrwtb)w_>*qPDNSEIpW{JCTVs>(Yvr@4ZmCk49;}o~$
z^DFMrd64HjNYp1iDN<|GVdI3*!Yg-8U)_RGoIfu!tbf>`{}idR^x8s<!BJ6lFM~7~
z0qrAQYR4Nxs57=wencar5lauSPp+F1nS4~sjY!(Iu#0g^vA+10j6I3e%{n5AxwZJB
zMQO#$5Bpj)cuHNjy4YF!x#_*=wGDzaElc>2fh0Mtp%L+<m*^-4&{H?gG)ERN>Wo~)
z)3Dbs3&2usO=0JKL;^~^NN~av$%^4X5n<xgnyW0*j$29A5<3&NFOMiGqhVOr`$>Yx
zat$ITjcQhTsTvLmOe*c<Zki4l&W1Ed8FhqXTU}A7<NHJm(vjT@3XybCkK$mRrWc?Q
zXAXHH*ccRd67`8OSpXP)1RX8|e1$8isL{|4TtwOqN<6jLRVKwaLGkN>Q{-+2(w~Ua
zH=cfOql@_5M$`sV1R#QzYR{Sk%zbV%jiNIwksE~GTF8%;i(PVmF0B|Y)nc*>7FX7X
zKpA<$dIFij4-m#;ha$m4kRaaUR49~(Cve4X-`5Huky<ZHxx0IVA1ang;~|k~<S6+i
zE#X=3r`A1!7B+Gw!ILCTAQc3YQ*j8U+RkIWtdbw}qiqbMms#qwIE?ru3piI<UTiA{
z#o6^p;{J|;9ANB$a((H?^?OpYV57fVK_V+}oRHl{Sr+AliVTY&0My=h6W?H$YTCwm
zM7nTD78xJ-<EsfieQ=Z>&wOH~LcJ&By{&KOnNqD3W)3!AF$+RYmoT%aXD6Ur2l5{-
zLFk9t=1sGsJWjFS`0($ujv)CDWc`28{<P!NEu_vqecm6=NCAEWr>!?zdzCNms{nqg
zO&%N-P$sl|T4eX={p#!uEH~7fDv!(r7MWJ5cl9=>UnTD$plU-3e=>tj&jfL#H!SOR
z`iX%DKL--HibE(%!gQ^-T^%>3y9>>oRl32cR8cU0L0w{Htb-+o3ghf7kW`h*D)UdV
zE{%|1F&uuE1fI87rj{pK%3%RN7T=9~Jvuf_<6=uSu;=_NLQ?*j{QKxcz1jCyY>M_W
z?c`k=gr&F_%gf$5xdS9v7z@i8=VgnzrP}xFpzx@pNCdbRa)Un;MwitNBZt4*%xDBb
zS`-s)D2_NtP$u!+a93j-^iYf>Pm`N2Z&jf&XCwqn+g4Xf0d~v?8nMN(>0#zXU<tDk
z_VE4RHpa$kp6a0BOf;QYWQlU0sv})NLfpdBUSJ*Z<4eqqUOL?RA$O;5NR4^6j5LY6
znn5IxvGESlIR{Y>uqzeUJ|>&^s-HrNAnId<7hBofRj%Y*()6ZR{;Gwgj|yX9^#>Z6
zz1L{?U05MmE~*@T!6}ig?@wBO0b^Ow9W#RsRD1XSBa&XQE&Se3X=w(`k<&FlPNN0<
z$96~hUAZ^+T-vKr7ASj$!r!$tR!-GRsS8V`n%aGXh-hp*2>4z(tvT)m3=mQj(WI@Z
zZdmF;)2F&1;MY$<qz$*KHaJbJeiohLmBs*F)Br&s6$>*&j$hByVRKE1E~YEWC29A6
zwRyY$h{hv6RqgHmIY>4f@-dryj;3js=hmrfAo>lY-piAI+sV*yCdCV_x#RmQg7t6(
zvy|2gey|lgZi(U}=8A==ntAwaHP0(7p!4;oE1d)M(c7ap))2}(P*X3}1~H|>bDmni
z#qs=obYtb`n9~p$306CZKWRFxIrs@@0`9S;0}hQ|15W{+ed`zYO?vmamkuCNVsdZv
zCmf-UZ(C%wPLzO-zt5quN5;t&p0>Ef;d&xpi@`_;EMXHq32|9xv0K+WjeRa6KD#^z
z`Hoy1B3n4-^m8JI?>OtylZmAulTiI+FU5iAq<)j2L<ODr7_?m3k!<O-@|e!BefQGq
ziF?kcSsBp+s;mC%nI65TAhU*Kb-RxgMu#$VhD5*jp=SgmKUMqoce+F}NtX|VPq!FA
z{HLK;Ly(Orhx<6L_J%ky!ItF(X?cQHt9krwF&bK7j(cHQ92_&=;~~W7+YDlq&y~R7
z0KN@xxnSbMfYuZl5(eh$Qx?tBx(G?X$}+_ZzYH1@18BeQ)?lS`=QeM{7OT@0Lac#o
z+a_m9SJl&y;W%}Q+B>2@y^76n(PWC7YOAKU@B__IyF4l_q5I{fuV7Z;@D*n4Iu3O1
zNZkB`Qp3{nH^gsrEiY|t^xcrFYYZdr1K&%l52dT9L|CTEWP7dl%P?u`JDDVLx}|u-
z#ior*^M_3bSQ1M*sMu@kB8k~6u8z}7djH<=o)PfmY>bdn5bT&iW_2H9qNg`8@te?u
z8;GE2azjh~u*atxbZ^=?dBbvE30%fdYzp9AI6btcnB}r*F2iL|e_5K}Z1^)fQQFJ;
zdXpYjTm6N78rLuqDND?gHr?jn$OD5TY|^@80w!~X$KW$5zoZsq(<@}G+d4rIl}Q!1
z=hJq))9m%4W8)w$!$A6JV2Hxd^aVCv-Wq94OA@M0QWyW15rF3rf@0!KJC0|<#Osgv
z0INL)NSa{of}SpaDWvOMnYuqkx$6sniCt&u?TQRFuZF#LDznTM-;P^7QLrc#ro|`6
zl#$+>EKf))6v47=d1$(1T4;T2>g~o=bsz$4`W%u^*lH#&HEhh#fIJ^eQ=68b^t7FQ
z-moia@)0|O`Y{^q26lEkdAQqAWOU@YF$8Fs4r@E*WgT<Q0g)En@8@@XrYhqLV@(bE
zva&qQS;r6Es`tmh3Sz)h`9)pDZRR|IAAF3EK~F`Dj6R8(Nz;mPT794rL<j>vZ~A^4
zv#&Y1WOtQ$fuSsHXx>6ezSjwsMB0&0h2|<J5gb;Jb3ieSezv<4T;TX=z8$2Utb@w-
zHz{`mC?)i=o^o|D_{*$I*Jycv*xeb3`TfC>@21^@$|$+eyA3tp)oRMv7ap#QB5vJn
zpD*g;Q&9G@rn$*YuUi_?=&%B>rP5KrqS}6W(`T$M@Y8nXot}Agyo*$?MCRPSq0%$A
zPRN^tgqDBz5r1@b@C!Bn*Ph~E)zwHQ1$tj>d<d4nq)Hi?0@j)NNkw*qt_*(s{ztOS
z&1*q-@F@E1$%@S*flJnZ@RZnD-i=Q)JgWduNp~x@So-MtUdG^~zB9x6F0F>9!BIsV
z>A3CB8gLm%p6aoj(<6(zJ#bGQ0^5>QSqeI*LZ90=-!p}qh^L277-cRFVQR%vLuN<c
zydgLZ0^2l4rQ_JDPo`M(^LK6(L8ksk!E7K3I|PMMIFiEBYx?v2!X47L%l{(U0=O?v
zr*2le6sin|H|Cwb9h`>WJKG2a(t~%6d*_Su7<Ur{rl%x4c#ai&N(?t4z%)i+dVK$>
z>tqT*eceIcaP9lTFQ2U2X;1g84~X(V4PQ9+`*zA?=T|eE3338w*R3=?_f)+He0rLT
zj<ufMHw^<<=Tei~RXqZVJe^Os!TX#IoQqh)jysq{s*>N8ye;+p<**e6#Ea){t5Qeu
z`mK%X!i_mad88?)*Lt>GN9X~_c<Lcu);t9rv;v!bwP{Ebdcc5&=)x3`C5t5K8_#h{
zPUmPYpEw?aEo%pc8(bVeU!C0hR`BHOwo$Z0Bk%D7etVkC?+F7{3n|%~+$r}@95hRZ
z(KelvCHK9z%T>vnJq7-$JH!WK+Ym~XF7ktMbS;DO)KalWx>$F^<}IAfpBtw61!0JJ
zFXO%Q$yl+0!N1sBIP@!Lj8rR74gHVwc&;nfe#qvEeYD!@L`XF<fMQN$L*TqozArCW
z5NoeV;RH!``6@**@wTxJos8pZ+$khdf(xXOAm)VQbruhH<*o1=ciajH<_G;;0xmzY
zHKVwLF|$`g>oUPE%6x9H*+kLNr_efcEOZlfA_KW+>U6h0t49$1_UE4YsubeGjOkv)
z#?+I~lrJUuKv65ZASv;3D|kAo%M=(tIDgQ;rLO0oU`)hI|0E4&C>Xe1e7wYLD~%^g
zTrAyZ;!~ik74ONa%plto^c}dCRd&q`H7#i)SMvNg!M#EyDHv+--}{ZPO6RJ_dRfNq
zKas+)?PHa_p-C2eCow(vwsP!eOo0bM`k94f(MgHs#z9d@Nhq^h7wpbz9_>ouj?S<y
z>n5ppbuqZ1o(NlU;!zpQIDAq;R`9f0v7Y|6=?1z4sjcRDAa?AjwNoOKdd$O{a;Qvr
zr?#;p*g1hGX{!kn{NtB}Q}0Nax=fl-_54Iq7z$#(Ec53p&F9uKtYZ;cNQjiAR{!$d
zfd$4dh#crp`HxkXi+(Poej_obv7h@AIMit;gJMW#1Pu3wTSc9_Xn2NB|H8&x+9p4-
zGdeOE6zrqbJ%wXKabr)bak?9|3tH9#edm_wgTW+$YqdpZG;j)e-D9t?Wjze0RSLS_
zt}8=OrOgpr?5efWG-2%h*6rKQBkfBE=QY3w2C*G-niby0bc2=#)7MhWnSArpc>N}g
zF)b1Tqn_G-CG-YJLEc-u1vmDSgPG6Bi46ott$>T+b>4Y2qBG3?H#xy05@>_AOru|*
z#s3#!{_pkeA1&V>oP-Mh2J_)ht7+v`{5;3?@y&^r7uWM`F5X{+uxSfrdOJ{&F$$@u
z(qK?D-rU|h@13L#QA|5vugf*UllnfCFLb9nDVy9o=pA_ZqRNZio}eJmPEYHG&UjNl
z<?iwHo`lPqd<I8PvB+%I7MTE|f@8X7J9GV()310gPT>=P=3@n(uX{h~R*k^{=|z+0
z7Sg;M2oi8FydOjffEdb%CuJh5dT@C2>$+U+8}mzxMQ^Rzip{%4i|HCvv+wtziZx3!
zk~Is-&%J;2bIpT|?cDB9HS6xvsUoMSx{DGkQ)sn2lyvB@@hq6?qDDB`v|S1r)yFqS
z5aS@NQg$?YYiGO>doFzu=?sQDE3MQla%8r6?MfeoQOd~`$oO_2O0#%FTAYI#-U65P
zCWoFz!;dXI${2y?8~$$3?Id(qAxO$gcAdX?gmSsbsr|M|Pn8(d^pk?SI28*<k);s3
z)jEi>AiJik-w;{^ar{RQ7N=_ky8uw}aT*fpuup^t3H{MM^)HxE9R-vJDDb4|d209&
znvn+`T71N}oKr^Fb!CD6?Fz$gb_HVa+4<rI|1xHPWoBkPp?UdTnjgBKAbVO9Ub<}O
z7PCo6a>~Yi$E?4C0+k%XiV+<zUGq-W_0<KepR=jtoSiSC1%P}=i~ia;pe@gSP~^?z
zbl=~w<w9o}gcqN4mv}#@kS?5}p|N4ZPdtIv^r5A559P#&*1ecJwzcdi9ni_lLmsd0
zfoyFeh<bqfX2Z|06Jj|c7D<tJrggU~==xanKo_U!!m6&AF8%{U=l*kIkve<4gN3Y?
zeslU-x{adjIN&v}!591VJ($ys<rLd*E|K$ibSPyf{@VQR&$eB|yY&35{vv~bzpe$|
z^`BLgNw#oKy>z;5vm>~Sw{D_OcqW2Ci$l&;jnGQ5^E(55zyH<Sca+~Y2U<_yzc+4+
zduhz?Xf4s3@@arH{PfkzbDRsSm>Hz+6(=@i)XB*oH0Y}^s6U=;7ssSSl0N&Cb3ygI
zH`DnaRxtN(_^9FAm<jJ@dhdqQd5wIP_fOWVGClmaWsc8Vop>T&U!~TFn9yKTDv(F+
z-^_Sh_dAFuRMA@}ZhHInDq=x-HRJO(0h_vR?_y&=M}cCUweHX^P4ItxFq^3)!>4cD
z?fQJO_Ue4t=#9x{%dPyNF`LxE1VN~Zm2a4BU;nt@BpDMWoYHDUcou)4WW(mRv0q)1
zMi4auV?jISt5Ao3Jn!|A@<STec!XbXdlz;2u+j_C&h2vZuN+DkuDwEA+nHQ8U85RV
z(#DJ$fks_FxM6M!)@{Y_{k->k+i^8bA9{%cYY+EbR>94dds}8;=0LqnSC{f18Ki4U
zanE^EEhoQ5uxB?O&lJpNvSdzw(JEm|%|9pZf~*)O!;8Ja(aW1u`%ltI!GNDHt!{xy
zH=`LOap|SchmnhM-^gNa$B|;Xpm3P36p(@TPMvX1oeHp-j`tUIJa~GxANe+%P$1{m
zjZ5QoC+EUE2-qI9AEroL`kLnRn*O!uXE~JxYW{~V+p<2{q~!THEJnLHhp5-@FuzG+
zDq=VXXa$jW+beXQaSgkDjAQxhaXiob>$4|yPt(g@h+Hng?&r<2tpdY;+s~;y)!sm~
zOTOXJ*)u$2&A31bR|z>#Wk%8Vbi8j>f80OEgU_<Im#kL_kvhzhT11>-Z0cqvEk825
zvhpfKSGzmR-RsRO!xNYS9~Zo3a-2f7qj&w)m`GX=p4ElU?=c))S)&Z23W%vtq4#u7
z1az_V!q1t%N>MQw4baV`nu6R47?<>CMI8;LFo(x7<$3Efs?1yb*7Q@C8W-`YtWqkf
zx$&MjvB&AbUL_}Hc=Cj#M^N<f2ku9_QYMI*$nW7t^7dJSEP4uL;NO~JC4dN}`KDGj
zne>d9loV!pJ*KY*;T%Ly4!RhP8QN2o0cFPYN-zI+%hlBh18~u=zuPbLzyIrofleSs
zzl@7`uRD1qy-V!EoeSF++_P6XT|NM083KCc5t71HjaFnjmRAa`_4FI$Kiv%Hb=-Ab
zou7D5!NAYtWD9zFGN!^U*#0EbcSkWO5-7MU!YPV#ghrZ*{aH(6@bqR`EL7>cEArh_
zo^}Y#MbUyC-C8E%!K+*#XrNx)&pMdfGIAQIDYwG^Tg_n>Nn^_`@ot8>A_q0@)pu_A
zwFKRu%xuqF%P+6ZyNyR&);kNu&darxVJJ;Oo{Yi}S~j67boxxE3r30w*DUiF=jAPX
za+W%7yMN!1d_UtvIgxVP{J#G1yQMe1jbK}k2#<xt874iK?PMp1<;fg!PFjS&*vX>#
zqea3-=hL1LR5D$6owt;BwYL3cwb4$?F3&$#i^OuP)#Y7=3Ij>J-)*`m%mzAQtzfB5
zJ^Dz8vm{{>odGc;>YIwSnp;f4BhndKB3d#?c84NFeph0-(uMznzs`)HtJT9^`EA^1
z+$V9?^<{MH!E3sztPkYyMnXvyA+OP7$7~@uPY{nwA&rof*c_cb11~D?j)J1Rg7C(~
zwn&m^RLR-mJ{OUh@p(A8pPuT!p=Fj%!u#$O70+ZDHrm>pdKh|1T?^qxFN+~cevjz9
zOW;Mzau=;ITU911yb6v=0$jumOENL<9v{r0-=BUaKwT-Un5{h(L3i&JJ3Ry2IRl@y
zB^?dx?%tZY7{&LBwI7Gu+A3}vlV)?sJq~!ROV4R)LO%zb+g3RH8*+fuAfX+Go$w!y
z)y6oR1{bE0!;~(11X?%gwqNfVKbPzh?tq;Pgc<-^hCB8o-H>_~9Oc&O+Y$)Mx>1Gr
zR}&oiW{OzM!E<U)OE3ScylMU`IT)@1)BgmH|BhHWV_a(-oI5`Rdd-AeA82;hTm~(q
zyP#dM*A$F?eEa@mkZjWQmzqmyy9OdMv}T_Ef@lQidDaK=&+_ZYs-c6Ya5AuZ8KQH?
z!A<#@uz^x6Y20n^yRP=Xq8Z9U6Kv|L_1{yR#lL%!4t;593=E6_$BMHD!a^%-{c;gL
zincyATsJjZ=p$DmzdsFb{qkgpM?8#-;G}&$)|OXLuudcP{W;DP@$k8_#c?7UZ7|7#
zigb&Ey^7*aN5Pjk<KUGE0w^(cSV3C{7pzK&HtG>rOluR?7=tVB^soz)2~d8NzcJ^q
zPO#_Vs<BqYR!&Zm3lv4;yHp{p6zjAE10~B(P?dlxHs;D-!0!c0b>dT)l?J0As*;Z%
z?Y{8$P?Bvuy1ys1NZG?;2e4%0ZskUf5o%4dRHD)uThHb5q{nDTO`h21Q1<GkYTCY4
z#X|JEQ;&z!*BeY5B@StzOSJhoWqb<Y)?(!T&QCS_s~*d(5@EUnw)bxC>~X(23DiMX
zbD}lN4~wa^87bfS`=&JA_9udTg-k?KH#*}Y!_A@AWsS%)-caOQ1I$BF9x~kBbO1Tw
z%Eno<JDw-vI+HpQzeGx7$SqipJl1cTcTcXY-<?FuPd2(59BfdG#Uq!$zx#S@hbetR
zeY2}8<ri9+mkhBDvz#GQkm3dDqIdb%Y5z*eqNz*g2f>Ca_bI;KHacm_W20YzDELpI
z9fe_zSij6O%=v8~i|4kT6LEh;SA<<NSCI#17-}>VwtkW<XBG~e_|`Oat+1{1=z@Yi
z5C7|KVV={rtihW;w-t$f<Iaw2+@?7ss2Dcg2Yhm1m#;wjg~OlqI^g21W5j}&aGEW`
zUfHs>Y&NHri(U9KgibDAKgx_uS2-`D5JtL?2YOva`xwT{5xLoO7)vXd|9S}iy7AeY
zS@c5Ka>xp;O>Fs?o*+$Q?HkgfTqevCvHO2Ow2^_mf!Z-Hu4Y=IOyyYw1;aX9h&d%s
z25AJZg@W0O#0q9v-LKCtP(vXDf#_r|%7}%xtdIGE?pBzne8`eMvAl)n8Wx>N6BNKZ
zpJl23V(~+e{_n--S~$n4?{wus!o&!(<=NSFW22l_F`ZLI8M%DHH2r2+9nwh<r9#I}
z!_9sUBDDbzRLh>bTdEW`&B7QE8wj#C@N%aj-j+Hp%y?KLk@^b9^VLZd?aXqf#Ohms
z0$8{ps&SQuKZbazdm;Yt+=>7KHp%n#bzZpAn1EiphnV-r@p~E&upQKztr?Hp?iq&3
z)v9e$Sp~~x-luxT-84CiPD_&~(9pz|n9?`(L+eqzHkD01M79elMoz4e=?fAYC!(9%
zByV;%X4dA`5{NE|b<ZvBV4w3?ybrQx>fY&+#arklu`%<{k_hWfeDmLlIscor2UHKg
z|3d(laWFRRPexrCMa4IbopGdR&1g?;VPxYJ^NyD6Whi(ANtD7!&*GcQrX`a8P3;9>
z4J_R8__1#kE6_XGv}Jl+2+OWLr_aODV@t-5bM?iACvO)Oru^2EPpTpIdno*@@cqRx
zIyY>uou9B8v#NNMfunB_NbRFf#s1*3M(uAq<-L>QERa9mdy;X5%Kq!}T+6J#0K0dP
zw%D9Qqxa<Vf2s&lV-l`-Nb+ErPK_l&kfQT6Py}bgLx1Q?d>q2qieOaKdhgT1BU?MB
zm*j*Rv`udKh!Z!LT**GJkL6_)nyn?$*`bnUd(rH|AGiW)5iGXQbO%!8d;~l+;cVZ&
zab`Y)w6m!sp7K{ShY^?57~6a2)T0Z2Kt<NKZ;I9O=LUldNOk?6#hv+<F@}snM^}Vn
zM3hWKO0_9pb}MsYM;7E^;A^;=M(RkFV0|XCP>3jNE^TE@o_$L37iIw8AMEj}5z>%}
zrOK=LG1`i!_9EEu*uMeu)19TDsj(q${xajy`V$Zgn%TJV$hKIsWe3-KsYU(r?0o~X
zC34J5R|3vL)`^=&SOKHcK>IifrlmeIaW5h}J8Nl_Qc!>{J8`i7{Nhk<jRpL__v&W?
zNaUK|6IAPfuDod^3+t7j(IMyqd&-LLxHt|{S8nCn2;xaUdcJX*D{)D_DQ5n)(u)MH
z0l_HssI9q^#a~jGzh||kUguC1uZSm*g^=`jE&XwRh*%dEUyGwUu&e7&P4_ji9xHaP
zS)hGR90%DhlaL>{qyzQ@h?o+P6XgGBZ8zNmv+M3O!4%7P@Hb%74-W<ihR^}$4acdv
zZ_R-Ob6&~zr}fDPn4;+%#L*AkLz;7bj;lHpJ=Ock{X42X4G8*%PHv$_b+o8r?hD?c
zYG+AbT&>h2@NA2}DUJ1mou@R>gExO}G66Y$=>EXf*>awJ`}~4Wv>BLb)!kqIT*BnO
z?~sVJzFKRsB_P*H<vUjQt-oX!7HD*nMNg0iLt<Y{FgNtvC2BcFSv>8{yMZ<Y9Idwa
zTQJue>E2lEOn%yt3~KWZXp*nGlfE{07;cOB-5`TO+}%tz=+G28(N@Y$cz>^;Fr@mh
z>&?ckQsb>(&00!UcmXV{c4fI07~Ru%k7^9GA&(n3^Ak&|jwN>=I)fTo<EjaLMO53m
zGWft?z!mV1x#Z_Qq=V>|(&@g@H@4St{9c5cI6prrQNUy?9KHT!JO7+@?075uF$|^k
zc(U0ztSs@HEjND~BjhnhD0gEm{P`2v*<XbO(7w1gMzcvXa!wo(JR=mVqa`EL*>~wV
z8<?bV8T8_>XEArOnN+_%r}w%P+x6X-CqV<o4gF8d8!s;9OCh7VNneoNq^I%Z0Ob}V
z^4m{z94pU`PtTLDB!0a_t<yTb>KUEn%1pte$1@i^{Gw248?!=Bi#P_Z@-nY@sr@|(
z0j<jUjWA_nlC)1cVRyaj-XD21Hk!_-t{?wdhZX4DS*k>TxnBcpCT-n`q-`ux3t5z%
zLb?t%T8wSv1f#(sog)ZKdsArz#Up~;nUGX@JRuC1sK7%S*+kM;+eGJn3(DosF$iDO
zW?ZHejhu~2P4dKk6<$Wl;y@aAT@cBhB`uE#FZki#rAko22tiz?BMR(G3<VX6eAgxA
zwd12`+o<d)*$ONzgQ5xwc)17T%xw!|!a)egoF>>MTq%Y#e^5}s0i!2lX8k%$ZVL$|
zZ3;b}p3XA}FCXVBYz=^LTeiWlKx)JD8dA=<W`V=gKURgeJ<p+YWIaHN1JFNp2NbN=
zuX232s1Hno%GyRo7Dw?3A!hl<A25S-QO{Wb!Jz>$bJStusVs6}?TNqxw=1=tIq(Fp
z_e?buRLgp4Bzi?}>PovLt#x=QM{M4*{!D%ao->80&b8NLN_r9HtTWJsL%>(S0~p>V
zcC>ZHZ1p(~d`!bJ)O|4cY_4_Z*)2+^J0Kyh4z-+FpqRNE^OP7;2JnjyvYT9g)nld-
z9l;b2NI4b>E9i6cXWfW>i$q(wtFw4}a~&PaStH?(I;@s05FC$)zYuI#QYN|-_-_R9
zKbph;ks<kelR}H6^LhSS^yrJbI#S-2-M^M(wLLk6WLId!`lsc|jwe%k*5o@zVBQVu
zCi@>;=g)SUO>R5QOP-%UR!;c;t!v;dHrRAi%Qs9O-1ui3IAbHz{E$DR;QN)o#3*OZ
z+|u_foIk#cd1yN7%=4ZD)PmjYOVs~-o;>H}lM>Jg%I{qGOWX6m(|7;zH=HqE)wJb&
zqa-MUB$mRUfKa9G>C8OaU-3XhRVeo)l17vlae#X}k5suS22zS4O;j_hz*g=hCv(W|
z&)+6+ed$WekpNnLo_MiOb6gb^)*yTU&yhcW^PoalF-#0XmopO!D_SJeh&SO0&ffXq
zT1ceX@ebA@;4C_<5WH)znc(c9$#E86Qg{GtPRp%aiEyu!uaK@}OUyYxJ{S9UIe*41
zBctbV@5_t~hX%0}IyZ87p3bkEX7jZXN+@UgVP9=!6RtVQo~-W+|NUwbeFI^B9c6IN
z<lZa%__CnjUj45gNHzWC-ApA>yRQQ?LP7{QfzNZ9Tz2}wA^d7)4nF-&4w$)r{sOOz
zBNPuXLeKEtTdn%m;*)2ebS7bLjbR#)_?u8~SIc2U1RFUXf3Q>DxbNybKCl8QAL0*0
z-oqg0LW#!66_biiz0D2HEA1iIElrulDmIpyHoOJ@xes~v(1V^LqNq5N%h(^mRbxDn
zf*7&f`<P7Eu(+ZWiDeTN8q+Vv5<BU(gqqkOa7|9~XJev*l(>u~o27gRYLulH9^S!l
z?}#Kxn0ZcGel6wiX0c6tVCMohdy<9}!R1d6(@EG;e)JfJWxmTe$s!vJHG!f&H1mlz
z!QB~Y#ai{mM-j?rUU5e?ivQce_7_wU;R}gmTq4ZgIV>M^vGv0O!|2#sXeA!wFme5m
zd*X(YrEu7kNh^!>WHwcKs#25{PikqL5Zw`BXDmwqtg{*7CN7ocHCqZ-Wqz0~`}<jl
z@SU>Jt9JVF@=e6x<;~!DdD%Fhi32_Vk=N{a>?Tv@T=}Ljg7m311LeRT)*+N9$ldui
zp{K>z<zZ|X@7DqyF%|a+SN+SsRWmJF5Cg-p<+kOxQt&AKcCyJ`0Mmp+$9yhx4>c8Z
zLpn}buWM9IER2yAQ>XJ3L8mW;2_I*+EUuis0_F}f_cH(gmA(Hw^Z&Dy=)WSQf0lv&
znU4MUV)Os@;Tk!AkT9O*JU4Af7f3DA>#r;6nT+y7$PB&TF6?Et6a48oKGh_8tO$Md
z)3!7_(r2wI&{_|<`ltILVDiRht;=f6-9nqKH$}Fm%*QY=#!%N+B^@DGxJ0<uFxbF{
z_GG|#K&|<_0rYf3$REv8<UdwSNZ?9MzMfRHgii<vRY|zkaoU`oGxrtuYkHNho!TKZ
z^{*lZ&OVu4SYSH!0lwaBm<J!}gwBW(8v+y|;!G{R>B5Wkm5xkyQ?~b#qQ6dYByS`g
zxTaVS+5%SBEe~+}Ti0a)i#^ifk?%G=TKD~Bx*vl}-R5IU*<xD4PxQ<a9oMlsB)ANU
z8}}fm6e(=#t!01prPwK?ORoH98RoZ_zlf5K3MP(0J}!W|7^?KBOL4c&36OVa3c`Iz
z=zy}u1YZI%#Dkmn(HY%g4YZEp`jsUf&zY=}N!rHiqrQ&MTzGyrM}k>yhxXsvvcDdk
z034>&Di%$1HN2brJ*lL$l<y-MQ_R1p-uGcJQ+F)z6CY3)nI!mY#eRn1qwX-}@adv@
zI3i?g&-k_L@xX{Yn;2;s6aJCy1qp_)qb>{EggEG1r+I{>Jr&)>2%1rw4a_<G*+B1B
zD0k-%hGVojoIE4+cmEZyE4^Kns(<!rIb&NM>&Wz~gK`ro$x{e%?+((_gqCt;GUQ7s
z76bp)nxSi>rX@kVTQZn1_MKXt4~)7c!Uis5Wu#z7e#v7e_~jNvt&ixxq)mW#$-%qM
z)m6;v%6zJtK<VFl&TISAeR=awuoC+CV2k{}*mM5IKmQw0`|o}EpWW<#hP(dX9*_Uw
z!{w8H%OBv-eexmkHFr)e>JpHmVkAz|Vc=_GmLFxw^{Ndefm?w=IMojX<WLSpl;^b4
z5rCKC3ue<rxNnQI`P>ytiuuR&)nWt~#$z%puJSz9uCyjE%ga-gCVVpgQgmbyzg}cw
zcU^7T_+{>3b!qQ(y3HCocBf!Fhf=iArTC-po0*uRO+uGvA5!foidp)Ch-2cd*_Mf9
zebd$aGn(E_4~tW+E^Sv2{&YZUA^OLl5Rs*{LKf|xtU7gsI6bF&wc&I$4*>O&4xf;J
z8{oySuRL4Fj_|LU<%Srl3_k<}MWLY|StG2Uj1=i3rxPHDL)`rAao>NwA>+o?gK*oq
z%=1h|^a50yIE+)bS|?{6sBs^<dR;m)sWG|9g+Z|xS9-&5;-EjA(oAdsi#Y`qM$GY0
zi!s<TJ}rB2V`ZwWZr<NuTpah)*_%vPbUfR#3S5{Jw?a55BCz$sp3L8pCOrJ`C^N5V
zdiopTuB&&lSf-y$eC(dFkd+bd&-N_(C7V>|J3$s^pT-UJbz<Tz`@9Apoc1#7M;?SJ
zl-WD_ZfqyG@6ZL6-~Tw_?dp{Sf3q{HZd@WLURcdHD(y+Rg1qs+db{pNs=xoQRH&?q
z&_xJYkr6T@BQqg;?|JQYjjWVa_I8czO=L^RcJ0lzviG>S-0OS1fB5_f-}}S;>E73Q
zzMkit=Xg99&7fj{nZ{bO@)HBftp3|PyR7}CQE{?V#}wkfqxna#hHH?8g#iL~T>%v&
zk#`v6o<j)F80-x^%8?U*CX`1CE-AFInl>&er#C_IER<#>=~nM<DPo-WQpW;uJ2JFm
z`9-3tubkD#{y~nNRokHVl*zImiSE?9yA;ol9@?8+5v4JJoZ)a!_N)#or|*1Bt+Awx
z;0vTh*c1maGRVDU2RLyzRf_4DbH>4fZ}(Z)ecF`o<&fhb^o7q(Lxbqt5Z1A*Y|KG}
zVlm8o&RMr(1DuRS*<@|+%h9D}&Q#CS$jEO7a|fN}5J)|yJ-~BBK7r8UExA-2Xh5x;
z-(pv8?}zwoXIDfob53s(2XSUoQrubBJwBfSBW{fs8<$xT6iRS)&ylkLm=fat+a^=4
zrVR8py-Xao%|wAyuLd<}BPp!PLF4W}5}oi$<nP%;4f5~2>i+b5=FEKL6Do%gG}VRM
z_WD_ECRC><<SAu>n2GcT!Rsd`?CS)(Hg{Lk`A*^sI>JI2*gHRZ8~2+rkL!-V@-S4N
zt4h(Hr&fZ3%VvUmdkD^}{)5R@aJYP#HAyv#ULEHAjpT!xo?JNIX`uhE(dU6j=0n<s
zoSfwe6XYDVma8Ig{+6oh9gJR@jmJfjh9kOe1j^<XDIdp`#|Ygx3$ut#-(THrvA6Yw
zeTkpn7caasMpB+=$I(|q{&7V?U(IJ%if2y?d5oM(gTFeq%hT=wv4l{r75-4tU=hrs
zK`^_#Z%y@Y>g^Ff`~(ZHB^b@VJH@@+wU4QCB9q?%|6K2!77Vxb8fK)h=AtGdNGfIB
z!b~|G)D*hlO<AbqRezBu$;jDhls|tg+JI1^i<V{->A^M0<ANJwDF~Y`$s5z>7gljp
zTTy7XZ!KF@PepAG;Gw<kShgtvOU}4?ysG}O7mKcK$<s9YY#0<rGk9*brHbrq@xMT~
zJd#FH365vktX?e@IqxZYB6Ll)4wd2F%Obt-M!=jTFl_SRyy`RZoo)T-a|@Ld&!l*V
zaFsNEOr@aM*~UiMre8}s3uHBQ4}Pd?%>awgGGoT9{M29~?|brf00@&vGKECnId-F$
z404kRKax}fz<_Fex|ocuoJ&iC_d+G68%=plm*`S4!UJu!WwxqjpTi$T(rSoG0t3?9
z8^IhckRg@ha=-^b1&zTKwZUYZ6~|Z7+boQZGb>qA+ZLfi(yqHd732k&Dv~Pg^$zpm
zF5q4^2qbq2<4YpY7v^JQV#?+o#j`BK`mOd(8Xb4Ud}%cU|6QQ<EI}Hqnfe9Q`Ti}9
z8~4%<;ISjp(DJ=Nl=9C$yqo07jenU#iSd-%8!C59N}d}#UKuu}<I2E*$<R|xhAiLz
zwP@*}vBoUPD`d0D!9YFLsVTgB(_r!hspt2uO;b`;m1_-_Cw$Qx_c(H3<w<q$z1rq_
zNQ5U@9tMhBZrihX>!^Lm>YVqp9%Z53^|G5%)m{QW;?LPU{ZxzV@CXCdR3{kWcQM=o
zQf||hdj@HF00!4rSqf8?c3LinP}rUge1@B8-<H4!Z5vyD9X!561Zf&^dfwc;;@>mN
zB6CqjCK!WAa?_b^Pt}Ia#V$!%J+a3>1h5t7rCqN2Gjscn(AZ<uc#(?V`svZ7(y=+q
zoC80DOcHr=XVud9MMhXHOOvjSj4fQJKQ{p04ZpfpYFr-$%>!UTgArlA3FZ2aex!VB
z;p{hVt~vWg<gAp8r`XjPI%3S?<uIJPVdkxWmua>$QP0<@u%1egTrG`bGvz+svz4td
z+DAOGXY6z%a`6K!%Kf;7N}&+-gn@J4*D|-j8h>dzKR6hy<iGa&%Rh;ZVbV{+@+FuL
z)!6=Fw4yn-Ocg$04I0c(PGvBx_zeKhc~&Q;yuzZWHdaCNgtTZYvQDn4@qiqL?*SuR
z;9XtOczXKIby}lwe<{GjaUM9aUn5W>%t*tiZMA=2`4T`VD|Fh1oBKuYk3XLHbhOI5
zEm7vit-2^VFq{i!d?=m$NrhW$YtqbV2n;&@d%z+;Gpl3rVbRe|)$Pw;hJL{j`~I$4
z@aW%@3l#TuNhL;!xK+a*TUblf%*FZ)x3h6`^9DalEIP_%p2Oiw>yz7fn_M_+Wu-YP
z;LSuvlVC;A`AWS`RdtMPqPPxXL#qBzXE}vbDcR%S^Q6P;Ff$|!0#glo{1IN&gpn-q
zm|oc;bm6Ah7MyIz@hKm8xapqgEMLW}z$!5Cn>QLL6HUFV=o>d)K2ldvzikpuLbJN6
z`taT=AMtkg0?|i&y03{`BFtkC)d06Hzeb9@<&m#&o_(3j)5$({pSFmek5%UF8wpwJ
zT;{cz-g^)-mZ>2t*hNTYzF1*UOik=9=P(;u#<s~<KRHU92z_Q?jr}T&$xzNTO)htd
zR$cwTF9EzcXC5Nme%GkRCq~6q%-_{t$eGiir(X&S4cT9FcrG92g0iAAVb}wx#z<(w
zmjD)2{It0f)mh|~XRi>a?K#;+`UQ|M3u%k0E5&~`-xDgj5ldlC{ah5eHrr&y@sp%%
z;;S=+VM~{VRrj|od8pjHJ`nGP>Lv*>BJ`7|2P_h3aa%<sET_)ovDJ35tDICf|2bG2
z;TDS>Bl+E~)F1R;Q!=Tj<%t?jz7%90)wMP>m#?UL&DiP#-j1wt3&=XbJCR<dJ9@B&
zag{i!$iltULt=d)wN<6y|C}!_>EwV5Uq6{|Wm0Tzo>W_~U*4Lhvjh)cG<ok5*VS`>
zjo+NLiogK4T<TJ5Q(G4XpF6&KfXz$zbtO8Z{X34fja}R3-ebu6R2LgA-4FWenHh!g
z<1=k4bdAsS8Qkn)^PdJXd#mwVL4#$;tI$u3WP~T>na>ZG4j!kAp5MWwiPi6>h|I@l
z8i<E#Qr$=W#p*?sxMPZ#M>z?YQdromdfx>frNs+FEyXPmNlUdoJo;0Pe$u(JJ6rSn
zhbZI|562gVbgVM>IlE9n=<c-9JGgVyyJ(R#xR1wv9orfvh<{Nbo)MWC{^-Lt1Oe*`
z)A8$<M&W1D81!Oj^)4`~>A#Xv(XbSCucas1hRlRuvlld<DYiD9Jhx#Jv-38Sz-|Yp
z?sc;|S(~&r`9How*kR8}u1>^+u)m*#DX{2Uve$Ov>pX)!-?X?Iv4|*BVtMUr-%)^u
zRi#vcJ2diVXdT77u}4WaI{8b4<X{tO5Y4A=(ThkyQo_Zmat-Z=<8P8PuOQ~9Dzsa|
z!wq=^?@^QKrAuzmPCwk-8d}3C_-8q#cWHFW14mwj98EYd*2dnFms9I!*K4-@qj9Xz
z`;s7jP7hu}*L;sm@Vq&&x)xO`bc`Ot+Q7@~z=;p*)XQjTi!LUpt1+G&1S$iEOMG>0
zwxx2p`CQ$?vB|!#I<6i2GSiS~LKD}&l<4%m&}se6Ib5t#DGQ@|9Yf{O0G{g=XhN1P
zTo$^sx&rNaS6LFQ+uDTvd0ez*@H5$d{2>^12}ClQ&-6PmZh*J>?a!mo$_I1f*u~2p
zo)cQ`V|QjucrW~A_VKN>h?nF)fd?zd>Ks{bpfB-?w@J_?FpV0tK!XLnS8UZyOu7bJ
zDV`opIo%|MN+MsCN-Bf|CWdZnm*NWDA!f3xYS`i_6=id>KEP);**U3kQVd+Z+bk1n
zyjE+xCLqEgsd6QrQKZ)?^)+f(_$xyfLAE(=&=AgE`>A1jLbM}BILQbvP-MEL*V)?h
zba?ZmnrP0@;1vA@gd2|%CugqjJ4LXmD5y|8XkLxIML-9J!F6eMxEgL59`Z8v<2KZx
z`zlw~sIk%CCFte2*zrz&F*A!;#7~(qZ`f)f8_4KJUwepKTx>A*Dr8M%6!U(F=F1dj
z-mQ2DT0RGk$Oup^Snm;?M0|gcwhmXz9RjXI{hPN$)f=cIiVAgJusqK1-hBLBNtI@I
z*PHPq5_L5nMDD$OcdYPE8T}yA>{)JD;w`ob_Aq-+BriJ3#I0`rSz<--!+u=YpUToR
z<wrj@7`>RaP2<g$TO`O;`Nmc>+u08k$u|eu!<in;`|x-#wu<^49*dev-w+Yt@YLP8
ze&wfs!IHQAp__iT&2o{|-`z7>4G(Wy@3yfR9LMyRJ!1(Tkh>9vp6Q$quz;kn*mz^v
z(<1P0rr~GiKM>8=X~a%lCYf2k(~WoWn~eGV=HZKh0Ri0+`RO@4kxXpV!)&~Hcoo}V
z4)f5UVFt6+lW3LNfa?N60j93Y0PP@>y`SV-5%dGp&rR09R@@{l%j(hfKaqX5r=x$Q
zj)}mKy6f$&#@cY<Xw>`cNXkhfYc?3=Paq#exO)>+l`^x3jRp>=(^1snxh7I?fgb1^
z{zs3<uKX12FFuipO=HNjwioQI-_M+A$ivHHOeks+%i8LWupz_&Wzo4zHY9+OeKQla
zTc?e%S1h67M9h9G5{TrQFOX1HqpGe7Bj&yB3<}l{-%y1oXPZZl)!{`gMS)E^;dVdb
zoUC2eIPbm{2JAP!8iyZpBK7Sb^pgsD`nHjpxv%8~NA}P$S(scazKes_$HpDUjdiqe
zu`OWAE{GInLTBKjb!Gy~cfMge7Hq<<y2yU)Zmj4Gh(6GKhNp3n(OkWKV*pQhUaAR)
z>vK2X+6y+Vw_v<nvCz7GUu^o&CoL`xPCaWn`*J=1>$(c=JWI9m3<vwKC7NvLY%FMk
z-Q6~sGsJaWao1UP52TvG-AXm0l0Oge(9QxF>c-yo@MH*VUd)&E1H<e1eCaq@0jia|
zyLIz%*7%zFJ!#~jXya}-_UJjIf$j?OF>($~&5ndKzyAEGdUZea0ARvT7jg9C`-yLl
zVzW9LUW>h?f8okYxLvq6<JB78@Y&M&Pmui21<{PXfA-S*L@*Y&=BDB<m7E>19j-Nj
zKEZQTCD8Q?$uT2)(5uFOX-1)xqK!vJF6Np4eCXpGR-pqpTykJm#2F|si@MIk-7SNq
z|M%vKl~^b2DRn!O1ZZX{>EO3DYV(+kI*&|mv9$`>FpNl=pkwr|UIqBx@~}An#kA;_
zc3Cb%jk1P=-_PPmH&v9G^O;+|R7lm9rpFRA2n38ssfDJy<bwFEs3#yagjJRo^DGD|
zf$zrhTRoULX}2Lc!B?vB*l%2TuwRx}_B4~!p=b`7sf}>skLT|wiFZq)mod1A`_!|K
zg*w$&6e9o05;%cI(#&mFt5x}E-BMyjndQB$7M@F`&%{t`hBTOq!yY8OrI9io=aYoF
zz3QUE_D#{k_v(+n-04~n{jneX!X)~=_vPxhJEO;MM~WXXE!=-A_~9v03@=B1PV-lM
z&El>k?}48>dm=k#xZQ*)ciiZLZutxS7?1f*W73DQ5ODU8z)0@Zr6>U#skr4O<t&(L
z<M(DiJo+Jbx>lutO(UnUK%(udq1wiz3O@(Cm#BX$*@2utiO2sl$aB_Gtem)y@d&Q3
z>G->ml#AseL>WsW1A)1^`m@$lvwlPcIptR2Shd(I4vW}6Zp723=JAm6S*o!EL3)vO
zM9eb5$*)>eG#{Rq7+k+z0Z{=g+RaAF3cN;zC_5H$eCqW%-s4+^;3|*Pc#+ZZdX)~X
zo9<*z=+AUF{g+pQgA>nt`xN}k*5-{|{q!i>UJfldJ~fSMbxyf5_?r+P{Yda6x5r4*
z`B2LDLr)d6`K#J*9IN_zSHpv?nC(MV+uUOD_BNrRE%^?49lt8zzbAdXf%AL)Hc!<k
zHx}c@E3PO_A}!-|)F&}@%VL13IP9)fs;%dC$<*{b$|#r7G!d8*823{HX~|*n2SqE1
z-^Da6mRoU}lEjN_{GKjVC#8B3mGz|saMxQT^v8mhFf@}qB<obKqqdeDAA7s(ds629
z<I0!yfgu=ZslDyhL^5vTaNSi=Q>SApB%o-^gMpf$E>^U$T-~Ra4cv?JvbMn%eL7sy
zcYDOsQz>3P9=jwr`C%awtL7Mf`xJ;6^yN;{$0(!J_{QO40-xrZ^2il2D-*8`ZcHz8
zy|Bw&9;rAz{}*YknBvM9gLz+Ccyp|Al<mhD9uiO-wcm5jvkS@k=NOmg=dyqPsoD0c
z!K=H}ab{C7Kg09EHWL&$^XsA)6}45wC7`+P4ZQ;M`FruoEoKiCD$FEqK4`R>dT$nc
zG_&J}?cHT2`|&i0>kp`heqpOf3`XOv$rE0w6YVK~BPHslW7G>Ph^$z^7DSj@r*Up*
z)NM9y0B2qA>C*WHdT;co&zw@_8XT+2$zm;fg6$ZeII(5zP0!B@(baJ@+l~D=;Y;Mh
zBK4rp&Drhg($rLi*ZP8}oAmskc>ND*9>bu=-x>@LYVQ#pdt<w%8%!CKt)#9oLkXw+
zd7tMatkRD`vZ1FAPl@s9(Bhu7?B0MNgPd}C8S`X9!O*vy1#C+Lc9`~bI{o5?EFwgh
zj4rrpEnERxl~lPadQj2g<F;nm705!cy1`f<-$oxKp>kC`{O`H1y{;NT3S;DKu5*uu
zDHkviv>5Ru@@HUOk7*#rRi;&zy}uGp(F^3>YD|wgF2@h^u(jwrX9NF@T4-BKB-s5`
zU81dis$9v`p7iq3){Na<26m^_5;1M^tEf8+-oQ`xU5hZIgb#~k8rBR@^5N4JbvyPh
ziQRW@2j)df(^`~~8#lyQ>zqt|YVs1r5>rZ*_3tpb7ddsIS?}VQ%`CPps|tXP=qaQR
zW43AuuLpe0l}SZu%~l?4??SJ_>Q(8Mk!tT%`t%uYVKjeMhb9+6{Ez-;t$inVDd}Qc
zDR18-2k=XL!4O|)+8Fvt-ioA*7V7PMM1*P>itFedMqculu9}a%`aG{+yU1ZyIEnmL
zl4JaYt|%1^4~c{qs)A{#Zt-(_UACJvO8(mI`-_u}>Gyd{gt6$PHR=Ata+8!83T1lf
z=>UDe!Q>A$C^3}Qr~uw@k0J-95^>?qc&rjwnKHH4p2w^MJG2IcQcdy&-3BLKD~A~c
zvXbkj7+4EBs@)aadK+a<E`+2d!fybQYjRx8a@8{oM-gN5g-{E#qFrU3m)uyvYu*b;
zQ;xM_;>Y94cDx<9CS&$ns65CDEjGXOuRIb&R-FF{yq@+^`QUti!FhT<C)%*5DlVco
zMZf)s971;uBg|+o49wOO1`QTh{@b8+F>ZAPKI4d({e2E_2KZ1r6zGFo0UK|s4|Bg7
zh)bbfCO>411V>w(p{K7)EaOrcwU(L526)1}4SugiMlPhE{xyzsk=jA8m2`ah{nr9e
z_=!&1#KAAaVtKrV8089GKdL4i>TA0ie<j~}|5k`#!Y>^Ye^*VSrn(EG8ef%@x{1E4
z+Zq}Gj(PQ~*+N`W4hW{1PeY#(v!SX;v3(bGXT+Po);iPkVxC=Arw<P;o@ie6%iBgk
z(Nkk}=KrvH`EntGYn$g{a4oMatS^)4(gkr?$kAG=3CHM2xI0?)(eTx^8U9&T)q#^O
z>iI#OmXx&sRcxH>)6J95cO+C=IEB{<P5=N7T*i~FUQ@A!z5Bgysw~Giv%9q7ek%HB
z>-vQlJST8DpaDG|$^l40XHN7RxX_*d`h_c2xiNYheNP1?`uYcdTouk10N(_3`*~N^
zr9~csc6WoNgr+S=j(dD@d2NDYktHK!;IV(;io~7>?wM&Fx}suC*aoT+h|YvmSt8-0
z17N(w_#cSP(2yvX^`qCvyGTge6F0}|>(lp%!s_ns1dSIaVvab9PlZvq&o$pjaB$6L
zIn;*DIgbe%!xJno{d`l|Gpj9)n%4RDsoPPP(ke|d@H@Hrj)4jhEl~c>Ee6^ppf}Ne
zdau?lKq$ysC8~aRaLYoWj>U7N?U7Is56$eUM@rqa345%$vMklC#)=Y+$~AO}L&Big
z>ch2ZW}re0S5n3Wy{O~WV}AA@N9QzBeP})|2|2Q&Q$2cVyx$zHKu0!JokW$~lTe?x
zRi(f}+3(^ko$pyQO!^@UUek)(7-Gttk^~UB3Hv43O(<>ga@@7$j`Q5EwJ9AEd&hEp
zMzn0n1+x>Ds;(qIPr~vMsJ}x<vqy!MA+ZKb<oJAgwzb)|X#QP2xzG7)=>SJhp01o6
ztIwy#IV7xhp1@xOcf*9ECzd9*4nzL=DaE4vvkvL*gaPdQ&tWi<`*QRadt>d%1YSs!
zMHTZXa?$>IuM(DC+{FIe3LwxtZv&_5Pod+M+sJO%e*+3LhUzjtiuI@ZSAXhYTg9Ax
zJwb|S2ae>;b`=@<o!*(3Jmw-<AEcc<%4K{<SJkULFgl2z38<=MKL?SWJA9U4YU}1T
zFqMHLjIJqJ=-24YjV<UZ;Bb0o!1|CuU5D1i>nz|x%d8h*>j1bG(hj_>zUDwcaUbR4
zMO91mA9h30>E-}6ti0H+j6oziJxrO!rE@uKXHza}iY(&S`bx8Yo~jW@Q|oj?kfV+v
z^9^xTuTuBu;7g#KeqP%PV<gKXe>J$D%qp{K9WIaPzw|yEdEz&@E1D=F0veAba^{dV
zh^E`<Srr~epf+?yl%0SSpFLe16KN(d)c?KoOW8~ND$pxDjT*jx?R|qI2?*K)rcpgg
zWA%{3Uj&M#<~w(GbMfB3>n8K>3ka-@|6%FqM3f1~Xo#1UnLQhS@HD8l#-gY4ks*7&
z6%yGzDOmc<rV)!G72GBy#+TfEUql~k$3aqFswYM&0qCb;Y;EG_EpIp)q0C`6mHQ-B
z>8wX|cU~|4c!97E%oFnC;}K{LH?`TiXhfWocl+*Hah4TcSTtN@@UKYVYbi$3%Zx=I
zJa*hcLb40|9`Dgz(@nBGNd#a)+A%S|olAp58onl%spDa@Hd-H<&do*lXcFZw3{y2D
z(Kh^M7sKg7P~G|ar6>S{bpW|b!A!6V)jWHGk!Q($L<{H2wv?V6I&i!bcwxl-Kqm|R
z=Y@gCd%stG_m#L9tQ>djz}eOtqPzP*!#aabU{Hu2i3_&!6DMxAee?@XaMWT7SSCUX
zy&V>48Ab&sQeeO{UCw*-A=P!XZ<jr^&=z_nD^-}qDtW1_9;c+7jkTA0ldR?eX+e=@
z`c4)Jc2a~Ew(Fa0wX;Wrf=avNc`P#z-!Y(*5`lNUN00`{5kTIatEN-|Eaml{*Bi{f
zXoaciw1~#^AUSB^n`JZ7AMf9!%YDpQ3$dzi>gRYNdSF6RYITb0Gt<wS9IInem29cI
zC`+QE0?(ts4G&(xHu)$Q$|_#f?$LUfue^50I}f;EAL!o+Q7$d1Wpz)+qFhB%j%&8(
z`r^hMC0Zev2$|$>M9tr=2(s@Dj4@E2;lzFa0`YR~q#Y64^-o6-vakJ@)(}xaGJEl-
z)Xx_i!%K|5j+@9FLb>*Cp&>f;JjDoBp`;=oy|VcQ(MKn=OYaUvvR#s%CDyfvLuRHw
zZd{5VFt+v{5wgx`3&@R+(g%r_`c<^)!3RhIj3UO5;r%aWhhy>$EW!{3l+CYSHg?mW
zXJ)EV%cQ<<wg?Fwd?LFPFHrBCJ-BCO;v6KAZkU}@cjzc`l6^Y&5$7<{_w83!BV3)-
zNTXV&#H6?K=KMFaJywrsbB>A@mbY5Ah)}t90)R<|3f$7ypge=kp6Fm3DJfO1ry;^*
zYnO6ErE&2_>70nO9U}wt=MMTQpi3u^zE1}`;s$fE>lZf|O_k2?mV)kxU<Z@pxk49`
z;{!>0j9wM=Kc(LNEau&w@Nk5yY!9vKwQC3#`aNmBeG7o+z{;B#uQ`=*`GPC*g!XcU
z$!vwEr&rG9>0nNakAJrDO8Ya40sT@jPeF-%L??f+)o*0$SUNw;+Ly}ajfmqtK`v{@
z+x2zRc~dbl!%Nc_zz)46J^d1S2&eWtE8ndnrM^Zu&Z4<;17K2d@cFasZ^X^Nt0Agl
z@K@NiGWa|l+fdYcYA_qMK0ruSxFS+1LLJX}>ZbV}n!mc=KA%5+EYLIJiI#l$#e=`C
z_oD5mvyu)cBAr)4?taxTn>her_Er<U6$7Z9%=mm$JvJw5{kkLC*#l$YT0{le7Id3y
zjf&<=f`+^3eo@@xz1>URU>_jwF8OJ7QG0e*{4P8VEINL0^6nQ4ncK7rN%1C8+i`+1
zuCG?-!qnQ2%`Nhrc9Gpe$fxunGjjmv;t#6<39B7g5eQ;bY;ne_`^i#EDHL7iOUN?B
z<J~3I&2s5_R4OC}6ugSS5_C$q%B3$${enLshS-OXR08-bcps5xv#W5zJFsJSA>Po!
z#;VgHgGTo^uP5$Z3u_aaWuehsKxc1snMHNdr{M8cpU-&Q;_wzsh3lyTyRg07&>s+{
zeeUM8UHx`=*=`<SjM!a5JTDhJimAm?sN>EUj};yRBpO%J@7CmSedVN9iL(g&Q!u@S
z>&S0=k%$HnMYJn@P{0A_5J&Xf6DoY^Mz5bnL4hjBOst+)P?Y!dS?Cu=Odi~hLma=L
z@HGS>Jb2{!oJ!WK_*3vIo#LEud0vHIh%csXlt;l>V~UnCoNP?(s(ymEQCQS3cc9yr
zsTEjJ<1_@DFi?fYAe|WAcp~IETvSj|alTVxw}&VaFwyRgPRe1XQrfP{v)S1lP<D6q
zy_uqZ%>WiWM0#5V`yqvy?tEWCN9Q*LJkErpGAZ?yD*3tfd&!U4{$Kbh4(bD&`b(QG
z>iHo$Pa;DD-hHIEqLBT)gs<p*6UQZ7Ah9i#r^M7su{E`_m@0&Ef=Q5rNoM=yS9*3l
zT+%Wz;mKvYg1woK6AcBOGpW9<VBOydL7Y<mtMoUx^LO-riT7vRAPNC~a{c-L%jF7)
zwYuiV^@qz1;6JPtWJR)L*4{(Ecm10-DF0Ugws7^!IYi+8%{Pz48-ih@bOq}yo3iiY
zAhAW?9X@LtRs`Mp)ez9g%$($X(P1iUZs|L>1xr=9s-q3z_*)bgl==@OjdIKD4#e1T
z#Fv6Do8r=)57TC2!9<c;f`1^nocr##_w4duVAUtnO$V%|s#uZnMy8KnXfUAee0ws1
V);pvwWcr%ScT!4kOC<~g{ts)gJX8Px

literal 235624
zcmbTdW0WS#(kR@vZBE;^ZQHhOOi$akZQC}dZQJ&pefHV=y+7V{*SEgsPgUg;5gE#;
zjEtx-d08=7C@d%d003ACabZOO0N@7z06<9ypg$wr7(X%pTrizQ)SZ>=Or6~f98CZO
zjO`3f2qbI_%uEzb42(S-#!R^XU^!bTt2?X9NOKz5+0YvN1w-p@WB&*H4;empdjlgY
z6K4WL6Eh229-`}x9wGt@V;&+k78!aOdm$5Z3vo|J6D3bsWg|~3BMxICK3)QDcg{Zq
zY)qUD2;6O~ZJjvXd5Hc)m-Em4U&C}n1pfhXw&EfBn<;e}c>*CjM-u{8T6!8IdU{3z
z1_oAI23BS^R#s{PMtVjDI(kMr1`ZlVCQb%=PI@+i|Ne;nOy_89%Bd(U`rpa^Jn;~j
zJ3HHR($TrOxzV~Y(b_qh{lVqn_=^T3Bh4QO8Yd51X9IT{TPNawC<vQ4897?mJ6qV<
z68uHcz|hXcnTO~PtAER2V=p7~FJW7!|7z-w&gk3??CBV2>FI22{u1mz&`!>ZCjZ06
z{|fD->|t+0r)c72=i+Ge#~`M}{~-TS-v4`|zX1Pm!zt%z@y99#*1~p1E;c5%&Jw~r
zM1TIFHMTJ3WTiJTG-hEorZHk?W2Rv;VK$&KWM(#`F=A$8VWT%OVlZT9_=nE_hA$+_
z#3Cxh#xBYv!py)RBFHYpAtb;oz$nN-FT~72&-4$jgsqdafvu6rKXY6Bnft%EZ2wPO
zP9aAV17|x&Wjj0Tf80Rc+|Jp~$=uGKfRTZgk$_yy!q(W%&57bK8~rV^u!*CEtBJ9w
zqn!=Gf0WE=@xL(e|4sP6@s0ogDv$0DQ*?iM%Kzm#{|x<c$G>j>T?l_3{#{BYwtv=-
z<DZ41HzuD70Gt>uAuOQmzIM@Nk@922g~U9gV<cY61|ZyDJTQX1%&U0O>1ZO8>3C8u
z=QW=x;<sfO(kjsqC|9VaQxt@rb(-5Y(|xFRIi*4=rE=I;?C5x8=z~2Q8+_08s?YOT
z$G2HYajIcBMRDq0(cU-v=i~R1Z@Wef-}`<^Ot%NKU2?=wcGEO_N#g25)x0UI)>fC(
zvEA3({`V_7U$>vtmbsplTH3gINt3E9Rl<p07K{x-jCYIp8!AqUESo#Nu;d&_(K?FU
z+gAh`S<l-izTbBU-IAG46?TQrAY$3j*2U7U@50K!z>wE7oE;tdeXyv1aId<J{V1oU
zP2ya=##(!UgHv^R*5R%Lg|6?rvjKVyZi`fn$5>u#y$R+nqcAg=y9ndh#5FUPBo9Xa
z_xtnrr&`a)=j@0nYs(Tjt|?PXPfv+*l}eFHq1ef2wA$sX>HXFw*Z0Eq#{t>19i2?2
zOgZjURJdr0UNMYl+!g~So--D0f_Y;tv^yvq)9w8}?^rZ;mfIuANC0c;A+Aa|1FXVp
zqM#ygdEdM5jn6i`kC@y%9G6*Rr|#)-CW^13>kI10;=-pSDS#c>mT`#Q-k#4co-WfT
zyK|VCwd8%y8M>{dxA#YP2d+l}I^Mq9_ixXzn6|-tK2d4EkCOY1{*n=Av-JPkWWV8T
zORuV@(g&blax4S@!B`O{Xbj*DDLWTi9_9hZrzGbj+4$vak{_*Qh7Ec{Zwk98i<^L9
zP=#{#wrJFykm1N=ha;coLkco7O5#1B`<J{{Nmbv^xRwC|jo3g!1PgMGP=L~pK`ma?
zc?cTO)&djt17ow?sZuH3XfY^3VjNqFg|RfC;HlEVnm8LWOr^KE@zXhzt-@Pt3(SH<
zH_;fbLb}Y_6j{eR!dY3)!28CIfN30A-S`WlTR^H$vv&*ogrIwu&V4t(0x6IF3Yn-a
zZ|NQ1zZ}jmJSC<kqobs}8`)bLkbDcd8&(sb0!;R>UJ+;oKNuwt=t+j-4j$A^ha$e~
zFs{#N)x;{RVF{z4Wt1`3QBM&w0D+lN+n05TvOi>+Q}h~b2D>wPIN*k=D?H?Y(cIT6
zzz6GDDYg|U@r%ek@rNDaY@}V{Cxz4k7@tK7IQt<pR828kyxLvIi8q$w7GSkuGQ+}Q
zQ_V%<1Q1X?B&XWa{5N;h;S`;z{`HcvZ%TE?x&I5*jI^%G+6^h4;8Yp?<txZl$$u7)
z`zuDImw9qX(7?-8Ae0Xb=`Mb?xfuk$eCu;SH^8R+*vJ4UR6Z&MRm<E1n$QRC(g>Vw
zl%nr&OSy&V)CNb2B046hBMB$MxEX7RMB)ub|HJTVxodl|buUsT_#r9OT(5EMSz)pa
z$4^C39i`SDX33N%nKA~aw`zdHv*a354*jZ9ZMqnkJ|ktLRoxUQUydGk$Rc*<Nrk!A
z8z?!+fgK7a<5p^61WCt8Znkb%cyh}(LU?F<*R?T<A4VHTI3H?_6!&-fzBqt4{uikh
z@=z6#Ov742BL*g*0u#)vc8;vw_TM?*Eo_9&r<>GI!(2ByPd6lAXG9`m+Xp(XbjjB*
zS9ZL6NihX+O3VT8|FJGbw~{xn*EjfE3=n`J2(J_^mOc}3WDNMvXW!f!gIqJ>@ODwk
zXY{MeYr{MyRQHLMMe_ybs0v)-Nqwpat=c;UH3d+hr)YWo`Jj_5mLwLI@)uI9F3`vq
z{L?^^i_$0>DFC`4JUVbC-9-#@4GRQmIS4LN$pfS%`$D>azGT|h;nYzR;cD}AXP;%)
zDtKT<EJ<hUY`LIu5--NK_88@{QPsYo8B8ILCvK#52Jy7Qdr8w2gWuDqAn}-MWEELV
zuJq<<^d0vG;nytHQ=(tqhCt6s(hNf=O5P<e3wxhVY-F7x{<xDkrYp#TDs7?TF+t+9
z*#N!-Cw5gR&Y+iL6T|5XPUVKT!OxFs;A=VGxor>~MUJB8n~d;ejD9}=R~bzxJb}K^
zE^uW=yX%^p&B<9|j40sahax5!CC2t3tw#&pfD2AG21?0$h_(4(a0wq#ezpVbkL1PQ
z*SHT4#_r9+XFPhIyem%;@mVX6%V5Wi%ws$pC^G)=#yQ#u5-guNHK1sWDVn^s@OZ!0
zbV@1$+H#U7FdQ36wXS(}?m>>dyVSt(Ql)*vZDUL6{p=X2OY8ka`Hzs>MwOd;g=;+~
z5Yx!vDjQ7Lu)sNSiNFA2yCFYtn}Qqs8@0OqJSIQK<31a<sB~Uc^ahdF=yUKIJu8S;
zun>bXAyCSHs*G7~VhBDJyB064VJ<llCaQC?IEiSAWGEI9A3~Zpi9p{)?5>6C8%El>
z!|h}RjIiV^Vsx3Ire$}ODNKXY&rIS-oGI^i>_AVTQ#@|&@bJih<0@p1Y^PpwhY`?9
zln<l<wou+!guV)&L<lih9uRaf$MgGw2aP~O66%&ti`iD}G?9;y&#x~M-r}5mfH4N8
zXbHE24AL<cbhC8(xn&rV+4KFe=pVB_V{TJl(@AGx43qvg@HtqL7pw}fo0ML-5faz6
zT+7u0PoPFXT%ejC>UeiL-LxZrXo&SGgF3Ui4Pt0JXG~CFyn-da;*2U@FJEdlyr8_J
z7eOwzW@Ss+i{WV)trD*v)wNdfqz&)A2&Xy&%87`aT$zcj9^vQ0_)Mo3)x!j)P%B{=
zK`ct`WzU#?iFH0#xt0Nt(g|e}0D<`hL(@uS><TTVl|K8sxQt@=HW8Eqj2sauFL;Cw
zE|CFCr$F15*=-@v35TR){<I(P;;UTB$%Yq3%UyU|m5;2&zhZ+(kr7!|uenrtn;Oz5
zgQ)A}%rl{|#>_&`cRkbihjCYN;;D@;c<R6AXZdP;-u*NU>nEqrj2T0f;h(yJweP_f
z+(vF?6VQ0Gy|tWCQ5ABh*Fbfl{2hIM2+|{FOcztA!*daduNYUW+|N&$8u*LXs674&
zteuW9%{+6yiGi8D^%d#tku@!o>_iHHjIzwds*G(J-IaRZyX)tP2cPK1WCh@cxTQvp
z!h^XYtrH)-x{lie=nATb*ZwQ4^l98;wj$P=fh~?|mZHt?bJgcLIP)6$*#<F)nNV4G
zMo#zN$GG>)rz%31le^tqndhV~v_;|3?3OkO)WM@`@SjB~VAe*A1<-AY<;vvm6hlr<
zh)qCWUWgNPlA@MU?=#?!I8REVjpBk;c(*h@&sdxLx}+Vl`|bX|$U9#h;%vI^Ci7ez
zV=EtdZXWhCXIo#*UN1-(p3m?1Y+glquIqMhPysJZBVS1C-_0f0!BiNlBu4FIGJnMk
z>08`=XIHCD97h>uM;fQZjzm8r>44Lx>_cZF=uKpz2(F=bH-ET_nvqX*YP;${VSkOl
z7KejhT(oOUtTWc}(9L2NTE1K5eT8*f+-Mg$3PI?Z*mbP^d^g)kC`4T!2G<|ObU1FZ
zRO}&2LXut2m;Tze`VPuEoVo=sm%>FHalli-)7{hjtz{L5-ba;TzT!l<a%D(GV*Cr4
zOabX~ZAKuXArK_u*I>-Jm-|Z{<v2&7$Bx+v4S89rTAz%>aZc?RiSX`vU~xp#-)6tN
zJ&+Nzm!XQktqb_QRj@{C@G~Jd<o*^EYVTx8Z^J>x(o3ODy8q`9lBMyXRAZv2TqvCi
z!U81!i}fvYI^t!m!+b}vhhA^aT-%K6ghpR|kTH91{|I$PT6Mt8GCpHW(acmveqs*W
z6fv7>8DV|Gon>J7I&N<u#C@*1%6<CA{&==F=?@(c1oAE?HH&$ZI3U+LLTKP3La_cP
zUvr_8BCT{qt_tcFt)L4zl_l0zU^WJg;l3@Ywp`AiUxv6&;DUFA{WvnEm;o|ff{6k4
z!9_<?t~CuQRnyyx6(*+k%}`BhK+mJ9U6Obagj!uC->KpcUScaLndW5h0mn1V|ChkG
zn=#K%wiOLb!L_SxP_=a7XB@jsCkEknkS!a6q@n=Wy6EwaZ#rEz=;P3DJTy!qg%L`1
z<A<$5fVPmmmXk8|ibkw6{R|c%KzyazIHcOR2YNmMv~=EX%_EDoP(tq%x@JvHqER4N
zPN1D5(8E&0+7ae-qWZKdW3-M&0y{8+1G5DA?%OuGRuqN;J0`bMbFokqQdf1kYy+>R
z#Sv$mJzEd@yX@eoGFUXD<JhyE=4UXzTxbXoQSlhHI#rI-CJwK2ec=_4q7a-l(Q$~c
z0PGq=hA5;gWY*{nZIEu=wCdk*Bz!e4EiR`=TN)=B|HO$J&S-ePi)6R-hqUoE(tJ=z
z?G)yM*WRY-RPS&VB-{_}Ha5_&En$Rvo8T96(&Jc1TfjwzV@`H&cMp&2N-B_esVKjh
z9X6|@<R5vv=o7`0>vQwVVTFVqQ{P|?w(~(=b77kDom2k0kQl0J2fb4)I}dwbCpz1u
zL~qdx<-r*3gpD+P4^Q4rmTVbS_zc=pjp9X&*WHakrN+2FzTdm~czHIh*GyH#7UAu=
zhQmQgC~eqg8z|}2&5e{yoZ$NJp-uypE?%unH~^7l&FDZ~nhJJ{2(_;+6Ggyv((&eL
z>%U_FuNIuz6<kiaJ(vzZtQ<GpYC-H1aD54(zmYC|%m4BEH6x$*0?AKBV}<ZWkMT^4
z-<%pSO6A$*=Gf)t((O;ppR}9(9?wystq`YN4IK+hyb`G#nY*E_T*g8IOJHH0^p6WG
z2woIHrUU1A=~DL>@UhUhrpo#c3h+==z!c#d(NE4L=;a8|6A*HiR%xKI?Vzu<FtRBM
zU0coBl8<_onnitr+@U|k1)unz28uT;r`gUI*W9uNSdURDkR1T7jN&7QHRz+u$5|TE
zm>ilk`MmE2H@j6Zk!#C;@<wfiblZ9HMZTM7!6p^-Rtxw+He2XogWn}MC8bIT1gNBY
z&|yjyRqj7Hl4-sX1F^~U7A)zH8DBVpz4}sa^zeFfj~_`h{Im1h63*QCo_O7=(r5v~
z7a^NC+de5c&}8g;1LRc|3U7j7A+=$&XTJDSqI|vvDPHzOK{q(W5Z6*vx4H!$&>7ua
z5C|D%#_W3v$PoNhA6?EA1vq%I09vum(6!o~B^LOD#9l!+F})RG0yd>0AWg{sm$Ecw
zp^ybBhSayzW`;pc=}rW}xB55TIc$HyavDwHBW>tPc8Y(BM)8LDe4y%DZhN2GXYJ|x
zRB?$C%?Ob=r)h*Hi4}+S(II93{_q^}Vr3aKk70DobVgxv1V<6K#5(Ql4eTUCej_>K
ztptY|xZDkI-w`^oT_TITmLzp2aFc?Wa8mXiStd-}5@Norp&h-G0LR0Td3YJWEcO8w
z1|TX85y?z`R<ci}uH08@^_;IqUS6LJr(V;Nnioy>&%B!P<<70a*Y>kV8QnG~+^)Qs
zM71y486=AMJ&84&(j@7w56*wIt1FY)^?cj)xn2i)iTCI}<Vap=G7WP$7|7w@4x*w1
z(g+@81e{Af@dd}^gmm75VTK#QHoi=|Gx{cAPCHF<qhP&x#YtSmJl+)JpR>4_wh(y0
zA8-Y0=sD>s+k1V1S~NF^WfV8|dlDZoUUb;NqLE@QUWf6QaAEUaRG5mMt8l=BtV3*9
z+c0H!oU8fAa4x4{RXqJOzka6~9NZf$`H&HBJD^B#3`YGUNC0Fqa$=3ap^BEOba|GR
zDrK7c)>C3W#%M5Sqvc>Gx`bh(K8R_>xSEP{Gb7q~K68q7p<d=F(A-w<<8mz@hEk#;
z>)>KRZkZ3H`FO!TdlO{ib3lEZI8)j@6T;8twTPM|>#A+;PG9tbR+R5F+Jb+ROEu&?
z%e8g<Au+ulr)4sVhA=w<g@O|TJti9pV>m)ORU17<2b!b2jz3H5HW<Tk$d-38Q|_f`
zacVGGRu@3E>x=Bsy#wDG!!F)_bY+IC3HrO8q6)H_DUtDir*`PHiNh0SC>zKCmh;RV
zfUW%~A(gtm84s+zGg>>ly0-rnJ_^s)hy^w$K9Qfv!fA;C53bU#?Q-?pW&d>3u?yAJ
z(CpY;U0IeHog_D`vZPX6U;6wr+YZ9FM4&mu8%#)i47jp}z2z2h1#4%^2)n5wmMD)4
zy;v<#T{#>VGzfdh3OQKI{a52aVCFWSMoJ_&6&RdHIh@Iqk>P%)PM-~~W>-Sa59HRI
zzmE|v!xqK-P<g-cDIZ^>Dbez@yTCVb%zq0>%!2is1oA>3^CDYr6Piw&Sko!eY93g~
zcai>}ndJ!`<iZ271CtZ6BSxc@o`g+D@BJ*gEQb!34rifbaq4b!a0{ZR&dn38poz+7
z{6UY5K^%0Y(wK&l9k~THW}k%Y5n?@9n4gZkaPl}v1uhNSuj#)#?!G#ZO7oLHR1J=`
zGk2KX?Btj_t!#0{qViY2@hu-3ZmLQF2QW%9@@Lkf$}eTG_nF356z{RHJ3QD_@pLr+
z6j-LBSQgQ3N4o%{0KBg(=$FouUQ$&Bz5$&VQ8M)?ABeD1UUrBAouI1am7_{svA&n`
zkU4Bsa}RW*l!*tkU)TR``KcoA-}$bSTb`!zYJrOVhXxG;!Y?ZV4fpYxz2|FGL1YHk
zSWX35-PO`Kuwpd;ZR-Q2%d{hgB@aSQya0-Vqw$GiA`6Yk%O7TlkaCCd1aHkL9b=?j
z9ma;{Tdjh28<VDvWi(9#nQ~nw?T-~q<~bs+D&n>1{lFX3Y={h84Qdgrgcn1{t}7J^
z7}Inc`bna@T&o38vjga~#=`sIH4$8+;lLAKdW){6&X_1L>}_x|wEEIm2Tan47$U9+
zh?!^ASm*^JlAn3${o#{#qc9ng_Zm&awv?jTp7F1h*X_vV`LG}$7PDfYDI_J|rb0L5
zWQw-IR`j+rzEu4JFOF{i^$?p-1CJHlEu|9pAXK1QQa74fN97xb&>&l-T9_lI{E$oX
zcB}2O@h$>xM7g=4+6fDlz5ukWY~7H-EO3p3qQs|NuOJ~(?Q9r#hN7qHg=9WQ2J-{K
z@vLSBiQ+^?cZD&=(v*HSH|AVdnnl~P;tZf&nn8xBt^9@jeFz&|8YuQtL7|ghIYke!
zsjx9+z2{)L_vb{V7B4^2B~P&qG78<=rHbBJ*-*rNOSpI4Sc@4qf+7z=kIA{>GY1%V
zp0)gR6_BS2hOmT~qnW3}e1L@!$z2FpR{ZyMbtjz3dCJwo9b;0*i>rhcOo>i$cd=ar
zNR=!0mVXf+iGk~TiC?|bkTb0Z_$=q%Xa(5lHFX}Hzo5h&<!1E*qjfcQ57!!Q0H)oN
zxNH}1r%YxON2owTU)O(KxH4{;dz1c?K~_XIyz`y+yz*$mLaNl)L+5c%6rT2p_3P?H
zG6jZYQ#CmoHI|||#SpicOU7{|ac#rR#)uZF1qjL``^FWIksta_<xKcmJVh9~n<YKK
zRd5!G0&W8zSmHM(O#=ZtxCNZf=3TpBIhP9-mPCO;p#73+i#WHs2?}d7&gt?6B}Wg{
z7d{Hsct(^5o=l$%7qqfK@gw831sV`Q55P%Sbc_wM;ZWviiVY%&M8fe@o*wg%M7e5<
zeOiFvHWYWRhuq*2YlDS$6tx{X3|MA3MJ!RuRtm_KQwji#YIb2xI=)&bO&LuX^~S0i
zh6y)=`0>F4FCOYFZ0>v#P#>7DQ1TEsJkSQQz42p&Ol(JnQU++})^6rc8W%>q)SSg`
z6LD*}_RCvYG&y>p_MpOmg8;L=R4@6)30c}hWBUk8b9yR_6CFQ>E7pNoO7`&0s|l{h
zLVDA!XB+2JFU6G?d9}xWe}4myCA1pHuKnnYZhGXRY0`;t==^Csv4W$l3SV$iO<|34
z=M3g*pj3&3$|(L}!5E*fy3pw0RV-$Vdo$$klWzB44qv-^%{}kmN5?T5Bw|<Am1)TQ
z?APGex4;EIL`5F33)R$d6m=AU+5!c20h|3qz{?k=Dcg-H1>4P{-^I6QHLi89wsQ{&
z6zMBb2B-4C=HuH-Ezg{%WG!W_iDI(C^B_(lx=kkiVj<788_=zdjB6CBtKiqrc;Qr0
z>zm4d??-6%;3$t4olU5WX1@7f5NQ+m5|8c~Pea9u6-6=0Vv-H3Ak<LcwhKb#!+NDI
z&fnKQg!`6Kk)L1~1s=Kprex;Q0*mru87Rb*I74##WN}3*oK8&u2H>JHuX%!pni{eY
zjGFIUuXaf_n3}PEAys|Bq*WHO6+6SD528jW2q0l0PE$Q)HY01ak$a-H;AG7)pKnH8
zHw1m#AVGc#8h>LA2bnEA)lG68EIC$GvkMnirB|7HYVz_Yz>>w5p2wq3SjJC|RsB?-
zM~{9QhO_uLj;M%wo%^<Q;>zJ$@*wr5QNfy@8Qpj*A$Kg9r^yil#cf=S4Qb{%UHC@b
zoT_Y;w@teK9N%WbU*7jw`Vnw4ze~C3kR;t*g8p-D9=U=f&0xLAoLlnC96+WVJ!|wM
zx_9~Lj+bdW^ZYKmxlhQz`6?r+85H>Pb&#epA0^*S5gv9blg3Ot@z|rZL4sEDEE5V~
zNlYhH5Ht0pKB&HG4SRqJE`6#4Ms0<{Bu}i|m}bY(r0=H0*l?C(KtcP=4B>b|U+9Eu
ze}5;W`Z^<=5$J86h4NXYI($Ax)ST@B7&ntfn%ov0VTODh#wUIe&x9sEz89KA;Cw9*
z%VaiJYQ3&<i-XfCs#PLlwGs~P0q?3aNlCjMQ?wWLq>8_iQQ%`x@a&VGKZ9(wC4Tdh
zy7j|nZp(H1x#|qZ{fNJ4f?V%9*Qda#jnKNxIaTsPJFkEi09O_TQP0q!Pv`J1Aa1xY
zrN*m(&f7R~-k1EEe7uiNw(s8nL>1le?CX3zhfh5*KraN!jt9ixdlCXzEo-P`m9~Ze
zx_BLK$h%Ok+C#y8lgUO&bqW(LusBOBv*rI9UznhLwE{9gtTjMd{JTCFPU?&46vvaE
zLP{^X#X3O(ah(8z17ybKfj)lEU?XuMd{R{Gxl)$!1VBbMV6b;X^~d&*Go@rZh_c~}
z7X>}1>636xFi4mu*t1~U9Ox321O<q*lafu|;<05r(igl5opoFhjgN@nL3SE{?9<#B
zcJ(2d{9*#x;O28GN@H6$cJR2fs+3zzG#I8qpeyeb&Jw0zo6@nay2gcmr<_JG{4~(I
z7V)rZ`<c=5pl2~<%9%NiD?@lcDHW`PoUQIosCQ-9Hf99uMlpdXsC0Wk8^D2Qpd%0A
zJA{N<Yl6X4-Z2X*F(&x2xvETi>b3X=!Pwl4hcWeLiB31daZ-EX=4&{d!Vx%KBjK-P
ztlq19eq&nM;+=y?rUhWBbOfd1{gQvPf6@JifgWqVcQUu9#?XXXSVVe6=PTj{N!k(6
z?;*3M#dI|>?3b%`3GFOwyAw=m3?<_kr!I67u7-x`?8W0bOMjOL`L}~%L$38DT>w;s
zgqT$TDXFk+<A~J{vOh0l>jL(^og^gcH~?OHZ5eWHCfglLHl{1gP3U-xiq(A0Fx)V%
z-%b>|DG32B27q`G7m-qlFoH;v`I87nY^5^z5VZqq6tmcvrgiSHyW@G+9r{&5<G@9p
zQ&-Bh$&YooVC$NK?1a77*7g_HFw*$)`1l_P5&Ck7*~Z#4U4x=rtPv{K-BLC7)01zO
zM+4Rj6{omK`*Y#wP{kgY0CMUXl@Z+Sk?+t(T(?^UOuyi(9>oPc$64ivV-U{EGRO1z
zF9P0W3Em@MzSuMcdW3Cy)}(GeqsL5?)HQObWbHIJehg3O=qeppwBf2k|CCBm!LL)3
zC&b9Ub|%c9j$7AaKb=`7a2zG~C{o~PLRqYu$Wf!?)%!QzppKk%#jL;XZoTfOW+|dl
z?F;ukOE_<}Wy0f-B85=u3ck-E40@Bad^>N#GH&kBxKdrfz(j2<6nT>QO+;LkH<qS<
zs1<0!;R!mROLE}3s%c-F$s;iJV}dR;_0Ep=3*|reQ$))ayzQas0SF5_Kp0U`%0dpN
zQrb^(M<|xhIayc}QHNw{^l1rrNN|8aORXwwG!lIpWi?B9e#)<?+7qar8>l}HwBP$k
zd1Qj?LQaa^05|yL!ssDh1?N;sRjW=z`E9QJZsIA=W_W_@R-SfP77ZPscb|EJaI_~m
zml8?UbKnFS^18x^RgE#;@#o5!IchM~ov~Cq&x9-D7IZ9sfgz9ptnxeG1}&j6>$}1v
zC&WZ5f2e~_Y<!t@eMoPsNSU%$RZ~@dxLhZfdu^U`%+4_CJk{}3)w^qT`XD-QlN-7*
z7KRr8LLNRiF$kDz{uvcCUE!3DZK3{=tk#MI!Kog2H-8>zQNC+O7{Lu`*&2{=1LdSa
z;Y-_APelF&lL_|Y7TkMRUFM&<-m?GowYU5GF1|CAc2+&n3q&#FzE`^xqH;O%yZY_9
zfa)&x?p4>)!Fc&ehke3X6y??1I`KQ=t|?7qesV&!ZTrKVW!obZ9GIe<gFj64Mh{hN
zoFK@xb}u8o^G(;Y0l^1WDiM&!%ZYlPA}dKyEYaXJi-Yo@1|ZYXc$dMU7)rl}jbf#_
zMXZJXdLF*IXpZY}#5r{WaM0tGi!S*Jo`5e?mJ3b-77|-HV>z3rbHn1Ep;fMcTq}Ab
zHuecRnKjzcS?X5EeP0gTfW~_D%(Bpk?_i^tbMruNV<0T7q|TH%HkPaktbn^Sx|N7K
zUx3fTV^x*5%JMw^#10;8i>}Fp4u{XAD-a+#fF`!+k_o0rAtSIH!8rd}xuvzzobP}p
zTTBX;R(#R2Dkj5q{DFXh-;Up5<x~lsBV0feS>mMy{4@GHtKb#cnkc7VTZLOm<@@IB
zSrH$2cf>81?ZGO+)07G64B!KubIZzUgWNXH48DZF*3vd;>&!BX9!e*FF+~p(y|fT?
zNCS&h>HJ62SdGicKx}ZcO$SR+U?Rd>z!7AraUzzYWqBR{uPvl@<D&=>6*guTvwM%j
zvsXtA4Xv5<gL3kOxN0;>Vhy`WMi+TgD_ekJY%@^tG>%^wBlD3YU;kG6bbbDu_q=-P
zeOS7FC06t)1b%^TBy2;HX`F~-4RPb5QQ|{BBVFiOxhjPE?&9k7$WstQuWJVg^wY{|
z=P%?z{Ek7;n^5#XtdL#>l9Wgx6;K1Jb=JCm?=@jhj7N2IyITvw4=%sv0!qbh|8}Dx
zd>2?3Rg>=k*GE{O`=CdI{Z*dR3N}iVpnjuY&vDbZkR(%IKNEDLA1u%!E&B}c+;>dm
zD<Kwt_DiRFuN0e3#Jda%>UjiwiWyUvdko}z&;mvl{1YJY;>HbaWs4JNWR3keu{p?a
zn(cDz^z7xp+r@LsMzh*&U>|@##C3{%`%!3fQKl+H^BGTc=!9RmfD#tI@1eZDsiIsm
zTDd4-7%pn1JomlRmxvY;i?d)ulRmxx!_-O=3d(f^hw;}bLR*VgWVLd!JP96!WW9QS
zScVHKu7c9)kaf5A<XJI8wd3#<1oJP<$i~F%wqeX&6%hK;Ce-A|mRaUD1_)I<jrY@M
zyk*iKba675;|^$iT@JY<3j;~8VWc)ku%?JONe<;oExI{bIZ9X^oSu#kFXtn2*^Lz{
z%ZR-tC|>(>lJf;)rA3)7A*xh>&nQjqY(~2iEDanw5YJazU0&B)S?g}-EqvNITU+bf
zT9YX<CScyRvm|mJG$}Zh5WEuEG$>ur{f1nmOG=0Tt>iBwm|cGtYT-<)$|X)G;@Flx
z_P34DX}0rY7U-xXOjFXLhkHoxdF)=k4UJNo%)L_ik&`NEG%%`7FTlMWcdb#X9Rv9Z
zlg<v!!qs8-zm^wq`EJ94h-qN+Sj{g?b?X>?t2HcoZ~ZViD-8*Cm1Fj_oNEo!!u2SV
zgIdJXW40zACo^}b)lyA5gTUj6z4zxmG!Xx!cQ!cj4=$)xa;7X3RL&mSENIoaEf(1&
zlN8D9DZoUx0*&JWPL-j%(Cbt{vXI<=0VG|?4TpTEfH;uXt=oDiF{`*|5`3!YJ}+z)
zzu|`Cx#YuweDp7Z9v6vRZU-W5maRiEG3MJWE)R49{>_XUL{<<Q5^m@lt`(`J8KL0x
zJekmv?DCwZy???7c&+-zwjzUOHXGi6kzK1umISeaEMFK|P9=71?pL?5y{<=#ey_1l
zsl)~JT$<xG^QyE%4eiLwIUc>6weNh{Bjgab{p(Pe&_}~uz~JpSSV^jchESF@&fe+j
z=>i!%9*?{DH;>1Mxr<{v2bTrgNJ#}MqtWDC??F9=*HvG#DGabXeySE2zF9~&s>ag0
zp{%}dcZ)jh^+wP8ml*!W_s-|@^>(|P-}Q~H&a(Q<!IHZy1yf26q~%JFj#p)31pbT3
zKjrVvH;6@Rmz%Ax0X~dio_Q56dWcK#84`xRmpMV2Is$do$b~djo94i1%7&YQHVFq>
z9^l90&}E(!$8AfLM~fkQEn^kYRi~`gdkg5Ryvpjg*tL`80sCfMK3+~wPv^B}UJ=ox
zQsf4dNYkicjPvq3mrW8Sm%Q@#;`-@&P{qV~_heJ*M6XDwb}61#?nJCPrKH8A1`vL$
z2&^V>g+e>8#mBt!H#A`YT9<-qI}8@4UNeC49bTyDnO`@`Yq<O=iZCT6StJf@`tf)M
zr_npUK-hgEY%Bp@=ai!h^jYCE=$CuN*lRKw!LsHf+LUC!nRg%vp98*h1xJ|ORi2Wj
zde`Yuhc$$V56Z_?#IaF+-*h3>DOc(gZZ5#MA{2P6B|-V^Q*Q*IVzAGSI1p*%JC)(N
zXGaY&)+QY711upxUz`7s3OYBHk;(n?kNxZ{t4NRaIfU5IN+|?Pt;55$gdmbnpZ7<_
zpSpiSwJ_{9Xr9cGFox2!4Tu|}RH@}jIIwtAX($gYrX*MU^w8$x;46xJv=;i#$@YC5
zI?nmH-NyI6fAnmE`|SOs%Ra&m@?p4T)|pGrV9AH(=9pUnOyISlw-KygT6m0*><%^x
zeAMCg_4X~F!T0sN8`}NZ^|`vWySs_s`8_w%;&-!~<%N&C;W4uaU6^nIlNS!DD%l~5
zLeX+=UuOKTOC+;@?wGaky)Sz@;ibL!e@Vt%4GJt(Pyv;J?I4L(n_K=U{lQDyD#Gvy
zWMaWAie<23dGB51<w40?5n|ujCM3h41NuxM<P|r75fu@M#+{?lEkdB9yw~S^ZG`?Y
z{#<gtxKAb~hsVdm!*d<1e`?`BM`&n*Z;uAWI$KNl1H;V5t|G1CJlH<yWWm^e20Lbz
zHkpEre5xgA0}|tfKMi5@Y#QN-C6mq_!C8o{F!~83NRM{?KENDt+O(hdn3*9)KF<Dl
zxTjZ~&@{A$hmV`mM(BLN9zA#b>@7)b2zRHuIT@g7>`=Iw8iB_LU%i15%Nd1$OdoxZ
zf4z2^W7hU$yPZ+oh8qi>|GCWczT7rlgC%F#MMtHns!;8xBk)!az*m=ACX;cJ-_lS`
zZFGQjZaEcmKT>IlA7q48GhBG3K>S>%!68AOT2a1t{EzRte!zkTp&eg4j-093UiN9I
z6X^mfVTp-?At*4#snX2nMx}Ojm>!%xX*zHDa|zx14&wKC`Z{i#Iy!RJS{0ssR!dKf
z?WU6B%d?9gI6iauex8or!Y5xZV+mw2_<WuZI~OmIG9$wp>-za5D)6yC^UoX2zB$wH
z=G<t|_N=oNa&6|CqBW2qPT9aLWl<w!r?5(F77z~bz4^Fd#mHiEygy&bzIoqU{8oG1
zzCUAp?-FvpAHDcKUY0JsTpIA3p!0i&Xh<P*Fg98;_|onq_y28{;@SE7%yFI2T70Eg
z9tZFbZnjeMS%=LaR8`fe7UsaF8Qlq^*94lLDUwV42`>7C#bR%&)LE;<s@Ax-lG*Ze
zOGB5_baU9zNNzomz)A)!HKVVK!L>w@^{HwuTaXqhT3LS|=2*wAQJ0T{S1YSVK<t)B
zKx0-y8Qgy6!3F5;GxxoFyD`Jm)e>?ef7%+=OTYw$a_B7;x`mU0f`o`dG4gBfyv*d0
zN4&uXVSCNoJgARa9LTpVg%#N`NU^5g-qfK>@G7^!SV$fyPJt=Er^cyC%kpg4bNJaD
zh&9ech}ud^(N}f<H~nfDLIg&?YGpu}o2W<pbfePbvqSWJJQfyHQ2!=Q1cu5lm#|#v
zP3q^TV~|p_M@Ln}y|OIQ4`OKO4O;|(kXvAYsBuNU$U5YyBCKCt&H(bm>KY$nr!hvC
zIGAvCmq<7x!&;0a%@ypBNc<n^iRs0fljUmxfWM5AgC$i4Cp5~o*(Kpxs|1Th#_{w|
zJ9<AR?lttXH#^L~!?#`=-UszC-oUu-m--&iN%)E{Jocu2C8h|nusBdfSkWCgxX{g#
zX{pjp&mYH57sTLYqjPwDJl_uHa^4c`oY^hdbk<!SzQ=CE!Z$Amgwkyit>;HDeTrcf
zntsLzja1?tGzK_YZ)-K0G~n74N?2K#D&2+2F%_6KX-%dp3)q)Oqd_}NS=(KCS_{*-
zxU`?LZLTKJP2+igh0uN9oa28#9P_=u()r#L<V;?F<yt<qzITzr*d<C4y$4xgfm!VV
z@cdg3lX{rYy4;)A{YbRqKH<EG(#Wcwk?T0zu+o~-q4nHUS20-&g-WW2l(g6GYl(Zu
z2fU!UpO?{9#%FP@oEwr(oKTm%ND8u1V4j0ME$07HcwsO#kVFjJmC>hbAoW933ScQm
z1pb|f$;3b2ccM!sSIZ2LS-obv`BrG3P;JGAfCIy`c>uW~<S4`m199Vt+RmF<!}=83
zOKt<lQ%s6xl1T)H#2AFQ)N!-hpc1c011(Crdp9E8$}kiq86$rg-%J+a^{1f?U<I4P
za3aS7Q`psZevgF80vvtI;RKCWVQoo+7vvmBC2n8#LmTN@742~ci0#1^LYjk<Zq#_g
zyE%2{2w>YqiG>O1oti088+5j3BZKbvvA+5^scg1QoP5aO7a{#zR`+TZdk<1`tOT4M
z%geXyvO1Ri3A8?ZRlQSYUF2tTJR8Lm5-xE%HBuq0O%Meq>J0tqAWOTm_YZ-G#3X@N
zdkAR~BSknEmj$Zw+LUG+Cf78*2bylUsbVVuuXYK^kNKT1u5pd-jqpL}Z_3loaWOLR
z<1kw8AL+wlg0C+0)$kAQpq3eTO_$C+ygXk=r$6bsUq9euy1y!~mq<&yby_l#_D~4=
zBU(%Dx1KF8*(fTBMomvrVaF(xNR*UpvB9@pY0!vmWVq;e%1bt|r8ITW%OS2(ihb0Z
zWSY`u%Kx-Raha#jdbrfKsHs3>Q-D{eL;$~)-UxB?^4R5gKdp}CsOEf5q~L$vT<Lv1
zzT<yC?)HUL^G15gWq3e11A?9-v3r)8bya!(`(A6_`~1wg^n0ROsIi|QwC`HQ$;#&T
zzFV21q-SN0fTmQgp%Np2L)H7qMJVLD4@<>MMvSUSEH7&!Jh2ob4L$>=o{timLhlpO
zhh5O2pjYJoo)40yyu>9&!#Pfx3IsHhFD)Iwpjcm|B$G%?{JbR)5@&na@1CdiG^z6L
z<y1N4repb8j9rVE2w@agHj}7_unms?wpB}<Xts(*#u0{<v8SvstH!zR7RD_~+j$I}
zVyckvN$uu^^1JA2`eK}UZIdaOt<ylGd<Ui=ap*o`3QazmNGQ_DNvbNTSVa|X4_{s)
z<SRyHFK?&~t)*jrCYk`A{v%QzH5K9l9~v(v4DK#P<|o-X$Ith*@Na5Ukh~wMrhVz<
zd!(Ut9D+Z0g^(ebalA3X<5P@)dYplr%!K3GsQ145`P(5d8jNGdjJ;Q_;*5q0*Cbg?
zbbSD)_h5nz4j3;p&dRzdBVQfaU-`~L<Zh!z>m}O)V<bRW#wh1d*(OiMWk1hOfAW1j
z>2<$7uzju~_i#LZO1|dJXA-F%b&{xGcLY?QTwORX!s$9mWFIl!x3YJDB&NW{Wp9mf
zS*H}k-}pT+T|JN{+O1^6>AYu40r{FQpDV3lhPQKQQ(tdzuB>k}4InJ?L*B&S?F?nY
z<y*a9eS9o`zs>B%<a`X#b-&1cpZfWH|IAUn?-;(MU>Z2fC=q7KWy5_f&;Gajg=+fh
z+q$8X#csy`Hve?5Rx{^MTg9j{oLg%*c5(#aQj?R6ViF+)I%Zd&B+F|e^c$$VYWkHM
zYXK!Ij%1_^G)JZYy@3*y;bUwGJ#}r`ZKXX!eXY?F$4r&;7#P1Nzjufrc1!%84$8i$
zRjV|OzuLncM4YO^PphdrPMIo7e2A|31e*?xoXkqu-cklduNe@6EKy2?7qL<rHchtt
zQVPce%)BB+J+*a3FC3W+XAeq}yui>R6<<v_X+4_O@XO?z=mukQFD;4iTt_*;ioJ7c
zjB+L(u|m_xoi%-RD=?!#%^%T4hVyX28wQAkp8YIvCtLDQ@wvDs(l9Vro8BB`1a|5?
zN~=(x5QGwn$v(v|WF(t45}*>A%q<tTMG{5W{TIQhQ<{BSm3|Zxct?z_%cuDTf#Z8z
z8xnahpEiUHB*9@6$n~Q63AH}Taq`S0E?5!cT=^F@p!`Bor;NSJYO!9P2`8U4^XCW2
z@Lyy8=OOT*+5*#yWAGr=W-<--XCEgSa(>_Ie7<+<31WJ%mzWT@7NHL@a#<lon)v#d
z41><zj-96vOIm^J%t^tv80~OG-I}m@u$%m^l<E%t7ld3ZB6O}JhIAt|Z|0eVncKhH
z%di@^D1Yg`61slA?l&|Ph{>JIudM6kreu6s@Z;udyELcb<KVHLKUI{F<$S#PJ(OI=
z_}#sP@V#dI)Ovojo>^qlc8guBd_l^>vixt0xJ_N#y@8*-+wF^!s}dC2R<T3Z8aI!p
zWJ^~cK0hWcjp;oHWp_{>l~TIopYDU$A6CNotgsmb!HKH52cxBCxG2@tP^oBggwR|P
zRN~nra8Zf{l`dFwcokYmK>p;gR(b5GE$Zlt7PsLj@}-R@R{T1oDz(YNsI;*92PX&R
zgh34&`_x?2bE*P5b6n$(nFc5>Sh;5O{4gETCYagEFveoex)?V_3CrS`I_BaXbe)EZ
zerfSlVj0zYOGOW?uLwv=#>#f0u=cciPEs@|A2&RP!kKx_uwgL+Z3!l*u3M-Iw&d6%
zsoi@p!UM3iWA+Z4f_`8qSr9vho#TeSf>c<GQpUg83w9@|q+SLcR0z4mZaH>+4&3%T
zV-{iy-85-`ixlKnq-r5ikM5_aF>Qxs)x8uUJ^^ir6O5-ZgzJ~a4jQ{0$|UzSNcEvC
zlk%pM=uj{PJ>%+)wsr!g3+8WEI2R4D<$N5$_q?XqeLcLM-p0-82<7nPF|~FR^M)#0
zuKT)dW#`y&%d$>gVHpch45&fn=-{>*j`AhMWPv-A6;|huoqLU%p0;Cnn+49)YcU|?
zi-AFL(6p#i<CKiER47!bo-Z`0tXIp*W-qxoxw~iR@<ZCME4$flxB0#QNt&|A$jr>(
zd)`_K3JOMIzRvi*>D+if>K4G~rlna*sHoi=S7iS^CB>+C=G*%I(2K%veMZzr*gGjU
z{1h&31hI-oo^l}8Pp>W5RLlgmK&~$LCpz_;sHxkt8v<1;+qR5TL0NSt#=+}^%{3uB
z4TX)IF5*c#q)8LV=YCfdQTpu!B~RaZ-U&cpFKI?7QM;rg&04H~dUS0LZQ5Ll)-bHf
z8X()h<BNV@^l^o0KC$IQSDf4o1h{s%$&sR9Dz$(q!Ikfy(_=O~gN9OpoBu@noV{pv
z2j*0SX_Fi2?H{aet9SW>=fm*#5i-;b=b1Ln@vW(WN8?KRqzEFi0m(UKZoZS^ubx`#
z{t4{5%v4NneI^Kr$b3xt2ywDWdt!+3f-(&hN<Y!3{?d3+{l=EFJ+I^j!O*SqdF@LR
zXWd@7Wsa$_g)ua^R9X>79hhNbaD@UBmgRGAtl}46VBE$VKBHv=^4h!p7+7Yt{;f)d
z%hl`eOE$lk7C%mphhNW^FbSc$k#a<JRJI+yO&T>zI$o?W!0VMNur`I)Au7vb{YfQq
zFyk`?#WPXO*Fe_h4kTh0n1;V<yRYxl)$TYwx{V>0&e{3*#%E>0^i-<Lv@Ody)?A)a
zyqM&lX1mw<eC|#TR%lY*-$TGhuyoG6-b3&=*RJ8vx4AjK9$LN+-tS}BM)*F){HmX>
z9<jZZ7iDl&`2O9l8fE&uMA+Nc@P2^}dKw*7ujx_SUS8tTJ|#bT>#{UeSe{cxCDVi7
z6V?_Naq7v}sRlM9Nm11UM*7nwVNMU3A*FN9-QeonTejjlWX8dw@{uhqO1Eier#&a_
zZq1nktuT<HGF)u5q<z*6Qj0c#cn6xcF9whp68S!`aI407{m2r%OjK;%t`|69rF)f_
zG|UKVVsSxe!yDianEL_4U?f^v<efv}kWYCIu>o1xtgag~HBcN$gx;87pMtS7GHA<#
z8L7WPWG1Q_MQVsaq~$C&yEhJk^^saz96+ndi;iZGMK+BjfA<;dW|c^f)IhLB{-wI%
z??K)McI6{21E11>f%_2fLu7$S6|=})u5WXZ8;@J^Av#H%uqYHU1PJ+4Cl+Nov`qQ5
zc{I9{t6Rj#x3u|AGR*_k0W6-D*V3J?lPe-VHv$QCZB9&`Orv&%REhZY*bA)9Qk%J5
zd)4=s$lZjU=I}k~wPV%Q)D`}gF^pJ&hQjQW4%_P)6+XO#ip-*U7q7>|y583SzVCa@
z=2!uxOJdkedOP-B@#P8Dnsb(1aQ8{e;_w2v;-dXg%~bpOEKy<J9SaQ4QKbMn)kTr;
zb9rFrCqUc!iM`72`Jxz9y2dH^J4nGCrfE!SUk$?cqJVe+&ux#?sq}K9M7|dAkVN`Q
zRV#d?BJ|5*k&MqH1Go0}=P$48F1L66RqxjW3KFs&Y)#Ik7{6P+jMc7aR^)!`ng6M&
zU{t*G;lf>A<#7KP)Y4d1=W=?~Wm?afLZ7mp`yDk9-za5IU7lE`-iR6WAYHvXU*j@4
zgf|H{qN#q{L2dS=gYKktb*X$aqNpVhn;PeBkj2y@5+#_12{F44ip%6Tbl@ibOTNIL
zDT;lu_~Ojczds7{rX=xeLhy9?EWfy$Hdl;t+fd`sM#Cf41UlfVTE0ClKQVe0vB4om
z|Ei28T1ky^!Eh;o(3*pl-guTNGmzX$bWCtO!X{ERiRPX(a(7tE#&{KUgW^E1_ud6G
z8&1i^epp>}{sk~?c-BlmGiwxJ!~|dTgX$ck)Y%afMHXVOU}#D6!u%*rCvNDg$UWw*
zYf*KwFmu5>zOSTsA>JN}kv;PD12R!e#sz(w57{%FrcYw<;a)OaQG^opQPUZ+_T`vF
z(rYbFZP9XXva@Z4C&RD_4Ghhv|6wR;leyaA?N&|C@5%1_ZKCJ9qn5XgCxj+2`sl;j
z$=5f2C*2ynX2@sdj3h{xWzFoJu+io`&%lJ6bC;)-E0}<n#1r@&P&wP{<`l^(Ny@Mp
z&G70SydZ)%Bl9o@Y{03Zy5g|17*cu0U=8eP+W#V%p8K$DqF7gTqCI^MRWcM;70R{L
za@|%HzUNi~-p%i(Zv@}R-g)cm^meZ2`z_~$_-;Sv`_j<01^(wX8O7w^UsUPd+qgMh
zhrCs63+BPn3b9zB^oKehX&YT^q)8%c?`zUyAt#}-hSWO0pjR*Fi>QY0%wMM29ck2e
zZv6h`Hh>AFH41GW<#}PdL1B3|Z<P@Q-=JiQFJs^umvI1FXH8}*0w;mNY-Lk_tO#=(
zIR15|p9p0)PLy?{wYSv{)-99t6M(yysYc6Kz>7Yjv8xr=q`oV8tXB8h**<zvPC{0i
z;c)Ng&mvla-d+Nhen6^sGX@8|9Xt$@8fa_Ct4w$Hxx%s)NwlxVCCMJ(4KIkBH{J&w
zeW~i)Jp|~Lc2xpJD-NNsIv@XcRsGECdOW1})%sY4@o-Us_6AD|C-+*QxDGD|xV{kj
zF_2_5lQY?3VG+@9ZBdnup?7P@PA#VCDF_c|B`oxqVPeb_uSQ8^>|>j-tVvcmyugk6
zgS~jihq8o^<v*F=b<f*jNzeP@*w|c^hs;9vbE@G8*~ri9lkteztMY_89rX6(qvQe$
z?!mnC5SQf;ea#mu;088&LD$)_A;p3LlbL3;V4G_&-H7;u93BQB9h~5d=)vx0!N77a
zRnS^{zUn`xyUVJSUnA!-6U(Ucrf-v#8?FB49eI8?HwO40RbFn}JwD<guRFK5*WZUd
zzkFXN^gdD!`!-o+Ejj-F%B=H<{j-m*UGA&RLQcdU)J3P?-vC2!nSQQAeu!o}!e@MZ
zuQD3Q70gL&$BuKnu|OWXVZYQJC90oPqGXaNOo7=YQE|pVBt><)t|pOTSN#Tm$comd
zZjA%P6-BLQ7iz*7Zn#v}zJ&k2bsv$g>ASM422%WY!>f05&&IkQ4s}XwfOUDff%nWO
zP<)O3oUY!A84XgRMu~zA=HV|bBFgA_o!DPGNXY8~+W}(qc{e+!I1i;zjt1JTf?7@h
zxGU0BsFKL7;E`7xI1lgo14B`hnFO%BPnWe8UPim{i*JN5I&+kiJT3h}6h^6zewO-(
z^Suas$<ZqM*rWhuby_SSqIMsWUrAtE`s~>*)KQ6@(fQF0Chn2b=31t|X+Mb%rOVB|
zEgA6J<x!`-;NYp&Xi_o+_P8K#dT8`cf~m8wOFh2lJKRo#9N(J)fw9zW^DH96Khbl(
zzIwj*zwci%YGm<z3i9>fEuFT6Y9%UM)@P1uWpv>)47zS5a^`xhVibjn-hO)+CnlRZ
zofDt;7~0Oc*zD$SkRNt5FPt!raP52E5d;ThfZy>ss$v-F-vM3BKzMOUrQH-?Tcpo{
zy5O;W7TX=&*sv}svm{q=b9Z@J5d{Hi4~274s!X#)XS?6M6k_i=Zf<&91E*~KEUA$5
zyPvUedRplDS|57H|DWKGZHE8h+~8+6m(xG1g!}+ib**;UR<DbR!9~JC&Lc)<t?V+7
zx<itY6<*~@TZfIVkZ002kWZBmepj$|22bRHuuQ1B&QR1(_wdo!^f;%bmTN=e<E@Id
z4<#D*s&N}<l9}nL|2nv%d(Y_&60<>89c0#*R>;Ue=CyGyJt1(|QJwDL<nHD7z0_AV
zpauRu!C~N)cuja{+puOf$xngl!XPjwa>VD<K^N%76!>lk&?}E2s)=~%ZEyovolf`&
zOyIi{&+%Q9FeQ8=_dy$lj|*G6ECkS5t$tr@D5Xw}+XQkYr1m~;19BMDeaR_BrdE$K
zCLg}@GHOLhMsRes^Wh}<f0%j)CQ-PUOSf&?I&IswZQHhO+qP}nw)?bgd(L-f?mJVJ
zpRj9XCwa1x!Aw$TYLDLl0GuI6jg;I#Pb%pdkZTsG9m|i9NZTDU;YTgos;SB+400N&
ze;f<UZ|Z$ssKu<<IWja&G%*0@fOV?3F5?ARDT~Bb$EEHm`3k5eqoalU!RPZcLHE1=
z`|}moha2j$m*cgUlMU+$@mQ(L+)`On&bm;x)Tx8KYUd@1PZ3Z<7>v51)!`V#2>wX2
zTnP3w1k~2_w^aFZ18@^$<^_5@F#%#pgg*_TWWo7;@z_uuZ;zcU)T%y2sow4o9%DY>
zqc==Ko2jVHiG>!hv;XX4+nTfdgbUfn+;qm#FRu1tW;Cw`|ATO+_wy%?*YkEEi7fBu
z1b^)^Dem{hFYmwB1Djxv`c9|c<wRM)@!tHC<r09~+Pn+48PD?cIa;-Wk1(6M_%MZx
z{1PJqt7Ld3WVdqvr^3lkCRE;AE7r~G^lY<d@Exg=5~Hbdk+!ihq>QO)ReF|6lhviU
zM6-&;5#69OF!VGA+T}2AZcZgeG39-*8CIwLCbZ{rw?Dio?LbJS#`Np!>n$$cZm&yw
z+x8!V!Qt%c@;TU{<L|;9nSX=15ssFp(uY`dxQKOWRLEIGX{3368eNe*_vgHLA9)@C
zaSVuauelw+WIK%sSMQer8A`2frdT&H8zd0r>>4aGDhSc-Qt$F<eFYj7kf${(42h7d
zm?_6%L;n^hl&)_GP96C?y2t_#af`W()*zqhzgrl^4q&ol37?J*<=l2>-Rw2cQK1r=
z8Wek#2hUP(QH!|^gaR=$fR@X6ND;p^zLj@3sMQHEXbg*x<$PQL9v!|1X|o}tyimD}
ztb=<ntBrcTKkszETYG%IcP<#LWO8^d*OC5@2>dPgEa6uzPM5YrKrB1+@VEumHkp{D
zUYCES(a6nS@to3p3x2IKZ|mCuKJi3+)|NXjJ!7JZ3~wpn)sD9*5{K;#_?c=AHT|S}
zp=YTrC6iRxV4j>?%o7KKpX{eNi)3cdACIjC@R6R#%5n5L=v%+zJ^A#~M-1m$ujgOk
z`#glvZ@~H9?t-?!;|@<Q=YGD4S^q<#TE;fM^W5})Jpt`hmDSHr)Qg-@Mr;H#L7)iX
zYtA-u--*lHGey5}TqZ$v#TT#zf36slb1EB23n@=(G9-um86%^M`MsNJR--CE*4H4P
z@D5i$DDH)*yT(IK6p%t%K9bDkMKxIXGi1jcxF|{srwSugWmVTPcTAN=Gm=Y{Yb{Kt
zMh@)#ZuRXt(&r$fms4s%z9laK?8KhbTUT2!?MZ8-Y_igjTy^8SKo3M}xiCPcMd4t!
zg~V0lS@^?oDUrdj6`#zBm=$l~2`_hqc^#sq+r|1jLs0_=Ac=<kpbwJE7Hp~aFFfo|
zYm^Z96*r@BeD*0El&TP?XS~wSFQ430RXKp@w(3>kI@1Q4%?6d;Ym1T9rRo}>7SjS&
zkR^<XZ=)oKU5ZcY{#ccxfdgXzYq3va=`dfLBx<YpDun2<K+%*m7zCvyq-TuSc6*}C
zDt94M&*fbrW!ludV^vqKhz$Ntp*QLUN7@Bu_Z@Hf*h$2pfVAWCaU}JAJ;DFpx&5x?
z_5LV_?Vl(8>jT6=4lPMlV)5{Stjn#^u$6)=FJcR!KOt}eU6YyZ0N}yMm`#1t%P6Vj
zBbD}ZvlV9n*Lf_6oK@onPNLJ+efNU^;xHxv+aoMVIQtY&61US?vDsZURw(nmwMJ>?
zjU`$7{{ojS{mpUt2VUQ&^Mbv+!rSij?yOtNJFK{5Jx9jQs62ajlvVX+&cwya=Hlgj
z{iWme{{8;EI6ptE<Na^vyN+je@7JQOy+}2#ISwQ!d$nb;1#qNDH6?}?7E85sfMl-o
zd~+DE5@}luI+IHLHTut=W%P|MWyt-1HWz^8;OjPp6d<|7CLYun;ZKn99kqs~o9IEB
zwaw6hVUr;X+VN6GVl@O3=Wq~26SICnvTGRaX=v6j{OTy&TFK#mCSO2pm^^eU1e4J#
zWCtIbG<fo8(4J<dt$6+z>t(={42M<J3ld$@LrvlY7;XwErbQNOMSSdlbL=B{$edq?
z6#1)xC_v<hm2nIIq?Elv93W@S1Z+$}8j0HPENnCe==<38JCrGD3?Q*SN2oke@em(_
zd6MLaVcTamZX!4WkDSW~VvyDKC9fc6TZ)+B6+U-^1ggZRw><n=7T}47e48M5HIfWX
z>aCnSJv8x{BzF|SlRVWoRo`F420s=I^dcV?4A~aZ(jerPknBJ9CcG_DA}SC_Ur{kx
zU++O{Qf~iE=<<9FlnXTXNED4IZle-1`cu2<dcTW6>SXu+n7hUXuuZW8U~J_AY?`1*
zsr%Cv)iYi<F>;A{=<=>mP#ysYsz;GaTUEs8^M2{~)itK~?OW%n$K(4ok_OLu{nt9A
zq>?u$L@ATT?Pgb#HZ4nrt!P-Y?C~*{fTyIZH21pbGi0{h&ADPz14l6pA`-scJzI)@
zowoiax!`?wxOPXsYrZ{LEJaXD+%PV9z<o13LkOqZl2Q!c2i6B{)coR~;+tP)xjOCI
zcH&hTF{{y7?`FHcWt)fH+%J(maVW606qTK<%)jdSypQbu>|bxW*)V+$<h<f>yWeH)
z`F^1DeJsTJJrxBN75#_LZWirzE#2%%ox&fs<}A=FwT#a@T~at*0ZX-JK|H>IWcGxV
z;-GaEu+DruN!xB1e&pZ_>SrlZjpOR7zXdcDjf)`(-t(Vuv6e`9>W)B4W^$<92+Wk$
zXsxzPE+!cogQVvPJgOtl)~QV|A#RmOrzN~d(TMoHY=^Lt?|X?KElUrXh*&TD-FR4@
zG0$(QnMvE#c0t_MbJgh)wm_f}w*_OS^hj;58%c(W%muML=(psE#72Y4(0d5pMy*nB
z4BGK041kQ00&k-iyiaZMiYz9JOhEzU&?1+@puSOZr_<;O8`G2u8iB(DgPIfVWi&1C
z9U~7aJD4RPCM!{{j+}2lc%nq4oG=6E6`*I6ttYN;#0%Q1ndY)h*hX7(xp|b)py4@r
zG!r!oK<Mz!(xQDpnrzQ~lt!FpuDI-O&5u&R>M`I<S@iB@=iz+cx%F+cWt-}GKMaFc
zD?9ycDi!<V5jBTUY?PoSE^V@XZ;Je3+hG0=_uDHZ1HH=fT%G>gGTk%|mmBYOr7;J&
zy0!^3uoRSRWl615QE;j!bauXJ$OL(AZHIL#Et52SI8;#x-#XyWhNdCJ-}HCZdgIJP
z3SVYcxwi3%v`R$`yhWY*vb4ZzV$9vw`=F<c=O5Y>HQ91~a(_4m9tO^g{IA~uFRCUs
zmgn~{A?Np$^xs1uJ-F(L`yBH#jugRyp3ev<Dygjk)dufm5uA-b-_SN=)fNWJ1uLH>
z|FM)KhS@VhIaN;8GrQ+NiH@Og5u3ncbTdVdL%+mT4iSRl(iJvbu~fW~Gno;2ii#vM
znv8xhqzzFPgp*@`EOImzh%-tf7p9j^%?;qsO<@KMvl*T2`Krk`_mP=!fyOz!k>`%8
zsD=*VJ3ip~5F*?d@Xxxdg@$P>iNb8LCgE2d{UiAY#L0`D=WvIb6rfwMFvqlGI?}{N
z`b0J6*b2{BfW=TcOW4p^Oo!JBq~fYMDksGSsiF!xMuQP#C?fwfx+Hmxg(>f#o&L|M
z|B4@y*N>o|ax2chIHj576KB(_f+6JR@FiFXI>|6jwyAC?<l+k#(dYEOC&ioZ^@Qgq
zQvj7$dT*WXzK(~|M}ciW%jdz8T;JQ#l55L@%~suP4qS{9ey^KX(`NB}tr|AMiP4UY
zrsV6aY%GLQTUKPLao3G`EKM4C)H~kH?#hLAOX!0Vcn~yG7M+z&TW_2}{LO~}MEQ&n
zFZf(W`F<P(HKW6g`1vT<rB6lWw0AAG+DO0Ezp?sz(9GIIfh*vT4>s7P_7bz(UYA&&
z@flEla4~i!7&p$QdDkYl?_0jcl>$-YM)loV)BC`FjfT!%k59WsTi@qV+<(6onc;JA
zJ}tkOxVF$Fa?h}UmA@f5wALBpoG}Z9M3(xBmE6#TnkwGG5FsM>hASF33T3#_gg;`@
zPk)6#<?&(SeU({(-(WBUlz`QA6_i6sTTMwkUhqZmE9Sh@Ycvb1Kcz_HTd)Pl6ll5n
zZQX!U^f6X3tcQ;t?%|@RbTWa)42mx2OUs_$Ts@(4ns-P1*xW9?f1ugb{<=hmi-KF7
z^IIP!xJsKqQNCmhCgp$@d)pATk*Mo@nYGxjsPIxcoHi<UqFYhbJyHhK7N&1)OP1yE
zn&?0fd1kfNqoW$r6>uJS%-)S7M;opW+vC)Prv5<BccYi-t`bC34mn0cAm;<Vi`_sR
zy2%<Vg58GNc!k7{TthvPZkJ9mrf()cCa!q5YY2VRF@5X#X&q-%=&}dcF&cK|w$n$|
z-%Qc<eLOtQ4b7`)=49tQU#=9o&LS}9jT~QnJ(<^jv{rZmtw^?2IR&mVooN>0x^n2v
zn!XhxdwF{|p0nl8v#_jz!w_0nQKp$D28Pl%KaaWrH@&d8C~JFRkmH{r`3bv^QzAmd
znXf(j+O5vhzT{X|iSs?vvWhn>6*@dyL)v7!_<6V1%BrPUoji^>cJL7tm0Sy(t^E8j
zR*-yew_<;+s|%>I%Y)UowfUXC0Ghzd$<F?_wvrV-a}D3s!*xD^NR<&bt%*+Q1SX|j
zz;d7yd|-9t$-&fGR89`%AXda(m;5#mTfDuf5Y<V^#H8*_DlC7dQ5P6BlP&B{a$8*@
zgWRlnSPdZ8DiL!pC_w+&9oY!A#Bc|+e4p%YQ?gx1m0||#g-tV4T0wq%%Wf0%77{g2
zsPj;-l15m#x^`DZ_phGRti9<KZ5<6$kk)jd{EL>a=zpnJ*}ezJNRJ_$@*DtT{L4rd
z-epkITqg`{CRN@rlD}qpmlyKk=7}B&U`i?^(Zi*MdQ>;A7XS`*Nvs>d3txgWC;2x2
z7`=@FFoGob3>GvVj89C)t&vO(I$$`(*cawy1U!|5?Ru4{aQGTGUDyb-Hv%8sRaAuK
z&N6QA27qm%ksvAf5fm(d^4h{oAAaaByN9)*=kryQJhe>c`SQ7ay6~3KTeo_-beOai
z_7AN3E&{*yxW3ul)ti1LK-bF{RTYynBa_>yjH;<6AG2CB^R(MrK~2|LMUt$|8lfL{
z=_=svb7b1AKZU2fw8Td>aQ>GUS){k4Z4zs(=Q<nSv;|`bJe%#+bHz1P7_Mgq?xDto
zyu3%>%+*Jy9BVT^`dPeL@@CMIRi~FCcfFc8c(}ND_O9$YdxC;Yd)2rm33z%MElqv)
za`NiP6V5wtyj@IbzFNu8YqLCLxL9}W{?BF}lY{Fg-9IHus@63#^m0|Bv5ozE#IC$E
zV0b)83stKfW>(qrmmb#7eIzn?I(U}FV<tt-U|pCY8dTJ1uW0&;O*#YLokJ%jkU^+v
zT*W-!@4nw)x~_?{FjZHpRi09(!*Z-mnF-x^>Pw=NUY>D#uOJ7+`LpsM2~`ZtZ?fz9
z>3DQlSreqO_#3t|y({HMr<i?l(}^VK0pSj`G1(jT-ZhEeC^8jYwoxC>>42$%N9xUg
z2-$tu1#GdSj0HQ;!nFD7OnNfOA*+)Zt%_|+$LOPz85Beu?;Z-ql;3azXCzQ^yLU1Q
zD)5V9?=S_8`B-zJg`MR{7U;OzRKg+3MxDKILJ(TYfOBjdpH!ebcL1k|{OiLI4xz*$
zbK}KRTPcA9>EX*nG;xsx{ByPC{SrlI4`)QgZ0=|ZUN>8OEBQ%M)x!qLW2x{{1}&4;
z=I-L}8EzP(r)Sf7>ePtWC!b{;p33(<_xE_{>fq8Oj6wc6Z<~X~;W?+Za}ORTi?e60
zx+NprZeE?*y>*MGOR`KRmg%%}VbANo>P!UP?%3m4b_16BlrjqQoMTE#QU8{Zbt<lr
zI;lWnJ)Jp-Wq2{2=L2MM;IT4}4H467Z_L<+-enK|(Sykf;^3BL#(L@HUwYc=#g4r!
z-O-|bL1*cqpp$2g0%g?AZ1Y)bIHIOqGwroL`TQ?0z>X~R<YoJPR}HP71a=@1hiwrE
zy<WW$M~2<mg^hKU=DB}!ftsI$OZ(i=z?!G0WO}oDCZ0A8cZe$qo`+C8NJpQHDL~L-
z8wmEb(-xF#MMpJ0?YCCaN`#;Flx<IDh>(LeU2FqU2^YXXWKj0{NJp+E2yj<%LYeWQ
zRzm&x#{j0%$N)-Yq5Bt9g?yO_mL$8b^G?r0T7Q6mCF9lS7C<5EKpg{&E~4)vFBzv3
z;0QM}Mh2G8TP%jVs@#tqE55k9OW0r&7h7>epnSjhd(a56$_6nFch3)9_lye#zC{^W
z0G2`|$1d!;C*RtHJeu{>F=FXN^1p!0QRa$CIJxj{6-CJKAArSVqg*6Ews$KfWaV~P
z!so{w6DcW&L(LkSsHvP_&z?H{y{P58ks|o9QxW$Q$@lwu&$!hiF4ZNi>e#ova$VD&
zQ5#zuA1*o<B>Vn;z1j3V-bD7fo$V=+7#e*QT3cxIZQ59#y`eG9)c44eo!eZ8FGuOu
zooxNKclBI_2b}T}cy~pvHhlIJbMjlVE3~zVd2#d95?s+ofO~6B93~pxg%5%XGE~#N
zK^`+(=eN6AH2hcpr@~?j+mqxap3xIud)0N!nEAUfU%!?PYAvhmFh7FgB3>_^pHFOT
z+;14Vp3c_v9OG5jMVCAc4L(j<uVQm@@@03__Sul;{2x!bUG?Li9{jvHxIt4AYD<F?
z;Z<D3vOgo75k%TV{dvzOg_E--(-rYu<V8$3dBz~69TutgXyrtdM!sJWru*i$4pJ2m
z5NMb<qz>f^H<74U>RDLMw*-`&9a)ZIpeDrxD0e=PpT=;q2Bzp1&MK==AV;9Kc&U=c
zl55tcTCHnygSvEA`98iWDC8@R-*l1tn<TJF45j}}4oc%z!{d2$M3#_<a!2%{Sj<{S
z-jdIi)a>&Ou!Ddug=*K!5a&-tViQ3J>XkHs=I5q_D-eL%Ucg8!Uk@UuMqG=@lFv!#
zZW^cK+~f%a)#$XHaiI?|OxKDWI*h~STaTvYt@~*Om!}ySDe8puLDYAG)6l9%3W1K?
zo?59sb)u6w%+*YHLPqi!J=&Vg)54M@f8VX-IBU=BbSFcYWfH+qa59ms>|`o;<_kVa
z?vB;BC{+#qM1`GEV?wwssl=74qgvF?=Lvk1QmCm6Sl)7-ZG7f(ZPN5imo1aC*kO4x
z2)q=$-nA)Knj7AqDymuxJ`@@AmCxCol@#c-ksqzaw$j(p?7xci6i3A>!VA9TV!u=D
zmr5DB^g61*d+$x#?scxf`!2PbWzAe%{woEtf`Wi00jQIG`+uu0K^XFU>vQ3Lz5gTc
zC@>0U-Uq<XzogdxMA*vKdZu-{Zc@xj#F?VdgX(gTql`kpB~4zcw=iWO6+puU@ga_r
z=%+UwBU(#uc!*B+7TOY_YOab?w1_p8jAH)@tt}DEYb}xdVY_Uy&)7m?pF=fqn4C1x
ztf5`ADoKU4K5M#?lqNx>?>Nb$sRI$Q_~x7}9Lz8ahgX>HmwbUU&KkrwGr-s#=#Ocp
zR)9BCla;QHp{$cNj?#8Gl`#<@jmxIBso4-?BSvgg>!MC${_#gApF_3x#Ahu5t$!Wx
z`kCDT<F2&d3@i}iuPSH`E_sV#NNJHd&eY&BvX=vxTRe9gjB3LyGyC8>#nf0ZS4Ke{
zAFmXl-Y5Q?4KjpYi>xmM2i?>6YhBmv^8(;IO_@VbNWl*tX=QSt^?#F!5>*3uZ5wCJ
z`&FCU%Rk#*f~>0?CAx)jSclosgx$4Za&xJkdAD3~@!1=j=_I4q(ekol(6b1<t#Vy@
zH=wW0WNTU-12mL&?#+o12tw2=c<#wuSalc>{85}pjDMX59NseWK$srvAI@f82PlqB
zV_^cW(}GUrQTCCM>RJeuQQ6zv(xN8t!_V*+y_GP}HQkeRQ}8a*LCL%PKHlBkuaQ}+
z>q_}&YfFpnnA5mQy+yaiqV2LZ^B)%ObpNzFRwn1`7FG4^yaxq>P(%X*PCI6L;?Wp*
z(*Z?w<Tk2VU6SkGuyt0buOu&$K)SrhJjt@1e&z~gf)d3@Um!}u>>B{t=+Q#cb7B2M
zDfx90sCiO?09{fYmsfRr=qSWcx<bN);Q(pJYchbVAVtSqlHe|%?XJrZ-32tSjvgvD
z9Vnbv%!gJ}1a?Ve$k}h8&M@XL$xpt8tO}P*i<#5v$dq9>yvsukm^bXenxPE<pIzPX
zdn?OI_BWmfxSe+nn27*XXeBp3@e~|V0M^_UjzSAYUja-C9N1<RyOeb;mR^y^%~e&c
zDU=|$sygU4;Gw>L#9*^L1O%jkV1#CidZJhm?J}Y$t#<r9tGX?T%Tx*qYQoWqAeB~1
z@YZ@T$5C>Mkhp<pYwm)6RJ(j@YMVjwmcT{{>V=L0icQ0zvy<CJCB(^kH=Pa*q<k(n
zw^<I)PFB|9gP#;n24!M3eNKq)>Y7fa-Nmu-MoW&#xI_J^myhdJ2VEK$33`qV3=W~7
z(wv$a%MAN1|6Sjj#8XB^h>l5U4|beWX3vcfrn{c_q*>zl2X6W=U=Lv>0~oV!rn<_`
zJSjuk_eABj5K(b&Tc3ZS?3$34Se1s!_JKcK<_bM{W>nClZSOi4`_uQq*VWOPwMmMl
zX$+IQkawo)^N;n3bLRg)*RZ3Nz4?CoS_;C5Bfv=jRZ(_rMIs}jVH2SM2OsKf<iAio
zy3jz+0}OlOyJ*CyWqjTknp9=y2rRM)O2xJ9uu(<XH>yxRA@Y4$n+~mS6w(H+9ftB1
zX7!|=mz+#++~7M#@>bPcHafKojoUhgK#ZgydLNwLXqYnT5cQ$iIMuX%szF=<<-n65
zHvS_`!)85!)zLl9g`C812{t034M~84rHHEEECC;InA<Aax9z2Ac`pg^CYZ}miJ=bI
znWgN>q2fAgB9I;bC-8obd;+<DOm2fE@+I+HTY4U7hgTkpKfE;bk9tr&wXtG>p=N*!
zT`&<Tnuh7#9}590QPNHEy;>N_@uAt5(ZA%FNl8*S+p8O1QE*zH#wqu#_V;>=3<bV@
zQs~92mSg!c&>Ao`xx6Q_h|MPIOr-syO_B;|fk<{uj2j{}$zJG-GNpE%*-w?*Y1Opj
z{gu+2*iBc9Xn%ffZAu}}7h%$Cx?Zlns`<E-eC(dirlP5*H!uF)t=8wG==ZwS`@X%s
z-6s|CmTs;*dLVDrz5*}$<&bk_)14$^AsOF(%);Y#XUUK}(VvV(jo{cUEtCw=wyJs>
zr<@pi@r!w?>KdY{;Xt^O0o{rhqBU{ABo!<OQwVLrJz;_t`dqum3P`91oz-1@hnD`G
zZ!ODu>At3(=5=P#gBh}Sd`kY=*wcIR@$+@v<u7Gg@cPfzi49$-hkc{#R4&$=@y=xc
zh^>uXvd?O=M2A`kco>r;8K-uzsXSt)5!X;7(~+upT(NN*_QnThovES=Lis@z6j8k_
z{aBBAenU>On6<gQ72=Q9B4j=rfdHXpIHP2Oi(LEup$zvoKrv*>Z2ncgblr5nsAgn|
z%R{Gs_$fVcB2=?nq%K-Dv?z6+agRX6YBc$qzsfL|eF0~u$~J|@WYfLYJ9O2`s)SU`
zh}W)Ua6a)O{@8B4IqNaHSqav_dBi*{nifRz^5)ATkU>cZA*|-><`cqOTX0XnoD|KT
zy<dUEv>HAWap{e4?GyHS<~XZq^2b8Idx~hT+)X3uiidnbFeOrRTZF!XQr5b1L_Bvg
z5Tq@~VYVyz4YF!ezPd)jM1uDsF;C}rWGsb0^=55LdEKBNe?w|42IwOu!<9U#&1PZB
z`P=OuGB{J`Mo+hV9|^lhP~g3TzjJI^hb!+JoiU@+l^foz>Z~p)DLO_2?-IiX87yOc
zjfBp#tE0tAZ<Z9VMN|fE*TxxL9j3BNNgI))sl3lu>^6;!m8tL$)7)V+j+xwUu6?bh
z>~V7VnTLEGFBSiqrp_hNd*#-lqG?z%vX^S|?G{*K0KPi`cx~F$MYYZN<QCYS^_n$j
zG-+N_o~`DoULd{q(XKXoOR~%^LR>(gIR^7WVi-74-r`>E62xFp#;hTL&5Y*en%9(M
zc^Yuix%Qr&Se2HlE3wDUU?p46m@&uJtaTThfoMmkPGc4+HJ6#Q{5)E<pY?d&Z2_%3
zxJ%xwmtj9gD4E=yl^-avbF*re|JnJO9!^~2=Vtpk#7B-3P>mxBK2e8IWO9In;bKcc
z{&Ml_ZGZh<^}Ht;uVvu6uC*O$s_ewvh#G;n!<tEJF#WNxj<b<~3qko=_$~Hp@O2HQ
z5g8|xGSZlWnIIH_f%GSyKdY^+oxHAbdvxplY^(%~Tog|Q;}_nwWwxB~es9h4n01?T
zi#2tQXhh}RR1rN*BEp?drkcSKA+c>rJ5r{N6`P5UPjWJl<Y*B$eycV{dj)PeFM`QS
zp}=9zTUKE6ed3Z%((?isJObKT27{49Bf^lC2tzkqt~pAE<U%E2;v%Fzm#;C^kf^}a
z8=)2&6au<i6gGBbs_e8f@&-jIp%Z-D)2unwe76(#K|<m1xc8?Q?Z>-w%Phc4tJ09<
z-q<<4ETU$Q%TCpV;780IQwR!lADF1sC&gKedf?0<v;(OdlJ?AwCT?Q1c;K5PeTQs)
z(Y1fHGTtLLm31%a=iSek9hpWf%?d$4Zbk;($^_V@GEiEU5a0}UXS^F!n;WUx2efeP
zNl?05IfACVjedO>kUZHv+}=XOSPUD-MayolVw{5MYsh>^gD3c$v3mLax3LJ0KQNE|
zKs59YZX_Aj`#CX|_jP85j}+ngJ>!<k?fGEeQO<x%B71WW2ZotbieQ=|@OhR@G%Bz-
zy|$9@ZURsBEs5s*vc~NwlTlg^@Z@6*MQ}U2dz~>I^(V8o6A7+5MpqQ^s@6qQMZ_d!
zZ}080%<ysfrR#i<5*W}|&|$}O?HQQ*D67;8-q{Kr6r&wGhhb!6<I8gm#>XyviulXE
zi%Z-}QfogyUbc+-ew>1PYe-mSf#)<mM6h<$R}JCwkEu+lV9*nL`rk0Yw2mZ^({e~(
zHmsg9WLxQCKGr+Nf;%TAER{EZof4hU2j0>5YT8RlLOa{|S^QBvPoZj2VJ&q|4&bZd
zaKYqZQrW*h%(9376F-t;CkHj($M8zl1+Dx8QizS<-lub}WWZzGi>G>yl!6p-k_?3K
z$;vHv96*UygGsxGsQr|2t*FSnvXp8;n5_(GIoo6gc}b-YHa9Uj+xqnbT+cn+gYK%k
z<PKU_sP}L5%mt>mZVA=WAkt@g&^c`PuyjSInl7b4jt@XUDDviIu=X=WVf*Sytlgmn
zWvT|<rp7E0p*JKxm<>CX9;Gk4dyzM!@W{!jhYHNTua`z^0Bu;%!T|GlR?T!vd**kG
z{wEtD5HXYT1LWs157o|bh)~BcbBRRaI>qZGH=f66mN`Oo4;ND?@~q!v@0IkVs~V+4
ztKy8W-Lit1`Dq9bdtdmg8q%eZ&PwSR(5I)oG$Gm$Ea;7cd&&?%uj+yMMWNYetI|&^
zOioja>yXStpTj_SHyaQeeY(<jDxB5W4KihcUr|4?3hqflP{PT53znROYjrjhzh}Z&
zC7iCSf*WWDOJ#DuN5AiWI`MnII|Hy2I@v4i$BJ51W%|ImM%ATLup^qs;)Xvw>Fk$^
z2$tR`6EY9q&TAdnN69}dkUO@>A!I|V$y<Q2&mToM6qe3DRpl}Wo;ch)>UO=Zb`9B}
zYd9}ktsF2yYK&5I+(6Zf<S*KhVc)i0TP{AgIhSr-K2G$Sd3ibT^|f@(G%LPqFL*jT
zyRYAW!wl$Sv%JG`5&Vd~alt>{*~M*P16ybZ{}SjKMHWgD0Yq$lIE)JuoJAA8YC4Li
zo*3JBN>xQBetri9lpx#eLfBT8d}q&~hm>0c0la?A9`T#?r{@1M3=6|JgmzDgZ<m%&
zW>lUlE=*CIRw1|Z#VoP^PxLJ=%*?%xEW%^oM(L{%7}G^R$#zk1*i%3G2WmK(rI+?m
zV6vwlHsReV<EH(_K{mD_MM)s@7<@wd4Grh;nscy5)o7}N6WvVyz$B<-U%XzJckzx)
zozyO9h1obb!zn+&u>%(Z6hl`TRxC}AOO_xK*dsYglU`$X*o#}L?jVn{0jb!;_)EMj
z#wYpUaT&`!35|3`J|=^w+!PB`Gf7<R>9xsO&|56)QBzh)h|DG^DzG=dQ9Q95k$~*t
zVJYGbaj0cL&(~28bA&_yX2YOr%hzvHBXESmtXox%8ZsqV^?IBG65-R1pPGQ^TZ*7i
z_t)hP!0T8RIujl@tFvP}ve8W4l-+5BZc}pE50aNfI^+&=M`S3sAf+I%LP}{%&3BBf
z1YQXGL9XmRo9@;O>JNm+l0+3Kx+)%zGxSE)`xbGWpnZ_=E#M4DbV_q-NR}vlm~xyP
zxkK2dk5j41r^OhtU%|_;>FVg_&Zs(`QBsw`1X<t`xkU@#iVF7e6j-=gh2cO=0IHi#
zJY<u{)tpQ#CeVzsaUh`y%Yum-0c-#9aAmTXY?72k*21fLNg`3vB?7{ExgvY~;j;5N
z?O~JB(%$oK-Pys}47F8{vIKl|OE6CZ@tQo1m{MiUjz1N27C<efwrR72xc_(B1HS5$
zEo-RPBAGt8I42$GMil>};TU&~;cvUsZ8iKEUD+Q9IPXym-97q50xtuYRZ!FP8k;o^
zHp(x>$1I5Hd}$O=bjHM2S}J%W>rY(`sWx`E)yYC?$dR~j{$B*Kdm{`X`c{5d>_vcM
z`sl<J;{lIhPvv`%8@c~a=421+JiEEQhIIOrzap@sp`HL!i*X@i09Uutp(^f>Yd<vw
z;}EO%762@OK*>{LCo((!<}TE;yM~We13`2EGXta7k_f>^nXlk*Qrcl_D9H}Yq<DpT
zYb51CCv;q*hxip}pc0X84Nnl0uDu5++)LE1YwZxBvNR52<CZ_Hn5#M@2jZXuzuhW0
zA**Cw#Ecz07mLo#MI#f;NB{`Rgp2*SuJoXcxhssMbM|U#o}jICF9PzgEJcw&yk^Er
z6i~^9uRcT^uIti3=BS7CMV2UGLL4scsMcx>#QVey8spc!6<4}jYnfhEYwXVca5KCz
zjZZ73|BO3(L+QaT`;%NFUl%oO=f#iQ(^D7wgivt|coas79yZJy$vHk;&HYw3X3Y^=
zH8y5*alJ{W>q?uYsTd{=XXll8+^T@RY4jm;Fhi60Iun-J6|a3aWO0Aii&ihHYoQ*0
z&A+vt*VWo3x~T$75-q~)j1y+*aER6S@-ffMxIQ|zosa5LC8uOSNol2mxvGy5K#O-&
zADMHiCtpZVme|Wlls2-5D8glUA7`-8NaH?pWH1rLVnFq-<8DShA6&2frm^8~<A;@U
zU5&oPkM15pL%-uChM%JWk~qcY0^4N|gy<kRmRCl$u7=IO`Z&`@+xG2bdaA1Tq|f;G
zwcPj+Br-YwSw&4k2Wd}|$TpFZ*PWoKT8Co!V1J?MaVDo1qWoy9yaN-x8caWS+(7Qd
z2kQ(t{|?BKk)LlXDX2Iy$ep-^eqy02GIu+>H_@0um#SdFsXEhXAU{hr0xhBsX(+MT
zN@Wr{fY{4zASZE1{(n^N;{M=jCTnQy)DdP<R7KdPs96Fl`3_Rd66nRGF(f~Z-^ia~
z0mlLYm3WHxI9}m$0#9i-avc-V$%{1VPJ_ZBT5^&$iW~?y9b``YTQ!)8kY)5UbKhs0
zr~5-47hE;MQqd0QQ@xCTD_T&QKZG4l;KMwG`Yc>K`D|7QNA-qoJVArMD0RPD2m>i0
zjS?}KHDqn0n$)eaG+AZ?v&|~JTjV9)crLvHF!67^DWDyzTXz#JqMJ4mt{U3~$|XV{
zKj2_PWQ?IXPSP2*rZVIJ`Q?COu;6LFD+td#X22@HO#R&KNhdv{9-L5E;4>=xR~--=
z5eh4o^&;1;va#$yigGM+qPFN9C(akQV=UlHPJ-46xVNj&WCP%s3N!}B!VbWxy^l6i
zMCN>VO%S2CooKHX5r__uS3mm>BNKw#75U-1cD`B9vhgfkQzQo&P?ff-X<ezdAS=wV
z0|^i#f;}-{&j{x0k`zM1qojMn5gXYe<uNL43UaOzZK>4^Ia6c-ewI&AEu_GDdZ^ek
zzi5)UlE_N0#n!d2TT>S%yw{Ty0>Da0qX|ovQ=%2Cz=%Z1G%W)#SZZEsfx8CT(m=Oi
z$aPc~MmxQLPim9E=b%nQ{KoUOJ^S|Wci#)wZLe7I{z#OWZJV5p*0BF7z;>7dUQj?m
zIK06Xt`6S^jkm>x2Pj4Moef<PT~wf}Qx_l1R!@yt(?}p5qdU--K)!=3vxr4B7*Sb8
ze@>&d6kS9`zX4M|$!;=94j}oBSo`^_juzUgK48B3^r?zMJ+tg0yaxrms{E#X9YkuT
z@wgJl0FdN@6-CRXrzbW8`4P0$`L5UwpT+UNgE%OwFHely86bf0(#AgYKmV^3UZukG
z*%n&pQJXeJiYlxJh7`BX*Hh9#D{Ugx9%oVoq~ZbWiL~OXMe?q+&!<TZdom98RVm4#
zzO$#iG|grmZ$`u5V5=X=`S_gjCz0aNtk4MaPQI5Raa08e#!`lKlA${+2}7R+wOnt`
z^lspPn4$pV>c#7Dk=|m`OQ2w5)*yUPXO{=Ynsl|>rk?81KNF<`veFGUlBPMx)jC1{
zDGXr*T@JFZ7A}GJ3L1gTi!FT`n;p{98>B0g;;bB`LLRA-X*pM4j}!BmBVP*8*M{mr
zmkG->*+L4&hTQGX4{{w%1~&L*WEW)AM4~0c5tEni-w}OcWMQ}-Yp{CN>9TSCY~3(`
z406b1Wi>NE6jdlUAEb?7<$);@q(L*?VPKaB3Of!U5Iyx`dy4&;W6{E3So}t?;nhSD
zh(NhOLgUqu2EAxjd`tvdlq^$$Pm*VzReP@G*e7r0yU1+BmUEREmH`-9NOokQshywY
z3h}3bxB+coKR23X=7%<Cr<E`+^oSC(YoY!vnSZx4|M)E$EN~19%0#2b5DVf2v|Ad%
z0NCG=&lgCo9UQ;Iqh)Yj8BJK=<>@z~ML?yi#vt5b6cIQ}pTR?{Dpo4Z+kldiK9#B`
z4qwwfI`SOpp=s2gnHvsMg6rTyY8uYOiaS|ej~N=V{C4{}+4~s6{~|z$?e)B|Wi8}T
zKFe9zzMa<TnLa-!MT5DAhyAwrKC|?UV*oq0m20b&++8>>-onl<u{vLo(eNroUR{5e
zHW-;}I;1hY2V#ff3IiKG5bl%ePOA|v-e8KP_uOmyo@chvS#i(l&0Axd;l$;XpLVfw
znJAU2*E%4!mAk@73WV#bHMP=m{mxG|m{7+#H~Glr=WdqKjN^6Pp`}BGJLKomNM0G2
z%=y1!TBq-gVmc$|rwi1jm7H565qttUL<M{lcA#rp2i#7lucxEDm|T8){#B)Ij($Z@
zaa5(RD%1M>)egBn4ms4=sSD}i+-I;|(tdA)q%y7+-8^EfUtyqTru_1}#KB2rWqwo)
za^QEqv{q0-!y0s3wEKMieq3sWl^?DxIn9WIF_#afrnlqm+v4Zh;q&+$c8Y!}!qZf8
zGG}|kkOT9ykY%MP=cSk26czRO_}J1?|IogBlk59ZZG-ip+~?FWT`bZd_kuVpE6?5#
znTx4N3XmjVu$oT*$BGBm_9uJ!X3Iye|7)JrW-0FO9k0mD0I8vN#nZvJHIoj_=`AFU
z#DI97W>a(PnXPN*`S^JM;p5|C<avgLXU&pXcAnS25LI}aQuc+pUl)%c9DpciyOWez
z9o4%6_6G0}DZU5)o$!ts1dQ0(nDA>{O%tV&+=V4;POr=DcA*Fy{dMm25i0cci4&~0
zOgL<F+{{Umw5vu<u9r0c8&sbs-6sp9n2MY@cy_?T@&F(qMP7h-bH4!J>%;Esi+(Yp
znjpb{v~zs>D(fIDBTG%)p6<~3(cS<z#S19edEe`Fn%|7bUXY$hsq9BS;WM_3)?p~b
zDqp*zTDfFZMS(~nx;LwzXFxsgs4BqzO;ac(rN9?$ISO(E-zLm)EGnIdQa@SfZ*HwR
z!pF`S{O=h!pZfCgi(21Zn9jw^W}GMvwo?rulAu0rwF>}h#>%s87tfVz*mnS}iUvw-
zJF%9~g6}G7Pce!6o*=4F7zC62sgsicmH^#SP6l<I-e1Vo#glV1tj}KfU91E4%uij^
zorxiO{hFYk{8YJ9g(Vqfbk`ou%tm3~nq_s{U<#COx5&jsFW8<JdN9GesgXp|z%gbA
znI#;!uy^ZL&AM|S7@<8k9i6qu_h^jCD0DUFX=fPK?EY_y?9u-TZ`8xPyB?IPjh9Wd
zkigwg`Sc|KpYn#nWzy0@yw&EaMYNScRgkU7!lN(On|9C#Mx`BIF2hmCiKeu|^sA#L
zGPl?Rj#8N8#vhxdTy9k^jktuV->d7gl<dJY$B4)E!^xdIx0SgHC%4Fz=S5K!S6Uvw
zj;)>U>WfT%u2%gs;2!-~4E102z<C{v!VZh=jSU$cbg)Ylu+g=S8dgUM6qO#<(FW>^
zwq4&xToXvs?>jNS7rCDWzK?tOUlja1v{hDL#ssrExrxk^^J#h|#mt<)8(H3rxZPHo
z<A`1Hoox#&^P23*W`xvWt&!2^^MKRK5w+vqx@o9ccIY6sP*YKG!NG;MAH6%bB1@eH
z{PARU&37GnNC^)iMK$$NJ^Fue=o|_foY0V{lMgvqCqw8(Lz6889}`^=C}pAEms5@l
zsv+=aFF&pfeSAfYTD0lHJrQmy>N#*B+AYVQ9XvH|W-v#uZiqmd4~wu1fx`$uAV?3-
zlab*wX3V-%7#9e|8eRbN9i6*g?3=o5U%GlNMhnUwMVAl0U-{g<eSe82G+4jhPozhs
z4U;;xUI5vIF9Y)*`CxL6ccK33fD~}9wwa(WeOWW>6rBbyu(2Zs91zsdhct%J&UXVX
z9s!e@w~st)tc*^;9i%6Y+@pK5$tu7_Y}MNp1)y@#L-OEYbzb=0dF}oFy!QR+-tzrn
ze$IiIUAz`(Oa2oaC9Ctc2zKSN7pJqfI*i-!xA;64YjnR+?9%#$x8zf93rGf3F=xk%
zA0y9}%dmOaCR2zF2KG8eEMsrUJAVw#1U0B=W6e279<h02ypdKVQf3W|PgSHLduFxi
zecmnjYQYmnWFnC1=?2c0rEZlu?jkYjem?Db)75;`lDEwrFeFtY6DyDu^aP{l6)}md
zb`cLQ`^aA${2&b#sU!8Nkc};C@N>k`7wEOj0qcL_9yR*z#BI|OH_ykk0VTGVOILhN
z;gTBY<b&~|ru@i7aCvgBhDy0W>ZACuSM%rYWLR@XJ{>usQ4BoFrZjqm-NTd$4X}Rg
zXdy?dT#I1}v246zkZa$I)iXhC?<?8S6{*We)D&J5?~knr8eA6to86rbID?ce6pol6
zCu2yy55RgzC;B8Xpq)LeQ@VJ)`j&CVR=*$851!$J?;KjL;LK=oo?cs@?}wf5+YsM(
z((h-U@5_CdZ(B)>KcsomgOX!zEq7_3Dc+Fl;TSm?3x|&^ZG7F^2{fzc5r7Op>-N~?
z1~HSEzwEKf*_=oz&w+dD0|oO{K4wl}D0okFu(qUm$Vv?~Q64FV@*t#&>55mkjiJiq
zyd007Xl+1|9t$3@w?~W!jtuo<BIFJsJ801=o2Kuy4TL^6zw|iO;A#Y?DyI@_4hdmW
z*&>P_*1j}cAHm$ah9Q!<1dxgcDu9W#sx7oCJZ$-(tL+tJL&HXo`}NOv-z)sj&+l89
zpL>J)3EXv2*W#L{SDvk1V1;z9jXh92>7eXCj*OQ5&smy@O|BMi;VGaC`w#4xaj>(s
z-rpK0xhID3KoYjdPpshv**rCNLrzbA8MutEX!k8CDzdKC=^n%`gpqPX^}4ja*RDOk
z&xxY@yFwe*O|DY(T`9RQ1TAO?F{-J?p-h;4o8POG4iT=_f0lIsUJ4hVE7Nf|AEsiz
zu{-?8iR3w}A_}W!j~uw;H}yt;ZC{v6798jud-}%!QX4d9=bpQ5BIfWu7P!p#8Q093
zx4!3ZK6m>`0g6))Je~DpP*urk)-X}FU_DZ?A+^%QUgys9&#w#3@I>h3&x!I40n_EI
z4P0G)&o+gY$Uj;sqmC`@jl>b)c-+4}ynS5PuOV*!ZAbm5zCzgdn_1`Re1hN@nqm!_
zG0|)N22JF5NbUYq_^Mx!ccT-A+xrWFxQi*%w3Hn@bYyY@RN1-;<v6emDeRn5vi1Ar
z({mB^jA95T)Q(TB+^l7zMNDl6i6;#^EL05}q$lBm{5TLs(N|NmhI-CBB(70&R38Z>
z92#>%;_7M7)s-i!$=1mR9fj5qzT!rXAgZg0?n(|xIcK3y8)kIA4^4VsA4_EhcY`Qb
z5<=mfj3N_ogd3$g9O&&`Z?(Kpg=X?%bVHC6$BjLIKPVO(l~F*qQXWeo@MT!JsMR@M
z@E#G7cVRt9f){jH!Ce$S5LboP^GOjfd<0Qh918Bm^VGNS7L65<?UZu$89++df?NTc
zCM*C?;G!8@kFa?8Sd@peVxiGwiEm2db;B8CWyUlfb0yXjuB3zE1e4<Dkizjh-IS!0
z26@|L@o5w~#yXRD$LRrOvSlpxVJSm<eSWIudY@mw{hoGir`{jT>poyBHk?LjB@f1q
zAV#jD>J;_Iq?`*K5$tRw<~SddJ^CH6MzRgFhkP}}nRqz%%n5%{+(Hw_IC-S*in3v{
zNMmW<KiO$!wy(`6We&Mrh;S5lwB&Z*u>HQlH80KN_>{nS03)}W_Ic#ICfy+076OA2
z^1+LBsY8A9=~5p#X1WsLL@EmFkH0=V+wj}A2#0O=g0F4=nHT75PW0NGyFiL_-H_8s
zarJ*UIr$RL+jRi?DIhPl$~c*C{hXKvg{=r%!lE%1@*}ge;g4f6O^CCCjEtgsK@)<s
zmqt{V`Clkv5+!fL#IK1D&btcp5VMO3IBk*dwA48LsfEQ20F;==DHnO9jy?Fl1y~j4
zea>wN{*T1wp7EG<S&wokD#>=)1=v$`qm`rvN=pKhnFyaCfPZ>AlpetwD3Z!Y(&bhC
zX1p#Aph0ro6C&PDqf2J<o08`&O~0I5`>pIyo{>phAPyK#!Z9@^fny|s)3l4o$N@eO
zdd_RDP1kqt&QQ7>j85~!LLPzz-?z9JDu|UZ1ZI8}3Ld)nQ{Y_gQMwLl={!koI+czv
z4?3DI7S?POSaLvq6Rid=3J1Ol72P9)5jtvHQYfU6qX{nFre^RKcRmhcrjkBc^R$Oy
zK#VA0l027iGV)?LL~+njJ&W|w-<fzH`nc53vx}6mVZ{TGV1dRA1*ogK!ap$cPL`;8
z$>FT}0cZ2sU<4gtamCfi&)X!c5`|q;p_5<aY$Q%wARom7#1QlQPy`t1pHYAy-!^v6
z$^>B?Ch73X_SY=II8h^;WN_58w7g>k`xZ7qIR+SyMdxVpQ4(;qpoR7<-Tv7G-D$Ph
zE!ZPH>5|{DnV}vV!m^h--L$~Knj>b2xW&$wo8|`aa_GRiN=c|E%g;2WDb)S%)tP2y
z3bUA^Z<t~E=jr$eWXS98*;*baAw`t2to(XQR>d&ydK#~PpV3sW%rQd^SgU?s_I~hp
zfB#-z&qQ7O3c01q>59~$u!(}pTL0xmFn8>{v1dmRCS}*bs4`>v7^LdSq=Tei8pY@F
zcsxIy)793~)7^PGoQL^#?c-wBQ4u5&Tic4seWyWVrc{|%6%)VWT03t<aFMW6aBay(
ze&W08LW^PZjXsmQgTu<*?4RpxL@l)IxGp1rsv%C6-H=0>Y#D}@1$8zn&E6<vcE&pY
zIulx3>J3sJKmai1z8j6Gu;4PB8xp^z=p={kwA{Y&a-8D$Kdt#XD3$I{u8aLc$L;gM
z!K2_$a}hA(L?_LS)%Y1lsHbSO;CYmRklgtutaD(uix8Eo?Xi|E^2VJB8yn73%?4vJ
zX%kD9jv=}8>N?(dAMV9qu3mz2_CT-L-ibs+SLf+)rY(v>;`8pUYq+&Fwlp=hH6848
zrp^34Whea}gE|?(k&x69m6F6D`@FIf&%4K+-U}KYIGud{m?r@n$VlWLoFQ@*@5}qc
z=XW0Uz*#5;y<$T`th$CPhJLrLAsS$>aBu3-NlQgG0ovI+6n~mJTzaX3JPIrSfcC{S
z=rzz+l?xbWg>+FH6?)6`VrqTq+`fQv@&fft=!fm1>Z4@d5V8Vr4@;dH!E<dVGerjS
zrIh+V6k!A8Y5qn;i`-%rkTg_2^mmQHD&pDH7VXy1oMPzn0So5k(bH#0X7A#<U-})$
zu4BgKaNH3$>JzboMC3Pw{FVVFR)8oHr`Q%60u0qLn*=A(=ppOK5~=o5!UMe9YmXu<
zO7`3VB=7@0Gq!Cz+K+~!mV$doAx7;Vm3*=%3VM{Ozh>#YevnDoYWPXPZ!|W&ndk)%
z+k=(~k&!ZHQYX^gGC&vMfKf_sn>O$r>CLZ*15WA+QOKKP6R}ElU|flVx5=Nz!#bjj
zX?Kr4PR0ctWvNCW%jlp^V=8Uae}=ywoA^F1f1lqC?;q%RDMn@A2+Nivwx^*a)TdAK
z*9If;TN%Lo)>$+Qvw$wScj4KzHqj_wp9^cv>Ub!pHXcm78iql@*qLE>uRndA18Seo
zaNTazpRDJr=807s;SIX*7kANBS4g&dq*=655SS~bsSM${$jdnKT?>oC@_$FmTfqY=
zBNJ`U=3UZHc)_LTu?-qDYgMB{`1wUECoL7So?#I6gOYasb_Sdci9gzroCaT6v~t?w
zgg)fW#&S(K{_lCF>|qtqYm-S|@2PKVQjTo!dcAuMSw+-At(fxBf>bHz7x6w|2(zc6
zO_LcMx-w?;3EZ;wKC*`L0A%^nVXQlTR$NEA57kV9Te=ipOv7VSnd3K2`)}gF(KT|M
zhN?E(qc2JTZ#=%L+!3~%v#lM8x5PN{@Zi~FlZc5+zMM(PzuS7$CmkHi047c>oJg?Y
z!9VBVT|S>t|IAya%J9E)_};YaettAF1QGeu=b9;ikdz=@1WEOl&0c43kfjNSfkNtN
zgzkLS#A9r^=h}tI;Kz{ygOAH&t78>5B$yjcD6&FHMTf3P^7gmT<I;O^8@l~Npl2kS
zIBdj?$$rnP&ZnEU=8oo)8n1L17KnmtZ8EEv(Oc$Kv`EPebj`ELac9-wgNdQhG>$}o
zIY5&JTOp=U0giz*nv>*7-H^s`oFh3MjRkmh6#^jdu%I`YiB91tH1@v?7yyyr<i6yc
z&i$6-`Ij~ZZ^VTegv)Rc=h)U>@$|SWFE|97qj%eO#`-=?##-}&QQ$#tN~Xw|w?kpR
z&|e0=q)<+Ncl7pFhLmz4DZp!vkEv7Qaq}O}r~ly}3-c98m@7=fvUPvGXU$dLy<}~V
zRl&}#2AAtUC1)|SL`$T-mTjgTZ%!Z%%D3`tODayeq+z?WB`<w%x%S>yx9lQ%v02wb
z!ti-&Ged#k!h~*#7w&5fa$v3C2<Kzem5=A)nPCZ*8&MsWc5I#2Z#Q>g8FKf!%qlCZ
zFIyTm<oj?Tes2Y_>V=QWj`7_6!Qk_-4eqFD#?nIpLHMca#{?%93Bm(T=B-)EmRQ-J
zLd8H7KwSa*ch))5nln~fXeqDG5V8UwAnwWA;yy21%l=RxdiG?cwbo8|XJRwaHJBzx
zH{k_zu`_q>h*eYj!+Y35|8sr%-=ol_x5-fNTep?4UrC(Sht*Ipno@GeKc$kG{7?O=
z^KbEM^mTLUN&98W8$$|U$umyX$)-Bt*^c2D4LCw)WMv=GSjGQ~s&inkEC`o%Y}>YN
z+qR8~ZA>t+ZA~z-ZQHi9<7DFO;LbVs9^B{YpU|uOTh;YeCAL`||0o8_)&G5*`r@0T
z?2+M@08>7}g<emk;K(k`DvbU7dy?rfxy^&&wS=9^TWrutz~|$u%L%n#pc%SqIzT_~
z4MJY>phSwtvS2%subIigvZklo_idt1*!TH->deV01#FGBWzaR4D`3|2(CpHl%kTBh
z)G+OHUDp9SW`yNAVkrKgOX7sp=j6~;sLHBo;O*Kp0ZwqxNHIPhtl3hK8DW<6`H7)2
zzD=%F-=F5d1{nm?EyhA9>l~)R4JMT%#m;AytpPbmi15)c@=yGZpo=<M;GfEL=iiKg
zc@j041_~LCbIBTiY>Bg)Fo+GTyG7(cKv%kFDa}uEzYsQ8tyH`B9%{BFPgN>kmY+`C
zNJlIv(Up~xa3|2x0JyKPR+88i<Y8qA-Ge9C>xBWhFt;=vs(bLxtdi&a8<O!d1HAWn
zJx1)yC;uJ;hP5&V=e((*!_#PSanrlwZJgYk&bB^QBi{2g-!Ik&QtOf8JPC;#`Cue@
zt0)2bj(FuPtPZM<?o6~aTzTRrjW)pxV;*uj3*El%%Zpi9En_47aYPi8B7%7M`(?mR
zHN)4d)5k!`gNNJOrBxfP<+wUZ0HMg*emZCy?yDpppPgv0_PMSgKSxBZ9bvk)LjMfQ
zRgTqGvo>>Gk_P7x0V|-0F?}kHak93=?>GLauZi|*nFHZ!txn``2~a9hvgoT}3Cw}Z
z(Kk_ari`#HJN2wV49vE_=1EEYe9Y!2T6zrDkgK@aE7gF5gQIqR>NnKYW<lQ`K|-wS
zweE|Irk{>_6p;h1W6Ji>pOA}<;i*HoYShj_|M|1;f@e(H{{6K9>{IV~#T2?RaT|PQ
z9jzdc{2e!58}-^DX1j;=N*e0TN!cMM1;?ko2`ajLtTyP#-0?Ujm?Vv!$6s|}9=QZ@
zLmf;`y&t5VGv`Pw0*hN`-JTq;bBguly0=fUzJ?yJ`Nr8aQ>gl*!vI54a=xkhRMT{b
z#!(C)!HPH76k{|&B(=L<knb%1NATdaZI@{_a3j_gNBm?+VFFUrpVAjcqBx4DiiDs@
zl{!~EsrMQ-sNaP=!pFy`CFrOnBIv9Sc=RIl`aCE6J|YZE3EFkv!B^gu!0+FW6d71=
ztX6P<6?brS6#D)+_w+Jx>5wy)=?&3DDsbnRw$jfuAkM>*!5O#Y6tWhW=r`<m2Ludj
z|H>E5sqxc9m_TTRYg99m4}1Onqrv-V_ubyez=@l?OHj1L&)T|bL`-V$`USYdd95l~
z_c4DRSqvEYdwB24N^H>A(TjWj!SF*L%W$g!-rFP4Q_9+{ZwHN!{)}FIHYZRaK>E>z
zw+aro^K-RJ6uYt-{xwhHF|fU`=n4fZM!44F8eq`2K@8}6o5w|BD%36{BtgUMD8g}$
zNz{#{Ep^(}5J=ynt|I=;8vF=Kwxr2HYMb`-mqo%-xzZi_?2Tz$aPiQ_Zzwe>N7K<f
z#nQ1zh{<gS>)ujp-<iB65|`8M>c<zSD~xMDyM1b83F2+v_cQUwzE`PNPSqKm)C^P|
zDZ!@?+Od82Jjr=B!mhlzRZO__Z$0qu5?`sUt?Qhfo6!N!GP=sQ_wAtfx2B9W=Fgd@
zSgUjUp9+F@Q<Y>)qRoqF5N&0*(wPrr@Wns1WS4}(uWlv$U?-Fsd!!SY@gjZGDRJWv
zkQoFj8Ky*a3$$^fG#kIHW63Z|4e)r|B(NqaX7<gt9^KKGNWEA+Lazu|mwCJ}lhQv;
z6CgVqk0GIqmJcl<ef<U*gaVrXuN<2@s?GWFKG5FjR1h>MS_~KhuYI;TUrsR%h=te&
zcjp7UoHMe7mcvCw{SzPV!An_JX3mt7edy5(VSMP&Vx+JlwwxB)uD)*VhfI5$%hwyW
z;;Kxog?dAj)Z?Ctg1b)Z8T^xsA~YxsRQOEgYec&5b)_y4(F;B+vhh*PDTV0wA0{TE
zWq8dR0(x1Hf)r+n>bcpuJ|O>PLGQZz&R3aW)l`-SJUQbsBM~j%<YJ8H&fVb&y!bqs
z{<`z5rJRwg^dJuj;>Anfi{JNW5OC}^2&l-{O8gC=X1kzP&QEQ%@r-+LX~>*AW4A>#
zg%KMC|9Rp_awWEZfO86It;Cb0tU)Pjq&gw1Vi0;FE>*-ybBJ5fCZ%84v)nW(s!(M5
z+NW-rLge*GPY3|9I^qefi~OnTi)TH`H0pYGB9hZAHUs0EQKTKpY>=&gH7Za+M^{BL
zKqb?TmK|7PX4`g(NuX#Um#Vi3fj!L9Umb{giFwe||D>U-O9)*8&0+Jymqx*Dl*E_k
z!^Tve*1`EvI`)$V!4FKEdxj`nd)pUp&uEWBF-Lxm$hIahq}$jDdYU=yW`t468dNFR
z92Ku3PlhUHhQ;mh`kxD?GtsIn7ygTv?m$T}K~6Ynv=DTu9J?P6-Q6I%$7k`FE*18{
zf*3A#lIhQVyAni^-f<eG?<j~C)z^OC`>vmp&}MJ<mFJeEC1p9wF_hh~%RQR-p|<F~
z-{UqDSt_g8<xo-9jMZfmyZ-D2uGh#j;lF3<ni$`&j|)0=o=)?v-tsO_R()K%M9J{u
zS{|g5#<JSV;Xi9S->~_ofpz@VTP!;(a9PM4sw8W;(nl-v$W4QzjX0z0t(8`Fs|1w)
zI<ao}iy0(dNgrvg%V+>Wm65U;67E}A@bH5E9!oIdm7rK6VkorhT!?inBwarhN9T_T
zkN>#-_tAU~AnrB)K2)CBFB*|5F%OgAlR&(7pZ=>`%2<5N`MD~u1wT$;JYrk-qw$)j
z@(A~+iO`p8CkLVNq(KAu59}jk$Amfo|D&V)EE#^=U6lgahqmgM#*mfu2tP?m<2x16
z)F<vc!PG}L;d7R(;npc%8^RSqNhvuA>2-JH%XQAnZJP7HxkS+$8;jSahvuKceKlm<
z?fpFW^?R%NufJ^wvwOt>VO?gr&K(GGj<|X{*JX$#R(?}-HrM$2zo5(r<pSe4*^gst
z;SPTn$v*G*$3?vWo6QBE_O~?3ygE}rU7azP;?M`o-=Eush3f&-XAw%Li7aAK_T*7W
z20{kUs<99)=X}|1djV%##Qt}#O>b|~#7~C$sg#5r;^l_`0@KDyogbQ4PhWpI+5K<h
z)=tl!q_-{$u7y8s{C!I1^vI~S0CLE*-S)^p2d{PHKm~X4X+Zn5S+1s=yY5)+9`Q4<
z)~Q2NBz5(7=iPYHwUNPKP`8_rrknKfz_OW9np=y(>gA?ZZ<SnE7u*v=n!8?}o1q^-
zn!W0*sYUB#opb0b+K7`)#SRL(Nws2(qUcL}X+BHRi}OBl0r4t?Pj>A*@RdsAeghkJ
zLEVQimWi6p=3o#95?{xv122aR)S~G%Fk4})Gr;J3a$$}oC|7Sz94S9i`f*MlrsII8
z>+yK&WHpRS(Mkqk@j>4C#drF1Pl7bU)ZhR6qwilh$V{0_Q^%r2@_7%b_iuCpY)~q>
znLRwQNiMX@kX=Jm7^dF{5NEbXnwmX&c}q+vE_R(?7w=`2$Dz<KX`%>_s63s@z(9zq
zty@=lo(O|TR1GKluKf7H`hb=B)}Lijkq`~n)eJfmQs^Nu4}s3T_<*qZu&0JER1{kS
zERG*a*-M-002wMOgm|7ZQ)WwO+Z?S`tt!ri8$7+jo5GE87=o-_QbxA0u3qE_@CB{c
zCz4OZ0sa3qe4OAA_iUj@`+nIuT5IS!%)RHT-nGpy6z46-lq4@1fJkJ)EqVrI;O2}x
zAmAO>An;tCuQ))hP|O^FS$1CfVE8}=U)Ds~f=*_rC$5J1Ix4m$uoZmZq%!fIYd}7~
zsq32M<1~)*z~YcarzGt>s~T7<#xy$9!bXdNOa{32>Qv92mk%O$qM6;8VGjD%MtJb`
zX$SHBvg(38l7n<YKhU;=3w`EyRLcv->qEMTviB&6Pt#iWgLyha4tnnU8v4He`1r`^
z`#4@YD_D~4?d)i<JXdi;`V|vY&5(^Iv$26L0}oV^Amgra1yX7}>Es1J|5C!chQCH6
z&FfcLfWb!sV0;`2zjyV0M+Ch-HkIprrOXus^y<{WETe1uh-l@FZEDmLHlkMVXb-B=
z`HH&@_`YiKJ3S*7+VMD`N_+5iY}OgCtUZ6Uf9aZ;DZ7T6lP3+WnM=2>I<YsM9HcBJ
zGsig>xENfH+3@YDgpwh5<XX!S6da>gXE?nix?;`Ruop7Ut4p^|`(u7~>b`G|nzP?&
zAWC(ml~G)Y9bQVmPZjF_$E=o_oF9=#HCpxj3brotWWFUB?II2Ah1(qJ^jFmQCT;lE
zx+EVhgzVd3d5LL7zP${)X$R$y*tVSgG5w_uuh_vefs7V?5xaKTQ8A7h0B191%h?9k
z)kf@4fX}lnn!)3UpMVSam<V0B1N>^+6|^@(irA?x?DBUfy;YYGkUB&#m=DZ!BxQ_t
z+~{>eW=z5=&M;Iq>1kNSPE@&OeP|ZV=t!N73j?0-lsfQtW<S|0)k&^BUYyKKWoSR5
z56(jrp9e$-a}XMGBcaA<AglwCy5q$`SU6+Iyw;X-*35V_rZ5K+7Fu$u|D5Bxdv*mJ
zr5IGtVQCJWgsr#l>+y}xVvYRhpgO!3#gVRBsazeHCAgMA@b8zIsJPJ8)xIt&($Cw~
zw88T$exu9#pXZ4*asl71n%R}5gcP$k@9BZYj=xcd<<SN*5mI9!DJ6{=afc`r6R-Tx
zDlRStM2HPdC-186Zp%<-Ut6?9)EO(dz7(t*24EXX*#w?8bAPJ0{ot1*;%OBxV9H2k
zmF;Q4RusqcNzf0iy%R{7;yPQU#i&su40_MfK?nP3GtS^5p4H`vKO+!XkQTy7!>j<8
zBEnTn>Ycrt@231Wo(;As?o<<v46uJ<hj50MKdVkC?8d2?%k)8;_aXem#}AFaU&lmB
zAB&-qvO<xs1LrWcdA)Oe7<m%X&4VBxYWkmVrkycLnw?|mLrReeuEQ&<d<^HHi1oP}
zEBOYD)lix%3tPzK%;icdQ^}K)qm`(Lrxr8Fp2U!?d}=0*pQ~oPpB1`yH&G-7HR^zJ
z@o8JQvKUs@%dN3Saiou~R~7(Rc+Bd4+|a9S9th!I79e$CKM6u)XA?s4e-&Nhy4Xc1
z=(cTXxfR7!dYMDBvAqKfiqR2WlnTfcl>I}rN*v5dp}-sn=$)_1RD3jPtWv9v7kD-I
zCC8HTr@2M3qCc(igK#VFauVJg5RTIBpz|$se#*iGDbB|y%z7De#~v~A3Z(C-r%#qL
z$0f#Hx=je0q#-a~vF4zmat2F8C?2}aZ#<eLb<K6W`2SssRnKp3Px~A$K}{I%Yi;Eb
z)?b78wUs_&rcU4=A8TGiw4+ZjmcFkNE=hps>)@cr&|<H+#W}Ce`|aAqZf_>3EE)9X
z*yjX%bCrEzoMx@D&D$b;F7X=HKhRTOH_=#o$=Mk#<}Eeju8j9)-R6#~smu-#g#7q1
z-%aRUD=x6~oVS8G41BP(WVE&~Qsl+uu)RY1{9;-3Z(gZppzmS;1pHi=1RnYtWmr%7
za@M8T8Sar);NH~eSmXYD7tBiw*@d)n6Z9SS9l(qkaVVcl`!7X94nBfS&{y04)k)_N
zKWtSM;vD?(kVbeZg1z!}yiJbF5+MezeOCU?Mn4DR(Vm0Z4Q~;Hoj$(*OUH0JLEto%
zXe!|x02sj4))7!iDK8Pw3#h*dtGZ9=AnmKPiolHzgbaZeIBW%NUMVuUm9IH#>R>ya
zZ-p3!r9qj`bN|lusLEwif>zh?&8zLq09Fyb$v;}N46Z>K7L-r5`rY66A#TYp^yP1Y
zFIFeIs>{HCC*+<?1SY5-+GV@T-N#6M4&r60vosM>7XJkQ2!f!v%)Sm%(aF<G$1PD5
zkgrdQPrjS~DG3dVP2#Qb0(uRmVE4F=)Qc-1`mX9J6|3m?_Ai#;`{?1CIzyW|@NFsq
z7zhJ>1+zSDUS7QB=Ns9__PkO5Zt)4oIPIzQKYM7~?d$E!==A5+hYCe(SQf_$Z4S^U
z@Vq}SACeAA;>u}_a`VGEHP_bNtU;P+os?|heGS}pMfK$9%w%4*j4qMc33Mvnji_nV
zzP@>9$uZ7S8D@Hla0x<3(l;|Ohx5~LNWsY-IxVfpbN&YmQ!9auW5ucNHt=(KSa7bw
zTm&DJ;n+@+`+dC6^=&bsI|@_#Cuk`h@{&_X!C3QqZjC-hpDCUu9V&$co&8R5po#Qd
zKidsv&qi2xxma!(6_%8$w?^9ZqNZQn3jaAR@_Kkw{-%KzD<sShA5b?c9`(fb(-PPF
zsbr6wEg%zZR;3%-tAY-Z;U<*P+LE)WRl;WUVQT7ZF88vgWp-@FY76PJmUq2a3#KHF
zz#jjcLPK&S0BoLS<_uo!U>J2Pew~}Fu!)hX2TsN^S^^?ba{wM~6|Xd!VFr0RIs!FD
zB>bm22x=G}?i}h(22wT=@yL3DuRG+$R||&(dM7sXvxhD7>}e}Y5wY#yi9HCJoDQ|C
z1UcG*$8A*JGmrf0{FT7}NORE<K}VtW-7L%n#n5PEXh^?9C_842&hez4ANzuJs;b9X
zvng40-9n`sHu6s0^#?pt)dh|JnBUrG<Gt`a+{0|)mi;LaAfYx>{QF@5s*Q_Ng7JqJ
zNXL@C%5r;91Jw=*_7487*rFDdsyO%z0?_l;xmkE<W`MWwm`EL&0TI<gHF6;W<^THo
z=9&6O{%1-c40i-rGKELWWwteO`SruP{o=eBT8Otky#wgjI}3$}b#nplWLQgY@Qvt?
zYSz*kI(?c|WYpgBu}=LV`NU+NqB;)C^owf6LnFvk?5XH@&~jeUvFZ&`b@c8s@nx3#
zC|T|yreP|WZ|1KL<8MF;a*wobQsx*y&^{4xfg5mJ-K$)#hAhq&=%L*Aa6Qts_vc3V
z!*hhREr};2f66Ax3FU<*5#KTr=L)$X$R@D&TXXBm$zS|zEHYwZyXuGj3OQ=eB8L0(
z2LPl)p`%*M(l+Fhs|!Cw_<Dvj#Ll5(WA7>{0n;6zP&@@OB-&m+Ier$_e_mk_kw{8^
z`LD5%Ut;735T-H(U-p48?N+N4#wN}Y=6+ox0HW78<kgtFW7Y+g{$7#ZKtveAHAm-q
zcH}kl@<G9Ysx$!2Yy6Ar(sVKptShPx=C7Lq=Ed_BUXI=On08)1a{?VP*YaFCw=^1&
zk0QcOIlvh4K{su1{Imv5&zD%FE=iV3l|eZ(Id`b6h~{wHhE{|Xu$n2lXH+|PTf=-)
zr(IQrJ-6?O3xl*(u{`4$p|fcSEi9Mav|3pVBk_&q|4&YE1lS~8R2GY0Nz1Nxr?Thl
zffbWA*Cae7dc(2qcFUNO9I=i|73K{3iQNwqGf>-SG~ph6bo;Wr%2@B9Dqd%|%EtH@
zYP2Yvc=kB}16%$%R^v=b)Ku2k`5cZSxqBP|8_Fc%1j++K0{?4XzK3xN@OmEIa_a-9
zh)~Qu3_1WWQawE!CaHnFKtq8FnM2iPD4%;Zuxb!6g{)~R_~aq;Dx)B%a)2Ve(2-Hx
z2B&jEjpF$#DD6=<q2j*p0UKEdORUNav4nzMjSvyaAM$Oq{GFIGO2Pt8<4&ehNhZiN
zJvFF5JOaOg4n<{k$g8-f*!mYDn0s|&#MKHF5wgb-+|v1emH*aox{{djFeVTkiM#k#
zO?N0~R0q@+@%KFJVF9hk3t+OK_n0Amu|odA^64hWNx<J(88)-$@yMGeHe+oKSOl4u
zY~XJBci={H`$1m1pXf+Z)o7bP$oY0)n+et#F+jd6p;x3TB9Y5skB60_M;IYOhrfdk
z{@MnJ6p0KwC?SV}Kv&Z+_4NMr_P1L>3M;00ooV(HnmF}VFn_OZPOb=CoAvBa77f{t
zrNNV`Qw%}R-f>ksV(k7PrQtgFcBwnNhA1s2!crBjtO?|WgeahCYquMxYqTG&H1S9a
z(J*N`X6NU+yu<|ONxeF$l#Hs$j+0^Gr@|x(0NX})wO1`EGM0W?OSVAVwWF+>CzRIJ
zGE+&Q4OC`)IRX{Z;J!dR`9Zrmc(nF8jM<R=afhdoOJ1xb49#<z7M-_qUw&?y!skMK
z!nc)n;fiZ77WVO&rRrw+y;}{Xr{HgGy^l|<=v28&cD=v)!*;WTT?@h1I$<k!j!RHI
z8PhD*;Klea-jH%)JQEOi2N4hc<5C{a=0yqnb5QHEk?P7>?fNm>2vg85EzP;piwipY
zM5Kj(u4y|D!>B<t+o7&_HbdcH`8y$s*0OtorIGF4{l*ZLjdrR&%i->L(Nv2<?)XZk
zf0+Nh$$M#N1yz<9ysZNbTyZaG`NkFSU}Od>Lu97XSN6fbsbkarS9Yds;hMBLpT$e2
z{9}HkhJDzt1p&z+MFge)<(gb+5qB6)@jBBMwiZPof3dfpOMA5+PQsuUnSaGf8^voM
zZ}GKLk)iBAjer=|XR{e<LdWlWU2bxk2;*v}Aa-hytSwY-X!T-?p75037P{1N>v3C9
zNX$Sv%bYoT%*tyoO%VEuiu#QLb#_kvH866q@cB^5KxSq(g`J@-{CPK2i*K(>Z;AUI
zgIeqvhogK8XFIprlq~dHkjwOW=gs$td+*gqzdh*bSvaWZWBw-Gi!c4J*2-Klq+6BG
z*R@N<d@r>y{pDCfe)l~97Bp(d5xcIg#XV#mpEZr(EzRI~c#o#6m=SnbNZwvO`Q{(!
za{JY2Ffzcch-x5gJbhVd54G2khu%PTr#50T$Jaq-l?+VBeUc1AV9%xMY}I3a^6fSL
zO;$*zOi>yhYTA_=*3EI?Kz%ez8A_$u%+NZ)QQ}zI-Wy*)bRm8pFQ7k3`d+L+dEI&`
zRjlTI6JsW%uOY!RX^LP@4BHxEk-l=cd*teTaAgJj7@0C$6YDj#RBBiOa3l_()M~dz
zVm2;7D9j*!;`5xWPF=0%+fAxZ4p_hhUDm^mG>P{exy*?BlQ&k2#JI89lPRSE7&sY=
zfI^o$3%ZDNuc@JAjdzzT)Mu4`STW;U7yK0#fs3gZ1WrZW)1q$M#A0jGD9cy|re_l2
zwh}G|D485DymlcfZ#Y}0ch<sRvgcz~U6hf1*_w5i(o;=oBaQiGSr{9Z^cLWZo{<9C
z9gY0R5r+%RSTT~eMCi(29~-4^;{45zLnmgUb56kgU4MUpM{?GE@XQFRL}TZ`oS36b
zsU-a{-Tot+rLuZ3bnJYg_w`@Q8&DXOF&GekZCvh9cpz0kwmlqi%o-t6#V|$vGrv<g
z_-9wG6@}fmY3)f?g)e`JVw5Qe#Ty2R$jb^)1-XDHB=f=t|6|nu8@26yZ|Hl`DzbB1
zKSomb|Lfv|vFS@$BASNa;rBB;YgOymTmB~9gEg~J$G93c55+{0NYQHV^Ttc7Y9%4?
z<LE3S!%}q~t0`xO6^9xg9EWwBpE{Qx-k&6^8+_bQENFLGZmM};2`5Tr854|An|;Pb
zZ9`8wE^$lGGTO{V)!1NqlB_;*z%AXP)}gFh0i+4@5d~izN1s8_vIG>w#86q6On6ME
z%RuX875R4!7ddE{4s4SWmRR5)JrSn%d)Vi57CLRI2bDt|;4zn^ERMzPkS4vNIv??K
z-Y(Kn;5vsbbtG%Wo0%3qI!y0l<0c{v*$*=#7lZWZe&yf?FRz{s-f@RNh=h|?eh;o*
z;)Ov3M=MrURTuhBLWTEL<-h{rB|&?Bo$di@W$3xyESf%~-8f*tMRF7%_6C;T!QndR
z$4ffX5AIHvt1icH_1jLCkPn#4b7!#&q}qT6+S(T@l4gpRz{s85FnlqMsTG5~x=XX`
zWd@OiE94^)>ou7GCrx349xl(`R{A!tp`zO~WQf!-bn@y5K(r*{l0O-dhc4PyValnk
z@VP(w3vPFOB$i<Glqq;Z6J6ss|CHA6XXl~cJCc;z*5w{N3T5ur<SBm!g5)%XKQl<-
z+zk;9hha?QnH36-2g(D4pF^z)<IQbm8=&Zj1dXx;k1DMgaCu3yQ8-^LL(%5*YKtsH
z;h|@Yvb$v;hFlMXApu9|F}V`sH)>IN*{;gqtBLzd!*<ZD%Gi+4{6wBHo$GzxZwcR}
z?7L|P^=db})32UDz=GZ71GFS3cW0_4?0`Q&>@S=z(}|A@NkO0rh<f34-8tde$5r4z
zlCJE$>r`Z$YF?D&pEzh%gq3#QI^-B}MN^uK%b>yMJ~gP9e^YPjOl!eU=eu@}CXgaP
zNU0#Y;Q?>e5cXOGMghi;Pk=*G(MVBgVk$)`T_fFja)~orxhZ0^OpkgyWA$Ps$sKRF
zwxnTLM|aD}7kpl0EmAzlB6W6-VuA^`P@pytmXv|&fvWt!K86M1z#wbw)__s^OPV&;
z)x{@&Eyj#L3^1hA?hSNjcbVd_I7--`EWO+RxB@GOnW2b;^Ns@lSJr_zUCyBE7U_Rw
zwI6^ZWg(9_z(Lp=*+8>_u?E}DfOpaDkLs~}y@3n6)o%;Ggxu~4t)$2)4u~#Tkzvq*
zl*oV=xa(?Hi3$w4^Z<|wzg{~%;rY5>o+S01d)HFfDy2<W!H{xz;>4?IE-$mQt5xib
zC6a8+chU%HnG;;CL0^y7R&Aa&D3UGkwel{sGjbSq;#;)q04e25w2*M|wwuu0mM6MI
zcs2XY1J_%t7i<XgmC5e=<Ex8~bmg7(PR;xM9crf?{f(h@fy<{D(UQ8kNp||#>Y(TI
zI-_0t>eh%MQ+s5m-h1x`JwqpBp@1)hSpiXk&Ce9>-PhGF<i5`VVAbC>W@G<H_a-+u
zOyDr65lEkmt7O0eXLZh9RE~Q9f}@}@;F+ZExwdk2fzXj_Cg!sI^8ig$q!@%7X48k<
z4E0y`J&l7c%$-9ue3wuGGn^qR82@8VDA9ZUo<sImVQhuL=4++16pFovY4CS%IMX16
zC44Z0Sba&ox$(l&9VC+iDL7N-Rai;SWrWbXD!~wnS+<T@`X7lh2A0WKh?|s$FzqLc
z9isB|>&(Vb{-f22xlduV?Qd$@r|-`>zR^*tM-Qp_a-reT5%6kPDEB2ap7;yTC%P^f
z*(60kNw$(?wyPyLzFd^ONkLLj@;~yaoT5Zk2>q1fX-o;8q^(!e2leNjz^st<v62SN
zB1z}ep3mpgZ7)#E257wP{`qBv)vAo;n>lq*id%at=zl%&cX#NihkE32n_L?^qT;Ww
z)_#akU4w!HC&va1ik&)h#@WkU&cXcSsc#cuILWZmZ~#SQ+*Xj$n`Ku|SyojG)n?QS
zREh2ToK;mXaaY+$bSByB-r_-qoW8FShm3Jy33oAeNr`MeTnW50(ZE+R+mo|Nh(}q2
zyS>U100;XCp(V6|+E@OT-mP>_i*hHDToE?%FQL7zL(Q@OFuxo#=6yQP;s+^FO27EI
zJfm`B?tf`1c(FYC;lPBLxxmSE?(IHU1k~t8fxdPXO<t7u;D})al?mw@1pGK~{&Y)K
z?3MNA$AgT*`-a)Bg0IK&f`I1@)1ZpVkow$l!=^ETt**nK4>3uO9Uo~cdv~DIbONF&
zhg$dj-NMCHw;RZf+k0*Vf%Fpft>d0X%*jA$;1-Rc)N<<!t9Qr~a3)T*l0m1$5uwcl
z4=g-BUUlSQ<>USc{#F`d1H*X(CrO;wpr`w5WiE(lawD)yk@oTN4{_qE9g4FqiuuII
zTkbZw(RtBlvIuqCTSKN0!^OoDG&Yp=^+%r9&A-k67u)0MjagWK^~^~i@aSOV?`ggK
zmT7vls}OyxZ+oSSz*@wyh9JM4UzmM<4Kowd%{3Qru0YW36XqZ#!c`99L~8h+!Ncy?
z+;af_I)fVYhl;osp$TlASgpDEe8_msGUAHndfb+B_yPnYch^6;$YBrjNCY|Ltn98k
zK6F_%5+9?-Km@m`TSxfgtF7;Ib)%D@>-qitwBD(6_sMWRY<#FasA217Sh}^sg4Hpi
zY)kv$u)5Yk76lQtH2|A?4OrhJXG*}4ccfD6)Xv~=-tr@SPjW3HNzvJr{`}fjkdI{|
zHw;U6|GM1l(`o;r?vEPu8nmkeg=n1nE=#*5BvlzGh|s^_djD)IrOq4@-O$t)?Xf1e
zZhZAgS>z<_+RV_&YMld^GoHM%4+f?WVnMH0NpDPujwT2PVxhoS;qRWlprDr5z3&5I
z0<MgRsyVOPD&m@qmkdn?Ps;T#5p9DgXiYt=hmI_0V%NsnrA>6i;hY#M5kndI;Q$uf
z#9b`kj_jHo$u+KwwTvMiC@kCs!b{U2@)7%*dW3m?uHzOwv!?s`nUL%Z4_5BlCqrSh
z)>SY%76SF-TEr>}3Zq($g+-2x*=&n_AKk$c^$7wRQbfGtg*f8#U0iDq!{xMyxl<an
zMyDiAXh#Tevh^)}d(oU^EAg!t36&ILl}X}lkQ$}o&cSo^lm8b^(hCJ6j+7v*BK&3D
zup#DboC>iED9KWBNqpR}$wO;kP;qj*Go*z*mxm;NN108pg0_C~)Xw=gun(f8Vh^qF
z*gH~i@1h~h?j)e&s9vlTpE?}eRg9`GF?VcdHUxP}{oDsZy*F3I{O8M9BNE~f=@Qw`
ze};H<3|gnh_uySykY&YDM>)O$O~%+}o78Kx6G}`zs979qQJq?xg>67P-F8&NLx*VB
z66-%2+P~|A5VqgM5wyg4Z*>x!_9bDamSV+BwiKx4{ouc7Ns&aMD`I_PZKvw&Q5G+*
z<HGw2^4t8u{OkJREaNk<Z|AzMbA9UYYCtgT=F0QW#;(8~61dC1B>sewEyov#;B(!#
zwDY@W7GTb2!FP^uf;ish&f*o*<c{Nmzr+!75jhF@su=pKjQTa7D9yB*V}JeS!NzkX
zi45;xJta&DoobE7#Ay*Kr8Z7%zXwc5X?>+C-=rCraG%azmzS1Jr&p~f1h5s+l&Ui#
zH8!Aa>jfB!0=;Z{2|?KBt5cKS^lsKrec6FN(u$RLT~I@Gl>(n!n5T!?M7{Duld)QJ
zX8rd}Tu`rKjva1o*o~7V=a|xBE@&{9;@~joB<*qBuI5-1_s7~l%YxAi5l;x_^{{<*
z+4Uw7;qn!E+LGCu(=-K};>i~e=2b#Z6PeTLdQhOWrIBf_zum9clT!cibBY^3?-pvW
z#=YTUU9Oy<?@%W}@7GP?PvP$cY2we1!T7bgf<*zJhbQ=^?!<@2HBIrQx$ycPuBrF0
z(35Jtr6OLf@=LT!6jE>Z2%v@*q(P1W2WWb-Ygx{ZZ2*<~h4T&{Esz8Xd+aw<$n4W}
z?uwoha#zhmA~P--K13-qw>vf?c1+G_&o)6A?i5>*Ju}+E_#_<qKXBbD`c&#%`bcmF
zl~JA$ksp#oMT>oItP#vNIPX$j+Dp}xLc^%xGQtxFz(wpk#%pFHlO*1pZxoCphufK?
z(@Uv!1W+8K3<UB$9{dj?aLKy+w)?*0ROdMd0~d}0XIPD8H|W3BO76~M%wTRS`Lj@O
zO_byk=42%Df;+e$<0R}C*ENMczm<wSaW?MUSnf>NuF4Z7guni=5LR~w7VZc}na|aA
z$+sLwRP>zC=hMuL$8EA3(KX0b;u0b_f^#Zam`uB2nn&=9jIy&<j73MJG){Vd1Lwag
zvxT{s6a2cog1Kh7hHAP$D0(NTi1NRG{~dI97kFH1dKl~a^ylIyK;i}lurJb653ddZ
z3&4Xlf)!+U31>6V)XKrb*k${647g^VLZOk3jSRnz3O-^!Z~mU1E^>y-mN<dJLy4`9
z<i0}CwXqt+8Kwy|6fdrB>yShjuiLjhR<vGgO>yQacQQac7Nt6Me$A(a=W9ZYLIa$-
z#Y2t7`ccw_=NBTm#IKY=jHDq`Qc8S#Q&o^lFhQY0te&&8`iksn!%EciA}{MRf)q-a
zQfn(KDd@__cmm(w>W<bO>zLcPnRN+O$#fA8oy0Vvlq^NI?qs@E^u#fs{dCqAHI(MA
z?CN@2yGhhMY{?J&C{M)M{ni+a*ga@Q=r~qlrpkl9s{Zx-W*QmcBQMN2m=Do6qmWih
z_^tn?=mE>`yCHA5A#9U^F<iSohq~kgOu2dv9ed;YaQ)`L|7NwkNMrnSgf}XYK)vyi
z1Wgz<;Ix6bt-q~K4}da}O_15JOci+>dE2;5AX?h)_!lg{^L<VXnE$%6{(ipr`#0Pm
zGEOB&Yocr(|M2bMZR&}+Zgy7KxIlPbGAiDlXQepzI<JHophZ5598_81U%v}9<>3JC
z^fnzGs>(ExLa9&3wpQYA&-+m367w@}A<<gu*op~kX8PN30Tp}nr%#<U9@Scu<DQ2q
zYq2zcLTxsvO6p;08e-eln@1cQVoICUa!^Y}h9XeQxhWAr)5=I5b72ntNd1iC#G}_D
z;3k>(K?0NT!Z8h8L3T!Ghs2UdW;>}KRVyUUy)_8>ABM06=jLPK^Y(LJzv~I-@M+49
z@#!)lzxkR+=yRJXJqGxajlzFsB}p3tcFLnzwO(UEFm`zj#Tc|&d>74DDWy_@A)OKj
zdr4gNB<tTW7;yRUHRAiCQ8VqLE#k0i3-+7VeMS+@w~}&b4cZQdMXH&S9D}@CbG+Ev
zT(Xw?A%;Sxr@WJjF6vQ&jParLsX}APnmhOER}pxyn#<nf^}hAg$;igY5p={qzS~+`
zTRY;j%z=*@xQhy{wp}opCHQTMkwHSI(z5b$%NTUlwfBBEbWkq*mNAzfAjPaNBhK>g
zPPtcI&r)pi`BTac2^JE^vT_(Z?;5Oc(fq@-<~n;7M_)UULe~M-+xE}w+-i*O&VLwC
zygi>9!wpNR0?jZlVpxzf2=J<P7LmHh{UN{1lUVyXoqS`Z*qv-=Hpo4`@)^%q5lA21
zA;sKjKG7m7t97R*H~iBL){O%{&aES6VgmcpChDd-47FJH-0xIM$*X?pP;W`NpcuW9
zLgL^dv9Py&c2@5NUS9RQ5G`BTEy05y4X%|0a$m4hc1F)u-4-x=kzE=2qj|~2cBtjW
z8{)NHQi8m|j7oxG-7q}G>2idwlZ&Wxa5;35JMXoIg&rNJ{vK|C&CIdxqcHEvV>HWl
z)V&$iZQ}Jz_jtSCa|;SIEuwwNT0(bk|7@jUNIDb-E(rrS`aYH{ReK+Hq00j8>pI1%
zjr_g^HP_DygqdRz%wOCum&;fSh{FPzD)A6m_hCfl5{GmvHmo#3wf)T41{RHf!+AlA
zy#%bGAljIVa{nT`Vlv!n{(Sbe|0e`LeS(bX@1dtrt9A71%#m(a!quGZ&TL6V-rtYB
zzw~~t{Y!$gVJt4mdA>WmIA1ajB6yA{GO(v#e?uWFho!QuwUcxrLAu~4p#7Kph1CD+
zTFCy>b_vcD%_eKij7X7q57OI7uO18qoNT)p2;KwkJ6yg%xI?P(uc6%SzudDq_kZ-l
z5`<*UmFGi*z`b$=1MaRPRQdW!=9s~(gr3LQ<-!1TA;GAt=n!3L5A!zt5k&CY((^1u
z?^_H-sqw2+1nuv1lXEE7n7ISW5_!B^p6CW^QzQ0T064fWlmNZiv$HDBp9R;aW%!*>
z7YuSc?&7@qi>Iwygu(qE3NY7O;(OORG6+Yg?>y4%4swQFz+>&ckLmI5lAj*Jj{||8
zo?7WmitI+_Q30(#evyS&GK^vv-*`QGA#|Rj{;q^1)ydkoDBke;+)IkiE|XI6oJ|Gu
zn7r2f>&MtbY}%=6Q+TV80_e6&%XJ#Y0aTY5&L#YcFJY?DSl}m?lCj_e_hb`ebarw1
z9tZ_CHTu3kK3Eq78KE`0e3mnhN>yKd`ibIT!|Kgow<?8R0)-|Dqu50je&*X6)ZxI4
zqx?l<;R59=3s4LTv^sMIEpZ8XEW(GDE_9Qa0?W=6$AeZ+b;ikN{I&CBg%c4-a=}Iy
zZV66<v#)|<Str&^nx^Mbu}@Wx3Z?!iR!dX$v?)|^iFUnI^Ha#;?YrUSR5;z@++%&m
z+)uuDo35#~_NMmSYECYDD|P}mo@O4NG^Z6ruN4*y!eZ(d0uIzi=r=TMeGm%?GYjK*
zFyeYJBi=6?MhwYu3K`WyK8lFk^U}`eYJ**@OT*6q?n6sUj~RuR*a!=J@3yX{DmLR@
z?5Vg&w_d+qH?WCK8<uR4tdt`8848z;`OV;wRh`oKK(-9SKQQ5lS~q?(f@E^`MDdpX
z7#`t86@)Uc>WhF!JM|2DSYp`qF)Z!nRr9s7x=O1S18&7@C`G)O-Is-sz#~vOCO=gs
zxAJ#9AtOHvndF}8-7b_Tu48ciPc?BEpM3Y2D)9z%A037}=iUPwA@4f?SS{w+bMIeG
z4{vkT)w_@zTgZ8@77pEHcf)!QM3e%MiDDaaWFSd^frjW5QOKev9Co9bv;NPl>JB$J
zk}lR7a1DZ`!se#VOEc{HkT^6J9~oFbDucwRLRmNn45nO;NK|TCXwPd96YQ?zv?Khz
z?+Na{JLVpbPXG*!bGV((%;DkjL66<{VcYizzw(-fqWctrm2J3982w^3j^ax$C#wg1
zE1Ec@m<D>Wq_Cb1rR9#VbSX%uY4&WogJnQ4JtPzNCGHhmw~#D`<?pHkN<uzGpBBiM
ztp>vXSobct4|({(d+SRPFg*(gN#?59^O~D?jiap`m-1-8e?yLP|GU#8%~EVae@ePB
zVDUAt;Oo8DR;bsmkI&0faDeP7s(#CnrrWc?onAVV#>dASce&AHBA9@hU@fhZQ%aYx
ziWn#<7&h$e5Q3mdu38?+>bE&WA^I55P+_ndR)mTV)DBs5kLnej@lVEN^O^Wlh0utc
zgP5SxCZ8jy-v~M&6j{m>2{l}zFGF|-sn+J_7eFR!c!VR};i$<PHX}*ECu6VCFn!nS
zMw`sOJv1%ty~YK--yQgYoM2;H<LKYw1gk|ug%5x@>2>`sUYf9B%QkywFbN<|x1^V(
zVN0TeT}Sp*nFO%OjO^}y&E#-nJ&dHJl=o|%#&k@NVRI!lt!XAb^m~x_2oX+fa~f7?
zMOIQw3erHgW00HX4cLHND7J^&(1zU0rj});)?1FYGg;Bs@a#K4@fdjTsIIACWo}x&
zDJcDD<v}iPwK*T(AD8BtVL%0mBk=kahQveK|IVQJ;F5e=;r)wHpK%L_yh_JQn81u7
zTtXP!qXo`0=jpRZ(Ol*Lv?sb@ewCDF1e?1v8<M*9+Rf;Xi)+lye0sF5n|zB5{*pY5
zuz<X47^+q1p<A1BT>(?@>?sY1e1p;PNhqod3xr|ynP_kW@Ww0bM}K{RyW`DJ@b=kz
z5*M$(GY3=~kT~0F^dn?co%kyj<Rx+ZD;HtaTg$Wkk#0%EXr8^#cT8SEjYh$Qhk$=t
z!UfOigaF|Dz-_0Ud<%)IJ8xoUNgz{JUx%v&cynZ7@$*BrUU}uUj{c@im{Jn$$E5iu
zt__TQwYR&m_&ucMIBg5{x;Yrr!7eFRG~>J-4IL?O2YLjZ?FW62^?f-nxYn+&RO)&d
z{2{?pTJvFr(gX9O)l6ow2MvC^)f0!kgNEBTwv?O)u%*g{L;k{Os@+!`8#T6b(*t2;
znLYdgUefP(!1r_L|J&!!fR)a5`KvXRP`n(e1DD9J(^<3Z5)2OC<H9Hb>YVi6z$alo
z8{mMrK(_6Y5y5;Pd)K10ALf@4T5!fi-Xoj%n0Y57==kbNaGRjOym~3jS+FB(*ou0o
zg<*-cM{;S+&vFK#Cv@8T6F~Mr=y0(Q1fG$36&WgyvuwR9!Z$X98FFZ{9+gBgE2*j(
zejblYz@F{mg@ml~_J%7fuW(v%#pEdOSjoN6Gfi=MR5^HSc?LZubBHhzfkV#e7x1<x
z=$4Sw!hki>V0?^AQ)zX!g>Y0o$x&cpcz3q<NOmL3wdF5SWCTIcC(1Qij<ruRg;b7N
zD(tJ)Afelo=gK-Cc&!S-SxEq27K<`yQTY!Buq)M?3N(?3_Jn*2n7$Bzg+l8f64;p}
zhk_ST0=)7)LCINwA!yEDEFADt5O4F&GSI{{=k!x`Dpw}9eO3HjuE>ESIVAANJ=#^U
zmST}bjpX>o=6wYaPC1-~mCpC0x>;hOfPx9iTt%zg8=^~RRH?NXRKhCG^HXf=_Z@VP
z)~lg}4-n}gcpP4>znra5nXgT~QEwMvzPwvc$}axymkN7Feo{ZL7}u&!T*LDfxXQFg
zU>Z$(4z_kf0?E1FOAk;GQUR{6&)PN#SKNIQzobBXZ6(681G={tt93PCMylXZ^~A<j
zSAA8pJ4t1+gfS93OV{m^!h+*&Fl-GA*bgG@Ou2X$N0m`&U7~^2iIS{QX2J-eU<3tH
z@=UcB`3atl?$D=R+5MPhTX3gDBK|e>BQ~U_F~c?jy&nE<%=mk}xwJLk1wpS>2?YXz
zfln>kyT0uBao*{3WlO|gMJ1(#pM%Wbt~)rK_yx7LHK2tlos8NZ8Q_dAqH>&*6xIuR
zoP3Zq{A1~wY8U}^tOGn;)z?F+8ftu#1SlrvET39iN^MvfZTr9a(U&0|$2{%-bNMSk
znZHpB`RNEUEJA2*ip5c@OAjx__>|U6mXFx9i4?Ru3JR}vA_VZIc-_qp&B|2+i-&_<
z8-DTxhAsr$hM^aK8!%6G=-qZp3<-`SYm2Box_HGbS<f5_C=b`*uQm1T2q?#pDMt&q
zOI5^<uMUvoItyUulQBUSn;Kx-(=)WRmNZNfd7$*5BLA`meWx%$quWmqn>0~Ox8!!(
z<=Nh8TP?4clPtM88X9WY<o9`heF^%0!HOAKx|amyDV9uf??;Xa0L_StXZ{ga>n}MW
z2m-n8a?M|YZ~l{RL`B)&xpcku0zkuv<YgT^?B(Y1xp~lXgfEa+{X@`rnwQfr#Xk3J
zm3kFb<T+$&#dpPHXK9JrQgf*FZ>pVj`x4p-4oEXWp{F}s@pSWDk&dRM*-$Z0bl5Hh
zMKb;wLfpH3{25$DvU9E#2r%x6Q0iBy7~QXU3N(?XV_3SzFjoz_*9=)A^;#PaVo~dS
zz+TAbQhyG{Im%N~YLx*PEp4y@&bpG6w7|M+L!hr%I=n6aEhmB7NZ8b<uT$A5?!O5A
z(}UyOHhM9{XM|Vh^G7trB_H=GQ7g2Qxg9rCoT%TdAGo|H2G{W4ts*>8e>9)~^ufbi
za_xC>GsvMX8g)6h6SA-47?jB&XYx4rdA_>npZ&$U%0=eEnlN+N+hXqfussp<C_si8
z{Hs!skd;MG!fsMARfd%|jV_&huTN6w%8=6caYSe|MH8&oSW3xs<wbX`D}vaQU5R+B
z6anbQF~nWzdZc))>dsL8aUSY78rcIQ3W@AeUkZmU)BJ4IWnNj^^fKuP=!mrh!4t&N
zx%|8j;=Wh<+ufk|@B*8rE+-{hKI4{jW$UJYQCdmNeGgxu#=x091+P&rM<agS>MAMr
z5f@lelcGXN*|>j>H1I}<X*#FSpIs3yw#i`EAjx3kM$mCF*<>I?cL7i=M!f6gP6|~E
zHdr$cZTo@zt>*u+gp@{r`cBd1LG9vr!4r4Ka-h?yNwV>#R|D^Wav0<<xJ34TiGgA)
z$P=2u5l&BJ5ll&@<7l3C?ta`KH5uQAwzZ{?a(TO`i(_bpKfulAOqZ4wuP12e*XU)%
zlmBem^yvVk<}xlVmkivqjjQXY`+jt4&7HZ0%~7!g1Is93D9QZ+Kt%3Ya#gfo5jd8Z
z7bCO``SijMqPvEJU5k(%-d@iKo0qT97tLgisz!VK{sM|hWEqaXR07G^?=^7M?LSZ)
zI$<}RP1xzJLtZm!G5Hhuw<v8rUuJjOZhBqJ)8i|cq8Ge7ZzUUS9F{zyfwp+57IElt
zLtzC-D3A+NKRWn~H5Io&6|@I!E<2RO={GfZ7+Vw~L66BhE6*pR!T1IgmbtiKeq&jV
z5*E6~)ROk(A+@RvMybI1?-$(xCus-O;B$l5ag3^iwOoX*J6r26Tsd$+`_Xv_EDFV2
zk4Ohj(9rmhKgQT@(XN6|)yqBolg$+~R+=dZ;<*?>&|2~yrW$qYF7yWVvERNjubp9~
z!#Omyg)TSU<Ts6AlzamOcYaeKOT|0W&C_D4VCBb>Zk>N4lMmmdwlCaaj$^%ldJDg<
zKx1XuU<4qpp?m^v{YNevtziP{2I1{2#W9J8a)1&inHbo@?4$A~PsA-Q@sJ$#3Md0Z
z6s%ZXibtd9SeQKCs-ywoQTyWZvLjJrg*;Yc$x4lnCLFyk^<F$V1XuAdUZZ|Z8y0M!
z42B*%zJ_MRtW@HhwUvDB!-v_Ka;|@JLG&WyTboNL6qoGzuFaAMZ@gVub|%o<30W*3
zHzrD&Qmjj2uV>3-xJtw94mT>X1U7gDUKehGkJ^DiFJd8{uD4Tq?)c|9Ez5{!iOf^_
zaEM>qx)<}yL|*LsbVOXUgJ1gX9Rr#_cVD}?X+s{&W6w9^N2rJp7T^FZ5<iLcLlh~u
zpeO$8@b;JTc)iFyxwuj_2t(4;b<6q@?6R7!*kw{Rd8wc>McaSS9!&`D0&@D-W_Ym*
z^l;6la2NkaQyjH%VNPv-<UEw~-21aG8;;4Sl^9kR2{40{DN4A^VNI|-=o__Fw~`Cu
zu}3Nx@h*3ig_d-|HVN;{>_@5%V(TaEK`B~f>i%2Y{Sy&9&^;6t+B-Zwugs2UFR0Iu
zF}fOsbuW6P-Uk|k`qwTx$8ZXrEUM#qJH-C`Zw+6MMEXxCQ<%%aJg*GT69F#b5@$$F
zAPqd6XKKaH#!cK1ew*h~Zssdp%a7RG4;p+-SP=Ss%-~(Z`3wm<sjPE*Lv6*S+D+e`
zR6G*Al)Imc8P!XMJ2k;^6Bw-<9$MUKCchr`L*jopVdjP}A#4qz7L)4_q=g9`am>wQ
zN5#1ofz&pyuGIWeXN17yKuzT_Gowj=w(+v1gcZ@6pN-VJaHy65cbng}xv{s(`deMk
z;RfMNl55D^VcAa`D`%sJBACo6OVF9gUhs!0EiV<;Kecp`?ObwAKVJ&WyYx7qRO_aM
zVN6F@WS@o(HiPCx%?gcQ=Nmx;=yv$dSo!HPD{Z<pFG19V<C}wL(BwPN*jql?UiFCo
z=N8CN<?St&yCZ&foi+mh&env3w6gyrVYhbOBpMV(r}>uI*2$i3(cRkm?GD$Iwh2Q$
zNf-H~L58@_Djup5;?oAgEea5=V3sGO&iy>foq%lI<KphXm3KP9qb*sh(JTKq>!w*y
zFvlx+Wh<>E51BAUj{*wc0rAgefX3DDdd!Y#lYGU|lzW;b#k1z!EG6m`+gYCZd0f-m
zl`7?(O~K9p;L{d2ZlY-f=uDO0?d|dk2fy!U3%^sh=ULVFD>rd3@U=y`*R`JCkUP5_
z4u{PE8LfiLz)cKvB5KV#_OySw8YDH;t;%E<xoFJhgqK!I6UK0hjIf^vtZ09BKYWCw
z!vg-M?LQCf)}td0spDiLKT9<sr6vrNvDqsUe8pKNrtOJ8<sEp0N>=8lGut4Ef0y-c
z%-U0frHk7tCS5pI-)Jg1n1DYN>%8K7d{iR@MG8QFJc`P}$f!*J6w&o<wtXDXvjZ8s
zGa3RPANz%*{U*4ABSo2|KoRT+f~zC`uatK2cdBhR7@H2)K%#9n2<}3^vV!)L+EuTV
z-2CAvh_tE%Z}1(?FdYAW<;bLJ5+-}vL%k7W*Nt7mt#NZz`2&1&tF>IIB-ajm*3xCE
zhh}Wub}(=2f|9`?f2*ifWT8n8D1|v0)v9zJF-uVD9Y}n{(c|Mr$sXCwwQ6=T2#)Be
zt7eu+LVSWJHF><~i`7m?ZA07h1_ge2bVkg@`TGQ3qF;=p-#NSqDxxkbbIVb%g8P=5
zBS;W5T)(92bnRq)RmedW+%lMmYLtlTFRvs+R*@Xq6oohgcY>Gn%=z|U&o8Cd_~yK(
z;kIP;O16@UH9)O6$Zlawg=_FHh$gIdaSa9uY;2JK!_+r$=fOp5zOkLgw%u5bZM#Wh
zH+o~+wr$(Coiw&>P1byO*4+Pa*4cYMj6j&LY~XqdOh9Ar1E|npw=)<Zk#Lky2zf^O
zb`JEA`aDsLhNwt%7&535CD#sl;+@qr?U7EhE&*ODN*O(R7GpnW`YsWva48565+Gke
zIi9J0eA*T?yu|3gQGGP}Z^){6!>kDBq?O3lQn`wUD{&fAFrn-!&DY?eAZbl!8+i&`
z9$nj#!6|y6nIkadW8>H<LQFGIWIg0%b^UBcY8)hwF*}i}(Okp@#cY(;W{_NyT7oew
zMH%ooJd9L-jQ0L?@s{5k&I6&(pt1^OuS8PKGh=WNU88F$EfBStmyx}-axraku>;xx
zTiWZ9z64gbq*V!Q!Ob%KY1JZVIHy6Tx_;{#m*He8{oVv$)6{alXepgBTrP%q2OBV8
zNsSn$fGS%%bcJP|Bu|x&YqHek|H#dL4zE9JPGeh^JPfq6Ud-%RcQ)OJ_HuB(c#Q1-
zc=zbycKzDfj673L<T)5uB~|HTa!l%r1TT_;b5xN`rMA^6$F=76>w0Dr3HEB)%lRuK
zna4S2eLszm(a#4?;a$>bW6}Bl5tkdB$==Kd_wM;g#<iu1qe2;$3mMHN@}8(D_42>~
zaWD0FM7SoO9cJerL_j8uk-<4zI-JL*_+%;?tFS0_c*kR(me;?Y5h#&{C<)pI7szko
z#e2MxkkRK<frYcnf#wm>2lKO2zy#1THlKgxG=%vnxcQW5PF`L&oB77Lb)$|$9eNYf
zYdGu?NU(vwNEU*@U-UkG`V4`6P>4NwwN$L9(3KTDy7XgBbn8h(bjjxY1Q(aRy``Pb
z<ZePze&jD2g9ZDd8w247#{Oc-Y=d;w(6d;rI{id|LRr(R&bO)cr%f>)89z&u63b=X
zBoh~X_m9JeGngJ7I&z${6O|}b>GlI0K*+3{Y9-E|61#B-Do6|$@e9yYJs>tWH2N?0
zkkA;&EkIA%*Iw}NngJNCc=WHpO5Y`T#Xf#Ap&6?~tV)^nr1GXRPD(#!$2aYM-&*P!
zsxhN~s1(o!lG!lU6+v5tU_k_A3dd!n4No<dlFdohgw#Qqm>`|MWan`}DI2VR`#Zkt
zt~*V-;m>@U)ObWkW_^zNUN}tdwv7*=qU!1H7=kp}h1qd!m`#JQtEDgwbA7a)xa{Ud
zT}4AgW~P6js>#2&F<p($Xi0bVcB{MecE>QUGe*pMT?HerUuP%=j1Q7`K)RXuz(6Ac
z+6~Ca!(3;HI-ynPJNVN-3mHF0Y}j9Tx-PF1HRheIIppd;EZv92tG7Hq4lDalPVaBt
zKbn<I!@##0;%Qb>ryirD9uaLLirx1zJ000f=s-@dV4j8)pzsuWDy9N;P@ex>q=&g>
zQ)4sjj&V3uDyKLawTwDy>32IB@up%7f>T&8FY#u1&~76#mulYuHN9RZ<?%Xh*C2Ly
zg-J7<N0ro@G0Ur72+}U_&-L3qJ+nhib6HK1vgMwTO!719SjO9ke__TA&p>Sv!ehK7
zkpT{<J<{T&{@A^MabaZSy=SqgQw@SoxU$vgay%N=R<*4`*8lGZf7Y+QeBxN05j`A#
zGet)`Bs<??HzkyHIX$x~6zbNglclxgJj)8jOx43iox)nu5#1U+OTr_jl}ilYr*TSB
zBDTo2`d&|M5cI6R1=ZRotm`5gyXkeYl=<CZ9lC%+Q0NI-T#Q0gy`-w?%quHI(>UMQ
zMC%js6Jt{WQl5*~l<~B&&~jMahd8aR;nyClU;+vlPN9#sBpu{1{~VQXkBzLU?z*!N
zejS~>>Ly#|{;i$2J{AWK=3<*%L5j=}O{1!|Qjn;PxI27c+M%td)rTtINKVG_qzp3j
z8`eaiCmgc|6kJ9GOjy#o;a+ECu24d;&#nUtL95{(pjp6ODCQ7A!6BoG7y1fr$Qf9N
zxe_qHAdM4X^luM^X~Mh@*jJ~MGj0r)l37LuD(Q%F!+t7KAVf%TDYMwCM}i2YmxrEQ
z^5iQFl_E8VZbzi`#oPcxOhVlDb4nW*6<7UF%r#R$(LeE9K=#sU?5}>3#2$thGkf9M
zA@~K!TPg(*!RRDEoj>^*F8Br<#G=P-SarC^iO!b$P>NlmB*`;sU}*Mc=5;80^O5p0
z1yF2aVy-xP75~0m!|vQKkgI46s+}0;>~XuZXK<B7bEguS1s(quemK=sM@XS||GLFp
zA4g~=Km_}MB<p|5JmVy-o%|<tS+RVLuuh#XVDItqw&`Z+*~Gc_9hrF#GQ;$o8F4r5
z{aF9?DgU)D@C=p>0`Ty<y|&bU*>JC_RZXPQiwHZ}oVs+Z#+sfpjQc}ciY|leXd9^=
zdW%WHgsc_DHoaZk0v;^GEYXVw^=~bwUk+i}hCF^ixjK$a_O4^ZJd2}oK{nqSYM&jt
zvi$brY18w_^6EYPYjb~b+OsN565lm$n!5T7HpI8aCZn)^w80O%@1>(6o7bz(TgK(d
z)R7)@+*p@8&Uoah(%P4}O++$fr{q^W)=7|J^Cp)L6e;gy0&?KxOy(%7O(pHw-&#FQ
zTa~88f42XF&<tCxcuZ7ntv=9#F*Tb5^z!hdn2kLZ`}4c7OGN-tHfO3~mUqX9C=V}D
zkc0jM@MOP)ulj$X2#7nxW1)sS->wLcL1DiV5n+ube8A<4yT*t>wU;bKPiOV!qxLwj
zH{ook0Iacse-(5Ir%Hf3QPE$o?1b-nn7C>3nUHY}Pn7*eVF5@bG5>%T5GR2>S^*V@
zG#8p642whGCryzfpBaUmm57bjZ+}?R<LCOv<MDcoO*A-LqL5XwBn>>|s1?}eN+a8<
zIAA6K$3YTz^hHX)Js}^239)mZ?DLUwCw3-5C;E{;ODm?B6rgY&6Bg7W#vu=G%}N{}
zgDvf=C#k5&m_g7=c5wU$Y^CKoOj9R@>H37q%^*pUQt?Z~wdcKJ%9)JfA}=J6dk^2i
z&x!U@YF(x3jFUO8)XbLzEwS&hNBx<@z{p?Jlg(I<iZO2G89N=$?x{vBd~v2l;Cj?)
zBS95HqDpWBT<bI)$i7zw<MX!7);8#f&%Fg065ql~VZpjX?^mk^og+A?LzsA2i2^7?
zxbp>DIAg6S9}_!v*N6zHC9enl%e_F_^UqHpJhw2s)K=Mg-fT0;>GSWO<j{3k32@SN
z{t>*{m{b>87wXkRZ+cu!UeL{kW6~&St7bT1AM0^4pZ&g1+w8S><Dbrfw8iiFMcMV-
z|23A}^<3V4FW;iMg;l@D`_KKW%WO<LxV@lDb$YpHVz@qY6c}d=ffhEZLbY9-;*G%>
z%mc|jo_7`Li!>QG5H*D6v!UwRGqO6kyZ<g@l+J*okw_kMYM*t~4h1F3t|kfVLT06+
zSbF`d{{kR;sNRE9PxtY#^`d*@{n42{F~45j8Omku3R^$ShH&j9TC&fp3`@js;E-BC
zc_*q_HK!4gEk}XRF!b{y0@NAgsm4IZf3<nVR(M8Z*hoT5#uvaIeuh`#L^^Ka`IlY4
zLc6TakoULUfmJri|6`4qaqn|85}yd>ECN6B*qX)+wexF=O2-@+xV8}%+Duyk@4atc
zyqM$5wKS(jmFQmsZW%iyHc^t?ia+XORReMlYQMY(9-wVO^5U0H-sB1R-5#m#17#{&
z+s$bG!1#G#OWiNzE4E0|o`j0nK;XlS6@Vh;$MGW>SG1qG;a5JZZJs+Wf=lV3+%`nR
z9_|o4b$XR$PA3WqwBfwX7o3vw1jvQvX?9#Vm^6|)5#k56x<0kG#wJ3H{sHU<%SZzO
zc?_dSAA_9*+;IpEt2SwFt>}BR5{0e>Vhqy#<<$i4YZ*Ej*-2t^Y`^%Vp^i6{doI<^
zAPsobW}UzUH^C-?I&Yh-wYFh=^lrH$5zz2saz;Wx#fAFWAn$v!<I~a&0RNVI!37`x
zvW#+R#f(AMv>5epv-xEpwqun5aQtkfG|V5t)I@gU70z27(OH|fRa%P7DMEZxR9J)-
zV$vFPsxuv8lR=>S8^cnt@$5ncOGJv48VJbWu_&2R(z?iGLBc@DX0UkfLx%#Enas4P
zaIY_i;WnPYqeV$^G3I};AM-vo#ntq_?zrZD_B)B#ub!`84@XCCn*E0PgO^%p(hJ%O
zR@K1&wJGoQl`QadQp25&v3odaxvD--_?CO+{Q>;SPH)top5FZEFOH8PGIrrt6%Sq>
zIZqp#?*I^GUh}gENerRpEYq>i+)qU39tVO+BpaSrLiWKQcj#0r5mRWob?Lbn<7W_S
z#qOQWpWNHodbhC}OXBQ)NRVSs5LTh;R;M(|&dY}5X>42AZ!VJS#4|0TX7&7V(^D_T
zG#!RoHt=V8hMcGr>6M4?z*@0yY=T}j$Kd#JX^03@yx4ezSB|K=4pI);VUvIXdziaT
zJuy6yrgo;#Tx3BXc6m3!`lH6&@PD1A9BXGTM`byb(a2RKG(ktiIYz*1&F6CR=W8XI
z-)GtRQ<`G|!nAxGElCDJ?u6`rB<|-OG;)Ot*h|PD)w?yA|DaqOiJKFq`b$=(V13(o
zA+we$#Q(uN-RKy&)^jLA-BUs!BV5|^M1&L2mE6$}`B6e!0k>h<rx(tqxaiF)nl<0)
z948`3h;TLtnM1-1Y+@E|xW}GcTukCK?*`|bOPHz4PjB`p%LnlY?mndaeUKm%@P9K@
zp=zKrgd;&j#$MgGIL?bnGUl38mxWm3raa(oc;!iv#*|eMG;gqUa;~f!xi14GMiNG3
zA|CHX{}zaqdjD%p3fyGKKGC4nM>~qtY=E2Vn-yX0&K1`@ThhEgv47sA>g`S0Xi-G3
z<wF|+wS$t7C2xZ!4=5%9Q2|%bF|aL^Q}NBiafFTqee%OTY_rlSFDL|DD#rHD_DUeb
z`iwGPK_ZQZbngI*#v!zjYEdTW7Ge$F84+`Eu9-EHqKEg$Boh*rG^?0uWTZkf`o(uw
z+Bail!%mSGM06uKVS5pECp>rD=N~}|d>-hV$lke5&jpxX<^1&Y(bKhp9b0_y-$txa
z+=BTFd;_GrsdY%PS1u2Br^V#u-xI}lYEpmWYEBhKqiwKJ40vd~V?$X;)bbRNwrOQ`
z*js-Ucik6qR9#fc6JA9vQeOV6v3^_czOi)I`C90HEgZ~$nkLwEmw(w)w*f|o-Nm0U
z$RMQ}IP1ullGH^vBi%29Z^JD!HIMAkh08!5=()D>toxU0RxUFkTu&qy{K_hF4O%wO
zGOb@_sDS`-pff3&7&$r-$Bd~LQ!){50q-vR#gSZNPnw+C@<DSv>Rc|?_MW!*d3d&3
z6+tPX+~}qlw=Y3$TbhL%b^DG+Bl0=ulXlJZg+eMvBKq;8@7RHXY@n+Y9<t(Gcva!w
z3yPEu?SLrw#3KFyDv+NB3xCz`?ds3_2;!S|_C8FYIGkrY;@7D9#qwDVAKiaH^;YH1
zlWoi%&-*z)zc_P@TCNGGpdLxbKK@z<wBRCOlsBjsEDaR?5XFhLXN7x>Z+DKXY<Nd=
zG%tmdJ*1C=K6>y(5Tr`<&u*<MJ0y268sR4NZ?a)k55fE%Jiv7?Eyw~GgNhW>C@GU*
zqu+o*Cisk;@=pLJ0Awv>C4WBRT!A0)I5t{oPvgi5Y8_(|lCMt}1tl)hD}^oW3jZ8l
zZG%khRtPtdI4ZEn=5nKbS?vchRuD8QKLI}+bCUuMY^!;6_j8VS$TzSNnT`v+$S8Mj
zp4rem9tF9hSS-(&`9(VRIBSh(j1C00BeH`LF`VYl*kx=}13hY~7>1CN!lM9TsWXZ5
zMIdw}sd;}o)f1X+Kqkg6JHMdqLQqqH5JX%cauhS=P=ID8ZU%&b=gG}c?U9wgJ~VWk
zo9HphN(E&S@j@XD&gcJBnr>A3t|DEvkbNH?v8&37K2CoXK0yw`Vnq3bO-Z!y_d#y(
z$bnYO#Onc~Gtpa~^JfW$MRQ=qnI{38M?#W4a^Gc!ppbBqk|4E%!XLcMJAXg&ZDmE{
zfu;%#m!8!Rgs=~ab3$))%t8Vt$=Vr$K+zgbh2K~IC`>s%&90U4wIKV9#h-_K9+YCc
z&FP^TBQ_J+t+4jP6)kU$2fSn6dm8eOJqAbHG=EHd>?eEO4|iQT6lg&zALQ?b3%qv<
zI9v@!o5ss~?Otx+E@yQ)Tpw>PgZO1<PiiVEXcnv{6f67kOVM8&qq>)ZiRq65n_R))
z!GRp?!y@GP!^T9a5fmKXneYrT?mZ@@{S<bI#`PZ`H;!pVnu-z7>Vnd~C%qz($@LPx
zj#@nW-5=MR+5cP*p2r0~NimJ#+Lh?lc_gP$V<U%H7y;h-9rTLrZ|&u6kW-i7j9Bqj
zk#ykIY;)pywZMi%rJI$!e6^s^)?a|GWEh_>)mHYk2HDEUUanGf*oEzf1ecob$|mQt
zq&xh`h<M#!tQ|k%Q_13Nkp2f^cfquou{(?09VL9L$_2eP5P}Z=Qlf^3$sFYFfSCDi
zG>xbs4f9h>>)mdL+^EY8q;!rW$5vkv3I5G~oQOqw2%%NhqJRz&RMey!M`51SC%k9|
zx8>U%`KNb#^i*dVCBacUV)55D1}3<V3a3wdz#&UIMm+EM1UjHw`j67mhDYOJE#B5?
z4orH4*h`4^d{Q`<MenR6+JP`tvT@5`h((Q??4t=!`}~c{L3~~a@z2Iuc7upQ?Mj*}
zHg#BnXX|x9ny)D`s9Y{5PQQ^n14Kg~#3PoDREj>Read$DAIdf?F-GxM-lgz?b0QTQ
z_|RsQoxunu7MigBkN(ciPPS>T@eH!3>`I2u>&%zIx?FQ^{PHpr`tvF_yNtGaj-rzz
z@9oD%%jND@sN2<kQ&0!v#NE+?k)c-j-UMrH4(0{8X4v@b7-dP#q>I0eLqB1C_|Xj>
zsS>G~c)_4MEM!`>)DwP&JF+E?LUUpbkNn<pH0jI$Yc~)<+fsmQ$y)ucE>#Q}G?ZYr
zXyKf`^WaV0Zi5m7yy^W>jTpKfE3zc@?k%In(|wjAAsN8ZA?EmP+OWLLD=@_8I4J6$
z<D1N>69w(50@_LveA{^)?)6^P)N4t=#Ss3{D?Ho>7|v#7({Wz)+AGYJ-5N7U<U)T4
zZf<$6DK~zL-0xOb7_8s|O{S@}E;*g{cvb#-#pD-|UfI3J!_V??d0Kk-y08Akv)j(3
zb85?!F@0a;pxHR?!IS?j#hJwEC)b3B*lfrD7lS~VglbGjBb%dV<`*hYwS6zBav_9_
zZmNm+@G|z&!)RMYW+Ttrn~R?J$Lqy<i7^xzJvzn74mYkEyi&uUREA6zFYwmI`zG7#
z1}^(Ot67gPZ6Za+FO<I`2!JLxG@rS_2Qr^p)89{8b^BuRlX1DK^!HSMCbWCc&gbBt
z3>*73X7pO~ql#H2>J(-ABHd@Lv&FW63$byAQIwlv*SKOq!}7LDlvPrW&F>jdQs5|R
za|pJIaq%Ax-*wi%37o&w$)CO)hT=C7$o*jd=a2~610}yCw+>x`WipP0;MFy(b2AO-
zl2jwhp9LQT!!ioBuoCHStw?J-YtvIgF|4Ru0u(TNL1z_LS_)T8bB9kKeZFD2i|{t#
zDZy@$w5VmBM`)DQ*|P^-m^;BS^>X$M&?0s8H0Z*u@LKx%P~lX-EIs@@Ez!8H6-Kd#
zG+D$NS6x}(@O*fj^pm!IAAAXHCV+u-&W$7TNdvqO+RTdev+96J$OcTPfadfL26}`!
z3;MJf1Bo4vX|4@BpCJn6bPUlc9$o5W`E3{UND~hDW`r30|B@AP3UG3^xPA;d@}lU#
z#G+9zvH$a~qoSRZBp|z{s;yV%%#}vtzL*!;XzTKROFZk+rCLu5vqQ2ag(VX78zfk=
zDMS<e8R5nmzvgN_gWXYfZfK6P2V+WoGA9NHPgF!PGq>Wp!BBByUKNG{Au=RFfhtzW
zOi&YPzBJLqWAu3X@bPi-?6Hxxgn;KF2YKZ5%vn`1h8p^pU`t!4j}9wx*k{AKLc+yq
zolP*uF)de*>K;)lpo^?9m+=dG6ZyxSRz6F`a?8M+Czi##FXSz=$kT^S?Ft8~KT(J`
zSN^!Z>Q)C^J3}$@ix0*TgmzBJ%gsKye@<>=x|LrNjCnc^@Vj{Kgz;OEQs2t?qyhzE
z_s>llNet~`?QbI>ZJbZG4u-bK#~A_Bm+~640}sB4E9O`gd+|HJY$LDTGhz4sWAZ}^
z?9mK)YNz>BtDl#@!`UA?gZwT$+_33xZR7jo6c=UgP2(eG>1_f&XJT>1LQjo5J*0Pk
zKy}|;DqE@#{am)$NS#vh-BHS0TvOy<6~Mc=P+d!OO8>LxnaWZMOnZI#%U<s_RUrNi
z&38mCgFWK+Ooka?;nv8cB=ykWIL}r1UN-Zy@8ox@Bt=r1C-rYO>OyhQWVlx%CRz7>
zxD41g2OIofRluISYl~&I^Gnv;Re5ZmTTN{h+%YGDh8qitq*7(MMQu@ue=P%`;wM&O
zzXIJAlQfJqxs0WDZY?Hz7(<7{F+_b*W^J3LwALd50X`U=rYm3z07|lXlpAJ-7%NC;
zlpo96-%tWQrD*0;ZIyO;e{Sen>thT0yJoZBIVti`$q)iF{{T&SdKsK{IP7uG^Bh;u
z-rrO>3&|qV$U}8LBRgBW!Q)7F-Ynl86OGQ6wSsw^%~;5>#m?vN4w+<lo<vK}0Z@=X
z;zlFJ)L-zRPNmI!O*CIxr(Z%fZ;p-x9R4kAR&VwU4~1Z<)SU-qn@ChILX31`CnJI~
zAI1&_=AS<qJ)GElEAfw>Sh+ilk|<eIV8uh*0k5{IO>5nq=-u<l%lg%(t(u(#no-8K
zP{BapLz#Uz%TLdTB{1(>GIn&WNVyywMErO^9BfA>3Kq;up%M=>UvJfNyIvo(h;aKZ
zZ{EyvKn>Vq1E`mA8qcz==LuYPI{GT%`>6ZX^i_Kf)K8ZR957d~^RAR>-+EcGJ>E$b
z8Zfngp65|w{~#GPs+I$k$rDZnpW7UU0yeKb!S0|&M-^O(I_aPaRo3q3?pm0347Wyx
z>kPj@+lE_x`A?G{e+qA^5H2;AE+OG$*lN^t>#XG9y5ukoEbu3vxDy5u1di8zsKTQB
zWc}CktNM)aeRJCDCO&)Pz;NRy+fLdbq)%O?TH?V^24`%Q5{MSEIFiXY37gm<BYlX|
zv6_~R<`HEpXK^nQqhZ%ADP&j7uz4Laz%{5f{XY)6-2B;dcYeNyl?l1}Q6Srfs`>Bh
zKW^ItHBQ$sLLqe1JHSj{&&N0KYbOZSdTWAA-o$+KBtipH?nG5>?6JqHEeVSG;^Moz
z11ZUqn6mQBOg>@G!*b@pKj540ip>XWJ&k~hHgo*7M$i*vv)KNa5~BWO!3z7(r~xm#
zmi?VI+q1GN+72_ot~R4a7sS)nXvx337p&y>@6d_=9(;Qw$M%WSht2D!dbs0$N=~oi
zY$yuTcH2^)k|`AqR@};Gus%F_SPa=(e{Ux?#O}Cpr&c3MJkeB$lsh<X34acq^X}g<
z(U73KiMtY*>rO`gLjS8Lfb2{ze)27hg>TLC5guRmw@YTqS6xI_z{1ANsu@AogO0W5
zO15S;gn&OvGRp0~D=_AF&W{7Odm-?JMPAqY=lh#{9`R)xeV(Y*mbKsdnIiTc3oj#V
zzE3?AfZ)J>ky74qa&=EFGuxlX<ZC`U^p%Jk{Wr?_U_7*9gHuycAv%EEX^P3@$1qDj
zLZ8NdWM^lS<!XHa&J}qGE3uv_5sER4$X`6t<w-6<!A;|SNjmQNd^2SRiBxh^?}VNg
z=c}4e+T9<IgkA@H>k?DpRs9lrdGIKacXSI>lvpx<s8ET*H3;Ppo)m?QQW0m5A)lx@
zeK^euVW3c;qnYF8&qQz5b}lzJe<R?2EHEVbYP)+dx!yIV*OO>7V4kca(a-XR0PcRz
z2h`AvGgK|~;1)^t1z3!=+2mK{S~m1cdCxD9skzz5g6v?JU?F_Q_%jSY1wG-4NE^oZ
zU2)$NbX#F<80ZTHZI=ls$9zrV-7`Xn`lDG9-Uo)+PB5?hkq?aAJPreX3R`45GOe$+
z(DM~T+=L^gJFj1Rux8OZ?3#l1%~{7gy!6|8K5~wl&-cOG`x)-r8P^j%)*0F)JGC+-
z<4+7*aU0>S|5XS!!YgKqw)@1%hA&d(ZGz<ysK^sp*E~m!Qg`d70I}mPx@94<XBsS9
zDhlmzb`(q~i$p9rL-~lqpO~on&YG4{VIheA6Q>agsbKVLh)2^`254$)n{+@5xC}Rj
zfHHKkT?TI|OJCyjpgj~#GyEED1Et|(5W~47T64%X&ucldv!|yKOlz^B2%sA>YT*Jb
zSNrHm@p2&=WwzdQT{Z~5DMfh_tZ}6PC6W&?{&`dGapoGb_AWL>bpNM9FJ?{q&<-Gf
z*rUvnB-BPtFKX4Oq&t<G;WSJrQ5l1V;iX_&^|^H;F+@hdTmgi|CM#Obc=y6OH53@s
z;$ReB#fpm{Wo#Q_{&7U?6%q*bI-#05AW0j6_bgj^6f;LJPzIs$DQk&|s`LF$K23+*
z6elM$+e(Di;S7gG_9x&1`SRO3EpK0$HHC%)NIA}@7`%V}3gOwV5O<fSTQ`cfBMAVt
zoBqx5^V=~}h3Z>}M_ubbYg2>vs~lHAMLGM39%1*2Nn<(uIPa=5d^Z7$P}DH7mC?dY
z=MAa{%vNtX(dI9FbF-pG|4W?}hU)x{hyvHBOY7L2!r9=<$xDY7oo{5`nB#tL|HJ6X
zYv&W@9qOY7M6z3&87OptaJ<`?Z!$F9jDus2`23~WjDIDHWI`{Kite8Z3AFvcPQsa)
z1*j>bEmVNYBboF4d=k|r;eUVD(?DPCnLDIn95agcgd}vRb3tBk2_&Pg(UR>eF6<eP
z@SMxooI7dM&*rdXXFC$utmhr+2}F+GFk}+U_Edf;aqMI7&BFRyBc8ncIH99}8^oi`
zaBP7Th5F#aFB>AHu0L&uWY9A}^9PtJ+g?@ba3tmSXTKJySC|-u3>+qU0gGvg>(fz-
zz3uBc6gscSLkHc(IA%v@mDxRfymW#LbFGn_$t>fGPZ~!x-1H539gL|LMW}|9dX<E3
zduZ~{7C}q+<?F%ap~Ou<iITNi$N@}C7*#B2_3%`&xDFKr<KmKP_tJx$hF2b%NrJm^
z1sV)ToZeX9@QhAqr@t^~BonPce}W8dzHbND857(Z?lY%o2RgB+EyaWZR<uiWR5c;N
zIoP_-%L2Po?C(E=ZFIkz<9Nl(zgs1K4OTtpRQ7l0S0@bbuZ~2`u`z;{rkP=%MGBHK
z%r|_im~=yeWHByDd1GldQR^zyVMQhLgqkO<;4Zs6?Rg3X+%rE8go{=ja=th=x4-6%
zzTl?cAD{n6y^9&#^#F+*J?bw&^1O|4%?XE2WYQ2V-Z5cMpGkH+2{P?<RtT{TfBdg+
z9yKc&{6kj(l^Hk+h9^#lj3MF&fI_1Inay99t8mRX8MOC#jvLe>0F`Sv-H|K<OfJiU
zRZHFakpP2S8esY{d-i@Xk@5zDD1Zj2V0-v>bF+DqDHA>d+TFELs*R7W&+P}3-DqcV
zp%iFuGKzF$M5O`;40+`*1-u@uYH95G1nbn|GOEp34t*5Ss9PL-VtB~?)UV;LJuqh>
z+WU=R=p?w$@w-5~*tuab&PH{3kaGGN52-|JRvw#YgLvFlp-yJVA-9J;ym|rk8uRTN
z#ZrHh*cj}IlYQlXEH~BuYKf{&fA~A9g+DiNq=Y|(_$a>2Q$2q#VVnyRL=GDp;Ts1Y
zq}k{PexOaR!jIi+US@Gl)?<`;Xm<+mvb-3g-pZCm{MHn`zwf4&G8VZydjNq<>!X}?
z8C55T<>B$+^Yirwu-BTJ{r3E{<MGZ2N2ZcK1d0dXx18*bu8$IY<MnwX@noT;C7pNq
z(cywCDq)Y(6wVSgEd{=g65IEJK_>a>$XZ@vu5HD9xIHfR$I1lKCF}$2e-iXXea78t
zVZ(=*31R-#Be5>tpcKv{s6SK84op175PV&&Ue6JK`HE7k8zq0H;HGFnD}%_kVLiaN
zZ@<QHOdD=%b$`}q_FTs@=YpVgDch2-2NUH-jERq{TTv6^t&(W<8Kk<Vr1Rg~+DY>G
zWGOS2$fN14*nIAv@RT2_F<lIvq|ydr9VivS80aGsa_GkV7#yr@(qsr5m5Fdx5cXFO
z<}fn}AI3@Xw7o&YI$Rd@g79ug0f8tMWfBGxJg%xp|BKL_RQ$pzn}(&Tz}}cXuLo47
zUxrCuofJaO!Tp6Cg(+0y!Iz!Q|2lT{ad+qB`nI(1e%W>NdePpDWHS|)SNeSfz~Bkq
zHfV8-KS1Dhv#I0!;FE)1z^*#OsR9evRAn-SZ(3NJ!N#@27b@)Oj0`eb;WWfi!BL7u
zYpKuij1NwwFz#w^&n_@mPBad;(d8Xy0da6!S9pts(rE{reXYrUhQ33<feOCpr`1kJ
zu68>ee;x8Y1s|y8*Z(&)ba7Z}moG=Ezc9EvO9!56D|K?v3V&UIN7q*Cj6y0DG*T0T
z#<rbpG*|xeey4IFNctijaH(yIRCQzUi$S+$V_w9_db>6>S3r*dxo*=o&G+zbg45^m
zuPqC?Q?jV-I9ATBNkY;PiO47pa`eGMC1@GJOEPP8vd}p<9*ino|NBy4egr=X_%6l7
zObNlkM3w-{AyteY1$wt7+j$r!4+wAxc*9qZ)F)tu!Lk8OS7O55k<4<;Gi^Ys4JqWZ
zC^Y5le&=4Hi3I+NA;`TN8oy@o$B=%A-BEG!f8pR4Sw$kK(%^g$zG36PHLPX<CEG|X
zD~neFEf%uohRe+Hl_o!SQ|x*>-YBa8+^R3SA=rucR2!Z#;Uxb-yKJLNhi(m+RCLXf
zH_@yW2UhvRmqd310y^F8z$1>%t>nhIN5edL8*8mj#we7n*w;3)rvOZ6MWv3kzLO$b
ze^*8}MN~k<IMBMxbb_Ucdi1g~7`xoAcFeT}INJfciUnv95U@=yaFG(3_M9_Py^4JV
zFc;kA`5UhH3m`0esl#hj6a=lmPiKzHLa*3D#w8hbbCb!BLt=g(Vxi&k8qy>aYFThF
z#3<s5auD2Z)op*~I^#PUX$!xZ?TwSwVd{$*(LTpWHU7q4nV)o1<jYXD^faX};?FM{
z$*J#*uICIQk57R=+O4+jVCFDMA=U}yj7np#lawNGvkPX|;(eSAqke64W3dwc8u#bw
z@~6ey7EmX-F?M>T{W@Q^!F-3(?^OQjX5WR3olfQ|YaA7n3jUzHnVrSkrcqfG%mG-M
z8V@qUqCZ!Yt-M)Tx3TB%3uR4r_Ypo&*D21QEgEv9*MUvptxTVC=ALHdEHzeTShnP(
z$fsMyj;>rftD7iuqKl_&)9XJUPvG@_-zNO{@V@r`-0F7wNX*avXwCi{$W#YW#iXg%
zZEoWXeA-ywfMRjr7bq`NMXs5yvTj4<FJ5%A1RR5n25gkHv)dJ@AT||SMnEutlKsnl
z;xop#qSAutIVdL^(%O^yT^7eXz74BUxomgP`&(60D!8%D2JTW|Zf@ns<=FcZ_Nxz3
zx(nuK7VK>@;tG=N$+W<&z}F1@`D2asf2I-+SlViDwXQeq)GC#<1*hOJ4Q{Fc;eqOF
zpW>AqDR2|TTz}UU$Mf8#0q!~VS}=?=H@m(N6O90HK=i6oL=I74&aEEu8ckxKv;&};
z=Z#uwtzHNH<(>#Hpsos#X7I^dm_J)UcQH7|l&H)=)8?!jUu;f-YO1rh1|U2ajawqI
zZX0WA5FY#Gim4&41h%4M+#}0&#{%ZqwtR7}40M*>WU{SGm{<c~iAUkb_NC@=H@eXS
z-r@9k0Jv#6fk84g3z?uqeSUv|mt0XaIY-hMU}O27!@k2K6uc_LOUc1Xe~;ba6#TAW
z1h;O09rg9B>9X}?qS#1f^JptRQ9xX&Bi#8mQ&V~Mhx!9I^EJq44AT@Oa3)cA7JYqQ
zuh$jDZU%Kg1{vf<j7*%)4jk1s&YHrOA+Aw-zy;C<$%3V&B^u5^tgQH06Y*zXVu3E_
zGQ*U7yTxpk`A_fH=U<@v@Kb%4j_j-J8yoAUdXh;$Rts#V)y6MfystJg-=<Gt`3bjE
z7VPq7Z_GxnNn#tY{4?9tz~b_7-nc-W;lfMi#4Zv+*&sxyn}+k)#);|s9<qALSS(c8
z3F3rPGje2UvNDegw!n7mLI?8s_}9UEyhfl2tHxiTZ9MN=a}Ha(JGKTS0#jPx7APPq
z7%;;RJV2lY?qw-HB97gKc!`BIer#NaCcBVWNVyHa?<CvvRp=jv+}8b$4EUC}gjAn%
zP<`SU+tX9e(0L#2pL@Rrf9+o^UrsqYC&{k1UM_uZMtZn;CfM6fP0JDRdD+=JJHItb
zGLOkvc}%tVI2@NWq<BO~xqT<RlCa@S*2O&JGe-qeE8<>orY-f8M~<;$ZbO^-zl-7O
zOqHG8j-v4n4o<N#!hSC{$3}1ha-2#D)gA}5-cOjH{PfPBYx-a1`k%9mJyTh{t~yJN
zHZc@G_7s)K5Uv;6PGu~)6P|fQPP-gs*HdRpp#6RhRgO6=_n2W132^qDiAYM%jyH;;
z>4oLGVf+kgNh%=|UG3CP{!xDRNybXVoH7H@@4Q_5?zxMx_&CG<pcOwC=ooeQ+^H5&
zx$kc2|B3{A)ZcXI_5h)@b%*{Ba{UxQaQI-zK2H~)=H*ucfrTCVW7P&0^8?^y-(Y#~
znHpm=5&A~{OjZB5QV?og4v%|bXiHsNqLY|GjEbowvKXd9GYSiLys0Jje6f)~?QyG2
z6Hi$zAF;R`9W5I7&-)qBGXvzd9v@O#jYagW^@XChr=N{1|4mvxg}nuWdNZ+fMpG&}
z({$%&78VYRu_7p1nC$8W>~H|mGtLR!XlBWZ2cojr<^C~S6H89?ML2|jlVN`tNVe3L
z^u2WV%%CX?OcV*V){{uonl$33YrkiG$;lrr97#ibb?4^Hn;AD`9P{Q&LdHJYo84dQ
zZOmMiL(<^N!!D|<?+sh=HjCVl9K4wJv}n}&7$x+6IN1xnj$@NIl26lFDu;?D0K`)*
zTdI_^R_~Z0=Q&wsnjvIC*r@%0IlH4wuwO9-h{TPX5X52wsP6?~-H4}s@4)@(gS(6d
z`0mt1!azCS*LHSdFNSIo>o+=2m~$FUO`oP2Hob4nyquSc{_g7rNn|-57odk<)cPiy
z?IqDBXktpnQkKS8uo2i#<UcSEhq6|I?#M1D8duh$Mr+G4xiv>WyJZcDyoGV4QT2Aq
ziQ64_5c2MDfXFLucJ;mz{!;kz)muq+fZL@+LQUa+PxRX3=qkWWo+r{HU>++!)7tpi
zG#`$t978DJ*1)iQgDIl&DiZFMaCeUnw$%aMW=>ty8L=fAt8|PO^2STI9DMic#YJsJ
z@keK+XRv{P40e#4poj0;u>4lQtBtesn=7PRPSO5-ML^&ETq=J--riA9kNQ;Oz4x5h
z?t+>#T;!h*qW^}0c;0@v0_88wZvTk*fi(M$F1;VSG-Gy$lK^^-RFY*^r$eV*xkyC|
zbaS@X>vac>jrz+SRlIBtXWDWg1z?t#d!NttJaZ6uXZ%{xe}>DLeefu)tj?zr!0n}q
z0I6!Y+<qOF(^-DHAL0im0Ur)0dK}ANmQ`*~X$rP9Udutuh5<aPZWuJ+zGIU+9v_bG
zXbfIo03~m`YQY{MY#>`u7cIKKF)Twos@MAAbAgsoME&#Bz<B$r{w^Fhi$=;!%DqY7
zfb_#+@q6$0hUY}MFa52j?yh?`+QF@;i<PL0XSra)ixtc2;P7HLMb|JXyi|#Dr&b+O
z#Jy+7eQ4#3NPUpF+@`(<GqSZy(aZ~glPi+DeJ8<Z9cw1R#q?YX3YZyyU~#C`wAl0*
zJ)Szrlnv#2yL#<(XBCF1xwv>5P)@(*+^VAzsp(QQ5E)Yg<3nRsBU_41ga(Vul!Qdj
zYk@0S0pC*P^MezP&Ch5cR$+Cs@yxcv$*6e+igQ65Dvt!*K!gf!T%i!2D6N<BSdIsc
zyfvdZ6qFO7fCcbFhHY}?O(k<}D94sr*R<V6Wk@&61{=r?!ZQbq)p)8HZ)fLQP6FNv
z>BQnUJ~~gVC?#1EE_<LHfXB=}>m)T96l-yHjpA?1{BNz(Q<#_+qwl+&;(*@Yq&`0(
z=!k-x!h=`|&T5v@M<5-=lca+mbSjwts`sTQkN-jhTR+;KX$*lfS|_e@)R>e(2>AyF
z?9(CPL<Tk?f17`~xCC^69$2|Nu3dbSz>CXF_39ubwq^5><r#snQDFaqC~Koj2RqkI
zD{xtf6zp0OB?_fx#D^6VsmRa~@dE;6@_hpOZ5=Scen6M&p5)_GP~v8)BUM0gMGQ|#
zSUNe5pD2D9d%m&sCVC}r{AJf|+d^Iy7j?f1-g9psd*+BHcSpk2;&5uzqC2{SqBPZa
zzhaIkvT>UW&fs(_drac+p9p$8B76fmT_Fqs#`KHfV~XlCza+!|i4)QN7vvZq8|keP
z+B1b|TQh=)n-(QABFE#>G{fNQZ}T#E+UR6l?(W_PU=?Wdv~*!#Z+DjEkq(Go2|~@J
zr%y}j%Lt_Jg@eL8xqh4x_8`QM+)nfRkmh_3t3GvVr2)}%vA(FC2UPK}m7#K8#G>`t
zy0ppaip|PFc{j7@vW#uME|^wrb=U*XqKYcYn6wcOfA&1ej7i3VIx;TzAgE_nF*~Z|
zfmI84>w?m4u)p5#c8E4b)H>n;d3K6s?WpG1V3h8;MnF+`o8J4n00U1q3@CTyA}Xgj
zD9Cck5rk;g%c^IpsQ<p9F@Ht7+d=HNX}ui*rkCx++Y&hMx7hCGfUi^8S+G}k>t|bn
z7Q!v#uQmR59M!i2T}a#8Ej~x@qgwCcP1u|N;s5G?UEJt8e94C_VI_t&DmUatH!4@m
z@Z6(5nK44utYQDKLRWf%klK2Cg(v{gXp8>)ibV$totAT)w|GrA3}L%*sv7zlV9~hb
zTlp>jT7>nH#YKw*7>GYvNv8xrRk7pe$fzLO9f}5R#uH22|6>*8*fyuFZC^qugdYWw
zG62gER_O;yY(MGx6!VVh0}>YKBP+`l74{>C>&SJNciwfDhwk9n-4+>CIgS>3#S1k3
z_?!`5>1iSsChlgjn7TmFw^s~+p)gYZ)<CQX`H`VPaLg;lctI$ckc*rYGz{WYVRL_(
zIuCFO>;u}&U)hR172g_TA4Om+dltRc2K}0UxO45?T@(jfFkhK)SxQfks9;-4;$TS;
z^Wl<V6!Oq>6Y~~KuG>BJDLz^)QPfKYRV*w?+8jKtoaR+BK`u@|D*`25(QzM#)_l@Y
zd6AwmOLo*#iv(u5>PC-ZLISMRk8{czXdj`le(c}&^?AnxCGbKzP@L5^+CKIO8S^={
zJQzEu(Fg+(;y;zD(Tk4*O1SZ5Rf9o)<`NRgui*KBq7XviqShRTE4=drTr;w6Mc+Gj
zhQo%^@7=)qeXvUi+VPzI_4IPP-Jk7$BKTf$+!WP+!~obUE(6B*4GAA^2orWY5)zl*
zcJ5`ki^?A8*Dk{lN;=`e^7rQiyftQW2#P80a6S#ei#Y8Qd#MHeh(Si#gYM$P7yE~i
z9+kiNT=ZQZ4kI`GKgd+EXvBGv&}Y*r?_V2QP_k?w*M|EV02&eV@EmaUkxp<%jaiJC
zv@PFsh#gSCsY{2Axs-ccDW}j$w^%gl%qD5b7#l2^MaL(8^v~0_AS<)}ax1zJ1zx)U
z95{mtQL1Wv5JzPa)7y?;*rUvB`dCnv<##mU-CeyC7zYsvs$=i2?^C(ybuJT1Bs(nh
z&*^Qj*oQuFv3vlpq0jj&0*29#83d}pHv}Wyc{(317uhtMN+x}r?5$h@hl#HZ(nsHM
zW1Ep`hIj9`@5Xv#pJkno8v#zZuW__D!i{|a&jEf`w@)y+QT^^gZ^P)1C!`I=%wVVs
zjNSjl+8%E;htI0nQLYaIiYA88s&u=srtLjCBAhLd(Oy^#44<ssiUbCrmRo=pMc6%m
zLT&ll*2IZ%6V0YsZZLeLe7@H31mDvl&)fY0cmJSRr2%#w!e4|WE#P}ecpxn)(!+&O
zN{FH(RE(TU)U&oY{Nx3#NHotFs-NIQUA~iOn}vXuwmKe99n4Xd=@N75i*>q>nNTkM
zm*L_j8$Y^j$<5X#nR{q$E!Vh$Yw$2#ADqhj#E~$aA{rab>;b7f9_bLtmgLi@UIktX
z%@+-Qa<kUR%N$;}vsA3q@P{>@P46O_vrVxPM_o2rR1G?)1o{2eWlPz$p$60GuC7;n
z;LZG6yZ^e~{t|pTVanxS{UX3T#0(w={emJAp1e<V2&Os`pr#%=HvdKuJnMKN`jXWX
z$QW%C=7}zt;31yuMK>DPTa%F+89BSyFaA{4Mk><OSh^0If|X1chnE&L6Rp!ry(e>4
z^($%#DuTF=c3i0$pDA#PoymRsI!a8GBHqk3wCi(E5oFo{uA`_w2x<um{)wQ>zk_V4
zB9`E{HE!WnW|QX)r&5SU>}Jk&Z{1N~!+J6~$3FSw$9U8OZtBFr7{ImFYb)P+E8FFd
zT5b7CE5;l5S(`P+-OI_ze0cbLljf|!@1RlS3dCd>m0G+jD6YxtT7IFKV^H*<q!sC0
zgwWy&O2{sGVUrKd{n<102QFNT8p*;yu#Nr?s*l~{KG=zf{B!*32eJ^2VzGJL797;H
z19|z&Nt1kan=Ppw9qLuX0NvmhC`FatSUp1ys7(+<Yursdit9pc0V2DUSUWK4@kK+g
z*`L<(4+cp_)t&oG*z*gnkeF?KL(7Y|+sDXeL4lYjMf3PQUM*oXIUmG59ndUb9rUcb
zGGU-37&V05H05RNQ|S53R!#Hxvtrun{nn<PdTNdRnns~Ln>Of|0Pi4ke_y8#sMKpH
zz>S@rNLZCF;z$T9&}n!c?MEQcjjqlJ)94D`4%2buA3r<8aIqLw^%t$UhrHLdcsKCy
z>xl9*d5U=mekeqs8<`6hIKnFXxdaBq_~x>WUsbDKcZ9i2`S+D$3%R=%{(B(3xfgeB
zlsW$A)9<3U>vkDHvXN~YQ&Rhhz+0e9zE(CjJ7-f<AvR0x12XI0^hC{zGDk`hy(3G|
zpT^{yKuQx$U7uoprnoIT3#et}%-h7lr`blKFWo%>#!;HDVGGV5ua~I!#d!hc^T}K!
z)l`1<xkEel`aY@o#hWQa|GM2QmXe)^iPfENg|i*g7;d2Et!kIc=4}Yv7Z>MlfTjT0
zS`5s?Bz9Peb=~^(%2*n9mF9Y$W%mrY1F#_hVwnDxAeW{z^i=VF1BJfO)qO*?c(GV#
zA56h+o*`5!24ME*43Ge_RgFjpG`!?D@=%l}yXT}5RWr_`d|oJt6pGR~LsciFsb%S5
zG{o#=I{Bm}u2dP5d9Ve_@1g^C^<EXv$PRT2qTN$^6AjxjR!$<s$Dh#MSSP(?p_dG^
zyU_Lp4xLCc`Z1C4J_rizO;|a4Bdv8hRceL9HNIqr0JL1Q!|msAGR1tuxYAy&fu$eF
zqyQy*G$CA3A^VHI`_mjYS<)cUB#3H7c)r_ANbtgZ4-e=9Q6_nPpKVVe3_QOk%kN&l
zWGiSTVD7?4rXCdGYi2Txpp{zWs~cgUCDjm!g;9HvUghCY_{+;`{lhNXOchpXXg)o2
zWiu5c_9m~$oKs-fJyq7@<Qk#bIWTLZ9R*G_oS4Q?4&s%oci<@5b+i)*->Ck<Lkjy8
zYd<9YGfN8+UDlOm$FKk1)V6Nc(VN%J-D%BP@x+*oX6TQYzYi@mBVt13dRFTr7DrWR
zpk54`riPBn?+G_0u#v75Z5?p`a^67s!N=68o<D)9V8Qb}(`|BLdLfY&8)nMM#-K8P
zc>QGAm%zxcnR{_ALF`;vkkn1V3hZk&EXwEU)I<Az(vcc$CaTs4WdF=G9hsQV=!3vR
zD=Gv#wxQp+cOViMvyTO|Ad+EU(yisf*%DU!_z|bPBslkwpHV2n!oZu*fUQe5Z4-!3
zjZW(xeb1LoI)31RXQvqc)Yt0*{RNz*4xz^F>2N2-d*stU0q&=-8`;m~>Q05XulEG6
zD~<R4t}jA@R(*Xd>F59Sw}h?=YFB#RkK)~ER^>aIQ_#FeR>dgyLsOcY!iWpb+jSll
z=SHB$jJ+_O?UD(g!)6o&h786D62tdWbh`P99N|Rh+IH0Ds(_g+^uU$W5D{l5yU1cq
zNI@(g;*L71B38}!?(<Ib8Y@k=A5Fuo2Ohy3NIxIQ60yKh4gLg!L;736eF4B%R($(~
z0Vr7Oz87}D=c5`hXs>Jknn)C1<`rMCK2S6YD?vkKSm~1Vq=gOD#l@dpJ5gL&_VS-g
z{Haf!ZVzQpZR-sxt?g~6o$jpiS--P+Ej`^mEwRT>8Q`IWhg3DII1q3#09z87WoyWg
zn%uO<t=~ab2%R-^E85^YCKCZ})&v3+Bet5_O{(jvx}B*A!B0`Pdfn_<QFq_MiT?3%
zQE9>q&Sa<<s3g<@^*B43`6l4RyuZM7937=kKOc!YDc&7V;M3A6nV&lY%E~+?`fMzT
ziMj~o?I_Us=rXf^733E<sAvp`aCS_E+S%maR80RHphWe=9j{_vW)-FCnKn0jWn6<z
z+0u&2yd-GZNrhQtO~=6Mp{H#6brMVGxtsPOqV_xngMg1RX~BtqpR->~`KGTK>a@tS
z!Len+sXI#JFi7Lt@zpNKc!sJYQCbw+<%rx*#4T}C*@}wc3Z*X5GzqXs{4fd&r;M7C
zC7!JzR90UnBa3T{nt{s90~^yG=$)Rue5m+eNf#L6LHzyZ>&^d2H;X-XyJ?b;wm4Ou
zXWZS!OS*{3#R$-dE)_hgeE5^YUkvSkr#%o+DsZ3rtvaTQn!906*YFLi)3@l$KdZG^
zR7MVfHs`|)6rv$preW%_Jc^VKfYtdMrQvFAzA2*%=ch`XM4%L@gJ15*GV)17Myxya
zU+VC1bMnG3b-Z1+7ybL!;q<n2!E<bPk#|vyy189LKFL$MyR+9Oh-gGl3|u(3XMYbm
z-u^54M5tR@R4J-cSh^O5?2Wl0vtE>|uj<5s6ZwlYq!Fb!$kn9X#EKhRKFDZY6JI?J
z`Y}Im`<fd3jB#pu>~H>$<FO(-gm}#4fkKAyveM9`8M3+BTxD`6OU(30g*K|7q|4zV
zVt%0~^Z*0<Nr-|8qCqg1C?v%zGD8ELJ}NU@&9uDOocwB$)E{>6YyR$!j09ocS5eQs
zsX(!idi!%mUPtenT<;HDl?iX>AD?^6=Ubd;-q%&{pQG`SCVn4Lmb=Sx&tI=0L|p=B
zkI3Evk46HIduKSGuNOfI^9P}r)H@}J&Kr89R$<p*JM@3jKqUr-wAdVn1fCl8F_#}v
zI&jp#3IifC`q|QKA5Q3kQ0(bm#hHJGMYx(OS4Gtu#$oj5Q6bvqj35zOP!{6sYgQ0a
zMo%w~X=f5PAQsAC71d|-N{BB<-Km-2%eWcrlO`tC9hxo2^9?n2Wlf(wv?Vg6`OYk*
z|JK{rl&i@_UF6bdTOsOXjPzNVyRi@gfgbfE<ig{HHn0qA(FS@yDeY}~;}36;S~WFV
zq9ZpODGG!U)_7z;Dhl}b9virM+&yb0VOBaA*At(|n^{L*r7_4lL}jtawKTB=Y4Y6Q
z-{cZgqN^TM`Ol1kho0k8Hki?At2AwpwCEN3E{#!+5pDV_5E?lNTpxdvuk0}$XE$Go
zKcv5tKc0UCo!1t-&@jx*Xhz$Or28N(FCB3rMFlb-^CzV7+>?V++oRjKyExNP4rI_U
z>|{sti*nbNFUE;Si6ApcHO`8y_vQ><UR!SAj)5Yn2XS@sLa;MeHHZBEjvMzjX~1%G
zsgQl)bb%qkAu*V0TI$=u|33ixKm@-6vsCGj4AO)rS>=^l)p7pE1h+nXc59}2l{UrW
z>I;9yJf}ZO5qpa9UNmdV5EH*ppiT;!aG*KCx?P!mC%2cqV{0EmVHmHtbSgAa#gkaB
zob*E51ZuivTRy7n58i)8E#G<c_7~s!%3IZ9LHF)3A5M<*EYk*bEVlECZU1<W>HAWB
z?8Y%Ms~S@VJ+<Bqij4Mw7|*)g5JMQ~Au%3E@w>JxOI4;qrL&o)OONiGHb%q-e?GsY
z!?|<w4kR#5%cUmLM3k{9SBuN@^OHxb)dd|{mZ$5QK>m6`?4fRG&z9?QL5zZnd@v%~
zJ6~?-CtR!XY(%_0=~~gz6^s4fTSXOY1Dp>;IOBH|+VXkK*6uw7rqd}M>*>iU?d@bT
z8I4BXe7qZKzjw_4gM0GVPsKAj9GZTA?bQGG@4H{vgnv4(8zKgO{mlQ&D*V<%{zvY~
z7oJk-+)nv_cwhc2$KtP?`2X>JSMKdH_hUcyV?VwoxWE0fI64xK-bUTsLq;PN`ceBD
zD&Y<l*YVL5iXK-evtxE9z@RgPG8AXqrFqT_XHkm}J#<87qSpiXs7Q`><kkjb4vTA_
zymNm#ozTN|G9J_KFV8R5woH>W<#MrJcS0K95-ez%RS-H506@VFuGI8&b(+zqBJPR)
zO8cpTkr3T;MNnNB$NPQ(WklMb{@%!rS;ae9FY1+DIdm5gPf6mE0+-+xgrGT==Y{Gz
zQ#X)#B5FydiB6*9OvE#Nv=Z;@-&Z2isDTg)QfbtoiG#=@FKBxa7>niQf<UlPlITR;
zHbi0wX|zp4h#^VV+f85}02LdD1mI=K2*i$u!-K<vBFm&FaF0#T=Oy8ox`|Z6_qBKK
z`Yflu4!<=)WYQaURmI(!vG)=XsAOR92X}ed8+r4n-QM<U_8W~o1(K%<P`)O@!{Gpq
zeT!kN^hZ?UE&7&WgHFh=>so7KA^_T(9ax6z{px87=-%`bDNdp9Jq-~N3c_!MqB=Th
zK$w#E2exel-I~Por=G=@NqiQuKo6dYB;~JF%6o2+{%h9%!bhgkKD+TgK?>z~8|66`
zJ?KjDEKQuvJ6<ti(CUiD5*w9l0lW+O5fCqJ8w}V-S#9o!#Fb<HZq0=#B+XZz<{}%Y
z=t~n_gv8atQVa#|C+d@ifm$fgFb=&OT?y<I?kGVwcJ1Z6tFH9whkwg&{|A4^eD)vz
z%$$Y!Z2I{0L=7f`*<shBT|4UVeB`%|4m?R>UwB;Xg0Cg#Ag<1(sXmw;bS+KzHd9I2
z$g{Ikx)ZZ3y?*lsLGt-xPP;T53~0w!tCddE7)s`Q9!OCBB0_vRpBl-{QVZeQO}Soy
zHbmtg0ejj=RaIW=szo0Q&A?s`M{|VO!m_NvVbY8ySzT34RbzF9_@_YY5JQ4hM~sX`
zTT#qKjc<a^LU1-53?oYk>$0SeBa}}^io^zF+I=j?al-%bUGaNvh@<4$iTZP^@W<bF
z|8U`}ZyI(#Zo^-A82-*>_&0BffB%jg?3N$t+489Y|4(0(|I(rOlkd2{ec|^t{QcOE
z{n(GMHl&jGKQn&tRyI5+iiA+eYH_(<EeKq4IMr+gz_G3i94OII3PE;?xO!M+5+EOq
zCxjO+&*ud7q}K4vBgg;~6xkQStTXg0g;jPA|M(=~D5lp^vPOxh<}eBU#X0(Qj+&>a
zg4KlLG^E6)F)(9yo$nJqIf}-{wn?;3v?981a&90J@O{i_2VoFs0SDqTMLxQ9c=P7*
ztx=W}d@pMw`GxN`1iM(Gu!mkt1jTBCDTEAqMFGKmon~k`bYctUV+Ud1ckl!_@|`Jr
z^mWXN!R=djrlSLn&ce=iZoXWu)~nh!))Vd}Bq3lU$hnFqkWf8yJu-JK!UbZ6DU-#J
zK+SkGkp!3s**EK!$u@$;KK016t%)MvdAy4q3Vd3hef4<Um2tO%kZtT3e-=dUTz>kE
zW9>ytW_G>8B6dZ?z|wh6CzdWC5f~F(10%z_>$98Ow!yRCFS;%&DxO2czw{$IvBSY=
zI2_P~XzRM|8nLB>eLXt{HU+|9E^N#8xTv({7V<F@!Y)1R8KAy(j``p*v2PgO^QY`;
zwtwKyzHN8${nkxBwjuLaE>Dnvme!R(8>eeL_jL)|dr;i%5=y^55#q8-*hZc4tAcWb
z=pWdL9ZU~9DiCEs@xDYu3gUZVb|v~gnZErawsG&a(7(+&-dn+QZ^1PzqiY*YF6mxA
zS*-rg|K}&Z`$xX-`~SHgpgZ=ppa0zJUwn<;F`gX{CkN26c-!}4gU8yii|z__UC-xp
zn$pAZ7{WFJ&4{?_nzrFm6B4I8dcIj#tL0!YoDiiKobECNR<zB*!2uCy)3$k@6SCKe
zc%YyOub`8mTiRe9EH-*82^vG&uNxwo-nfp)V_pp3J3F~tF2;lDWHQ^7_1VSZ!O4Th
zbTTdI23}oUo}Ha#AP;nu=mNGe4}xwj;_a!%;>I>V!4VTk=#HmByoL6kt{#0%+%c?6
zlvSnW$4{1%OZFqj;*Y%`?`0owyrCI&-i1H=!2h`iZf?GnpZI<g{<|o||4&|!zi}#(
z9nq$#^nDZl7hY9Ae&+wg+wLoM*kk<t*pL0#kB=Je?x*YH&j$p`2*_q-7MLRNM(|U4
zuWd+RJm{H?u)uj?-L%L*aqGrpke{BNKVDucr=2dkSnTEWbhaMm&@#diXAj4N7w_Gj
zjK^)$5KOs!>n8l{d`|#Gp(TPX2?!u1l2D{?41q@akMq`dsMgc-JvVUp=*_W{6fJgy
zI-+REAu=mrN}GDXf`a?Db3s|fYuc(L<R66f88WL<!lnR{Z9}*sk>M~+TSBd_bs=p7
z_h}{uxh+e(UTRlsMW{p3)7-&h21^itW%%U2Ww8$$-9kZ$I3g@~5cwJD;?}jB2h&5^
z#m%O?+^pMGyVx}A>QV?Bjdx;gIQA@inEw&;aVQ_s+qFdhF#3jBt8|m+m(d`muB*B%
z>#}N0G{kvgMA$p1Tvh0KRNL>M*RJh$8+7yp>*5IH6M4FOf{XzmMgJ$uZNpkkr`<}0
za=#$>=;6DGB?+bk?b+(=g2A6MG`52s3rtK=g%3<dOo;^`BU|no?Ugb}w1MJ#p!9f<
zBx50hX}n^@DjP2Y3it>#<r=FpsNq{=1n|Ct)Ov`QTJ+nBD9`Vci{g?{-?HtWb;o(G
z^L^OzpRZQB=TH6^!p?OkJWZK;ofB&2u8TH7Sj*~xG#!DWsS5*_K){jPx(hbc2#4cz
zXVD#!iO@J#_9<NPzKW_f-Z$xnz9-hB;NNH3#$^+tH<52g|4@3XA=bcoYI%xv82Y(^
zlqwKP#o|nShwlscu{{J7*kTRN^wa>WH=*SL@vcsFo(S#FUcB?4pM3Ur{qS%8)UW(L
zn*VQn{<B|s{VNC8Zr{9fFG~ou*K|P)S}~w=q5H3lD@k<t1bGRsZ&oXb=2U|ys{n&n
zoe;hENPF(uci(-ts_MMR=t7o@P3ztD>6GBUQkpQkV*>sB!y+a>pyijYd4@%$J}nC*
zIOrnD3*{QxcDY^?QNO%AU#-eS=F`amZRFwU#XAol(5xVuF`mv^YX+QOESC@0Ya-Tk
zH`95c{nR?cVxzTmuXWb+zM_yA!2vg=Q$q*Uw~o;M(|2KO>9(_63;NRd7=inNWWR1A
z{;gZ$Up{_zA?w1h|KrsE`3LR`<+lZ2yTE>C8GhgA?eDrFe(w$WYbX555udRB@4PO)
zf5Lz4fv0_VcW;-uAN#Q%`|-SCZ@&`8N9`Lwzc8jyu&pM%0=ozSd2fIiHL6fO!Ua(;
zGe#QGF6XT+GuDlisEG*Zz;$A=b`K#wJ>1((OHX-vMBltN`}8M2aqIfc_uqfNEH}d<
zWzKD?%5(%@RiX$FC}(UN(ILwHgs4T52c=5ZIl{njiVQ&2p|`XU(OuF-X*rq%k(>#|
z5dA;V+r~-{9X&lF2;|eRg)!Z`@4t6(ewO9ga5OH4`CWN)Q&*2p&&t*&#9tWDDwgK0
zF;z*BlQ0K53baN;XD@r^?5WnrCrSz)1-s~2^}!G!F)gfP9Pc_?8C%xPB^`FtSxAaJ
z>zhP(IZZm%!xZfRNs>rT{6i7uUaZztThFF5`o(&^zFaQo=uKxf>vEe{6vq~E2KFJp
zN8zu)Ylu~FoDknP;j$0Zyxm6>wy}pq<N6lj?GeTduXr5@XF2pcSTo-=b<?RNA&5sL
zfTjVxMa1(VSzjcEo{K?P6nl<i37P0r*{*pB9aFtt)%6A;T)hz_Oxa;V6D>t|d)sF}
zK|i&P6Wwx$owv{S%5d?mk>T@a7e2Pp1#w<Ih3wHqjCR_NP6F|cF1D#OO|ve`WmRvQ
zrh+XK=LGO!1uJ{r#G?)>TEa)CeE;+^L)gXzY&&iHCWKxg2R<X%)+z{n&CImSH1UN>
zc#GZ_V`+!z{vxmnr5Bn>dINXJXCMbcOl`DP0(saj<3yV$ZmY(YtMt~(g&uAen_Oit
z-Ffl7_uqf>^*3(azjyQYZQ^gx;+bHA>r_W<zbVUgxhCSNwW2wn<;Cz|hyXJg(qZ9Z
z$b(d>NYk_PGumgO_jOq#=|CwM-YN)n&~1&<c!xF@BGft&5#0B;TJNJDL%wk5Xqfg4
zys2?`E4y56v`lUu-xv%Br)OvD<vL6BXgW&=Ik9M+VqIdfgoKSIB@ufEyspwTrTdF$
z1FW$+3j-*vdY{;)s=<T2gD;eZq_C=My2Jwh_gL`wxPbf54EP_qCx7(%vt6^5V?VX<
zf95^^lk;!8MWqSsFFo=<e(L|=UHIrfZI^j3<Nx)`^7r2ofBIeb*H8Vz?w{lPu^;=f
zA0He^R@`~fe(C4R)x3(4Mo3#{5)X2Ms)(Kx^gvHtI2eu-nYOEPHYg6J(;}5aLfwdO
zG~D}?p3pEfkD$v2dPwJ~MCYXQo2n+H&!vPPxUqPmLu%5oE!Y!Dsx=`K=Vf%>iHY((
zB0-6E8>&V0B8dV8SoR?ICW@9rv~v+#6a(KH1xtOleIJi&@vXHdiwpWQWB}vAP~~ar
zu@cWk0B@mZLvLf9&<DcSy0bFH`?c2FDBf6G6}?L2Ls&Q(hXb?Gj-M~)*@O3Hhu4xU
zKfG~c?ER8Z(dJSM!tcIs#_iuo;D+|+#*G`-u3gLW+z~8mZN1ruhYt!fn$4y}cKmvE
zczAIA`t`Q$UVHtuv$Hd(dHmCg^pAwIyBJsblu+mE9KD+kR{_kX$K+9S5A2S<)~+Kw
zIn1)+-u-k4F~<4)?BwjEu2+O&={+iP5W)I<guZ>(LfoXVDeG*zG>cL)XM*oylQ!%>
z1r+^pU4m^rRQpg?=+#{xn1Hbh5PJ&A2mf51{PT@*_}8-2*%`(2r#95nxSeAq9OR=5
zCe78ZZL9VAqAXVs;h<4uv)ZiI%VoRTxV9u<Sb5#`F6#X0wFG{}5%Ez1nX`R=cC6ZO
zJ%_MpMn5NN#0XfzqA|oP5Qs}uwP7kq7jeJwbORXxeC7>0oM}46zWBbIB5p4d2Pd}Y
zkA9+Juedb?_@%es{mM&!^mqThS7wvNgLh7>BmS)gUoDsCmzOv0-lpl_p}oSj1}5}$
zH(4~FBYD8OE^f}PR!iauiGV{AeFIcgRYxs8f#^X|5PC<;1V>^q4?0UTy5)L$S|lmV
z>32>}y+c1L1#x~$ENR8XE;NMGd2*V*cItYuSdE60JGX9BM5L-R&-7q)vlxv;q8D@I
zGjFO&ct6mZ?q*`zjdfX35PPURVrhvs#4HXD!j063U`zwqkrc>lK-V-bu)@+Dy&Tr9
zzx=`d&6NMn>*5dG76hQ5`PCQ8@Mqt5|H~t9|9>o(ZyfvMZ@a&7=KtM0@^@Sllc%o0
zOF92jpHe?`;Q#ys|M%v5Km7gJkNwz>4~*{Uw#te$oM(w16q#|brE{p=2QPY|gcU&?
zk4Mw#@m!q^q$u({VGcTYRF$pgR&klqE4zk3+P%B?KK;p0j)#Lsj~>)j8I!F-GRW9Q
zqr6H_{zUnZMjUS?6t=+4y?Y9esW;Hy!k5!Y0_U+J8}0Vv3+Xv;O|ULli>I<c$<1y1
z8(Hkh^u3Z<ZjnMn`!JMr8{e*)4SF}3(?X_FZ$dO-49N4z^IRbAz9!sIj1CB0LWQf8
z;p_wT`sX~_IKis8FM?=H?aZxFF*!VX<x`(9ESyy3<BJm_4O;53tNvbv{)|SWf^ZKk
z_F)S`=!cL{(=>IS;hb1^czF2A%dc$8^1;Ig=jZ3W;(k}N|JsG>-aB%)T=3PN%Fp~3
z!Cmoz>9<1uK5hx0Zf(Otdj0tLrF(bp-oCjht9Kth{Kw7a(W<ntOM)vYXAm??0&Kc6
ztn2mS$jyRcOCfm+FiI<t(j~PWZ_3u2hI<3C5?o6l!dD*6r#!0fJz|gBwrQYZQeqqL
zx+|pj-tXTk|D3DP*e6{JSIJgATn4>FbW+`H7OS(<i-*g_xivLSzouz7RcY$hH<j-y
z!&S|6*U<#lu{VT2lZGW?>Tzssj!vpL?c85|{x*k7DP%Ki;P(Ei5NoFGV-X`-1cufV
z!bYd7iE?}ViO08ZIbMk21vJ06;65%jvB=$s7&P5@F!+t%|GmHR`mMCyjD{mNC@LwA
zjt^Zvpv@6TXYjM9d(;w{shbv8!TC6W3$Q+Vg=yI)&PkmlgM$7`)0n0o{aZv<o)tO4
zdK(*c@+6r~MltCYMpX)CTRyG~AX6iH^J8*HN`y*3y#m%%bcBwMi>8et;Jz-a<4GDr
znMIzZqv22{x}bk+Rjt;@yYp;18t9-q>k|TsWleJzS3+$4zM=sboy!)Ld+Y`646XxR
zSu7OLS45KbtWm}$nP1M}ekj>*I}-oKP4NS>XNmHgRrs6d{x3c9Z&d$mWH7`l{-f9I
zPh5)Mb5s1#fzVIgLO*g0U(Uby$o<t5|GD*ErL!OVu^;=f9qqOIb~xs)9puH0>qi&!
z%W_#UE&Ea#y!jx_F}7~S$e|0iF4qgMA;5<|fsk73;kk{jR%4Y)jt>uCdhx}g$O-wM
zot>0z`_98htJP{bUzY3T(czRJMO#;dWk-`qlBG6gXF}0#9oFRma8#m$><rRpA<6)_
zhp0eCjWyciU~8vjOw<vC3^;+BWa~Z>{W^QGxdb|bfQJZ%4prAI%W^mvkFs0~lc#Cm
zRrKJa<Kh|IdiVxfgX-uynvIi0YbhNtS1(=<A4c|lJEe=hDM+e<TG$zHHg)y*;?(-E
zELTleixx=&VcQPd2ZUjxZR{qD*-v4V6^YVa(=Fx;g5%@KgkE-Waq;Ch->gxmTwpgM
z=z+E)YJr{t<sV39y+Z0?CvSM}U!O+y&wzUZM$#jmILfzo`NWofM5qo8$HkyH7>*9o
zoHrJF`o=-E16__pz7qU~V#(R1+T!Zi=;o-9A26Oxr-LHrNUNne<A_gnc0rs?64xTI
zNvE@K-3(Gi0ai3r4}|U8rj6!Hx_8})f+%Rm`182S^Al<V`|9f$S53zs;7C~IiI$YR
zGYDfA$gT+7pI-pnpLA_Qh_@wr*MW{m9}DRm$xk#jAPs@CEQlRz*!I%)9kbhvXSQ99
zi6l2l?xQH51Kx|+E*nE8daYa=`#fU1Gi&Jn4K7->ZY4dg-@<O$K`<W`ZXxDa^vw*o
zr!0Y6*462#xOF(S^UK6G-DWu%6t8~ItBsOpvFl^8T#oaMTTho@y;`ozl4vOH#=-Pp
zG@a1(FvMv)q5}#1rkqU^6@4<1Tt@q!W*PCDtSE-Xz*tL^KqV=WXS$xnVBoB2n+ggZ
zmGn&=vM;E!ZORvzVpPZZJ~o>}NrM|d@YbLmmYBIlM~+CdG|}M6MV1(3-KpS0ZUjxQ
zENX!^ZJqEiOp?l2`bvX)k#*>pf%8<~$&Ce+K~67M$g6O%hriE>W50Yg_rLWJ^7`L&
z_yOF^qBiEo9=N~!$p8H2pB^`Vt1N4O{LKH|x&JMP@Y4A;<0o4kEB1%(%HMt@{`V6k
z<G#Na;_t_P?8koK%kd!Gyyw64vvt>&O#`1oq2R*dnCUFM>^+K<Rk`wZCQ-6<X`T#W
zn8QNVF57j>0=iqB)3GP?;ll?%@e^zK)6+w{sVj8d!A?ahai7@3@ew`O7tKm=Pv{vL
zmMJ~58(1P@ZQtRggcDsvz=V2vP>Kg9`Ufl`<f9TdTAnBLch9AbiwiC)+GDq_P0-dW
zjCD>Da_<-Up*wbc`57fhi=}=U8(WcB32;GMF3Zhkvqp!jhzFw-`<exEsGh~v{k!W<
zPfj-Ll8}D!#j#Y$$zoBi=SgQ`&+rpb2)&j*>G9*o9wv|GU^aW{?)}5rfuz$U(MMbm
z=r{J^<45nj^Dgat*L7U%?CDuAyZ^c(nVtsvANBfYejZ|fstWXQCxGpJOt6g<C!mv=
zh>SIttJRm@efZ9!d0AI)zVqeB>s6&tR`sF{K<9+Xq3h0@Jhe%X(I*}7NEJyo$tQzs
zfF4<Es$e$3ZG=jhk`Sl_t9&Pz_6boX8I;}H-g}46)fTne@IhOjEq?901-@A*!J{ty
z>d!lL63r%KEI?F&!wiz3Ji4Kgu-n0avDpx^_wZUxmDI3nVy0iP*ajlRYI-!u@jDxw
zt2ExeJv!F7`L5{~mGU@gVgK0wvs?QK_;?uS3mtuuTINl(Y9|f>=^9o};wlL|uAph+
zHp<nIrWP|Ah!Y^}InuG%A};b_ad15GOIsT;%xA;dq)T=A{(Gkn&t`3NNL-x={%SM7
zIIoN;@`A|2V!g-)2p$%Sr)k1{^owU=vmx~F6f}D+5m!R+`EWr0hR~&|M3xG!*5xM8
zazrn8hW0qm(T5;*4aAZC!lN?oTwL3T!^MOIniu2gY%-lH;psME@x~{rpK48vh0gGe
z<D<H5i6EAn+LuP7c3^8Iw9Jdauz{u1rY2l3K&bFd!O&FeV_UP<iuRRwE$a8tcZ<#<
z9ZQ=2a&*hNm+^n+j`-0V@)`GfB7J}J-2d1E|M$OX#Y^p<e7n$`ZNG`_tu6bjC;q1w
z;dkE<|N2ew;!{F=`tu)qLH@QQ2=VDP`^Wlz?8kn5+y~*6yPpu#S-Dxg_wWHd#{z?|
zMzB1B0})U=a{#(YrW3+f&1$o0sts1&y|57Y8Z2TXnibgN@yW?M@4ZXUeyx*eA4$+z
z5H@W)zgVsptM$>r!DKo!P196H3W5r@w;TZ~2|-8Ue`1|#eXKDGBPG1)oL4+*Xwb+A
ze6D&cLP3~NqFN8_F#0xoTX45kl0-}KDB$)8xm*;4M5Z%|axZkWF2-<ac<!LI+171U
zmWU;C(e_8Hz@93w_C2Og)uTecwh?QM684|0UDxGe-4K|H_I@4~II&Hy&r{t|1tG*0
zq>c@>G6I^ACJ6x$nP`GGS)LK3XxfHeoTXXSRCF48qr<DV+T9|+lUnsxLHt)QxT<Pj
z{p9H%ZVxv?P`CAhj1fjCtir;GF?F(BzH#<wzFxHzvBH{;k1!Hl2|;|!Ssj@NQ7Fiy
z3B(PvEI~w&7J51!4aTWtqH0X(+qDQwty-Q!Tutvr?ijN)6XJ>q%v|U*6?VjR0D?By
z*jl{{eBwL5N<cvI%#y`(&Iy0QaK5HmDe$LrUt=*mo_g>xRCJ?bf9x-z30pT(>X4)=
zk%d-?Hv-EHhA1+oh!n9U*~hr9o}I)pJg7ACoJB<T;H_9{ijxJuC-kY9Ge`<Uau(*9
zj_(5f<1uWFMyf_ScB<;Q+=L%#SW03_2Ub<pYE@#ng^t*w@3(H7bzQ|i=CJJu=h`M|
zt=ZbuHW9-#F{$VzTX*JszPNFt8{8R%)jG6LyAb0Y4Ttmr=a-ic9zGb4$6a*0k5dTe
zgU(j9DT$@iiOP$DZuG3k=mNH;vka`f>yv8-13E!;cNR3^v9J|wRO#zR$`}fV6*(#T
z47C^?i%>Kyeh}{-j>b1{-SMv0Sw{H&-V68ndk<*)MI2d{(U%K-<v`cvl}%X((|wVT
zra`K%E(N|SaD6550fq)6nq?C0yppCU@wMm|%ab&x!_3o^ZpqPf@*NHC?`AxSeJ)=Q
zy$vu(U_X2;{=hBqsll`Fs2%&$?*Sq&EYQFFCJ1xm*{zgc34IdIZe_gkEEoTj8w_!q
z|J!5#^Xu?O?u*|z{lJF4XUPA=C)E!hAyn)A1~Io+gYKQiv4?Hg7xwpKKlbC}GVXjb
zT))lg73$%}K{gH3M&5fU%7Db8hiB*WO_ynXI4q#KP$G)t;Vh8|`p(u+@tO!_=_gql
zy=-LYdn+YY(!I0i^ZA!vfBgr3!*6)u#h2z6XKh`<R*y?#K>#4dj+v!I769L)KsNMJ
z`-l}0s};5FQFRb{y#_t$VTg|Pb5sp|jG?3h0aTQ+EZI8_(toULJu)&0Jt!cB(98V$
zvR{^@TItr<4N;e}wo&DegAsfe_1UYJKL~=OTp-4HG1~JaQ{&leI2>-OYPsH^avKwy
zQqfzyaJI9tWIL<Mt!0Yfbyc^6mcYbxI#XH`CL@k9nNALl4(LOd^JU%CacyJUP<w?<
zIe$`KetsoB?(@^TeWlNN_HdrOpcmTvDDMCyhCYe@VRYt{(aGAI)5T(aF^6_LNx`pB
zDkeZFL7JdYl1>Pdjnv__?D|1I$?4!#2;(%((t&d-bXcoF@Y8bBefi6-+Bmmzy^%}b
zyNv$}-wWzPAY=%U2;5*?AEp)fmU4;S&j{}o&q$AUnhM@myuY4Cg%4thZ8lgWaehmN
z8As!4@I*KbCJ_2a0P`U_A~=|10YU?Z6OKkpLF|o1)3uCsb<w9d_uQ23n3!h3q7@O{
zELb(-P=z2o49t@zGa9lB;t(*7q?;`R1I&lRVl)^Iis2w9@SLO>Fg*n7fcE$^l9<-3
zi}Q=+YGdeTYHYV5^4cs{OLlqbcv)e=%ko4o%JwJz!B5TV6Ei;_D0%PZ^;xcom2}Q7
z%gyC-L30@N8R5H$GoZeDK%bb-=X1K7k~F1bq8UqE)Y{&)D$rj;)a0C;o}hc=`0()P
zD3ckzWxZaH2V*+&7;X)Do$tNqiGK@6{8rHM%XsTWKI!{Q2qw=pzHzd_Xnf<=ZP!)A
zXy`kFu>S2k_{Nz|#&j!IWtAefqIR86RH$294|Ci)oNb!AEjJ!<a&YR2iNSPGY1H*#
z{>Cr>Iwh$}ljFmK<HO_OU_j{p==!zqXmI~yud3VWH}HBor&Gn#=YecGgFkv*{N5WP
z72oVi7<~#&jck`lbtmKh(|0S|3+ld!VX&$Qs_@}Xo3Ud5+BNYn%!K*Sr+l#tzx$t9
zyGQr?u^;>KF{#}j-;p=&rSH8F7xB6EeTQNo9H(XCy=elf9_VUxV$-&HBJ)H6Dl<zz
zG@b8s?)#2On5aV`yNy=Dv)Oe7<x~Rb?p#^b=a-jxmX%dwt&wfVka!t0K8-=L3}*?T
z_Et$vSfxd$VhlGGQL!x0)agw}zyXU33Wk-a=t8Q!bq|MiJSR9xpKXZ?c+^;#mO4iT
znGk&E0IBFxlG-#dSPX=QG8)Tzxmqm&tObhyTQ_+guA)+(R}P1oz`%&mA53T8_p5*P
zulcpV=IyuN{rf-lQ-q47?sIt1UK(v1LtnFpSw{pfL@;dh&u>~J*AB<SEYBQ##7i_B
zE7*ksV+vdh;b0v^I1okJ=pFi8H2>l1_0unSh66lhtoih7xQ!wYtl|)|579^-c{S2`
zRWa5OiXYt`X7?GLM*{bGCeuQuxf~8zK4ckwqS8XA$zVDj9gK@{q68oCFi|XFqBcC^
zfnFtAk-fKAu&h2g_3IPZII0N32?_U3oFdwLTHeRp!s9U(^}(l545ydT6$a-EyI8Jg
z&qlP77ro&--}&Qzc(LN@<>Be#eXQQcMr~ZCn9ppGqeOFvz&$fov{rRqdx1RFBrE7b
z(dCnb#|a!6SVIz0)j<(c2J@AXs_Z&uqbU<iAkopldpAsE8;icr)Dh|R!y+U6elVF$
z#^a2@a;l3o85KbG2m{NZG$&#TgdL|uG;syOuBviA$IH;I-MY<Uvzf2T)rNMVf$NQL
zt?ihncQ)4i>_7SZj9-j|pQZWuaC!|D_inyi%@=c;nN8P~T}{V7n@#v?L-z>Xu`Svl
zTDmKXBB!HT%$HSNU)YP`aFpi-ovOBO%+O%<DYSHuL|N(e)>s)AD`dQ<wgF&~d4+Av
zvX4edvGV}JAsFn&y9~>3xN6E5!yybl>%=>|f@07eAK#>tk!H$v270><rw`IPG4$=_
zI+}b0*URO)YG7()u^))UkZB6_UBH^s?BHN97(#@P_>4?QJ)2C4kW9z3(PT=~_&XZh
zPZgqMza^U@O#ig?<hO7r&Z7Q@f4k4d!Sg=l{pQ>M!TYfv`>`M2IfI^Kw_Zv0PqMB>
zeHJh}VQ|JaCbW<V3+aURoIp&tEK3n=nobXnW>cp8<)U7}T?aur!o_EBfW3(i=puv$
z9#UK8I;;v*O_4M<R$rT@F<mnr4e^#XKFvKn)D?%Xen+Str98p`vB?Y8d(I|4N^pTU
zS+pYDm2QKKrY_N3!}r+Pw-WCn6mc+}3=0TcU~!*kLC{tWy;&v+L?h9y+*!coG);oB
zga9^8O=ur&vSO=^e)_5KY+YPJc@aSeQ1J2b(W|e1cbcVNdgG0CwFV@Sz1e(k+Q@ow
z2L#n_Yl}j_lz<_9x>RwEBKj;Mo>M6e^KVVNTNqQ<Wz391H?i=ZeGrj96-diJ3gv$l
z0`T-tAcBbq*F-mV2(vtwUMQF#^2Yki1byvT{HpIs?tk)dGR!sVsgPbvI)}vL&^AC^
zig43d@FHb8gCR=7{g{av^3kB4ohx>hvq8lk$bA0BeV2}zgM=wImNK;E1{r!~42tFs
z5oOlEB|a9v;fIc^6PKAHSiDN$x*{!C<#)K!u)ZnN_f+TVHT?p})5xChY<NNhopdTJ
zdWqq(50O1hE#nBq5=<mkXf53|+_ZGpAh>}T81YWx$VzIvb?hW?uM;M%M+1w9KKA`(
z=TY&7btHtdVhZEBD-nc>Ivrv`e3oj$)7Ou#&1MJV5iviS$_X)4Li9y~S)HUZlN`|$
zD%ud?jVP3&(=>!c@Y!T!YFn+#HDhJ)D>}Zq-W1ugT=SR;9GB-r*)?aYr5qNlTQ8Pt
zD55-HF3Lxb&&yABmtD2yX5BQ}rI}9ara3)7r>RIEx~Xeo9Fx(M&hYu^#d1Lqzd62k
zZ8Du~l&af?`0Xf7=muCVmv!6Hd81iHC$p~VK~xtZL(0R1vj6t*y`alRKcB5~Ch}Mz
zdL~W(PGu@p!X`u1;MWDcp`iWJ(DN|K@_Zm-OEwaaja6FsiaxF?>#}LPhNcmbe(Pg1
z0;4-E5s8dRU$<`FJid0FJ}E1P7Ry2M@R+{l4u~XZBCFrg6`DP6{aQorPtktt$9{aw
zhP(ZWIKDn!oN%cw*Ja~d80n!=6pq<8T2!<V>t;eUs98o$f~%SsTS?DqiClVmBKNQm
zsjdXR=@A-$R71xs>?R9j&<m9!Y^S%@^A6o?&I6WvM&QmSyrW;o7FUGEZ&6URqz}D1
z0;U#($FmS?oKduc?4!6&D-qa<zB}wb<C&C)<LULo!;}E0!1KQKriJteCE(DfULmp5
z5+EYHK)bbBmz%OwL*~!{$$CxD6-s<&9hjr{41iH2iU9kvDqnl^OGiI*c)q+`)(aP-
zE@|5~?99`*Y7<xk0lY|23<gsIZU+a`(O{Gf3G1xNRbyI0idml04jVc-UE6haT$QjW
zShiiv4Cq&w`3{ip_KouoAlt9c0rRQiJ$}-gDE8X^X!OrC9AJbs43}JG)0?+{#jkkz
z&a0m|I@B^63)0n(U>lWZE7;a_(QggnAyM~;8v{}k=#-ut_DHbPz)lTcxm5T}JHn_a
zaTE8`PGmmnY=n0aal0rwhjvP74vkBk3!qN)nY|}I4^PRH`g6T=f{cBtv?cU)^u_zI
zy|f=ZKVr9--}hDk{Lw507Io+gZ|GlLYns)jD%WfJe;MPd>ejcdjU{I$Re+N_3&a81
zc!}sRXqPj1VhY`hO`r+eWnyi)BmNC-2u&r4qoW@rNqR6C+&nzIar5?UHX9BG1EQx&
zXGBDaJE<f=!YdJpE-q#0{%%0zf^oDVmEnI)BWfba3D1XF8G^R1o+mks+Yv^laE)m4
z^E4}TLeo!-io9F558ryolGN4qa=v))!Gn4Esbrk7OVzB~$qd4=b<-N-i7yl9x|lDU
zsvZu8!(sr}Ai5EjOBh&2%?(Y1vaZc?NlXBqSf-0ADO*()U5>$khYk!&A+8$uJ}?uD
z`mw)OVc`piK1%H1o(bz9ECb4@&*Djj=9a({CFwhfu1$2$)Po@=#fo^kF)8;`0Ra#q
z@75)xd0Z5!FbpoO^kqZ)C=*4@ZM~^K{h8zAgX5$a(Z|sD$Y?gEgQ7c?&iZ#WxGx><
zsBd{EDcv3e$#V&f{@OkJtD)kVK#%OkedOCy!G~)5rAgn>v=QS2-RNVrMcX09V^vs>
z`!=F)9zSI-$=Q$n*pH9Zus1(3y7OJvJ7c)mth>gxK>?Q<MlgYySdk~}tANrP2sFI$
zUBd}(8ON;WiuVFpwpE|7K5S|{8eYG4Jyp7CTS6+=jt&Tq3<m`PiUc9{h{Zt-7Hb2c
z1K>>{^7mdbk#Tz5Iv}1{b9FJ%2MP_CVG6i1`sidKbr2%zE&5hk7+gb#!=uXG!IUP6
z2%c~mL95}xq!<obfMbV-!`5x<;6T$E;l)iw5WUQ_4l&+`ZvkMBQNy;)@`=nnww$7C
zn5Yo9w)^}SzwqvZ6MAr!WmQ|=3G@NbA;Fffuc`xFqMO0O^^xa776m^X=~<CV?HAo<
zU0pQmx{#R~40QrgjwW!{(yj{lk9yy_R?tPU9eOQUuN{e<h&}xX;cJ!b`BSz2D>Qti
z@Y(*s^~t=uzruw?!0M$7hS@Hc;#QHrG?IsKD`AyoC5$mx<pDDca>rOlv&SIliKv)x
zZphds$PL;$!=q*OrOVaZgpvvEJy^Rhd{J#Kf`D#cMJa}ifoKuI^XS_S-+gpAr%;r~
zT-DIqq{e8YC&{u;jvUKCy@@=Fofy64zl8e?q(1PLWKTERvbg%QQ|0t*3Bj;%2Xe%&
zHf=L6*Nf!>sYx5c_v_7iRS_QC)R2DASusRQO;*4O6qVu)%%VI%i>7~gLcrW@bj`QD
z)X}yk_R+=#sSwrsH~~Uo%F~@x6vbpXgxO4{rbRj|VA-M|y3xJ$J1)71mk5m`Dk{>5
zi#XeX`VkL7&{WfS+vbF8hXbNaT~;MD(a?@da2I3|@++Z^4`w%y52u`s7`r$>^R1m+
zzfRP=w%yPD!WTaM>Ze|O;kL~4c7EQq^<XqO7>zGhi%6MORU^9#Sx<Bm>9niL<!0HM
zb~GAKX9vYFBOb6QYil+!Z;TJHl16u!f}>~K(0{b{lHu-)*>VuTCouOHSiQn>1jJ$e
z6^_ls(Kjlptl&;BC3JWYB<UmpeS&juLp$EmoYh1cct&3lG@%UAm1U9_6HoWO>nz-G
zx(*9>S)PsZK~vV}kI(Mhxj#KTptlgC8;po^kA2*;?`UxUU%uf8LwEjLsXXZy9RJm8
z@W21*rT=peeB-xyas97;*A4MIuZzDo_y6-l--YKy$<aywo)LU(dU5~bF8s;2-8(hA
zk+T2nMR_;totxNSe&qhvMbO{Q$~rx|mNB?|KlWok_T%F-g3|TzCz>yQ5qaw&i{L}j
zBMs$JB?)}Ap*!TMvbL>PH4{z4)F>-tx^6?LeV9nDw67Z1b%bT<iQKleX`5Szul$Nn
zyfiF|rmE<9Fg}=GUS7Dm^aNj^vG3>!p;8$|7#u(Z!ehxSQ-LLfiaMim!q<rpx(fi6
zP=8=2xNy><ftFwpOs{#Q1Zb<}9@Zk!rbk8x`t!?+%ky&&oo!X*=}Y=WdR_<TglXaJ
z60C5_(!r`k6q(n&s@Cmhk)#>#0+K-qY?y5%EU^Yyh4Uv65I!Sb!r+C&2!(*hWmBGR
zsso>odFBS95;!3PI)ldcf*1Nk10(d%8cR5=Blu*h&FR@d4r^`CXakGNu9yz9<Kyes
zkEXLhB2^Lcu^9;4blkVW)=2USEulGRx?|m%&X@#GVO?wj6`Vb7>GLeQ?@MOenl=mJ
zs-s}5LJu(x6fF+1JZ^DO3GO@4H*JUALY=&S^4^KKeGmPZj-Ail+vnBeve^XJLd@lP
z<#^eI_Ob6SgY}8jlT^>S8W03%+l%wl_a8pITrP}h(yA`jYu;>{wB<a3M~YK~sB7uF
z#Cby}mrzSgE{hQeB2mn`zEU6S?81vHXPb!Fc_e^PXh^<Y?(uw^ItwXGM7Dr~Azb<N
zMI#(6;-Fu4+sqpa_}bxuEt>A6T)lq!_|22|%5@z&-Up-lrloz%h~9b)xd$Oe0+4ix
zOl9iQG@TE`&kC*y_@<gbW|{^mVnUdYaRTtuR8g_x`#FZ@2IM6qG8rVQ7$(_BDQ$(Q
zXm^^f@;u=omk#3nSii>&kf@X(G9h|`%ih3Ns3V5nwb4$~iD+ZvxoglZKwOikvlN*M
z6&eWWR1`)2%1bZYzLBxzoTeY$$V`i_(hI-hg?Rh)@jv{T&vKPb1M6(FTGmQm%QfAI
zEk~n(rkiV1cHPOvcrvLCuh%U&oue5J<C#LGgQ>1eSe>1j#-wRdWE=}~Qo~CN9WSWJ
zW0@|fAQi&TL?8Ps#n$}O_v$HVbMO_=PiZ*Od-TET&NNNyAfHzPQX6mU^}53OuiI*a
z_Dj0aI#^p4D#>*=7>t&y1#zH6h`KXt?^QOOPG`gML05On`C>2}7o&mF$`Y5hp~wox
z&381o|H*G#O6!XS?wfZS_BYO+{fJjb_|;cxq+ET}+ZUGq(fhLR^<7)`w=cqjHcS=!
z!}sJB0r)5D@OLlw{+0W&AN#Q%-}*7X^@6-{(_cL9LeXvrQnA#-C`b0zbdI2Iox`6o
z&junRz{$Cc(9**;6Wy-pQfpcQ+B{3?-)WIgih{sLB6v0^VBs;yt5UD#%SI?;;b>2A
zD9a)Jg*Okx<j9UyaOVpU;}{1=9C$BE!oh^|U`~%JCqcay?iU30RMchkMav+2R}I>p
z+@kOR13uGXy<ft+p8i~}R|F*l;d`tLqoN*{gpo+em2BFk-Ym0XBD@38Ak55Rv)>1Y
z(z_z$*wuFf%PfHuULsnvbIK&cVyLrZWxLh93oT<y30cn21ZaMs0ubD2?Uk@%K<Kme
zx?Clv8y!?ukAj~XHk+{Vh^5!f?d$2y>3EPO*)Xu&e&ucdGjqQ>2grd|B`Wy0juE_H
zx(K_ZR_~vH_~&rBtxf*bpFi}v2y9vGc8Ha6Wbj%=n>V>|86o&bkKXxz|54L*gBR}Q
zj=%Tj`=9;tn`i5#gEGq@)2a-z>^!?fy*`L6FUl-m5C^1_Koey%uND_#Q)a=y7gO?%
zGoyg#P`?JkMnJNmt7uT0kGd<19g50wxm6({T?$qHxMmYALVbVv;{u8AGthczP9H_!
z{7$%pnt5Qoz&`Z0{Bav-H3?xS(2XtPm>)D(&zGy$A3pfpJ6~z5F5_r=CcLP87{e(Y
z;RG;hZHaXOOnP4h+eG=ASGq{xy&84kiV$d&6~&k}IwqQ*^aI6IbO4GP_~7UjMUqa7
zVmc~Dql}oQwe@mSH^x=OBW1>k6APB7d_Y)P68}RM8xeDKs=za}wS;A9J21ygm6Ubs
z>WX-IUC~F<WT&6eY}XR!$TE7(Y&z|_c}-Wa>WU-@i8x(eJf5G?zUNKyh1Xu24G(_R
zOLuAa>t<CpWhN5>({#d`w%)9()u!28Tpo3H2sIrR5=O;@z5$F67njTauym5ymYLQ=
z3g0v|t!?m0qCCQ+aJ@L4sx+lNe&YBKw<eh6Mu`vB2YV}?xDEsVObEu54vDAZh20SS
zx2^i7bGnaZ;PCcA6HYKq%N<cBECtL8Vn=OPp)V-Q)i@vWVw7d$doR4$I(K$@suOj8
z@M19<SD;8;sxn0!?Bn@h7)20X2&C9PBfr`HD(ZIXk5J}J)e|dB&Dlh;2Q8awepRQZ
z8*`xca`^q&kNwz>Z_8-!yu7%5U3F(Qp|6@Am-MK_vy@P09$1Tzscv+9G(8+LWil0v
zai*y(;jCO6$YjO!gV|^>lxR+KHx7?xlNn-Pg{mQh<+>QiG#iX3mzRrGxz4jZ%L>$4
zVP~(PzkvFJDfq@4#2`tS$QVFag$lY8+NOy}0=I^jTr`@wL<eEH)>vUc&625|c04vG
zMvG>8vS&$pd~h(HOfpR`@Ksr3wLeXhE`=**G$GV*>4680vt3ma%!Y(qBiSlGz^>}q
zv6>rAS9*L8C(IywJWVV>4U%FuIN12jV}cVbNyFF=vPE_+Boh{Md|^YL)2T>RF_c9i
zQF~33WGn^;VJ5R#m1jDUW0?-8v;5{r-x6RQn(_0)qI>VPWx4PY@@np7zcwDbg6Z`5
z*!}CDgfKDoQK41H?b=$)#0)R-Tx+^$*ccm?L2P)?$gpC<1||zsG{5}0%g3)hzWd5R
zq^EDZwt4UE&NdK=pb>%V25T=(lDc?BtWIjBI@%<m-<S$)gM}lhOt{prp&<<C!q&)U
zD}d@xagWVCkp|;?B7?45;JWDI6XT`u1{W<wS=e<}$F}9La~<8vZ1_{`#q%xX53#8k
z)2*kOedlv*A&9O)j)OQhWjnuItmiAl?W*1=)W^Kn*vLxc%_^e6zHTftXfLN7u!68<
z=NhM4B?$HdpZ1a(7p>HN?2mRx=7Qoa)oPgMG&Kf9j7O8%WHcTnMDD;It8!h}tJcg*
zQ+7cmbpIryT#vJ2s75petuwK$oo>v|n~q3uqTrtieCr5Ow*>54I?1V0MW!}{awXL2
z5CEY!=KONb*a<5)+QIXu?#u-m%ey=)<bkf%&B^J>=El*{U}O=yE7Q^VT9Pf+%T=>j
zZdOfa+QzOH3q2eVQ}OhIJfrhomF0Z7TrW2njD9kR>tK2$i7XL|_Gqn7i8$&MwS2ZU
zyNZUdvgfQ($P;7CuuQ}IL^@ndSWsc=;}R!nLMN4`mTi!WWn)ADF@Y@4hi+7MwQssi
z$#^{#)cLl<mId8-dO94Y2ZyEOotKB#k6PnSFU~uQ)jE2^u*js!i2~JC^DzbY&qiQ>
z=vQA|$sWFrt?kX{_hUcyV?VxKBgs~3%+Jn)A;j)`&zXRBxS%|9#wLo7b9g>4>bff{
z^tGYyQ8>=%fjUUDmp}8FPk!Q)1YXw5#dI=Bw4PsHw$@gga<f{?$B%TLH&uOpdXlC3
z<riL@j1OYgEQ9w+05V3QPFaH5KwH4`D6n&m20CE;AQO*<%uadF30^j#W!$z2Cs2tN
zS*TQ)ia}S9zcAq<SU34#cyxSxd~{^3ZR(BhI;nJ!inxaosxj7Cm!&FI5KpvS)pZ>q
z2AEK4*ua>bbs~RCzp{H&@m4vjjT1JlS?YArjwi|WYIfJZIv!0Arb+IKgiXh6RE(rN
z5Mrp*DAh>;a~_?fDy}{h31K(_UHmZf$5Lbt;tWDNL&1g}TWEOloUE^v*Kb_B_ZITL
z0(=soL!zs+m74<rtH8zc>hvGJ+TMq+{(|t-Z?;)oeVeI+7kj4C+FhQ$^?vp4d%4n^
z&DwP(K}CXn#IU5`nPRyV30Dp_q(OES>teqFWYtkggqk~pJrW?C=+Sqd5f-)<MSXKa
z?}WsxHFZ-PWBs-fHCjsUd~bRc&DQ2JB6xf%O!5QUIn`sG194`%&g0%<G*St`%04s;
zKaRfiQSlQSTSZK#jWQrqC*g-4E78$*GDb<kkrh6Txg{KLTNmxq72P3383>mX*j|^)
z=Z1i+iS5B#7#qn<w3njOLUVC48eTs<JeZEg<IyM|W^f!LS_FTmRadX7<-9SEF3Z!!
zM(S)j8XXJ<b=ItSLyV3l1LXPw%^1NNnps5_V60Ttp*Qoiv7b0iMVivC`MCbk%h>Ct
zxwxDcL+4u$2@5ZWkiF>1XhwgoLoI_6T3l|{#6GfoL==x+I66FBcf=@GI?HmM#3&0p
zU(e}O5O2q#g=uMHRa4KG3wz!TieZ)zchP<HY}+<cNV=>@z6$7f6`GhH(IE%!LlY+|
zaH8gZ*BR2Yu5G7uAMhKq8U!b14k3><Qp%>OiQ0`v<F0K6A@6+K2A3#7_ql}lE~~22
zG!3Er!-Ls$I`w(ctSZ_Naj9{V@<iXbelw##Sep&<BroU-&+wr3&xrllkNwz>{rDv}
z`1CgGlrGWq2)BAd?eXb}QZ>?a96_Tj%`=xTs%34%WHLn=b-5xMKv>Ro?P7jO597A&
z-aI?IxV&5~SM)%wTT_)~un;p_)6v8Dg}ZkGJS~#8Ev+&1q_=S8f$NQnrha*n<tngM
z>A4}0O&B1+tb1*`rn7U?&AVVsYx~emQ>`F+$67q0B=p|Fqz|pV96ALiy?2+3g)s&u
zcc~r>MoCI=0!BAl&Z`D}y(~rk58-(qYm3liOX4ZLg9Cpm_>n(@fMfL#0X#e=hz8@e
zm4o|t@BPTH`^>F-x9I$6P9S}di796@&U4Q4STcqaON=D#EoBJF3>dr3<gtU}cbTvT
z&A7}vwh`=I#UA%S4<aeWkauLzUCbde?!`GkqJitLWh4Du&-;&fVFaJP2hKh=m~tq7
ztWhCoJ|g6Hx+<mXG%^R^@)E6$ATg1#G)@;>NCT_J5Y;VFdIBAn!qu{XzC;l5KHux#
zBj}A%pr=nU*6urNm+RHCTpimfoQa|UM?6Wg>NPbxcbr}~A0xu9kUao8<Tv0yJxGj=
znY;FhzFHsEGO&T{kACZziNIX6yTbiNW3?o{B5qO!sew!x?43kX7z@QcIv}FQRN&rr
zG;K@ib7HD()0h|n6_G0FS?mtrL@bYHqgyv_+`e}0=wO2Sy~>pE39F@O%Z`<VUQ-#I
zExno7rJ`v@Tv=L8cpOb9iA-2WcL_x7aN%!Evq6lMr5|A70t`eYEFsprs8Ew{OlMql
z_(69KveBd-th#lzF6-6>o#um_b&__B7btVnj=uZo^m0DGadbrZ{Cv3_PsZR>SuvWi
z#cI=-wyes=)GAF5G))Gye-Lw~i9zi8^7LY5H`!sHr31S0k=}p~SURYLIJVZRUt<A%
z6ksZS6gBsl({d})=~tY@HY6ZA)uKM%d&@>LM%&5Ktf}jisB@C8mth8zS@p>Jx~!Np
zzIAlk2<X%KP18&(ZM$||R!!$d*Y6hNvB(EJ&FRqS+dv~dfje($ZwG_H9^CK8e*BUj
zxnwWrh;MtV4wq(sK7MJ8Ot4Q6AjNpS3TwMRAK&nhFMYSXc9(tm9ED;;(?%;mco?G1
z)o@QROwpr}4|OwiRa0$Bf}6TCI+h>bc;k&<{K6NKB#}~;^t^1_SON8Yofeki7V)#=
z;rQ_Q#%Mgnin^5fa5NC(^=1RV56KBn*LG7kZCN%=xggw4d$L}xAsv8Zo^{>2@t3gC
z(H-Gg9ib%O2`?hTMqDlMmqd^aq5QV74<0@k4aYaHT`vZ+Vo(UdOb5k(pTQXA5kbI>
zMF#ZVwH}Im47BR*d|6n`8Vy_Ljy`zDODCgU4^-}!85deE+Tme-?Nf)}dtAH#tim$M
z#@vqx2(hiFjbp50>@u*+mH-g`+G&<DD3Twq*Dk2_s8~v-Hubm(k7V+?GjF}|K%QL?
zK2h-QLz^>;kOu`=*(=b$UaO2=XMbh){`}XlZC#o7Ht|q8!Sz%E*aGWGRHk!}<FN=2
z_DuH82{wR#pg<ptVwUC+knpZc0V)^z2Q1EuzJmhvYYVrpVg)$gT1ECLN5mM7Jv~2r
zaPs(QdYGdR1hX;*nR2o9EA1N%t{jbmf8un%#rO=QBW%^dNXoi8WBf@@*|yPm_w%@2
za9ilY<H=y|iZ5Wg$r#FuS%CmwK%l=2Uu(HBnDPWfk+V#k)cVdl-ZYl`iimG#;_^kG
zkOk{|qL9O)xOwfy{oA*%9nL0$0%@~EewkIktdN?o2YF^|UlCKL4Mar~{OqCjCn7*(
znC=9$&w7Z=TW;#AF3T1D3+)nGGooJfAL2H~Y&PZDVzF4SySD9(gy>l4j$3Zjsy3I4
zb(Ob>ak5?4G@UVtLeKii#pM!#((>$bof9|qU6JY8<bbGmSyi=ht+yBDx^A0148yvj
zPi^XIwOo1w8{FY=M0?W5*=n7|Ly!H#gz#yzNfI4cJ^n(_Ki2GHq*uSfv9k+}m!!|g
zbFj!^y+s#~b8?%9rJ%-%sx7bRlaiz;=*b|4gTbcURCOh|)AT)qFNbcmoD;XGI$L&r
zaE&>Y7<zv`a9r5VC#f{naMKYD2qN8s`~CRX4aM0H9f+CUdIM_?O#IW!Uy?d1`uh0i
zXX1~&AYUD#uJdja{`9-<uRQj9QP_9*_`w75U%Vt=DNvT9tM=c%<^JZm-(R+GXoTsJ
zzjL2|<+CDsko0|&*1~MuD%N;Um|)pet7e&ScTA5yAqUy$z{$F)u^L|2>&=Rz`AuC}
z)-iY*M^!R`xGpfmW(Nl^zWm~~o3}5|&U{<1%aQ=Z`TSzOSm5&lzg(^^=rQc<nqZJT
zhdZ%%2^VDzWT_=9@+5GSNgZ&ajeVp5SJnm{K~I1{fPSu_oQU<?rg2KPL^u}9C4Eqb
z(GUY64$`9=xa<pb+aZD!xF4)QB9LD9cr#*1#h-CggEwVFzWA?m1OmN5>EG8xW55h*
z<~z2QtQ2BSUoRbV4cj=g5&k0hhmE^5thDeMYC559b0o|AlVQcWFa5$7mzNjcb#U-o
zZ-3%i$Y)=9)cx$wn}=r{;2vsVbhm<PgqV?qa=7S8$A<v>v#DFpWIR1T%Bt_pWm~Jw
z{?9@9zQ7)Z(SqAVTE}{wJ^Ef%v?qiX9@H@ETLdGnqxrT!p|AbNlNHS;(T5Ff4mcF5
z;}8qUUIEpEyJ-H-Ld&F}tNZBD<1c^t%Qp^=XM?eHmL^uBwUPp0P{8>T>ju#yQ}hG`
zlp^*_qg^}pO|xi{(_=)a&9`M>9Gl>x_s#4BrTX>?5VqKHK#(%JOrqN&HiX2uR9Nd^
z;(0=__<x)@L=O=ULBJk;+lYuurPZx<O+a9Qv8~@m9`|N8o{;?PV0w6bI6Ih4CzC-6
z9U3sJbx_;Tr@GjvfHoIc+K)%0$@u8n!O<a6)vTBd3-prU4Fp(C+q9dKSzG!|>s*7$
z%QZGeJ3!cWMRT4||E6u~U?U%dD?U*VvzC6jsaH+g1#i#Ji$oU*bn|6JcQ<e8(~05e
ztX*voG8GWEFwD<qvq^^_0L(>|=5(~H)-0Q|)A^-sTGyFOtLb>6Gx}dK9F27hYjd8c
zELSR_dtX!`26-j@(g??5lqd3rZVX&rx$S`7@w6+()@!MvlT}X@VDb+Hk|+`Kwrgaf
zoTVM_iaaHVzu6S?<#M%LqaOz`YnU2z&Dz#3mYb7b{KA~&FMQXlcW&O!6w9zEpoLa(
z(qQ%KV-4=Z^Q86r$LlZqkqGu*y(~X7cv3d{Yp4FFm%k)yr@wB(|J0}D{cL+IbWs1z
zC)Co~zjeNMYWmI{-!<TW<}>mte*4n{{y%(|`nP`(S8f0O^Nmnj?(V$IheKbNBH}I{
zQzGfvZ?vd7bGBTDl2v9ipr@WTY}FNoCDg1vvuy{7zRK{F4Y4FCdsC9$cqP`=(9;$w
z)4u-ZmkFp5%7$a6vvpP0$b;`-7ausPg~17eIGV6cmumP|Yr)&P=CJJ>6xoPieCt@(
zd9=p4mM|q0EFST;u__(=DPxJYuls4OA<ntDn9t8m*T=)gB+OVkjH#GTMq6z{Q_u=K
zqbw{sBw~kT@2br{%ocfQq;r}uo|BzWPAQWHJ8aIy`7bPgYJTuJ3&VTATJYssbscff
zF^bU5!^;PcE>A_4+<Ezak!O!yfB)TIJeAg8|MmAj^Dq3s!_DR&{ru<Nc<mQn_|@P0
zsZV{^Eg{}oUjE$MUpZUDvp?}n5_R!0UMkkOWvqYi<mJx^oqcZc{+UAlGc}IBRKxi$
zBr76rh-yM#>Sb1kHtWiE7wR6x^H%`?odyVYAr)wQ<+1jUYP^WmR^HoeBBTnm#KmZW
ze&1;pMeP5SnWvAzS3I1Zo_^sMU%N58cI)~Lx=!$mR5H^V{_kn3VBw_E+A4O||9l%)
z<znhD%H?q(pyw+BE;qfQ;&$OD>VoiQ9~DjzZm~X|7G6yj|3_yBj2nGi+~VkEZriSm
zt}L={O-VDF5I!7h=(WTRGc2(PnsGHvE3P`*Ik%0#MdLB7@ok=^1k`7<S&<i7M>gsq
zC<_G50jUjblKzsV>G5dB)HH~EGC8_7nN5>opk%5+G=OYF<QGkoXRwx~f4VVkFir9y
z(;0p8`f_>6E*jg(PG|X$ZdV^U2|Q#3-37dAoe>}ktEQtP91il)V0dzNdUk%PA!1Qo
zLzGnxh)(Fi^78WR(aF4O@?t>HmkxyZ(c0QoUDGyoyp9RuX_6$!ol*qUvrH93+Fb^x
zEP6eWGtu`W3q`wt*#PAf4ka2Sft!n%p%GbFT#;k3iP^{GGS=sixp=jFWMm3m!VInP
z^pS~n&8FUzF6zWgqN87uCpt7Na@sD9^?H*!b~HQs;>G&^`rH5atIP6-e$#J0y#GQ<
zM=PMVvK)(KbX7jq;GU*^`ymL_?LpDUfYep)*_rT5l%@RMn@^B^KVZpvSN_DMZ}&6#
zJ95z1{_npfu8{rJrTozw;wR_+qa3>S<N5IZ-lzHDZT{YCv7(8mriBv?I$a$PXf0*Z
z#MajF;kBE?2|bj%s^o1;2qMp|F)QfZh4jEZJyMF@m{8Zmf-eip_4@N)_(fF1tYur|
z7^SpuLWGM=HY^5+rh)LESc4ZR@gaM@$Y6|_W<)Hw1v(s!M`(eqHs$3hYhy00>pvzY
zF4+k0p#A`oaxQGD%0hwT6{4}CaD#p)qd`Y(=}R@jMVltp-BnJXMj!#Z5lekhwC%5C
z-BFvtqYRxRg$psPu900MOMCL(qaQz6j}GqMxXlxB^60(!TW_hdxpCw6uYBnfiSXy2
z|NL8D_~P|zM=uO#w~h<(?%9LS{e5Fs<NH7OJ>vUsGyb`G`{q|3&(k*_z4Atv%-((D
zwauf4+|-JBi37795HxCm0DNNEKBfaZ@ii*<&;8Xiuh}+z@?E=XOsNH8hHH&CKG?nl
z&Q%cF`Cb^YB^!N|Sc|GWAtQmFYm}9J->xcv`4BG^&;X6|ZzS_dY~eKb{ONrQS6l=C
zv~_cOdiwtR4}|A2%hab*WEy5eS(c?m5i7lDctyZ5s@b?+7G^&#8m)@nyPrWygO|W2
z2-s2R7=sE?7Xix{x$L72BZ6sLL(`_LHpDGye!EDk7+N>6J!tqL!Qn(JMcH-hwrv{1
z_E?38iEDToI#YF_afuZHHuKTPp5qf`YzpQ|Cuu@^4&_>Bh_GS}B(fhDLGAy?-kU(%
zm1gB(|8(X%z5519Pb!sEQ&(42H@%E$z}Ohl5M#VBjuXc?!9Z4sokfhp7{F%o1lTN`
z-~?hY1iT=N1tfMb#5Q9yk2Y<n?iy86sWiU%PG|h5?7jc{B$cF^R5)G3J9SHXy6@gI
z{KGll-v771FH!){0jw4P=fx=&@pPD{y?&Av0Ges>DD;p+8T;1cSucZE4&eg4ousLZ
zQm<l&gsc78?r?jsHP|{hC>CYaHOLWiJ{F=ErwLB$te#F=Ydi|xLNB4ITnvGM<F(d`
zN!M7wxV6<Ng4sZPtrnWKRabV4s&0}bWlB{o+C2NJUg_tjjvdR=G%Jc>QJ^eThL;(f
zi=ibJi!w*qtOP}G$fW^?l<>sM;g*CjY25`EX6#Z-3DfNiy|Zu?Es(chmxd-WX^kp$
zDl>@1VE}aA=A2f8$Oi!8jNzaMCj=iv@|2Ln(W;cmZtI?#fAsS9Mg6g-j-7ts%;xE}
zULMPkF~GGs!QR~kwWm||xohHvQ<WoR|7dX}Vfik=1n-EeI2QAV^1EEh$rLI0PnAbm
z;J4zI2=>9@U9|k(-$QTgBXIx5wzW;Zai6^S3{^%FT?MnO09{ef22l+>Ipb8OY1Hqh
zE917)lj*^JS)v-eMTr-5mM20Ff;Sne9MN40!!UgI0`_!(!%>J2&;&#BD?E=?49Gz>
zZObg|K289$JNOln-c_22D4Dg5=^E720Q69IZKFjx$N)3Mam|IEP8!#s#0=JMB2Ym0
z&XA2Jh6aHEM~n6dEGd^vMW2Yh&>zW@9}XZKc-}X4-8Bt_E1Zlk4_7r9zhfa9!IPHO
z%QiAb+D5gVm>#$*VzSN8ZFiA8_P)ngj%`#sTUReX!={TBUdqiCOl8)UpO+1b_MW|#
zY_s~>g!7q}*PcH2`~T)=a<@=BA9<ed=;!qd-#`8FMD?E9nogUpKslfmRp2pna@qq}
zByTAseY0SEdY9DwtHS!bqW_x=^x(X;OoC%=0JMol0+d%)q+QgS*ifmeI7C`xxatj+
z#G>uh&58&YB1TVP7Yq~1*W<;YXun@B2?!oY@5`!K(yu{ZUU(^tzA%<(txGW!#GHE7
znWk&1wpLYz_O9fQgjwPkWls%}r8EjZ!MRJ+d_gcz5t|fCQU?M;WcF~XB8TooE(}#?
z8>8DA3ofh0!kRWy(Mr*0<Y`=6(-9n9^8G1PA({*9D8|B8x;pKMhNKY7ww=MWJu=iJ
z4*@0NQAU~Us;Y_%#y9O0&0dk9&hQ@Q5@vc-yP}!wM9SkHTpk2AIg*-4!V`nLu>KTV
zfXbO04n_cG(c?8jXD9;!i1m6@ZH&fi<JHyOovq1aR@H6SajK(8xF15B#&W-$&KDEd
zUn13_Y9OGRFG`u@Gl)CpHH6U6tPuue(D)j4Z?K|$QNoQt8$YX{lRKlKuh&LH*s|WB
zUu0RH$7uwU8tx-iHOG1xm;ziFm@auvv^&JmXyrw5oLCCAdRpZ$NS`utS=zjuko-^u
ziG}I~YQ`X!DGs$v;f4b@j5La32+6vph9GKnbrmanL<H^EYFjt$>dJUD8vn+V&s^Er
zMKcHIFPy)){lx6d>N<=EYnmW;ik!T6ZSEGfKQR)YG`OLk8xk8#@tYqw+K#rj@>W`3
zTYqP$0`Kh~6==RyH|U)MeV1OF9Jx*3!zPtK^)UO$FEefEL5qkD-CjLc#GhbZ0PZM_
zxwN%i?avx*E?2WDfUSlBJlB-u2V5OTfXFb{h7Uz_fF~ArEYdWynEf<K62qgntZRUH
zQKnQc!R&owQ=W_g6r_3TC4l-A=>vn-$!D)^?X`26^x-Ye4!E*$vF5POZ|16n3Hg0u
z`lFgWqELeJhf0n&Q2-A$kw|#vgvAK<BSex6X#xNb(eJXU<E)2rBL2|G72*<9K;Z#7
z9O^Z53KI~T5Z~K%PEVV1sN=PLU8e2MwJT0HYQHKL#sN;)-oE<GM|q;A^DClgXL{@R
zp8B;xlvQQzqlmGUkG*th>+-)Io7F{?^apEQQh#jgxm?98U0KfyHJ7?<Jwtz8Ep!X$
zlOh#y=&0&nNsxM3AiDhHR{VdfEX@s4O(^yZ$ev1~9r<JtRf5?Ttp;4=ed<^h*!gHV
zg`G?g42!S@NtC;wJ;Q^J4J~>QXNuCS1P=s{IHsSW-845OUMbnKtd_ol*f>;HGJu=I
z-T=i52mKhnX&r=;4q^?5OmtK%vbZ$B(Xpw;MFxh84A#Mj!@sZq11$sM7!^(xUkch|
zNh=zm2>{G8##JYV4yh<)goNy_ZtJRnzab(RjYqzZswvX=QtNrw0H&3eCB`RRry{8Z
zZ>4B;gUFt<G*Vd<0irjRX1c|ASCFkT91v~DaFsxiJX76P6$*W3UCbjdV#K#F&jcDc
z3#zPjSOnq)!1PS09O6)zUlICCz_~=7#y~2}F$@|c9J*jBip)y#Zo@(i=(}t%$osvb
z$b0?tU~hl1&;agH2}ov~jeF7N*;8%Ie&@G-qq#oY?lrd5vEyi^T*Ls|+p6ZZ!TAgk
zfo>u02|=LK6v!1tC}G|>b^3kpd*VH3?rSE~7oPoCqq|DO9iYQ(I$pP?5y0TDUXt=<
zNh~AZU{s%lKRnq^!8<5J74(phxg(a$`Y>ft3V&IfVFNu4x{eClF$V#y#;MdC-qaM~
zc@L3ce{Bp+i(?^4u-7bG9gXY#y%(Q*x^1gd_n*#s{r&y@wuR??VsV*|VmFFP-_@CW
zPOIVXz>MzE_U_pBHT$)R|BUhN?|*pTU2l(Y;#+j<9Q#*0?lZ>X&R(mI()RbToqoiw
zo#5AA3~6|L_FIoOk^o&1FynK#s;kTM*)D0EG_kZ%+yXok5l=)Mr<nB=HUlskMcQ=u
zXjWWn!vU{HsS}0)m@j&99QTt3p4uzpm9*&1%0(-ijrFzl)p6tiQ&?%?c@B?M5lc17
z3MbOIKPqw&4Kw6LuzY)G@7k4%!k8560%XW5W0nmugp=qLB!Zu1@M*$yH=G(J2$3~z
znUh51g-=_gkEl3RQQWm%RnC(HWerh@AIm6V4~kS-pgm;p62*#2?^>$iB#a|bjKxU6
z-CfNRHJEer%+5TUwyN=IBOOnx$>RCyDHgNVwSq%L;<hFip&4UnI8nr+UmHJVY%m%e
zKXr0_7@4$+*<v7hlJ?4yO)mRMtJ;=86lEw6i&qIxBM5T0JaT>D$oNAq+e1%UaYGqD
z6n2J^Qn8Eymc_G9>QGcm9~DG@0|ZUJQCeXKGozt<MHiN3up*Uc&qPyNl0~Q%!UdU5
zAL>*?$t_wpq0)Ma9IT<RQByU%TxbX!xaMdmB`F?J5<1p|00UcD#7VEe(jSb`CK#d{
zWNt*9X98LMF*%OGNb5|4^`BVsX|ZcbDKQj+cn4!EcF<2Y=<55hU_g$iQG^RODCQHy
z7SV;)YNK1M%9KKE3<fJyn4vtct(n&KY+jnqB-Y1TyE3UL9%ik?%I`Em{X{7j<)StV
z-gt^?V2HpmVp^cUVok#!_OM2yU}jl0&^{@qxFJx$T4^L70Z?TCRTX-yAtNoqasgZc
z!$>PEiLpaE)Us{?!7uWhOsJ=Tn1D)6;cGrijp+m21#BI~31;rKhqwi1<0zBGsMlK=
zEhf_^w|=vmw%6uc5PHGTw=)ZI7_G=K2LU;pKrhcmg=xDeiU-3L=<(yHPA5g4X6a+^
zec}^8@PTm_Up@Ei)}<Hq;(%o_RrETlzwpq|fv=aO$VQTwc9+l!!rK@<-4v-{+OSwe
z+$v<#<DwiExvFrPFeR;kI7nba@D3V6dJOiA$LWkzI`j;Ndy<A0hRGeJa1sTy0Q6@9
zA*GU;a}b?vUAgpo&s=<FPmfPN#>X3V4fipn;)uq+qu2w>e<4CUQp-8oj<&b)_M=zr
zsf7PGCvPIfpV@KW_2LoT{w=-zi!JwozWbuho4p2b|A($Pa}<%i@y(xnh#fn_0Nk@+
z#flcJ@ThB8#{tQE%#Q(F>by5(1Bp}^RQB$S<16F!-s-SKL;5=HB}qSZ6+9qak)^_^
z#1*+rCHGmP`dN-fqn*v-Vr9I>czU(jnVJ2O?<Fn3b?pFI8{5>)bT(f<cI?zBJIxE+
z7l4r%*X`R*mu?}uDW+!Q)JUY`B(B3%cjVeI6eg5`B!7c>5=?I_IgxU_6u=SMAm<xU
zG9ZE^7jf3@ACw0NMV1)@&vfrPEj=v-phYTxE*><~C04R_xWECpkV$AK_*G&Bx29H(
zQ2@eATP+%_`->Q21qZOR;T=W^F;Zy&e;~)D^CA*$gsTtPa4_nf7>?F^aT+t9OFvBD
zi`F<@PF(GM%K>QF2-R`W)R#LMibt6RScEhfdrMY6Q~`TZbVta9vM?B+$)y#L=Ru4T
z^PVJB;~ZwrA+FLAZ4C&CBYB=k;HVgbAgbZMWkxc}`a-i<+6S&6=#bI#ER_37`aS;3
zpl=pKm3dFG6-pOoLJj)^abnZ?L3*uri!Ih}`>2Gt!tew$^(>V(6Q=H14f|}NVZG2W
zgyO!!{X!4`Eteu=LSUvAMb7~!bIgdNOpomZIUb<25Y}WOy9^u4I&G;^mTF`XTjOa<
z=sD69#kPjn0L9<Yq74x_z{8lk4HYZE|0#MI!{?jMO!9d-pIel`X-i|`EQe?*&9YeX
zBFpn$zk{=iibboE#@2NUN0qqN6T^73q^Alk)>+$h-C|Kf{MVLAmS?(G=-j7TM9N5o
z^p_SQ3c%D@I&I)86%Iq}E@Gj;C=H>TC6+qYMFf%)!G0NaBC!aK$=d;mLNH!?N?8>{
zFzI3+#c`gdXp7q$u8!9E=h|^GxcbtSVB`k<zq_*o`yJst6_fqFI8GjZ;(f<YZdO&9
zX8HQYF+kEQYby!*&}J)x)jX2*d|yg+-|-XrK&=ikxJ5v)1f67X$%6IbB+Ie_iTFvR
zkl9am7cPoC>Y}1)H5||^hbb!Yd*Ukz%Hw0w0e;i)2*A7a2KFks#vdT)M3O%2Ax4J<
zqdDv_VTwgE$pnjW4TpEow@us4C)3?47yj_l-bbopckKxnMHO_Tt~Q1P5i1`xNJB$j
zP|Q)RwL1d$N88c%Hs1C$`_>oCFYJrYT;TviesAjj?XKH9lDdCuZwt%5>74oSzWDSN
z07>jO4&2Z0xycce>fW{}_M2z<AN)#Sa69XlbY5EVCgeam;vS3GNWLDkxact{WM8Op
zl=Ow{Aqe3^D^IR$<XPH7yaV`Qj0r^7MKOR{doVeu(22@)T{)|!`)v(aVek3tMItv&
z92>8WQT|UbJ3CN{_ls0FdN!Xnx{ZrC>*XkS7l}Mki&m2$A%_l+Fq0|S9RwBc?_jL>
zLkbGQc7p}OLP?_kyS7_QXZ`*_bHq&;%V+?zoks474Ej54nGruM`E;a98R7?MlAv;K
z05~B-$e`6Ok*^V)i9=XTd0D{}a)A^e2-|glE4!wfPY(c}_5kHYDYR;>bu*oAP4=(U
zliD>=Bn}xe7;ps9^pFZQ2*+c;y!xO}j{z8IL^@0MtRC<Vi|Ha9IZ7dCMnG=~OBrl~
zs{L@8$jA^Z$ZZOeoM8qKqKvrgwJPtBj-q3&BWWPWpj5mF!tHoAiYOsW<`C~7TM8?f
zQJ^2Lmd7d2G70fmQdGx=(Pk0zm=6w29U;?$H+ZIKdj&_Jgnf`g!A@u!QlUYPHJl~t
zMMki5rxc_08gl&-(pnY8C;+Kckm^UqG!}f2T@#{t*Fi+3twzmwOHOB4ON$kn82CXi
zbjU@qD1wCRIpjhcD-@qklUQX%1gJDYg4rm|_oUj}KUh>%gwn7D%ODmriQsvbq<NvK
zGPYXGC;Ko88m#noD%jl~&M!Dv1IRvt!#7<8`z@2jqDqrR3<p$r;^?oY5|nOIp`w5!
zB9TuoBT1hKt1YxNMN1XX9fq8;Fs<KVKp-)g<P0L2&U6?&dmD@bAa;*%RUnSjf(yXy
z(I@@!PkGN{kCoFowl(ss#Y-<;h8Ed8af(TG_4;*~6ZhSJ|FILtp|P5_t?MSuv(7+7
zq@yIMJ6+ADQ8R;ItgeiUVPCnHxkf_x7)2cwDGyK;bKuB20S*EYQ-s1f7;JawGK&UM
zxJu^W(F;*@j775OpN6`l5aA%ohjHv04lx`?IGAFG_=S<}1lF2!!v8SeY!5!5WE(Rr
zSyeXmbTYp-=`QXsp4-~Haxj}&)kH<3U8A9Q1dIz2rO*sQ5_6AZWe(o%1U~}zN88c%
z_TEa%es<UW%051%j(8n!qh9;z9mMoUz4qoee%~W(ble|YC(&<9Zmn2wi2P;DiF3-}
zk~BE3i>ow_a-~kJ9ed!x2Ud@*0}z@XOzL_*>JL^1D*%h}`CoT+HHAl|_qyT^l|z_K
zhP|lQn>FplgDou*)#J@>1rT?5Y|K@Z<VkPTv)ltdsF57e`9vXt<;YQJ>IQ&?4;u8r
zQ;NGoc^7|Jm3auh`Rxo*PqYi7i{K|M>6=8vxnR!DX4Bz(Xq40_oM}v3HOSnEyi9$_
z10PzLA}aJe1V5bE{7YJ}C-+SHXF_G6#O+3%7X)^aXcR*9hog-XC&vAiW?El;>FU<*
zPC1{qbvfPbZ5}_KY#b8+f~}pG&F*xz?;91%Jk7OkZB^>dkd}x+pD{|4TQ04LoWH@Y
z=b<>3iVfiv@Ch2o`lZDacA~{gv(Pi-x(evV#a1apaGZtQJ_{wu055yJeEs;!cr@-x
z)|GNmK`XYH+=r+duzQ@yEL8w(lSCw`O~xkfi#QT-!P1<inTJ2Ko=<WM;5g3BQ1MZj
zTEkZ-qLg;F!x{{1T!(3PI4wiL5nc!SR{5@K(3%*nRhI?Ce5sSTtQSDei;}TdC`6x9
zx}Fqqf-kKn_6v$qA|(su**)zl6iXAe-w1Ts@+{&Wh0sx^5%6x3#00A)DyH{`Nil*6
z0pkxKFJ}i$Ro9D!)vaVMLhI!;O;pi?FC}fK6V}GAj%^van!-92gxPWD<cJGUyKbrk
zS4?nWXEA4oOq-zE?<Mj?QgU*Qp<&Y$uymdlSsFvEfx_{r!eRkWLjB0$hY^Dz%yQKV
z>x8B36a~Ewqf`vo;R{KWLi{6mETc5Z0C{uFtUEZs+WPUe)nhcU5h9<w?;(hFBALKD
zr%s)1wMLr&hZPUVW@oZ%4TLukDv4Obh)SFVoGwwrHt9i#Vq?KlXj?chh9&Z80mA@S
zP#k=MqbQ9>QwWqVl83Gp7>}V)jl;1`MHqq{w<u>L@iUog70O0Qn7B?Th+R9%IyeY6
zJwSPzDELaj3`y0ui}~!}^49e~Jb&%nes|3z*IBW{j=^<hi%PM|ML82OiE=_8!ai{c
zfdrgrUB|zz)N)`(j3X|WzRS07(AG2K;W3#CR!9un@3=kU=!2OtJIat9ZST0PIbz}*
z_1e32^JgAon`hbHHDpiFlK)agyX*427z_qj3K_@4;Rq0I+u9SG$4{KvDDq-uWd)$s
ze6}d9Ud-#+q<l$V;ec=AB+b*P56G}5WNcl7_B||yP@$WaS!c%vpPw>Hc9Ym~!1=KS
zY?-Ll^;HAFQ`^aGT2&3E&z!9%i>ueJ?(NU#HCoBiLyYq2sF4nMT@dlu`9ryvfW+^-
zOj?M*A1oq06mSs|kX!<f#<pB6%DIn{j(mx_rtw+}m53CuiS$das36tO+)^cm@H2)#
znza5=&;+?2UL+1N6s6G#gp%)V3y3z3H;<iq^u3R+uB`1`-JQ?s-RVBckD#Q#X}g~B
zD@LX!5=|0yT&5i#7yXTuH8{qu*<RFhYfzMsd}@PMr`B<ee00xmsgIQ;??^Ouq_6;#
zF>I+mqTmgzq(J2rg+LyG0bss5%>iR7YZQV*7b}r)k;N(-XB(&ElerweIH*cFGUE+s
z5tbC9H<W|1F9xm{vSQdJg-@fdCtWO2<P?B%EFl1J@B`*TF@KF@pMrJqz*Rn1C)A|{
zJNHpnU*Y6sCM+xZeK|<#xo;-dSceV<4zWHaQ&ATOS4EJEh4|cu?7YNP2#MvFWHUwi
ze1%Ei(9Oo9KDx5pDgl5qLM|5SP7>OdL}Nj}S!-2TmLc<78OJJ$u)SbMQKYgsOQQ^q
z3kVnDtNq>mYnQIf4)&OXaV~qkqL=43MwHBS(=@ZL-j7)|Oj(zUMXO=R!~Wq4F&T{Y
zqZB3@^j&L(HyR@g81VEth+{PLHA(P5%n;)WPm*BdR201erc)n|H6COu!yW*Bv|K}i
zxDB#Bk{!DABJaqvrR@VQa4}Tki4!zvqh=E_MHzeax`Jk_I}NRk;V6}@kQ)RR5!4MX
zMq#%J-gIq;6%DS{9ZY3ib#>Ds5zAWz!5!dZ59jSsm@;B9Oi?Ga_7LS|3PUbz1GtAQ
zH)sT8twE3@;Nvm6T!jg(&=HSRN|%!i$wpFA-=H=xT#CjZPs9*P7}6br7*|>=eU~tZ
zyId(->-b`ScH!dnXJ5K@VNso5@LgYY*=W(px`P>m#<(I9<f4^WXh8Jqg{xxN9LV4g
zf!5n9bHADJAAUkTnDOQgYYzDLK=H4C&ivSQ_l2ACYwj0Qa~E)*2=?^Cf8mp+IZBls
zZAaVDcC@`Swyf|c&hRIHgORh3)}53NV6K#6eQouzC*B8mpspJwV|a6CYxiJ(Vw7Ww
zSI^YbgK5>)y4C<ry+$g<uoyi2&_kQUVO}I$+OE@GQ(HtrsRaBpt$Jy1?bs$j2$QHd
z<$JTe#+X?(-`cINZe2T=Ov|!b%*z&q`^*SHO_t07dp8=D4TS)_M6?u)LnPMvNdn$C
z-CAEs=skdb5<_=@;GF^BiKeH32Q9$sYAVt`oUZFy-@&yY9`R93Zo4XY9!Vm;9H#Jt
zrXRBC1&fk61^|XaC4l2}gus^MUnsAJUqHG9AQ2rcCV<}B?XKCET`9B^MgRaqRmPTa
zKpz$v`vC2nP1+I=^s$vbDt;KWOX{kyh=L&pGUHvH0z$$Rv~*M&;K^Ky1@=7F00X3}
zGudJxA`)g2$KVxPo?;Bb6lo2`$hFBhiz1sO4!R`CM4F-mYL-n`R(4ibRa#6Pn>r1s
zQN%HiF;CAD1>p*WM>0mX4782{Kt!0x2dmk`CO|d@iI9X^U@A!#EX|_Tv9znHoii(j
z{nfK)9xO)5wd>D3{~vyB`qE`)bdtnHmLMl4QA~N%Y(e8=j`-f8I6X0m(C+|g+X72B
zCAqy?5<Wp?RgYB)UI`zlLt0W68!;}D(H-gh7?RE;O-4z=nS?K?tk`<f>5@0lumERw
zc6ZLdc>cK;o-Y@(B37f(fFvw=ZM(g4E@32?hS|0cBY$HIy(lL0$)aft#SQ?D;h-*N
zi0oljK+8KK&oeAJL8&G@54b>!(xaL+4NC1$xo0w)rSUw;@_wGqS8{V49d3&}2Y5<t
z8EOkcRO5r!15OA>!yT|QKy_MW5;&MiG*&8HN%DZ^73m9MV|wgf=pu!rC<>O5erAcO
z=Fxt)g9yfPOKLO`20XZXMC2G`U^%dgp_4kSIpI7_(_k$?#442_^##@IDO=B$!xMYZ
zQN=QzIMv3J0|7-W&`0QI$Fb?)x2;H+M`=_+Ltnz1wu9Y6gC@|K5E?c0?*9Jy-RUz|
z7te0j*BjBPjV6w9iD8D7%vgvIV^-xbI<-fS<0MVGw%*>}E$=@D_ZgZ>M8$*q%G>A$
z4nwJstgl%A6+~@<^vzJQwV1EPci+i@#ub1gY=5*JZAaVD_RiT(J>>hVY;nK?XNBMo
zJmA}=nI234dF<}*l?!-E8Wgw&FmMsk8$7nV7M)HaNmLZnh!#9gS(a4Jl-v7tHOq?P
z#EH!)RR9vAIMHczFkMXAuCCf<W-3#ci?XiEXgjJFrBbL{-ZZ+dN`UeJ*5K*8xw+XN
z3;}&yyT1GM^XIfNks<~=;&khRk(KlQrcnEmmU9Qn=Yc=(3C%41g%qB$ZCf~x2pyV8
zvEPQ$I?b>|FJVinJ|_&tMNoL>js!Lkz7zKbIqXF7Q0Q)H39nFfrXU@e2n%kVs+m{-
zsMheC2u*oqQ^OT#j{5!)CT5Ggsx;;@i7H?LNB0Jp(mXieG2_|_O^!=g<AAz~MW;fZ
zKDfm?@@4W|B26D4P!!vw*X5fm%J3CuUM3C@AzFjw0N<lHS5ac}fzF2_jaU}(EVgOf
zCDOtxRVGs$LA*j-1aJ$0PlUu5j(J{^O(l*p9^H~6e~`h1Q!#M%aKgy40lXKouBa0e
z)eu@WmrFL?8;#OodOYd!`QGBp=6#Pp@)%P#5%tc+r>2*#!0?h>rbtXtDe9z0USZ}o
z@<PK9H70~vR8mQ2qzIaa8i#;v1y%H7_MXr!B2j846k<f?2ggMmtWCg098N-#@M#`2
zTY?pmna}6CGSJ{vx!6BAXgegDr>sCqewMayEwipMuC-2i(~tNH@^jLR@t$$h3QNxc
zxzoCl)3&PwON5B9<P#2p9%?WUTa7D54kHXtYOFU(C-7`3j*9?ZmoQ~&h&<<M?BXnk
z!x$77Jxs%j(DGOb;UpQ~hJ_h&UX#Rh;m{C>*b!M{cNv(!O$$RFKO)Frnw-7h>ttVq
zoOguxjKW1^&5(1e<HS&h#)5N;(XtGJY?f!KXcAsEO2MrGLycHrc`jBXr(zj#c>^K4
z6b7Jw1fc+~JqRAuP(4+H3$(4p8VeDoI45gq^zAY{HaOI5f;_V(VW?9N-LYufskM{I
z!NsdvAHBN$;-cL%$-d1NB5!r%vE)5L;U(dE5$5bQlhAGul%X<~>8jH0O{UXDJx+#5
zy+;vJtk8a2aqeHs?IQg4)wQC{Qb_pdVfgOd`0IG*Xgk`Dwzt!E|D){qY4-d+iOV20
zJ&G_#zO%DaRy6?nrs>FH2I&F_j#^}sM;w4(N-`!$76HT^#cDVj6ocNpnw#0gnzjWL
zwhs?fH*YId<fYbEcXnni%FZNKtRn4Kx3wm`?9+6xdHgs$iTC#>0C$e9A3L$Ww%YIa
z2ZK(#McJw-BAF0J1ZENNIu@#8DJ-g9Vruaa?c5IT9m%M>umf~N0_+zFg_<iKZEu+A
zEW%YsK2C;|R64Yx4F$A(skMo88?k(166qH)5JWw^i;`?mB!z8lTQ=l$iNC`<u(Qxc
zfMwRR{LFAv40}=S7wMp8@x*xD0h)2HHqD}DHmW+@0YFaOrn&?CJz^2Va)G9cx|-Y0
zK&!IG0myZE?KYsVe1v&-XnjEQDoKz~ltd!UVnFJH&2Dg#<$WGUK2t1?eHH<52Xx8O
zNJlYGq)8GRC!to8qgV(DZ3_CEgxU!tV(ynOgCs`51BokXqB%LtuF972hDq&Mt9jLl
zMI*~rlr67nRyJ5D)6H14)0mpgTyC1aD2o(Zi3`(IrCwBk<L#ocb;E+`6Ch?K5&(&z
zK2~BKETVAKj9270;9RgU!p`u)c84k-u*MPw0wQCq-4sT-$fDobQdM7&T^5W1Px=WI
z%?6t@f<VFt$^5o$ysn*qDNxr{oTX<Ue&qP6lh6eeuQ=Z|b=~mBqQ;MDMZ!^pF_XS)
zGsCmosX6SUru7T$+ph8pK#dU+=HVkSEo`f8)gd1TO@|qlDWi5KmeK+&#tbqR)}m-9
zjC{0m1=MM%Zrfr7Dq(q{=$g@vi-$!55;LNCKqe2882yCcG4<|op#a7@PHPzWC`1H-
zZH!_$5~X!wH2hMIs4-+zjJ9GN$x#pu0q{34#SAiyJoHX1VEm!aSA-WPi1_0bu8Ltf
zFC$J6#!5@wPDTn%GIRmlLr9a!E(1j3ECs$>0QaG~I=EAy(j^vn1GsNvYhvkZ12>b&
zx$6fz)B5_s<kHUkf{!ac=2)D9yLPS#CDIUYK&YBJEGdTg3L+^BO+a?W5L92edhOiB
zwO*vwAk<|cynFZQ+y{q`T)xJ~QgH<M-mzO{*=?GGN7Uz|?Pz;@Z=-d8;tYHCBZ1w5
z;v^_!4v^VYRf)bllupAXb8#aT#A)pwlcQEpl@_|^xK`+ysdf&w_1<nTO8^-?d+DMU
zEbir2$;Q}44M5Ki*H#BAABi-TvTEw-!2uwMjq%FK6DK02hQ;98we2iMz)@o9UgzMk
zE<`WS55xgJ|4Ah;Jd?;4hr7e_+8dbuc5qLYyFvFI-BJls5X%>155VzQ_e-fzM`ARb
z%&t6HdHF+WoFFgG4@=i5uZWT?=&6&bes7rP`K&&ue5v7-$(jkX+nANLTB%AcN<MYS
zU2d)B25Ch_f3ViiGAa7=gRY$~0P>_-X4>nr#*cT_C0Wa}Hd<wBgUJ|k^ReQ+$fo@+
zUgH4e^OP3_&r%;}DBTFJ4Abx(V8VEmsy^UE)a6eEPo<B!jTl_2!vzK&bT7jrJ>X>F
zkUt|G=G_q|8RBna)gqbJYSIU70nt{fE?o^+d~Tacw5>X5_^flLg)qfdbJt9HJLTPi
z>zZ{X2Tb3!+$gIH#xmWH+M%}5)KrUds^?ed&F-{cWY>4k?O)#^7g*zTg9fmXB*h@%
zLN!P*H-e_68d4IicT^4O_|iiYaiGI2EJqr+qU0~b9n#;V&F@1s1oU&V9351)K)p$#
zJpfqosu5rl3Kco@)NpveQgA4M#1_jlYSYzC-OgJ-gP5$TQtk#>1c8$7y8d{P3@6#z
zWPe^aoo2e`x`8H-q9{)x0*EPFiVnYkoHdR$T=_yjRjhrD6#8$eB+iRG&+=Z3)v!sV
z<S-Y#elLnMtdT&tiv)QVgmNTmyjzqyl2m%KEP*wgY{!VgZgE}8XhT=fb`2Jdz@DN6
zt6oKd6%z_6PPnvzCJ}(~EjkexPT>L?sWHm$3xOni?jmmBg*CN!G`Lluc&x;$gW+vS
zJQvM_(cPAz0YwrAsv8AkINR`?q2*(k;8aKADENkWk3tz1io6k3`UcBExQ5WFs+&vK
zCl|J+AHBMJVY}Jw)ZB{Nu2yQ;TA0T*oD76&F<!L6Ko)JcWsR159*0%iLPQbNiPAVZ
z|H65uTi59iyywAn=s#Kxde?z_@(yEHTmP|ze<fAvNU#g_$1}MfaduzIGs!efWVn6p
z8}>@JM5j{zXu(e=>}1M&SenCHhwLM`#>)-+gSlJ$M<yXXnDYlReqV}35&7W>Of<XF
z`j;C2<lMi>6X+{;G6^fh!I*??b$<U2wMS^K5A^xz6q<sc$@niHxS!q*R&>bbf_H3C
zQ6?thZPDF|!m9|TiMI}e+A_F=dr%*LDCZC7&?bB%W<5Gq=TWxua^qj9{6}A5?7>;V
zSH$7!6ZHFzW;@+$93BS1P%Vc_uzPv2_N{x3COt(>8tTsBKyYHyI||L;Q!KAyJ!Uys
z&cJDxmhE-e1(zDUkoG@LT(lCg$9rNkVW;Wp(B9CqIn06%NA)u$9{tTvF=+74E&CdF
z{?gs{`QC!V*q}j$wfH}H#cg+Q_TB*91nm#K&=J2_Qm<WXeEsHT3N+OF`r=H=jwg3%
zwC75HvGMQZJNv1JeBSeQ8GtK2XVI`x0xpDSoz~iQfI?J+yyljK#NlTooG6iI1y`zU
z>Q1tnwJ+^oX}VHZ^G<hhj#?l6!LaD{>#B}Yo~+(iRrRPhNRot0fEAI^-F4#tX{?RL
zMUonAN5#Mn(Q|k)nE}QCJQQUG;DjQ}0sVA<Feu2Nbgk!0kEY;KbT?QZFakd5G2JMM
zRf9AVOhzgh#b|qJItd5{(~Rg(<;eMp2WwkT%pW44P>M0|a)_D}P$IdI8kA;tim(Hq
zSX8Y<=89`kSf9f+TBfS5I%uaIe0R#ynN&I-4OWgla3&x2QM!-0N(w-AooU-7>H4Sk
z$7|0GH{Ecs|DJ)}tP)uy*?^~s>lH3bO;6gK%UH@J6?x8*h)Lm*N(@*Da4mUUA^(~!
zeXOul6Zuq}tgvoa_NtCW9r9-kp!vq|)(gN}t@f4nSWTgQ*NLX~b!F?8BP1;Oe8LwK
zS<g8Pm}bVCQnr<!H@;~dj+54Um@O@14ZUFR8oh_0DXJo}>rUp)zBg&ZqJ`;N(*bge
zW|uAla_;=x$cBl?X|#-`B(6la;KOwTiaXGI3Ods{$_ZoU9XppD2A&R;LqxE4A`uy)
zZN*Vg4fVl27rV|;B}VWe#(qWcAH<Nn2)~M)$dUS<C21O`nNSM(BSh(NNS$v0DYs74
zw4ee}9K;e5i7KXU+V!e_pl%v%s@AZsk{YnI#v)M!@tCo0J6$zRRW((MmE4R-IEg~?
zdW=XORU)%Ag9((O4o#NC5E$@Yk)~;1O0@BERAs@Jv@A|yLk#_wNe!se9wT!KZczIQ
z#->5XXbmUcc2w1ZI9eqclUUmhu^_5|N|f4hv?6AgOH;vS3?MT#7TP{wXpCmMOvhfQ
zaKrTI<^Xp96_!TONKV2>kb6VtNPgFnL@<LsP#{mydE=r4y6a-v-xJfH3?@Q#1SjTB
z3c-RY7me9z_4zA1zklxXi~IF%#}_uQIJ^=Ex1$DE99WbiCkz8v?x0fyI!-v{8m3Wk
ztHD4K1!<v;u+8z__VmY|wOT{_7LUDWm_^>`cOAGF1oeJy&;8-tzY>85y7s`Z_T!h$
zU5okOen39f;{gJ~DExnS+&?&PZ^N>mG!UP&#y>a|08>Va$(OG+0B+dT{z5H&d*Xj_
z-~H~?|B=J5PaBCpyC$CKaR3u5iq;8VegXi408hZ7e|FdXyV*US0379O&d5|Om5`y=
z{+EmPUvA&*9surtW>tLlDhEitj^2sO_y5f<++Fd9_xJgCy+^rQ<dn~(FFV&iwIcqH
z$9X_qH#TU`XG{Ne&)L@x<~CyfCs+9Atcpi_{6x%0(e3L$l|@*5zV;v9_y2a+0SdqM
zx6qQ`{GfuCbcZMK<JaAHUwk#h2V?ciPorGASsK=3SoO8fnWxKFJ7*X<-}rz`M9AX7
zQ;Yq>3l`4j#?XRG_}p~?xb_6W#M?mzDLL-ah5RyI$ocw@Y;=8a$Uig|pSB|IPf;B!
zdAX4*bRx{n%M@4q{GR*ugL{;RhjH>P4@!t$^kE$JJ5&Ev&zc*x`Y_%;3mRcfd_o@^
zVL**=t@S^(4dDLGUSrJJSKco_WrRl$AtiL*mpyGhwz$V;{FEX8Gi&0H4+KOYaQBE_
zKI~x1Kr3Bo{2wg*&+WS3oVe*bQ8A3)|ESxz&%OAxLq!r?;>S`y60yWY7E%B#mc^xL
z|KtD#CrO?cPIr-KE5kn8%j~v7`kd)@QI3)<+T2W|Y-Kz;as1e5xYEp<-K$qK8QpjM
zq*+v538>I^xspXHoKLv~aI~?qT13fYK8aN_%yU%ewnjUH%l{<On5aYw5sX+V|9X>a
zN~M1Y1_EXIW%G?K<uZL>5>uyIhcYavj1nt`SIkkq!=vK*(hig~E^*R0cj)Enm)5O>
za4-{Tya0qQW8@1j%34j5-Y_mjK8XeLR3gkOqkKBoE=jUN_V44P(<1Ff%w=n7?qjhs
ziXM8<jt5oDYH3_7R0>~dWi66=tke9$IQLlur?M*eYAi>9`4ZX0a=}HTI;{)}$_p$D
zri3=OiKTm)rDgWYp%e;MZW8w$@HPTKjWLIBQDz*=H|H8|NxapzUiigKG?i>hU(J2B
zfS0Ws*Ot89@qotx%UVmcpo;4jLKf~&!$y*gk`;vD9rcZn#OLs&tq<W-f{kxAw{zyV
znd<{0?iLFsOX|u#w`qsUl?#>_&QtG@K%b<ELeX>btEF`l&xE+KVna+5f5VD*+3RHE
z#V8Gl3MiPwM}Z*cm;LF<ofps2En_n#f*KO_GrE<L9xPeRa+f=vqugc`Cz(uB78V3z
zPdcK;>W<vPptULUPQ%59&AD}K91Ix%QbYKNBzJ_`CM+`{xQ9XCbam5Jq#LhL2$J~l
zDC^IbUSSHSS{C;qz>O4oKw+#K#R!GTk<1;EDnc2mqs1n47lz|H-)WTjM-B=Wn&3-g
zJ0rM<LwC?LSlB`$x9IzT%`LIv=%TQR(cQv}rFR4}?(H&w;^bo%u`Y&#35NPRd8$nU
zha@ir2%};A6LLVSTg(MWaY(X9;Ug?9hMTP<i5%*XW%wK-E%-r^wkb|lqvy7}KAm0I
zn!RxK;M~=ND-#%kiI4j(%3&-wShwpUXOLb7F^|RGa8g++^7alOX)Cl5b=`T9#F_9|
zMNbt8qyBK^rJZx<&b@GaeRX4PEkC`Pc=PVe-1E7H;QFnb!~&=hQolFedGh68^mEq4
zUq2-tDfqGY71=|vz*IWCK5fLl;Dq>tx&NUn?!)_k1R)FHt^e+n{4b7)lYr?X_9`cE
zD&_Ek6ZlKV#FGpE!&lrdzVQ<PunVYH@t4IFVOx#ZSKKc@dsUoHc`R;c+T2Kf^(B8K
ze>IvFK)1(xcliK}5%v1$SrA-(*=hM%V?b9+Ab8g;m+WlD;q~b&?29+WFYUYUyX0;p
zjB|;LFr!<(zL~uCq2Y+P4i&&{>1(mh`ii}`cM}4_&1*$1V}mc;6km8k!tfiu@>Rgc
zdXn`rTp<Y;g0{F9?VHqV|4&!Nm!1;u!DT4^DmicH^wo$1<_6?_q4xjxmiy;d?HeUl
z!DxB7z-aKsJGX{#f91INl9Td*?DpY3zk|?q&zbwv8GHEUWAZh*f_L2@y8f?E2nb&{
zU%AobVWYkOu+jd-miwVAR=>mY`0FS6iL?H~(_~>q3<r258l9>v&+|w}01=B}Pe!V0
zI)Ic(oF`1dbGH|(o)@uZ!vcQf36mYVT*=jwr_;eouUCwQ!z2a7I(I^B?eE2Da^}RT
zu4t-*{S*L8lEW0r*AT;@<E2y;U>0q7XC&eD4*Bs*eL$2#p>#N6FUfD=y%X3zw5qxl
z*x&kZf)6|-a_RFTQX-B5)<Dps(EA2)hsT5_QFm@G0uZ2Kl#e8dMsnog0A=DBV0@&t
zNa3VZx+wZHJ_J0%qQoZ|TvaQDjb*($nm%yf?x~ZDBAM%E)>OWJyp7VG!I&2@slBiw
z^8JJjVkAmbBAs(S5k>=emtsY-4aJ72OvCUwV3@YC_A!Dak8Bw{DTfH&5+NJ`m1d^t
zT&;c8`MP0M!|RHdl`m^vPFd6P24Q+vqSijw+P9^z7ra|A4cNWmx?;LvMtjsUTzGWM
zWtIfz33g&Sm}LHi4P<vTqP4_c!mK%(dwB|uEdd8ahQ_JJ@P>AgFoL2Imy}WH(4@@e
zSefiwxHi}8_fMTVIT{X7{>Itm<xvKShoaDBHkc|tNoZx+t4rn-`UrdEMiCyDl&dGV
zVaggKL!Y9aU^GTDlANxON(ww*5<(PNr82TQ#hU@9uGO;C)1mtkrOpkqnXnc>8Hj@|
z2FM6SP(uiXT=2XE79bz$c_O;E#9}dIh1?+#-YRR*5E}XLa6biztV3cOYg1)H`lRHn
zjF49Z?vTOHd-6D=)dv@x0I-4p<zy@aa9=lA#)_Y$kV3;yC)X<*^ge0vN}$|3YSUm<
z39{Qm%{a9bzGx~*A0g3SSX#)p=(m6jFA3de@MFCs)@icPEz*A+nXe(s4VO8n20IF~
zkA+fMI!&bL5Gx<Lz-kL)1lKDh6CntIkyp2~a(*zGZddx5Ym?`$>|fZe=Pu*L2^MD^
z3JV$AH86x?&Q%rxXm2npi4ykE$7vFCH2Jc+waV~JW*BwCENNP3`()5pQCyZ~hke1W
zUfq7?*>l4@J-w2@8%?a<`cE{Nr1i_e%8h@n$NcNh%Fo{rqc_rZfR^C(sYCJqY`gEc
zVBU;_>8A|&H$I^L*x+_B{hHJfczw!H{N$GX`{&;n3IqsJTg0O`P<sF+a3=rYVFh@F
z-@TXpt(nVv+gi(B4`}@K74Z#cCA5ir-Gv$etRKesO#-6*J1<xO$03$z?9F%r&iXZ%
zk33rvOKyp3{A*sXcG#qmx;eT4wgR~P&PUYet&2B=GT~$&%=zCqEzjosYoEQxp|uwC
z|LKhUi^tyBs0QS{67k1-^7A&tH=Q#dc_T|ho(9#+rWn~v!ao1bg9_$XA@BYz|3`ES
zx=oF@eB)umM$G@#0}}dc_(mEnp!_F#@<XfqA6>Bje)bLm_$uP39&}1!of)!J6_zSm
zoyIAk^9qHoyEM%$Dd3BS``XN#X{`L{<Ywx9?A`k6dLo5`&#}xh*^4q`+`-QNbZ?Rk
zdP2xfu*=ikt#Vcz-&i@h%3UK{leL&@L=70s&~;3ujLfnyaf&sMULgGGF!_fSduU<<
z=z^?CNy^a>yEtU~mgJn}GMoTsK$yStH?-dwAvhTkP1`Zlec={?80t653{^w`yy_Z`
zi&%*S>dC&;aJX31zEOBv;0mcbzV#CI6|vMnB;|NroH?uVH8k_-_3H8JUecd<sUnFX
zO`6Cw&B%Nx%2M6S4~i^FInTR6#(NUWO&e&Jh{v91jEy8)jd7U4wOxlmMq5euDD?8O
ztg4yAT2pq=vPsj;YUgSJZKm7K0D^B@*T4%veCz8D88WSvi@kWZ=gT>ucGi}ntr@c6
zkxS!s3oq6-j8$~!3ue0j0*MOF$k4|J$cqVh<n%D%tywlJH=#I{C@*OEDjVn&q*YLE
z+=oRH!rSBn#sZg_=rAM<L!7z@DgG#V14D+KaUE7-!WbBxK$o=fXoxV+(Gne^a2dGq
z%evUZ2#zmvkKqr&Z#=|;-6%nEgxO)3_(LI<<u^pQa+Jj+wRn`=;Y+n6r!^+MQ8*qj
zEpk{Sia#nW>!r34p{>GMIW&L^Ja~l7h;OYRBQq=Hp-`wr`VZA{Sh`$`ZmcM#6jnkk
zqJ53MfQ8>7Bq3WaY&S{tFduYma2+5hKLzp;Ao^g;hDz|nc_ArJ4M5hIrNOeJnhKQ5
z#7n_yT!Ex`Nw&tQD=KN>ij&b4f^j@H@@r7<hgMK1-Hp9v8TFY^ei6C3l13$PF$t@b
z?>ZJ1RxwWyd7nTKpcQ-`t2{E!Q(Sfc_%Cs$E2YsO9wO^TaTiM)Vf+rUr#q<HgL!>v
zYxn$>trzC};-cH1)dtHSR%JSXdx5nzG!k|R18|RxUTX+O4chz)hgo}=@*To@Au?3V
z!F8Fg)s4gQnkZIL*HrsE+i|RVg8|%WUc9okvA%Y!xc_Yi?)jVk%-gz5_PquFpC479
zIN<ko6#!hm<fJ&0sjqv^-UE*U#`J%6LVWXsYILuo22S8hPs&Gf{teID=c{`}6#z`9
zn*He&@x719S6R4_x0pQgd+l|}Ut_?)2mbr}<X4=Qud;&i>f70jfA^#6{>=W<ODIeI
zaT!-|4;v`<9S^I&d|cdfL;d-6_^$fOXUrR=d_Z^xhyJADJ@!%}FwFbmC)Br|vp==t
z+`Tp-L^x+M{*T`y|I~`$uY8%}t#Jo=yvP61BkF_q+Gwd@9~z7I_xQKGV1M$ud*=ZB
z(+~6YO@IBOv$z&d{_wtQbU8!e%DQRhlNxPAJ9s_{Z)#_oF*4^RgNHd_2nqNOp762C
zSF<ALfMG40P8Mz3Y&bSv9S`%tO1?6m&*sy4zt?A^c@oPQnXj5Mgt+=IEmr_{v{DXJ
z=^{d=1*xM0mXFZ8-j{(;K}M@4C{ZF07(H7L?MD$(ionGt<6VwI9yu!kqE$YFXT3vt
zdDr<^tG*Yp(iJxq93a3X6b&JDZ#W6zG*u5rD46J4juaMvaZ)uYAFbI>{`AF%J|mCT
z21244>rio(4&bAaN@5W*kg?)OYQ_>s<SzFayDy3dkys?`K(bxIO2Ha}auw#ES=phw
z%q7nzmDIH}4SJdS(x^&H%(XYJtf5!ftc+)^t6S5Qu3Gp8Q2Wd@GuA9vQ=wqL>5QIe
zvp_8yN1`_PC$zQ2^fIG}9CbBeV!EIcN}zlxKtuW~J}h?-Vd9Vg67CZr9Ut6msh~B2
ztFu(PD#(f;^aK1v#!*X+8cz&VM3NfInjt!qh*L4TFordn3Sx~Ite$=Np$E>M?q#X)
zL8U%e9fd#wnfD=f2ue3B2y|06I6zYhPGG-2;1-fo3@5ep-=#G`BKe>f8cMFCJ6O<w
zB&IhaYllc2EzPXOf;g|GR33+9EPaf8chcku!Zf7bZh~@TXf5kP@DO-hH_Nc`GzmFV
zF*C7(V4OxU8zPJ>uu?V&4NrPNmZAoaL?0ZTButN*tsSML9Zn5PMqn~ZG4mB+j-BEs
zstmWx7)-`fEi$86LWZ2Wzz;}HmDN~}LT0^!bdYd1Aw3ASTv6Qy+su%y0}uK;X#d1J
zn7AHwYZCvGf+##1^TCL>V}CG-SjXd53u7#V)foijh8t)>2(VKp3tI5ejyJ}`1T%`q
zB27~(%_26XXxgeXTMP5TUUy+%pTB<a(ss3F^EU4Bv;ag7Q(o6oD#MjD6(ggu!Xt7D
zWtAj(-(mpe8d}#N$sq`MU{16h+--!6lMIGmwOH7$iIpF(jC%#96(+U5x(9ct>g@#X
z`D-C9D*0Phr``2=#R;Ll?eINZ%fk2vbN<gBSC1BVIeklIjx*!;H0J-{hP<NC)vJ)V
z6Y=3+pE(vk@d*g8e}2!sAvEwe@0VYD=I*)a&LK1MKx0uRoDATtwTSf;@5#Fm5<X)r
ze(e4HYoD|C#u0)W&wqAIJbE`u5}XD=w5h>z)r-x|1a{+)=^m<S!@z*=-n#NoS*%as
zFX!B+g2S7y0(_uNzUe{v*G}ENO<KnmmhEYHqTzsqz8FKBNUW2-Z5t}~tq)3Qt6x2E
z)yJdK1J3R1&&oS_9RT{FWhTbY%(7q?dUhj*&-1%x_W|EuZ6x5u*S}QqS*rr@^j#?>
zf!PnEdS7E>!pt2-Y^3ne5x>jY)b~E7-gD7@_e=KP%2GFCh_d9Tjl`X^ufl~6Kez0u
z(tq6j?>MpYzWrf&D!qH7EexC6n~erx+c>&=qpipMJ0DT2k^O<o?-Yv8sfYOH1MJ#G
zYcSJAb~C=NDy+aW$PW%m_V8%*QIhnMLL~Q%2FKFewtS&=!sGt2%`5w}1I7y_huW?V
zhJgCdo!f@z#))IcPaWUXRlBPqxX*TF+d6yQ&u30!zRy(vHWFbI)#t*(a~H4zV^}!b
z`Go5Dqr~ylXSq+Oi20S1vLhFJ5?)6#ibo&RNG!R?;aP=D5hVShg{B6`D?8XZZ<BPQ
zuy}CZ>o?;uyOukPiY#=SbAevWf=W)XtRgZ9fUQpCJW3rzAC-=}C{Nb%hd;3TiJx$m
zi~9}R%vn~jIcNI~tFd&KH3I8N0l#*r)`A+ISZ8YCh9HuT&0Dr#vsukr7;h~z3+tOs
zwSaLuUrlwh)09;=Z*+sjj}{?+#mYIWD&94$ZFpS@S210CfHt~i7Jg{GZJ2GiX*tRP
zLV%)eD7jq993ezTz=ue5DUO2|ZVqAnvR0S~`z#bs9^waXJgG7S<cuw2LPniY?Iklx
zKr3P{pD(}f%rau29CZ-lN1xoV0D)9$+%JwOM$-N)j!@@CB@e#u6F&IC51u@694iTI
zFu@XR>4oLlQZ*6zQGQu{L0l<Pba7#-x?r`8*XWjPtUL3QJcvb-6pTP_3nSMje8cfz
zz=f*`FnG{jKr)IDf?g_KOL*dO7X;$z`5G?Wd3QrNG@K8=bs2j(HmN=&1Rz0(aCu0I
zN3rxHgbYGkgW&~wGZ<WYhmnLrLAb_(nRrRf@2Q%aq2n5%^B`wRFU1302TgxzI9p^T
z(Yggyx>B{qa&?881i}5%lbPIndC-}HsEe3ZJY@8#^jO<Y^TvAgeuJwnib2oFX=!*n
zhj`keV6IWBgCQ3gPx|%Bif92by252RB;GZi$8)b1SR@T2z0=jAyE3hwKWLvh=w6uW
zt7TjIl*M_HWEkQ(+jXtAI#O`0kwMQdqU)1s02NqptQLa%l_Wt;68C9MTb1}<l%#o4
zIG8CUxS6C$k&V(c#$e3rs;>4Aru);y+X>vmWBy<5IDln$auuKp0X98T;_Um~ssCq}
zk@#`vqYtL-^%n5T+w3_87xmsA|DN~W1=&MWz*Ya!zWen9f1!paIx^h=fvraT{*-_E
z3I`nUP<}gI<V?o@*GJ`Fe~SIe!Rx}3a4Y-jGx96%zYCz78x~3%e|zd)Y7kgM>*fN9
z77t|nvscAuj**#t+qdAI?|HBMt55oSU<Hg6`@Hqr5!e(@!~No(|Gk;JOs4^W{sv#=
zBQy6GKC%?3ftd}%;0GR8PuxPXhcM%t&e@Qfy){i6ijwbo8W0-*BLC7;cWIN|&VOX?
ze|FFP{>)!(0iohu1^_g`$M^O5pIZ}uY=AYIx80$?>^}LyA<x9eVSoYbyA56gK7Mk6
zb=bc>!IEfb&!Fp)BDhDs`=8$se`0hOLdX|w${)Svo+)2fw|;0WU>vUBZTaO~<)Kr4
z^}s({dgy{BxL5pCiq+3BsvpU34=~^=zUGXC^Zdsb?*)K=@{r&5;DnKUzV^Sk=YC^?
z8b@#%5ITO`!TpC;#dkld#?f6OeCR1S+n?XVTfyF8qYV}6{Cw(2z+`-^xV_O}Sbocc
z5}NLNFIn>r!1qzYPCnrN{VxF!Qvq>UiyG~yc}G|fSL6Zt>-CMn*|Yb%d0kkJ)De$K
zdw5W;uWfGCcKhn(k#ifzPxOky5LDUO*`7|Pqv1#>(Hr*bx|&U9^J@0|-ub-DPmNZs
zZcJUT^3e$5De1V=RKja4k6W2&$1^L*fi#b0t}sE2P)iGDgzYn#>r6l(fHVX2Y9)_W
z6es7#BAVxXKkZ-2(tQ>usp_(0u2>%rdi~XvUNLa1SDKmDF9K$$3H6#KeaurqB~mX)
zZ-#PT%ty#9!3hnJL@0^6hO1+-D%q%IMTU2_k|ELt9IhEcd3cz1j@KP)YHbk;0m`U#
zJ9k}EH^xkBi-dTHDN8>u#k@j!__~g(-B@4pZ3XDbYa==XjR6>w83<!E(sV3&M5&hO
zLj(<pca3-+UzB^r3y~~nrwF%v9xj>bA*oIO!-rkqnNtlXCp&;(G%LbQ>QI0@<jfIa
z1vU<em4|;i<S-Gn$6&DG%v}O&7+`6Pj7BU^&9YuEC7nn3GcEEA-b<52CB3|O<e`T@
z@c#F~4|GwXR@NQ5bp;~Ujh%8Tln$1%o-)mc_o73|OR_?G1^y{pI-7+If6%)3%fN@C
zLL64oTIKx>hcp>%uoP8G695j*2La$yfaGra0UfG2-GUZqPgMTwmU8lhr414Bu@=_`
zrVaAdG|Jl;dWW8cBm+cZHW<*L0Hz>u8c%xeXs|2b&V^b+7>DDZ7^sH<ygVgRf^{qi
zO?fARxABekq~dWrJ4qo9k*r{PNh=jO`69}P07D_7wnj9i=>W1L&qWTZl1;Z~1<(3<
z3}-Ll_mNH5Tp1ZVh@Yd5$EA#Ql3<lG^F`}31Htdq)QhU-6Q52hacM_CzuUev>#lVU
zZpAg+cZ;}CajN1@cPPt?9fgvbq~jx?y#zV$!t`?1$-_|$Z3zR-=x#EZLTpcQmqGp*
z>hSO=$%;J1+GNthC7&^?>w0f*_uB62+X>w7YxZsDU;EMes|SDy*gI*1C-k3QxeMrf
zs`Nj4)&1CYJ2$r{u;<3VSo>c&VE^>8`=U+pmye4FUXHK<eE;2t<X`ziK%cMuNQXUq
z#odtof0+C4yJY{bt=qHPZ~_zK0iXTco;#cIFWwaY`7v=DoCS>d4<Au~^+|KBeN&hM
zo@2i?asT|P`>E|$OtP1j-O2*ucL>{0UqJ@(71xM3@{8_7_V6tF<pcM<FS$FTCO9HY
z@~2Dx6W84b`us~y-p-Z=n041){{MdiXb4d6N3Oa%(OyG6`&{LJa?5@GhWJ}&<%4%r
zh5m&N@f{ald!9n1`fU&21=(L|{lDCD-*?&FHZWT3M}MVdzcaP}`z8AqkBR^Gq<rFz
zGU%^5BO$c-*Sl|a1q5LIPhNKrsJzMX`A56KEdHhk<ekX=V(owYy8Az`xhr>TG>9;N
zb7KF=Mf(L*C=9XLZMPQ)incl&neT-3{i%oj_?VmRlH^E8K{|Ae*PU)^0to=TyP|D2
zysJ@-)V8sZD$RR+IT$s@ofxm0rdcc&x@oqywg7{iIB|kV1$KLP8~*GSy{2g<(@EQw
zc5Bg1v{b7r{jpJXDpcfEERxz|>ahhpi#b{3+q6zbD&+~;dUDLA3LjJ6l`9t|E;br@
z%3Ux*rPMQ^uNWl^MI2?mw`SMIQF5xkz8bBc<?(1ENgi46j|S-rFHUx^&-b^s{o*`l
z9myjCG?0XF0N;nY-Jrn20bFq1=)|GHt?;#-``LC@V$IEN&EmT0oY}4T&bDtRozvEp
z$b%P)g_{TQnc9`L!D7~{x}CL+W>v+y2Jw2=V)kCwqU&O7YFAg7^hZGF!kVeKLA;Xa
zF(}0-n3kP(hnA*GTuBsnLb|jB0nrGz1VG)=ek!Qh1i;Bd64nz3iISX-l<&hrK0rgM
zC_jw`yn>uesj?N-;F&SRl(#nvg>L)=t(T-S&k{gS1%UV>9}bd!5$F9R8)RwTFM5OF
zU^pE0dVN6fd6vd$8c7w!Q5wfRDNy<`E0QRdf$)MA)kN*_{szC@-!L1vp=e22@*71L
zH*}Lo0-xV0kQ&B#0O0&EhM^C7zid5AGL1Y^!Wd5^tD76PIc3O2pa<PZ$P)|cw!?XU
zv%dSL6GLF@Q`#O^3LK7I(;BVY&T1-uz;aP*I~O=MSS5<mGI&rj?ZUMyd_$2C4Z1Z!
zu!RmzwA$f<QmhE&PC+q>S`gFrk|bS;4(FChebRiTmJIA9imcGtEv%+_tiuT{B(Y{#
z1Lh}(W$hz~YV*l<_uLClv0D7ehaOH-Zksu#(0#)N8ah~!c$PX9TRI}{1faHQg*VE$
zwiFlkn@d%DVdh?()H{uvYth10syI^##C$PDmKNh365Wr`&e}k%i^CYhOVaP}P-YYr
z>=ncxO;xw`qG{Wvt&wz}Cdy&#1EUyX%Q%gb1U?vHbW26f216-#FqvN4pS_*HeP6LJ
zI4;*Bc4saX-pB;|nH~2BbN|Uh{uyIY-Ys(vy|>eOcwhsv{7c6K?67sWe++H|5oZ8c
zUuX95<FZwj{m3=@{g>Uv*P_nD^?uijsB-xAXXT$=dl`0oyvM)wLHX6snfa@dq(5oM
z|Mmm7YsO3r`=KlL2QIs<*OG|@r1-5b*k9Q9Uw1}+>gZ*=0gU_iACh13>}#CBt84(u
z|H(^8Dk$GbJ~fj}+_9wdhPMA?Ebd&#02BzJ)DK>MZRHjSioW6*^WlB*Kir39xNoVU
z^$U9_y87hn&}4*Y>PqAPxA&@tUXJepc0+71d(}Q2DE7?{-X0jh_VarVI`p?DuW@wf
zZiqcTyzjs2ehGl}R)$q7*tb6-FE#$j#l6p8xRZS6i}quSx7Hm18Vv&SJ7t}Iao@e3
z(pb1{{>U}=;RFBIPKhtxl($w4LrC@wXXQs1{;hV&_ptE?9%m;XWV5}%k9Oos<0Rln
zpHN;9K-jRCz314m0n&}d#@SQR%F6C!R@I$t%Ee3PH-^Le@^q&x73cG+f*thxgFMfb
zQq$=aK!2L1SPtl#TxFYTeR6HDOPb@y9^^eYFK4ci+@+W`mkNFqzRg%EU4vjrI+kFu
zu8$oDT;a6PUir?)W$g_-!jZP@`y$G_q%ge|*IV&}5$g|BF9$^Vc`NC|V>MbG@s-iO
zP|%_M9EtF%t9b?(wc@CAAFi9Sdx(Yw`DHE1-H4Ax<!vntPf*Z2s%F#XcR#Y7^mROn
zXSH5Tu>!D~)PUw&jUtqF4cMJmC2v};JJ#V#v|Ze`3eY)*JjQcv8PY8nl6T-LbSKD@
z$)G||V6|Whn#4|sfPh5=Ap!5Gm@<?LQz*ihDQ7{9Zo;-Ih`5tf%+l}3g#bp}K$wAm
z;gn!YIe#AHB3Y*~Vt_COdhAYb`dG4}U_~1D^Q7M^(q1p?7ej#UBm5s;z2UIe8}uQF
z8uaokjx!PGQJf`7OoHkW0D82U3Ru|(gbWQ1LAFLVyCda!v2-^L3HignZ>greSvzxB
zQhPH${(80mx<h#_vo@sDU2r=NL?wjLGNkQA5MM|3mykhJYMBp5<xg^xqH<mL@}n;q
zFSoo)v=AcYxWj0I1(H1~ueVJNP}S<rnik$bIUp$$m_;g4WK|GUWl%l}L4AyF0GPxV
zZdnfQ4uxWGS>zxG+e5m|p{6KjOL9<H|5+LVcuCU$hx~HU2d9QWz|WEDg=HIU-NCGL
z+Nbk_`PHpUFYR_OU27j$Kcz)#;hdez66HnT_*_fYVik{)DEi~2Ze(j?^a(Tjx|z?|
z<t_8ko!N_xzSfDEOuHnt5mthv4(6Iu5C%uGME5NlT(l!c>Gx&KMyfmBBr1{;rS*}R
z)3#mLwACU?U~Kjv9*yEeP=!vK#(A0sJzI~QLrpS5s3i)Q+jVv_Z{AMeex&%{Jbilt
z_~k&BJ-M)-ITl}i<`wlmE;jxrw%mOw``R-ydu3ISr%L~p1^0mL|L%E2w6Fgw@XY@5
zr_HxLtp3ZFS4@8XhWO2?_~9$Bh(=*3K~!)X`vSo0x1YB^c;yY8z^@;;7b*`>9*%hH
z`+sg-{LWN<|K)q(Iskn9))x$byf^yAH`%W%5oS7XtDxP}>~B16UnkA!1~>+k|LqT>
zV9r})Xu<h^`7?Isb?f^7yP5xc=k52rSKV4%aVp`TJQS~9(E$O#hsL*G^-u4(uYAV5
ze%<=ZjsKeG%!OJ4FufJupG?B4l({$K;h(tfzW#YLd+RB|10w&Nwc8u*C%4=;KK}+p
zilEWH`JBDfuy1?#Wn{fmDM}vwkI$Iy?e5l`75vmg?5W?Sr@pZ8C{=cCys|!C1t8is
zEj&Yq{eEwCWp_5;naqk4_oaZfYuioBC^Mb6SNE?A+eKM18V%;x>Vt!W;cy6mK8hd;
zSZVQz+eMKA_@bkzSY4lMSHgo|p{q<YU3e!G8Fk(%E0{J;RFYRQD|=ls6mi!$K+F3R
zJ!!R$BNXz8<svKEUeY<CqJGjJ%l@hxjO}Pmk2mznuo<R2m8(L0urJPRATeyaVa=X7
z*k4>L7xUTt!qYFzp8Y7R4zPgmkZ8Z;o&SIAy$O_MSymnP?!9mRa|{`gb7l?M)z#hA
zBM4f81_T%hkR>6OB^DsrLM++KlCfk4BY9!Vc-fLzNC;R4A+04DBx^8260&HZZ7}oz
z)pR#acU9Ls<QN&#pWl4%_1WkCh>VD=E~+ZCD~IM+WLD(=5&yq;-+k}xeeOPc8+Mdr
z18C>9Swm716WR%DPxzkHdGnc1%{Q(#Iuz5q$@4~!O|vERlyRZp23E_+iP0k$EVcH~
z)Q2!51Tit<YmBH23<dFJq=p`(3a!&aJ3+Q_rEB0Y7D)R}O#%Gnpf6W+8PUOQMsw_}
zvNe(lfKw$)x`8{PHE{^uwI&dUiWKj=MvxV1@dxKIAv)jdwrx8>t3|5~U3I738T8sq
zgZ^M?u+;Ak`kh{X(CPPEcs*^kT2X{*ydOo7Jpgkll$oW1C8W!jWvlar(%dYRDvhE4
z3LzRatwLOcuHS_c#_UBK7_n%HT^R6KCpljzZ}#2N>=Aswud2BLxcQU!OX+(rF*Ik4
z?7VfnMaB{f)3^hdJ^XpKgqwmr*LZM%SV(u&j#6iF;1=qfd3bi9>48OHn0jD3yk>xq
zEY$2Z<_bL<C>sVem*L+^IGZ4>;z%;UdWq4M+!R?m1wBs#yC)IaYq40Y9pE+14c4%$
z<i=sx=P<W1EYIgq9JYeRYL4NVj7=iOscA;RuQQM)_FLmob@9@8vbFK_^B1oT2~NkU
z?ac^E`yQHNP$%zNFD?X(nN;W{UfHUe1foYZ)83`Y^!d%L7k0xdLw{#pXHu3b7JeM4
zAV7n?7Ik6jil$6f3p%?5%l17a23XMRAQWuy4|x&}k)SQe=QGcF<8tyvLetPEhHJto
z@?rPsg*+pnTre;RMT;#~Wt?}AqEXu!-&2))I)LNGJO25dzYFG{uYO0LH4FK~u(8SK
zcP^~&);k>CdjHoKUmvpHueJZ+vrRwn4?;;AfbTw~er@OTMpypHWAaFgA&v2mU)2BP
z>g(QsYo-1EXZ5jA9IW5dsr=_p00_SL`rUhIGu{BQzty@RJBz=sdsLkLx1Mia7qZ`1
zQ~Y;N>z{g5yuW|v>-W30_hT=ct=Ad9`l}Fmn?H5z(4=~ISN!VE=lzw_v7lLZ<mCI<
z2zg<zH<5~F<4;`FvGl(G{2`|PM+TDk!#}_Fx{t`?WBWfmcQ+#Y^9jKBktaX6ZT`ly
z&F<^BAN`rj`efuCdBgv7RsQ^S`JtVA9o>8K<U_XAH&wO|idso)d1<Mxs*xSmdA>Ut
zUn%n8G@Fm6nR(`s2W-oTd^{Irp0>iR@m8g0tF6;2P~A>{KA#hypH8O)Tac^S>C9%c
zG)>B)B7B}MrzclV(uFJ!@>1KZnpmC2L6p};Y(xT)0^N;cn1htQjM^~w^OrNZJ5G#V
z?yFwvciVdHM7Ff<rLjuWveOEBZHczqP|+=1d4cts!fR&b3$t=_oL}4=zI<go+Ssi(
zxAky$zB8L_Y&0)^&d<jtVVJllpI|%>><EMbIW*+GjSM}X@I;gAM*4&u=5{)+XBSaW
z%qszrKm!PUV@=!cznka4ID@TP)Sjw=bP3|a>I5jCaVu9*;p>jBM^|fyE~Y_at73a|
z%P>p<#;KYBj&b>1fWdN+E390d--U2FQ4aqq+*~~FiDacY<2)6xt*`Ma$ZR}ch223b
zO~bSmw_5FPx7Y1=mY2Pg{b0S{@AZ#$msh&I)lP4z)fq%-H%fa^oDg+G{{aGjt#oNx
zj$|w@`y89f@_*V$^rkX}5>D~&p=ye*E&&0UZLp=rmCP5L>cUMeLr?2$e7MdnoDGOw
z)T+HbW1mHbzyWY?4@l;3D(c(4AHhp>ZEYIQwPd?WHXCEIghhF-aaJyjg7ls+$S#aC
z4>AYuh%CpouR0-)<4krD!^Kof@{*BO7)C;$M#G>op!tTPJVAazIF??C1RUuFG%0G)
z#>;k5K&Eip6mroS!Le>AbvK+zXWSA4{U81DT62?pgT({llOVC2LC^X*XR5hKkOhiH
z#4TDr=*{XvN-a$lgo<$Ra9F+c;?_$~U7qi5Tp!n?xu8?_($$TNo7dj**44nXWjPD{
zMA(F;X-n3kDHFohk|tSuSlG{O>^ym8^zyKHu@<A+i&Pv20N%V-l)DD^vZ*R<Dk%!H
zH>G)yrOU|0fspVFYII!}d07&+hjEwk(-;}QY0{&)N#};7cMcK0>pGrkn!)&pTN`-b
zr5^-t$)c*uo$>I#^0~LKp)PCo%&PCv<>!BRS^v!CH`voh$ms{3(QkP-dTsZgypW1N
zwI&HD-`r-r6nNi$Tpdy5{K6)L6K||1dAkB~`WKJ+D+iR;7h2+vugagi`1*G0S9Z)#
zU%msqjWi~I`SekYMO*TJZoENAbhWfU^nCMA-tNCja?_jhAXN9U(d*s|Vw=CXX})e*
z?icUrlJ#KnYJp0`7>{I%5%K%pXPV8*zOl3ZCobuCa6HpN4)$%w)xX>@uWO<bO8y_8
zzoit2FWlo>*X8oz#iHjk`@g)Pci-sN{^-m4;S{;H`_F{Z`>vDnw?<~By?gs{_JVi(
zoO$uHoG>G~jx{12P!#!WKBHS70oaj<YA9ay<trP#q<y?U2t3ndSt-MA9C&`a&SsY{
zT{?FB{JLp2w>Gm3RDmFVp69+&t=4Lsdc}Cui#-tq)4J5f5C!OJjL_P!M{iv#fixew
zO;@XPU2g>OrPkVZ$G;f&t{pp8#Ywob;&*#-n%Yh;YIkg+Y^1c0MqA9=yz#fj{y6uC
z^J;f8+S>kqcCUo__1&%Oqfu7Z#;a%aLut}E){AtvtcE-Drd5UMUO19i#A6WvstO}(
zbST2JCuF#;5&jAL5_FDo`>*xuMm2O2`i<xq6SAFoP0Yd*4V3B<A{<wZ2CVZDiVlS@
z0JY%~F?*C4VO_`)ASA!&s_3FotgX=y7z5L}x-^W{t<!)w-Mk^h0-bc#K#dKOKu1vV
zA_Q==vy|C8`RQ#!FHm0S(=LbI-pa`nr%#_gb>{4e6DJ1C%l)On(xBJx^*WuN-%Eld
zA`l-d`ckR%BTt0v+`fNeRSe?yi^GDOc%|8EbmhIQm9E&V1>Kr%D>U@p+W8a(TDznv
zh*Jcjrv&>yy1{^J4FhV;4WaCeBiSjHVX0XJnYn~2xo6<HhvxTd_6HEZIS7B;Klj&d
zz#Ob)VU%=B3wGfXv)_no_B>_e0uvovD7YCtEgW<XTxof)xMVJ{yM`Tad@sgA3PDp0
z3=$c*{ehS&;n9F)I9#ybTW8pttK7QFy%mPBxL&LoExHXX+w0Sr%)YgCRhA8-Wn;t0
zudBE$gFw*HL|QY9mMqHPu<1c_MZ=y&4c77?kfZnZp1XAElfU=u_OPJYljRl~oOZ9)
z-gq{;c=_e}?Mv-;JT1na$SsWStJo5WZLA+{H|pxN_}sPeXD;pz>53wj;6_P=SJC0u
z3Ngl7)Xu$MHONKtu_Vgr(y#~;0&*^z-(V<o?ln1mJj{e>W*NF<wUR{neiVfQ5!4aw
zIg)*Y09nFltL0-@FK9eHiA6&ZK(%icJsVk`eKCeu-Mf#EjLeT+yd_hMi-rBim(AaL
z=ny>p6RVP7(9Mm5U$rFPb-4GA@WkJJ=?z*9y2tNM?ay8_fA!3b!Y$l62jX9Ch}T{-
zCP4FZS50;&AjsD&!E)r_GoPH;pT1;nr4{j06Z<1C>c98Moje%{(b61vV}6LAp21A!
zV4LPi4h()pfya6%Zg$iEJ1^>6QNhuK{HaTtHsByZBL48@efi<nyqsb|T=nDQyOH&G
zeeauYa)|mzSIp;bVbCTG)O|E)>jwtytC!?^y7D)M_jd7K3|8&&^Ww$NC{`9X#tuj0
z*?e9UWnEPOO)4Z9fhw&~Wz#(K(u=z*J7?BcVn57gleMK@I|{FE4Y#gekK4<89fPR1
z&FAxtYu5&Y!HUr;jJj#ME`%=X*_3EQ)o!PRHRer|2EjZ@MyA=4{#b`buI4tHC%#!-
znkC635OJWQRwCobCrls#D&yMIg=fZ<n$PR;$c~3*XSd$EUhnSO=~QR)**x2vk5qP@
zV1g$C0;ob3apFC2`pg689@+?J&tLt$IofesE&_F5oMWMQhDV62zspK{3JB6Kfh<kX
z$O@PYUO|;mHT~PC*E~`3!k7!VZP4-Am_;d<{nP>CkbG*`zk}UuATh@}0X*IDQCfPr
zbjoeR$wzEr$###5>-UzG8jZK;1Le3^+cZ_<gcy1uEmF`AagkgQB8r0`jKU<59KuI$
zQxS^tgZ_yV?|keXf9T8p&|4mUcy(p9-z7j#{E1K>#14dyBF6D@q5og3OR$~;edmJp
zGQ4Kt?FCqQK7)Ihr3)6EXvF4L(llzJows}8PYXG}fx&~(LN!iZ#QGzwVDJyX@ZIPd
zwP*;N7*Q*@wW5=<(KXVaxB;BT*GJ3%R&Fp!_b2w@n*Gg+eCNUAj=TF|NbRj!*og0Y
zq++GPI3pgjXlFjqqkL$g`lj;fBHD{9_fqal@$H^>C>=K`4dM6@ZZZ(;xE?op5;Q|_
zVP5cWE*66pUXKgTuy`Aq3pANTAaTHHs$t=Yjt0C(D}v}XO+Mm%goX$$3sDz-8H7G|
zw((2^MZe*UgSxg=DGd?rMl@Q`-$K#>Fn;*-GtYeFV;{Nr!nKuC=TDzpr!%CkjNguH
zh}g|=Hp#1csoSzqr=n{`Skj51Eb)iv>Rf;F+Ri7g?7Td!3Y$tg<8&DKP2a~#Rh}bo
z%SSC;!X1hxC;C4FP(3>Dh#?D_{RllX^imD(LG*7r9Mb-!Ep%?v5l4wWiX@?V?rEVh
z@!^OgiPV%;L6gxB157ki(pd{Cqa<-A;ycLqP(FPEF`z#H_xH@BG~U18w8L92EB?z3
z{hcS|!6wK@TH<WtT`Lb?CfKR)U|RxRq5l1rc`mzE^z)A{n?HR_o;^_9eP2&rNMDB_
z<k`&r_V^Cq58C2CaqK9@`q^vx$}JnJ{KswcO}pl18Ty;{csYlQ=o|ap>!rO^90K=C
z0lGC_5!^r45pOxnjtEcxyRBP2n!h!+zr1b#i<39rc@TKtuq;0OnvJt)Yya=9yL3J8
zOMCMCVORU#nb=>sWk(=7kN(*;bFf2+DEA*<5%;{?7-5A|4|qviG!@<FEb8YPcRxRb
zN1yZpKa6RHT4i9<sJF&DHYksu93X@y_YqASq{r6>D}&{ERnQGMZKW{ttI8<wmk0eM
zPIOfws8U5~*wa!}v*y}-GHAD&PIOfyrEG7e(a5)1qOP^NTk)z=t+o;b0ouNwDp3nB
z6W~{~BCG36?AHFZQf}_b>)T>y+iYz5qaA;~tIM%5b1Mtud$s6T)dA3rL&6}E{#W_k
z#_Kozj#}AjuVqQUu1jxW8HhW-hkbQkGR}h>&@ZSn53+dS*9xA5){9_iBl5^MCa86)
zVL~_*e$E1M`tqTxCxB=PVWZ{I@^ATNX+%YoV4>hancW%PaE~TR{6rj3RyACJ6$tnA
zxRUR_WrYdCe-yjcyP`6ha0&V+y?z*nSzgpd?%6=a{dRAuztkTrb$iRbcBj{BwTTz$
zrXG(+moHw-jQ6(pzVGY5{_EcJ_O~w$1|eJqJuJYu7Ere5VTT^4k6GBza3kg-`NTD6
zhOS!gEav%&ZxlTKt!pF=tkZxi{xQ9mSMBnh4EtGX9%*)GXPJmWCog9;8LXhdMidMa
zd8_Q7Lr9KbFHNqp$eXf4T&r$q(#A>LX{Ws?LDsBNdwTfAMZlQ-3jHAo{yqm-Jc+XQ
zLRrM*&dE9G93Z0R!xvvj_fD@|sXzS8%^!4wUF^et&Z}j|A`COM^t6wA?mMhQ;pAIM
zgiEmdyoERyFG_YL70$ktXn9D(PUmbG(^iJCj)5izRy<AM!@*Srp^5;VX%B#Bu|QH+
zH5MsY`hw_Nc*V=6^iARGk{E!;0bRNAu21vd`S|14HZ~hiOee$Zs+#QXlm+pHmZrD%
z<SZ{oli6BlHAt5IKm@+XX5Q7Qe(K`(6W52&ZBMV2O{r29M7&U?WtRK0t_4!p@&@xB
z4yz!&rY@U+FuhrHDu*F)6;GE~P^f^^O}E!0Tu-E~-|Io1q-2uDgzh0`5-8}?Zqd~T
z2NT)6qQP<+T%h35??J<F8eN)#m1~}%modKb55WCB^PoHNFKyojL_2ICt@+*qcl1zt
z@9D_L$NFITnb7|cpTS{$8yp6K1uOe+H_d-@z-^|jy!Uj)M@O$!D|Mx?cSJjJA`(ZI
zGM>ro?`!Sy8Vl$De$#x_Kq_&^X4e~D2`P-XSsi*NkqEk)-n7OP2=B}LM{f~7f8E@=
z#+|0_FK(G{T)h!(CSdd=W2s+bTkWK=Z=mtx&3Sx9|4`-{Z6zW5mkWFAgZ68?=C7PN
z)Q<cWgBy6@9)6s;pjS`I%g?!DC6wsCFW~eIzirDA_P#XjFz5zRC+Mv&_tt{6DjEV*
z$?Ay_hCoI^R2P$`E|v$&1Ukz3?AXd`6b6&wNYMRzKHt>wORN1!D}5pDZH4~Y(ptZ}
zB8|$HS7*LAisU2-W>F}8+-K*FH>ImqspYuvMpL`Jqqer>4!*?pb+x-|s;X*Ax;NK#
zBkK}MV#Jjq*NPxD=jrIB(1g}h2(U5IN<xS)ZtY%fo*r%N%%YUV%mGjw_k5yuzEGeV
z#rTQ^$uV0-3iOq+=sjQ=M6L?tD8a->_(sSoSeOsOaD-(ikkxC=MPR9ws%6kbK+clo
zDsmy}AfN&LP6O~;L!(Z3q&nQ*DxjiirCt!)S*G*K<FrwHT4Vjr;H_W&{`Y<0E7Nx8
z>a~q0o_cD0eYo82J@nv1XU?5oTIzSY?I?ny2(qDcHQe2O`svSIxxTZuvc9ss9>*Qc
zF{IGX)Bx}b%>dZuO6@HN7?zwH>ntA^$%Vk{c25R#BhJtXWn6@o;s5-G=m?r%8_pEq
zBC})-y$css2BHv{_*cv-p|=L=)Cls*%PK3XqHeHpwTr8w4JnFzKA#tPMh|p!#>ug@
zbziM_Xo!$$ByZq#@AIW_iW^3i3u{VtBf=ley7juLh);MDcAeaKX#nqCPp^0l*An4*
zM~nNc6mqqHZ(j-~xLsO$VL)%MpsZ&LA;shkw1?Z0v5cc!Vz6-i0I+@)%JA?8hBFJ0
zc8e-CER~oe)(FyR(u8)WsSRW~1nz4vDsFuC1E75TAU(_4oxJwSxva;2ISuPfBaMPk
zaP-VeSMstB!X&R|)9H3G-4u1@M}yiDGa<ei&L{J&&D{rA*V1&Ah}f0w@u!}<_?aui
zmxjeyCtk2D5<jLZiKe+dw_ZI1M^`m{GD0Q-!?ylVBGD)-9BV@Np^O8%Bf(m~DD%>o
zigp{l+hLS04}9grJF02oi12?%n4b8a^0~^-4zb9^3xh<3jn9h`&K_!^xo6!Rdmq6@
z-;+rz`2%o&Z#?My|Ba!!dOIw)>8*Z!*L=@ebuh8=-CaSG?jXE7pNP|ki-lK8?{+!m
zeQ?M8m!}UwipM&l<9n|K<k1#9cZWdO+uCCJaL(sPhW27{dp73rF$|h+HadJ09<_zw
z>Q>%id>F?Ql6b{5u0){-eS{eN)@@pZ`RK?zF_UXcHwJJ$^4`%AAAfC1o9mT#y}BF0
zJ;99k_71VW&B}i4HVxWUKB?b*ph5gZbk9Y2zY-8xJL9dNmsg)7T&=4H!IT_|qjW?_
z0QIgWTU}eZaPD-_=%A_FahPZ2&U7NfSd1sR5J{TOuk8%CHkXf|Jhr^vSb0TnU#Wt!
z5tlRD_`ctYtE4yScjs|Z4la0UP%QQ5t-fu%O!<Z9&6GEmUNH7nN1Nq%=lV38O=tCV
z;_Z&q?vC2tm7@uvTQ4uea^~y2@dZM1*vqmZ1g?A`d<Dl0>!bUQVE;(z+H17*<~}^z
zo0+M%H)eYKCBG@sZqKs?R`JWqNMn)nsf<exHF^OJ>3PB!$gx88+zP_&LFG42sR1Ay
zmc+p=A$uKI&V@yjqXNctx(RN5MCYsa35&>vwolT_wFmJ4%HX=JU}Lg)_+HfVlYXn$
z4%)4_7ccd?EB&S3U^yDBj2iEWPk#LBrye)Msj`ZI7hO0Wc*onm{V)8*ulR}&5c0je
zyZzATp1k<fvn{L6pFVr))X6xF0Y^oH3MEU~+fi!hkkDStvP;iC*AimTZMUK*34BF}
zkEJ-F1na4N&I4wZkL2pTYe41v(gk2eVbpUH^+ghr>oAp#Q#cuyExT9=u`Y{>v$mWi
zy92yN)N~}QDK#WRgyhSrEC|l!fOJJc@SP1JA<(JlCHiNU<%I9^G8<3EO;ax~ucrMj
zYWq&wFMMupU4(X-Jy#uG4}pm&4?K&d0ByNBK!C<V1*CP>5URx|(HH$j7)NcWp?EpQ
z+5UL@>pHJ`=e2vDJV%}u?hRO5WjV-KSRbDMXpd#zO*HSSMQpHw(>*J+3|HG7EkKh3
z+Kd@mvm-2fzXySm5f(kPBk4vj2p7R>Z4!9jz@#2|4D7T|J6vI<4o;kejjMc?*V)u7
zC#s&xrmX2_r8I%w8I52hUlh8?{UjnXCc?-_n%2`O(A9kR<tIm<KC}A3qwfuE>r+oX
z_j^yj{QTzT#<VbT&u^ts(gk;|#-<`<kA)dx-$hlidyj+$%it8G%_2hX`)ERtaJM10
zQWx_)&*y~Md%aGQ!~pNOB?jDO-O$kqlaP)lT)E1M&^#7DB-Spl)20dhI1VF_7ua7)
zm_s#{3ef){xUE8PUVydr7ah2__huvQOnV={eQMz6bMInq54wzBNRf?t5Zn{8@A`)z
z_3uvY?Xt;xA+wiDdoWjvxI{;Z$!q8*s0|u(@5oVjYx`){@8$Bgjmb;7eew>0d%70g
zBCb7h+ywg|-TdhK;{4%WTbgp;xFSC=c;%me9p^R95yVs<e6q(M_Zm-}jndwo5v}W?
zICa<}?8O{kx8*^{{WFKbeXQ<_3q9QnPd?CmlAs2p<%r8^=;kS9EjR(igiRKflh9To
z@M|HfG=XxvKR9*fe4Ms+Mw3+f72SzP!;MPRIu*UOtbJ_WPItrTTJQL*9fm8tw3CJ^
z@C8J&R;di>fv{n0CMKVk<vcg^K9^sruRK|gH}ay^`5ZA%Woe4sV{2-b(1<GbD{slg
zs}fRHR^xbRma9O(!lh9H=%$(?`ibuGGn(%lvD(nC#ZeSNhTh35?Um@))9hIZ`Ekv{
zZy$)t)L8Bmme5ZFM6rnQ4NA6}feJd14x17Q0?Jh`3<-ddupls0LAzJ6lAIVkBtTH(
z6ZR+Y5``j8(r&lk?GD=QUccAs^^#uFZ7(gi*V;?R)Jiw(tL0Fg4AMc=YgGH?+Whj#
zQy-jejz9IJETP#^gWe-w`mV3~k}rL<+n;zgO;i||)zF`BO_Df-F?pjoxf2kaO>JOt
zxzbzJC%mjEX4^X(ab#Clbi380G3;0vS_VR>QZ>G6lyn|KiZhPXqSnc8h!<q2mD7T|
zr+}=TPK0IP0%nh<kd0a7O2JW{lWtkN&lPNfmoz}7XLGG{!k2{Qvoa^_p5;|t0%8{#
z{UM-TW(4wRs|ofO1wCIopOg}DM@bkGjR|QF2o(l&Y*>!(La+3~NpoRD#O_22(tQ-^
zZEbjkrm0O;)I@ulQjc^!^mI1Q=F=(tTEE|ue&UBnPm>Ixoe$3|T!4=(vhLgAA6P*U
zH)@6qzR_IG!Wuz<Q~FBzOb#V0z*xJ4o?CFPz4$G=-^bx3`|NA#;}9!wIEyF+8>)qO
zk8w6a__U^?-K*<HR9>CyI>Q(O)^o3IHJ|59mx?N%>xxdds<uRO(16nI#+}ubIBRyV
z?@W1}#}7i>#Y)84MRe@uTcd3H#FfeNv)Aa5eBz1ccMIi*E9n58Hgu-s*>0`TD9{k^
zD;snNS2ZFa0Mi9$^qMg6BRaEK10P|v#MccS_>87ahrL$Y?Uq8{eL>?~RalBp$N*3^
z9kh~mO>=ZIXA^)xa;G;=M(raC0Q3ezvLuRZ#HK>{bz_-F5%s^fz&)L2tyjJAguIj%
zzp8Gzhpu`ciT0}sAOd-J?fYEYTNk_UKPqEiI1KLBBLQR30}YkS;ZgMV!tJY<Pa5x1
zaR}TW3%%sEp$c>7j7rzT{ngq9pxnKEG=s+e#q7?YOUp9ETPl>k(tF<g==;#(AABqY
z-uInXw|8ImHzt+d%?Y@#@{4!p<9KxRnzmWlo!d0=O5+`o_t^U(rIvT(^n=a%dA;#c
zVF}d+1Z+`H7kOV5bVE%1WdfqD-qK*OL?|(CwVTH74#%UctY_uc^=(4uv*~PWchUrT
zyL)W;UGEOgpPz+cnS?~~6SkzTd~fa{xJk@vZ#c5sBeT0xZEx4xJN3>^I2oq1sm`-a
zT@eZ)Fyg{$Sz)eGjOD;1u8zB0ClpiB(rIgFuLv`2nB5RyYAmYbHTP>8l*!pWT?R4^
zRU}Oat3laPF)@omYYAb9uQ?vdmjOBvD;;={S=S*drZ6sXc#un;f^GSLqS#8rSjSOH
z;1$}AIMP037G4qst$y4|lcd!S(_XjR8w>`0`VU_n`s(*Oy<WcqC;1?bROq#2n#z_9
z;v(@ytW#b03*EBuv{sSwUb^z|Z?@Va6l5U{>YhCL==<J#`uLJ;(9BAMe5})JPMyBy
zZ4o}cvb`gP@B@_wk?$+S3I{$^@KUw9y|C3Lgfko?@rOnyYfR{)!xCQVP&R1m{Kb)D
zWYnHtJA@+~CB)t>vRM28YM)FE7Os)-ff4M+?>Xaj#<`Z`qS$uPnO;I+U+Y>obKOh{
zxzFe;1Ar&^o^$P<p3J6MF(qtY<%_yK;eW!Rgzt@M(pK8(^p}=bJDpw}CrJ=QQZ-zu
zcFsarY!Qxdv7&vibDGP<gj{RX>uZEFWm!?vN6yOKyx1+v@n}39kBJAKwWqu7ZpSQa
zX`mmnPERjh{i<#cf3pzvJN=Jm7MgyP+m&%Vm9V`JS&70ziL+!~;CIBiA%p_UC@vIh
zfni-U0Vpnh0dDk`r7f;ImfHo;9PYxjfT20S2@0GNqe$af6R9DdR1&z)nL|}`9ErNh
z3scXVispt0U>RFf!1Z*x(ZmeXXg;3kVqU{7RCZR5b-NGy?WNy+;`!NpJ|;pC4rCb7
zc_*1U)x^^MNN_=(=l~HmIxY9sf6zD0mi)YS0R=zW$*0q)FHF0YByq~&X9!L}A2r->
zgsv+ZusDqAz|z*!eg!I2E_&8u2Y)GHcCQq@Inu#uObU?tFhu)o)A&um2a~Qf#BMZA
z=z9s=6aM(v$X-d%74r&kT!<?LUU)vUA0EE4?+1<k<pM1)1TH@^GE2VDH{H{jbRrMy
zu6h&(TKU^nskKK%(geBMhauJxP(+uot=n2JzkaxXm$+8&+H1FWNI1|B4wW+M+j>x3
z8P(WB{NYV|yg8p4NKd|rJ3=Fw%Da3{{r-=x&yg$#9;4c;Z{N8%tnU{%fA}F!K4?#z
z53gP_MWuYx>&NLJh();W$7}uNp<Ua~L~Wz(S+=#kQxf)#;^Aa={rV2U4*DlyEiKz#
zx?Z=Va%HXc==u7g{`MFk+|PA9&b(n>4ks1SfzfU=+?B&!f4nPZ!)7+r^P$bhqMpI6
zL$<1LjZGJ|VqZi_a9whN)pNm2LfJytxyuygXr6`u8hq1PdE!uw$MztWrQxii;PN@a
z_{OhFARPh=k+qQ*(c6I%G;qLC(kF~aKVCE$fn5}U;X6XF*YN0pFua1VND!i$?M%-j
zg5-(lv<GS0OIxjew>4Pq47$XFmivS5px^GbdueAWO!^62<lF6bD<x2xunG6Vn1xF)
z)(9OKKhU`2<i6J!85kKmE~8*1vVHApc4dQJFdo7A;QZSjeaAcB9i}0T91W6hMLP(4
z-Trp3+MXA~ot@EWsOvgSVgjk{1YuLkm)U$)Rka_)1QjQ<S*6sHRjt~FK@$*6CpHlH
zgggl%hU{ODQnGZy5KedEd?|%0sesw1bixKD4I6d}7uRYR)-KiySfTFly<T8W$V&)i
zvypmT*7dX~#`F1nI-5=A8Nqu(mvcPuZ80O{N#Lv~o3f}-xd$xG2$F?S7$r28G{F5d
zX@@ExycQTP*`gK<bqZEw6x)nKsfD6D*aSF*&UIbTS5?jOd_1R5Byu{RjHdGm(TJwV
zX}ij$exJK+!6BW~jb`*HU+Fq|#EoY!OZDI-^M*MOjyZZ90vB?CB?h5tF1^#(_=tsd
zZkO!+&eOwNV14VfPX;};f-ONk4spetuQ~9R-Gl&y@du{}e^>I#2n}CR&Y^0`u@(X~
zPLWmc$t>L<&+{^y>ZTx)oZCi*en#UyE8xci<1EBh+hShrY<poG#I4m6XZlO4e$pz+
za(8n?Q<Y%7uJTzi*W7Xf!o}m&RFD9<j9H?TrmkS-)6}%_Ns`j(0FvBjWK~$KZ*|kw
z(x6M9r=4eiQxcA+Gu>mWSDMl^=MeWSR1{)@vJ(z*>sk<j55qW#Xl$wsJvqEKi9$at
zW}BLRI0!?HkUk=bC0NzH)lf^|@&}%6LU}Y5c@MaY-5Rsz-)x!>?V49yVOLxqt&I27
z+<wnfjd-PUowJqQxy#hI+TPBJ8YjOU-RmPO88@@`+gmR`f+&>m?tZDSy6K>3dz;6^
zc%Jm`+sA#pYhTbo6E~6b+xRf{J{`C)7HenQWtn7!QFT9B>n^QUlPxo@ic()LuV0<j
zS2s4f6H;b%mE|Sj;iT1DU0Ih!Il8*tX?40wr{<|>vSxO1gP_#(%8s`?RGTBYITG7b
zZ+lx0H@tl0RfNTLV``ugNw;3u+tq<jcWSglHU%9ts6sH@gdS^`TI6z!*z~-l&j6BV
z+``3F6xA(vaC&STC>MdE3v(00=9Yw*YQh6`9T1jJpwlPNlc5S+nF{KBf-jjSjIU@P
z=XvIp*b)GZH1X3kO2U}1Kf%d<zt!t@I_&^&K#;$7r;`o_$?Bl9G&t7j4SKykylL9q
zPPfx)wF%b*C`ZObBv9>UJ^EhQ69bk-RI4_O;gscwE8%klYXu=cin2&9^~A>J#_v4-
zvB}j9_NKAv>alme_q`9CJD*i1fNKl}#&6KaTQ$vaHo3aFF&ysFP7jv)J;E+Te(FM0
zc0Qlcu@fSPW~L}Mhoj}myx;F7aRSp!0zqsem`WQt&qWmgyu17$$tVf}2*f)XNYRlA
zx^Q!G&7MGj5?#6MB44>Ow2Mo%oRh>swDb*ab5mD&RZp||cs$zK-WlzV#?x7r!G;xO
z<hnqGnNVn%&k5P*sOgvBk&P1(5s{Bn82Le@P!=`~B2}$3!q;5C-?Q+fp@+8)T1E-M
z7I|GxiflZeP4YSYJ({6%o#P{$NQ;&Xd+nAV_LlmCezzOK4xS}ME`f^g@Hg8zAF;<d
zXtclB2)h9HoR((zHZEQLxM8J8RSMRW^O}j+zt^L7UmNEh%HzumSZvP84Wcl(<c?V$
zS6B(b*}ke8hWNG4N*X^%Zt{6HozFm===&1cPsCuVqG}x1qJ!0-vDT{!oGQ@zC@ob<
zpF{{-Hx-R;RZT}k{{7DK+R~Zx{nZn3XHYcF?hKrPP&W;c%_<iSU@Z3_!_-niz;9U7
zr7Lh+0_kjmgc=rsZVC5JnhQSsaZ(n}(RmaTk6^95$BhBBA>5`;lQ{(ctTA2@O<KX7
zwL}`CB#JZ_@!^OHRT#bj7h^@4#F_@2J>jc~kFK>|c#;}>FM<0LkysAA%D!@yjdtf4
z)=Po68vDvf(ejljK<L4%mA)i@77>8ECy70jNA(Q12vU#K>5V;VT&QmvlkRPuEFJ%-
zJmBtk=*Z0>)dx+a<hBZw+e)bWp_}p5mW<wHBpKiPe4;Skk?T-;TW4J)@7p<N*UvYd
z6>s}uX~nh{nFxzIxpH~ipKlC9F{L|WR`&aYul}a5?=B5K^q~)5e(Cawa~IB>e{gem
zczt6Slrw*_=@%lOZEj6>Z7a#Qx9nu<jb>_^g?XdQOp6KK-hByyF`QDMyCLKh2?pSB
zLqW?aVT&9v0S1a1AdqoA`yq04QImW1+{G*MI=r`+0}2cWT>_yomeAi&DRa&dEA|zv
z*tI1XSDFl~1Fe*Bg*Th=3DD9}K=*(8(AL_@@l&VL<xbRV4^~!=t*kEhy33u;pxfo3
zC;HRvwc9BK{HS&Z@Z(l2-&vG<q_?O(paj+|I!qfFE3yeW*Tr2V61!%yGrn#_L+_wM
z&7va!W7+s-GS8lS{^@5w^@%#G84=p0wbgTH&LvSe%L*S7WGpcd-Vsehn5dgXdSz*S
zWzg$(mzS41?JmJ~LN+<n?Ah*cyt%VWKu=fAcskx5?hg7yOa{bUxBv>z_?9md_89j=
z*s26du>(GKl53!@cJC4V0vg5PbSYAv8wPf_1Rtn`S-9s27dIsq2KH7%;*Jt>F`Z6#
zw|6(LUfbT@na<|~;n}jLq>ZJ=JR{_tl_i1D+RX*po-heo5q*VefB<25rfVjPH6wiC
zx$ar`JypE$VMSS%6N0w+e40<j*=&NZX-0S+;vC$xX$R9jQg{aefy5|Il6IPQTU{a#
zbfh%ag18^o9mt#N^ar8*LYKeq*n?`dakYHswCXfV_&2vAln}(19LdT;aj{6Kay4wh
zc><i;E8S8Gz&&g(ncfn9Z!!kyG-#T87BaLWGrq4NwBZ^(z&-s(&le@VRwJO;dG<*6
zo;YQ&X^Oiu1P(EQdrKHR^26;b*XH99{VehMl@ljd)=%}8*J@7<C)sc^o#&MYf2|1H
zkmr#ioE;;BOGswU#H|BQ213_fmC-KHv9MSL^87HO_oOYOA8n@zGLHk5BoPs3x-L{@
z4iqk=cBWX8&TKruc8HBz!DjtfxB$~53LS+^GX+3AL4U%55&U*A+fWLqc|pS>cQ=Ql
zEfGWF>o_B8eb0b<Lfb$37WG(1ylHi&A9`N@{Pnv9-M5rD6?+$p+eQ`69PVozHFkVh
zVKQruR@P6(w+#gN(mQ?Flw-HH#a*AAvt8{+p7UM^Z#B4`!01fu-PhP2?XyR!&NJ;j
zKE^uRZ3p3sTWg-n?)kd(PHow%<Hpoj4Z)44w?h&pabDlQ6Yl(@^GDw&ytGWy(Wzzs
z#A>j#rf1RGEPwAq>sNNJJ@>h%lr)dM<H93vd)sr*yma}=XXo?jwX0XgvrI|4Z*I+Z
zw<=C(s$Y7FZlRI|vJ!ocCV(_s3)oRJ4uX8wSC($u3<9B<XPXc&moTo(ExTc$)e*ku
z9BE{n!qmcT#_S0tT`JNdvl9h-pHT_2TT!iNoP<KB50@7q*m|8HU|o-Ap3;x~(XV>@
zyWTn3+P(VHi-cg8){jSVxVyEpdwuKCx4-=>KJb-i&K~cjaXX4TQIz^Y>MOtpG;T_V
z;E~v>7o~Wky_!Yln&BOx62pl@xDG;2fVwiY3XD<M^2BYob@8skS*!@mU!YO?j!8k`
ztIhf7)1Ups^raVtR+igxS5KT+9V}V)|JJrf12KA_bt~}CuPz_&b!o`bH0g9&ARlM~
zMoqV7RJXCS`_h#w<I#jRb!TU1I2y-<<`aUm5xp52RZCNPM!Ni0g?v;<o_+4PMQAEg
zgTla1go-d4#03za1i`crKEBcX4=CgsZm4wvL&NR1U}s3C()pgsW;&TphU4MxaA$XS
zKA+bp^Hwe(8K{&oD$y-s41VaxLE1`^Zo9QS7#v&b_F4qrtgMTskTWIV`%;xIT$XUN
zLvvb)s%}QZ(e7k4&1M94iz+AXCqo&;#1L9ZNE|H&(2G(!&@JXK*vr82HdxEshD*<K
zK^1SdvA?N)YWE3%6Ddh~@VdmQ0nXf?@Ut!opz{K)qQ*7*a_<7{EKzKxIYo!TSB!2Q
z+0gK|B+66QMOBUqB0*&}%Zphy%g{go<j;<t8iyRq9Y|P4V+r>+H;evsIyrq#JjUvl
z)|J<2q@bagE{TQHlX;d!Nk9{9>DWqtd9A;CvOQR)nXx-9cgACa?jCJYl$69VSOCMV
z4H|+v;-#3LSn@#E3K8`(L-rMRTgPFfaC#yVn+{b(geoMIL+56p8$S#cIG1I^DOBEl
zIN1sr(9u>Nu@e;r%qJ0{3q5@dLA_+lSIhNzgR+6oiW}7k!umPQ4Y!;_;|Z}FaYb!{
zI5L$ei+d-b_D>#@U%ULKR^k5q3H2*GX4>2pyWdgXyE^itquW#6UJk^;5G#7TkQ25(
z1cRIp%)VPC-J>46eMT-s)y^Jf7cUofe%F`opU>?P+03!<w!QgkDDH?=&YO%=>8p3Z
z8HZr~|Ma|mDYsvUJ*OK`Y3}(!yI3H)ZtcKKI~@z+#!uc3b<V)|-g-Dw%-l!wO(gC5
zeSg?n>)USB^kcJ>2BnnKdL=Ku^h@6Md!JF4Uwodh*i%n@mTsu|bnJ<Gbp7ghdmFNA
zVG4g<*h*SIpj$FGry_qx`KZwou2HxJOPfdoy(a|Gfc_;bQ#6)B;YDIq)A)7CNtN_7
zEU^Wq=OO{$<ALD87h>nU$Wg4$l@OI=1{TtAZW4VuBq2gLJ49CGL$Toz{7hS|v~%|1
z)8F;&-|^L7_C8(JJF^+VnO>3*A{poT#?ClNTMs;N{%j=Ey#wvqa<Q#!`>q*f(}%^C
z^@04H|08b@=i|6wQ3BqzFg2>a7LGMC@VN%=d5h*q!^qD#;R+~^XBzFJRZ-Ev7SfKI
z`qJjLPk-|9YBCP2s=O*We*Cd7dEbSz=OZH;+UGFfbYVhN#69FP0qejg@T2??0vTuZ
z$aN}VQe9V_Q1#ofX6ed!JkI8M93`DzKTHxD_&l3C9d=&Ai?YlMfa|)_Ig}uVmlJVZ
z6(Re8;4#)=d@uCfM}~B~Bl=$y`9X}_FIDrQ!_oEFARZK>BvMjmB{VioQO>7;_tV*Q
zLWE;7qEBixD@)*l($Mb^r%FQzqvEvHPTPd+d+koY(-{nw`kgo+pj*x|(bPhs5)Vh6
zn%<kfgI$nEyi*h4olK{+I~G~XK`U)VY1HYpyWLJJPGd!zOL#K$U0Wx-PhGP?;IRN{
zVO--57Yfqi=Db_i-TL`}KE2*Fc2VGW5@%j@LI@fS5#dk4NoME@Z?F=hQEx7adNQ65
zN0a${Oq?hPWQ&+h1V>2vi7YR(ISnCkl_`CfS0xh{0DCN;pa;Q4+|rxYFp5>IJ7>Zj
z>=|T2`sO(qO(W_YR6x)vo1l%tVxx&ZguP?u&Og}e_QKBUT>He3hNGRyWL8#noOVFi
zX@BVVw8czBzMEI&ISm_xb|Mr(L~m=$sW7E;Ol8j`Xz6LwXq%EWrXd>b?$Wrn+A*|5
zy5Xe_snCh5EZnLVZO0|D_5y<W^r0~I(VA!&fqR;K=pfe2c8w-#1`^I~63~CaO;r<P
zL)&r9;m;z3BCgghKJ4BA_iLf}y5%<;_q@L^-rc!dlGq7ke|ca0)aBbFkbOr-^ba5T
zCuc_s=a&n+RojyX>gyL;;&>#k-43t)cXh;4aOjz5=XTQE?M2q7S*hh85Jj-_y?0v@
zwJxOM2+X?w9=U<5`azeZo(~t)+m)Yizb<z?o7qPW%#Cv~QhuMD--bau7K+CX=d#`X
zr{U{cnmBRN$m>wf_<m5ChyX(|yLS1~$IbN0#x;QUy8hK)`p}1e^YK|;1nt<<xo(I7
z5H13eHbSA;=1Cj+SSn{748SYe@mO+gYR{IIzI1Nu(lZ6TZqNr<Xkd)SGlA9->sJbE
z`AXrQms~8DEc<|fcHy+KXD4DfXjc)!=O9%98+k0)vm)Qw>?qahw3k*_*N-1Rd-m+P
zGiSc+J&(Ts-S1pUoP=}jAYs$zaP}3Y9u?JCx)yCN$Q$8Q*HVLEr?4m&W#G+G*Rgb|
zQ_$F;1s0MP{21Y?2EkVJx{uaQSFmrGu{aYMv!@)Q-_Vjf1eDW%5G(KsC3j}oQ_np6
z@@GGT_)QjQy!CzW{lM3J&BG^7q5nV;4e)8a0~BSkrO3q<i~LQnET#|ai7DV&q)j*U
zMZbf#SOS+zefoyb5hM*^hy{|Gu$3u{DYY&LVdrq1WDA=T-3dj7rq{ecjodWob*<6H
z$nqoFY2Sw;I-s{hx!;;pnutvvv48ZUCx|W}e5$UpBIB}jl}~58+gm$3o4do!Je$yz
zAy^$MFM`!ljEsaZBsM}gyxr+^S{>LTrmckCPl6z7tjWrprsh<8?DaC6&9fOn`63sP
z7==)<XrR5-l~ux#old*cZpB1s;s6C-bm9_<CrD4zS8C-ofwTB=%RvrBp#Rl6mwWNb
zIR5vm<r^o|S%7=yahj{;n5xS21A6}etpv4{XaEuDFDUZSIKO&rXJg~yWU?cbX}6Ph
zJEg-#;G7Ojk(I18sgdmqH+NP%VWfQ~x*V)47ty@zbgIN+w@}YE+%t~uV}R{S>dMEd
z<Fg6|xLcs~9RzXQ?+geBZ*1&t&WVndMV`^_5Y?g|poyR$yA|9VT)Q4$4#1OIMi^H#
zyUgii$2uDOtJ0(qmfk){6ZjT4@HIumR=?Ljed;7K;4p8cTli8~T?jcD&LDhNn^vnu
z^oE<~E7~Qb*m{CkiE{S1QZV6!+MWgjo<Ma?<B+5&T{#+V)X@gb0POEyqP!pY_XfCs
zcUQcpdk4g`-?}b8GBWz^xY@m@E8gFiAHHR>K^N_BT0JzFw0|ETA8jyrK7;w@L2y6t
z1rdyYbNyC_gXZhEuF1m}3GdU>yQstARlxlVxjh)%`z1X|oafd<YU%RuHA`Y8ywAaX
zX}ph)>^H9-xPN%wR}JI`w@vd0@c#2ZXwbf4#oL#F(JB1ZOY#@DZo{AvXIMKt>ppvb
z5iJ=HOeXZzi>5$UkeN)xrJd^=*RMbGq@`P69Ld1n+1d5Bcl<OB<3zYLNKXUKLb4DV
z<gq$gxN|&2X%Z1qbT_wIEoR2#wrae(@R|x@71Id5OS8qIg&rPeiVVkHGAeXDK6Ewc
z(!@VJ7gfqef_l$W1VRP=RKf)w0TZZvrHl#7wY$B}(qQTM+VO`kTzJ<z-}%tF6D!?L
zuiIVkqyd`hV1D3pE^7r53U`_@E~oqblrXL#058-6(=$;)nI7p*0lG)g{%U-PZ=6!c
zuyr?t-mI#w(CQ1^FZg+29=mW%asRW6Kux6-7Cww@X#ZjYAC+JDV(y8HSFe5iqaVvJ
zUxjU=SE=RYcmLrpfBRb>?f8LhDkS78LE|1EW=XKsx#bjHY!?uz*$>YZEIlTIU^oWV
z0sx|#3js<<U`X-E14zkQ(Lr?^iP|TDDu)CKTcH_~eO4w-GlBaGXHDS`%tvYf&dg-+
zFe1zu)jERBAula3;UIW6&xjz*=SAlHjT+<>jc2oAQ)P6J;}~}2amdI$iU>h=(^j_~
zw^BUfI8hv~N}En&S=4%7R=hysO)CvY$85%Jw}|p3_?|>;osz_Tdh~h`9)1+YFi7z|
zwn;&88!^Msa(OjonKPny9Uhp6c9GD9A}>0E?JGoB{l4Jd{fsfJLX(VuS)sxUOXyob
zRsxF6(8Lh9_Xw;S8c&a?&}cm0+1|EI?ni#B6(uSB<24pIuo@)Lv;ik6Nz{skV;+3-
zadbIl+0e{k$W829dV7*0bga?OTRI~2F<4Mh)<%Ljj!$!hKEK`WEw8S^2eUL|S<T0j
z%NyfK;{{R3J=8v(aiVq}KinNG(2t8QRT<ET*8B;o&P|n}!zPZ=4xt+r2EA6_54|W%
z`~88ZEgdqnR8%$b7CL21_;b=p*|2M<gd|BgVH6B@B-^zLZc`CK2(cEMU}8Uc{wtO(
z@lphPXJSQ1L_rLh5PiDxX>t)Gsv5cq)u0iue!Uko_q5Yr))TEe5v}rpfmjX2MtN7<
z?dTr-Eo<_lBXf(z`!DUuZ#XP)x>njJZmI(A)ZT}O_K);$xaf3z@6WEw|F~stQ5^rZ
z%knD+hc@7u%zkou4?v2U_I_#Gy!}8kat~voK0a=45oW!oBmT4X``=53rtZf^X4<HO
z?bLr}UH;rP@w?MMK=+^b@hdy#d(O&(DEyDD$e+J1|G!(K`ZRn0!pWnv?iV-jCt;2!
z!j{+^+F$>Wnb)?gn%acchjR;z1bqz%;zg}C+xP)nNLPqMXcIl>djD8lKqy$0Lf7bU
ztZQ902H-F=c4!UfpEa86?ku(;EG;4>!5lQd0ezyB0V<oi;i|mz^<IE1AY^B|=s|Nr
zcWBSa@wp)Cg<(4AbO*f?$JfuDf8hMNGbc{2pFV!-<gwLb{lW5bFLjy-?pUlVBlila
z#@P@ujB_SCNu**}ak?lVun^5s1^OGVAQG5fDG||6mTaBw0bbLfG|=JT9U9+OF!WTd
z28$Xjgz*-AjMgnUaO)=*@&SfbQ~Lx}8&UhBk%ewv-W-19BftHr4}aLJv;>FJD{pz|
z!S}qAaH`66K%`00(c!lOuRzJ)vO;MQ&g!z2g!?Q2)V#6qIU>dq%0LAyY8D*7YJJzh
zkDsc2!!9kbfP~kG4t+jY7%J0i8%+nWp#zy4ho73NB8Xnh@+@PM`uUu@H|Iq&Lk2L-
zB$mk(2u*6LDY|551j8L-5j4VeL0Gig$D%?zjglm4CrLX=(<E)TI`lWO4=90xka!lc
zlM)jOembzYLFXvUSD1motTXfzB6O{G(n-=ziWq^!(Sj%rTvV6O@J|_+Ba9=Wc{Z^;
z3JnjKp3bC{-6*j-#FjbM#bYUPlR3^2TSECtewjoU76|~xMc7Jg1iUMi*8K6rR!u;7
zmnIVtH+mkC55S)?iV`BqT9;UpC{WSnC@ruv&;g&bS>bI2XwQ~K(BT+1)uitTRul5|
zS*wOAZ#l66yJk4t3mwIT!14JNvA*c!`pIJ_PRS^_e08J9t64E8(o}03p<CK;&H*vK
z%IDr`r?OLgLeo1oc%6<XonV=%ORT&FAyKD>nS0u5tsYw@YQ`3zhI41>QZXv)Y%&>J
z*0T9HP98LUL^X|N+aK8f1Yv|?KR9NCbt3ML;Iv<kes%>MZW5MGi)L)Vm3hqRs<dc~
z25Z}Mc#>$uHt2=92f#f+snhYDsc0Sx#iOme1>Do)8<xet?ceGh{ku=e@bF3c+hcqE
zmG+S!#dn^N2M7Pldh%P><j-Dv;~Nl5@2{LuM>gOiBXcpoH?ZA**fO;J2R&GbaS_bA
z75Ns8#(#B2tw;BH+1@=~$SuvQZ#l4ZLnrw6o>SlP*~a_<y#G9pmvj60*nacsfn~J7
zqjQr^oLga)e`-zs;r^jh@p@%{ZFqkj2D&4r%VKLBWCb+qJ|T?)p71KA8!k|_;B|hd
zC|`tS0-hl(2feYdgr~cxXA5Bpp-a=0x~>S{L9%XGRALv|M))woB`WkpU`1s7*!mIH
z?Y+wRb~p)ybVYgv?+(-%2_(bRvi7nHxlxAkzVG|p&hpx^W2a7@eBk_B9(w43GpEk2
zA73BzSNh$gmBKL3`ILK2!N!QR1&!fQOQ*9D(9^qw1Pw$hkR$@cAXsj&z{Y@eKEw(v
z%7)4YT51B6SfAjyP;9^O*#VF?jo?y*6$i;^8>ag1omk=FIbD(Ed?5g>TFQlpiS2Ye
znV0&R=U)8SZ+vw6^0ioUkD({mPoG*oaXbuUIBNneR3H|)Ovo0-NNFr8@cWB}&p&^X
z$3<LC1gk{TB%(PntZ=^(XrHuh?ZYLhN)82sC|p5mr1hfpSGjf{4l!08C|3d@q6QrZ
zfNJ#4RZ|g%Awmc5%Bq<aiV%L5XYjF~PvL$upQ5Xk(EW4@f5S$LiheD#CXJ$?l?Lqu
zEv~I7YDGyDCSl-95fHwuwO7E}hMi>^UDkC$ya96(Lr#D;LThJ8D8AR~^n2Yd#5YkI
zg)zM^_g~Tv1#C&GfkPW}V^TVMX*RLZygq|y1wP20a16|8bNGAdX2=b1@FQM14#(>w
zA_jBg2c0<-bS6IRk<jl+hei<cZ=kr>1#zNzJsVf^F*+cMf=(aNYPD^m%6eLs)3V6f
zMHQ|#IEnlSy#j1R8V1HjA_{Tbq)Q!;7Nu@eb3gOKSC-c$z*s#_%R=UYN(%&qRsD8%
zb?JBz#^do+`&C}q+NdJed5L)$v97GPkUGU_O4z!{5EuY|QnsMwoHv>njn9sq5?$H>
zr)L#W6fLc+wA<~Zg(hrbf78)!E(0QgG%08Tg>hJxl|(UKI*$jm{%UCE>5IU444YOo
z#G`}UwMTHPz0aL##54)X^U?~MaTT{kyBui<?=j}m8HBoM3naAq0mebx3s#r|Uz|(s
z4DO-feXJw?-`%@qC{{!9Hy%(gJz<Z8O1}2TpIMWCbm`FTJlEdOUpKQ?YG!?6W`BKX
zzvK9g!B3U<SI(;6nb^<0QN8bXo={)X6-Ub9zqV`dl^~s`=k^yi&7V6^WhbEjLl3I&
z{EWTwMoHjbIHCT;>KBUze5SpBecgQHsys-L{*x8?7f-66x%>uOs!vAZU0qR`8_|gb
zJgye@Gxw3g<lkI3-+XwIe8Y<T(`)iyZM;EN`Oc2`zH>*{Lx1+Fxmw<D97~>it33ON
zec^K+!bpu#$dFQ8|HESuC&}tv*iR!r%7aja?!l#i+eTvvbJwLu|1=F7erV@p?-@m0
z0eTilSHuEqc?8xKcicij;)-d8Rky%aNR*T=oeFirs<e>YG|;C=6%veFSz14J=H%(q
zXU?6y@Ro-kICpk!b!B;ZrQdF~_H1;VnGM$XO~Z+{T+BA8RtnC6aq4#ngIM$95>`15
z2xVZ0#TfQV#VR0ZhLG2ZEGfZASNnqX^uk#I0Vt!76~E~OMhyW+7EVA(yx=V$0<hL$
z)r5d4yN<CG5D=E)k%{cI*tx!O>4g_PMS!<gds8o;B+~B^uCbzFLv-bt$Us4a;3JlO
zuo8!ZNm&YmS}c3Zqhee)qAV4GA=E9gDN3Q5>odmz9))9(^cJ1Ltdw%LlAh&u*u_=D
z4HS+Xa~|oEL8VFp)zGGSnr(4<wG@Ss1%O$F4%r&!F7R?GA?1OqOP--&m+j`uvLFl^
zM}86q=!N7uG*&<AdQPutQPv)ebm07Gc!?bGS)DkDQ`V_S6~VZLem!cT@3z%Spr{8k
zg>r?B&OJA~G&3=PTxnfjw&w))hMS=cvlw1k5!yJe1#ynq%bE3Dq{9B4*@~mdd2R%c
zWLWW_2<MZ-AH_>T&`JRfbDS=bq^4@JSv47E<54yoPiHe4Gny2gAdWqo`!%sTmCq+l
zo(awjMvr#`xa$1cwa<p3QDtpxqj<4sV~GK<m`J)AZh7<qns{^;60N9pS<G`fjK>DY
zP9Hz3{CIO`Sb4@zL*e_#5zCFvwczzDrEG}UV>k(+^}S)odIQfU`U_U|+@^x)1N6Cq
zIie-o)WlDE{XXqCeHNY1@T~O%Li4zKAjQk3t+>}sX@p|hax@aq%xT!2Q({{9FlM4B
z(VBor2FT@T*V%RyXMp4eZ`kpJ_QRnIabTR|#nehJBJQ}a1YvaShhM{~^Ik}(?FZhe
z_>L7d-*T7rIKHPVe&VhEfBjVR^6M{kf8DbDpC3|3{PO?pmU)$>fFFNZf7L)7EZ#qm
zh#!56|CgR@F28<)@lC7pub)##tlWQT+uS8x%dh1@r|eH%(qFp-z1BgT^urIU?|Pzn
z1ML~#x+cHxyz;)79v>bWf~wzk{Ln=F!SiZZ+yCqJo6kO&iof?3pAJF27xab@LE(M(
zlg*n0?%&-NU)q&)nW9tjS9i>9>8`%{@u6MwD?8@v4+!caW|fo1`{4HL9yB_O|NbNX
zvBPTnXEOWGubKOA{X`u<EzUjEy!=@PD4uM5R<zSS8}L)G#~^CDY^>)sm4ms~mR^$~
zC>6lRxEw*o$q;pTB4SXy?-YV2P>&r{a9`#U8`64U&_@UdjyrgDA&PCFp~vDrVYe{u
zcKfTn!HHw1&zwDf?(CVfrye+S{^Z))>hkiS-|KJ+rF9WeoNKlCh=uVyH~WgcI3SM!
zIH2jiPG=!VHvE!sOBo9T{Y7yWssq3S9D4TWf%KQr9gws$>onqq0^7KE6HXNaNGZAG
z%055*m)cXrizb4cf=~-|_k^Y{zwq)ipZQd_yWLq^Pokty+uqi6eC1kkX;WT!dl~v!
z-4K$K>{5cfE6p?v#|YgBT&LwU8}uV9-f<myY-G;TY`7~j7qN?&0EX@YQXI>HL~doq
zRqL(u>|9i;Ez9$z=Dl*OHw!CLmpq2&Ff^fPS{^4N#j&+$eyy8c%@L|qV~eWdn*MMy
z*`3ekCEO3O{ZRR{Sq?NkMVVE)^n44GQ<@q<lmwh}6cTh#lLXc`al$2C98Sf4=fL%T
zfF&l^!_0@4-D#QyTIZvI6$~&%?o4pCaNcyolhk=ty3AY7S`gexvFNSdw}O*wB`IFX
z!|Xt9f6pU_dBkEUSq}p@A!dOdccb${OoIWa^ODXlFKo3|TJ5%{s=A)2ioiWlGv6j@
zLWj@CDN>ZSg3~3eFF~ZdIeMW@6zN#`G%ajs{YXZrh6j?4E`l8BT=GK{_X*rbrfJ5$
zsgDl^YyIP%7mue!<N3r|C-Vv6U?fRtsWdkQ`z8$2q}3+8Jey5x^ox6hx@iP~vxzPS
zBBY}Mj%SI^(U$glOV&$>-qDUu=Of8!7W7U*JL+`0QC#Vyih;CDuir^x1TfJX>RND%
zxR%U6(PNE_E3laWoyUUD#D;nFLRv*+!J=3|qafk`U)8cfdkOjzSXsvhjjlZOo<tyV
zJwtA;sfb|R1K_^ri@}}S%;Vu*Hy~f$7eD!k|5u-CUU)tD{*SH5zk5Ng9=@Fu93iNh
zfBu3geZ<dQGv9ws9SpkplAidH3+k^utzTD>k5KFnKkP3bHpwA|@Dmqxrtc-J@Wc#b
z^5334gvh^nRsP5Y|A(G$Ca=dk^}9}~A2_f2zV}7-D2(@yujoHA5N8gM#*Xj(@I#7T
z`VU*L1FAmS5`XUz|GnL#Hz9hH-~7TeMmj0}+FAAIj>}UK0LNT=-#)WH@J#cC=t-rM
z^l!hY-`kZ3&!Dvs=^u&oe&O{9<sVKlXz#emcl95<tS=V#qcn<c`DY%e2@|0D#l`KK
zZp1a0D!E4%bx#hL)zAP#CXA|K<<UJ7eWZf(i@4;yxDG1R#kdA6TpOu%0f{j6P;o56
z&=Wp-P?1svH8-GqRl(_n-XRLpLASTGw6wN*;^e6Z9(v&1xicqEuAf{#zP7s3YbEU{
zj`$;;P+psb@JEY9f}>y<E!fRvQMMF&5$22Xs)OwgnD5o87a9sDQ}N6K5!wY}b7&rW
zsf4%RqqukvPN%wo?e<e5Szd2lWUjRfV28B@7T*UFLI$JZm{OVMg_mCZ;0OQR$A063
zq0LuTdYWKLVnpI!zk2b>Pk!=|2OjKq2XLwZXf-N8>X65clkjeYFE~W=5bNNmLD)dZ
zuPo+GRVpD<6@au!iDeVZxKy#&*_rfv?BeMySdqAaRBwE{P?jttCVO{0j;wMrf6Fnd
z2(d*)8tWZE%@(%!L@fdnMub~~D1ds~G@d3Hn@?tW1}lC<$rdI3pW_dpg^C0EFG-`g
zmBa}FdUzkA<CZ{t93W>4-as1Wj+S-k0StQNp5dhD@=BSTVx#eq`>vjg<A6()6izP2
z1jkxuZRD|hiXCz!2gELvPM%#9@67_%AGt)xy`kc&v6Y8j7mMIzp6(T<J{r#<9QR|9
znxHW;qLql4`B79<bt8y3XLKGJVt#%^jHcgP>Lig8v%J`yS1>F^3M|_lX%4B)W@VLQ
zfPH1)78&vkA%xG)FglDB)<|gD>5#@vome{FwQBp)^_@``wwH{rhJ@X<Y4v-7q)n`$
zi~}j8^A#Gm`D`?qPUAQxwq=opS_xF#qa?xMph;C>jisV9oQ@M(1ZqiGUsn}yHBngf
zd*H-rr!Cn|`~41$J`oN_nut^paUoh6V9^0|n~n21O2NT%w)g?KcQQB4JacaW&LHWc
zB7E=DiHyWG9(;NatPK*w5#V?*2(2})U=Zru6X4#vgAs~-9K^dWq5aGH;-9|5|B;vU
zzk3ZgbsD_CcuIZmIdueB6Qut87xnM!Lii6a>#rP$Bih`rU6%jsG4a2>sDJr2R1Jy2
ze$QF;mrto9skDSwe(W`Dz+L$Gr&rDU`|=O<4$aH&I3dp@{trE;UkkQ77K$HyKz++G
znS60o?H7;F%<TVh)%?u|4(<F(h;s6yZT%Yg-q-R<)Whk~tHX1d{hQCd8I19}PbmWT
z`wb*5h1UNcd&K|GKihmEQ1Yjz_HVz~{GAK_k%>gloQm~NUed4SGWCtC@(0hWn-?Vi
z<F<KSwCWx!-k*6`t{gL$p0Um?1Z{+XS&P~uG#*$h=d2w!2#_$a>cMx~2i7~dsyrY(
z)C1Nfdoo%K=>ASvEmmP@kzrZZ^Qp}Xui>|qo(%k?+iEW_A3JsW)Y(&K&Ye5|;Q6zs
zPOYyUTV5V4r>%ArxC~UwYVw*voG`B6)0NqsjAU_57dNi%dysxFL)3wTL$?49j+G0`
z!W&tn``{jU8ED#b;(hDNxeM>}&o`^MBn%X&1>?O%aev{Lqq%J}!oHZgk<HF{`?H_;
z<YzzecvDQ*SLj@s=f%X7BQH{gE*}5HM_b+QWAA*=^6K$MsL5<ToK7Lk2m=WziRL52
zeS*e8$cl3VxI(Gqa=UY4d1=t=$4MOdmcW-EC|-Q<<U+FKISW&9U}&7^{7_BWsZ;j4
zaJ@w*@*b&LESk`;_?pjpc$%^~XN7nvgZQNaR{Hazo>XR(SG$vWKF<hhxvX0st~nt=
zd6eO!I0mdoUu;OT2ci(=Qnh?uJ;5Mi5lK6rN}di2KO(1$+SkZ0j;nNt&t=)V*}@al
z6^B{cbc4j0J!)gkVt3t}nZ11%N3lJlcSo08ue0YwF)p*gy)_Pz#R5j7;b@7jbdOEu
zTLFA;BIumNZa&;8W_4DTQ&Y}tITuaY4*ca_cd3gQ*C;5AUj`AuZ$mhi-Z!tS@pLjC
zkIMNRjmlAA<5o;Z7;&zItYe6k2=99#A#CD;jWjFmbSX|YpL_P%&waKmtF^Nas#eF=
zMZ3M?%cRm-RTVOjQ3B5yI$_J{bUvR+sAD1;FzDs14g)`Oa|z5z6B$@tS!#E?tj+PU
zkkHT!M>~ya8sZ6AHb;{Loz28NBFOBK^M?Kog9ZdJ8{%C?T4twcMkm4sJ1k6Q?vF5*
zrDS}3IC?@mrizwXZmw{x<>+IUGW0{%;$dZp4g+yWd<GXIXmjrYa39@KHL~I*{yQr}
zCFZ_a*`+`n9E!KL#6Nh%|CTlL&##$}jLfV#dJPsVk*9n4pIs*yDsLXff3acy#cODd
zoi^V0KCS=J+tFKm@cDPN#ZN!#|KgVU*Bj=euhiHl7<qj2G5IHt$@g}}kt|pG`JcY5
zf9~o%i6<@>1RtB9e5-%qFtYr>0G#I+uA6^--F$9t%`1%wfl)dr-?}a@+=NQ!8uKmw
zB9PzH$o%h@^w~sw$6;|!-$yO{k1ol7c1_dN8r83WENCWw#Xx?`n*91@*}Lfiwo%%@
z{<OaQg|9%Lh{Rtyd9*j(V~y6IS(870QGX%YNa$q0km~O`b%+!V0`I>+ufA?s{;LiB
z%R3f1$~XODjGzqpZO7%;F3HYKgZ4WU`?sFgGkxFAH+lMkJbA8u<`dQhNCCh#j7k`s
zKy_jvOlBzUKo8fr10$WaJ=!fbyRBIEuk@V21yL~p0rwz<9}3-;i#)IL!p`SjRSKn&
zZYNzHtejjsfByWr^ADUjedhexv!_n3AM5p?p^qX4h(JufMmuD~mwPzxag;rSZ3c6U
z&G!rG-d<_mxGvW{n9c%qbD+Y`KghqhZ*}4t54}B`@O|{Z_}*IknonVCxGs#X(_#<r
zJClB(yxLZ^Py15pis1Xk)s5L`L~JIFg3-?A<x4M4C&Ox%TZyoq%U7>_^3%UNSU=HQ
zKT}w-F)N>Z?&Xc0A@XtS($<w*OwgVy<Te#SJYhp$wvxEt>z-X*@ljP5X<5f{)h57f
zLXMavU<R{9KCVK#&VYsE4)^%lL*U*zc5;K#?9m%uv@v#JUqp1RVc<=GzOGCO=Nvlh
zWtOvlPE+T$o@I3o>9Z0(VR%JIo+t-0bCWcte?(zS&@2Q-ghFG{Y`}or1rNAPTG#Zj
z&|Lxj3D3JxFn1;4n+xm<4Z3Icnl$X*3}GXB<1)}RTgx~GCl(FS3pJB7V?A>J68i+e
zby_PY?r{}lZ_(Szeccd{)Ky)U95v;kJ3z+le6NG3QGRLctg43De4OXws+=j$w1ZYi
z=#|Y$i7;`BgC7wLPg;K96RC^R7EP<+PHBqV)H%(#nOD%*M!b^a(@7|l(55OYIF=@=
z*BOj9cP~Ew(tI-UnxfdbywrY}CI&IA@y>_{lz{4|3}6@Km*|<u>0EBL+r-3cEV4CN
zLWx7*?y87V;_gwJwg&wHM^d1pSF#}`JdU!g_B`}o6!R$R(RdKaQ$$+>6w@VJ-S|S*
zT!P<=^5rEK521EkZ9v2u?TK$;2Sgw0@*>QF+yTnNtcN>(+=`79aK49@2Zl$Dy9%&s
z3+g}R@~-akM{e#g3c2GB+!n%g`%-Rx=)psR^_KGf_zLdU&$F4vZ;#ED!lOHTBE^{)
ziMH?m|Ji#JU|X`RIxNqS;~n4p=dq^lMnHqaASTN;3Wtp+p-@PHv5bTzBmyL11z~|T
zS~i4`LRbO}*s>iVM<B}>OjtH1AdH1u3{681)zvju{rSJ~jyY$ZbG-LHnfKlI{;%Oz
zRnz~|_tdYd_usqk-prFH?_F!3wbxo>*Fq-QLr&^v_w?U*t$vsI<CWBW_vh-L{IEP#
z@aqcaPo3d^Y@2^BHXoblPtGv+3Z|<o*p<-vgMI$BLw24N3lE+Vz~3KwQ>iCb1pp`e
zeJ|HP_MAM`?G5Mq-Iv6-pA(;%>t7q2&n0F;vpjSe!1}Kpu&*BSzIe!H)bGs9&+X|y
zef}Y!|M%r6wDSY6){;pepUWo<%N3~Lm-Xadx@<l%HRz<21MM+D4$t@uC?z0!V73qC
z{JD01@HGX$@_TUnUp08kT!L>{WB=r?GyOb-Tf+(d$PKmOF(Ay#uMHgI4-eT_4dh=b
z46M3O&h%}XG`RK7`s^!u?CaO~QxSV8Z~XM!eBVp;Yw7Q2uOb#i?7~yJNZJY|_3dFn
zTd@|=2m&}Zl&SHaM=KSQwX-I$2l1i(P{*nq`WOm7WFE@A^SUmlGo7UX*@hR-@9b=!
zzkKoPQ%_&HcJ(6Q`LkzthHHHQoq*~HZvh&p(Gic(v1Zz)J)z)+Y#bZWL-VrOno5vt
zA$&JWgSGLZZ-dMiMSAC?e>rQ%qJ+;_<442V2Ur2m$v1G;i1)4d8}Yq%8epsy31;%b
zDN6JTtl;Ysrbq4Uob`P7*3H*HakM|5r^#sUl#UbnVbEXOI1}}UMg&@V%*e`!!+Cml
z?_e6o0F(m3dfjfX*LOV+If!4w;{sQNzTfMF!{K0aeI2+GHWOp3VU=ZBU6#Idea~}T
zm#Up8#nuE++cr|iE`ej<N-_u9wQ1(Y*t#}JaHx_>b}aZ3D#tw9GA|L<V>>Mlz=Sn+
z`?_39<^js<uXUmhJaa&{^buO!W7aJ?846f6*kWt3GW9kX>s84b{$&k6n?JVY)g}Tj
z^*%JM7@D<8toDM?Rn&GFFO*k!@Z<qxomNz{*}|xW!;(kZ>CjFSpX{929%^!jn`PGM
z8CcuvK`MPJHp4Sl2Hj#ypg9Gu5)StfT8qwR@pv*BO=bs^gVA^|ji*(S0KA1s$vvKC
ziNyX^XC9}sq9}|Lg<&W})a$vz_5IMOs;ct&2o_denfYA%(sv!(lHy{`8ih(Q7u@xn
zD4E9lZ{D69&hV}la2YesDwnyV(Wt6<Zx~jn)KBXi6K5+}sg8k51}g<%KAa#R`(D2b
z*9m~TVeViE3oQye9ao4lOR0|UV5bLMxC%f|CAmzCEQ+FGzYkOfo+QtduF=jDeT_IO
z<^h}o9>*(&^c{O3G&$D`iq*1|3^!V6n~-#L1_e9DUL|hrM&WP`@EFSGrDsB$UQJCM
z*o|Pgb?s#ANeHo;V%PE)Oqr7?=L-%%B~_Gu;<maNINxzzoC53cxeizd{`~24@2ccm
zYUgKmHQ=h^Q6SLsvH4G5sDJt+^0@~#^Z{mlw9h`;f4BM)djLQ9YOS7dIPsek^Zl==
zAAUw$JBjZZX~_VCe#6?keX2Jz^EY3sQ|<i4OJ6LuIS%QvzW<e4IPzO}_$dYmi~MrH
z;Lo@2yxR#ms+|A)mHHQcuWZ^w?!48J1)P2U-mmOwmRkO?9qvAC(!Txd>HUzm8G!7+
z_oey+3A=sFhrIkO-`vp$w{0h>X$qQ685bQocms}bQ=76+wV^gd64Ih`C8{ORPXlw{
zQB}`y|C~!izGVey;Mzw%a{0oAbC=FvzIx^Al`Ch@pE<L>zR~Z6s4Zw-58m`Bi5?Ld
z`9&IXa1@PeC2R1eYGXuMvy0Fcl`X7W$`f6n^TqcUe{G7j<bl1w?hk<b<~NShMokNK
z-;N<r=2cVfwwiSAG-~y#t}zKfIlPh@y(|Tn0FTzzG0|3f`};>xce67*S7fYqtDv`e
z{=&0g@?{^reC_F|yPjsHrp=3<=WTQ%pYteK-yU|iHa6DRh5()bC<%(#3Q*pT02%mF
zHwXhldE|_ayE1iEq7=d*6@<q6IMOBF^de)`8g12?vyh~a1B-H$E%B2=pCK5wV4oU7
zE9-Ax)o6R47U+0Wl{qQun<iW?0zV`G-vVcvVNZI2bWwG~gk61&ak)cvS1ZS|4Y79n
z06;t`p2)Zz4_iC5Z)6!&Lq3eX4932OwgvcR&EN}YyRJ!TW~JLG^B}`WO)JGT+W}Vf
z!|ie)OIX{JK@G)hQIF$|YOE>nWBHhyhEg<wCfq#HL>r8<U)Y`$baRQ*{OIWD&i(su
z-n+B6w_BtL>){AJ7q4ehq!PGZRl?KGlWdZt73Duf-GLN7;Cm0ZxljgmC|I6M;XdLa
zK;%r<@Y@1Q_ZZ`9fN#sF<A&Y6`@2W`hiC-PT^R(9E9TRY*9m+n`@@YCpm$ZcNZEj;
zVeW$;g<NawMn(Azrop;`xl(%Y(t(J&0UE|KlNV`KX5=x&X&(<K%J*Er@QL8V{t#Vp
zfZpQ1K<T*L#T)}<B`_JZKZ7I)EnBe#mswti?=J8Tfl{-w(vmz43^lhiYP`jWXp+DI
zXQY5#-jpb?-&kXBIjs}i>%d4XVO-CLGkFrgePxa+v-JfE?;JfI9*r*Dd4J~(HLIO(
zJImj*C;Dz-e)^97v3DoWJv9IU{J9tEAG{{MX`R1k>4-gme{}2ji2~sN8R_r(ocU{4
z#n%lVqR@D^Bw=d))@$`AW(N4c7n=g#;`@7r_>*V&`*HgJt*QCpH`V|5duY4#+1Mnw
z{riw(ekn28=W~GrzW=_L>l>N)PtNn5_xi>dE9aMw^pCu$UP-?w@&)8mA9bJl((>RI
zH?~498j%HSl?&u}?;xf}9K$6h=U6j(A+dc=`W}GCl02mW`1yX=jXG;<>le>nynOz`
zg-hoF(O<lHeq-3{MNtPn@E2gbHWh8WlL!QL5!fV(X<3}i195X0jm9m+<85)YEyp%}
zymX8fzCQ@!7vS4|e^JP9+{{tiD;BWc*zNlzaPN?A$F!C!e1UiMLvN@S5g(_TGTV8I
zUkJ}}se+1P369SA2z*^X@?bu*yu5hn8R_=7&RoBLe|J0?b^PwL&pdbS+K11aJs<jE
zGE0hDsXX88M()lQm)_Zp!P(8hdcWg`D0Ozx4+p`$N6z7fq_doRaD|Pnej|QY*wAWJ
zUKLpI_5#fs27-tOvw@XGzT}0eO{1=-`m?R<6R2-W(W)+rDlaj`77O%69p^dbmIC5O
zNj1)G7{Ialffodr6bo3bvf&9t^AQwFD-P1lCXlf`$A&eMcWW)<IISMXSd&qL>ZWO(
z=4NrRjt6&I#Es55i)IUJg+u?bP~Li@>b6yyQ8O^jm$Bz>*ANzl0Ub77;*BF_;~b=x
zYWdu{Ws+dYEMC)a!t{n#lk{ZB9a-0v!i^l2XXR{`?Cu}jy>lZQ?IWd-E?z}1z*tyS
z&9XGBvB$JDM9Z*^L7}fr4Ht`dx_#hvp)a?FgCdWCyqN&_8GNtf12Bj6g~mCK^nACs
zrdYUt_f8t83Kn75F}jY&^D5_?;TgD>^E}StnA#qAQPk)$Pu(o`Is*SHivpVmY9)Oh
zcA_BiP+SJ*fT>~?Ha4RitAJw<x*-sNsw}gt41=)SjbO51RiGq~436N9q{5U8<+~oa
zNEvubLCUKc342_4K#AG1H5%t5BSv98+4Cyf{EhEF_+HUm3gUyfd!z}(VRD12P#y@A
ziMK2KnxaI4CqZ*Rshyj-v-JgXt-1X;*+&3k_@Ot|uZ_+3UOsJC|89QwSI7D%Z>wLQ
zy!SH#eE;pAt^eb5{Lh>hAAUrW&|EwJa-@I!(GP&L6Z<yYao&G%`xGR5Kal!&XXe|U
zum9|M@g3*+wMPtOxL25;-$SZn{S)8Yh2anUmA#88U7i7IJNqE#lQZYtPXwUMzx##)
zn)DYhihpy1%SQyOH!}0T@9UqqtwxXJLCH>U20m)7{rTAZ^2q$DGwi|ltDo6b@0j9z
z>gB|v%$P%>rXRVXeq(CB=Mw+=A%E1yq!(fXGxopi{=V&?eaHpxuZwGcfc?h5uy%@8
zy==WL7fZt6Co37yxUK`A{I0`Y26z%~m#WrTngpHb42-j9x3{)7H@D87J$v!o`70MM
zojZ4?*Xwu!ext3>Ym<{tHgE-xa64L!+rC(QRc_698XXH(@F?oDDTC@``AwsAMgYdt
z2@wCF2*>^w+GQBCDAHRTzg*y7{Imu44(TJ!(leia+6NuZsX5^o?!hzGq_#GILtJ#X
z2Z%vsO)~jM>ly(#erHn*dmEQ7KYit?quqmp`}gkUN!;%a07}j0X<h>0OJS<xIIi<D
zlwvR#T-@3^v)&DT7v~G+vsM5h(blI%B#6Kn19UM)7fazZQ-<u0P=ZpGSfS=Z=eaU<
z5MfL#&b_e?krq~4S9sdJ0c6j}Kwo1-Dd4T5EYmzok~B}#qO?_dUMX9C$8tVL-AH%P
z>Gnc^n4Ux#Y>i43>!n1m(Co($mUhTzUKtD2+Bfjy>9uut0{YxKBROX2&FVpTZy6c0
ztqx}KA<`HaQQ|?{Wq}+6(ITyR+&OPtO`HFd0E?>0wn3H%DT>rcB8FQa$1lpP5s$r@
zSkuFR*00P^GA$Bf^r`eP!>TNKE~UsQ1B%w3<V2s~4k>duL{BMT&L~RY@Ox6SNJuyo
zKM18umL_N#D#KpC9|mS~gPBUzxso+CsYO!wo)7`oo-iT^L}#t2-CNy`*NtdZ)GAAW
zTX3lXwHx4fjBRbLGp8I+?>RNw*xV}WGEGx#hY0;n6pf~1T~~hOclup88n|3V0gOWf
z%Eq2<v|_D+W%|C4$QziP0p2o^egxDHmH@09l<NmR95*lre0!JpFu3*{>jeTBOHB<w
zT-aO)m<D8z0_|LzjWg5oFp8?B6bE=&Ma{Q{f@^IaFLg0nizj8<9cqkM=1+vr{kSrK
zu>WBHgQ?uZQ{5|^qsrJ0)KH*se8XiI0(Qzw#*SAXzp~c9n&{_a{cUG4`RL1f>>Ufn
zsd7F(#TL(>-`C~){xpX-&Hw4H{@55`4gWVb_?L9w`MM;^`OT^R*<Jk$2k+$oxO1Y%
z6wX(&_q7;KJ>g<w<UJ2Kss9#9i~bL{`8RLycax29P?}#pGXHG%1l55zgY_k)1;efe
z_D&e}G_dyhJI{_h*|r;SN4&q=>$FsiJ+dwZ=HZj``cLfeZ`tBsGk8}fLICT3<w*bY
zJq`ToJsk5XK>Qvm;Q!!;y68J!zs8rB`rm#XH(?%i1-`dS@UgM}<V=4HHO+t3;9Wud
z&&<vLeS|mT8`&3KAh5XdCC*^W%nnIz&6@-s>n4ff2NK*PUgfID&GZOm8r_g>@9b=B
zoI7{!;)M$rFI~EH`O2m97uL5ny4~)ui$!{S%WBeR*Cc3OU}Wrzbtq1$l>xQj%K{^{
zD7Kr{d9o?QwqAy&DXZGr@@dihDSU5H_;SDOGNwPp0h;%7eG1k$I`g(=n7#Eok8boJ
zB<27Zn3q+YWkzx@=xByp97<(~f3ZIjl_kRH$VIDm>H7dNT`a`&{W~|u<D-M41HknN
zyijAn%1XgA4~Km&{50)lzF-PnaRAoW)KO~%Bj|idUCoMXC6om~<P~W#KC86hs;sAJ
z94DdcTsX5Cd4b)iurBQ+8{tYca-13kR@gF-XL*vQO{pHs^cBVuk@Q6gUgHJ<fGBi0
z>Gr*DC+hb*T`vf%)CY(fCJ>=>skWETUT<qB<7jKDiOmd64=cq>HJc??AJeb`r@0Vz
zku(&5pWH+-ZL`C%$xr(uj(iXow?OGO?G8{%0P5~Z-UB#M7}bz7O^0C?wwT8;RYnnt
z*R6pLDfD$42F7V?$>wF@!KjMqk}xXT_@g?Uxx$z{^!uG~YdA>CopI<@Sqi`&%`R(|
z*I9)rz;Lew9zGh;Iv`p<=mJOvWK7Z_4T!lj=mtVlgmJDoeDK2Cc1Lgk+1lf^CynrY
z#~;ix0Qr&M>*>J96l9=W!9cnm5Gy}$Ysaawd7j7dXexm+3|ydRu&MyXKsvvY`P9QM
zXD<wbZfB#@3E`y5GOOwmma-72)`LR?1dY2ifZdrca-a)&mZfo;bhwC9!80eM6k*%}
zQ8oD=;oPXks>rspaGOP;stTA7T!or8SFr8Jin3_S$F66MWQ#WK6t1~O#>G(TWH7YW
z#r2P+{0eUlH0j5%3ZtI{Sx%}^k^DZN<Ys1mZDM|Bs$WXX{lYn@%mQV01bXmY3{bZI
zm3{V&YiyD2QfSnqK8ABLs}W89p9dNa_?y=G(-ATgIP4BVB4Ff`+8kAgAmR9bYifRb
z`T=L_yq22(@(rx~eJ!@}Va0mG!vhHUi38Xz%x7affZv+x@q0ah-<hGap~R@Wrhoxd
z;eBH9AHAuzJZ4*^BjJ1?#^f;7pPnlqQC~acz(ucy%|-F(?YX8oIV_!9xdDLn8&d;h
z;FLJ(MsEJ`Ed>{G;d1bfyBshl|KmOVn^R+*AK{HV*XA9!o8VCYI!$TSDvIA5K3<If
z>kt=MMMfiV45>1EkM1y)DfAfq7YF*Q2mEV>*gL!7v2EAs%Z4iC+Bq!EsKVv<sks5l
z`l<JNdyXpe4{xY*0kiW4u=qyyu8l&L*u{6hsJ?Z_{GkCGO7;eYSiKuVNmzmZ!(IKW
zBa`Wdp22mznZ1`20XhM<Aw1Pr_Vw2d*@wF9jE4)akLD4$kaFeh(WJeenO`64kI&5O
z=@%WWZz$+fUoNhFdG)DZwGD$-Uu<j}Ta`Pi#xPpb^a-wQZ||HxckY>|o_+4aPhY%z
z<?`iA*RE}CZU#Qu;8{@z?Vua#i6yXxC37uo@wL$_*f?0LurQ5XJlE}uI0T2R)Vbm6
zTsLUHsmJOjo6Q`DP_d=mr-$%4a$ez!n*H*!eo$s}ti@*wt9-^6Rp*CM2-D<e8In$r
z<qWgMW*%q7-guN06#(~6=tsN)jDv-2tU6+&Er8^#F4MZ4r}OD_GCsO>bnlIux9;qY
zr)l9-B0yLy0Vel0HaE^XQucE{m@B1+J?ur60E*D>h!i2H`60}Vt)tk6jBY82k^$jZ
zYkL6q)qFPJJv;(X{gKPtuJA}{MKykHH))Vyl}Z(=Dzrk!o480YXcl-%frdC#{?<<8
zTLdRu7G+Z8DLk$y$wI{seYX<?q2v-6h_T7K(x%)JYPV#MMD)~<ZD-J0*4Q_CazV6m
zs3u?5t{bko^}N)ULoKM`(mt=%$}4AKi({>BY(<?iq-ZhN{00;Y83$clu*|M8P>GPB
zLq|%@!rHVhn|8(N7LsbK(`gj<yvYKfG$m%s@WvWXRgS4xLrXB#6%|9S(}~=*VJ9!v
zjnM18ex4>-ngNL-@6e*C0PUAWo%onSD?=9uAnIF^tk7&;DT56!-42Xiz+kF5s~lb$
z$9GJRIY9m@DNBI(aCw#2%_>uuPN^IK_rB~3uZyu*RjyE7U)4o6pG`AZa5d+?2Pf#F
z6HfPVf6rjJG9M1sJkNy{0SATMH?HS;STr*jzd#~;I7+(j;TB7iq$rBDwap;vc)nNW
z1*Ocw3)SeiB|Uf~tQlHw#?TRH)C6)^TuFw+fJ+x>5YQ6Lv7%)lQL;yE;5fyiD1cZh
z7xg(9i){_P6m7RjEKI^ZQ6q&WMo+s?c*UOpa1S&1@u>kg+ka073s~yEyQBZ*NWYdH
z1A2I>r$W}11i31F450syjh%nWF_QM*+T?%XqUZ|L&c5`pRx_B-NF0Ctg=+SN!-hYA
zt1PUC1MW)nrveNVD+8bUu|jzL`8$ADQUibf`JUc#8B7SwYKJ<8GSwUaT($l3{T{%p
zsd@DSH7y53`@imez61#`#O8%q{R}WhmoAEgrGghF)6EqbSLUq*B!Iep=*>qvQ<&Ue
zI@G^(_-F?SZ270}e2`Q6+ejckm?s31089E851k#Kb=y_#<5oBDe3R5pqLH<}&lNGR
zKbSRew=n<cmRfh6kh8<eyvrtaSb_h?2Wl!0ciAr<!XGpg>I-~#TAnmGS(q+(O#VeA
z!+F?-$<}#!{Y&f5{4276QKrn{v)0jS0hIb1>u1iK+1T3LzI^$^AO7%D*RNl`a`h~H
zCyL<X9iS$L#&b@xR%0W8FiE~K5+Q>;`c!T3AW0nz`Kwbo*4WCtw%w;~+>~x&W*Y`z
ze`spmI+{1tSjA2$w-|rW?tV#%vy8}>WjxEpc(ZJ*N!4WD%DM?#T0r-fdxi^hbo)O*
zx`4`e4-P-^na||4x^nK!m0@?-i6R*Qphc)ulv$O}i`gWd?awC%)6tzbZ;Wo-yL*54
z2xx)hIc^XCggqt0E|UdwW5o|s^ue5DIdvXtKmo3Y+IBYxD7F?$n*b=uDMgh4$4Y?Z
zKxvh5F#+|~jhlB54zFCg_!VFBbg$FlT-Z}0mvNZpIxEX*kxsIClA-9k%<B^CqeLNW
zYpG$CsZe&G=UJM^aW<Y!=1F4J9Xs0_0K+iGN^;j|X=;+vxRjxwm{q(uwl?oHDOwhG
zvl`2}wp894Zkl#~M_cjM0?+fNr{UP7v%L(o*JL+*u$*qM7$=g~RQ&CkAc!~Qmgt}_
zBkI7604Pim0u)=ttP{|J0onjm{EINQFV`G{`=)5$8njY?7XAk=7J}@S$549<+P`3q
z6@Ytf)}`wgX<ik8>(M$Ch*V15$w^ff3U8qXxl+eKUY4~^C395|ej<V21%Vr(0g{XJ
z?F2^m91U-ECFcOdb3nVo^;MN6F+6*T{Sd<CrBlsISb=cB0Zw`elMhqpNBwSp2wX6k
zPopT@K6_@kzR~G)r7Klc0%P(#^fVG~KvBZvIB)gt8cXgTJkG<|+M=umQ9lejKndW}
zUR9MPZB>=m6_fD30SARaS1t<oH6^gs238dCLm-wOa85cQ?65}{e7tson!jsRli*5G
zIUhAuSe&OT#9FzXF%;J(fuq&U-VVG+IpWF4#{BK6{=`iG>+6p!o&enQU%jCgUJy@3
z?3*|EH?Cn-H584O01!W5Pyq4&?@0gBk^c1DJRf6c-j6;fe{HNEiXmP}%#Yqw0e8*^
zXvt^muflo1+J^Tw08cDcYQF$AIe_xF)EDvq9>W1RK3UDl`xwSq=B1DO1QJ_&EDjPT
zZFjZm-V)slarrq!Yw^^kYzj|Cy|v-m`u3SK=P#bWa^>pN&pdtk(xr{{jkQ6)7e;7f
zPu>}=yp?n^<cUc2QERJW%a%^#pvj!JEZ;hkGu<d(+FI?xamF+Pk>g6aX`J@0JjN_6
zDO=drnC7(FjW$ZO$*XskeJvL#?S#6<96u9Z;J?PB#XPt*(3WnS&4<P--dYUlhO=M`
zAGw)_kuQXEckk|tufOqXzkjXQ?FB)v*T;yVT30oC-X~=`NoJ#YJWG@5=qMk@^BjI;
zZF+J5DLCP!S0~dv?xoXkqSJc9jmnKFTn|3D(LjW82^Wt^Pod)3XllJIfjlJXEXFt@
zIFqOw!WrGacfU~P+?g$b<x&BlDo4nqP)whuNtz^i7H9C^956kZN^-Q$BnSMuRsg=r
zsz?%mf3w+iI)}rKlj&><P_aK44EkNb#s!>LReQ`AMi7v9DgbtlEuNz5p=OPG#*lH$
z!g>;o6g6Mi4K=3vb}xbo`_6JwY}@cmm#V$&6z6N&)dtv;H+|VnyGBFOT6}M>Z{xL2
z@KJHX?6fHG;J9iD0?`81nqSglR5lvf(0SM;M0lU1`gp|HMJzCKfKgAa?N;Vw;Tm|p
z0di#+fb*)T>ng_!hD{A9O(`(-3cgjqPk>#)GfJwL0}*kh--*1nP;`BPB-=$XKVU5h
zY>;_ca;gB^9SpQ%VlvQ9niq+RCr<5FvQXn#19_C9C}G*i8gsRR-atq<K)0N{>h?O@
z+h+_PqKhV$!7G62f#1VDiCR&UJGUJjIZ($qhIQflXlYxiI?2>znmP>dJFJ@sX0K9}
zRQPwmhILg5j@o?>ZOnyZ{IaT(Dl0NrcR+-AH;RyAk?saJBy5wo(U@vwY-Ip$30jhH
zp|MMd)5aPHx<CjYqirdJPH5z$w$_Y~crw8Kw8lL7Z&*8R{r2{9h5!Dp`g?CG>o$EQ
zWZ!d1eDem|bRRBK|45hp+nfBaR_34H)BofyDxtsQv-N|?P>b#Ozjp&sze^EU2@!yq
za_;8lQClikV>MP|HCE&IX2@%Qz`OR5@b(K~zrS{7`{IR*XV0CxaQVvBOP9{Ct#x}n
zgrhDF`0O<J;f*!O+9*`wXxod(Y%NE(nwqxKy<86`i$K;`8@4#Uf!q|GbqwXLwYtNs
z3A?ch4I5pgo9Ay>18+B8cw?Q@cpn}Yau+ryZ#7t>lU{&$)=GC8|HM<7v<r&T)PVUy
z6K(;b)7GOoLSaB8h40F!6Xa#`${V|Pv!Y5<?xB#0F_%dnbBweA0GDMYU?{5jdX>|~
znyac=QHpBHt5oYGE;Ex%lhM5+%pw(mTMyT~vpYjidb82=-tKsBlvEmJCAHB2)XO}^
zTCg>ztc~!3jm?dIzb6FWTwCwTdUAMh8~wy(rd3+x^BjmknrC@YRSwF%;emn?z}A?l
zTc&xQW(5j#;&?Wm#nV|D&+X;|{F)a4;_5l5$*!`z%0maBR;5vY36vn`WlcJJLh07D
z1``#q6%zZ5(fvenBPCimVk-g8p%PBJ<wNe2O}K#N8I)bxs^Ph<*f*`#oGl_{ou<FS
z2Aty43CC*u4R68;c+(-l8#>3)B%N_`<-xi%XC%yNHT1lJ_2jFgEFHy@B9w2LCn<2~
zEV&gEN!oTGG>nK;+Xiv;vVo_JfV)Wy7uG>Vj*)b-*eI$nRjRBi_?d%Exp?PkV%Ea*
z!d@>L4%|*CJy(*7Ofc$0cO<Z<ieV)lRVwI*gra?5S*4T4$QFeMOH+0OhPoF~V_ux=
zxFYZcZMB)T?iwtWs2>6Igc(o@<#y<r<wyYbMOJEHYR1P?tLr3A=Hp4N)Y{O6OIDTH
ze3k&T4x+#qSP4m0QEk0WohS^j8`$v#U{3g9S=Y>UeUG~ZFW?-|$Q1y(lx3M?;Q>Ls
zhmt8^6lI}QiFWpwiO@JGY1$p3n!d(v6Cr84#evC$C5JjS+u)!r$LI1%c~ky{ef{rl
z=|A%BiuZ+f0DS-WEma#-)BgDj;?G^+JN`Q~8ivBTEZASWD!%P3|B)N&XZKD>qHUf2
zqdj&#VgrdZ5itGz()rX(zmj5m{$Xjp^M(44?})#2nXkEwtw8>2tj21r#$yHUFFy03
zZ~2p7KKks|xpNyEo7)3`fBk;9>$@(x*SoGVCaX<pYEc{R8#M2*`e%(^gpCfKHEo40
zxLs<LUEp177k}Dv*qqc$AMda%z`kxgT#oU#u@Ia!((J`cpWL81@icFV?c1k)=tJ3Z
zYwa<(XD7Z~j&vn0k8UP}VZ&clds1H5K6B;bg*!KHWV3iYpH_Kkw@DmVI&R=_O7TMb
zPtqO(EQ1f~s&rJrOk=JN_&J@#v;93TeT)k8#nx8mnWxY5Ew`@oqr*Edz4Y3x8@pAZ
zs7C_zIF7FHX=UI9Vb~q^I_{w3?`#aWwl;<v>ua6h;9#$e=K!lwTVG-AST!?@{ibNx
zSs}#4;H9F9(_}iI&ryA!=5dn7D2`TjB~S>2Qft=>LO+sR7<4d4EL*^DmKiXH@n}3w
zXITk{q(u|gYwM}Vp#Xh(o*SZlqu=dxqA+p+-#cy8Be&M{45kLfFj_m-YLZm{&0bHt
zU&BsckOhO|)CZwiBkXD_^VA<fDvw5}&#)+MD7%eb2e%R^3d(LNQNR%XxY;t$i>1Mr
z8?k9m$5?4SE(3~HXi~5=Ng5~>j>1`en+mN1_&PxDL42wW3Z@+~U1O@77Su1QC~$(K
zU#9N`K_DqG4%rB!ZfItE(Sa{%)`*($C;?!X8o9VZPoP?afj?OD{0=Y!;riXdT3zI-
z%HY*Ecg}2Xosq7q(fbI`yFel&>Pn|of+PgU20Xc{0BBn?Q}n7Siz1l?!f;h|L%Fqe
zZn&{l<mqHORb?3k0V=X6Hy6&<gSU{{0c;Pe$i*}>Y#wnsU4x#ZEX`Ax1>ePP5OmS0
z(Th|Q6%^Fd!;xzsgS8p9xB)=zxyaGlxMA$3Wtdot`!;Zw;mnCA2Ha0;=cn%IFYWP%
zdfGh51pb?wc<1(|^Y@>@w3m1PLNIk#L-rFNk{5hsGvv2C_D46^zrW4D_TeTT;<Xfo
z??1PP-MT+@M}2Iff9ylDCsv=NtFaoZu^NxjFw))mim(5=Yz-~$q@)_Xi_%`D^RjXc
z3mA7@>OvHaZOF2VJXJusjfD~<dOx<6e6U{rfT85una`ZEn>4L9V&P?JpKp;PWaU81
z4)=CP;DMJ|eqGjtotn2f3}*XBk5Azt54H$%$yME!lCgbo*dJWKe5E#OquU#8?u|!B
zv*{cVGE8rcNDCF;2wqjKN@ME6K@hAQgme{UMo~PLf-g$kH9;kVlj7%YzaIe&m;;Wv
zcX#jh?R(iY#-9q5DR{o`MZK`!9}YK$Yn#LMt@ZVFjI@P+df4#_vzV4ynq`RAu+LR6
zj4zN3T?RRzdO-U{hOR9rtj~*>+C5V&)0e<l(2fu{A5b*`fDT>k$pbNvLFfh^MdKEz
z&`5U=_doZ-XJ3BhrO|job}`Lvj0aOg3AG{Fzj&@Y9Q1d#x3{;pd!23wcwb@(Ut%%e
zig2i%l2hOof_!d!E=)_e79qkG=NsolLq&7Vo9e!@fqTrf#e2$MvL^P{BL|y3sp5~(
z%hn>_5Ivv=+BHMovCT$}X_p_fDjnKr;tp$DZrfgg=J#zM2tK#*DV?Bc{~$+LRDT(3
zDzjjmS|3Ly3+yhHO&c^h&uHpd$4qJKbA<#!+dTxd*5Q0Uo5yjAKLXO``C7OD^}|lo
z84ln#!YD}N`E+s^h2dahTSon&#55@51VvTNl1$gRL%Mj%m}9~f0Rwj7>Pi7KlN5I0
zO4jRzKpf!6E?qcl5Q%d!i+e+~*)h5X{uX+^0ahUK<Y2*-z;e-v-{lImG)Oy?f~(#i
zY{KCcXos2CmEu5W(K^$`61_rqOGf7R_?{zit)UH7g}0N_G-aTyzq!q|wb{bilTXn5
z@~<4}pWjp8dEp&U^XqA&ndu7Wzkd4Bkp1%bfomey&dZ7UE0@LB4BxII@>ImW_mcQC
z=fzLmR{!&T{X%TM=f(O`uqxfJ#%ip_YCK-!u(N$w-I6MH(Tm*x)N^a)I^46M!zv>z
zHbLdESq$5ys>zSOQA`~7v>l6K7EYAT=`7f{`$SkknYVga^NKB_XoNjvP42X+pe8iw
zEl~R@aIW<t@v8aG33&Cu>yrmxi{`B)oS+-2cCgk6Uj&}FxxTKL>2;zDXU-gqMn^|S
z)A4vV1FV&#2@0$=NxSR1&awM7H(6o;(WuJQnW@XBi<nN6ID-qQ#tnEB$oX`X#)qWb
za5nnA&Gjue>UbSM%OT+S!LZ-&5Bj}9FC3t6i5CdWuSEbzuZ9pEV3NXewZN<(3@5d=
zp9*kNj(Yv9MtjCQFABg}HTKj35~ac^_d<*@^Q0Rnp|fn}RCVY9viE#|`(;(6nHDB3
zvYUJNKl$SG&wuih)A7W*7TKN#!0w$e>UJVHT$sE(D*(s?w7-1u()pdUaNJSQ!Qylj
z1z~{L-*bKGdf1eT8X3U|2HTbg>XbN6q_t?;VaqI(Imfn@+*vkFVw5XuT6=se;%PH)
zNnT}aH};aVl4*J7@~+OJ8^Bt+po+}i7kZ&U<Ib|LCY+1mhOUU!k8uL`mH}YDFUpnL
zwsCs~##+>hg;9_t88#J!*)0Q0K*@(6uP%9nCG&YQnL4$0`vc%rs@Br;xaR@8>-4&1
zsbD2W{WX|>;fJ#%g|$%wJu8YdFEOR8Mh*yYJ@h?40xkfg%!dQdu{j`t<+QoEzO%Cf
zAU>H+a#)l{2bE@7fqk?=r^{@MJwsIws+1fKSKm=4>U7beGm7#o<5h{4`88(r%7v{g
z_J|iSp8+xmLEB=~?2K1Y*hn=;Im!yXP&$NczN$*sb*by8>A6O$)B1@5_b~qPEiB%D
z)!;4PC1G~|!A*4|Gd_2||0>2_zMq%-Th~QxoOhW#3S8npyCVL`I{$|^)h{0E55!$@
zHCAIaR%10jz;VwVyeS6T)tuVo0OoOHV@aLH^+UlYBUc>dxMmr(FEG#o)}I3LX6f<o
zS(j;}WSs|cXO~}eK`ItsH}2%@?Z|_Dd?WfX&hmD|36yV`e&CsGGx5T^g#;6tlt;Yn
z>BMrX%ULgq;9<QW*xKHjX4!lmC-WI#t$B?9W?5d<6?&UjH6rMuG<k+bI%R28&QxV3
z2aS#dl?}d-fT{r=Ddv>u-i_NWLEsPEPEY!Pm%Cv%^h4kGLwFR~gS&tml|t}XwcaMR
zQe`b`42l(8az)*}lw|AF*fOh%3XX!A63#@T(W3;uQo*y7lmiOSzP-J(v%S;p_kkLW
zCZl*X3DJJjWN|V%9A#NrGIeMF-tWHfnU`+7K2K&O6d~<Afl$<vS5ue*iT$PqP8>kw
z>o;z`^wP_l8ykbcpx5d4x;>yLKvAMzztib<Lciy`{chCn0#^!U6KB@;Yc#cbdjXnW
z>IJtn%Y759t-hb!jj_J0i~XFY;J)}iV|uX(aB4xLdPms?a$7uKtUweZG1I7Yn(uO4
z8z}GLhHyGZizCYw4R66b>dtr*e#o3Ae4=3mS~YFr&QePVvsP4gMeD{_3hrg?0E5ia
z44%Ln41=|GrIjna{@PlW=aao%uh#?81RQX%z6Hw%80KUerx_*=1N|(qvl}~sffz<n
zI2`snk&jN3MOGHt6>hXX^nDiqx*LRPQ5CR$xE#+@h6;EGC??EfrL^EY&9gF1gkV58
zVg1df)2c4}K=V9ID-OaCjyKdDAge`|Qz|X)Uv+^WlRgloSjrSA;djUtiUaqkREa8l
zoGamy!V2yrL43Zf3yhC*J*3T50jvHA1NV0e^H*Q4fAS;pt>RHXJvaXwIo$nwTl_oE
zzh7kxOxmMH+k8cz{nUr$Uw*m%xjnu599@moSdG<qtVYS*U2l!$w-E;^jopQu%m5op
zbG?Lmu}m+eJXO43&X77K+Bt>DAL=`~{IFATRHr30iyv8$g?UIBe%afmZFGFdhJck4
zIaa{&01aqy;c*O-S=JemoTGJYY_Y!8U>I^*Y``MWCF645^#g$8UESSKs@SZ{vcMM9
z!kU`rC3>3UH%s`k0!&|F929{2x^z^{+k&s{JC?4`0kUI_QoF9gIyxeFSI9{CfUXJZ
zcn*N6N^^J~v^F*9+YYE*VP7V~cc2K^94S1?JYr<zNZJl#>e|$bBcOK#umUD?MpisZ
ziMnzCyyaP36gixZ?|Hp`e|=-9xiYL~MZvJRujjK_63^m1y|sVum0PdBe&^PBG75|e
zP#umQ@HR=5oaS{&@u7_3(uD8TWpyw*98X7p_&wJRL#o?HKv()vw-*K8&anT?^=r>Q
zb3F__he?<R-CRF{;Cvb8zcsIOS_jUi+rrq`DQe<gIOp3WHoaI7$gBjl_}Z<iC01#h
zKw9;Evz?<g?cvzy2MSWdRUw?l3y63jJiDYaKZ)zxN^>jPY4VwyvVP<2&+YaETbx3>
zc2Sm&LY2l}-=QW`m}G}#d6{IH8+L~MwQ$fE0@xad%QV@&4-@Y8S$}<fI2gc1nF8}n
zlhJ6L#CcU=Bela(-QSJ6Yl9xpMlX=6%8E1&gxl#4&~8h5KsJH=Rg9sTf7tV)KAH!q
z+~^uOXjT+(@Bq;30s|8Q-|uoBm*r?a)4Fg&S787e^`LN)l%c513xf_E;OOWu>U07>
zfb{^=RG3oRL|P%ss!Y-xj?YIYC)!%U5QbV?4^wK?#*He89>3PLR6cQU&7Vum_r6&F
z_=n^}b3p&uE;7ms0sG6Bg~z`zM;Hm`ho6?Sy8e};6~14M)mV+yc)Z5GI~cQYQ<q#@
z18)Eu%3#K+7PhI+4h%=)R)@2!#<BI$WiR>VA1&(Z4=tZt#;{-r59)C23oUBxiwCf`
zD8?^y2Hluvo<Qx3Cv3iBoKrP^)&?IflpDr51?9~{HX>Rn$0@sfK;{DL<1Rqyz%b<l
zfDYjwMOp`pu_{X}E*9wVjTVU7X3he(s;xR4E0et0Jpk-(98W9s@MgS3_Zc)*0SF0r
z-KCmssa2UPr$j$aD-eQ9#%eS)By=grTm`GKo?|@QzQC#ES!=2&3uO%}fg(5(*nq((
zTJ&~Q)F3;V$8%LCz6)?aKirRMr=HFy<vi(mVJJ7sQqSk}n|JTN`1(t4-n)~OnFBn8
zITb@;zSE?Tkz9o0#jG-2kxp8ozy?*-C3^hiaT=rC+6{ykFabwfZx1@K$}U_wXPh;A
zwQXCq?RRC?AGHlJINi3fyzOGa`jTY-p(M|=HU48x*!b=^&JtN=OW=ONIjKE>AUyVi
zwm&qsHG_=UHL*6lu=IbMaoYrX8GiakXjMNp<jb7?k+yC=bZN=K2`{Vyo+f!(RFgP{
zXYBL_QGWnTaB^^XboVZBiS>&Yx6hr2MTNPrXvJAfM+fnAg2Y4yK^S#<YwK&nUN6FS
zkTlkn1MJe5q8Eni8|zt79ZlxIO$(KkRh?xytYp{q;Ogo+_IM=&9~P=Wy`KisDuTd^
zI+Zcgc%G@ciwznP+z4rw*$xOe0-&dBy#e-P1YxJ!1!@83mnJbhGpDYgs@7?eCD<<F
z2sgk|J}^Ag>|^u=ZA1Zw)M(iY>rE?|=}y$qzAvA|x8_gH&3ApS{`=3$uk5p&T;8X(
zV_n66b%g)>#x?eA=L;!$Uw56q`;@p}m={*!oYh#3)mV+kY25YJZ_43%wP*F;oGM`G
z*$046C~SAL@$Y~v35#PW3_)aa3g@SQzKw%@`&V2buu~QKQ>FR^j9$F%F@JE5^Jtej
z#)%C9<~$VMoj`szPS%{P>@wq=YzbaegO>xaP5}F+2f#5Weuae8HlxXAlp;dsN(iky
zjM+rXLxT9IokxgO>T(f}M8C@c?x5YDL+ymvJ?K`2Qxtho&*Ar|-pi|+lfR20yBve2
zh$uitoQ_t6l|grTG|b0ZD=P2Nb6pssIapLi<gYm4SPs8k17b(h5yq^1Tw}v;mCPrH
z<D<PSPx86Q<MHh`Uxwo^>om_20D~9LozqvZuMLKEQANIc_0lE36Wux3pG^+yJXWg0
z&Pa~tjL0%DHk6}sT64P>!<&M-^{RnM0iI*H^c3UpTc$Dq_@z-XB1kKSXVlV)X|U*$
z+6YvdqPkgH3=gix1rTrDo6NG!&O&d-9?UR4-WNKt31xNmw)dlrU$%O9l(=#9Sl6wN
zzXj>s%JC_ViA;|8($Z~r02cI;TOS{XEs_{c4sr-3R~g*ku?Y-P`r3{1qw#n&c0E7n
z^|<Fx#-sgvcj0(;E??c)*?|MjlBB8?@U~<;%H~r9_EFI74mQ@ex}Cn~xka87Wvc7k
zcf+;r5dAD`HJ{GL^ZCJe3fH3mbdTUZg(>g$hQJ8|SA_5{zH4|u&@ibQpn2fJn@Eyp
zSy{s21f3o%%Ua>~0QxhLxTY?F*VTtdBVZb+GV67HIOfS@K8vO2`hkGArm{o_C-hm>
ztWp(Pd%2vNbTMz)lM;9{L#F7!?*b)&$%WfRKB4c<&&TF3e6IfL0lSf#dj<N-+9kPH
zn67aColX7)Kf<RX_5)YNpZ{DPtJR0;YOKa;tj6OqQsLkC*S@s8k1&p)AsTgClaNN8
z)0Wtm8ft0t-3ZY{0y)mZmGw*Th%F(jC0O!+V%}L;hPPPXBKt=c?pyOg)4ul7OSFBr
zOJ1EPYM~3Raty|7Y*HJUbrSPwE4XOtzqZrTiX#}AjqAq1k!rb!(%=Ww+yK~=6E4Br
zPVTxYP|}*aBlty6O8B-!NT*DN`9fId&&w*qz#~-atGW@}XwsjPI$Mw(qEl66l9g#z
zXvFnC4}8aS?Gxka)rCRzeVwNTpfipBC>rCeG+C>oQ49wxhTiGAHY!i2qy0NKj`r^x
zR{5S+WiB%!&XO#Toiu?tiO2hCJUe^l%;x&m_V(75XRbY$=dazk_2P@4-M{xnmX@k2
zHCiIp2+0xUQ;rt?+n{T5pwzf2fqmT-HgzH@MBNd2J)*6S^a9`rM13g8h%T^lsHRS`
z7yecS`%}ex$9X77Zm(yH+O40`BKpd%pOYnibG#R17B)__t<b2o+I4KP{z4FBtk)Ae
ziQ}7RVeHuH(@M-1j<f6`_Zg+NvbrXde)NME9zbgDB}z<_QZvyVtV!Q5iekLKuc~V2
z(v|J==i!U_3|;E8G@FkOtNGk<h2LLW-`E}whJeadolWye7RRWz?{By+a6*n5#^dp1
z3Wz(d9Y^?)^!#2o>U2UWM7J}DqR5vjbdhmza`!}=9m(J>D9QrPuiNcOv_q09?o`$A
zTTD{+t?;!@V6~=snWd@ico9PsXff=^)uYL1GM{%k1AzU&DHR2YDFGlpfM2F%Tyf+T
zfkJ~R7KI_q#vI0UDxcgp=r=M0f0nmuT#n7J*CX}~Yy5FI!hda@fAa?a`TdnRXEj!1
zHCE#>8oS<L&fPxtg({A*oYX>TT6|BnWWxE@nSwfP$?gx4O>0^%nnYU1D)mhpDQnnr
z!E`y`$~mRlcb5Aamnx(W*Y=!t%|8u#5FRnBkAHam-X0utPO=Z@!8-4;?IDRMoF)MD
z`1fpT(g}0U<DX(EfVCoTr5VOD7Q%ZNJj6Kq8v=f*JcX5bZ96Y1VyV)+B*hNu^zna1
zk>`ab{V~?<Q9|tqsVR*~VLEM|r{#Q>jK=fXEG>#siZJZ;!cO1y18kXKysQcU<<z-b
zm07MTMF~p|336)Ow-L+_gO1x5jtii?%;ID=Nv22Hbl=fM9r!^Mc|jQYh{;RERZ)+}
z`+1e^9qnDYd_5X;w>#%{03!x#p<%Ck=3sPx9-{+jjfx~Zbux3olP0+iHbV-m=ab{4
zR%q2E?e2_1yUxm~;lv7=6>xH8Rn<r<ja8_S^CY^dEL=;e#LbQyyB{#XH_L$tMEv;D
z8lonIMsGts2@5M$yKTdp=WQ4xUu@X$Q>5>>^Msuuk^02TqcX`X9}XQ6JI-mw9TltJ
zS&n>IUV#p!#tQ0-!6kY$o*qu-2eb0cyJN+KcKxiVrlS!s!kzOMb}n21ayXkzvNS;w
zI66{E;<(Zq3_HWkUVq*5+;~1gLnWr7(C@(ImL70}*(9D##*^8!QkC$$s0*OJFMT)g
z{m^$q5AeSWvmp&S*Hj9CJ6VI0wP%5yBuaQ#f`_xCy1OB_BW(03@j9ceeT7?w+L01w
zwyf2`;Q^dpuQ&8N-ZY+bayLRrz3Ty{$M+%Nq?H12k7~9e4?F?i7l9AoEOD{aSyI3=
zKf&N0u5MR4AMUWP8S;<z*yWJ*DK!w*UG#W(%=_H=rgi=c2U@SRIjgZ6tFao7&A9Ka
z-EoJ{RfpO_a%uuJO(&<O>{-H2WcHy5*z*P-quQ4+G_w)0R<=*ryHTnvp=77EGC7UN
z*~2jQgWa^wk|gFdzF8o-_F>Fw-i<Ba8>g+-FRWC|17za_$FPp%3q{4U;^wV0uh?<5
z-^SLqPKa1jHTHQMcXBMCb9AF|Y)Y;qAZa&F00Gyf!uX-Atg<YlZd(Ax3gyM7#P(NI
z)N`~q*Ju-70Ej7)>1=;I-5(zwjqV*C9gfnha+nCCL4SR-KV0`c9}WfZ{$xIl<588T
z@K-do#KI?Y(Na+X?#FIQZo)9^cpJXxat=UluIjuKd1cq9N`I2na6B3M<_B)Zg3Lw#
z`z)Dcc~)yPM1%d!-cEOGxc;H*Pe-BIJsgh46QCS%oFrKRm<v;`;Pg~sXOyA0KY)9L
zrVbYGQLe(MNdlm~u4_}2GhW}kef!ndUvstE=yy9lKuN0j!l6rHh3aNudCwYJ*%aT~
ztJ8?)j}<mcm(y;$a5Pw4*w9!djCPh3{j{h~^m8{au<%bh$sX*Z$Rw5N;}A4sO=2Ai
z3}_W<ZS%$niCWW$+$!?hJ%^>OFvCaygvfX{o!`5A_sutM+&>x}&GT`h=QXQkM+grd
zw{_;s`qmcQ$?<HO<w+XP%Gq4a=gjvy8=JkY9WU&`alsFOh4uSA0LXyXON7m+1xsRB
zignQKV|~68VGI_Ud78lYdSMW_0-aQ=O2TU5QecJ`)&sD`0Mip{Nj<Zwu24T^B<=+=
z2}=}Kc2!kar<Ve4qkzUq-tTn-m#6VOh1aY`uzF!hM!mt|Xgr-Bxnaa@NP#NHX$-&E
z2|d)XSwq}Pmw7RsjFKb`!|wXV#*+%}H(ckB?}-2C9KRkik3YW0`G<$>BOUhqN_oE;
ztFaoZ@z{)s?A(>ZXUju!^lnP?RH=9DAFZjjNIjPlr8}%`?n8SRbV=7tONT@~Eyit9
zfvm8GwZ+pVSkxBpAMB%jxU@ny6>|GDZ_}!KjEx9)aSOH>Uyy?(={##Qa350IZ^b;v
zF6qX4;+(3`Hl2>V@iep;jOoU1g*EA3+-c|ng;BM#BLYB`QmjVoUepF)PF<A+!QY~&
zbAVK3t+1yR!Hfa?#C?I!T~|hzWuC_q6hH%#J383gyLWiFJ2~3RMzbm}6qC#g{Z4N_
zU5|%rfZ_qqji-}jHmUR2R0Z?Aovp24ZB4jbX_e;bbe1Ft(6w+SAbVego-cy{z?$g+
zn&#U{8Uez~(zJ+C@YCseu7}oyxZzOa#Kg1NotwAT2kU_!tPj`Mw%29n>9vi)bUKM=
z@pLkq0Q^h<bfxIdk^$Gq0r@GkD_2y2wxF7tLU96XYeWR|RMq93yLUhJ{Ac3HXnoM{
z0=x_(jI|AYKL|b7ha>R;=i@$zq!idD>A*S|u|`ludAGDUIYpG&3vIVt1nyF4x<)6L
zDdj~uO`EK>rDsb9O8mse4{Q8Y3Ay7d@-}g+<+`+pC~L}g!8W@!4SHWJNMmmWD+;5C
zT-Gp<<30g<yTLsO^hVaYeDS51KmM^_-`_pRv^h*O9S&r77|PHOL~pR=dtqHx$z+_z
zaS@M;@kqyW=KA60nZfqOZU<-{94{)OFg-T(bB&#>RZSh&oQM71Fxml>jpwD{ZNO2g
z5>~gQ9Taq7fPzLB8|)-@fb*d;2cEIUcLsDELSl+yH0Gd}6L-<&2bM8_dm&xS2Y~kw
z;nYSKbqS~CMx8;Y2c&TS;1CY8zrN0eXJt9#y#rUuZWO>o3MGM#cDsEztjR2f`-k4H
zgkw;qFM}tuq4q2L?7z4s9uw`&+mEXu`$+eZ!9A?!@Z`w_eD!g>8mqAytMS1Mzzh4{
zT9M!fvdy4s>i70*w8%8Ipe9R_<1oW(gks!=ej*%#@2MuU$9~q6c!6M2Q!%&l1>H(v
z-qInb#rMubvtyZc!hD#7=An$>*k@$n9oV>Ang+lvx$m6v?mX_uWMuz;+~9a>`?;}e
zp-xdd9g7$&)3~uPg7m1Gz`qC*zB_0mqR}}g&GMp{*JWG*LP9-3Syp6VqtGajF%0R%
z;2vHv41WdipTx7tbUHpf9PjOp_IHo&-=7>E%_s9bO^nK@4*(#eXINb%1=FdnM^efJ
zFx_<Glo_BhVRWGV4i5)@;JFgeHh{itI?Iw2_g<uz%L6!0*YkQ&x8LmodhSGnAQ*Ie
z^=vkuO=oZvGbfGufh#?rCzWy}_k4%XC(|2uZgvJ;9?A8!^{wvNZrF(jbAV{+9BmlW
z6f5}C*?bxU5}T(<hDlji{jZyDVl?)_W(0?0wO3$6g4>NcYlFV7s(m=?=@dH&TsI7Y
zDDVJ>hG7&$BJ$k`zV?BL1TH4IqJfI*QcnY23oS5x78}PMCaq0AU1h95qr{`8zoJY@
zQ|Ac*amJh2;YCtZ%hj4~2V+|?$g5@%CS{0^8DSPCN`@^=IB^*t$2qqFSJq3l!Sq&U
zM18ug<bOeK9lK?=bW>=z*6e6D|J_f2>iJJSAIKolI%dw<D^K;;wk3cj0Jz<#%<6c5
zGCw>5PFT!GI-fHsqwS5s_8H;z>MHBX8YWcLh>1;AV_2Ds8a=dX;=lr6srU|pby%Mj
zCcg?KQ}Ecls$sTOP0_L3g9$5uemaitO6(g)xe#`9V<8_|l>=`ec!lvkP^AAs4n$G4
z+V!x@BCpCcQ*c@P{Xuu&!Ro?Acl$1^g!Q!zKAog-0<55v&c@bOzt^veDlaRzIrew=
zT-O8I*B@@UL1zYcMG`+@;2y5>pE$$+=5?{{u_xt#Kip-UIgg~wDK$ENI!+@?gI~Xq
zt!n?Pu^Owf8Xwr$^@e+H|C*XMb$g|az!pm@mEgQ`YQ?xjQ*x{`BDTRV(C$P4SV9{*
z03fv{7%fN@qnbuUvhc82hPO7~%hKToK{+#T`3ds&Q2s&I^6+Od%UcJ>Nwmv;JI4=b
zEDT%O^wI;`*dxMX*uv+C_7zAs(@44D0m_PS4Cykc7r9aj5N(>JDd74H<?nf2r`oB2
zHL1GMY+x9xgB`UTwKr8=01!T!PL2-t_x5)8@83V#yEoh4&u6nDnQIa@P`{mIzKgX{
zD}HuNRb}z4fUkfsU~{JLxtvL(!oUwO@yZkSdNSd8UV#x)HDJCVbY0)|J+BWqJ?y|i
zs0y2NgKmGgz7@}tgTvj)bU&Hb5mtNy!zy?Q2|Q5c)5&P>V6VTvwzjr`ZspR$G}2D5
z>J8S{*D@Swf|mHRSu&f)2`1s9BnY=JkkVidt&q~CUSkP|(TSq%wT*3naf5;9dhnpU
zv<2lViP0R9i>Z(RK{*1uu-onQBR_&i`YxI(c0vL09XAK+62;jSW&=w=|5R5d$9A7u
zk>Lyk33Dh5wGBC-mfZzYv!!z?!?!%IHN_+<OD6Z)GF-=osyd84xEd`<ZFs|ib+%n6
z$6H5uaoSeglO~)CbkB{Dah|_^<K~SUw@Rga-z|%5^WudIm#;b8SA}NM1=^U-#@S>)
z9qkwMi75*PylCreZ~GkJaaGJbSTC>yTwejTfklXM2NIw+H8vnNhhxn0L|4kONn4D2
z9_ez(Wga;I<|s&X_5@^a6kH3K-%7(%IY?098F1H+p}gK0;o{P+Yy2sCIl*m$01qw(
z+N9QS(AvN~GMP+)!fkBr_))aCy9e|z&+;gWp1%GJESWf+!Bqsr4_N=;U>}aYtZTUJ
zWX>e~PRFmxvUt+ma{lZE@prBZ?};j7pYvJ7ok#M_IjqdzeqH&z1^13KS1WM88mqAy
ztMP%2Be!?Q9bT<RS}_fu%~-(~2(vU(m`;i%I-!_o({(UA3E##w0wJu+V^|Vb)Dp?H
z^{T{QMPUxNiJXK<Tyh3{XH5S7>s4=q{%w0}6BEk#;=uyj^7OG+rqxxDKAHp-)}`IX
zV=aOEwg>iDbKR)F$<c)#2_IP%fM4TaoxUuy9EHUIaN{g3(el1U`~>Rpm|STPl-J7C
z6@dS|#FF=HdVlxc?YnpO@7@_79%R!=8PA=vBtZ#xe4o3*@)guVAS9&i20)iZRp-h&
zw>Tb_v0X&9%nL)|b!#nh_<5y;8+3ZIc7%#E2M~1xusG^R-L>HcfO~*+)9D<zh%5N^
z_Rgit;o<n)o3FjPd-qlr*M8`uSt=ZC?KlO?vvfM1Oh>b7r<McH^8@lOkLoC|%B&z?
zf0zK^HVOQL<ff=mhEEni3Y!Y7HzJ~L&kX{v6Lq%M0N`!+`@;wWO+}4yUloOc<tSyU
zs-mn5IDoPoP13Y5y*}@CeFKMUh4$LOBUL(f>S<Z1605~HQ;bR9$FwZJ6Z&503Kv19
zp=M{+digXPP-aO@Pe!7)y>{tgjf{&rCv0LD+2ET6EVpa(n7%Hhz%>-XHhMI&AN#Ea
z@f%z3cNW>TcB2d~zEsRR*xUQ<kAGr3jn7|uhG|)h$2%9Vz%`wxxlq{Wnx^yl-o5zn
zPB}R;W##xCzP96So;NZCEZ+5H<h#HD6j4xEBXCpa6>h2E3J2zdImN0jOJG#4^w3xp
z_e992pPE`=IslgY!UzWzf%07}>l>7h0m>J6bI~bb=LozjxX1x&(qmcjj}ss`srVf#
z@Z*jZ+?-{R8?9m0hGBI6!ukEZ{hM#zfLrVOQ_o(ya&<l%1ECom9(i5>&j2`nZG8i+
zVv#)O=;X7uUSv;H<^GRu@V|cT2}AZUIs!Xu9|_#U+v0AqLi4M!8mqAypRZ9fvFi=%
z90kkP0z?23$4*5~$_4?L&=v5<<?wk<DiOfK6z%EM^pWi-&Pzv<%-LG#G!=MemFk8<
zKoyn3ttOv6G!Uv$^S^!2=sQ2)9Y$OHe85$(b<<xoE?TAiqSKN33mhx5HcML#yoGA$
zeu@2!&G{Qt$E#ec*q9U%eU783$U3I9DAMi<=oaW1>Y)U@I-kcg9MjR^=-^=Q{_g$z
zcWzD&_KVrfDf32t?YW4Pu-a*7RAJ+@I<{XyZHZF0r56k0T1n<&P7om3r~{~N9>W2p
z=$h}?9tnY$tJW3vQ5J=eMV>}}-~~ZPIb{Xk2k6GuwzoI7&xT%4muz?Mc9B<}i%Fqy
zYH$Qz)}7Dd$#^!8vwF+vb;H1qJTI^PT$K@-`r{4(=2ewA88yK260JRJj2gv&FW@9-
z%+E2dHt^lh4|-9r4`ibocB2k}HdvJuzN>4EZN_k{X<pBZY8EH6=~QXQ54)YgdKd&S
zEptr8O5ywU{GMBl;X2pUVx5-?06(Bqc;v?B_U7hJC&DNKW=adoi2zUw1vksCm1uxz
zueRNcvDz40=5O+`7{wb{H4h`PkzvPM0mnqvHp!9#-?Xcyc`|nF&|^&7i(>N!?3%Q9
z5S&O-RJZQ$zWC~Eowd#9zU&Xdg3(dW?+oIsKrea5i)21O+MVv-DaHq;NHN{D+xG{X
zGVH+O38frH=uc_Td5NCYhELUsPF1>i$8$i;a9HrQ@3{?qq|@b+Lb$Z?C{7mW8T^*(
zdd8r?s-W!vK=G)$a`3-c$Vaa&{IO|eOKAIqC3|AZ3ik>q1;K&09(dq*GUn3jcDiTI
zoKuy0<>ePY``J&!0S?!OffvpuQ&`$-Ya6rK*bgIg?k_W3Hx%vQIpGrn?w^X--?%P1
z;>r66VXIHk)mV+ySdGVT?0IVkvUkoTwXIPCymOS$TxyO|25ns9c%-U9EQ!157%WQJ
zNbs?Yrq=LHBbbrAks&jiQ3Rjmbz=;|j%6(i4}0eUw;a}VKQ2}BPXKVr7c%;xhB=S&
zVZ<IR_AmDU*eIe#t8E(n1xggiz0ufaVFG{T@nTz%8NqZ6R|0$r2(~EDzcMY#d0l0g
zQ&j<g)u={LWC_D<>oRU?c&Igo?*i=2igG%e-QV5Y+ufUtjwa)y!-M_%yLYqwT_?{d
z3`;mT_b5rn$;Z;Nrk$1=<EOC2Qz2q(%>E5`(GZ8!9k~4h;6Chjec#KA5~VR&tSQ5`
zf{UIPIxpcFlfud8Vk+EGc(}2#1%G^r01$p<Jedal+1WE^uUvjAnUz_VPNuu1qbTSM
z!T&s&@x6WDAD+7~zIfrRgmWWjn_9ZHS9vwy`hq4xRdrcc1@;nG%{SnW0zL%mjU%^2
zV(GcSDm~%4fGlxM)<R(=n1mt{|Ip3{yzW3bllfd2Hjfj5mj>H6(=6HF-@9}FE*y4f
zrdy!`j3~Vju4tNOhey*S$%TJ!Yx}~53+39zTE~Z%RwN$B(zLLUlM;5ZMOW}<LkF&&
z#Ez6>uGywKw86IKlrK}Gyl)J677jc1Ckso>#SOBwDlGvxZsKK4Z#sP!_|*NQqucj(
z2b*Wkp1UZ!J-<*JK{ut~Th9;cG*3o{^WB@}c-IseZi@8!gPpVfV9gDIH~Ar}q{lqZ
zt8u$c!^~o{Y=uysrqN2I7+e~>*WnESP(Cd_LAwgXevH5+iAM@d3vIQWQYmzWa$Ogm
zp@vIM_N~+|z<|Wr_I*tTigY;zw*olpzzgda-(|3mp~f8pxb9_Q;%>Kh@zRxeK7ZxK
z7e4(vAHV+Wb6Yz*{eJ&wJc3o_`GG<KAw0hWFAVPy@ob6$wI|{&*yql7T@cT8o=BXW
zYNuRP;a6idR%10Dv#~4tpG@5NU>8fhRFwqqLbYtkUFiWH1cV0v27&LvKLEE}`~v<K
zcv8YwUWkr(p2vLO7rx7UD^j4mE3F#ad#g8K{4GDfjPnj4UF#FI&qofodWR?1$5~oU
z=Ps2-k71X!zu^u0Amt6<k3#FRLa|L+<N%Sm=K_#P(>z7d2q1c0C<O5h?qkbwq}=l*
z0xUo97z1cLiPL#jPUp$~;rQTa63@_GCQjxk!l_DZ$n_+%LI*C$mK{s1goi4m9M-3_
z*>Et3<qe&aXv7bk3AmnsoU^=~jmPuZv??>Bw3QtJDZof1#IQAKOAMUU=<u*Aswn6&
z=2lA0?%$hbDa_58jVl)~UO76tpQfX-oa%rY4C*?a$3?2^TAaUl;X}_n#c|`u=e{Eu
zQ_{mGV$UbE2bis{OPoAiQx9=nX@L860c!@Mbjj!v_m0r!(Dey*QZF(Zg(76b6;>1B
z6FzFSb<UkKOZM*Ft{vVR4&d}Blkx3aH*eg!F`v)3d+hqT{`U5nZf|I~2bT;O*LXfJ
z$Fq5+;!<zTH`h9{7hn@Jr@Aka2vYu&XdDj&RpCrf=C34TXY1)L=w2A(+q{CtQg&gL
z)ara%k9*y0aIrQot2OUgifAy$x5grbm$yGLK#KMb4vt3CbC<6LQFk1t((6bGTrG!#
zt}v`>Ha|MZkM8Su>S)RO8-sJ#x6fTdLLm(bY0z$mYbGh5+F&If1!Qnt(AmZn#AxhW
z0wx-xiD}g7P{#ss6|K;+h6%iZl(tq-z}DdSfRu4&?Y2zgcLgM%LV=I5Apz8vfUknB
zxA06#o0eB2Z5Fz!QK5qZeRSP{)ffc9`74*llhMJOZ`^tPwe^jS_3iDVstykJI=w!=
zKM1)0yc*MUi)1zfa`<F``>z@B|6u1y^^4gp491$R#%ip_YOKcNG)m!pc5V)T=Tq=W
zt;jM2tCiL>5I&*3&~?!i9R(c-?@>e@_`Vxp*CPJa^P-;YL{TpY`w_|~hN0W>ypHQe
zE}4}mvfkmx!BJ+ZJ#Y!!+fR1$wk7$8$a3CIi*0LQzfj$r*dnk$)otcz<CcyYsDz<7
zYcxjGf(c-*Qcgt{-Fa2SIm*A2ES=6~0Gj<UlwJTp1wf2;EP`v0y(T4tOE3``5y1K=
z0<t85L@8C|MP=AH&6Ptv4z9}s-z|MaRoce8qEL#qPT+WuH6g0UK2#E#7;7fP8a;=m
z^W*eY2}i;uK~%UFX_{4ts#T}k^~AtM*Au}BxuO&XP2?R!Mbd+FE=hcyr$v%t_iLJ^
zeE%+hO8#un?ew<J?CkD!%EKd7XgCR&FI^SNsQu#Bt1rL&+%r#|J$u$41OVUQBwVa^
z!vGxVp?VvzJ$y^KM%4<FhiYvA-1|Tguo#R%y;u*HXnKR5m#7`Fjj$FCTeTNSS-7JB
zQ8GBvWOncNjf2S;NGVd0>Ev*<e{^(I<we#Lb==)Q7{R1787d=^T;(MexJ6M+<2f9p
zP`+zC<6B?TMrBWp3<yARe&Bgs8h9|ovF!gGYwT*BHnD0>c00Nao^9J|@$aH>(8Rwf
z>kvfLi#0|4MwZjo`kh5xpRlmg1m)7rWPqX^9gec9mR?jU_$E9#oJ|IR8P;b!8_!0E
z>1el_je#8U;dcMZb6c0L!SUAF9QdS<q9a)vfx9=9bE^wrPi0x=z)Hd}@=za7ov&zj
z3hxa@;&O3FJq75WoJXY~fsmm*T8Y-3WT;9GIR^J<P~n5f9(xe*hgkcksY354j(t8&
zLpz#j!bxzmNW`O!6Hey5EJHzC(dqWCKJ#oon~e_kZ@%`rW+><nM4eM~r9ro@<7A~{
z+fF*RZQHhOvt!#y$F^;&W81cO_WA!k&KPySZtAO5_0DHLvjA=b1B<PXh<(ii$BKx$
zQc(`5)ePftJXEfj_@|bDj@&@C@n2v!)M#y;wF%`OVCZ?8Uxpiq_EIWZ6z<$OA-!Wh
zgR#xfUB)zI0-k#)ISS2nRSfMP3z;VoQGE<c>{rOPa`xQ33^`DW-G(RRTtXAvg7Ie1
zyLr+wn&MfZ`QAad+d~YjzVrSBn#yt%wG!el54{Kyh3d~ANhJY%bmS3FZW5oQp`tJ1
z6vKKWA-|}Ao);x7gJftchOzG$9MU=!5JL-my4B_X#E<cKYKd}b{!w==)kFLd2Uso;
z=@sxNX(E?Dl$Hro-)js848cCUM!;Q_dhl1lTfU5G#^XdW+XIK7+U`fRmnSmce(2Mm
z)WFj{ymvwU!D3x&&)VVMQ%m)vL5Rwy0hhJmmHRoewpu-$yx&WsN^U0YI)N$Xdpuv;
z5o8hGn1<^<<Raj#t_$v8ma3NZd>@k|Q)!>t5j&x$%M=f=PVH@O>z!G8C7Gp#!&|g0
zF4t=)r^X5GW3vVy{ly>>k~m>V35{vW!tER~b0JV9B_K-v?5f>*Cm5{T#*;O4{+Yuq
z-51NJq4IgY(oHzzFK7iDNBsQ0=#r?k(eNZ|Y~RejdYZD@7fFnduFJj}KlKe91Oiy{
z1AvjlO9!DC{1HnfsloyE#`#zR0E4-xxHx`-U}aL{IDwFfB1!Ey3$frr55(KG^(?Q9
z&FYx%_vLOnBBslF8Q4FmywtYco!6UAGpk;gO*5}wem*iRtLuE6A~Z@W`5PI^_Z;0t
zV<9}`iY^9HmQ{t&<oT9UBRN-aP-3gK;GaI``H2)E_et#g(1)mJ#)!zX@RStPn8hH&
zp@<VBYU3Mpt=u(+Xx**E!#O-*{C$dLB^3=e(yCx-l~|NcAietL938f*Q=Y3jJs2se
z{mqV^t?mz3eFH5<DT`CZP}Phg#fEf-=({^f9uUtd)gYg+DuKKG;94}Ue^!=}DDLi~
z0QaDubR(XWI|ehdwF&6t8K4lJ=9-nD$<{nEkXrN~OnhW#jvT-=Idi!KJ05aUTb|Di
zzbR^L$wYT8!o(Nt&biQwIM_LT_cOOWzu~`X<nZ}e7cWjeoWE<eYnGH{(LEuYC?O$m
zH~F1sx*_6TDN?sHx~c~se_`{PyRP`Mxf-##?pLsXyb}9e<KFkV36zI<qFF<OHak@V
zv7HKK^AqgOG14(M_sWv(VbW*xh0#+q6ZwP&IdmggrNOuNUA}&<c4p-T)pTDxJ(IT@
zFor)v_I~ma3O~_pw0++Z3*jUR>e)d2^(5XJo^)JSCMDxVCH1FVf(xqX@CD6HExv{b
zW6wQ7*df*Lg``cCy$XkJ-b8HOI4K(gI<5dI<u%fmBS^0M85%)=|31xSI|w?7%t~Y|
zG81Dx+e}ys;+=*WAWR(|N`f&-SVS;HH%=5k4`xpm;nm}xLU2q{C<<aHvn&_IyRq$c
zKUa9)us?)XNu}V*P?+^fIvXE&Gwrx7jmasTwupm^c;Hg~-fCsja><5{@Au*JMjZti
zJ!$3y{5%jvW{43=;nZ3{vHes#c-kJ55@q@={Cib$Y{dD*Sy#7#CGpr0(KN3U6;Xd9
zd{xTy@qv-d=-x~HD>hQ_Rz%A7w=_<GcLNRCy#`0RW=7wMv)w};U>F}C7YF|e@usJ{
z-8R)(I*57cfVX^4{Cw4rm0X@LbM_k-hsJaPQzkz|dD)>q4IA=|E>(Tk^#+vv;zDy=
zmX0}SReZCLCm-leB?TH7Ba^WY?*L6ZRSPvjwPh7ap&ObV&5-%zb@z99e98cGuJQOj
zyIh2=&;;{~{(@6T^_I0QZN{OB-y>slQx1+Seis)PPa#p!>6ze|C1W8AhC4Zdd*HP)
zk|*;Hk8G+g0r5dDW=2r8)v4GH+2Kl49&s%X3QK2r@WNnna2ecmgy|o)7G~7`QAXJh
z&lIX)1f@MxNCu<r@EpSMF@f3GF@cm81|pE7m6seD=k%SycY=8Nch`<0Qcri^<E!GY
zk6Ut=hAy=(3!9!T+mprENF>Lt1LlY>+D9z^_Xh0`rkdZad}9Z6mu1^}ui43mwim-c
zOU)*DtUtR;qw^WwV*+0p>FwY2?vL{#(3G^54O5-Hn5rH?eH*85sUN0`7W}3Xnw1%7
z1w!CWz_iO$=7p(RjmgOZ$jAZfT<1fL@oUq1EeU+b7v=JM8u*$_luHVmi%O^n>(%A2
zhx~iKZcw_O!*99iTy+l$`TAF#>WZ3CO}MTb)t3$I#w6fuG|7aOassmvAaWLUe-8>P
z!76ViDyiQLow58-pCfY%==4(e`9YKcIviAq>UQj&=U_{C#gbIXQU)~gU=2fk?Mu?m
zM_K<$0VnfH9chQ}US2<WcZc8ev^N7a%z94m_$={`e;MLUUziVPvEfd7(Lj#MP$A^A
zIaYhO?^|P0Le-YG?-R+isghv(qII7z7OTS?=I$H9<yPOt%Ry;|st%uc9hv)dPC7Fn
zjvHbG#?D}cQv}j@(~`{G3!FF^hZ><aIRrmg2sU_~F!{HhB#$X31TD^Iw-6KeM7ah-
z<|Cu0r>m98vIS=GqOqL=f5|dzx8}2~GgM6hQ3MrRGx1_vgp}>*F-MgRl`@esP(YP+
z>&}h;(@%lP^<c#^*XzBNtkwAiFtQKL>Nn?2dU7&13sER0)jARs*?&7(h?DtCPT5Xi
zkWPeQM2$NK1<B!j9n2nPobywPuh%C$XGn1saFr?iFCDfSzj@uIVYM+8-Qh7|+T8OR
zJ2COyX1UdsE1QmN!6y+l8~X&sL{vq6M&%dh<Jc<8gt9J5-X{zXDkEkRa;f@B2&D5Z
zPyR;%g|eaxF%l>^5hNoR#x>NKuT;wK%f5ZUZSt48Ac-J)82AqWnZ_Gp#8d~kCqgI?
zLB?XX3wnt&j7nb}IC?w3%-FJyx!$Pbojq@~!R5f~YyOS9Wz1U0arK@f3wY<%`()eZ
z3gMp6Q?r+&zOC6->*;{`w(k;p?x@55S$b^-a(M1a6zfv`dV#!WDlC-c78)}C@)eef
z$%*wuje4}jN`g}0k=B4m<YuuR>wkDh_6!Ddl+-l0+d#9NCjpxi4bt?$J95qg(mpSA
z-O1m=DY7_(v$<O8UYR1vG(Nhd3O}w^L*@tm`+20T)hFA{C7lIko?S27O{9~hNn<lh
zU|_^x5r;{NG>&Z24Hi1`k#{j>p^YNQXEM2e#=YtU*0K*FTM7Fj98oDYxN{xP;i-dO
zP=XqCP=rl7c435^&q2vBC13TIP+9}qYo!e$5~}{KFq3044g~t8rbEVxIXO9axL0PP
z@4#2=gbxvy!=U784i0f5t`A8B3V){{CDdZ**Sb26Cmt6~otm_5PF^6jmZO=VIO8q`
z!gWBZcF?Y?=$xEtd(vi1AA~cf${!s{&3`L&B}N;7nwvKilBh7A*m$vWxH0B^1tlOQ
zLP*c}_)bYDt=lu-EG`s7wr)A^u#N^uf(p(uZ##drgVsnK$Lqh%F0=T+lCj0l`f13Z
z@{oxsm@*0mWIkH5=BoWDr6C64+!NvA76#c>r8b~-crFU<7x@_im@&RS(u^=V^ve^c
z3ZE@-$G~<S#DKOMl4-E7JFz&^?@rih<vU@#EFD9N+-3EO=7&*?u}S-`7Rz;YH=S)_
zmlKr3p~^M(cGlW$&s}<ShaVZyeSM#;-X5l=A^5CKy%x6`C!H1+4l(TOehHq<F>e0>
zMawE7a#mDvu7n%(49no9=AR96gMDJG9U5Q&GY75B!j`6v)f6vo|M!X~?dAV9Sbw}p
zDeHu{4@8jDn}Z>ix_dWHcUO>DNIj(_Dw2($Em-skYj78JR8rF6cv7->@$&HSdVf5V
z!^6YX<K^l3wZXS(-MrI*8nTe%;k@Sp^!$4MIVO-irpKlB?H-vHvAGiczw1R3*6k_O
zZ-4Xb719aI>pik-$hl5^vN)_Q9TnVsEYU)xJ_YSg)OsGf(2<_pv50Ys_gPYNOhR=d
zNjZnt5Y}gl8YEA*jCOcZ%R@>?ACg-bB068;H1Tu7IQXS#<^$jSn%V)I=AlTwOfAXy
z%hy_{+pz@T049CPCN%CUSR!B4ZKNMvxew>lVAIiVwcZW-0>KI~OC%i#!4p?%xLNlQ
zWbW14057!eDx;#}c9pfs!&f*Sma9UtEEoT_2k0)QpHEYiZHjdGV|eq&0BhdWU$lam
zgRVeI4r4;AvA7TuH6y$e<>0qOP%LTFHNY0wrP~l+f_>9#l=Sq)Or?%5Q$;i+zmDJ?
z0m20eTQ!0-njYtQ7(P@If!yO4QEbFl0Yq|;x-uSa?j$_Csth(Ua1~K%hEu&Jl{b+W
z{y4W&->@`34sQ14RE%Tdp{bS7wp->}^QcnqQZzG;ViBx6pKqsp-V(w|q~}8_rq}u(
z0i{2$T`b`^6Fu>V44!iHk0{mj4!S2E)l~{H5+@HNK7Z6)s#00{1ddDZ(vkj7MJV<c
z#nV^oY*|N?7q>b5IxQejh8}7>c%$gn3{oIvgayM$5BG2+po+Wq54$~zlq<qwZ2M79
z>=&L%c+T~X83swEFv3NVq+ue~&#b~S3T&7gA7}wSh}-S5&~*y6C(SSO&1yt+51bdP
zRWA=sp7+{M3ueerRs4ix#E{<dx0unJyW!O6ig3%{?Ue1hH}}Bz=WZ=jcHJ%VS91VN
ziiO&!&fy3`(()anBr5(uBh4jPL%ow_^i+lOaf!n#9=Ws`%+vc1zn8N{fkc;i`4`WK
z#AXa}A#<eZMu;*j>`Hsshxr2+A+l+uvs!It0y-FGyZC2DaQ$q4Cl)CB(?Ra_Un6zM
zJd|WkktvJteLmbX=5G4E*mtk^eytj{-;<e@EHGlr%S<c-ZOA=XU88){<&=J(S-fny
zE_ZJKXO~;T_PBAszqR-o(jism7IN@Wk}Y=9z{{wf(gexD8RwZYLxIip-h?q~1p|#^
z0p-O-@vUr#xSN2u@e%`<Az1bkWL}ccLGcM++rA%9Dz;6<d<szD7rq#rF(`%%AF*(@
z)kHz*r5hLQPlgEW;g=9c;S_@F1H9nkFQiW(dza{^8)Vj7K4<^w1Ys<0kx>C*&+oqg
zw=p-Uo@mdOTtFUFZdF>AgOSM-QGlH*9~$~GWTrx2dOTnkJ_AggjuG9H@*G=PsNfZM
zfr2lB%)458L&b+oWT7pgCVw3f(2uRv=6Z^kP>C%hk%%0u0>N_;pp7$i;YN8NsNSHi
zI3qws08vcG$U;te!)N%}7wS;f)+2Y}bT*sMB29-TL-VMRHSjNEYq8&lFrquihfrFu
zI0rQ}y9q%uLN21o$d&j!>{xBTmF0RI?`D=Pa3q7Pn66Qx0_Vh3Vz#$mo&+vLl-GAg
zO%|#Zs*z+@N&G|AReAvh7sa77#0l`JS4F);4UeR+E1{+zdzfpqL|ZWLFc0GuLWF>m
zIc}I@eZgtY@IX|V?QPIBj|*CJZEfG0H0$CraiIM@)k`-SDH7Gp(n>{fuL#$GL#@7b
z4n&Q!^j_%z5fBU;RqKz#_9}E2B!asCA_o|v=YjgV?!Sc{td>?LIu0$G!wZ#OpViZ@
z&gH4H83p`nsh%N!`}jz^>WoBZn=02)TvbLfuy3?2EKJ5+x^&f|8}O81%cwRzyU5R!
zl|narhxE{Rk_qApET?0$mvll4x?Lf@rQ)QTZ-}Z^K})9!;#xzIL{%qLMsiOscMjP2
z#nih=LC+=aG|re>6D|TTigI;$LsdcrZM`CHZONZzq=<!X3b2ExTD+ym!d(&B37s>P
z0r#l)-lGR@|BKrN=L$7Z?+?u{7cu|%v}z_-?s$fnS8-8`>fooSI!CE_Tm#&Suj|*4
zzOU`;MeDZn-?tw%+sVM=$DGf%vuY{Tj1wl)wWL|$w5PLdx@Q2I;a_;Cx4#g>s4JYy
zoUt2|N6qekXoQMl?X6p|h45#oW|9yqCKmT&`SN2QbH9$3qyMGU(Mg?Pn1%%}`rZ5y
z#T$;rIYVC)8a`=x&AFAj^i}0$1Sj_hj&+BjK%z+iTI!p9lv%fdS{isWJ%JR{<3~^6
zDxd6?SlYC<0G&Jvvdeh$^zd=<@o}i@)T9Mm^}HShy&snZs~Th^aE^cI8OzpzI3{wl
z%)&Bq$1<dYkljJJfAqCOg;#?X5`&vkB1kc3UNw|_rOF6;5DS2)mTAExlimGVJgg|y
zc^WcqZ+NV_JY!cLC6*Et&$X6LI~tfwg97dA2evQ?4Bw+vPTMcgx15ghTiT|=7DC_X
z?IxeqgP>P2b-Vt)pz}T^_j@~*o7o;M$HYBpBq$9To!?rMP(oLn^A4+i1hoXY+Ans5
zOf*ibu}ymkcny9~kBQ!{%K+pkJX{8kCSgkTFr-Vv!@<Az6{}wBzc+8OHkGa)4ePY^
zshL#6(h8o4BuI&;YqgMFtadOdGchje09OddfEY1|P6n#=PjLR`TcQ(lEtQ@Y?wmGs
zbV$8;HXr5z&|YC&jr>i^qqf<(y+(EVGJqWGE-Mhbu*LA~s8-9>(ftwLO&rfuUl6Pr
zxZmzcD1Y^7#a?ZB#G&8kgUd}y*0pJ_lc6n$99#EPeYQ88r^I>qx-+KZ5=jD^RY6wX
zR`19Z`QI!<wfJ6muyfiZras_L@ifPsJO<NaKJ*5}F2V&Jz5~F?tIVdc3!8p<K#G4;
z=%buFoVxnAA<J{wO&Kgt+>)j2aU~=l1n30Qt9WjBN|5ltLHN@P{ZcLHol2ksl7nNc
zhZv$2DVyLAX&8$P+E1*Qs7R&D&D74#-W+38z8j#Qy%bq^`FR*d?vCv4?^_|KOBlG_
z{NJ8tt)3Ww$MX2PvjE>~rgd^2-7_w3nCoVs?j?jIETpKf1j0`3p3;U;h4XLU%_4d0
z7jt+>A9c3Xq~?9UX}JCh+9v+{Xw~ypvG^AwBS*ewck5>&VyfPQu^+<rH`Mu8m?RLU
zn49-2_?_BCOP}ngw6>`so4v>#%SBi|8TU4;R^w&|us`oBq97ov4@fvrrmv0*O!CEx
zM5Ql!vwb9%&*wUJyQjU?TJufD&)pg0P$&nHU1DpkrPMfzul+8sBy;WAydU&3q|WJA
ztefxJR%i|ZZ*5K-r3m08f+g}KZ{$H(PnnexlQIPBcDQ$CvU`e0GL07yvPw_xs<Z4`
zyS;lv9rN=6P(q>VN#jBnIM<6CKxSx&Cj_KH*{5z)_PbWR=UA3Bi#SJLVk6?J00aNU
zb9&j?o%x=x`5LeJ7#;|-Gh56Nvg4+R51ItI3NLHisu}OT_T)rUry>eJV?Cnj_lD%L
z*=~@4RZ|}ap%BU)H_g`Ugbp<9nf@sx+$#v}_}2IM@%K>7=FcExM4c4dH+60`e_Hxz
zu&sCoys-51BtSz|osR#2iW;iJ+-l*7#K2Td;#x$70!Dk@;8QW;dX-9Bpo;t506V(8
zhU<A3*}r&|#A9d=oDvE<P}d@8hT#=cYN#dzP`r2x;w%3u(9a{~c=dF2TQYOTXZfXE
zJX|)bYtEb5Onp7OR~mz8%MUFVtvxxxGdesM+S*aiRoBd?WuLY^k8gIeY-u%B<D#8G
zM+nVA#-Pg4v8F4h;S}8m-W{E%EO3d0T3cvfMiV@W%pw#VlN2FrD}43ar>gprdUP5m
zi}pyz`d?Ad^OVY)5F`{6Twmuy@eAzQ1{WjV9|UgLFs5Tycu|!)FaJ99iRIFk<Lgfe
z&$v3e$~NsyoxL4AIDhZN^?u&HDLNO7N}X?50bTK3?=_)@t)74GI`sRFEM4=8y8Xm-
zMr_@hg*o^>8Tb+B&jcwUx7my)l+8hm9PqN&bM_sq7eRn39m&!ubsDP`$PS7V;*896
zuoGKWnfEPxzlSit8_2qf?>4`uWxqSEYZ$aiute#z1W3}}^eDc){QHtWwnpCI*GQh-
zk7yG7Q9NWG@BB=L(GTIsP<_wAn(f^-ad;h<fQ9GUb)%+Yvk;m)4PZIu38Gu&VBmlV
z{jX?SYM$S_`^P`i5&fS2ZrPqrw)HcV+MqBECL0QvD7SR;)js1J@T5X9U>;JCSs{di
z)}LmdS6<)9=&RY+`Y8_R22m*hl93~h@_;y4qeuK_g*~7o%n*hyd&c9VbEpa*l$lRu
zl<e%5e7j~iascv07C)}4A-4Gip<l3HY-arh2YugO{h>BWfZM0l)BLfT=1)`m^I|+}
z@^)1yVl*!^yUyE*p1bqySL&XR>2*D>tlv-<1EOTNntP+mf-T%iMbm}~P1812b_Q(W
zAXH<mtFob_;52|@fn~~9AXrc7Xc>+E$x^dx6#~NpsUf22Vtq&Cmx?><g!4}gmrlN(
z?yVkmo2AU@_I$VO7Pu=$0TIZqKEsS$T)LR2it?Qu4cSx`DvH-3Q^oN(nMjq7JX`tb
zWVB4yVhHBUS8^-jufw>(-3U5BDhvbW5eAFxgK*&YJUbya`f|nF!tum2ukY8(YyIVW
zew}kDCmq^Ii88X;P-E6r6Du=?%KN!VRl)RxrAdcp1B?rHbM*9mVapbW=l$<h^X2Be
zt=SF7EoTveoE({5IJ8o75GhlqKM7tFr=}E11}4zM+}Do6xvm4fX$jB{{abx+Ofv?x
z`$mkAik2`dd$hck^w%`W#$ffQEq$d9c*m1mMwKE@`ZpwW3WXY}2&D+(&}+RdWIePk
zu!>mK{l7B`U@JqGxFLA5r>3trUO&c+!m<e|JWlauWbl}hkbf>Behhz}&t9b7YuN6;
zD3H@Pd_u4OH_Ws3J`|l@J-U(2m2mBXlWzpK%VK*Vq}fCW#tWQRWgR%V%WpCcdIlI!
zwzeR%gCGXXa_uUD4B>l!+<IMieTRL|JQpX9^?cENOZB`>^aw(g;tG;ILcJVRAk6T2
ze3V*{fnL+~evY!Yv5d+^<r!n!f_i$5W)MlkU%@ic0u}~#g9)I>g)yhC5&(ZiaOaMK
z$KZLYPv2d-bZl530`Gr<+4NqZoEw>9B|@PcQPL7e1PhRi1m5~01B}QR`V{<>7C2F2
z1O!wNR3PPD^(#52bzOFBcDg@4TXQoZcL|au)|}Vtob4=bLwkS7!QTh<AwH;MQE#C)
z{4nEVbUfZN3zgct)pch~i<l!{rR(S9&aSvpLW&*zX?bXCC3hv$BwHPqqMg5@6ZfyZ
zKe2<w^eUHUs%djN-EUWih9)8-i%%;GgY0_VuiUzCqwR8Xag$8|bpiu1DS-5lxC9LV
z3rH@e#KcgrI@mt{+YJr5sK+kBGQU5FxCA&Z0herO9Fa%-EHf5lSAB-WHZ?16B~_#6
zT-?lJC8L;E!{zO+saJP(CJV{DjhThPlQN4qT<Y(;)4tu?*UgS&$ouiX{ehTIjEA%#
zf6t)8^If#4!`C+xnfn;RMGjh(K$>MS8jud$RfcWIIOZp79YA`k23z$>`rR#bbZJtz
zy}k$dJg>Wc{vNlVc<FwX^GiQK#G4JH41Mh?D9G5cW)hZ9S&Fb}>B<Dgf4X94xL9Ln
zOrP%Vew|`w>)LspX8&_uF9&&d0Iv~HJHkYj^VytR%VW%pvGRvl32lrmRF^k${HIQX
zv9m%$Dz*wrg+hDL5XY*%BBX41`L5tjP&Aaydf<`ndMFQCyIg8$F*-YMV$M|f^Pn}b
zPc-z9Jm5jiaq4cc9aC$3sEnnRs62&%u%?^!0o6soo!t7$pME?XT6labrkW_vn#CO_
z?LS8_bg|igpR$6#aw7fz)fSGm&jp*NG+VmB$z6w&AK;Ibp170_SGz*V*Mi_;1Z-oc
zs<!#r1(ZClI0T@}K=}+WTb;`GJ+l1`>G!gE9nsDAJ*~&V&aPdhb-dUai0lfZyZyAT
z7jEd6<n(RgoeMLqw9Q+mJzR}PQXY=x&-=NfLA>4v-dUa5ehCH1{zL=AYjcO4kE9xp
z=zKkh>E966)O^}*vuVwWeJ}+A^W>4EvM6l26R;3;Up^Tj?V53`EvaJ2pwE~TrKesC
z+9M<|!Mhz0jk4-KQdhx!fy^`O&G*t5O88prrA`H1Y&DCFh?A-8#AdaNb;a||B{X$F
z1t$6jtQb6BIADPIugR~c9cvH+82&}^`RA{rvm@lfG6;@3U)^Lf?BgX;F?2FbXOQ?r
z$2eX}@viHo%%`Kb+O%#b_nW4~`=2;5%yx52t7+3^le??i*R?H)%Im#KEcU4w(jd)t
z`6nfaWWZdE#WK7at>C5@cw+2*YeNi1>{4Z&Fc*ZX=D0}Ir#eA#s?H}{3?_yCi1qi2
z2{M{nEICgeCA8QNwmCIPP6boDr<pDunxzZv7Lr>-%5Vl_HxR?umz_Zrqi?R+nFTPF
zG8)kW#(y2n1q(m5H{oI3dN@*}7DjNz7=NVs_F719)SEfsCV%8An$}_j@VX!E2vM?s
zc#U-k%JaFeE?wQ1%zWQ`!t=eH+&(_aC=cNUs1}FKDa|M3C^sxDa5?8&2skSvxO_HN
zMg+ZP*n2u5H)k3+75?gC=b9=}3Vd(eO6Q<cJa9&OMuHoW(1hGqK8UlJI7+?&K7?r7
zW3FZxk3PI@RT#E}XCY@CQs<W@$OIjQemK<#iuo*}@UZD1p>#W$HEP46T9$7vavUz_
zzou+s#fchHW912#)R=3{FrNvlqk$+AW15ROht(wGMRY%5EqOnEc&N02THltw-s0fq
zJk79e+CpmggYEUfAH1d==y9xee8lo|gb}#NqW|xOC8Kb?qhZa@yjm9l1!B1m%4n^!
zWoO^~MadX*LbOR$H$Pu0ugxyhbb)#OvAOJg$@s7f(k|GXmX?l{ZTUf<%kBB&;^pP&
z?k?zg%kSYRb77BO!;M_n?_B0pq~#U05`7~N4bb0E;ApKD`&zxBBa%$GYK_FZ@kwvp
zdt|%bZqYWslQek{U#+n>k}gmQNh&|QD=VIR+0mWvw6e22yKA%dk5KkR20Od+M(H2o
z{kG5=4Z%OKW!`~$c@SDgVEZu$O7<;bV1t60ll=Xk=;Z3D?~T9JhrpXJ&rMDRpn^ff
zZf<F?mNR3@gz6)66FE!vnbZ_gW-t>WtTSbLe;P%FFfEucps$d?9BslX<@o(qsV~aF
zPv70wV-doyPUG_Tk&4L3Z$<x7Gc!lH`7?v{^l7+i&TcJQqXoR|tizxmPtw$eFWU2Q
zGWQm`#vDXld0AjRSp2a^W%IIUM@n$bufa5MX&EvXOcz3F+9>q$D6l!0l}nAk#7+eJ
zQbN76N6r{+B@508XF1&=BYtpL7#~DVH~hWN7|2GeuGwuW4j*{5%qx2NWdg(ey1@~a
zAitQ<J$LjmVFRgy>m!>oj9e&K*xyzX19U-I)0Cs@cE8~5NJ$$=IjT1tT7pV$k|_eU
zJ{>>EOb~@<CRlgI(xYOBMxGw#pTo^r|5R_jWM&>dS}M8u+AA~2lQPaK<Q-UWasIt;
z@QQrhHPu;IWqV8+Pt#C=)3k1PY3Xvvba@zf_<HTbhBwciZ%@%*PM0QW@c^>*{B1Pe
z%YxKjdXM8OSt|vdCbg?@Ju4-dVN9LIV;6-Ni8%&QN%*Q7VaspXfYWq5et-3ElxLrl
zP@;e*ETss6ZUCFOvHyhQ-dd85j=#3g78TU3wuT5s2p73YzB8J#g%T;Mg1kMh<|A9a
zQQ`FH(peJ^50BU9PQ$Qa?j1-5S4Zt$v-9$6+U3PdZ8w+CBYN%=ysPcvU*mrZIb*x`
zmL2Z&r#;k=7`+3n+ARX%{xhfEC&HFY^J3IK^~>v*rVW>@6{a1Qvyy{iSI*sT4Z2;=
zU--7F6Q&JqZr=|V)0;t5R+%at;4k{mr}5_B<6U>C_1}zXZ-}z8(6hm2fc1=>Iv#Dx
zuxilH&{>c5=O(K#-y3UFN{vGRFOT-77@4=Bw0`Ecrnz(`TK}5qdZYOhB->kc1q!Sr
zi$DQ>9U<=*6|&9{GTc})t^5N)_9zLtE&M3l5yRTneBDsjJ{s=@d%F3KZRRu3Gmbus
zI=f_`7f@40(Q9a4+a#j`5;v>jA=s-F0N4`x(HLHUxuU6zY~l59!P&1q5JZ{T0-Co|
zFuVg8{~cV}p<l_II@kso+qylaH8pw}R1@TJz(TgYhhYbaX_jqlW2TX>&Wt+J#fj3#
zB_mGRJr2%yN2i+_5(rwxRON$pagOn)3!mWGOl-<p+m*8;#bVBL62<BW#cC>}&>G5|
zHKllQq1`))iJ%)nMEm|eb*RGNX%yopj9eJY&tME?%JHAQm=+ouD1gHSaTMHUY>-(o
zuNJoy`puoy8OQ@9{(d4eKV@>q)bUZ_TM0o!S^{u0mwemAl`M(dI*Tw84FGARSNb0o
z#W&-N0rmvUop34eMaq5OnfywmWKl)RAZ(!(NH@4?wz;cY_jQSF0D<~kSf`CiPZ#DI
z+=F8~+7f_mHu<V!&2`Gq?)zn$r<_Ce++?|>5o3a}B+)uE+NQbN=9Dq>)%$y{@N9>I
z*);<ljka;@l(O$VuF{&P7$+|a@TeZpIR!cfym;+wVsTrGT#8Yl%6?!!e)02*>fDc@
z*$O#_;nj&xf4t>aNI=yf(_Nu61!e11C>*m8tw$VMe|QXpRe5zVC>?cB+FO`>GYB+W
z(h(H=7=C}V;=Y*Nk;kF}P58#O*P#=E%qdSlKh|{B2Y9v#(qwVv1Y*YbCiit6j@xy)
zemk7<bYC4lj_Oczx2pI5RDf#E%%5j0<4rEn#>MEWPO_jkRUd-RvC<~<NVi<U1U%7-
zIfZ9E-yYC7i4kW1O)Vah`fSLJpIvp`L%LnzTwUYSmJfWs?#^vFE1H|uK#`S^bM<Kn
z!$;jjgyb^+kzkg>e~=_qljI~q-I=)pjJSNtyInR9J0Sk6rMyt7RRg?F@$dgJTMpKm
z`+X!&D9D<9AM65H64K?uGI*kGYM%=|P*xB$o<qWr4TH=pfGQ6#0V!{^2YRk`Gsva@
z6_I5VQQ8^{E+Q)V_P<Ho!ATS76*sVlx#~j<c!XLH_Tu+7{sJ=^{LAb>adOIelTno;
zV-(|ok^OBV={^)+{{*a`q`PtZFTMWnIDv~Cs28-Qmhd7csrNqku3-OkdI7Y=qfE+i
za;Sn|eCkgtq^8PGlfmYGSK|KuPlpJ&qRG95!lVo@LnjxI69y;HFVpbYX1h|?05kzJ
z8s`%zL#I~%6kTKb)iBZJ$mo%2QQ0(J!IrqP%DkW`4-2Ssv!SYxWAo3S%_5&adP4Qg
zlWdnl&y}LNZ8dwVL{PtLSI>Q)Pti$NYt`35`(e%pRUw}zh;8dETf^B-JFg<$rl?I_
zKqW{^3u2u98t*uDU{glP!EX_jkz8mHFGXZLw5O#148@4r!CHrgx?Pw$WqZ96iqJZZ
z=0)M(AiW3A`-^9aKoyhUb@zRPP3DA4R{)_Xa5!eknJy^@H|NCBv%!XK-Sy_vnqeXW
zq|PeSMt!;as&MS+`RXE@Pnk%r!!UrUz=081n*|JH_9N(auS~dL!ByQc1|2ZN3C&hc
z3Gt>PtYJRe1v0`?`%PgAA84w{?juHuN`0X~rJiA(L%IQ+MG<KY#()N}wg=_&`iN=)
zM2&;vSfs;+j&g)Aa)GsHzZ^%bei&5F6k*xa@tf?i0cOu&mX&$iVqAGtz!nYd1QMg%
z$gNq+xqpV`+%>=V{2s9Lz4$&_e`855`clAk<4ybT*}iHJdp+1t7&L;9oPf>Qb7{1`
zD$}L2NwdB<?1BsYI~bodNy0yezA^q`NK%RU$HBkaxAnDpI(IrY_w{!zcV>EKdfWYF
z=i|ef;r9+CR4R;nIC&nHzV4W8#uudYZ!xOrD)}TIyS)_b#|N<mR~J}WZ#!TGl7?x-
z9}O_(OtE+9y<6+VI7W+9k7d{zXA<ZKPwU0ar_ct~-qq>|#7m%)d%`{}aw%YxT9BCD
zDnI~V8}WXy$H9D>+7<40LkjK&=GK9EEFiKCauw7Z472plzJZ@W?J#hUD7j~ReH9en
zm~`ZZx!KRBJ44;241o9$CwmnP>@{5U&++5e*k6@VaEQW46zS&|6CoWlhA@-4Hf`(l
zJHDuD+2YowiE=h6K3@ERIHynQr;bqTizYkAcYP&m%6miUvkrrUo(rjZ3+<*Vkq5Vn
zg@I!?p%|bJX|iL9tusuJe3Jw?y&2-1#*T95>VH$Q@r)mb6=w}q!eGU#7DA=#ATsRV
z$jtmA(`JwuSXjIYGtOc{8j4D}=qZov%&RHSa!nyckE8OhG0O5+gNX@MX&rOo;h3x#
ztO+nca%Zp1(`N`xC`7Ih)V3iis`XTjQ7s8r<%J@X4^B?UBI9NZFgYp0C#dbE;pkQ2
z5?&4uKwAgGh+LkCD@W6k5nm(rr&^vvP%Ih~;#!+O6mG{x4WqEW@cyRHy<$_<v3qkd
zssKzYnb&Qx4zw#|3OKW_uWx(Zn5InGY%Uyb!@#PPVAZbaUsY01B$x&eH`&JoG|`PE
zLxh#DRG|pBrv0r6r$W}Z-hb)-_Y%(#AmomjWF`8=49mJ&TpyKuhSZ)ZuePAKqW_D#
z6DnlPpO*)<CSr{1R5zboARimz+`0d1%p5wIy&Ss|(lb_})j?fPz$`e(O}pd9Cg!@V
zy0BuKHAOOMOnIRbFlwcndz<TXb)CAm-TwXNa-I8h+mVUe_}?<;864jx-M068-`O?f
zI`5C`v=w2ZswPuro28&dVvzFJgI-(R^jU{sstQZ?)N$nJ=cf>sS1?-1PBM<_;wG0F
zJRUcDo0FfNU5qK`JtorO(UQ1#5(Oh{D0oC6Qj(7s_k~p!HdF>%wvO8mexk3=wfkcO
z&m~anJcpNLl3rEW!>&Cg`2!pT+uQ*5RElA5pOP9r`RfVPKMZVIfBYBc8ACn?T0j9c
zK0s<VXhj#?Pm=5}MzgsA2)7$cTj3P5=ZH6G?l}I@DtVK^-o^w&$9T!Epd%Oly&7od
zx7ZSOWF9f0mtZk18$-qcalh{#1%`VjA?cc-AnXKuT4s<f#RLLy2V)W3Gg@MoPoQ$7
zs}tMu_QxC7_RHEboN1yo81Wt$Aw;sl6zO#LbtiaV2oG(*E@0%5IV_%~R(r|)sg&VH
zGeCcV<b29F63#Nd$cP$29eNEq*-5(j2!%Pte4cGQP*xAV&V`UpD_w;*v)r3VCX`5~
zoSt(Q$l<J>Sp(t-Ni|Rg#_P?eq-sW=II$ALp#0AubK-&$nu*%lL9+3ynzgv{btgYZ
z##m{a-f#E2_+{uuEZeT%9xfnj<4G{0=<uWkL<D#^zEN?1m*9B}90IdF_Uw1hG*7uO
zf%e)!$ZFvVJ>HOf^;y8D@T<t7;8Bu+1Muw1%J~b^RW9^bjJh0UX|$;3T=Z~o4i`KY
z;B3~B)pMqcgXgLmt1eHfm8%vw>11U^ShRGjqoSRK8kJp2`4jovjp>OoS!XPg=igE%
zRZI9_QRCGoLCSzuBKy+KXdII{Ls|@A>y*KkgDfeRY7O}Sn(Cyl-4Y%4NLpsJe|6wu
zoX{}E`trX9V<Gx)CiR0-au(XtxWq<zNSfhfP~OiQf@~D2Nsuz;vf@S>3yc*)bm%S)
z-Qma(G~nQ6s3c26v!o}+PZm8zmY-cfo}Dv4#qhn_%f6<(YA}Cz;C3i{7B2gq|7EQ@
zZj<rY-eY;K?!V67#v+eSlh0|w1k)9b6T!R^>Y7-~CnLv<>j_TWYg<~}YSj_^^$tW7
z4l-&#w+tOTy`7&gK3*Qu;`o4}maq(Gc(=+8cf}}GK;CJ*aS#8%%_}$mwf3qF2yGs)
z<*JYk$Vej6PdKC!VJIU>53y*CrN4wDl%N33xVO)Qp~(u#Cx2;|m)~nilDp$ea}l4$
z3B)#Z+yUJWga+^DPx+!t6sLpsFKbKT=;97QfAOycQrb8gg)ntnxEIPEKMXNS;K^uu
zAzSqr5c+9y>8|62tE?^RA1gNp<j9K%A}k{R8;*f0@kY#J=#38SBX^RTbrIF}H*`bd
z7L+Rxz)!>VbZ3Mx*?;}IAm8@6ukvy$=7=IXCWGW?qk!!~NCgACB~Iq0g%h0TMwKZH
z%~47&z`evKrLh*CWKsfpO-BQg>JI_ekV_$(2E3rSJglL)NEb5>^rV{8;=s_PNz!W2
z_LTuWoclsOj=O15As0}Za0IX+W4v;3e*prOc6XREw9Mg?VA6|MT{Zc~Vb`(Cm$CXU
zz{E*gUv~UR645nrk&RAhCIr~jIkK<A@~?x=49B|<wdu!7c?lIxp#Dlg|2pA}OX;mZ
zf;EoOcT{a<MY0cTC`GSMO)+&RppaVzN~WEqP**FYG$vXq2`<;txJ>(Dw%c{*(1reG
z(QH)AmZ!CF+L8`dnX6k7cxy66b`2EnE4BNms;P-`P~|m9H|bQ>YV3DK+0@oiS)47Y
zE$26QHHbuM_-81)sk(E`*2x2lAz$fpMBr$|S?Z?*Crg}c^-4jqf$067npf?=1u=;~
z-bDEz{*+$ORt%VAGAR&7-)?B;Nk7Qb7mv_JS+<4_ZmVba`^$p7Mn{AfKGIJsuD>5C
zAs?S@4^~nZu7x}~icNKM6tEQHhFtp_EWkm|4tjRDl%GinA%{)5?xp+L1QD7l2}LJ;
zx>NVM(~A6SDeUS~^t;2Zbm8NX;Dq~h-|wC1f}P{PcbHoTmah9s4x8=oUao;Id*Ee<
zBR8{A-x(@*$dtt&3k}_qK8T()IVlZzBoga_2}7o8<m%qZiGA$O*VdM?ra(yv@Nrth
z<Wh(=XVA<Q3T&_`3)EzgQ=T&YZLyK~HUs_u6F6H~1hW~LE#qlWE+I%@+9wh*p*suv
z*hjQ^o7pKcs8AX|hCrQ25$L;a6k_Js3?oZNIzrsakUy!jIh>8EvsTa^0a+ea?Nxkq
z#1!Z>n7Hm8aAnTP9Fgg$od)B?ON@@DyoA3-Eb{Ib=ila(9tdvCYmixsyc7asIlXbP
zsZF(hUCp4U{_f1#y!veN5^#}3b0G>aMt$bX25pq|(V|?y`}9~J9dG-6Rl`EKYE@j9
zeC^Sy?Z&Lr^%6{*gXFWMa{^F%ww;&I0v-;q6O|Q6FKuI4)>85z*eH&E84$77Q5ljD
zo+6GjhG&{RmOUH7!JzCu1VED_c&7qi-5j{9F3`D27!;jR4-0HJX{vBMa5{)mSoMb^
zE50e04-aIH5bOh+OA{vt#bL6c?-H^6=WkCIm&Q(m*+Gr)l|gWyrokty?B4(5XAo^h
z>vxoINlB@UvyX2vP8&yB9Y~_1`_Se7#T`-u*tp*(PBzGp1ryH5iR7;&xzHxL43hLK
zP3lWZq2AU7yDV$85}{v`%NhrDHP;OJEXzmiHc(r@*`SkmysPYV`&Lj<uE?}nwmY@`
zv8J`#mhM=c53~B5x2wL7c`Iaaw+f&P8_4xTq_oUyD?}#{Ua^m4dHhn<fT7W#*Y7HH
z9E`!DNvQqs@735VfLeh^+rX$EL%<icYQcth`V@HmlilRcnG$JPD&bg(yb*8yuY*ts
zH9J}X2qF9cgq1h`^?QsRzhp|wzm`k}#B|o*+!GabC&3DSDV2a3JyR_u&S!xo?}+1s
z{RFp+>eR<#gW|rR@Hu9>%GS14=zgv1l~woS3Hh6Ad3W2l^g9HZWtq}omzvXj{(IVN
z7r)AF_Ww`-KDe2G12w7J?>s7hX$VV^B5CM;fn0mAl>HFQ(CqLOa_YI=P_uGmsJrj0
zKeJ1wOczd_e{?tIv&7?*wK>UcY@B1rfRkBBrc!3Aw*DYx*sJKO%xbb5kPsS}DPZhZ
zwpkjpVleibaC(@jDuVz5tb6IM8}UHLEN>K1<*5%Z=8S;LgDRu87a}A!ANNp_WaE+n
zcWkvm7AQWc&c{G;F0e5#t}O`W=ougvB14~qgyi+=LLP$5MiQwwhhXE)7|Eb$Rqo93
zAj6<lhCf!|zxvU|wUNM^p_nUJ+X%6e%-Y$HP-@dQh0Pszw}PsWndUsphjLINiLTW)
zn{-&`pX=@+Hl0uS(y8DHr1E6O35S=I1Qt8hAFHo;P%)gdk5LzG#)L^{ew9zr7_pxg
z%6bO%x-t>^9CIMS_#SC8+#oA39VFuz3?2Beh@$Ef#kExw#2R5?CUd|gQT0EU-?Ten
z{>~(#3JxKCcY*`ePt0!w26Ms{^bJ86Ci*wZNns2?u^g0VaDaB=dsuTt<y=CNDh#VS
zutB5Mi#(WvTS6I!XW8?5_~-B_4;^EIMHcfcqYP$07-BEf2-;HGhUOp6+u)Nn9IKQ9
zcxup7l&1D~()S5wff*#xtq08avS91*>Z!EF+FX}jarHPkI(rMc*mi9S`pT==`(1Fg
z<G==ZmHVA@(vh3FUCSJMtv|M(c3heYN%>b}bTEg&2taXg6=*(%6s5YXI0dYdna0-`
zV{8i4rIbnre;@hlVEk*17;}4Q=v#yG^Ng-a`b!{}%t>dLP77Jm6rBK3hIC5H7$RL8
zO{un?RYsuLb|ki1xu*>TS7S1+9YMDv)0C#oNZLU@*C8Yoy9344x4K&T6xPia2SX5!
ziN2=U9x!?S@+76UH$e8~b=~%Tp!BLHxA+scgcYUf&-^+c4<JED7fsOvzMJ;@W|XI_
z4|@8~d0x{e@A-5khui(FiiX=Mou@VV%Xt)fiN^GWeaH{XyoVnGf$;s+n>Smg!jUms
z8Y*zsXo8#W9%fZ8kJn#fT9BudBz-JO&ISY__~dk<J+z0L(U`*%$y}<}9H%wQqBDb`
z3x#t(5Xh8%wtl{(>lg8nkwH1}=m7^=(qSD;B}qpo6xnNuC=XsbD~#woOJ>r@L-I}u
zii8qo;%Ss|7=FGTu&*UaMev?juCJ`>o%{*3tbwHQ$H6CVdS;fqk97ClSj}cb5VT-a
zAnC<u2iUmyVFDeD`RmfyICeW0TC~Hjb%|QHwAvtA79RP5Zf!G#!r6j|3Zf)E2^N5%
zd01?Ywr*<$NMgIPMuj865pXdN`%)#%4d=8iTZK&*E|%Uw;%89MKtYC-k{~?5;kORg
zjZ|whf3HR^`%Ip(J1NbKd$E&J-wM(?GR{gQXH=OgBe+H15@do@y89~sn70YaIuUTz
zLLmfY6%0fN2me!>^Oy+0L>sLYZx4=RG6ZVNM5UVgny3o*`geIxucf(oMLOOdzsESt
z!Wh&tTpavpyaN1H5>N{`60mj|L3-tYR5BARnBH$|KKtp^SP9sKa)yV|{6B}YMf7MK
zL`|0l=yDiIt2~`R!}xnHr5J@8Mz^f&+`MyIK(WbTeLQd9u6Z3-Cog}{ymjnOF3RkS
zM|!c9i98}~QOf-q3OG4<*4Oz+X1ANBQW`3v#vlS(_oFuX<Ml(TC^~5dPJ0UsX1`94
zo#k&bK%(*bjpIKkGzOxu?XsXj&!+<xiuFa41?NeqdF(p^o#BrOF{}!rR2cSkP?BtO
zko_#;`30r}pjX(#v%<06&nNFM|LD_%IaA3x0pW^AX=Ws$A!siT+@?Ttm?Xd^jJpi8
z=|z~|)NY~QzT6lyWU@^ScXr$LKNR2jBKzGVe{02lek$f1?hy=#Zq5%`QGZ2uoPE2U
zUS8Mi+4<~sWP=|4r?tn5@t}(h-fz$Bxf*Xl%+FNW6h^Cg)(;H)K8xO0*3UF}zhbPC
z<~aDI!jd&$6<WWG@Fmun90RqV9DCDMmD3dB1kT5E1<TcE`DgBi-#(PS{fo8b*_>GW
z?or!LRgfSyE)*LChx@wQ7$f8ffzJ(jB642c=%+Q0qiXQ6jtzJb5w+;*VF*{*MyVQ9
zbQkG?w?Sp@C}&31EwWsWLXP3S@D2vX^2xyhrK0=XO85i+qe7jFv>{wroeVsChBtV=
z(_?2#+#V}9u<#QieDF13Lr8JlL#tF0iVl5pK@^`ekKD$9E!ZX&3K@emVCvpFBShlJ
zMfZ;(Q98X$*xLKb=*s$V71rF-Tve9Nb6{=jmEi@AD{Luy1>=58rmv5Z@!1un!O-hZ
z(9~yWrz`827!)Q;4u8a4ip`u~-Eir-$o3GN$AjD*Lwcci;yECrgtl{loTnT$o>+>s
zcLa5f8DFm_uy>?ujNvAWV}$}n%SI@H3Y(K&jyr0<N+Thjh{u_s(O(2bkBcc069OEJ
z16e$y&iqG1G64N%qq#WsNR(dhrZF~fGc<{cdgMlfKzD{fx0aXR0UASi5oZ!8f*X%$
z<ezf&(!A^px)!6gLHZ4*yU^(I;a6vDjceqJbh6s7W;E{6BZgFlAV#pX%_H@6XHs(J
zB4vk1q1gA|bfrMWi4&2QT^j4a<X+z1oP6wSOOKW=3;(p-Co^#-5F|RJ{n<R3!J*6k
zN%Poc|8adWGiDOP)S_2|u82DWn|6V~uNcgZbUJ>4+F-2BY+)9A5VT*&@0e{!rLast
z_(GA6uTzM9Dmzn6L$)4z91S4ghf5B}rAMU_$`4a#PwA-@&pBrG=NQUjBH?KW&e)>y
zoMxU)aDuVd`*m`dXk^yg{R<aC-8fx?mToGx&x@gIYsAKTBZAJ%{X2W6pN{6=49%AX
zB^Nb$wT*Yf+b_PE?Jj7)eb8@(j`Owa|3|!ZvKDUh;a~MI+2vXxb95xmvg~`1ZKSFw
zAd=8X3f__K_Bd)PFVyqnk+F^evoZnUtxy~V%d(L7&xg4#ulKD%zz(DNzS0*qP8#cP
z-=ractQGOA%;$N`eDYzM*y${=-Mm(}JYdS<fBVB<#1!oG#g8ci{%FzRfsG#p4{FR~
z^a<*djEU=jE&{F=eP0*CKP@pbz+VsjlJ%TR(uU~gt&k|qJ`9tN+nfNIa#z#jCbr`K
zIek1@Yhef0_<8|;NpQM*kvjL7YgTBiqNTX7<XXVCd$s1OBrsx*q!C%N+Q}5fcOg-~
zg1gb8nVXt2x9lL6Vexv3%GZR|N()M@JN%lqtV8h*tY(udwc(1_QG}e7QJ=4PK90Da
zuXAzc4{2O<LGt>fpm1zc2>H8DFCG`~_FjLjBl1QEMb}f@4<)@S9X;IKe9fI&GfqW0
z#s3};cmTC)awkQ)&B~5y6_-r!fa2qqTD}!9kz^O$wHJk-3w<dk*ttZe7Y{U@hW9rj
zXoQTfXk>*G+WCZCc0;3-8bd_+fXmHzh%d_SE4B=v5+6DY9)1IhrUw5kzQplYB+IlS
zJ8IzLX?@vW`x8-AhohC{JX0z<Tun^}*RDuGshf;cD35)j*JsFtO3^n@43i8Gc18GI
z9O!?fys+8q=Pn&<lNowO(0+cB3b{@WI{rJr%L>>xI{*6A^-Mp^uC!iutcH0mG*)NB
zQ-Kr@V|)nbN14&1{)K+xYJhB<XD>=$X;o&64bjfs+JdlN;TeOae-zc5gE@i=7QVv*
z@<~|<f=&5{@gC<b^nI?ug_8P&0hGq252m#nJ`0U3;hu8vtac8p4K6bJ+@Z5kl5=yg
z<DA1B)X^r$l9dTMG;QUh|1){OK?&8QO~;0|T2~RbMWbda_8j|RpZ04Ce$(#@`RF3|
zXFQk5!1mj$j~njyfZIb2?uUm4@3QJgs@&(c??sF6vq0N_au?3%yoRfnuLDd%ZujtG
zZ~?deJJMe6EM%t}2gzDzm~JWxi^#0PLYNL=qC7>WyS!K@D*-|RX+1kDVbMoxnUjxE
zOfg0>WG@lME(7hF_-rgFm6zJprDe5Lx!kVS);5jh-~$lckuAgP9sQn3Nlx}6#Zc?<
zR+%vYO1!XHGA=iv#uC!?WD-I;ta9_6H+IG&CAuZx-~FcwRJ1@y{P1OLbR=v+Vq~o5
zE9SEUm2usTPR=k7cAz-NBZIl|(N0_m#7E`<fGc<LCXv0Diho(hHej4U<z>S31UwkM
zvVoMfzr<3NQg7b!3#8B>77_YA9d+jK9}P|phqVG9D+sx}bbr{u{Pf=^Ve=@F|3lO{
zc2^cC-8y!5Y$qK%o$S~h+qR94ZQHi(bZon0+jhq{=RJ3fvp=j~uvYD=S<js1N%@Ra
z0)2Z_(&5GD<P4K-r`o4SAZ;2;xb-zA_T2q=(ihlO1p>VRE0jJR+t<p(@?FKb*L7@F
z<-Qpxn@o~5;>Ij673v}h#K4Y~CHMMbBN_voaj3`yTI?DF{n!~}J509u2Mcwt?@Q$}
zcf^nwL|1q~XM5P^1_Y8QK}CG<5O3`8p94yPFw=Pp0euilEn<q*tx-GaZ4lS8|J45`
z_Xm=?QBxbT56zp#rQaowyUnpMi9lx)icW0T&+{ua>(BJJBP5p@j?E^!s>)k2^%61i
z*U}R2rxmr}t3?Gu-%A>Iet;7rF?zjQ*_muZ$+1ajp~d77<mTjL`AZxKD<muT*tBT1
z$5JFlSnhXU-aE2nPQmc9PXPl0bA)XK>To5*6>v5JBh=!W`EUvgN^_3KF5nteE*v?+
zlnbaN-O%QA!inoz@)L{B`tuZLPMIGV@mVu9rnz>avHE^r|LL0{tj0}Iw3f`6(?+BV
z%rBPpjb;jkOhX7u1h0mR^6*jLDKj1GM~}e|IWIe^7Ah*>+&U_VocK`$65Jvbo6i*S
zhzkmf<c82?WKU{?^X}MHbNV4}*7m~e6Z^?;x3~ST_Z!Dz`pW%n^Yv8v+2a$@n%VQo
z`@B5;sK=|q|0TBpr_Oo%J)HKq6Mk+j#zZ#$_dC#xdD@BL@^xck6;VhJ-~^32h20|K
zg85#>P;b~aL_vo6r9sf41J6mE$^W%fv-iT)kverjqCp4!tA9hhVb?S)(97T|2_k|q
zrdofKS>CK#mdojJdp#J7#A0Nutzp->?jo`O?c~I&j<jXN%xv0UEuP&_veM7|gVH(;
zIU+5oo~-34+H>qE9@c~sO5pEMgS*$+_QZkKv>%e_+t}b=<}`7tIEihp&H^KQIh;QU
z%qIBjw<JUM1u`kRd@)q~8k_e@#i>V|U?Ae+*gsuH1^3kkzL+V${qe(}xj`P|2v5oO
zeh0r6f5B9U{HY%}ygO>Q?V9|h+NF&&!_cCkN|-fyGOnONJP{b!VRyOdka+AVm+R&B
zVO_qKdGG#oDHhxP@f7I#&1J*<M5Hf67eq~|@TBClj*9dCi7-*p-QDI>-(BC>^>P39
z22WE%)BXwp-q`R1|0FbDi-9pS#Pr(OPV%2*Mo~_PK1;8_2s4Z5ojimFKQybT@b<7V
zJH(TFENm#9ihuY3)RU1=)y^~%132!X#3V>Y%eev4_1{HfON9F-Kgt(eu`o3i7O~QB
z=o;265$V`C`&kLO7#%=G07z1NAqK~mMV?xtz7MFX;~$I)x#1CofKLcaKHv{lE2*@-
zA<4f@P#mlg&kj2Y1D|DeN``2%BnpGXX;>XnHgf7IZ{;>*6?ZoePVMRonHbgnr%sZ~
z-^}!Cp%TzW%B*gMyTUa2eD_*%B{f{X_d&kLkt$HK4YhNJl*bD~@G&5AH;1=OzRdvz
zoWyRNx^Wby@N@)?_=UEVv(7s<%~-&9)|nKwkR%5~);>d}C?J3lQ^iWQ&s-cpSPwDg
zlK3g5hA`!MY-D)+lTEhYSxi06nKXY~hyc_gXjXoDc5%;BX?7hN1Lfgbqz|9f8g(y%
z8iPK75N7%QlTZi6KU=_K*6=HD6L>W8#{1gi8Sdog`$hk8b-=jP)8nwm&j0i^G++Ph
zV>0CXn*No`IKX&0)=K%$qcH*A!#Cdkx($C2+UC6|+P5yerw8t_#^C>p^J_7W4^F>d
zn_Ja#4>+}v5kG~|wvCyH#WDd+IJ0LevgTklT>tEY7j<@c=1MHiN<hUhN!xm}c>!tY
zS-RAsNX|}tprQgl6&MEFNu+)6_l6cHCZt|HZto7KrW%OwJ97OjrRqLC+~=LVb>_)h
zL*GIpKX`@sHTvK>MvH6^Wh&%Q<-^>EsLT*2XXK`gzu@3wfRTn5yT7k7vdo!1k_%^S
zqo-FX6N#kdDox;W5v9rU0)Eu_!pxRR4|D3pxuE_u3%YIH;RE%8^3{$F8l)SUvk+}Z
zG1SOV<6=fEi9lsCH=}T_5Yx|PR9OakFE^L`0S@hN`Mkcsa|Lt_<r54Rt#tTaf3km*
zyAo_|-5QHJZx6Sg6oB?FK6AaJr!#vBpC>C<->XfrXMkDo2|jN@C|>C0rHhnW9nw3h
zGru<7vYf7BwDYQ{?_KkdwMP{|HuAJ7Ytl(WvR6WndQQ$PHP=VgRVTk+|7Q)z?<sPa
zX+#}W0pTePZ4!#V2*~th{KD8=K>##}BH!YO{IaGo_$r14Xp61-B!u2<2)Cwk54fsI
zDF2)RRCz2x!--AT?uH<4PTD2Mf2o2z>N~wZWdXxZ1q;9OP$fG9XedF1FBAVH*2IlL
z(1T>3DAXkxaCMv30A3IL&h15p_D|mnLf&G6uM3a6NOjTDq@TXb%Gp#3mfR@Q)Ay1K
zS7$kiI@kDlxcE4WD~c`fM4N^zolWLi7&}Ue*Wt?@=F_87Qr?_g1kjk8=x3R*>10_>
zC2lT4>RkpW>(XtY*vDE9RZ3q$>D)48C$uEe7@&0#xt=&(KtcdHJS;I)t~3P*aA8@d
z{)7l;3OW9VwZtL<&RIZMbyXpyU;IUAB0<;_Qh6-$_Paq__{uy>VvV1_^jm|x*;gGY
z$EK7Fg8TxIrM3uJ-M9<b3B(HoU&bJmNgg_?giM*c*dgK4Y`WO^pX}zp_C@~r5PW5a
zzUp<{A0IBhU$ML|?cek;`u=&Fp7hx$dK0}cYtWC`7bq^Fd?0e|U;Qs#Llii7zGvx@
z)13QzU)g~&cAsSKxAMt){bSR3!dA>pgqUWW5gXxMN!{kmf+hG5vxNE|aX&NFBtw+S
za8LHLd|c;U9xHqt++SYqOBrEjYg^d_CjF2;sxoBLj)V_?P4eIwDfQKLcIS_1>*&mw
z&Rc?6B7bmFr!x%#n7GQJK)c9SP8D3{SYXo*YvU!hFX9~|FZM?fC7w7>Yo#eA;u{jk
zY}hit!i`U1&E3|=aW5ItqX*P^DSQb@Y<vC=_f}(=iXTKLG100!`$b13l`G3L=Z_=A
z%aHyggssKjm=MR<%>)0Lsf{qh*!mqO2WZqtBeD*x;H{BYm5q&k{;k93;r6xJy3KIE
zcY1F|<o&Q!y8ZPzH7_Si^SE^SZbpdT<;>!FJUzGjYs_OFQQwx4yYWnTb3rZBqiywR
z8cCsgJ%?dzDx*d*SFW@^{zXM;#JR1-eNOi1e$|VmTv_#SeyE$b?Co5t0yUuxuqfa~
z4q^*h0{RJ-|5yBvHd!zX)Th13bw|rpFTr&Imb*fRHkiI@@|?yvF8qZbKp-5QQG253
z4u7%PIx}J%kc482*0w_0Ja&FiDZYZqYX)kZqm8SePQ02n;7_s~Qs%#(tJo*dgWyY9
zA$RvT4gc1Bqb!9hK3Fk>B?2qYOJ8az$!o|O?P&#F;y4>dy-Z#prrzhq-pv8R!Fi1^
z0vv$-x?s)4+vdv881V=N*wfIMGj5T|R;~jdY-TDe$eeLDk28y_rp0Wp>!bR|4kP&!
zzd8<t<<8Im8zNT9&0JF~_(k91ucx`DObiAeQ!6z@ceO#EG0NEn#Em^Vnlatxlt{Xn
z`xvLPs=W}KbdZ-cUt^%r_AB~caH{ZQAc$rKTcCL30AV&Ar@`e<cso+OeR~~-zmU5!
z1n}VaVSePaWK9x7#OiL=JwaWN<$b~M5`!@l>i}={+ShJ&U!1LSe(OEo8~-=GnuQ(@
zv5!~(@h_*iuTAIoOUln{-C)``vxi5!4O!}r|F%l|oD7izGJLDCyhWwf{{RR=`cuSz
zba4i65deHNA0XE@9E;!(Kh=IQm;Pc-{#Alb3f1ig-o|>fkvHT0n*HeE?Jjci@OpS(
zX~w9l%}{%45@DHv!71nzx1Zjh$5A>qDt)uWgNNamq+);mIA!@ek*k8~YC#0j9i-3O
zC16(v`V+EF6Jiv;ZiX4>ud#n12Rt=JhbVJDVE1+bo2(ETNTF|4bmdXu3Uayv0R<vU
z32z4$#O3gU)Bk(Rlr)=iJ$s!w1pvY$Xe{7?|L{vLS+HI}{O^3_VHUDTFOokmS+81<
zM(X+HR0(y3h;A}gwcFQAMeO<Mtw8e9%kJvu)@~-!HU}>s`NgUBml%<^Z(F<V8(-w7
zKJ!@1Japvyy4}W0c;k!16>Og~<N0*E&9ct&<-LqLu%>yy13PDPgGZ-k$tk-*@i@`&
zt8;R~kp=C((1dYmrtFW$Ss*_LSEuLk!Gkda<|3#vcpT$#ki@D@wo!4yEp-X@scI0l
zPN-7IIXTxBzWV|aL0!cG<SzlX<%^~=eZ776uaQ2ba2%qzg@UP#-{AwzsMrVklYXMH
zIXr)WC@De_hpRY0Gk%D1kmq`;zLso2&?(2#2(vKi_BKG(;V5H{F{Os@b5Zyz!+4UP
zJG?w1A3&@!-nX%0x$nmaY2pM`^@$nsGCnnf>;}4=Y;r@2Ne|>mc@wc`QXmZMZtd-y
z^pZT~=Sr6<tJK=olsz!J3r<ilR*Y5UxmR`&W|#!L@p1tBkZ3{>{@{1n(0p%fPg9J2
z)##N_?GRJ&A5NTHJvdgC4ig7|IKk94-daAuB(NSUD<F8+*2@G`r&a{$>Y8Z`8pTUW
z{>}hWomjiGi`Hq#NTLYL<P_q$sSV{zC#<aAcdGSUdye#sYcb%sJl<qhc^bg+*;)GQ
z2g$RT!;ogi#Y~G<1@2Bpo(M1}bfTVk9QHjooyEk;PU$7Mo~=cG?UKGvvv^t2_+AQp
zOlnUHRP?Pg=oAl+@K@|#Gwkzk4M!S;uKkyy|5S{P+}mlqGp_weS|4Y+5{09oQ-#4q
zxSVz5&r~7_jf>)l8vEfZ1Wz$7Y4WF<Kn5AMUerl;?r3`<b0TuWY)0>|@AC4p^Cl7<
z=Okj)6l^bYkv-|<=KlRgqmCrh3t1=5PjD+)$bP7|Y;aoSQG1*9)_SdK+ZAe&#&tex
z9~vce3~iob$v!S-jq<$Qi8;RbbUY(e40Bfd&zlEd8XQOuln~&<L}umr;iF?)7J9Lg
zMsDlGq0c%n@dctc-h!)+T^ipDC?N;gw=$1(8rjGzrU=Xu`$HLd_CpHg4}{bQ2p9)J
zLZs}`15frN#KySeoNXpjuGhmzt`{)<k|=wtZRIJt22i=mK23CaNz?=p5338k+G@i*
z=DF>C_ptx<_HjK||FO5+^BKwiSpAXf{VWbJTe}RUVBLJQ^zN!*)byO6PwiP@O|7gZ
zr(&m0)#Y_H+}|_SBp}#MzaTOZkyvSI`8-<{nfDt^#2QMW$vs)OT~{?lxfpCKY!C?1
zNXOf09!0?YGt-;PS9gWsu2NTF@Fkz2i=EX!lzYRv_`8Z8#1sFA=egiz%VcG!c;XI4
zaw4HNqkW#A95^&#tT|)RG($_2bg=j)auh5l2U~itiN8A7Z@LjC!?-`QaH7QEpx=6d
zbzO+1d_cH$C|SZYx!q6XFem(p<R_5cHKb7?z{Qu4960sRB|x|W>m|#(eJu}3FaWUy
zpv~l*L{ZY*dfL&x3R8$hNjX%cS%XJITj3~lyw$>1O$)vWRzbprN%OnC2ELOmXp6ma
zp&W|To<DthyeSqU82ma_!eZsI!6rk0;19nEv`e~}1El?=HZIrbUv%U~k8QHy@rG*S
zzfDn-Tp9N@rOUrXvFNf6iM3ilg;0iu&}~<mo*@$@1(EX8MI>^6(bCb%ZV#d}^#0(j
zsY*m0Dz%}<XTO5dE=>D@sC_1u@@QXx>vey7G@zO}x<9I4#FZ_ZJUOXX@q8YQ*3%l%
z)4CSF_um)aWnb<ZI{i$<{Z8ovjp?_(Zhkg=*JXemeW7|Nl0B>yd}4i%Ogx0IG-E8M
z`dt-rFr)5O5vf~?jtwlno;E$>w~a(k_giTAQ5UeQltM0r09sUt>n|7)VX^@Aup{Uf
zwxNpwr3?=Ixp0AMSTq?RuHy>bW6u=WvX01Y!_5bteT>6?Bly=pmLj8}-+mIKD=Zu+
zS_!5o?$3<l&5dMPE9S6&)}phmJ+IcKIaC2pfyec6Q2+15oN=N%Jr!diC~7n@o-d0m
zu#J4T$XY3nkj9oZAW>h^XfW@=uWlZFs50@zGtUENGOo{4#7yWbQB^UV#nto-{wH^r
zo^2?WG6wHQ*0iN#)AP;4#c|K$6u0X&<N47?ET7NU2U0GtuWa7qXP~EDPLD%_Yw4Eu
z*F*P5@QaI`=D+rQT8DaF8{pLa`P2yGG9xz*#ap*}C&KOi;>6aoX__o1^u4Fu6inI+
zhxO&e=c>Ln5%f0ax&WSqbelZ1$2xp-i*py8E#~Fsz{ddey!PAV^5nWnF*ur8NR3ET
z6>2MFW=x?YPKK1wZI{S8rfPJ>g^7d}r7#`JJB~s7AkT#X_F4@=mDH1DOzW?etB^>V
z7@fb?D?g-B?!dzIIAEW1(F5f57e|d9GO&M0ryf_aVAu7gQO>)Im>5etq3D`gNP*x1
z@Qs7FezwM0)FYit2*XNZH$sbvr=LV2MIh?tzeGWH==K{*aG^nGAsU9DL?^Q=Y6pK7
zeu|JSH|~r0xV7BgJZVUmI4M=zrZj;`tB#j-w6_EbTc_t+2G<C0EA9&OLp6j3_lV*D
zT2^dEtcffY?l&~s!zbV`_zOX+%K4ETVdSDRRDwckk{Dhkl-6`C1FK{4Zygg79YY+s
zgfs`vQ|{5om~Y<C3M>S}j8@EtWXb?AhNl`uiq_u75{SoP0%}wX&bC?|w^>LHGTtp`
z+F0cptL<ISBEXDDc{7dRVq7*n^GCYmweWeeWN&=#h^utWqTQuylg60*|FZ4=y9Psw
zNqzAtz5Dy(V_vmMY6O*A7!-|cnr;S3)i6q|f>1rz2*sR2ri8Or=qkZvy1tY;kvV}i
zQ&W>Naen9`l?DN!0qd-jUknH<G(ag2P$TS$5ml6Fz>jU+A^g6zgxy!6EnjV;92C&^
zf)S;TE_{H%DEnpV2Nxe$RMqMPrxV(%rg{xqC><`%0B&Y~^BoE0{{!5a3Pg#j=Aie-
zfonfbG0oK2oS?0-hB0{$f`7($(H1wqy9x}wAL^dirA=6i$iuV;Sc*sKtM4>Mw)xq?
zef*fwCk*>61<NwLW#}kE1AFkeF|aS#T9MPMO3~`z;L35iGyM=cxtP=9zrCrp^Zxfq
zwEXCzn4}y<weI!s0?j_9nW_|^UwxUQr?ViFc|7Fmb9KD+{@SX_m}^4xS^N1SW<|ez
z{=F*tU9U~QzT2)Q$9`2%s*#bl+Jxrm<I;M)j0YC2i!WE{u2I&0zBFO0ZtAXeXqY1h
zxWdOcY$DS(6UJeOw>nm!kK)NOe#Uw&iwYK^LAe3G+i2@A589q|M&mx6!r<0babVP~
zUeLGRpW1OvC{Uzl>FOY;)_u7zcjOEUjHYzsa0RIpclSuY5l`;R&Z$cvkt~QeK}$#n
z(`ka{DpoPNA%LbEn$#ozhA5>Ikg=7ZxJUjO$WM_ri<&q_^ZUb}3o`R72tvi3912_b
z?=t}{vm{dk52=UXMnT)G!NW9G_&poQ9}mvidE@Hwnhu{$wnz;hR!&8Yw$-L$s70c6
z7#Av<*UbDv{B}SNCy6XY-sn!0$LwFu5u71}Yz6|zsgyk5U$+HN6CvdVDAIy^LfEWD
zSvdv)U{FDL7nJHtP!q;-KNRSsIJWDGlOx9s&7{Gm<~4-)Vjpp!q^<TIX`S9Nv}B86
zj>FKkx5^Z)O@o8u3_Ub-`#0Do#S-cT(sKTJPHv*Q@o>R-)!|e3dV7^U-|iSUpC%O3
zbup>2tSl8;4x;U_yEN!s^?v;Kh5vrW`n_4-esp(wex$knB@r;L<y}!>LL`k5kLa+4
z@J1l}ssA*&l5cnB(cI?l?r?u`7$M-@xG5w;&4w2+Q8l_lyC({bI~}o??c!4BRV;vE
zoizsBe}_4FP|T||`km051}~|cuITd15XK&`@HMgJ*{qSEqh>e~+y(SDb)Sz0n&&|R
zKr&Fq(n+YJi&E!0PeV^t7(GxQy%YFOWl%3C<Ahg2PE9lKG$<~++;#qOh<RS3X@F42
z^&*8up9z^PvN@2+8rO8qu>70S=$DXX^SAwDRkowLid;Z~tc*+(vgr<gk4FuLXoqED
z4F1VIFDwls%CP~GY?Wb<vDN1MbA791zSkvBp0wNJ@%8lfR-Z*;o}^9=ufHt5?Hz+w
z-@u>h)Z8F3R=#|;<M-Y?6cDyj*-s*1bR9Ec&_m@Ya>%l4Y@e#U;bbUsBA1A0B+!W^
zYr(|xkMDlpWoRK)7m7_PkQ9O|EFkjiZe+&iX^;Qigaw;`aFeIqcmFE%`AAL8S%Ht!
zv%5ddl}z?{MmM)frA?jw)N%5t5h^7@ORAC)ION!@eCy`w^|c!v+pnB6r8{|4Tk+)d
zr^oke%Sld7^zMkmabF+?{3juT3c8s%rf>*KDES<03WOYG;J3#^HQEXb1>dChe*8{-
zW4ulUxdJYC74F|~J2V8fV3$EsWVAF`e<tL#dpWTGMIS<3hMQ3eKqjytFz^r^g7O2R
z&;U80SdJ==xUl*Zm23hb%NKT+CfnLv9n|1d;$kHRi!Q!?4V9tjJiHPFTvi)u1n@7w
zI~#qHHTaq?zP5-pCf|UP9H?jFrftMh-S1a!H2DLi83WQ8`5)vJXSKiPLYpP6(s>2R
zg0&;on0{sWQ(d!vG%2gc!<K_`I|XAz9Ht;wL9y;Eti^f3=>4Kfa<#dGq4PkQIH%~q
zO7%_&RxXT#b<C7-7Z%#|&vsO|ojSR)U^q-X4bgki#QRlruO0`zVM4LA(`9lU2#+CL
zh^&wo>xRP_spIYY+jMFyw^Mu9Wv;<Ru1>lrM{cSaiLU;Uw0sj=_jM!*X(vZF;=JAg
zM{^ohyW2WO6kSIBMh0*-b-n~R!aRyzw#VHLsHk_@6GE}uX{Qe8XYa>FH9hag$5<;I
zgxs+){pLBoQNEor>TBg0aGQU_KQAH3%-^x0zLG&UJsP_^IdZ2MV16;Ex~qcu8DQc<
z%#!u<ZaN~!4mjlSIgS5j9dw>7P42-*pZFR#*R9Vti8LsNAYPirn+6G#m|1l0hrc$)
zqFj{xAtXV7i;|Hay<;@3Bs7b{(XikMrKmdq)V42EgwFtdqAU;)MRDWZIyQ|%;NVpa
z5q}D>5vScc5Ls-XNhSEwmmiI9>P=lE;xXGM#g(FwgAfWsdn5pwbD;H7t1M4ZOsHjE
zJlx%_-XEvl4_#gPpps)nCR<yoC8euNm#(*7Z!y(tRvnkF9<F9CPYf9%kDNZu7VR51
z75(Jb)Ao9pd+WK+zMdU<8>8g^7?bmT>dO5Nhd|NGUQbMwiB~ge)}U{klC(^&vLQ%A
z%nlH!Z119>Ox)4uj`_>sX2#Xl-1B(zIhEOwSj~|}#SCP?M8>d>010X8JOopd&*B5+
zr0AP>)>@%~s<0bxr-miu3c93$&r}BaN$B$%6XTVq@9Gh85ORm%kd39uS~p3A-qGx2
z9NGFOval9V^7vm-0}ad;31BP)6!Z*+vf0La55xS%nVwq}njSdsM`V)z5DPzSjC}Rz
zwE^l9U)Kso&%mQA5MD4uz#(=?Q~jQ@%$?=H6c`fGWC9D~fxusKgb8vy58;qTRmGH2
z!m2{jTYpSIhJ1-ak_Tt$_5)}`x(U$_Nya8Ga({FR&#k`c^~`$~UH(S3iU94ZKB1{l
zJl_}BJ}!f5Jb~e;OG`8ZX+<n3L$;Yop*WdP7+a?C07j{97q(g_76BDZ0JbM;T$wdZ
zu3h&B5{}G(wVga=L?3v~I(&?ndyIMTnSn8iib!Y8j-qj>u5Xl<cB}$bbMI%v2@9`V
zCWAFbx6zDIW%MWjvx;C#-j0TFeE5<xv%c)1Q*)qJ^u{EliRYD|sj54huAqx$K<{kc
zNt^#pLDY^w65%`-_}2Y;R$1Hq`Z^*)rO&rfOI|g;%R0m0pK!`fED5hq9cL&Y-6E2r
zqdh4rHv_Xf7rV7+nSP7|-3=8eNK==L^bRp^g?vn~am(dT+*z-|3uj!yMa#=ra#-yl
zx|f2|lUn{-yLu9|Ne4L+_$nJX?}fdgwKzqRjWn^x^yA0XjehbePRnkcMnD;g)PJZl
zTO%TZWq~5CDz(a4d#!>K62Fs}aA-hOVFeXz$naQintX3z<6H&HQk`iYBByOQJ6hU4
zxDJ_@0Ek{M2r5Kat#u2-i3||yI5qO{yARep*6Vb8eSKhczb6&{oA223b{qQrYh0wU
ztA;&qoJciMsy#S!yMO(6&}LN``t-s7@9O$%o&SB`jFIp^3&W|z5&lMCOu<BIErp<y
zlU;7iUFALd2&I{g0@ykR!~&_1{Dca%alYu7eHtpAW-?`L4#V{M8Mo*B*U^5h@A;<Z
z7}L0Q^6xz>25p(t%5U!rBTNp^dZ5gbKS=}-Z^8xCX>WcM?ABjz&2uITKv!kY=KqmR
z1oa_JkWZ2KOW4Fl<48lvZl_y$QFYO>xBDsW0F248rULQ>@7{M-stNadOg^fquE~gN
zCs%?#$?I(8K{lb4nSfP3p|F}}0XIAt{mBvS$WTp$9O!@~Ep8{goPdZ8x>ids72HaT
zL5E~oz)A7Ify`PPvc;VAaMaLHW346h<gU{cFttIV*&NWAgk~-cc{ir~w@Klupi;6^
z<Dhc5L_*tK;qQwm93v1K7iedK<ijzmD1}oBt+n2P_{hhp9R#O7+gO852;@+pLy7Uy
zW(BqvJ?YBei-HzPjHxDU4dpJAPm`M~L|?ecWMS-(S$`Z!r4B(xl7y!7HuH9>fxJ(-
zLoWZxsd1f}3NxyGhe^T%G#MHuoG2ERSF_zziIGj=!H{(9skYqV;%(*hrH683#d%jb
z^+J%2FuZawwX;+YKO+L<1gyxsMi^x@&_%jW`@FyF`hSZ1N5$@kzAH0l)UsI+1TIr?
zacjG=nLP?>0?fep+UlJppPtX>P@x?EhkHT^yDfgP1+It!_N#Fv@__7$LhA(><9AXh
zuZ!yqb)THsgnL0w&eb;s4464`#VsNP5H%x+qpMGjv$PS#*739(1>!<)*s+CfgU!<B
zCc~l^g37PzqutB;U`?!w<xPNWfdhozpw&f~$l*ZN&|}S_e?zr||1DkmP9Ip-NRcbe
zN?!vD!<phmzH3*GnmOnsXxCR|XJSZ7tEpa}^7vif=GB;SY~ucObWmBFQ?<0Zw55wq
z-jB(>F3eRU)9hh?{KU@h=2q9^>e1}=dbX&R`}xm{k6nRvbJgRzZ>od6MK`-Ura8jK
z-uG*X1E%8sB~{PI<>f&{r`bfq`~BAUmh$UPFWLFN^gC3}_lcKF*ML-7D^ZXITSY~|
zgtp22UtJq*%Ia81-P7Eq-B;wB*7bMNxN}=oBQ1xDYJM_xADe-I+1OnRU6c(Qn%a&D
z<G?q;?UxcHZkcbnf?J?c(F<<o!3wmtXF=CwcauRyMR!Nca3WXMWxKCZPj;qtX3YYW
za_<`#AZpucV(T3RneV2ZN=7BGj+CHZ*yS3n&MxQMlF}QQkP2NS1mh4=G$^${HhQic
zGL0Xc*Lnv9nq3bFE7i?V|Gu-CILeGR_8nm$_J_3$;*7T#u0#QM1YLKXHLVy&Idfrf
zm6@QB+w$D9zm||=m4&ofYd7DYY>!?7wl^FVST^qJzwY>p@7+&DFm)KLaq|e3C)OkU
zAvk()8X3wuPD;~fT|mwY92<T?t-BedJRqjqn!Q6{3rEoYjx~|yO6h1kAUIjOaY4%r
zS2QE$yiC64X0=AR#EUVvZS#CGlet}lddY6S`IBhRj52maA7yXoEHK1SV$+Iq%r&px
zjt86N*??HeHOd5$h*%KO@?_U9!?oGtq=b3}Jr@pWxC0%s9xQy(l840ddY=h`!tOC`
z^_-3pKGFKR?D#J5|EcnyU(K?mSo?)ti{XAq+<m92EbPFD!d-nP{8;4#-Rat`tSp`B
zqlZFnLIg84wFhA@D>E+H`4Tv~cXncv!6uBAid${(sc>NSD*!uuH|gH%wRLvOJykd-
zv)@g=k|9m<U+%6@qg4buF|-B_-fPhQPDz+Hk&Eo^4PKq|swd$Sd5$Rpw`e&h+EOdB
ztYNB<J8YF5|1azUF<8M`tY|cU1)E}~9Efn7JL$Tf2}NYx`U}_-q3T|9eTxE@mUaJL
zo&<Mp5u=F;o~}RtfjKG@_dCZ*wB}cb4#y%>Go2M`CU(u6*f+b~uXTBFbtY>H1bDc)
zeH~nC0>W-?JX+iz56GK^xVQ1&$A~_+KD1g1`9II>d~OnnK6jvFd)`@K9t|Dbo!pN5
z0y~B%zRn^Ur*(VY4?MTw`<e7|(gh0#W`PxBYs4&`Z`?s+vU1kRwM(gL0BCiTrEX?~
zYa;8=l5Dfa<T~<9uND!LWmSk8eAaVQomH82bQ@jyMpU#EU_CMls2TwROgWAgd?<cp
z1hH0nvh&#47(?-djuq|M(qZ%FZ0(Xs^h%Rtk=A@ByGx9%-8GTz<rN?S+n@<z9l0$j
zSwt68LkWnly569IkdbKJRRib4tv<QjoESV*mE)R)&lBIY?+vcL{I){l6rQ0$6i`mw
z@EGLKG9hRRcETVJ&wBFacj+8Sq2RYUB{A&8UWdi4vl0=5Y*DL%SX{kO%*^(WMt^v;
zVyOmEMS#~>s;i96xssLyOHsG!NHQ&0{^y)+!XI=Nz4@~`rZa~Y^FDq9A^4>NQ*sH@
z-(Bh?Z|qD1prl@i*E|ps2{3@yYLqn*shTR<WdSg0q9&7b-?1^dJbDB6zF_~D0T3Gk
zbnui8eZYX>qzngc!D7j&8!&3BS^u}ZI@b$e+rb>0ZE<Iq_)xMhF@iosKj{}%bgust
zVhol*;?$GKWW8nG6dJK>IwP~UI$@WT?K-DE7O7^BMc@VF11BQhXv3ti=kMx}H_Xvb
zJQr~r;#4)QbuHdM*Z=8xzCQ^)g=)Z2ppIK$;B!?Xl{oa6IR_y^!Y(o5z91gNdFO#b
z&K5U^_(<Y0V@_^v&UZ&3!LPkf1+$+IQ0k+&%HX|@BaGxcVe>f_pgbnn{ovX5)NTA7
zat}q}bA^b@x9_&hA{-zO1<@R&%}R;gN2%LyN2HtTAKQ?+3@%M*;^6^6LRoDd0Na+b
z>lkS;0P^4V65ho21<UPYAjtI&sIfhR1<6~2`7f{`cRM*3YYf3Zp^_%t_(Z2fgXagt
zM9ZU+%pY1dYu2WICp^mKydNYI>2-S~7Ts2BwMG<t(=Jz6tP;>7Du^Kqc$apUmjoAE
zpLeVKJ@31v=c|YI?XF*+fwkTb9naez)z<ZEI0)K=8C<-$8ySEY-_L{9eKon0C`8J_
zYoE7{?biYRL0BS@uiKf=?cDd%FX?}qC#%ufPS-cXXBBS0y>wMI)~i5*AfQo_5f%HL
zBw_d$g~_2O`Z0kMI$8_SI#_)T*rp7K?3G-#Yqb5VY`bDq^eUKx1=DyqaP8fOXn&YO
z;J`cavFFwD(i*8W8z=H(@B59pYd1@*Q=PS7=0gH+cP~A!zlZKOy=}fu3-eVfl)fR<
zeIFizK!c)~wxwrhfly}+l^3q{stG#A2Im%S%yX6W>PYLhX*kGyn>1X!)dEs;yKIA^
zF=emUgOxFZb&<5vOa`^)!{{(3dqgwRx>~L<&4f5^)wXIk-5EY+{Mo_b7<$w|$bw+!
zyfQL$ur|{M8Zufm3osPqGX|+<>j$Bbbht9B3=MX>q4sLi^Tox(hOtWdk%1p7)uXg&
zFO6|oLxjYat$eQ0w&Ox-6bKRR5d~@P9O@4%eoPmj<M=p*h6EA^4}U|0A^eQ;!COZ9
ziirBqM>m?cQcE5||1L!^I02d{b~n!~9z$0^dZYcOV4fCs`?$Y4kdSRx@_`ErZgpxZ
z@aNw0{;V?(bM-&nMeB+P=S(*6c4~%C8#xI5es2_~b&&ODT=TB1>lt}K%j!=Uz}&Fh
zbwP8lzFwozzfylfG2upg+He17?EP+!dfHV7vK^ZmZ6f=aa1cUHiDmX6&VZ*dTK?H|
z)=7g9VL*4;o2TI^yr5IY8Ai;;Rj=-PM{47!q&Ghw5<Sen983^D&?}>WD~`~zE<9%o
zg#DmNKgUz1*Q3E78*x)FIsJM$w3Q`+A0YIE<^mq9)AGMuy#pUuy^n*v1eozxsEsRm
zteuuZiQQRv8)KN~hc@OlMLDB9I$KF8vT(y@!iFI{Si&N`bdocB?Hw7okdb`}q%Q;y
zW;n2%TC}rfj?NMPot@L=nyA^(N$vNxe4W(;20B`=yWjf691`$}dO9Z?Do6B+kL{jf
z0U1n~3>u7Qe@(8vo9?-N-}Sz8<~u!J&O*1pI=&w5J~iK`^hAOJojxw@eBJEtRShn0
z$4<`|55HcpzT}FAUM8@bX^LwSM!Q{)r$??gxj5Qi4(GA>X(EnmPaI~7;9&Fnp%+-R
zL@6Oc86DqF{+&%PdDy`;5-Xq=to$jVS?%ilQ*}mHXdC3`Jr^N4PT>Shf}m)I(K7fo
zHyq7ojUMjLO=p{T6!a3I)E!uerp0QbyZSdmbNKY>bNAbf-2JpW*HsHSX0OsB(^le&
zU=yB={v#*gt8W5A!{{$<V)<gk6mbl6q7E#lSiId*=AolATMvh~_v_K4N4<a+X=NBM
z4G9}tcV(e0hD&5Nc8bNmn>(`LEE=w*NwA8zwX@gC#vOI3781KwZh0?0k*%VjY+qGQ
zUS(jdV&qRH_J*>k7E-2YmA1vyV(!WV5p->pnyNdQd0WkTn#!q?y0AwXRE&^nV;^`I
zAFy_rB6AMCh&I#V{1Ij1ODqv#N_Gok;Lr#93Yb&|pmvwa2&v&4W&mh5Hi5K8?uctj
zkE~<5gRVgOYxNwh==N2ZrlbcZ1#J!MbBDB^tINPcLUzHo3gP!oO4#hY&w}rm&F~3D
z$Bu%{AtvRwSe(Lmb2Gk69B;OR1mPdvH_k#e!F_<~5;YNiUHW-KPX`vRYdhZ1cavam
zdze#zaQcF4Y4g4E3G~#eofB?6|DO!BxLjNFs87l5@kgms8m3WLkXqm21lM08-#Sei
zjY+pQ(;2eoZg_C6udi>~Nl2e|qOz*VL`l#y<Cwr2$~z<vL|!-*z0x2IMU=$)F8R*j
zm*yKWUH~gxpx1e)Z%909Pf$_lT@vA#vID+D07D}G4V8dP$=#ba)j90w7H~W9<JLZg
zF!*Qjjgn;Tj!A-$D;Rpmy}Vvu%NxvYecG%Q3T-MN)RTLkQqB~@P&nwgA2-_`*}Fz_
zA@i_`CUT0x_u*ko&gb(!@@3Jj-NwnOElnx#;i}8ilY9NU+nbu1hTcEe(YIoWDf7fd
zyy|xUmNO<&?WPHNJyE<a`^0=77=7Q~yIdJ+j|vB?Qc?#jtYvgg91T+4Qx=!DaMIu2
zLbqS0*=<<f&xzh|W<JmOy}qEo+O%sG6}C5Jzb=X1mqxC;@B5~@KE^<@#ZJ5by_hlQ
zcceW|vc$=<2h&GJ=;y&4485N5`+lmNWIR8)j@&R;0T~#7so<=zr;s~404vvI_F1eX
z!PGq3yS$B_Pl#~=D0tszM!A&SH5N?jb*nB5oPs-C;>`*$)^a5yU5EpXnFwv=o?=U&
z#cbmEIDHlkLGT0E7<K5f)%c~hl^pu(Z*Y2LJsO~(x^$;utA9mfGaq=%OmWewzIb_S
zU`Z`v-lQJz61Z)W^`BO61$qKY5(=e$O{T|y?Z0tgSK`&C$K|(BfGlq}j?}Rv<uc+y
zPhe5#G&?UUXSPqR`4QW!v}gG_ioh>3;NDWSrY>pY{I1u)(y(QQ!7@>utH4zpkcM92
zfH1*9+pW%zG674#Z~~$l*UfPYe8^*hohrzPw1&(v6cv_rDWD&1(@`#q3<Z%9zj4HX
zHn))r;$x(qY*@uXL~@h(G17}&HMB)vyPpgTVX~rm2c_1U|6p%a0j!bza3k3a0D!V!
zEw648-+@_k2u4=aoK5o)343TYU*wN5WSt~+1_MkXVz`ijgU)n8v&fVBUE<>28kh>g
zr6e5o%MPr}n(iJ1j6J2@;OQ6!zjU^|n9u(=LZ8vdu;N{1p8c_qG{ZB}puvK;v1`q#
z3ygMvY)opWqkZMnT8gf!ls_Lc<|3?ID~J11_T!v#5Xlnz_5%b&>-&R+f#^vE{1ikE
zM(K+e<Ps0DIOYSSXR$6(4aBgYz|CR@f!?DC<iwK<R{oto4Yt~Du<u-sxp?qOu=q>3
zAvO70bbRlMlV*)PT@pgNBkGsPl8-h7gLMNd5VEBr(vDkt>txlrvF-l4SopY@1+qsR
zE+{<K;O^d>mTNOD=Tc$>ws=nLRVavC!BA^D;jDYG-g>nmGeSg2pn_zZ+v#Ib<nuf|
zHx+ox6z=M3S8msJzxOyXGLx%aee6o~ZIUaDJ?;EFFyr@rxLBR}-23NdCRxf<9_jm>
z{cN}0**w0SsWvj-&hd6pN~v*wa;yia{(RjGHDk;*qhz#AyX|?|`6Tjs!!zQ=WJoA)
z^WgvLi}mHvo0=k?Gf-TrnY>uTaJMi?1O*>nOr2oQWK`w%X4{&BC8_IQw9+vHr!~Z3
zk8d%c4pbZ=U6X7<0@!smzTNEh?fT$~*-KHLq#Qz=-xXkgcO*v<YwZojK3*E0^GaYL
z(qYRA87IWk+1j~Nk#|9BpkV&625(H_1;qYNtij1}P!kX=(XK`Zv~+c3vp06mDhiAW
z2hKY3SQ2{4?k$>(HNbPWfIMprf9L|8v6-MuN?oYvY@=NW{U-lCTqkDBb*6Fv%t?oQ
zI`+6y`%#~ttSa{WtFlkgq))sxfL5IWp(MrP_bb^ZcrYchAZW%wyHX}RUha~|;iPG{
z8KiR<Xddq-MR7E&FB(S)du->iG~Nveo)EyKaOEc8Fa_p=3U$U>_?eiCUW&4r4sW2-
zg((8T>%{=IqCC(+zGb#pL<q!1QU7cPRpXlc8c%%_7hG*+>5dP7MQq&4^p?9b(A=O7
z(MDgxbF$xgsq63jNgqkphsls^p?$x98qV52l%?6L4+;&@KFCy{by`nQiLPg?>{IdK
z1?|S^<k-EgYJWRJIRYz>v1naJif~<#9QAo83w<RA$EMIrH;EsX-2a!D9v|fv+?jO4
z^uYj-A6`Q<i>hO|>-!DCyHLtu)9%7}2UV8hb|Ubq?RRO|5Lx~X<z}aA8O5>LUu@8O
zz1k?uMIt%Jm5aE-^SwVDSp00+WsHQ}U=4Ws?@=y5WY8h8mwzIKaNg_BP%(Bv`U^AV
zrRx4#Uv;j_O4RtL=<ymIOE@HrDyS~qc-+Q+=g`F-;fsJT!1lvSe6H^*psxPcI3?)p
zTdSQf-^;~RrCMVoe18yDYU9MjHv_1r)8+Mfdv($`*J^hmO&Hbvvi^KERf{Q?!|(fg
zr^1!N^Kb2KV0ZS92j%2pATL><M8=Og752c<;{7>0A|G|{_brdcv{uy+cf7E^z{@w3
z{G}*9Q&fbO5%#OiZil+YMdkU&Cwm=CERik_PPwH>BqZDJx2q1ho_`PXJsMlG{oL_s
zM^aq7!7>BD?k?YdeFLtHz=^CiI&xUVV;O}e91<BW!bwH3_PVKkuUn_KS(pdKx=e`y
zb6=J%!mD)qq(LrxnS{;i4{qpI!VQl0R^H8UHqzh(-1L%1w*?q1wPf4zKmA3VGe6rK
zf`r_yN^M|F8U~$})+^N2+(D6blWS;_s>#Tdgq{>o{o%g#5twz(GzhDsUUTGKEj87;
zS&|>I%QHZYlmXDL{GmnGAh*nfPq|PoRpC;!Dp5_;yy`{?N>7sdQ$t!UB6o@|2g>6d
zi6tLRL~O~?9AY1ih<;EpWdq-kXS4vnspVCBQ8G{&$QtXcsbablYhZL4utawrPOp4t
zqbyjG-Km9EvmoEHx!Q5Fg{j1B%Zsc}*OD#dZwN9E2cs-FkoNj$8g@>6M5sLlHn><z
zuAe!V&q9|;x|Gc_eH^UMBhMlpipjj-7&F;*C|~r~KW`dv<Y;tVWP7imjK?S}i<MvE
zeH97Q_2$9;!E~b*ld)i&p|UKo$LTj{*z4{q_n&FQd|EnhX*3=*&42&~m~5A!&A8U+
zy&%vTKkyzvj)s?hr_nN}NgwYLv?a4i4cXgzOO2-OD97`7i<9GtX9QfDmC310V4vH<
z|5go@=cE~YNUr>Jx&tfy<-?H(R#N&~V;QH6!{zGfLH5~o&8Td@Y^(Rn3ZVeu)en=9
zE`%uYK-Du@$PvdsP@Y$GJ#@6aP1ZUo8r|I)Q^x2hQ6;#5ze%4=gwfEp=CDQ`qmaG-
zumvn@7ttnf^Z6~V8wT7!^`{+7Q9{?z67;!cpMk7WujW6Z5Znv(+;I8cJm#&2{UyOB
zSYfvi^uc_o0<m)lY<)eShv(+Z^mtw~d)~G_=b{^`mo+{P7VA0qzpl4d*O1^GUc6`t
zuWX=Q%%1l<v^2h%(#4{I2Iud~Xf;dWz~PF=yDAOkfm;`@m1P<Aj^1Bm=Eo%~bQOkz
z>eS(DnXWBHzx9g@b9hM#B<Z&yWC5fdxo3DZoNKvTU0u&-h9nX9O*$K^GK5>$vBFx6
za+$z7mYQFGfk1Ps`7>u#-Nm7H;vd@?;xW?V`nk{YE7&kEN=}MR1^4{8HrE#y_!lyz
z`-12r61afj{kf~HtKFq(gM{I643+pfOZzZzRTWxVjxyvFMmjI$Ja2O8l3#_|^lRh&
zT2MP3mXg-{NedS$V6u{k4N}=Z>W*N(?C?8p%MT4mn?nQ44}<oZ3PS{}0-MU(8Q?%0
zaq%4LH1N(?!-}KSSLtYL5lkk;j{NoGkd~d)Is9*A{50T{(4;ZRH-2>K{OD9K6I)D%
z0Rq(*Z3GCwKD*3!xyGcuV<af734@s*P2=ZS;MV-~|8<r-svOqaG%;DRtwJ=wIccz(
zbcdr3p{`<1fi2;^nKWD$A*59dr^t+>^`)82P;0{s4_y#CfId9Q21D%bw=mcI8pU$S
zfye}<p2qsU#N;K)4L~C{DNaRWw-yRN2SwieK6&59Jd8K+n9|<9qy_7+^mFo_GY~T!
z{bUMzHE_gEzi_RAy!=MDCCqJjvxXChMdurLLsG0T>R*y0*sMc^Z445(cL&g%Fl|MJ
z#mKTg&vx~m1erMI<de<wuB3TYN}%fFD{|N9dtRclR!|l}r%<8)-<<trY$JWgwdHO1
zfy!?UnqttuYg6O?KIY>}B6=F3Z%Mr}58jKjT6e*X#7BqS27&!f;bk`7*U0r*U&RJm
z&jB|iFWoxqtio!4HO$l_c;yXQAyuzV^|K=iR#zwm58|P8^b2!$LLeR4SjUKI{&~SW
zE-)T$qET0MS#pNvCMC+JgDA--_7-x0`f#U^(HQ-VV*$KB9Hr}r+tUh?dHSRs8ymx_
zr4s8oF^(q2`(`ZP+}trY^jqNAQo99OVWkWx--kYNVLzlkzD#If*J)mpp$-FEo>89@
zvDP}x4A!@KpgYSZb=B!BBr?=QgPm*9hM;Y2HaxJ64B#I)NYgJx?)f!m5+;quou2Vv
z-oUoi#_!|uUP$EYc=vv7(gApM>(ZY5g)!pf3^o_FzF|5sba;BWN-=X<fS9mL74d7)
zy1~&Xay-01R8@^5OmxhgWov6~YcuES^1?=jBCt<h6dXl>Fn)N!Qlv$<_L!4L>RaPs
zLG*wPZ2&W!gLKLZm=&vDZ*O8FaFJP&XUA|3MNJ2n$vYdqX@OU#g!mGIq3nx<6-Ghj
zP-fyBvPjK-M7hRcL(EqaS`T5+Cq~6-Tltrbd4<jW6m!~8$^qlQIiLL)g*xGG{=k0m
zC&0h0CW&5UQ9#AAd?N3&pKVmaQUnAXD;Zu5WcaUpDx?m9c5g;F)dGG~8}<3<U`11~
zrYT#qv6M~<xKt!}v6?QfTB(hNiQtF$`N{(!s`4DpjS}rVDlt-4n6mi4KLr4sHAPhy
zS{xb<wSapiwS=X}!zNujAVwK6K8@Y(zKvxX(SAjzpt6nMgFo@v39Y&y2_akv?lx3b
zR%EwUgC|cjuhY<YM5~0lD5@gumC6+H;>{pIdA%UAB#`E?*RZr58Jx;b7-P`D+`9_n
z*vLQ+w6*Pk2Y%xbG>MvI!=m_J*|TroqdlhyaB}!@`<Eo|r_%*}q&}nV*;$6`MUf#b
zp>+b4PQ5Q0W*Y0F;p+d&|M3}5M#}gP=>!`sS#QLonRpu<XM>-)mxeoNtGaLIJCuAA
zX5QAwp`LKY@gB##BZNsY%u)Mod=!oG5z4qY&4_nQjzPU=RIt<m+kJW_>8|4ke1dOz
z9wkyiA;o_{-|qZkYC(Rvw!r4u1}p4vq|I{y@6aYmdXtpK81kWcK)J32z?B262=D?P
z9l-YZ#aDx*GPvwAd1_TNO@VsZdOB729t~YRzR$b2l>BXOckdT_G@BVIHjQLMrHnNJ
z=I2Y%<?ws?i#74KD(r`-y_F2R?lsDVp~<KYq{D9tMtk>>jrWv#h_c_O#%*Js0DEpx
z`LubzLHJRj!8002chsc%-w^iDk!)z~F&YYN5A8jy>=b)E8Os_S-PyvX43i;+q|3h?
zAx1accsMusr4t$VS_q^|=9n;Q#%d!TX&CP{xzWgX?Kz0Wdzw4CcsJKFWGNGG<34F*
z1E^eREZqUJOm*tDpwaXz>)2X>It2DWn(PV9R+Sx?cVMT(JTjn&76}R?TNlVZShNk<
zKg5%GRNwG`S)>jNk__;#o$NFeVWXUQg)zc|z^pe3k(u@W{!_5)_-EXN2d0x53-h$j
znqxX6yw5<}=WH8mKN#Ok%5-glE$>hPMJW5=On$1YwMa3Wg=%VRt*|UImFUuw)O>=#
z$1c;ds!gAonpx@Ch3;-Udo0RO^)NaNT^|7@542v&7$Bvo7V5vuLL7osjNqg<=SOTU
z4{+_x(=fZoKKpIa-0uiy>|CZD(a_5)LW?e+sYwd&Y$I~gTE75(fRh2=|19oyIID&j
zPghM|vei0jG(dy`VkW3!__yb|N|1vo=K@dP!)oiTcf{DBt6usq<q1QVFNW4R6G}|*
zsb--2KJN9XQ9tn@eNdiZ6Sn;TEPiAmN>(N0n}eq8$UuHS=}6<*jzjUEk6tLyN8kf}
z-<_-=WT9LbA$m7_y<#c=YPH>2=jeZ{1>YKm!m$ar=j=W7ZcOYsYWPG{P(0pYHaPww
z$TtiYTm#9_eQEVcLLC165&i-CYmb7?aHue}2TOg217~u5CGnFi{q}(2SZatM#{>>U
z^xfa$j;mOBO6qZ~nJsknr*bonER8t|12+KiY|g3H7~9V0zHdFoGw9YbhDnGJi7=oV
z5+CIR25=N%->__vHxIL-Ya#zdayB%nu=FhhYG&tjx24g`G5}-sI<saN{@yM@6CuKR
zL{lv}!0{dr@emYqx7s#`wldCd4i#)vTux<=O*0V&S^62U=trSc6XT;rr_n5w%>78W
zMl980%;9x^*&BMlcpr%6TjND#K=?hIf?R63G8fmI6zm^G_8tPE#08(mFmD92eo#}d
z!1eEFz>{dByG=ve<|uW_!{j8F?heG7et3Sawddm!ORaKetTDJblBXkM2DT(r=t{1v
zWW9r%+tYIa2_;W10OITj-4Ucen|@k#;7BAQKAo-CpPoC79k&zqRXc{>0_1=m%p1`!
zjTEF@YiiKO%L`#+ju>Y459i)^t0v|LmbA5-|33tEyShPK^K&j}j0q33Rre!~bDh~P
z61iiYvn;b4rz)G;W@H~H#`guh%^*W4tddDkqUtZoLOMaKl7=uiM<tXc19M@Q*`#KH
z(k1aLtM3TB!udbC+SSXc=Z68k9~70pMD0?-IARJEShol+H{n`cq{Oj-nU5h1D)A^R
z4EwAyq^z+pmWu^6unql^+X9AG|BtD6eyA*L+lF&H+qP>@o@`9EHIr@E<eEIyWZSmg
zG;z1HZQFg_@Ap3M{j9%W{cx^x9oKOkATMun?1y|JhL>Z3ggimVPQ^X{Vq%Zji4N()
zR6S6n9Tv3m4c)y2M=acS(J^eo%yWAJ3inYA<B=7CXrQs@T>XH!hMDHVzt0RF558UN
zwr{xtLS4-(<)^-)gtZ$FJ3wd_hAJUftQE4GU*;YRvnJD!s2GebV5(IH*QPF{fV_Zz
z5^iV5qIbnX1s@fXjl|^VSYzBB{D$Cd4jr!WJZ(E?mP=&3C7&yPxIb3;U%}ke96Nq@
ztUKwhLqH#Z4=ZGl8oisCw6Ja#?MlH`d#jC=By5{OP>nI<Fo-1vo<eyOhen@W?v+gc
zM&4BFC;<H{d;W5Qe`K&DvUN=)z@pg6LKT4%wH~d(CO{ThK%=qcD$Eb@Hk`O_Y1tGQ
z5Ktqg)<0t;koH-WUJFQsL0pfZ4Jh&;_Kc1DJZv7U^q&`|RcS`;eQ(m8+)pVvXgHwL
z`keDxuk88l8@BGhdKr69^Xu!Mq;2ct@K)dZmVY{`l9rZ{@3WPg+tudq`N+j;mq)7)
zkVHWZWmc~xP$d{>Ix4EtsDPO<kRe@wk=GT{>(`*m9h^rTYli<VCwqA|GkB%{H_0Fz
zFFvJ6X&tcu;u}r%P<etAy8`&EtI9e_GnFGnp{<@}H#=iu|9#D8!}Fp`DMv`y=jNGl
z?C59(eD=Z<XMcWvZtq}sW=k`QPLFzuAD>Bmiq0kewY31KA`n2F_?ts&?ORt9|E%wu
zQ|sym7ctH}RQr`Bi3JHK1I==a+U@*G(F;BUhz6Yl^<b8L;i=5?pWu$id+0BobXIG<
z0F0~+|0@Lfb#Q1;qapjmj(2gG+bt8^!$0_RubEhfyHYaPyww#mJ~?_Laq}qbP&hU7
zC<CTN1{HW^-Ijl2pG5N54S1~KX4|$~*LGfmrBn|8ToKLT{A?pNdKhGB9o!cg@G{4U
zEcPWHCsS-Js2VAK)|{7+k5m$T%taU`aN557xYQJ!+q`ep`kg&`|K;BiFk(CR?+)b@
z5o*+@HAKj%nEBz8uECk^XpCt|sj-RIek9`(7I8Txlz;7tQXg?SkQ?jHVZpb*EazHp
zC+&jiFaRy(c1Yf^61-udVy<=8C)@AodfVtI2H&hcC#%__7)dG$w|4twZ9vQr{~mk8
zyX&wdCA2i=gy{%5wK}?Hg>E8rlnjE?_L3&+izZ>_+=G&S_&E=D{{N+M$0s=~OmkkH
z8oC7EMF8~*NKwQ-F$0?=`AcryNNFi7_w!!E47?tQw$`bh_!oRe3pmV*^Cy+erD{O9
zb>4z4^re;oiawjEn)z3xR7E2_GhPSpNhx1LN~FKTqFTc*u`WB)wbI#lSUNySz|jtQ
zypqil^9CGT2g+>-@AU8A5lh#<8p9f_e#4t;jqROU`@6ee?LKjM*TAEZ60ddYb!_ep
zIRoVr*3Qc7Zz?_&K>ozAd){Rkr~C6~9uA~ovaQTKC3rO!4T*D0zy79RnJE}(j=BCx
zr!Jh5lh){<EO5aO31MDgW-FJX8@PR|`Ps_XTE6gEAFfKdAa0Q#0rvL8XUxkFYv6Sg
z;l;`hUfpk0fXJeTtQ@xgYzmC^13>r4amX5AX+E`A+v+4!ozM=bsF@B~w{>*++{~Z(
zc$}|wxi#`ffFlBQd+iTd67m7lX}w=~#6|Up@$n_$L@agP(3L$YLg^-yIpzZ$LW4s;
zq9M5Ldr3`{#6gl!KMboqji>6h;#Ruc5YcHnrvKVMEwSF0?#vj^Y`Dc70z>ImU8fQ}
z`R9sAUQD44OV@vOkMW-`3L;-sJw#$C*YYV$1W-7l8B~Yhs;fEBSQpumL~w7?;y#}(
zH=o???{05D-kv`0-oAd<v~`~PfyYgFM*0~S2wJc58Q^tW{8O%#@rlZCa14|oC-E~+
z6@KZs*4dk|>p8D7uL}S0e1QnMDN(<SgI~xLZx!>7He-|1ze!&Hnnf*(FJ-H#=Ae1v
z+u$CX#Y<A5qaMJY*ydc%Um<d^=ssYu!<(W||I<|B!@|!Lw?w(lm3WxnGvGd5D?%qU
zE|??z(qANtE*o}5>DizUV6@oM23~ic?-vO7x`8_7-M>drT0G&zo_ClLsXghcnqJht
zs2hWRVV~mRVs<sTyf{)1!Yh(|g#}34Y0Oxc7M9*ruHSBU|6ehXzkz{NVuRy}IoFSQ
zXbUrE#4<8Ky@+x@HG0Rr2()|xT<hU?6Bg0QV&>~&MxLdx06!!fYl4zdQww&|nBf7Z
zbn0cj8ROi^Q85U-Xl(2U4AS_zBb45*s{m9>c<AZ!eU%)O3}*?DUh-8aZ7*>WT_^>)
zwA=*-ta-qjZy{_b@i#(zlJ8+w)`6xk3M%^ghAdiRH)Bs=i>YqkTV877ANd(oyn<b=
z0>T8teV{WU&0}hkbzWXRznklW5hFo=b~$dXmhWyaS>Y`$a2LZ5@0<JGR<`+r<jP<A
z;syAH{WNfvJULf4mSSe`b6HR%1CmFV;}xsJGTpvQ>T4Nuhn~j#4T3D@VA8^K<V2SL
zTbBnR;z*W{rOz`yVV-7xf`NBPwaI5`kxLR^Z98V`(%5lR6(<x;SMavt@p+kizCLMB
zD3w<wp&)`N#J;TLMu6r`hhr>9t}v8+QpH0G3uVeY!q8jI0W>w1259Im?vTIz0eY4e
z<}`cE7ZR!yPj#Bqg`Q9Xc*%b$81eq>b%XYJz>U$nNc;P!A9%mT+cN(YLrKQBiop5j
zvVG|s)I4VAe64E<(#;V<mO;hfQXA&1wCucIUKIIL&v4=mek}Y!cS1WgkC&2Cvyn;K
z<I9yZb=_GE4#rhzzJ*$mejxQf@c=BPNQ$4(tyHov2B>xnc96Q}W#H=J)lMN(Kv5`X
zo6Rnxz(I@MqbLpQ$Q^eOpDO0YAVGH9c(Yns+U+68YQXjd_qiv=%S6zJ2d6hNco{Zs
zt}mqD)r64<khr&CcLi=#U-Cl;bT33#gUG>pjv^^nbQv8C;k(S|TeUs~ZNCqC;a5FF
zn)@=WwqAoRIJ4Ir>aHa$BtO--uEe5tphnVrHE30)=qHdX$UvmVaG_~`_bZ>6`{9?{
zYn|pvgqi{OGBZ|uU5T8)aMaE^dC*8Vt{-k8NoC56=6|8Lky@1FE8`kJBO9=3L>o8x
zi~qQL7X3;1LwO%Bj&MFpl4Er!Oyj>O_A#v`S}JrAG}0ny)VeHW_+Z}Huko1C@Wvsy
zYCmb^FK<EY+tviq&R^hHz_o(Y)Vt6^ymC-PW7$t!D@R{4wC0T0<qEZCjG&mlIv8e$
znZPsyx7aZ}G2uk>Cyq_K{jZ)UmYxVq%Fn8@u0D+jH}g-vSJzKb|EXMz1&e}{V2tTj
z^!{;$ONYb1z>n?m>5Zed(7kxX3i*3}WIQ-@y0|#V<S<7ciiga8>2>JDxO`zY$I~<N
zeSeB7shKkDB2_9Fb;XR6g3Joxm6a;sjR-~Foa99o^>vIvh+hU@Ixb~+ZO;y17X=6f
ziniQzOPn$jXy2Q_4@j^N*DwYdr(g0JMB&OXZrBzb^*pU@cs-numAdk#+Cq<lPQ)i6
zf}mMxhx0|8CeiFMHimvU4k?yiGTn|d3BTd`>!aCm=&kn(!7BcutR*QL&ggJ$>mjBz
zuA%E#Kh-BE3Y30-l{(FQmb-D=GH|Gb&s?(sBJ~V>tP%lra<W$a^fgmV=RwYucW4a`
zAD=;6BoBer_FwyvXO=bV_SzHMv8~$-vza3mXvW$_#B7_rUBo_o8g#11Dsw{<rFNtU
zbo~@S)Ajz3dK+C%2V1ty`r~+#unmfZIk1rOdq?$~hx}gjS!JW95+g0TH8&IHF-;fw
zqL`sVlz5HQ`e6YVs0>b2fBw)leij$epb0A;W1yE1DMO2VG~MOe9VfXAmUq^-dXZ}n
zvFCS`o+YfhiogfWp$&MF)MgInqnWa!B!{?!G^fRA>=eqGr20rYV2@xJknrK_PG7F?
z+OL{mA>8;}C{ZtJYdTGG`u&I?$4`C@Vkwz%My+-aS+0X0QiEtNY(iu$s5c8TP)Ty_
zFKaT^(mQ>7f?*yQT0r#^)A)pmp-O#$?f-kOo7gR`++UJ`kmZg$yp~BOm|Hf=HnzVz
z*#90UK-}}eD>Sd#M%GhaV$(p<-tHhEYfBXXQL)2S>ltYKk_anNil^LP5f8c)d&83d
zWz2e{M$-fv@*RrOysVSwBuWpHiXhsEkWnmxFf|dONw6F>SvhgHCGn>ZBM4{#sLm7K
zi4#*(tZZy?Y}MV~QkU;{K$6q*vy0O+2kx(VsavK|j?oAMXI*E?9Z{c1acRksm#^%k
zB#v}KNzwmer{<$W_;~>h%^hniAs*cm$2(F^591p=OWJb|?-J2E3F&E%@7*zI<LCA5
zQ_6Mdig3G=>(0DoI~eY_oCLb0ymuc0K%XS&XvX_Qd~_Wcv4u=|hVMRiIf0f)-dN1&
zW?&lQ61XE%pvnFv9g=?<yYLU8fvPN<m(5SQtk{$)yV|F~GEQ>MkR)*JT@_Y1v25Jv
zTXJMcsoYe=(ISh;TDIiSu;jWLcDl}<?`FUwZ0ki3>?@5&))-1pJWosA`f6r&5k<n?
zLY)tBgWO<KaQUT@i6d$g9Wt(t5~yvUp@&k=dZYgF2}Q7NW9qTSigA^*HQoaWyQ+U!
z?96t1CVc_#W~X7!)<Bb;QBQAw&pa!qrlO*<xoM@_>1BVS17_2x%fCrTFb)n(Wb`sT
zzdkW!>*ggiHkMy!9HaKJr$MOz+d)Myo1_R1$spV`_z~YGFXGjtpRDkQ)=8p8I^<NV
ze`XQCudzdNm_yuTyv<-GsdrT>_sZq=AYdZMvsR(P8<>tPt>&%Zo+0KLBFX2v#SHCH
z2}Hpng>a8Qhb5XvBwfF$CbqQ`DGbEIh1=!*D#W4a)Xm%+*4r2OggQns?ZSOo?rNMK
zI1L*~JbwE1E^Xwa6E(D@>U$zf(T{a=4&}T6=v^-@mKQM`e1z$PT|1niU%k;M1MzcQ
z#Ox5V5>y#*c6{*qUa?we=P&=qd2)QRu)v%?e&<-C^HO!+LQx%pmJehebJqAoUC*zt
z+uPfmW84})5WbeE)C(_V$xFc;f%|}{xmuw%QffORwPLJ(c#5MO-<R63p=7;1NJx9!
z?f3A#>giPtvA76FR$c=vH*J{y{^+_1qY;q2r2GXChH)H-+opE3#fDn(DuvdQtM%*d
z<nwoWJ)X$mjYdO@JMZzJO0{+P_x$)2l|pwg>`PPEfNuLa=I7^YZ5|i<TU$#R2f~kA
z4{YW)QA0`wE39#GM>NtsFKhha;T^K{^IFSk$Pfb{7YamkxX2P-^nKZqj)w<2o^`>;
z<M4u>$EY69+c&b#8{;R?LQmS@kGV)*;N^R56OdNZWDya{EL9<DQW&N-qfbXo)64*L
z5Iqox+LxH?GOsx+2l~bJ?=J+RjJycK0r>YIxhljZW?^A01E_j16Q>g;J1_Xy*f)tG
z{O-H^B$eZo*A-l$VcD^)Do}j8#{vQk5MI}P$XQV>KBZ{b0%>r?^fcPpu@45y8P?&U
z8W|2!N1SLX{yq8K6UVtN%%rq&;DRKFo6XCyR@|WMyQ1#80z+a~Ld1;pgye{3k0h{U
zP^K|ZVDrq*>(%vsJvv&kBvu5CLsMm`wRF90+h({xNgUIH`dQ$)Lme&razqCs*Rt_p
z`Eu!4|I@QcyQX?xJ{`|s8H(r*$-KbknDK{h0F07>3NF4sk7EIu0v#-NGx{>?31j3*
zAd!S@kW<g`GJd;oKQIU}h*0{{G*b&gnFDHHdCu6^UT@Wey!Vj4pR7~?P~izARM*II
zV1Hig$!%%bCLvfP1{I;j1RL+Cv+Z5T?7<)Bd9-e$qTM)A&xReoIr0aGfa{~^DJ#WI
zsJZCiaNke4mfPD|5Fhn1V0gO0-x-r5DZPzh7=YvaeRtdEx%q5k?Y4-!)SHZOfq3u*
zJG&@fH@<71n;!ex;or2lW{8|mz2?8axc!ggWVt<(wr1vSZBMrkTQW2Ry2!4QDe`l;
zkDqRKc2Y(v#yIp2Zg+%b6V5=UHte5BL^foV3W`t!r*hu3nS1zdGSRl(r2OC*$)R$)
z<Q9=1+EKp@aO&+ESkmtgeHp7lIUE~uRvTyR8&(!(PzWfDfKtpu9N-Lkozm+C4&>=D
zCtEaBG(;_pE-mepOnpAh9``+E-~sY~*Y&iu`6zyoYirQ`+EEo|-G)3nR!PW!LT1gj
z8K<*r+veOU?xi&kJ3mS7kK5bJVSih_H8@Eu?ly_dM8vP6QClQ4QbqJpi>;u^`P;bn
zMfv9UIN`UAcksr0Zq?oSy=W;yiuR&gg{D=7M#z*D{j&D~KBSt6C(8WHi{v+y1YZpp
z%8-0sg{o-{4NOHOaatNJowa2Ac0S2o*@f|FG-y2vt3S0ucQCi8xE5TwLZTkH68-#{
zP!N1dzrU|m`=-}uiL;mJ+L*U-XbnfUh&$PmX#0m9Z^x{|g?`=FaI-Q$9NVm5Y_gb&
zI#J=Twm%4BsJX*ksM+y=)<%IClOA>0eKToaBQ2@MX<hdS4}TM*>cTOvB56$#I_j1D
z7pki+dbrttZ2P-qq-N@4XT$ILa7eP<2fH0`WIGGdXzu5(p>GiO;uGF-fmXtQK<BW3
zq9H)K;r-F&$f?72^Sv%Vmcul~v$Zq-v!+%yunlGFn(%Kc%XL086EW8KF2ONeZd!_?
zqV=JN^=OcQQX;1Ud?3POz?NFboSy1KNf0&YA5s;Gp2Qykn*+G1xu&o%4e-z()@VzE
z!CS*2AlpsQw9Cm^AUZ%F!CD+!Y#z$mw{0W;z2&50kuK?-_&Q{xPR|M~bBZvUoc0QY
zE`qfIX>tZBw_aIjvJX^WLHpx_campkPBxBMkhxZF{UFK0A^aqB(jW3_c|?&i`ADhv
zbYt5Q-^x`<*5sXTak6*{bbsY?u9mfzIa>p?gDUO7|GnEmDW3){85`LeHdeZh^JL7K
zd+}xT2=(xFrPlC#-MYUr75H`!XB9o04vb9THQ`8_kDTYPb?wAF3&i`olq&ABjRH)$
zx>0vJOB@L{aw2hb;5QwKl-u_>VU5wGU;6q4d4NHk8%rr0M7>MT)Osax>$9`!oHb!_
z(-1Yb<om_Qo?Eg`=OCkg^q=|NwW*G}73OA5xpjNPCpCWY^QEIlq2~E{uOjE?HI_9r
z>-#kuf{sISR59a_W20N`!(~>DVC#$V)$^UX|8q|F!`tclS(XTx4z1*+V3bpS)1-Q-
zRa#Dd7{Pg|vp&Dfx@!2y<9&~;5VTwKaUtyRd99(}Z(3ZI>V#Tnp~6+qEiyS<K^`Ns
z&$69J{KzdLgpqkc6vRbNBrU`1{H2m!bhl3V%QOK36!i+CB0MaN4ZlAhmVJ_0p#ohz
zM$LB;=!+0?PB}`|NUM7T+@$Zzi6;Q=HHof7-myt)$w(VE?4>4q|HsKu)$GQBBk={r
zlx%z0!?P9G>{Y${nJaYg8`RB?+lq|~PNyzY=btG(D*1)G0Al~~ew)@g8_=lN+lgDH
zA1@G!#o0PJjFyV&^Vrz=bUk(;{B%^nmXn3n;((Ih$2h`(R4|<ff?CN!_aLUZ8JZi~
z{x%eB+Wy%P@zrQw=U0V1J%KgGJxftB80I!bX4#G9#O$}U93CE0N^nl98&xzdAQl*0
z5A$AKHZYDPwjm|@hEl>HblT491T-P%?T8VgF;JnkWmpgUof?nDEY)Bd+}u!`-(X_d
zG?+V9`<rG_;g;5HAi0j18rg!On-ETR;Gc)S?`11%?tsgVMQKe0a)X8T-N|O_1-h%o
zGZ>L72Q$zkQ_>`F@XPr7mrkpYH@?DpkkRyaHgc2z3i}D^puJzD_%)R~z*x#-C7{@5
zH!LMO?!SV9G9q1SjqD-U`O>W=^~{DmeKjz`*?$#}Qf{QNM(TDAyhau}zb(9)C&y+G
zIo1d_c=;l>VGR9xV`6I^)Trc|$^~ok<;vW~7w-)Dkat4pv}@UCny<Z?#~Sq!cwBo!
z;Vgf1=!On@f;w&x5RMVzvrPIuicE3f7!eV`@VPAFKqMGRnZQ`@=2pHQ{p`%otbm4k
zdh7!jjBmjmpFt>CtpYi07I;kJ)5L|oLHv>$1``&SVB|YXJ|X|N>+4emi5eozARVHL
zkpj^Dyr+jx209q;z~Q~7=WQ$J<1q2au@)y3&E1`BwZmh_@ne3g&s6{-8TF7V#I-%1
z=v&RjvhDAfu&WE-gNIK}*ZXy^1cvj5(gWia2I1)wAe`hw0#TwPsbEC7io#U7zi*JC
zf0M63fSRepgi!@-{&6x6pzh*9UKRQ+L!MSHeuh$9rZ7RML<8AN*nh_!;1_dEg2zh~
z4`>XSd^L<7JtQOQ3jru4Uk4kI79c9tUSs|2_I<{?m%7%KUYR)e!z1VSohq;y4dV&O
zjfCyYWZioec_+i|NcU(YYj%9_8tCsSzJ02`PXED%A%vtnRm_L(vhz1uxpS$Pv^x3(
zW4Nihe21sz{rzf3smJ$vcQj*Z$eU9LpKNu^RwRol>xhEnlAL6{jRbkyiLWxM(pHX-
zXuy-YQiqwRky*TGfL=sjci=B+m1+Q$d;9*OI^Ub+HwE;JR2KQJ7c{-`@9t#AyGl&S
z4U2~}==U1ek=@Zh9B)C-O(=PLAuhR<9ym}=LzZcdmNsJ@#+EbX%bE%?FaYI^BU$<L
z0|G&A0RRo1olb*|pkQLM1d_QRJx@8@+ZwqD9y7VcNj}ubTYEGRaBn6?BG=5+f71wu
z6J=S7bzN@oYw)vY*&l#Q>~U;|WRB9*;VP%8f$-f=CpZb*3rjX!{AeEVPT%`8Qo&z+
zuv$6N%U+&9EJ4zsAh_xq0i1#wrJv{sN;F5=$lu+`oRqhRlmBsnH{tA$@e99hNKg5T
zku#AaXHoBfJb4M}oWwqkQ69@HKPkjAXVC2Y2WRrB{Lxj{b<&beebeP+nt&QyRjZ5o
z)sY}cwm2}^WB~WkIlvax1JzTA5(WoVkU|WY$cVg>1oVsOBoX5m0!Idn*w%HnrW<7%
z85){}WHg~M@71wp?$`ven(1gdp%2S`1DO4`V^vg2X&``%L?0yd_EQU1pgv!1djs)w
zXBQrWv~oV}djx*-Kw^{ximr*hrzKx^MWtU-R*cJn3yN?@>-V>PSt}m)r=L-1t6gpn
zmxof=gE3Shn2;oGIDW0NKtPe6VfF+o>n2(Ha7bBc4m|)fSpyK~m}@(NWjFc!rLxAB
z`XZpUyh&c>l01W>IAEP{<rz={_q9YuLe+Q{Ou)cm@yo2KYdo^@w>c06egLjm482KJ
zuD8%%HUdS>WXpFD=sLBX4lywJWCM)b5M{X#D{Z{k<6C4o<;vJkkKGuOG;nAJsu=+%
z{=p{`q9&H(gzLBcY=rYG=yTZf2XT9jkZz=T4##<nG_Fa(z#Sn@K2Q2wBVAOXLbc?x
z-aX!pS}5hbogO7l<&d(ma`SyUP+Geh+)9HEecN>G>;E1dO=@;>B`Iu~r_6a9gic0F
z=V@d#3>7<V&3keZODSWk8GS3M-XYPc(7ix`o=i|1Z{DUh8XZ<<)`vsJRS30_sNk@m
zVW@{YY_D6uxbKC7){T&fMqI>$FYC30B^s14mMgJ3qU2FdxU|Ye8tHRHF~1M^ms<zq
zs6w(7e<}7A!5{yU(Z2f@(hNs~BH9l#4ziL#nSiSzJMwVoykmh^cX`Es7hf4nPOqIy
zi8*l&JnHKGi`1`3J|K#+?v-fY$~<)hVBtoojHAR|#OYOm&88Y8Km~lh?7I34u}eT{
zIOWJwoknQJDyZ&278A_#`+Hk?<e#Jyf9L;aXj0J_<=tq1TYr7JpPx5okA;UOL4UNp
z7FaP|G_0wBs=JKN^!=>YCLzj~n}7+`dK04<Wn~h%CAMeqdt_d@e`3}}`{;UAywX-)
zgk#3CLKsY!35R@xI{qS?N=<93gd^q<B0Ya{=PSg|-y_hGi6glO1jf+rU~GktEuCI}
zHw>snVoo~v%7wP^cu2JIjMt;ld`2hyqSLIq)XdUg+oq2>O|L~H#tF|;YVUX1w=jZr
z2(W1Iy+1r!8fCiZ`<}GAv__;PZBojd73Fq6^t2b3-31VSa^;hEICuE@l40~wu<;pl
zw&8^j5A(>#8yfz_<O&nAB@`*B&$V6WV2Lp*pZA*r6j%fg-x4dTeKjd`jvMqPtoZbd
ztd<b-7Fp~jK~!^~uXf%>j;0}(FDErDw=g*Cr?GMGj3ogd24hRv;cTOB3p)wbCV12)
zL7-uYhE8JZ0;oJ+-PN2hXw^)D6&^@5M$I4g*7O6Tz|SH7i0;n7@eADkjDE-5jkwd+
zqn&^PJhj__{}7?8Kh3Y$&>tI$S3`PU=WK6ncUGFw-*LpPJp|Y33XRm~j*c>Fx?hhi
za{Qn6uEuT@=5^B)o6pzYmK}Ln5RZfFi^omnqUbFDt!nnsE6lojFsPp~+HK27Yv{KP
z&CKDT#RW&ggL=z#UFiCUGdB+`#TH*-Ibz8n&5M6=@)GtME*awueP@y_aZIaZ7Ni}k
zXV+7Ez(<jy((Q_N%~O@sTDbm>S4n-4gm7*FF(RtxKypB`SzORPS>9gW6eukigqEAp
zypEf!6r~9%pm#)?w^P#!Z5xlJ*R+V<sz~oB6f08CA%s=7S%WnU$<6{OvZ<=I05vW$
z8RH5!ZaJ>h#iE>=G|Z`-oU{zG4#|_~b~ery@Xn9h^fPaa*t+SlHwJ8l8toE2lMC^f
z)ORJ;;QFHKhjtgjq{-0ymkHcx9M7s*`$LB?f~yf?ykO&g2G=#;L@auoC0iZde#{sA
zZ$ROrK$o5Ga&n$IWAHN_lELAhPj%?YxM~vKGB*GpinuQ~+dnRdTp^J@0v#SE7J+#N
zVLHjHd%beM;b~}S=*bp!;e}it(3YNSRbEk1F=5`ITNBl}n@cUL{G&}<w#ca4zsaSR
z3<bWHg+cDe_|`zU3H~_iftw0;E!KGVM^_KO|GOzW$)|5NCu<_3J}s7xHu5L{4qaHv
zPAzE&@iu}Q5$(RhEz^kQq&%xjz{lVJ>2>$C=WU_q<IKUgwnxweoGpRT$j(wJ%&7<c
zM?>#dyKQs@U|UDI2@+)Nk2!q#8q9}9{HwVVKnJ3W3#O0g8>bMV<Fu6z!0^I67Okd?
zaDXZ4)6I^iR88t7$q@)r9b#vbFlY=d&w%iOj&1~;A=psV75;#bgE=I=abJN&Z#^f;
zY*F0iWSn@RSkPm2sMBkyx|Dn8*}S&#V#z#zeCS!dhpe%FKvQ|U+kIaq!D1SGzlNUG
z+wi*=H~nHa;rFY~01iKF{<bVx=l%Hfwqhhs=<OE#846|3?M9)&v}4KM=JH`PVETM}
zGo^Q8FX+pL`aAC1Bd?ws|InvWQ9ZWg^9&uj8;dbxwhnC_9}xCYXA*TgV7^YPGR`UP
zjV)>^!H_Y{q+mie%8U!?E<_|vNO}%-Q;+#hHvyMdt)PP|iV*+`B0_zkf28sz2dH8*
zGZP_Sh*tG|I`A@~>}*a7(sgW1>XHZrFxDRudO4SWpyhCl@bA10MEFClVs%#A96wfW
zOkWXw!9^D;#?^dLqU)M$vj3MX>zTSPZZ^Y7v$5X)8S3f6D1{{Gx#y{lhUpK$Z~}kV
z>%ANalfVm0)plOB-$Z_q(FH!;bpGR+W%69n)9n;Gh$hTtERfUQT)}MY`Rx1pAMTH*
z$_waiKm4FoLxUcnl-{2k>u*nl;Nc9Pl>>Q`Y{z1(+#jC@eQ&saFsR4JW!Y_;bb|};
z4$5DUK%#|eyd7BW&8LglA&&_L4ia+){3J63S!!`jSpPAasF|EnRGd=OszB)r_XI9y
zozKN&P2inOeC;cs9Me-=Dr})a&nyh)jVy!IuF}eRd$Y*-`TpRViQ+*POii%f@z4iP
zR+-EcL>)&e==~Ws@HBcfI`-r8&kA=0806~VaRDSy0BD*NYHMlyKFC1M4(sm^rByUN
z4%<1JoOI{r|7hrW>(h!OeS7$rBl{Tbc|QBJYi7e>y4+&8!svd1JP#<U3rq~09>!e7
zF0w&{PZ2*=E^XcV#oWx5#QZx_W2Ka&5L$wS0i$;p^VSR)yV#TcOI}2tRpemDEuJ|P
z#)S@$-&M8c8E@(eXR9Fw0?e*+k7HZRV8t64q-ZE;g+V7LwM-mPt1A4}9B7aDlXO~4
z$uAXo+547~8JFY$PwkWZO$p)19lz7T@4?bZaN-Si7H>Oc<k6u1k43IN8=-^OQWdGg
z;*kWvN7=nM1=p4)FRK1)Tj%2wp3&=OqEdFZr^<YjYFz}pE1)ik--kyU96a=NdhOfX
z)uJ?3V1M@AzfGTYn-eAMi<?)Bv5Ev!I-)VIo-8^sc{Pd`oNK*!&Zx)%0)f&3ZdUIF
zg`8ZCaPzLE*4RN<_OGcZZ2GZfY=2C7?ce}|gi<ehEv6Izk)w=lE|k8aZg^mz4>sD6
z3H*`c7DCAnbhdse9<KfjJ^P%-&_qSBCuHO84_9V1ZCQ3ZgnmTsDN%O<-LL?z`S+Qx
zHMUxTQ(0=HCsdD7f{!3|@*Z92K`ol_h5WJd<1mlBMT=kSERlI7d#Rka!YrOTokoFi
zvU2Hq=@5o|uWzt3D`Dy8P?t6;e^jsm>+1!{{&lUCgGxyA^P7tm)FGa_hyS&XI_REQ
z-ZCz?HSwOK^Etx%n=>i$?rjMY)%z58k>Pp_A~lzshgH=F2bAypxD@t`lh|Vrm?x?S
zO7d~Cqik9tbi@G?XZ|*zFIEQoA5O7pl^mq7ZDfwKvH?0QTir)!5v!(8DqGXpCfV2k
zq4>6Vyg?g(hmbcHL9=$)MTu2sk*M8<XgUJ5%r}<6#pUI614Gr4OOP~K)xyaqYAlxZ
z-npblp4hXM@*BH9UpHo-K!UmpiIn3*&ep*E3&qyIJToVjIy-n&Y}EjkgWCC{NY=&s
zLiSPev3C`P_c74(@j&KxIpK=GKnxn7rTO)Z5nQe;v!jkA#<eQd+a?l(R!Sp7E*6$5
z>0Bn&kJDG|mfWy|?i~O~mnVjxXUam0F;zwjbPg5_{l`D!Qi~%xn_jz>`V42r=qivO
zCWl51c0=liA9H14)(3#;26!U_IEZdh7^i1Y%Qm*<j$Rd`w~aZD(%8ov`dHBp_m>&s
zthrQWLR&;N*85j$0K=~&v04i*ujg`iXnlf8d23A+{6w`zJ=DV4Z+CTbgP?L5uZiR1
zxzQzy&vOK5O6cW!6s)0>PM_ektlOV(G-+zn+GHl5WC61==Xnvp#|oA1gpCS+bp5Je
zxF<?nH=&$6@R#yWS+mryVcc6)MYP=Mh=2uyGw25FUOs#Vh^fp^l}A}WzTscObaZz&
z*k)Q0TZ1)q{C%vy$+xJB3H1s#@?}w!EnnXu@7c|a*%PVR*+cC6f*Mj6!CV*yk1$m(
z<|=9N9SyzGW}q*9HtQ=O<8@RGM8$#vSf;#xk41>3JQiuN>EfnV3_S%uFes2?g@wo}
z%ma^+d=0&w8lO;^Dz`LY6lgWGa;jZC>v;b44To+iqA%-B=FB*NISwHmM<wLMKmO8I
zqYi#;w>#2Pz?WFGvthIotA(gYu;banK7pFtnStyw{a@>v1&WHU?~z$At{*sGXL?4;
z(fefq%XYr66eI`m5;+}xa9ASDqE_>MbyrwYvGuVc$PP>z*N4P`i5Qg?`y-XQYr;e(
zf&k}td#RB82`LhJ=nhgWqG&`dzobPc_BnQaCJ|elL=hCIt@Yo-9*c_=f2MWaCP~MU
zf=>#aR85DTp1j7c(tLbgdR|^W_U7;J4|4qOZ<jc{Q-8D1nEQKqMSmu=f4}(8`hK|(
z{Q2(Nw5)A1e>$mRT1j2)LXrLv*Tr-4o26rB;NEdRmFi&Jr{Y)>r(%?Q$y&7DmH=}X
z9`YF_jO_N5EU(8DABgM;6(Z#!XMeXzt3w^dweE9*`gO!}zv1Ejd0xn=qSPLeb}7!H
zp&UPr0K+1B+@b0Y1;z(`?GJS^Lr1#}A=3^spyaL@c+xce8=nlv>%Hfd?5Dp^!%NP4
z_{UYw$IVY%Q<V|6LKjOn=I^4)F{EYkW66%XF@-b0-C{lsh<rPMa1%wKuzNK{u7R2t
zh!g0JoN9*F3hp}<hWYzNzWe_EPo`v)>NvYMmAdWW8LteE1|*)gR2#1&Om!q~y7c}U
zlAYdTnI3rdi}vF1%w0Up?QdEeQ}jq>OFVW+7!qS{nmAsz`7&`-oK`_hkeqypv;s6?
zd(Ke+%*D#Xx>Cu-$qmYlVBCv%!Ma{f!(9iSN081r50iG=sH(=rGxX%s#M;i3|J6y)
z`_WX7@B6Wdk(;aauo|o4nyG;BSD~CKyjycK4dHb`ObEr{#P2<8Rb&=XUdd*^HM!O_
zI=W)%=*=P0aKzOiyKW4Z;8tm#!<9M9nQ?koNt-nLr9*cDzX}*h9F!oG@^KpBf%C<N
z^9mZK{6%tEtr!U|^DNz@-Rwpp5rYQ2x=Zv-`4S80*&FxD@B7`5*vJ_yTP`tv5&v-7
zEe6@oSmmio^ncN~XXs~6DvpDru2VQM!)Udxtu9n}8e|*9X(Tzv8c<A%Z<v1R?IgRU
zivGp-ei@t(&8moW$AW`=nq}p!MMGT}%D5Yu3ERZ{IyB+@n1EGQnVZ2F>j<$}((W|=
zSm0e;>D>MV?8v`vu)?Nnrxbgg(G~u^xfQgf2#uT#=O|ohf?}gRKsfJE=f1QZD$m9f
z2X2+r_9H_&{?L92>p1aw$doUV*ieTpSF0a+&Yz-H^@C%uZO{7+K5fVgJo@okwBUq2
z5*R>5Hj-{##rK0$Gh<~XgU4ar-kk__t?+=3v5+j>Y)!DTCBwiZ$riG?oDtq4U0DoH
z@lHK_>u$o%0G+x9Fo|tu7L&$|J4#O_BAhnve|bgs4gT{xT6(^}msG$nU}#x+8eO^q
zB`Cj6Oq_XglEjo4`97h{;T*YQNUCJxp<a&2g-Av#vzTRCR|X9kgJFy(EHYIY`>j?_
zn}5FZ2$S$^pC0Z?e;lHT#vLwVVnAqkcyjfod%VsrKPYs4@PwqL%Jo)aNrhSV_5b{>
zGm9z_AJFj{(g(P&SidECyIzkDODs)=u%k|F*fRXbr#}&>lrT^l)Js!l?<%s`Q~6oI
z-AFdfRcx;jj<3br7jR_MG-TMv&tOdq(-L!*+K@zj1ekSU9HfLwuP;S}3MTwgfx%w}
zRvEk$fNHe$8y!})exzIyPx^EF&G6pL3s1%Ea>zooE@54EhEEtmC3%QooD<Z@gjO+k
z@Cgcee!d*B34iRHs6mJnt3xVg(N>lz#l{vV>KM%Pw0OvTSKw$rU>^Sw`Mra+!PU!|
zxY#Lm=+0cjfg9wBp+p-2;-VC>5-njwEd9&SH#Bn;;ep!d?QmOz&S2KrC2XVe6ws$@
zaT<FGH%9uqaiKQ9WanYmlT{19h4FkFKJcN>)`@kz`mYnq*B!`h&4UqIPx$@Q+_Cj~
zWC%_I@9*&6{IDrr%BoeOsVs1#$#>f1Up0I0B7O~>=4lw-_nu1#I6+KG)rD<|!5dHc
ztn=etO^k){UY0*-7V3BXc;FQ$4|2t`f8+HZP`r1glC!M+q7=+bY)bapT2&?`vb0$!
zd8}zbM2hwenFt7#Z-i>6!SkXYY8xEIKOi@{M68Z1^zb>*wP9S9CU4vogk%nQWaDJ(
zi{+Bq8pK$Ry{<V`77!w#;l-6srf4{5bA=_5E-ve%LgDjH?KHVR0Sn$@be>}}MG;AJ
zq$o1e*G$i9Xj}#JY~6l04MwlWXDb=SC)=C~4bj}HyRar{;d9Lm`PTf;DhF9!ne>re
zHp|os_Z@2+@3#lUSxZBruHJ6%r#r%)`c+0<zOq0sqvW2)J+_~3V^azAP#vXK^`pCS
zA6H~xp`TAr2kK(j9cx-EuX|%!A$kZBU2Sbg|Lz}8uMZzh1-kVF^;_&@n?ed=GQ5dH
z4CuuObpD(&@$1T$C}me_W^}wri*$l!?I(Ud-j;m4D}B7)cG2Ao6*7EYnFUb(Wgv<t
z)`v<KWj2O8wmRbNp`h?7ORbJ^QSb!Nb2M&hwy<P*dXu6lbvkQ&`S=yU|Jh~Uj@TJf
z<W%KKTx9yyu(2tVjy9v3!WVwQUHb-15Dt+G;eHHom><5P$<wX0KYHXZjGHkdQlM+x
z^V6BzRHUXL!X?-Nr2ey&KXB>L^>B1U?ucNOlsYuRUz<bihirE~Z5M;h5<vj57sqs&
z@aGbp7Ymi&$7_x8i^icG7Y*1Id+HV@@D@PpS7}Wd349!t2!AY1{q%BavDctZbSiAP
z@=cRB&vgc*mL7PiCC_;`*roGL{Bsez;nwAfsj8seP_xp?h-JjY&V4b^I?d!)wH=I0
zg{2X686qDlb92l<0E`Ed=ktaxF>3cUWaEX9U@MkdEXha_tx#x)aBO5Z7{C3E+Nx2>
zd<fBvsK8E=GN9v&?<!9?o)9$H9`z**qxj=wxw10=-5`f;*k7-la)98!9EgSBC0DZa
z<L`i3bIq<2b;P;M+z`$lCo?Lbmz6(91LV~vu&N%oIT08!Rl4qKNV+p>tUpe!C3=;F
z;{Dxx7if^Ji0voB=TJiBBdM4p7uF^{a_u|)@VirQuPx^x&~6xp?YR>y$CDwws|7}Z
zuCg1W5}B~l%EDZOI1m4v`Ty+mXO?7yeCH>_+>aUbRJW%5o|9Xx%y>02?By}|G>sZm
zQ^b)oVTZhY-}ch$d6sV>|0FCg!kqBQ6NJLZP?IvU!NIm!xa$;~NTv11_UEKp9qbvT
zaY2qoNfk5dZZzoz#OS$=II28-4s=Pi+T$Z&kbM^vX7xWi4GzB{8d>%XMX8;oaI&AT
zpFIvjAKRbu!l)katL?9?6K*@{Qq-VP(ACw^k#n6sDGAo9=gnEgXL7NjaN|5Ct5u{x
z8d=xFtsgD~Opfp4*1PBZ#6pk%%f0A;?C>1-wv3@Cwp2S&k$1ODN40hh;9~$$fY@xs
z?@9P$<6|LF__43&Y2m{UvuMs<P8z8gQLIdNaW$8U>?`X2sS;bC)435;KwpG_)P3a-
zJb9+Zv&2}wX2TFHG_|7N&{DiJ_&KZpxC?OQ;lee$`;K5Uq;=50mNK$e-Q8f5MJ5e>
z5e31y18Mv1r%6>|!RR4~2<Li?()!v9z((6KnJ|P`k{Iss_Wb%XR&=rU4WCSl<Mw)6
z9aIxK0X`i3#d;d;Vkbw(z(O(9qyE4LtD`SnE`Iogq=ePLq=N%X#l@lq>}$VIDvD>L
z`}NjB_+!YT$M@;}tlKt-H!9yrx=D(iL<u)UzQV6MsMH>K_8aIUs%uS%weG4zte9xI
zBX4-Ru!3T6K|fh~nR`8X`k+2XEsBeP6QqD<G0IES^b#3pg$JwhqpY#<*0<JGe!$OB
zv#y^Frz8ZOZ5NDNr^3seEuu}^dSx~!xjiXl4%BB44kf#UkzY<$bdm8fOn#})C6u*T
z_WEFm8Pnq7;y7xv?)A`xcu+2ggerxjA_J*&@7e^^LUhAxZ=?Q{Ul!Cit%)(eR~Q&1
z0ug<`7b;Bf;@$5pNbq;<oflkffad@tzj_9EL;HD*qLCNgJ>d*rn+|6*=gT@6--bl3
zsLDznG#v3Vr@0HuZx1@L<$N-wloSad^=$|gtZ?lc(S;@(akazKjrWc%p1c3E?>}e%
z<3r1GVrXB()@J<ft2}sWpbLR^|FQdSq<yseVVP+EwwaeX9Cm;kWnh$^IBq0Sg*(l(
zfKy?c9MLo&m4wNT?xj%WHKt?%!`7fG%3wWuzhvY<$t=E^(vsz}7`NK`*bWs+-~lI)
z5^#_EB6yS60Yq*9@y6zjQmLyZa|xPoXJ7{Syqukkyo49*U55+54_rB?rAQ_h2BLDG
zOzaE{*!NUKCP2VL{u!$n`)o%Oxk!mEkxka%I(13_p8k8C<1wnfI4{j@ZTHq)1Ugv#
z+&r29DTg4poXi;*oZ{<Hl_m8aes+7fx3uvJ`dw@XxsT1UFk>&}W)h(EPH9@%D?twi
zby9sbnR~Xk_$%)=Dvx@i#2Wa6&r2sgH)iZBBuqu)cRrZjf*ZK#{%{G%iH5Xai2MbF
zKnam>ylELE#$<HgC`+~e2R?Pm;>7&T1p3On7Bq@WH;mGyVKFU61R*(JFpwa703oxq
zBH<jey)k5lxZ{2r7jo0Mu0~r6k%~rH5}$-URlSoY3EMKj=7_^e5H1vtPNK0pEsiM$
zq6nBvbaj7!&-U@m_OYw<zU%Pw8Qg;Aku`f|iK%=xi%1m&vcx^M>{_4k6Pv?Gh&yVI
zC@3y(Zze8M*IibTQD)Z{6q>0joMBFr$CN?;XWdZ{$&@*@!yI#nYLh<i2DK+Ky|2zQ
zPvQJq?F5gwuyc0K)4CmdI>9-gs1_JfMep2sfKm;0y7@9~ehU(1@B7nlI`Gr9lcDhD
z3WNA=i1{fX7`hkz*w{wGCy1Q!8B$J*D`Ondd<Nf}RHIoZVNeB`L)Bk=YYx@c_~V@F
z->tv4*38Lt@589kEA-SKsCS-qo4FN}r}Q8cM>og6E0L{UXueZH#D6J>)y_gcdEzK1
z-{ed?JyPAx2+^TDXN<CzRH^A2`0nFUTdSY{1WLq&6;-pRzMw@ZLJj`YoG)6hg8yGQ
zeW`PyuTp>NT93Ej5<UBOuc$N=Dx}o<a(3Btw3a|qKL))#W&hGBZ%j#nsTi6R!&VFs
z3N0PsfVn{8$5b6dEFL6geM^XZzUl4#{`pN!HrBolY0gxf;(;{XjT0`tf%-(Ov8Eia
z&}Bl$#9FXjVEZ<;V!cyR>>);=Mi5iT#Ao`a(96&#fVolP>F`U4{Z!Jye;ks1TqTw$
z0d89~x|VE7NlDi`y<QxB^iFTcqbF;s-!J3d4||?R;|}QPU=r3lpYN~U{Tuv!UyfI_
zrh0URSHUJ^BojG)w@&PWk@bztNMbSQ@bh!-U6T(l<jPB))Lm_!5_c+ZXDv1B-Ci6y
zifn9?JHSG$vc-VT1IykTDc9mV1J!|97luZYWfWy0_^4-X$kHzejBdGdG163gdDGm>
zLR87d$|sU_C^8eTm}B>+VZVqWpYzAz;jw?Hy?CUcG+O_Fj==d!@@oQ@W=c~82I`}b
z%9jwv*1=TQf^Y$IlDVw-TDXXb)J8Ibw3W<B_O=$W@Y_zS4bd`7{KZLm1raQt^7KLo
z6e)Yad*J=O>}loTn(x6)b+2r`WJlMeM~?s1QqRYY@Jqv|+S0+OyZE3m(JHlwr83i%
zE`dCodbH4nuza3b0-b7B&Q5%hL+<<I;6kX4^>WeBbzyl$_=ydH6gaWq$Wy+gSi5GW
zTvZ2=$dkCbtWOEPwUDYRl34c`;}0C9$z*!l89FFPd}_20IHUrP&g=&jVwMnPfiLRu
z&oI6Fx6*~NXDg(8y7c9vN$-K=3j@KiR$&6g^=H+>$&&r%4wxwjea4Wl&UL7R^;a3=
zXg)ovhz5KFcO_JOrg1N#sc&WmAx+uP;JEHZ74*I0rl35|$n!J(_ft3{x&Y_aCvCWU
z4CK?YXcI!=Egz_DTz`QokJXfBhu0g8q|1vzK}%lGwu<uliqBjlZ_NVosl&+G+pqnt
zQYuaI2W&)2xmJOgi(&E$cp`5_Ox)G@y>I`s*n7BI(RRE&ydR1#eSZmkD@7B(qfJq^
za{i%l_oR^wflm=atzMw6FtTM!s5Am;a*aLir`Xg_q_e~y%ryK6^8wY1Dk?((lN;g6
zO|rJJ_WIdz`_oY1XWyb^A;^+DM`>TWU<u?YfaVJGH;Ocmf*w7*?|WNB{$Tkh;ao~S
zA!UK5geyH#F}J^UU&k65Z@hU;O`W@xWJS!pKQ`yxwPLRa&Nk4;yta(a8sFb}>StU^
zG6VReUEY7Hx9+C7+;mPePlp?H_z36h^yc@5mPW69+uM5Bu8C0@a>++VP1(~Y3pfiB
zp`Gi%icBE4jnC}6y)lPbUY$&mp&b~hRM+0i$3Uo=pxznpqOy>mUNX6nKt2<mle=^g
zoygy$kyK-Eia=S%zmV&p1TU#%xhHHJbqtr2=yiPFHtn9d7tntBcw^3L)ASG-A>YG<
zx3uvYgE;#GmNQm+UkovOovngGp!am==KiTyGZ^T7TcHPAE`aPutDW2^qJKdX)Tfvp
z+R8VH>UFfUONx4GrYUA<@=vK>D66I>Hw{7!NBrf34i7h>AOTMCm@abe@7>+ye4H7*
z<$PQzy+1GXEYF>p`f^4khj7_|zT&`+I>l#|dWyM`%<*dIVHDqn(&6yCDqE#nX=;I;
z{*gyF$fg!Pv@A6LEg3W8%u)HGT=iKa6sqW%z{SVT?yMfVWr{U80tm0x#vc+3RS4%p
ztnzaA+y&DI2GaOg<qJ7!K6~N0v@F6PdLw0e8!>p)l8C`TX%xB2^@>SDMmCV9uQx**
z<)9pFu?(1}_^LXVz#1RRDMa+xV}wHx;^*yhhMF&QERzq-*KU68?b?@frbDrYnHu=r
z<zSVIHv7~IepdPE!s&cr_fL)L(;t6^Ssy1-Z83z5b{HR_zfum}FnN$mQHTg8&^K{R
zT@*<{oL`=Y{bLB#oSn>sNK!KD$!@>&l@1vyIH`q}L}B}?(E4Z+Z+cC-66dd$xr@VC
zjQZLCg7Z~cBBc-SHfv4Y8h?enRlO9}C<?*@@$xePtLW4+iH-?FU=>aR=>n$^I7<m_
zgTw5hlSH>cip_{TJPPPs1y>4DHO+i0qJAcanhoEZJDw+RwfVEPySKNMj5BYAl~guG
z)|za6L;cv1AKX|V;_-oR>LdV?hJ95j*>(XwQiWld++yjd(Jy_^e;dtj96yd%9PAw&
z+)pOf)<{f}hOS0?UbQ}sw~wv3)6j#w^lLtad;U*%3kx-dYwP+8W{Lq;UJ_>g&fWUd
zR#Muf^kY0VMmQY`SB}zCO9wB!Bo;e5nWjsg-%2~m%j-**i-WVgu!|bL_Pz6X@ECPI
z4#OTl-X^)r2Pb2T{6r56Xc~qv3x!;TNXr}$^qctj!zblJ5*G+6!dR_`HAgZ<-<d_?
z#>7kK9|Q;%eLPuGE86Xm>xTRZOZQ_mnZl|?i@8`+{gS&igYTJ<F2eAh!U`y1hOPY#
zpGf4qhAwo8PX<`QG*^fZKs2M3!Gi&Zszgw81ll2hZC22;T{IW~%FQ?$P=Qt=+oK+^
zvlTRgxUO+rO=V0$4GELbqI0OY5-<)$RV(GXYc)NO+hf9SaX+6eK8}=(HoEeTEfW-|
z@S<2t`N443oL|Ri52Vc9el=1tw6~WXQSzEL_1hMUH&IFHNR_r$9!jhKOEVRSD%9=r
zgN>cEl`RtK*l0eHh8p(f{9>~Fi(D1vhnxIVl!P1`^S6COE3tbSl{2igtvQB8j_fG<
zS&c_r2kdcz@h|#HZIIXYeUoSi4Z|4E8v%DD5sYpFr0l2aN-d426G7hi)qlJnWKDNo
zt0$r|QNz0BRROa{H!x(m?UWExxJBs-RDS)q&GLVMfj+UfL-C?6sjNw?euyM5>$i<Q
zvFHuiw1Y5y$}Is$Ry8J$L*meY?2g#`ydtQ$5kAMaTV%52302vkdx1GY*8xr%1CkS6
z*IN}@iO0e5;%~p|8Fx4f_`(sbmN%|^6=CWBkn2lJ(7Rr{HFTfd6Y<rE5~6JS|A(Ud
z&yQfk8^e*{;^HW0-9`T~mO38F7RrRrUYxghV4pH(=ZZeftl-Kssn|;FXW{_B&LsY(
zCr7;;wQ$2DO7HjIHrO92wF*&}at&)ZEe|JW-PAIoB8`jZ7i10yR~ub^;G{iMcA>7;
z*3Nc5LH>-%eHiNI+u35PcB%GcMno}^C;yJAmXP#qWg3J`>J{^iUH;{J_nx13+cbG-
zi<|PrT3RW>&mc5m|NAYWDI>v;;`Ivzb)1g1iHw#bPiJp`p|nZm0Q_3XXsiE^sdsFz
zgblj1W81df>0rmUJ4wgt*xE5Vw$-sawv!#(w$ZWeWHRr(&&>S;u5Wc*N7Y(qt%3_3
z5f<89-|X<51H?z0)jvnYWC-gnaSYh4sdJKV9s?CGe}6rY_407x(P6sT_*nb1l|DIf
zK&!(3<2vlB$*|`ym}QzP9|90+g~mxe*%o|Z8u|c=aTNfE(Fsm?MK6|%zWOlgnlDDg
zLYTwXB#YEy9Ytf`ZJ@f-O#<NOH|mWwIdmDDObr_U1q{sd0`r0xt}u;t&iM)508@q<
zg$w!g=*J>@mDIYS@=uSE8k9NfC_W0E;OA1jQzNZhAK)xR{MV_eoSEGtqliVm5%%KJ
zY6ho@MNMag*S@@x-mQ*$-GF1@E4J@pDd+vhT<A5!-oSf*bc0Gc&94zdduw(9sC&#0
zM`OBw<FkVES~cnzuN|-pg^7-W6by!U1*GktyH2%>TG*(xod60FDh#2<KDx{Wtwd$Z
zbGzys03nyjpavMjG*M=cmFI{rv=i-}%RnX482rZmti|^jSmV`x32CBzJIb@Kqfbm+
zsjGOAL*T{rG?rNXB;Sqgt;xLRi4-U`N#r!fmO4`2t@#hL`Y2M<S(%bqOjVTMg>lKl
zf3(>#x4o8Fl}P%9_!A#^)EGV|XuH-1{l&1Z@#t!~*&)?75UoL_;kyDX-C8;D<G5DH
z5cM^2A%O1&=d=s2DKw@XD-#B&Ku$;<c3VP7g<{rWOu*}#E;OBuKoNJ&ep4T%)ON(6
zR40&B2(bFafHwEcpC+$k>>zvXm1pak;pDZo&$pUP7LE?V@Avxu%k(wAYYWhh+IBG)
zT><%u4`wuXwi7IW2+)NX;9XLJ3ceX_+oXG_P5B5nwVMYQ@;_~m*1UnFwq9o+@6LO8
zf~Ti|ox_rtiaC1d4bpqcgGMUYAY9f>-~0WHrD{?xKGF30<F}CoFQshX8h#$sy^4yP
z^OM>N*#^2bm`-Z)7L2>E9hPz@DL-obX!Ckgt}G}=Q7{M43cuar+%d32|M&Gu^<r$S
zV>-(psp8^d<{kk$L3~X}uC@GO?u>gg&|hb^Y{j9Wq5A!qkr5dT805UljZQje2q85$
z@4KGFSfP)rudtTq?RV5KRs#2X@59)$lT5K~#vEoTMlCNsW@q@c19f*Oi7A+*;7gYD
zyNbM|Ta4G+TO)TMth?mxCff-n5?#+m9%V>LBBkz*P6P}aLaA^qB7!iH?tDChmFL?e
zlhs5aQh$g)Gm4z#Y4k00qR)0I9757iHLNq$T_I%8b;+hS>AAO=!6{ihySiQ>Z|`HR
zE8I6_il1EMVA7AVr=mu)!c-+PtKALp78FLJPwWf+wm^+inov6o!E|b)>$272+IE1x
z?s!p}?M7!!mMz>4BW_HJifiVfLbe9H$N^i8Uf&mGAOlPjC6?JXQ3!?h&JhQmtqn;X
z)EcVgH7?sPitx$}BDOhZSn1d<_O`flpyU@C&#Cb4!`ne?Egi|t5o1up^9M7920QNl
z2zu4O&05dUW50#F*TnODhw$7Y<FibH+Roz!@{suyg;wyGO`?p}#+9SfOb|Ldq^WOa
zATS^mEl%&zDWb6(#^>q$EJ1BKpYr@Uq+6^HiCD8q(Yfs55Ni~$C{0l$OEBSjdTOU@
zZNak4s9Kjub3rCS$1l=M(y~gSn?Ja@r+?Biqf`xbOfum+&YD^c_4&c}*ElbsgU(h@
zOSPU7)l3-b{OgCG5<LG-q+i~)Y(u7%EuVOdq%OT=H4a|pRA2V<u}M4+#kvfwsXY+;
z;Q#jfW2=gaNbkf=3ORz2SX4cOOokAc1PYjd`#dEjcPIoI#*VG<v(o!c&Z(n!&@_eX
z#rC7~#kSYcwk7jZWkFmt#)g+t^@9Yu#E6*=4k*8ZVM)ya#b$Nk{@$wo{pFb(s*1Hb
zTVKHI^K9f*DcdLE^5bfu+`jYWru-|36s`$Zg56;JFXw<~c~EpcU7EtK3Bi#Gm5pM}
z^-kWmjngIjkH^pZ-)rkzTGX*hQ$>+H{&o<~8kb#CnuoVjf}pNe8Z7CWQaS`tesgo$
z$Q25CIJFt>j54~%3}o<Ym4wV3q1LuGfRLab39H$h1ezk82!?QZdHOr!jzz-ZzHi6-
zn9}d}g^4{SLEp<E(hjBR9JJJjuN&_{{(IUG@p*8c5Kbp5>4xVtgmqy}*hdR)lREmd
z$^OUW8A)isdS*TFGAJT{*U4T{9bCx=L4{-mdA^HVDfWJ%ZuE2;ru-%}+c9M>VD7|H
z5cS_F-d}Tsivb8BVQgYp{v6(wS+N4$$~^<ple;zRo2>>;Z)iPs=$2D#{tCO&_ZUjW
z+9t@xI8Y(Hv=rQ{A>WK9<Mmls(4oKh%aYZ%z>J}HR=egdP5aB9o0wU)@ZyodGq~bK
zJq1?ey)f6x<;&GN3k#hcsCC-X(Yh6zhs0~3hpXe~!NM(TS7Gnf-7Y(8M3dDwf;??%
zLg<2uwS$E{SqVzctWhfXUN|XvdxB6raZSP-T8KvZ0QR3UW9n$4T}Sd>=JbXZ^6^KR
zfS|5k@sWTI69sjOVsgW5!2-v_WSBTwVJemS`1qYNjLsj*Dt!HOv)Bds(7&LFjW#7D
zBAq!q^fs=LL~1H<Uv!5^8R^RS#`3KJr*cAdMzyT{m2_9UB-_)s?kt8ouTTl`W+qc@
zQE2nTNxo_!%Y!dvfn^vu*$3X^Y#Fp7QZXV}Ob!%<@`S25>YZ+!G;*E1^G{FF`5Y3z
zG){%(5qgVO;O5Ng3oO`~(L|J`!i?;A+rmJN<xUp(Z2re+G=>|~t)&0Qz(PKC)4G%L
zs%w?Gh3(nZO3m~$MrMHNc~K!S|0be4QOmmtuj)5`P6}E6P0qkQ%fh~AXhUH}193~l
z8wO5rSO)#5!6ue&mP&_&n3#C#a1Opc$c1Bcc7P&lg5m+hH2U&!eZ6qn?B@0ulyw-n
z0!zy8^{^u)Rg9}bq%P5+WgFRUqk|bT;_bno%@l;F-EFgcH5D84IU@8-3smNAUNY4x
z(n^mxs`(YIry=xQKpHDq@Mo&46Vz(klNeur{BL9cI`7ejBmeU3@%4TWlKcY@!7@1|
z`24gI`>~x!>V3Dfu<$(dizh3F7FZ?9Ihk;5<J6Fvm6e&9lRbWTdu<}xa`N(W@vLFM
zzrJ-6M>fF`^~;bRS-X8t+>nNEFE8-B&#AXg_B9sxaFgYZ^wf)7k&-5uIL%BA&QGzN
zh!yCb!fudBz8YCOYdZ)%)44EKQq+V=G2-Z$h@WYDThn;EP3#C8;YW^qVMich`ZW05
zb@DGxAl}U+87wYM@r52y@+~%rb+!6%I4qIr8Q{@x<sB)`7}^Y}1A2qPh>W65E#_eb
zDqdRjkE|C~kdoP0{oXB0+In+7keyXNP`ci%ej~|LgqBhC!cm&8arJWT9p@+CwX`D+
zMhSmWbOAt4^7XuI-PUYuZ*LDXpk+;OKLGDaODkY)!fG!H(Ofl|+TkIdxBvVyy@-A^
zA%;m-WDC_jZ_EzaE1%2e9Up9|R~?2nyqu<}6->cR9nwtT9d)FxW>6%FwFcCq^ga&G
z(|@(R<Dm7>Z2m{H5YxfbsDqpO0tvG3=_KnEWzJU94LreT4T#)pNT>*6M+i43^4qtN
zyL)EeWP(?3{Tz1cWT%x7v!BpvkzNh%@(yjbD$!(+P1UaJU8>C&dm2Sa|5ZpN?k@|8
zl!s;8GF-k<#pv9$Vr1|^R}`z65N#1#R+oDY?Qq9>w3t34W#+MtP^QknVBgrN&}#k2
zr}8HqS=~`yw{Vs<4168+|05A<LheBoEMawT*GD@%1>AS^iFES6URaIT1NhN*ol<Yk
z#jKK-{(&z#Q*|gc&faw69q1}u)^6;1Ox?t7!eL%e1mXM9b>txiNaKzT%s4qlw3jB<
z&&?GSP?JAhyJwnMCKVcGPSe0|R*;ZXRm10RVZHLp4Ju{xzhA8k{lV4PyOuv~In`C+
zmJmrD^;0UO6s48neJTDt>*CQKcUxob$y)guQy}rijsh1OFj3vyx?b+)K(8P+gg;V4
z=Edg4v_l0<jODx85#g_1t1JsVfBqcic)#tS{(icaBK3W`8^P{*Ns=Y4ED;Y2iiQxU
zF||Z;;>~psMlIUA26E&l<W`M=UQaVlPtSdoz_N2m-qm_)_1zO^K9F2+CV3Mw3eM2s
zr|xiQzE?N~PyIdWh;*;Qu)MVDrv&pxr9#$p=w;2cW;qwDFT8V5uB%yOe~N)?56ps`
zg_EkPTkp+lKwObXL>D}qkZroX<4nK2VTiF21!*(%xj{AGdfiHrjl{X(n?gUvSLQ%K
zZA#5L&N4KIe=GEFgX~WY*|uA5bet>7wUt<Ee0_7h*W@zYIOmd3l+d3mq`yevkYfsH
zOfREb^)9A#uhYghT%WGZF<By~$1UOp66mb1J$sAb^4p_1@{J}?MS=3mB1LJ!M}Odx
zm(XKfl@#ugIVeeprkkRd(R8Beoimde*<nsgL6V}d`k7fFo++#>6DvN;C-jtx!UtfL
zbia~a>ke}Fkhe(`Vk@Tc11G3K@LG}&>6d6R#4tQC{BB<pSbaigP@|&4C&f|pCFG@S
zX}jNQ@4{v`TR6gPcScj08>u`=g#|0Z!IIJCG3LzAWPb*N&7_VZ{p;j{HkKG*0vs=;
zQJlXy4Y6MQf^nnXTG3$9G1|6JG8vT!J;R`K^fct^L|p?jxmVbtDcUp-MJ}qVw$2Jg
z@f26#!nl5&?Ri^B-}SD4%J=^PZ7%EJip~#k5$H>~Zk`yY<0PyO{1NRVb{aydVO5Dy
zv0MC6muHQKFBKqzur51YLqDoqBCtKPDUj@Omc;{h3gT$fi)f`H%WRw1-tC&#c5|FM
z7#}25)YUhDJPAdkYp2bzZf*v@pTBYn-bUt%|KJ{e-V1dwjGkN^yhKiQxj)|woNv%*
zU()V5BDDx?+HkRwUXol~b~7Nrfkw*4mon~sJ66}rS#OAU3I|56>D>X}D@|0+F6>CT
z*O>G8A&$lp2L_IxSN5L=jz_$Cp__Kdp^N(hYDhvU#82n^A^JYJV^ni`m1AQ{rSUu5
zJiNcc<aTzhGybq{>UIeT^1f`3EL=PBWPRlpsi0Y|$u8Z=YKdMs5J0hn^yI-+P;@VK
ztE0s*LIqWV8`Bn^gJY>;8=Jyy&>s=Vg2eHn6l|9K%47Y&ZNam2?xHJ)mMyTHr?Jo|
z0is6#M8z>>2;J*(5SK?O-~oOC1%2uAXW=w(NYo`J;WV_hqKw^K8M>>E@!d$oG<k08
zRYkUg@sBQ!K9M=ZFCtf9S~;-DC5jfL@{EDAuAs8j1L`ci()dU)>#@P8*=rL)=)esu
zA_r@z!m5-#U-YdpeI=)yg7~kf%3~dSeP4ypc3qOJ%q+ELRH%i$87f{yP#JyaTN(XW
z5=+Xop0(8i2Fm2%o(zwVZgn|@c|pc7_kb2By7)JMHIQZdWKz!z>znq>H3k^1jgpXT
zD)r?UKFY0V$BbhFqaI*CX+avr57BDa4V{J=g$Xb2RUm)xFhsf5lHf3sK?tW-uyuS{
z&@w_uyZiOc*w6EH;CdBxzQh-sIYj)!cu31-y=jR0fJG3Z5DnNZbc$Rrx*=t)0^W!G
z30HSAA3`p`*YK0ewqq*=6_s<{m{^icMELVBJ3Y!T-kK(cwYndU;>kP~+A17blQeTY
z=R8^JFX)NB+B5%PXuft8tX2Q8Dd!vi4PcNq;rP#}x}+ZU=YD3NscR?9BWB`mR{Nh0
z`xDIK6`uZmzjZhK)Z5XTmm#F}g0a_wK~SS7>P4C-1t5rofS(YJAtBRgi(SGm4&_ka
zvWTKT(&n4OiJiVWS#>oxXd)#}U+)Wyv%8^TEju@RcW`^X*D%P*$`QzOx!;7H67+q!
z3v6Cmn#vLSeScFv6bd?bt>41swm0}IlT;LB*w<tSR~Yb587BykjA9n~4CE@7aIYxO
zcwOk*dx`g(_U7#Z@O8BFg8)JT{#%oD(W;tCPP=qv7}$<utHBs=#x#k9G%HVuuzsY{
zSK391b940t6K0R@UUK$IbUC9b#}?iVsiefrIQ0?)L*!SrcEPq8i>f()&*5N09GSFR
z(9)}Lg2=Ezhd~aS#R{(N0x}u3<X<cOo~M#yDdMxepFujUwy;7ti(^(nhptR3g<@n>
zF#7E&Mr1vsB~}AfZ?;Ng;FOtO%^xR_*UstmO=F9%YRn!4@hUA1y@`!S!9?o)KMbPV
z8H<de{c^|A{F@+Q&I$Ctbth6tlFy)v|4~tfo$)!fi)63XMl2yRr(EVdZ}M7Q<7egQ
zO61N?QnOta6aMo}-&-C4Dmg*=D~%<7?5eXaRG~OoJt^P3asG`bpL9HBZ?3(90b-kA
zc##8WRVknEz@KJgY5Yn|zN#`<fHY92D*qSDe35JW@QD`=18d^M^l-n4tPa>BqkJZl
z*&p&f141)*mUh75A@G5SkSHv#7c3n<2-Qz55bk@Es;JChgFDg)nyv7bJwGZ5DfUA(
z2V9P73#9;f&SYM9?6Ow!X6oOC0PN)|)(MXSIv9Y-C@LoZR*ZA~aycvp!~{(G_(a6h
ztsUj6q3S`o`g_Ysgl_KNsS#ZC^cRr?_|@y85JR$<<2W@#n!9Ih7R;!clV4qo%H`ZR
z^<lDH*zA}kXq;@Hd2;mVy0|jLS`K;tn<x7}tmGxk#oY7WO-K2zq{Ba&A$#`V+&`n9
zu2S1ZT~68O;2&YPiwyD&hJhD>lz_T&{wovI&cLD+o!Qky%p^ZIIJfWqtQBlm0S(M#
z^xObSQ3I{Bl*E@a3)E8E#;uFR@`<t<j|H1Y(773C>XB97`~7Wzdu)Fuv7DCF=WS+x
zVSj(FxcqA(d^#vUH1Kis`mCW0OC9J{5F<`{_U-VkD5pRQ*qfVMu}Pu8kZyMI`R&!b
zX2-W?QZTds{9JE7RmC!uQjatx^JBx9g7;3?qn55^E#{dn+ko;5{wrW4l^!4lHb{Wj
z!j+U_QtC@R%x*Rwc0M|pB2Gb|wa`~bUJ_F_@`%8GCtY0f9XJy@9^!#|n?erq{VMR)
z`rb8z-pe9H-EF+(=WBQ`POArYe|vdpzj|Avq(E}NU9@j@`w;SST>A55f#T>oMg&_S
zunQ5<E`?%>m5vdcf%<-ajEwl{km62=sp^gL?>ja+Ju4ajLjL8MqfJQGkocmk>nQYt
ze7JSC1dq>>TP$J04NP<$dYO{I`_a`y(A#;ZMMXq@JYs&6v%^TWj%diDYk?z?1i@Sp
z8BSXhM3n1<xAQo6=C+MtBWpPm{GZ}twe5}$5FalepO8S2R~1uP7MY*rUgF%tb>7$*
z-M9&wioh%ZVUu3iTS?1mMJW=|UrH)w2T?Y+E0JXGGm*e~+8Em+Lfp9YDSBd`4GvRP
zs}(-7S|@_$*!!Es$r9fh=u(dHo1Tu#qkQ%|b9S73u(*ia(u>=5uEmLbGn9s69*;?Z
zsbSquSLw7smcU4Ms0oDM2U&*@j_3Qq-y-CI1`%~&fe#zfzY!mm3>S&zZ+HYW=4~;P
zf_g!`TRqk#<>C-7F(GOq<p4=bohEg~MpZ&3bCLA)vLC}m#IU@%s7rRu<#N-$$~mcv
zjmb5f>e&=fa&jTVe#%C>4x!cs3;!{ih&6Eg%ST%GKd1}5OeO5SS*AaY*}0{(ct_x6
zBa$1|Yc5?pg;`cHp-_CEUkpo^Pp!ad8Vs*`wxI-+8p3ywMhXpJF}<g7L!S8nRA81A
z@-7&$!Gsxm&?0XN`#(WW^&4ldK@X1^?;nmG1+2ecj{Ayp-gj?KMqV$4ydE~|KOeeY
zafQA}ft=sZ3-@bF)doJdPglxkOE5Ay3qW=O0f8(<^B}#5eBJ7w5}o!Zyo7&A1$-WM
z>QPyySpP^#)mx?na|wI0xT3Ma`e((btU6_+KBOvebbO23TZKLMihU+>o@k9m?sIbp
zpm<A+nM|P_Dk_U?UuJ(iI=DcGMTNaCs<^G9FA&Dq7Rpvo!kyb2Nj*V@oeyp912qOX
z_#7>Rf?8+N;{;z5w2P1W(GL^?YjD)iv45mfA<Y0Um94L0EUUeOY-4Si^{^n)^u)}C
zMt;EiAr{Ev-S%w-uk4N!8d+5FU@qZ;rz3j{7lQZhXQ6kl7yM?^k6T=;L@a`H<S7P-
zf^#c`DLONo!nT}<GQ0{yIt62tH?>YihPKy;B$(coopU`GS&o~5Y%{oGME%R-L(tEc
zaYBSJ0ufEBV8GA8;T}sk0?Mi&nd@da2o;b>jb%~$a@m{M_2~67X?Q1A^BpB9f0Qjb
zc+Em1^&0Z0;k^2&tEp?lf?x4#fYOs2Q-*L?zpouH!tP1%hDD=mBP}p<g*c6<CStku
za1N`#31&i0_z`n7Ruxx@NKRjIPrnqu1XLO?N040H>tfvga#P%6q%K^@U;o8Taww#e
zUk$}Zux(POf5zlfJMlxWO)tn)O6TI^acf@|x{(0_UlT(Zw8qi+_=aUVV{^1Sf5#_g
z7H<;HA^DYy-`ZZNg!^M;H!S8y6SI@U-_c{^HmxO7nWY%xnUc7n=%_U`(o0Qip_9A-
zR<sBP5fd&xIH~{q)@@BIPPkKM3ka2}i?+OW&$BtMFJp|F`|ylHMW@=;bHL5?jG4?+
z0X6~4AyokXs2i+?{7}lt=1;u`0o}d|sEK*QkkQRArGG1g_!=G-qwt%>IIkvm(cHBK
z4oj@=TBe#p$I3x$Y&qyW#_xuO^-`l;quN05^PpU*Sn7*NME%$f&3XG5>w6QZ<Xf}x
z_U~(7;Cc6yRRT+Ivf8X(3-9<>j>cWtdraKQuTJ;Rlarf~eV*aRp~Mj^!Q5V`I`Va_
z9(-u>g7pxT_LCX9@>GLMl)=F4n8KMPvoL7j03dv1R=y3a-zj1OJ<%k-FtUL1Uow}i
zeo`#x+^T*A^h+JfB^wc<V=!j-Xk-BYe9eZP91ROX%t%$((>5}uwC;@=IHBT)USezL
zNs$H<O^mZlHd$@*EBIjn_cq5nj7>R1_(L5+i&oiph~!}0!yl4iR^8tizsGtEUmAlF
z$xx_MF^0M^`#1CuH4&L#)y)fdZ_M%^w%s5$X|QfVjdvXnh0-6A)@!+M?0?bAi*z*Z
zI97{mj7Ohb8&~Zf91|udV`5@sD{M>HAUH$x%OQ`!E%9<i#is}Y3<9p6Sz-e%IJ7l&
zW(KVx&Yn9jN|X~^G<sQR6i(YK2{CEfo5PA09MdQMjz4;pbv~>qB=z%W!c!E&eJ_T4
z0JMbKPU&z*Nnk&2BX8Y~a@7F)*+iW!`xV*19=#FBWNJE-_RB_I=Mg7eA0(fkyi0TU
zs=5M2d!Ktp8V9#51HgF&Q16kr)~<_#o@FB#nYbqY$wz?YaIv~vbMTG>un?JuLg4EH
zOCW>GZy>oRs+!?)&Iw!xnybo?d^BANiKK~UbaZfjs+xwEB1Py~2&-|07gMexmw^MI
zgy$6kTSK8YB8Nzc-(!p<GpcpT`g5nEAT#Luv*dBHoc!#-{vXJGVf}}>3RkIki4mCJ
zBYXvglyWtbWARnk>3+X*Tf6L*+aU4K_)!~Ze2`GrUWm^e`8$QAZCm5LQemZ$HksXs
z(h{pBgogt^(xv#B&;&0q^?WZ9>huasf7ZiCN2`;m+9sX>6B^B>Jl5>E2KqcZHf<Ky
zHoiou_lfhVj~Ai06I>yX_sd-$=?8hw!|&&6p^u%3iHDtsi-Yrn>ncx8>}TV`g^}y)
z=YeNcPZ&BvIgZo#i4m}*X%)2ZQ@sDGd@4+im>JOz`|`!F%9D>3m>r|MZDwoAetH+v
zf7tQl1R$#Qp>VJ@!S_l~74Kc0n56tEUeoK`ywJ#a-}7{SeR|rT%9b*y%I0r<JEH1H
z4~o1_nr0~es(N&PYL;Z)!7+4y?}iv;i){xMndKR1$s-h&O!*#RE-cq($Q)@zY;t8R
zl9vd>1|w3JzuL#4?Bm7Y!2~pa35xbx?8t(EHRmQEJUS1^A*|cUno(R+2#^79)tjgy
z;0orQ?82QEM>K&YiQ2P+%c?NXs_46s6>z?7h<(lNoGw2-*HKSZ#5{hkRW>0g&MozC
zn1@8-3Sfh$jrOR!056EN3@=_|8qIe|O{A=-Y&AbX&c|A3r843G99+h>#Ve}!CzKZX
zoubtDGD0#bHnNzs6gIPzqGwmtLod8INw(oyhLALcC9>ObHn|WFmb|cK=;50@t?ZSn
za3rx~oju^^&#Y>Xc$BeS^ZBr>Y6*VFL62Tsf5R*5Cn-TgyzSKoQid)C5(U4PMJFX<
zd-NdXes%#lcF0g_RG?nNjz6lPGruU9)umxX1REnAOGAvq9$P3KTBiJX_ZmYuKl{vC
z#xLVXLS7%T)Baj<-P#){4u*9LFJ|Idizo<21yejNxnx>wEUpM+IJDJtnRlRG(iJuI
z%On51F$@`^7n-WAk7S^&I*9l`EZ1vU-<grq{^mzgZouvZ$UC$**&OEXg2*QGusvn!
zwbZ?-`Uumm>$dX^q{HLB0s6=@ho~V{Qj!Ni*)kl|Gul_qT6?vEP|0bm5c>p_JVl90
z=w!?j?{?ox?ACm04XRyZAIsO)UNxHCs`Wcw4))7eydOSZNp-XJpj2A)1UfyRfANp7
zuuhl${_J>+O}X7Gc>cwUC}JP#5hjif31AgH)*8|F81cUng|h2?nF+q_WL@vOv<>hM
z+%*37xdq97`n#I}YAGY|rBD-Di>ZqfywaULi}}yJ)BkQIH!dHVV?l?k`WxO^q<?RK
z9(Q-UyWXvUbcJ{>1O!;#g(j;&GzYi|hqZ7;_m76#`ozs6B9GjfRdgJE*4~UC6lzgE
ztjS8u`-jjaYEQG8ixDKN9f|{nVE2FGI`F}F--1OC*LL602r76k7K!1=Kbo!&UInSk
zxuI`lVH7nWs{Tf9N7R+&;Z3h6H3!|xCkkT=AodoPX53qem2fIZ$)u>z_sM%bO%TRe
z@vef4yDUUMJXB_uHfY&bRomz2W`zQ0Z+sF4LyE!o=8_z|z)6RBA$AYa$F%%jsfrl>
zuJ1F*OHu~0xw|4wLScAt+Ts2ag}28+t&?AK)sq__)>FW?zNDK9_QUp0ewl)n)#y`Y
z99Df|^2BfK5;5!yhtMXf%gXCokPjV_dq&=#-#au<Sy603d!I)F+jQQE6NMHdKT0nE
z`!=GFzF9|sht<v&l@P?G$SLr;Q-HVKyRqwAlh0gk*2U=((-BR9?=Y2JjC?127mo9U
z3+<3VA&Zm<iTwk-TTz&(o9L>F9eTW$!Ou!8xD%|*^y!*XeFDKAKNt*BXCJcV{~9fi
z+8HyBm2>@S*+SiZ>CTnY!b`9%m;7qRc7nW1`s0W2kh2~PAAD4w8Bd$EMWb#bKX1VF
z-oE?)L-i%?Os(-D25UgxlgDL~G@FxDo=SVQi9fZ}vEGIAXxqC!1M-|^3(}un_||)Q
z-Cn)CoS$k``@WCm_}-o>VW$3ECH1}82_^0P?da<5>dK$PJcxg01*n6aWCNFj69dj4
zUon$@dzc_=4Y$tft7WS{>Xv=+<=I0&d+fX$Kk&`$@x6sT#i&B{&imKS$IB0fzC$>$
z!XZ%g=T*<qvu^7$@>l)D66%!w;#PZ`V0z5&w>~97kIxP!5$=xiG7iHH232PHz+u{W
zDz%)Nu}G5u0cVkl;7n|1EJV?yUxB!&AHkwZX)(myV3}IV{(cBS+T?1T#b?a;J=ljh
zwe0%R75LR|XOZv`f(L@*r_b49Wwhzv!S${xAS*2qZyHm`A>7f22zHBRvrzH@C#h60
z0BJnD{5>XX?fNZSSCBeh=?KuNfxp!4wW^jZ4AT#)s9N}b2OYdVTs;0zHz54p%o*4o
z1s|y)5f{Qc@o@U;U?9yKQe-1GgB}nIA)2kGHB2TwSg`U-e?eUpn;dJ3><=HueDt4s
zPfyId5vIUkP=SBG)@#6gZ+Zd`^I%SxSVhL2F&dpRAUPG02}@o-uGa}=ClNX~AFej;
zD|GmY>~p?Ryi9i+-ykFoFn4E3`))Dr`GKl^33Q@NrKx3%?-S(mMTje;*Rwj9;Suu7
zMc!e~`d8#Tr)H~j$VvWM)~iM*98kT_FrnlOm;U;kUGqK-9so6+fb=_COWClJl$;G3
z);@40?yL{|37Mx8JTW2#rSJ12cc`iCKd|>@<JVH=`EG~#W0zSA0vX=ZWZnHDw+(P=
z-sun}+FRIr>%dL0;EuTT@p28~d;KS(g3s0s?8V*Xwr9iG_$vucpcn)ZJcZvi3Vk-G
ziR~|eFZDf+<OGl%BNaLDFA%jV;wEvS@8saYu3jH=UO+%!H;a@N_x9SIJ<SZt7;q1J
z57Dzn6;R-o%USM8c&KeKbf=Rrn8?xztKok=;0Ct!`T0mg`W|@s_nrie6<12J%}u7$
z#tee&^!0@y&QThK6?$tK@nPxPz9F=7`SbKOBV%Z7;q$frbfNFdX{;MhP+RG=i&!rH
zkzQo?X6mP%{MsTP)$<dX+n3L79wSwZbb&83-y}c<y+X~fsW-{@q8;M^<*je>E)YQ!
zs2g!jo|}x^8_uzehsMJV^uiwmF>dk!dciRd*!^mJj_^0E<A78@B$%W8iH6vF%4r>V
z3&-$-OjYswRf6}cPTE2ka7PegsEFk**1R;NfQ6;=_|a-fY7&Zk%BmvMTtL0Uu{k!G
zik8FyhEysmUgt;Db5B;O+7qXExr~`|xSbn2*oFlQ4`9RE`OQWXLsRZGCIQYSDwbs>
z9g~8w)p!<vDvrEL0>2QtxA|)4?2}!7urd^u(7P=)b-U8>XAAq$8(Ns^D1dU3&<F+`
zxEd0DbPR17ab-rH4pTw&`)NJ-()JSll7Q{%z$gsLtN1%}tm*aw>L^yr6Pj^uYB#Oi
zYRJVyij01V`HgE%Mwwq4Iw@9}PPT>$Hcd}+g1+zedHm7)k+7}SmF?N335$e-vpcqb
z2=R{`o5S1g={eZEs8Gg9Kjy{IyPv@p<^OTuyecWuHYT#Y9bOruCU&YI@EDQ3)nBj}
zufpKBWF>>L6ZT4bEiS)%Ui<jiC4RiaeQ>Wnhstgfw>>hsEEStvH*=gV-@DP_e;zMq
z1-^dS#`tjd?J@>H!wg8`@~ZFP5Mc?=fDT@Pj~&!(k;PJCk>(^aXFSmbOT0C|+uR?8
z;e#qzm?!=a^DYhnA`i46Iri!ez%`2CwQk@-TwS%TxDrJ|Xwj*?q4%S}AO>uZ=!(_r
zJfm;Dn|a_pO6D{bg*c>0eQF3pwA6|?rxe_acYBV|y20nk{@82iYizb|=Wi#I<Io_t
z8P8%y9Cp~v9@QCwV3JyqDl05Zb`IZyVN_$g<~=C7rU0V>7CFP2`onq1$zsz$?=EZL
zBrl9LIcf3SPj~qhf2(|~CqVojV!r3gENBG9^LcP+r<XT$C(Dda0e$<VbXt33MxQV9
zu1SnUR8%J-|Jr?h-d0azgidy@!44~#Hnx0-Dh9W>xWUbI%~fKArt)lUbWwqN1I2J`
zNMdc;&a6O&oy1tMwzE1P@caZIn9$XeDs^qeR=1Ro%o<#V@upc7@jN$SFNHf^G=<le
zm0!RS@ecG`p1c#OnGRyG#|^q#KG@I<aT&`ygdxVW2@ojqE^(MrK0OsVhiLl!HT%*F
zbFtkm0tZiHup8Cvc80OUJo=KD%;X$PzCFG{(lOT1<}Qj|+O!qj2uhK?%vHgDgSC+{
zS$8ESJPgte1qMtU+N!TIT;8mw!2JsVgZ$P}7HHn3%-@N&`f5tg`u94xa$g0ypMl5~
zxfJEssUg{ZIo2U_3t8rQWnp_?(%u;tU0NRKTwb+>9k=MeE#jqi>{JvIR$;=R2M+j4
zv)@AzCc}+zKlgm&1F`Mpm7~SP!{)<>{rh8oqmQ|^Z*||hUJhYRc7gq0zM30q?&ns;
z>Fiw!0b!W35HV6dcI})v1Z+C5VK|@%<;AOx{g!15s{-p31;@S%nT@Ir8#RD!z6Y6x
zN}hCXio&4_+!Z>L%zsR@G+lq%+DB!_8soSeeu_T?HSB)t-V?&hkf7Efj&${sv=-K*
zv$D!XX|(4j-xzIlJlSqERQdOnq#q$<dX&b^;il=wBm4rqdYkRfuFhV!r?}OZq+GOf
z19Nj<ydQxn`2szA?g{iawFFz(l{00BQ0^MRrTGj7StLrNp<US~zGCF2s~z&7NLm1?
z^4gM)!%R}9C!%lgDgQ`BrS3Ay53;eO2smBe(^6c4eQEe6t@-z)&@4iKtQ||Sk`x4v
zvtPkk=w;4PZ)lU&8BKY&$<dN)dfAtwbewxLsSzm~u5y15fV@+KiA7dwk@F1ZNTP8x
zn3JhxX`v?hGKCAk$E&A@1?#L_>neHB?-unbLHVM{hlfS-JB@jXnWWdrn0O*E%Ed{1
zI_2Uyt+Y$7Q<sdxprpVORYwFKt2OCr!aQdSZ7`36$Q{6T3u(<OHE_UNj9o0u9{&<*
z%*p1{v4?q-6!lVl4|*b#LGE&`p^3W!w$3ajc^e&r-T9qkLZb;S{0MI{HADz&dQcg9
zR=Z`c1fU2gPc4?XV=nF4IK&{98M=$HEnaOa9kXlR8RVf6;ziH{^I^`1W8=!z3oGP?
z9H0wRZ_%w5Rt7hhx5)31syaW#Q<IT@-zCTBaeuSAe##cQ23io$T|qBNC|Iuj03s7#
z{YMn_SrXJ)AJ5UR?0QIYQ$njbb1G2V$~hguIm_Q2@ZG$^a9^!qpDz7`U><7g8tc78
z?>xKxqWv6+5)^${4M_O8gQq^=r!yb1$YAIeUCubdCaIlU<Inqn7$X}-$V;{m8VZ)$
zLu|OMibipgMhVluds839J*XyhAx3`b^Cp17OB@*5&dK?AxIYMU*7}I_RfYA+Ne7?m
z32*%7YE|B}?i3R1m<L0`q7In8BrMkkKYFG6){?O&Fa9&Ax8Fa)G_{{yu6M<zj#p4`
zYpZe*1p2d7ec61OV}@&9zqgl2r2xQaajBs8(~~pgd_`rKybZ&YHMmTpTsa%yPUHy#
z7;f^jl>Nwqy$0N?8AHV!@}hZbllD^SO)VS#<gC;1!0Q&yh8Hr_@8gIsrw#6=!Gdw{
zD%>qNS4T#Gr1ZxEKN7;;98%kG?U17hM^O*jtsvJ_imP3>T|4)6_2}dmj1RkDFj}H4
z%V(ew!J*ZvT}uWLEvqdzor@CBf?sS0ro}cC{is^4TwCCcKDas<VdSkXnpitG=Ew>$
zo=E>?x%|i}Q$GS!Idk4VQ{-yGQW$HX!a=+`f*i-G`QdOV{0FUW&2m~wvh`!o=_uxV
zc_nv}8wpfk9`Gvu{+F@8YlnnO4}!Jp-{y+mdtJ92t!|nZe&~GU*^wx~`~v5Cf?Lor
zPp%(|h6hH>Eay-<xs0Z$a6pQXdaFxhxw-~Qlc<-*zkpJ~E8_^!a*8%wW`Le9HNr%W
z!honnkWL<gdYd)xfFS=e6^dRxE=r^su?a~@JLj;3xBVS;<=uvlJQSbQa3>2ixz`$8
z71@9LKhTYdFW+yc=ci;bdz22Z5}E}*yi?HRrS^s3BZfDa<YwH`J@}&^tLz)`O^5S^
z(3XjPO##X}@=(LAzV)d~>A1z!8zie?F!jDa^gmjt6lTJ-y)kBCO5Uwh@xj?1F=c;k
zlkJzUj!?dU&X~UtaD~nKvx8MAH_OFG61#wQAK43Kd-Fca^U>}n`K!nf_^}slW_J19
zsRb%5lNVy{miYTw5+ua$C7Ei>hYGVhC*(sh%avzc-2mAjb+O7_Hln`;b93eQeJ=;+
z6X)l)&o}pb2Oq#h13lg7p)@2>nh0S7oh4*q!=SffJbqe*!{Hp3Lpknn1~_w3XG!`q
zX?zJ7`9r{&sZ!oy2=gwSrf7LbX`GO!@ryY7UB~OM=xDzdk11U4qhf*e=|}G9yUlMD
z+Z=SdlrM^qH_c%QYzXu23Fu54hb}1jtujS(&%3FHCSuD;O~%MC8@)K7j?-?Dh}~hv
zjN@UxnV^ERqqDbv|K{!NTnHlXS2x#JB5PBr%JNkeH9PAvLe03EEhYJ)lIVI*!8Pd%
zu5CD0Y`Lvj)+#C)Uj&b=fJwmC7M18GukP#w@2d5kkjp0<2he&u2-mv|`?JexHQhJg
zp+&!vDGy*6s(JSj7^glk+>~6wWG<zNh2eLm@-N!cu-}qc5&9p-pyN?WQ5~m@1$PNm
z*;<UV*^YNC1W`f+%2IWncJ4R5(-YaBjTQvDdJik&H0dTiFdu~Ow1j<2@}k?3wWx=x
zVs}JAn{t>7Y>8)qXvvUurJ_}C0EL|^Z&R&9qhoy$L0sDodOba`m5h)Me+UcokgehW
zo0yS3#?X<jn_p~YOWHz}W-rnb<*~Zxh)Wc$j|2UHY`8!u`2e=A)9Z~o?hCu$WuJU|
z@!Ad1={1#QbIi;gd|q#l+S1h=b4Kj3o~IASgk&_Iw~`c}wZ&;Htz^P2h&8WW{idF$
zm=B2h#mo~k`pvqnSOBunOIBeDBOv+3t!9&0o?n7he!<82B{%u(_aL!@*B2$A@tU0o
zWP|(xt2F(Aw^@p%Oeb?Eo7Ozx3^u@Q!Yc<;C6Vb#=qLr)hFg{nx%S}KBbkW(13IlH
zbvu2XGT0P6`;s)WGD%1$%=}YMFYLNDEX>Tz6XRajgF=zBuGzrisNZtX(0~b7*@wPt
z_r1<vV1}GIE)ZYz)nOVHi^(VHlrvKw1$jE;C(mK=O<v7F%)>f%DhWw{%bk_$*bW)n
z04q9+Aw46aucH;OwDlU>gs7j-w=8)$x`Q>H-hkV=Il6GT?_2FYa@%~w(cN0I`MC&@
zL&@}G$1`8Mhm{cl)fCwB%>JV`Nt3j<3Bv!}DRzfm9M5rd1QcBmf41aS9uj6;z5!^q
z?8@pQ>Ss*E`EX43WIDH0qp7rVBEG?5DnhN!lEVQSV$nU%TJp9__BMcTd4AA?#<|0c
zCIxgi>qKKo*rZwuUS$D-tR@(pa*@I<klZ(EC*ssvu*O8o^wbHo!~_+1asxVR&*(V*
zw`g{}XIm$7%q33P59ouLQ1@e_TK@(_2W2(NX>9afLpo4Yv%9xBkFLMtlk8)fEaITo
z_m+32X)D#}O<zI<l7~AAj(|1e9GV;9EneM<48*^iqix+M5izJ}&-|>T*G&$DgK|y$
zyw9s7_<yqCC)$_F{WEcHZ$oD)VP{%1<;mZzhe0C8cJ%i>cI<``%y2eq_8;(KELv2(
z=PnJ+S4B}qf!^e^{9a~#59L{>O9LO+#xA*j2-gdnDF^cpq%dTp_T<p*w#!@R5#i}?
z|D61h=^KBWzxcuy)gGPmX$GCTRCd6k8Oz)66j!kK-dcJ(Y|SNmA?EdwYh41Tp6;`(
zV~)-*D_J2jL%r#6=j}5INRqCe`tXr20xrs-&(sjrs9O$YQK{O_A<ow)p-08@f*#n=
z4smbiR$@o*5AHLTSnaB+FYUKLZErhLq&Yb(QUy_DdXPOPkYL=%D@C=?!7%?w_bQd%
zN1Dg~n8$O7XjL~sor|+ij3Aa&#!@P0`kYeQ{jJcMhnz;QkxiIz+-_XSAx$}v&HlL4
zXME?pxB7L4#_j63!PvVkfsgnF(k22bZuRhD4sM@aHCF31Sz;^<Hrss~H*5;X@;ZbB
zwTdXJZt@EmbrxK-1`DDdO6eJ;RSRmWPMZ9(e5@Pi(!!+l^hP#}lR9X39oGPaA#BN|
z2%1Ye&0FU;Lyd|zt}04Jn9%`j)?);9OMu=|D;_7nJlr+1v1oJ9Y?^%EAP-9SAD6xg
zBo&Nb=Kzshrcjt^3A2unvDu_f8=b*@hktpDq_z2woW#vLufuydK6VV<mXYDyb4g4Z
z=jm;Br6^X*xyhXEM&iOGb`Rsf5IB=b8<^X+Q?f$@1$=TkkE~3;{)`4&-m>=II6ava
zQ&|66G~qrBIIJ|h1*%^jX^RrvkaLcBRdcq|5<=q8+gJWc1zK)n7&=v&1Pov6v$$0a
zpb&a_Hf&o4mHnd49sfheYqa6oBa{EQEsz!bdh3&0LM!dyD5l&U-D`7{0%hdxI}j^n
zKWapzqgsE<M_Lk3g7(3dYJ*hkw%lU31kT<&BV+isz3l#!Z$|z#UwSmbJLa}|e-uC-
zmf9dGIR)>UzGoKk#kAY9_PC<CrqlLVL=0-dkr78yG>K(Vm`XQiN4l&ueH(p<C+Zg)
zvPNkf=CecBp9wufa6}{g?FPJ2-gGx7Z+KaWu9JEbY?t+Y)INPHVhc2^k~N^XcF6xO
zQjDi%i5(yeDNW*tWo^#qDMFyliz^wM;GU_78~Zq9Z_x4dHdYP)?{j;_i?ri6Cw}zk
z1{bSSqr{=!P4??%y&FwMc?b`g?pUj!4Ia{EUz%ITEwafdo5T(xbrx%$VKS-nT`4Ws
zGZB=9XIl8=><=F}2IpBuPtL@e3OIGJKMEyH<j;REQzR7ee9~!FEc&04tr7sTUsx>d
z!-G-RmVeiU2?6bXCqsbG+g-w@FLtFG5n;`x^N5k+ovabaoxe!+UrT4}mThx6@tMhw
z)0^mW9iDW)rC+3l=Mj31E2GCj7d|shMQgZWO|ywM{AuI4+yjKYTuF)qFMCGve<4Nj
zDr}>;^UYVj892@N<EfI>F4b?Y$o(Lr7Dj;Brnq~VM**)S>)WnvPM5II8RMyIXZ{d|
zM_xpwLTkv2<Ka@6TQrqW5}RbQrHyzWLV)@WSN3(sb{Qs_*k{bi9mid5v4LxgXYNQ`
zLfZxCMN^vdBaaC^?=B$)g%^QW`X6TG<Q7BjK<V_o3t1-Ld;E>mutz{LxA-paM%}lP
z+wTItknPcxgeq87tC2<Xbps|~J`m&E-JS?yS?_DVx!)v7{)hU1)cpx9qv2cg5pYHN
z-g=Q)8pTLZTfS<mQtA4<;px^jLJAMDe_v#CJBnRt0WXgkAR`q<V;U3?BsY*&MfM6d
zvU16};|0@nM1Ou6)cS*%tu|rH<x}0B?CA9+yY!16A~`z0*cLth?i_qe!Wa5bbA-IK
z@)EKZF5usNk0P)u-0pEGHFAdQ`t%#O;xwnAliTIU?NKj8BS&xH58aP;FIj_SZ;gfF
zK*cBS2=M!h^(WH2#4(l~i=jF_f&NHA+@!0&5MnSwK!SJ2Br<lVqo&iZQ!5!$@XG>K
zBnIv79&Vq)039%skN_79<sx3#v7tbA0tR`&$u=0ik>!Y!sS<{HvcFgWqyN4>9s}6M
zOqtXNU8XzSUhi>SaP4+F)cSA9$ki#a%*$J`1^6EbYn;4_J`q$MX>>tI!SSpbYh6Aa
z2DoMzp(`fqtyN5;Z1N6Dy@7QrhhLZ*kmGN2*`r62$=)%C|Ff4UXcg;~WeYt(VJML<
zf{@{Nrozx38&WC83NGk<jc|o?2JoGeSPv&FGk<A4sc8h%lqiA`JJ`^7|I)J`j3C9J
zP%uI_EUM#XdvVNI^8&w@s&#KG=VHG`F@%dNufxLsdRl}XivqUGC%%xMFkfM5m_a<R
zLGB$#(R&&+&!gx!VNQ-z{8$y=-F?~J%w(O?Gaz!Jsj6YBHT#{?<oE|R#_(oJGE2?*
zu}KU<CQi%~FrZSUO03Yf@y~*OpYdkRlBwF9qIp`^&CdaEGXI=We;FlZo#QIwUGHuy
z?XW}6;(G+&?FsdF0oI*J)GabZgwCHNyOEpgqb*If_nX*+GiTyD3`>5SQxtknG{@4C
zrG;gdPcHobL%RtLuNIDJu*{-zn<|t9ZwuQ5I10DG-vu&7?U;~QyqIMoUVExHx=C<Z
zDaK0DMsAz%^N#k?mDps+u?dSGs?l=1cKXrmSsq2b_;BDfucD579@O8#z4KYHZh5Sa
zLHa(D>3CWpfj}kt#V6i#%Oh?n9HJi18G&ude9!K&KRb;V0M|ag(YH3FX!$<WWUX*;
zMq4o?g-2qghG5kI{$Y~#X91}!OP+T-o#V}cX<w;+BMkYiOrd$kP`zW+EWWJHiE0}<
ziQ#^)Pf-qE6`ya<(A|QwWbB%lKmsw?jTPy^Id=@DDWxidu2!%2gNHd*oXGu!<B@$P
zWN&!%U_JZv7@B71A{rv3vm#N%!FnTO#fj32L0+ZoA+cktrR!%gc?Rynou`X(q9oWD
z<*eLFU`>|IihmZmz?AMA`0VE1nWsz8)i;Qrs{7L=PUhty<#-Llgk?Mgxc#}|sVWrX
zR7}<#)w!U4KFK_|yOSM}^cCPY)x%<!TCMY+MP>4*2_}oKRb>y?792u+j!n)A*r!!?
zR+hygnF}8AjrSIrwx@e-%dMe=pbm8nTt^&h70`z4z^!MeX1Qz9$jmPrH(M=Rl_%*k
zOF0G@<)Rvu(iryDy+z@yN}iBWr?|wxorG(1FetB~C<3B7BX~~IR?CdG9&-91Y7h<s
z+}=~^7u^0*rg|S4=cNBr5Aod^E4cl;Z4e&90D(adJ+vB|i^2lC2I&NloWO`c>yH^I
zWRy%6Sz1<Gvexf@A1<wRH*R^`UdCP3QWtpSy(17j1@Zn<`Qp>~vLl5GRL4|HS?z$$
z@I8K7opWKq(+tq?&8b3W4>IQ|=M5}9J`=XHv34ZQ$jt>_O$56^8h>>FTgtK8r^?G+
zoJL$7@)pQF>o*MdSWaBKC}>?BjIQ0Z`AGh+P)Ce|l@;pVXMELL)j^o`3FdtZOb(|u
z@jZDxGu)NllkAnh3gt)MSRsRoqPmtA{?O#Rrg1dqqNedX+X8Lt+fzZg+g7Xo%O*W-
zWEfFi8xw8N059q4rtORG3df%%4UMt#(}g<!F_UI3)<1tVevT9jv@=9Zx?E{34fYsP
z4sF_iHbqTKeYh;~U#{`H$}=ceT)UeOc=(Pd7ZHUD+>&kC2NbKj5`klS#k%V^=l%{k
zpC;W|u4`M5w<|F#MOn}#>n|^nmBOKf4KGFHUEc>+GPvVF;d8hw_Y>fkmUp+O^M)Mh
z#{Sf9{t}bmvMV&wrAB$+jFiteP8F7l^1DYGI?H9*<7Un;QdXeVyQ%CP7FI>Qt!}lP
zToV;M>t>c{Z#}a0Zb8b|9NGuB{-7f+4erOn<K5?^WC?~XPMo}d5-~~d>uE?wB11X9
z$IGF-9)r~x9FA2+n%Q|OPq!Cnr@kyqlh%u1l$k}-grb!@;IGA!d@5no<{>f;k+n|S
za93^XJeDB<O-lHY(O*crCF>(C(OkJ7EJXu0>^T!$#Z%SU-jzI5<1XUbsGf&#2|puS
zHR`q+ZrZ@Dz0X?!nJx8lk8hdo`r1hy!DzN+w58N)9r6Jit6H`R_N_Z4u2%pT93uK!
z^-AH$-aVpLot!Y}QlcM`!FZ`Fd{RrZ+9q=M4sa(g*>gilCb$Iq#}7eqdae}3^pWR_
zBCt_L`*;l>JXjjG9U0TFk30+$eRg&Baj5%TrPj-E*oc5Orm>X@%Yv-Q;}*bgTy(Q`
z*P;2@-P(xf)~H`>OG{duw9(((-8G?u4_Qg^vICO}Se7+Ncj<Pq#f`+fa8Ab>+Ww*I
z|ABUIUsQ$D`J10|FJEAL`QI|bJ{cI;(W!%<(^A1wC2z1^#2s5GeJnTIXs{mI^au-}
z2$PB{XRALh6ymkRz5Py3;`6+7`*mE!{_9TI=|JH9%_u0BaSY%<YaM?^Ak_VD-3j-V
zvgHN_-rj|skIkq2{e9MPBagH*`1r>#E)!tRuhlK#X(tj`4{{G&f_0dz`b<-)QI8oe
zZHJs`fzQEij<q5b^E?D=s)tL^$qwJSbXZ;cwjMR@+V<w|?1N?PVsg@oJxZ_ooCNmQ
zIOPUTvZ;oM0R<IjZlq(cAhJI4D~A%T<@e{U)YpwrgYhlj+vuG3=eC)$HIBdE)YZ|(
z-Ks95G=_7Nd;7>F>ME&GajAxFsYE7|IJC!XVDSMF*ki<aRT3Gix9NyFIp(jV)S4+1
zVvS(k=sc3}RRT3bL4N!on*YVrH-%RgZOz8EZFFqg>9CV@Y?~e1wylnB?AYqqcCuqz
zH~-Z+5Bq6--+ozR%{gjRjVe=oiTt0u(amlpjupZALsIBCD(HLF-@1G|4;Ne?KL>X?
zw-U>avqR73&RmAmp}yT&x>`!ZweR4!&t&0`n}Jp{sXte5cO#0aad||YpLM>>H;PjR
z)S8%CcYiw4Q`tJwiJvXc_su+B{>e89a<jK!U6i-a)Oh|?oiACi(pody3o*_nq<H)3
zh=vnz&sdSqEL9oA7#gr^2%>9-MSC005Gn{_(dCvK2K{^!)#YY8Z}O+;pVc2_JeceN
zWMn9lMlE=cezWU}eher{`xBKhMzy*@!vo?_nppqYMVwa*-dWE3KdKmDLHHVu38Q%p
z$}WTVXu4)&yQ9})-#wDgOh>*OF_mw>`%Uafi6h-1V+mRRI`nTv>!Yw5Yd*agOAdjm
z@4)$}i)I~N)Q00P`1E&aiL$gv6Ims!hG3O={Z{feV(Y5<VLa<9;;Ox%W!-YF3y*m{
z9_-AP)hf;`yG_?D>7D{ZOJKr^OwTsFab-iT`K{G1Qf#CZVAV$O>;7(}^w{so?Q3B7
z{Q32imA$X`r{bV3Th1;pp9PyqvGWysAwTYm6YtuH*eC2fEEPC4tB;5eE=k7zw?UE`
zAM5g4%^WF)(b1{5rJCqg@bS6*q@VdH{*h3-wD~lK&nX_ytzo<4iv&MDIuISOj0K~k
zX{x$c5JB(BdYwdHVddM@=I;Ccz1_5E<??v{GW5`Jwz+QKCCTRkG$gO^uQSJIHnW*k
ze>~s#OFH16<vFhO7cZgRrUJ>_dyv#X19t=g0Y1*1(>(a+gzIjI?mD#nGtdB;2?3fs
zq=;=S;BnxmW{Rrrf(kbN?m)>?Q)}<zrL!fl>vv0CScwjUy6$|*%z#JnS;r(Vpk!TR
zxns=P)BUT@)bkR6$QKGIZ_YYw(5(UQ+}u1kC<4@SIa>{)Pcf>OPREWz&#&$t`EKe8
zJWNmFt1R4!-JODe9YWupTe1k9nm5e)>YW57C6(BpczU&1hJ_#*+x?g#54O3EXAQvQ
z7_NwHgF8zMx1>B+vI;KQy|Td>?|x2Hs5s+gUtP_{5XEvn6Odi6r|b)8MxC9}$Pp1|
zU?WBP0)tRYC`Y}q4LojYpMf9zz4JQWEw4KPuM{BhkV%ZDi_y#kJgMJNq5StPuc@Tk
zz|KfB1xjgj!)7SKSh|~ql;v_7Ajji*=;bTrTv3#&SW+NaRIS0nB+azA<y<q+1*Tel
zdxCOkASt7`E9h!l^hC;Fq%_^n`~+Z?>&EQ({-08-_ia1+xS=zD(sTJb{5pqSa|_6s
z*q<Q@RWS^01$JrSM64ufIvR8WYY9N&-rrYGmZue9Q$MD^=D*yTv+Tb!27G9(!Mu9z
z;&Y8SWK-$HUH%RwymdcwnX#^izM|N?bUpXhOy&*B^1kzpyx<Fei5{emR_x>d@f|Y;
zv*f$X{Nr=Ud9tWC@g)K5+4R`Rot;7HN;oL3HuPPqhS~UW3oU_`r?(d9V+RJ!Ie*|l
z7H!j@2eX~Z+?X~hE!w)YpsG1-CiRr6u0Bm91n~Yma3l6!@OpZsdqO&`xbn(ZwSmW(
zZj_U%C!s+m{{ulsmW+ZVyrP82hEg>ckn#5@VlFw_4GD^M%yEVZg*HH{g*S5bk28+A
zKNh}VmWHJ;6L!tz8j3YdNK4)3litKyGG(I9iPSao1+0j*w&JOk2c`PAW<0L^A8em*
zqh&OWrM?VLA)Kk{+4$Vy)!M^J26<6OdTS0_HJ!qx%S1Doi3jtA`ov?EPIf2lRSIj>
z<f03|c85ChKWpUshxyOjxorKjAv|L=wbc2D<;-igDyBE2;Gq%QT+kv$|6U?pH>C1I
zN3g)Qtyv$@4f+5})W))iAJ{%<ynss|sRLRgEUm_%A4FAy^oG*)rpNNmXZ7GCj-VTx
zBU0#~5LCxGFS*D8(uBPNYRleCx^W(AgGc?btT&*TqRUC;>QKhra1CBmsHyuS4Kzsj
z+FIaViU+?f$3V5R{}ecNG8DL{?m>^WJihE>tURVHV^Dy8fTZPew%{Lfm3LuX$PDEI
z&H4`*Hx;uY@q~$83ssF&{;t@HZ^vf7{qJ+Fe)x5_BG)BOQ14^l3u{gFl#8rMnVd+~
zs!bE&gca^$qoRh0fUxJ|`m@LL@Oo=Dunv|qa4YP4kxNS7=coUEsePv_bG6uV-7kv2
zs?|l^kbARB$3lF?FPue>P}7%|m-dy{Lpi<l-#c+oY&q4^pQhdhwc0&Bec0=#mJ=vY
zJ&)D;AD0$kZ50Hxl`Rq4Vj$Qg7mRIcmxCO99G~#Fg;{qdTjXH{fnC@QdSPLnVVI#+
z2L|O_008*)v|ehqSQgg+p{uqW)q^u{##B^=&HCf(X<|I3A)hwRAn8MI$c{0oMbWz?
zrT`WkiVOUNDA>NPNz^a~^sZa?H<?sKfDOW)UX2{aPya8zaD5Vso<_FgW(x?r{G{ap
z)<cFFr+&Gt$aPF7^%f(u*cdTXWVW}Uwc1YfhiC#*b=h_Hq1#%R-6q1EZYXF-L}@8)
zI*&_TT|#xbWd7|5spH{xb|lYLFd15^2|Ku7!OEHrC2n<r%T|NKjB~aT@8$QP8DCg(
z!-+UninXXlD;4Anx)_SC<0S}`zM<hykQ{}iq&XBw!<mnk7W#2k_%re^`e`PUbuS{0
zK4mD~)U9TSiwpsCvItNZENaWt%YAax{KI3N(Bx{J*+p|6^p^6VFlZ#7Mr%~5!}SFY
zh*-#7uj6a`mQs^`Y7G<cXgeTJ*;x_0BdQVx<4NHUASu}qguGB`B295ijY6cVFqox|
zczu3W|8Gtqd!7<(WPv!<B7(<g#Q-<j`*Q8DNm|<)W3f?RhL8b66k`@n(g53%vkc~9
z3WvBNL)4QUF1lSw2cd7A@IPQd$fg<pL;o{Q)6)FT3Q(t7je1LNY}ZhFjsfct&;sDk
z#YDz>eco|k&3ZxMBEm6q`OcMkG*MF(@_VyoP$4F;cDX^8t%YXK4uKvR1QP9Rn-O=x
z02gz}yVf1CR|S#`ePmj@EFSez65C?V^&ws@Wf>2UHrSYP=WN1=%RxgM3G~N&(qwrM
zHj#jCbqA|aH=89O;Z4Vt?J;L~_a9C$OKY>yecXp;MkJLFhxr#rn&U-_kIIgD`~%jK
zFLRQnD;;xaqj{63I|GM@LygDgk=^Qw23vEkV-IuCz1DWe^MrQ}lZFmlD@2GI9C7??
zQ_$xoY|8hcj^jZGpGTaO*aw^pbbN_UuH{OBAcbt@%mB~1`yS5*Pv1oinn1FJunf)q
zlse;u$liCSX1!`I+vP|3%9OHk<say;@qiZkC_v`@+2reaQ&q*w&CRS4XXEP_wO^b2
z{ckmu4({}SNGUX#-OYn$<6!8;bC1hsI{>E=dEI*vK(p)_6fAfc@}Nm>P3_<dIqv#z
zbyPz|sI=re)5c06r*4ETItGOZiy#Kt{wpyVylv`kVW9jmt_h5q=bjqj^v-xTkFYwp
zhhkO5h{_Jw2<px@+NGRjeh^U_s$tV$2S2k9kSjgyq1u7ahqN%LJ2Y#bd40?f@||XY
z7rYdq4FqnV$8<S8keFn%&orEnCuS@xKY21h$H<{fF_huu&kR9Uz$<|l)*k{~M^O~v
zyv*U&vo_5kM7+n~Wz08zSYs4ivq+P8suCMY=W^~3`j=QeCIE+0DC$Ps|A5f%;zHJx
z8T4A#?>5a`CfefT%}{p%9pY#(Y|IRq*GszBBYE;|M7U_U3$FcrHDB^zyN)ffyY~3H
z_wHW*ygKa*xP<Y(KmktGpyj9}pqHQ!crBBf*Y$UvrT)QQx@x^{y|_JhOS;uDQsX)Q
zKxLxc9r6`jB-sF^nmQu3G_PP|KY=dwp?o@9Vim&(D)={*ofq)@SnI?*wwh_S#d^A$
zgt^IEhj8Ec^cBPKH3{Q{CnxMy&>hqr-u!AqOPpk;Pgs<I7F@LcTfS6$iLoYidYVZK
zyTYg<M6$^GiV)(q3h8)>)o{A^3}nYR;ksp7u!ug*yiX`>p`VrA%uDQ=Cxep6-RPe4
zMY=A;tR)$h7nRJF)rHoQ{6aI&*KLhoU|S=65S(<Pq7GJ5H}OtG*Ca_=0;oCa+NHd<
zH1A=7H``*W>v8;jbgeY-`o3Mf7_n4WE}k^j3c07bY7=bJoqDijpqa;X*=G)8v?Q01
z$&e2n?a{kdI<Y7o{zI?7@d3V?lpI})XW-Q2J}*-C%{T$dO3`^Kc+EYh3Zh4xD`~>1
ze{&uYd2Q5Wqg<NL(A~kM5U6Q|e?8Xh^Od>}2f<($g0&geyhNBPj-`7&)|oX|m4{s*
z=spHFW0ZLTVy;pP?EhY&OPYaq)ROTD|52t_)cnJZ!FVA&!44sYXT>my=Uoi1B8>Gr
zv%56Ly=Cs7Z;sJZ=Uy%{c(=zK_EfINsk$xpj)8XsxpSd?v9*|2%2HaPuCa{NQ3_#7
zmHf9q<|?*|(gIi`U$%`bL5XIF86~qPsnmZCFOxAVC$!qns*m?;2ea=xw+3ENS`_G@
zc;ghtl0dg$!^kw1o2M(#rIE|DJkfFtqVn(4_IpO|Qrq+JI6KzG(Z}Sm|K4`ydga#L
zn)r%8J7N1WInnpQkS`RxTY~R1JyX<kcf3xE7|>x9HoUN8>W8mY3{^ZP%O%jsu$g`v
zj?XuhrM{&+cU6slF6<5HBC9`cYyWf9;{$0Rm(+2X{w&{~AQT*Q3u7D$0?89J2ga7?
zU))l0JTfARU79u#b?7PI%Z9QMS|Ae^UjmGG$K%BY+VK*j?0tt@8b6kWB_R>G7@d2k
zIq~V6)eFf+t^5v)6~Fsscb(lD8QO~M?-lB@Lb$OX<h>TUt>4yorY2%Z)RdA`L1uCV
zC|RwFVW?Q`BzHI`H}oWfJDZ>romq4)gui$#>C!{H<@da+_NwhtN;6%zfmv-WRa`Vt
zCf=sDxP+0+bkdsAS$94=lhKr2&y(|6Zow`U$E129vQm*Ig1(NSUeP3+p^P+acEXlj
z+c&9CSEQb5mv6k0m*OhSTqyYw=;o}=d^?_0dLB&P;KJ`St;M#o<`09qC5fWe{V<xw
zvE;;y+nMgJoI=8?^>MChoZtV{)Pn)QAn?8tbGR6<O~pwKNwSQs+LLCT%yie?iDgTX
z<u;v+Z1}fPuK<FprfEpfkMkOB|Jq$e70|_Y*MPb3uI;5V5c3W)&hkswbz*^j2v##P
zG)qCfmj^SbWZx#$@DJr0qGR_3IBf_^`40(>v_rYIh+mYcG$a<0V;pvW7<2}bc#K6a
z{@)C(x7tgk<T8fotIuWg5YW?Yr*_t2DUirWE?29Wkrco*fWnlj+h+HANY(oQUirF|
z%+Z&4b|{&?SNrv9@7bCfL?z)USGqA@YJ%yzLH0)fl)}?uu88=xne+CMcgfG*GmTri
zj^>RuH+a!HuRu=WYUNpPy}fO>we1ic04VFae9PHS>tOt<7TfOs>Ov1(k+|I84Owe>
zc3Y-2ofxBE*bX^5`dyXv-FT7zbn4LR7xl5O_{o!{4b)J0E%JTX8oBbmUtROkRTafw
zS?3<<^4fE`E-mPYV`j5E92SX5h+ZTeEU^rSc3@3K@E$~P#e{hCiR-17_J+xLO%BpP
zHP-?jBwIj43p_M(e%{{PR+eHHOE21p9@H<GX??fy*tYAF$g!{<`g+xB@^ledzcFz}
zPcvtpO$49LhF^RiuXo4rYp0QrU<vXBy*k_Z;dSZY`hg=!LFBda%Wuk>Ywq(k>l3o+
z05unmjQL%TWx8PNNvZ;28EY*&GL}fK%zfMs4xQSMhhjIvz|?Uv%0q%-(}0N8$1UM?
z2uS?tb|*MY*<;NFGwudBD9PXyTP3m)I!S9=%W=?5Dffg>0(_`l`CbrupfK?(=R>tW
zXC#O-{@bJhrqC}VEF;VNuan5XiuNSLd*ZA)B!kMUS}A(|IJ>=}FGy~XSM-%jZ-w+g
z^jw2jn#L)!GxNwvsc<U|LFh1f$e8YhsfQQX=<^QRlj~Q>SG7l59sLqJn!oE0=O@0D
z+7V7A743{>u<dF#cd(O*@SB--MF@nh1^;z!IfvB9UVS>f3>}vqFQ=(zJpk-^w_lQv
zUzuN|G~_(p3uG~k4kb{NAMW9`G4HiEQd3$~QNH_18$j!p=l*V&#4=w(Xzs_-m-a>c
zF^N(;p$_HMfuav~+qNN4mr+$_d*0xfb1AHd_XvV&tEv+-q<N9HD5qnx8tJW9p(XaQ
z!<p^|%_L9hjWCg9PT{Br@}xEE{x%f${1a;Rpa0daWbhCqL|0*};OH~D;hDusVlI!r
z<gcowk}BR~v#^oc?uX&D>FLj&r|)!t{o`pSrnCv`<p=-k!BbDgtE_Yxsrf2S`R!XE
zL@;mP-?N+yjcvE!J2}uGiT*=}z2ieL!7*kC0$3~t(s^21gd!{&c9v>UY?C~Nq}Pk#
zT(0ur^O8<I-3gSEhu}+N&EHMUhn|0$b!JJObLhsc8Z_K-*N)bn5D9-NDH3(wtld=B
zK9cF`<hq_=%DHh`=T8qAy4>~x0oFSBuX8K=tAUrdi-!{1?VgVO8A8%qwaeI}%c^S5
z7vc})UD8=<bLe&xCLxyE$REn)R4RNKR{cOx^g~J+a{q;ZBLV2SIqW);V)WoG$+oSK
zE!3*o%1l9`x;~Le>{@sC?Kw=y1<7cLH?2A7pfcgOIMPsySyb$9#hNgB=>1L+q(&Tq
z0FVy6Dx_X!y*2SVBCMoP2hRgd>%Or*jYgJ10E!edg6xd3oh;bXy#-FpF9u+9bm-Lf
zUrI#?S|-t(#;SA|Nu(;}fKuz7BwC8vtuhF|YO3bS6&-Zt<pL#|G8;w-6Y$Y)$#p$N
z;7zYsCih(W)@1~sDp;Rf5<9cN2;%AgPy#UzVnJTE(?Tyh=fq#W?dP01SGx*G^7baq
zLO9%J7d{O?Qv;zvaV;Al+AFA%GOD9u&T29r`l?>n_1`<M5(>v=C9V8qT=7TPoU;#O
z#@?f@KMotR`SN+dUpG6t&F_4BqJ&oD>~`;5)i^IGZ4bLW5?dW!E^++5pMvkW^d1M!
zOfJi#vL0Wz_If!Ht=+ocYE!*%b({<cy)TT2x+O-qkeq{|{hyk|e!?g1m`o{KW*~@I
zGk9IOuw)PkzQ3Q%`@L?4DdG{Ic~CD50eHIX7&$*G6!FtM3tiV}b^GnRb)}9C3I^*<
zkb=?$sT1J}y;<8)w4@y!8vHYUnaD2l>~@BXuA||FjFD5rYFsHhSRb$B;4!6DUy81w
zXvH;v7u>5_9w+_OO^>>}n~$1E)d1<++@kB1Q8Wn=?%r|MRas726%ojDwf*yWuDN#{
z<Ij<rMQdFO@5#J7wU0mRk}|vKT~UR^%B$fv+(2()%Nriw3Dh-(C5mb}>D2`4z<D+>
z=)$z>Kw{f+6m;Qg_x}D7$0`;_MAA+}>%PLaTR;~KvxzgF=>L&igT|!mJj?gW&a>@?
z$eO#lkUSqsUK__9%~8sK?qAZqE`f`Dcf_AH6<1II9;A*!#6uaLDts24ZUih{Nmdq>
z9-7}wz<l7pKwOtEByUlcAdQ)dmFk?!UyXov>ktnkGR8zX5c!QP!mmax-g0weV|WU?
zgg$_lrFxoHD1odOj?_wk_y)G$IE3;23toxYNw~BroPKd&=rM)eSNM)wyuj=G|726I
zscdUE;5)7fHKNJq94t)f^4d;vi$0F>x@4vcAEamzP%$3#cfjjOk!l`5J=3D8Mf3G&
zF7)>*>SK0>Gz`6BpS{c(N?6Fb+kXF<Z%40FF7hwy<x85Wu`O~)@rd?Y7NO*}a$MWu
z;nkJG)=WyZM^|U{?Y5JDdMRj2jfisR`*e$Crd><k*MRLdgXQQ+4H?OBc*h<{1{_mF
zM$jRy*+IopAAZ3dMWbTkwdt=GZot>Dd0fqB-q-CGw)w;_`9+gdxy^DXhKIR%;`-D5
z7blO+rtsgC_p4Q+>tuTvR$lHo;!st==Y9D3^r)yxQa@iTfT#sR&Mbsjpcd0uz%6lE
zev<GVsxFy69Sp~m?6x&v)Y;jV59VIVvU{bnYIy`P7Fo7_cAoBBy@l>SO51|<qLykI
zvP7x5WTjK#U(2WcnP$!B>m@bTVA~3G=IpV`xElRl%M7(|X6OZ>%Xb4qdlr{(@_#%)
zZGY+xm^8XTHBnalypWNtN=4E`fhFlwjH}1?Z7;Oe!k`2_`&DKLgV~Y}p#%R|C3TG*
zm%HcD;y+6jJmYNJi^E7}*>%N@-fNkv^|NTXrQROR5!)Gf2f|iq$lV|lC@OZJs?kX%
z-<K+O{{aRIZsD0F*PcLb!+qi3#ig2hhA_V<>3)EQa}bhpp8b2LU4$U@8V4Fmwlqq0
zwV@$}TpYRQU130Vd!TfF1tyPR1g}8vMQyJ7imR|4Wz)q8Kf#lK7h#WFjUQ%pTDf_q
zWkD`0saS>iU!m7(t%_I9T8clS1*M4u@+6MY{{@j6Lf#qbU#d4t`eRaghL;J@lsvxS
zH=W~U7)x8qkXZK(O<02dmU?L;cdKKw2{cwTavhdaxjBBHtH)nQJuj`yPf-e8bqf9m
z#oDxYLZ~_0j-4;q1@CS4hU9j##&a`@elMB5sh~p_!B_CmEsd=&^HXl-+N@PnCcDim
zcu)~JcGQRzAcDs@mLxOP=Zv7j1KFFYcR_D)(~Q0^XWRTdeAMFVXqRwZwATH9mE9qo
zj;C09R&}e?6sM;2a+Z-xhX(P^j20j6UTl;xRev%m_^g-n>r@)thT8#Jh<=aa2ul`1
z67ke@QEa6D<`j-OAI>wP36hZj#{JEc{8@X;_<iZJ<L%d68Qp%HEsYF?6wX0rvvB?D
z#*uxySlt@I<H(r=;$$w$4FATH1?jX{x&SmouynNv3JjbEMkSrRUjy|t_db+DmGKIx
zbeBc2#CoyGb8F7lMHSDB;0B}AVvDZ<8uU#yS?1I0hcZiPl2nRmauyJv^FtvPgu=Q5
zXrumJAli*jrpvqJ!MNJl+NYUS3)4|_;Z-rYQ;3|8ViQ6QMKZ9)&r|&fQqtmv0os9V
z6v$xMchHH|$6?>>;#FBwN_!u7o?ux-f{!!lL^m)!v#i3FLVOKyD;7Ttz%?@Y$-Qj6
zM|Mj(&L4NS6M#{GQHY;pBqfySLk^%M;L-FhCYfft{z*%#sSuJwp>4$E9Bbn;eKI+i
z7Ea{Mudw5uG3M~ufb*X->AF}!ulDoy3UGIP-_hof<2H&QQ%8Y39Ns@Vhh{eiQ)^-)
za$RxKnW|TkFPhAVx|Xr_vO$2t>izoe;ZGs#1r{5sG@5HeiSOvALM$+F&)%jXL+Y1&
z*Oe5}p&Nzb7g%9VTwjWhlh=whgzN~$Lm*Rk8fbeoD?$u`@8y)w{+<Owo!>c2ga_}Q
zG|#~SNKZ`~m@xhNj*?K1%M(~OwbY5n$yC4tAF|Q>8NyhZ*yVi-oIsw+C6YhQ6YTW+
zdanC+Ez2Bg$WeQ=VBypIC!^~`OLy+LVFo$z0bnI?T^A1AV<xKzk?kr8f^A4%lRUh(
zd1!btMKdj@o_AUsv1-StNn*h=)m06N^PP9@BEK)sM_R3_Cq6bR;JR27*+moWpgC3n
zdqN4EzX_|;swSDxtTvs;P7*Vw9#nyCuUsP{ARr<j3PV{sQ=O;pN=kYG4Za$~E|xF2
zVq`SxNOe?R@md1b)G^00LCWp^t%sJH3R~jav_rWIv7sh|gLH&MZpq|^lmUXR);ZhY
z|EqAVD^4!I+8xXQqkb0s6@suXVnI$%Pmh~uY?UL--v|MizNQ$rHfMc1+XtQb7L#w7
zxvZ9Boz#0+1zi>_wh2PX@)shHrwe2IG@>pgC(-uALT7t$sw3oaa8EyxXnOF6wxQd&
zqZCWz-4uO8Xs|;c2SP(<fM%f^fl}1GS%MF&k;+0vHcSgtVcxTCZ}vZH$Q)yIMkKY8
z4k$q|x19f)TIpN5migXn1HSHi$lFV*qWb5U_Gh?eZDDNwl{}2?_U#!c$=jd>$7eP+
zR-)9LaM&*E>FG-tR$7Uz6wP4nrcWF;oV-=gdu<~_U2{!7WUbC`>YPU<)OYALNpt1r
zc?F+R_P#1AulwOE_k6S_&n?A#F2&jFI67(jt#58;T~0Dh+VQW$?qKhH!XNuiyx+Ef
z&`3!a=O}zB02%bj`z)K4tRWC+)QqV$lauyUkH0f{K0Yg@umPE(%A)JAu($T2kF2NX
zZ+{~(9u`k;E2+)T%u5xUyuDpLoV+{Jr?FgI*sGDvlZIXn=|-gN1-%a)v<8HsHaBu(
zD{QskvoK~KtFgEIk?{KM6r8uvr&>*CNQYZ4(A>)Y{F^O|XX|f=ox9gK89Se$aPx5#
zdCo;wLFD6dA$zoL`pY4Z_ux#6nve~XkDiaL!7Z)3{Ghw8TWjK)@!Qaeo#Bi|<RS(*
zbX2HWTU(pP$_=)wHP1oXR;kfGKYXOjPKUkhsZ|Ecf(v$unSgzjCD>F*i)bPMCxuqT
z9_-z<tbi%e<X>W8K>oaJP|(MN8!?^lakc6jKIL1vyoYPy+)%)EOq%L{$P(jk5G^<`
zrEJJS!t4>{*nyVpqbP<|GvGo+>c?4IGe&@&9r9qKn!)W687qTdd8*Z-oBuIsE}=Uc
zw*t=QfK?4?FI)uaW2M`#ra}}xHjV0w^}H)JhimxCiCR_4Bud>&z2hP_s(1ZNpNb)u
zk*peyi^U&5eGc(Ya7S0Xf;lSNArNneh#Gw!=5pklr~W2&&ZKA_))dDFpeKjeUMKBs
zSZHWbPhE}0EP^XePiAk%KAenltbN)VT2z*xMIA(|Giy$!Z0d96uo8x_Cmy~f0TngP
zj7H9AuUhSxtL7GdK}SzFuYy(G=oilGkY9FDAKE57Oo5*t4CfctPo9o^=CnTMcRn5P
z?e<DSWgbuh-2_H8pGA_NTfE?(brPihIcOc6myap5#}6{rh@eK6BnPn~%Z>Xr>OJq1
z#DbrD5san5$X)gUGz^;}E%S!+V!0s?=88R^r^tDnX>^9vWP=kEk4`Va*OyJSL>qkG
z4ow=rAMcG^e4Bmm9-!}D7K%)Ey>MSqYL~5TSNW6T8FL!{z*uqk2L@a-YTZ;(z^3Dl
zzR0tg##Omz>kxOkVQphH*y^r7s(!B>AamOGbejqA77>maSh1fp)Zx|DtyV2pHnT9p
z(>BGZro5`jEH|s$wq}o^^R9MZh1?5}K1`Z!RN<4{pq+k}ql(kOtac!FQMz`w^ELvi
zsMw5Us6C<6aLSaK)8YPjJ|=(`++?+#kV4S%(8=Ih8*VG&v|pXDU!y^T%e-O%_W6UO
zkORi3ibpZ;Sdc34TJRvVhs*qlNCe3}i2Mv&mF!xNBceBSq=2ff6*1wVg=gSW_#s0`
zxlt1HKCI=;o;wDA%c;>7-<D}zV{1A%C~Z?G1-w8nx;Uf<lxNWTvbJwAK&Qbeq#yjx
z-_*p7G(~zJlwm4yH`M!=0zchE6tj+mo;7il|0cvsZ1mEY*o%}6Rci9r*JyfR{FeZS
z8x!d=OaFcSb=i-YfZ&gbCUG{wNKjB^)ZK8q`EgbZA2~Y^wh4v#TuwQu%vh0m9-2}&
z!CASkTS^qMX)w5mz&tIJy*H78U2z+J=Ti8Qt61~m*V`vt@6)Q2tED&SQ)!x0=#^u3
zger8<K<lWF2@68YC5@Tu=A#hcG3Lc(3f)xRwY$PH3%kyXhkC+jgN-I|!O_WK!Q-QH
z+wVGTy1OAs0=Zd+<eN~G1hbQ*l$@yJj6B)9->XCxvYkq6$aYdLH*blDX?UDG^4#?O
zcz)?*jK!Lt&K3Lso+PR3`-Fge7A(#KepEQk^VXkWMXe5Eb-M%yz_Oi!IS9ebOXY4i
zNlGfx*Z(f0kJ6+g!gy7|T-(AtB>~h)hO2gH)<obdl-_x=hFJ0oXiq}zU8Mue#Gvgf
zU<q04V}l033&G6eh~<x>UOu4Dj;EcYTbj<gwR449<6jr*Htd&R?XsrSRE!WSa>L1}
zw%ZqGr-QF&TG?fntC9t-1zYS8g~p2-6Zje9VOGzCSWZU@CAMY36%N!%QH@C*qBX(u
ze295!R4e%J<WRbHerg$UOTztCnZDL7CxJ$%*zx^$gxAOTL?AL@GimS}v~L>EeOoHG
zdNYIHk=|Bqlv+V~luFg1Lo`<P2i5!-D5|}Sha+CRzHIykT9RzXIaqMogE+i<6M@R+
z4n7)rD;zJy@mne*0EQv1v{yQc@J61((^y7n;ivixq9x#$0k<<G^LKRCZ{9B9L1Aa>
z+2;NScSfGSyo#YS16+aspLSM~AriQ*{m^{<26SBl2>|&XG-=qyRD%Hh(m6LZ>h$YA
zIEkeOxC%ESD+AjU8^8mgoywh^4zUgc(41(1WIKT)ZPVE69|FEge20(7_*C~e$pyWg
zfukSk<EFo%2`%l#n}Hp0dy#e#<vr-jCDcWK<oXrg0uR3~hQrU0aNEA_v_(S!D;jQ3
zNy@s(dy9?4u{HWm$t?JW+c)FwZm)1qsD9G_;_B#(X8N)9M%?o@X0EqZM9;!Btx`SX
zfkKOjn#;MCN|P(-dw=3}<#wEQ?MuxZuB4s>?oiB#0g|n43s^jQb#A7S)fDn&|9X#7
zSBUlV^uAxCdy0)iis4kT4c|Lqtg8cr+oCXtR%g#96}pOgr4JY+&ezYs7%K5sog12J
z5yxWv0qdzeOQEr{jXXOx&stJcAi}`9k)zdGLt5*};tUa735;jo7qgj1GZO-+tDC-^
z_t%OSAP_pPyV^CT&i`I)hAp8lfx~*B1idlyp?TAg8I?d2(a;bh(}^NsN(iH%56ika
z2wQ@vP1)_$FPlTZNeVWEa-IY4WLo_Z_RA*Vh)du`=5B{av0%POKo{h1@EmS=<s5A_
zDyQsKAPc4V1AWQ3+9S|werVv_!*a(D`Fmd<2%ZaXOwU<^+r96hVlfYGvV<o`S_!hd
zv@<X6XSqzrJK)JudyKy30|ZjdJQT&*E0$US_b*^qD|;`cr86cPLDR$C#E&D8BD#l&
zcXv~QPe3E0;Q_so@jk_oym0uMPRSox;(D;ka^gNCN;-(W0!!rd^Ip-|#}a}6X|dvh
zFN=Neu)mE$na5XXdEGpGQ43&x*eYSEHgmVReF62#5sD^jtc~2d+PB!PaY8zl+Cxd8
z<kXwWE6eLmr}b!3n$uZL>f6YyNLttK1$uo(iuEq5whycGBC(wxw`Zi%+)%!V7bDC&
zeZ9KXoQlfY=+45F$)q@ba+2WE+WA!+kc1C&{qe4r6Mg^L2-=!TZ<mB<w?vhrd-?LC
z?L#JCK|N`|jOxngd6kdYcVRZAULvk<IG(SiPBtKqic}S+M<-kG?Y8R)U_Q-CKcHg{
z=RI&c2$F{l|Eus9Qh%E7qD?N7dYmFtcSYr2k8hDi5SO0UMM_fAJ_!=F_+8{$Dnt-^
zz}w8zsNX4UAURkcM~D+FXHvLlPO%0RSNXpMu#)3?1xtFu2z|X;;|gTtWJ(0Q(7%qO
zvK5gH7uSl0lY0+bjMQmbmY$ClL$fc9D$9Hv)uyCpXj9phHC$?GVbB*=hq~sloZ6z(
z_4*70o)J>Xz4W?KnMg)xNk~Lm?yA3W@Ifwz*Fd%3O3&pplQhEajQ~Bt74T8?E8#C%
z;U*3q5!e>&$Cb)dkVm~2E`^{oFa8V`v044f@bQdMOWYvz-_A7%ts#8?=nMKl9H>c5
z_bQx9u(quDR}+2Be^~R|^`j(U)2hau1yw-u=!{jE2qAaki{huuq?Cvw6eYt_GCA>J
z6pB4`AVyB18_MOCrd1w+zSmeKlrv@(dox95(FtdtdouoKRmVOmjK%5hnqqWOT76Pe
z`2mj;&oSj)r-<t%!Phq5{}VDOmwVN&_B^|NTz%?q^Vvp<@A#w0Ckw;3a13`o9BB)A
z?AsRnTRb|wlhXISUzIv5LA=){?kTM=A=VM%X@7cE^jm^l$!`4NS*wY(k9@-b#o8M3
za9cd{_4ap{@b(kQM2KKZ5E^Aqp_Pb}gK74{#@u`e#W7`eTHaV-9-&_T3Xiq%GCoFV
zX;8&3>+NkDAHlDslC0*+MS$V>N$~SN%1!WjpkWi{`%=De5L#tbF*CugUJ6N8SIqOf
zS>LY76{KRXKv+1eD-GzC5|i!HmMU=T?}0Rg4D`_j24|@WTx8839wm)nFTUk%@bSK$
z;MacKH;38tw>_QC-iYYJCoP`AI4WaGx<wE>-&dg=MQOP-00%bKqHv~&{1|K`G+M5*
zTsN=Lq!6-9Ww{sdz&bKfgg~n1mvC&?zVjdT2)8<fGNv+@7;0-v;d%U?9lrBRVIakK
z>u(smUWGqnQMa@dk<2)QyDb4{)~$eFFfZff2E)n4)n^nHGt?Rzy>@!&8i;b&Z4AV-
z&Sp$9CTs<!#QF4G?e+{Aqr0zYsly5V@wpm-5xFzn=HOm!3wQZqdQ(Q+Q&9>y9y`ZB
z4~J?%MDWE7A#vz2`wzKcHB2axiAu9Q{w3j{{;8VVo4Mv-wKzdR^bUY&bZa{aD0Q-o
zt2s-if%xm;TZUFjJ&NI8hXqCf%_IwuWhnU4yPk1S=-O#(AUg?6a`ZTE`u?l5TW8SE
z05I5%{GXdtFR>xdsa-E8Mv%Zi2LEdROB16umZbim|Ni!w^Of~IX4F5%*(cAJ3LorH
z^?UfIm!18-s%`&qaBL4>Iq~!6{`}iq1-0fN7!dz!VOipZ%kL)b`zf{jI=VtxC7!Xz
z#=R;6TI=L<4(nmb&z>mXuA4;<P-wq5x4{V)`jcXrkE=11mJt|@4wb<T&_gfM##bsb
z&h>*Le)&q*+ILVJpF#ORhFZj;>e%oe=!8G^QAVEE*LPB-J+GT1(@ZrIN|b*+*@q14
zYq;s@LY)m{_H3{f^SnPUuhbR0hk0X$oT&?V0cYG+oyk5}n&vq?ByoSxyqnI~k&>@|
zlii1n6rCy568rdg-fUs(ce#E&m(~h;-!-epAswNknxUcP#oS4zO5zmpM(9zixbr1=
z)~Bn<r=`YY%sSS<y4I?%s4MLl<gbJ(3N4Vs{6TD}0M6dpZns`|wo}Z+fzJY5?0Bn@
z_4xn*ey)bb6r`MacMN&eB~#UZSmK_iQB2c9zE9;Ho{TWee_U~dE9&_<NDCyBXgMty
z<`*fo5^cj*k`qC=_(?o`f_w}yQFqChf=w`DHO);;3ef!7;spk5rH>4`;QS`DnGovv
z&7;dN0E&94eR04$_H;uy*P8qA=p9#IgMAN#pB8@;K8nLY*9=bygtfiIXAL<-x!W8H
zd-4qW$g5*FG>@ktMMu-i{D+N2-K-0Ufx7XNd=@eO{jG+J1d&k9U5p`;v{+f5w;G5o
z!<T81#*1X7-m~OV{FUZig7dh%VGzpVP4I}Iym9|^(?MNE$$Y(UQ?#u@i=vP5r00gk
z?k6p1_V||S+SV|Ap5E(kdp)F_RUUWihuK|lX04zPpN{vxSLS`)+kYMD&zFcgl+;xr
z2`eVYysykDA+_`Uv@4L6oKoJrnO?oh?ZH6yLzni=pg-=&eA))wbapYcwZBYno~(=5
zCre00yq!h&nQjn?tyRm|aPXf<H0Gy~zVHRLS*9-%R!Q8slX>>{?y#Wv^Yik0c(#AT
zQlaP9o4atB#W_&NA(KR)3KlBnnw-3&%j0?Fc8}Y`1G#~5aYF>+?Fa%N?Geg`ty};^
z=5Z(sS_*~@yJ2Tp=gylAyi!4R_x;E1%gJ)-^w!5SveZ*7arf)^bR4p;vLe=@+;`xt
zjC{fH5Bd&Zy23wMJ|$ikd>m%jE<HQ7w6tJ^izeFB$k+fF6KN53EQe<66HA(^V(`ZM
zJ8tc2b@^q6*w~3xeqr&gDbvPI-#M;}F}f$eo4Z!O$EAS*2~&m~KcOsan$?~jot{=r
zc%!-%q@!e57g~g=Zv&mZB2p1n$q1q}+EM<WeLfHTRd5p?Fm}JOL_jadDKw7o#VCHl
z?!%Jo&mJLlHSnHfDJ5llB76oPYz-<rI7tT$$MYgdHRw~Q4H^-(?C}5iVW&|uMN6~t
z>>uO!Mr_<7Cqn6Y5`P3A4dHCd()i$w<xRmkDDTG%PA~b~TkV$`%k!MlFiizjR_}ls
zguqCQe>KrRErm09c*+X8ia$gpigMxKVgxnVtJzb^FwddfB)>fSB{tI{HJ!`ELFX#0
zmw4;+A4<<S74THzdpA8`-m_0dJYkO7gu8n(%dYR^@p3-4|K$5MeYZbgGI@CG>EnpI
zrpIj_bsNLA^?aB2<w5g380xH<&{P$+N2aVXQeu8}jW+w;lCsJ%WKWhK3Zhp3l_%74
ziL@zmV{}^8Mkx4jfufHje_Qp#?00d?c4uSSAbI+WY&+W!L0d1p)ms|S(eB6CXLEvE
zY%XCx?uerhw<8mlByT4^M;39F*UiNCcc1=ON-v|Z$^nfLPfyi<AtzzSMA`ZHIPdF{
z>p0I(ZhKjx@8}Su8kR))PA_bM;xiQmT;DKg=D=_(@q_zL3t_7$gvOz6t9?qBGwXYI
zX}ZVvebwYOzvdhIGV1vpra(XW0=T(zu_ZKRa04-&4Uom2He5=xKCAR|b@jRW#$FbF
zyO0(<%}_aq8(!=Uqu2hRvrfKTSHo^e|ED9~WEHM3k7cXWv|Py~cqaJ4{j8w6J5BVy
z==ZcN#3NV*2Jxsqujx}y_3un~8!p_Ep7$C?R<)nZA_`kwN1A93XGKhu5?t5INH)_O
z6DHp?ZwxobY3dJ^0;HiJ`&0Z7+Yln{+nSVXKk2VnWED<{nAM%c5%z0FU^K8O(A+r}
zfo-oh<_|q;vT5+Zk=pj~SF9s*>S3@}Do~tBc=XPlW2J-<ez{q<k<===J+CQcX?%>)
zweACT>zL*#S@#mw>B&|G@tPOoPT>GKxgmZJWZb$)Z5O<H<$#*aRgg)1na1HYUl&+>
zR<sXNJ1WxToZ|REAheaMdwJqz_n(^j8~C>TkLk1P>pIUv+OAS?<R8`7sY1DSj$oJj
z?LB(>4hl{nT7Txr-p&Kp_UBOE*WUB9Lo;ulVk}nDOA{jlzZk@q9&s`kZt{=fOOSP4
zJyoJ#1l<qcoa-Y8n|6#>XH@=^$o&M1uU**)!%Qj{TF&{6<6X_>YvAasIh3~2MsHnO
z?;T;=cH9}E2JGJ|{OR2H!u4g^A4xl1dmd|~7OzmqK4=>)4<byF`aN%-SArkTG)B6L
zFo3zuMo^iE-fQJD={omDO`nHPdm^7#B7U}sNNPTpQ7lGQMahO?BQIv{gangGiD1<@
zr1U#+@HI1Zzk54JJRC~QMY&{j(U<xQVy0T632S4f5`BIip6njqtLI5*<Sp+*U`o)-
zcZzJJ(1THTy7xx7TP}m5m~m-wmCgBvSu;z(by<9~Tb7GeA{P2u(%EZ^TjUmR79&y|
zO!&7cX=-J&9zoS~o{ryxgaaLKsGtq!<jcdWrV;~;0D7h7!|mDKWKt!iTR$uSA18oz
zPgbI?nF>U9Sq&8c?GkYFgZ(aa4AGyTN<4wPxS%Ue)7iM8mrxx9DOG7@kg+hn0Y@Pv
zG9%UzP8`EyK`V&q;HULyLB5NKnBY!VD7U2KdieLZGa|K+{!@%wSb=ljM(arbITQ1Z
z%#&A=7w%_pFg9NJby>yfnq;*)3G5(mFDNSgKh8UrO1oZk!=Lu~r%y4_hylLw!Jw;R
zO~K4s6sowUyLuF%r07Ik5d%`|C<1{>bh}>W0M%RTfO-QQ)|<x4{Cz2YD1kOs>AhUv
z|5O-xYBo`_-@|s;*O?zA6*%vh-70RW)jc$|WC^b^p>dQGs{k*L@7ZMQmiNcx{@?wV
z&fLj>GwP&<x=0r=r>K|$ErS~m@1GR5YXeV#stm0i7fe$_zDe3sIZQ2N&-e&k+oIdX
zU{3Z`oELEr2)#b`zc{Iv#(g}Qots-b+E@D+n0rPv9_9V@+%0oAyC{o$9tNUc?#e-X
z>qB!53K*yx$^_pJCbm1@b^(7{$}qe0b`p@verU>~RVuf3f1L+?$7Kz8k#Y;<nB^!Y
zYKjhm7py-r>(|NgX_O3Pq4wTen8JfU(>2UQrm^jevaTSC6vmvF0x-~ZShwFQqZSue
zU#RnZJ(zPkA9l8;x7|Ntz9Sc%n%uc_x;<-ul$7L749(xpS6;FPr~HmV(!CDemFG#Z
zMc7ovC?JREx)~>9qHC)uqb{DCXuLbRr%xSvIQ`e06Q4p)%A((zRXUxES|Y&116$Fi
z<x1@P`mkSGnr)(LsTbXcLX+c9+5l&b*Wx+omh<Fnc0Nb08gM1~SQ0R*Yl$^skd498
z10{}S19HSdJ8=vxG@h(W46d(vKg@A2I6f;Con%>1B(;zKRi~7IwjLHF!5Y980gEya
ztKvEOS@8OEeP%D2%?9(I6R;Qw9jry12um88iBeTnKuBY-dqBYv07ZwS7I;jVO}%8p
zJ`oHvEta$oS;ai?7&LvO4)8A_vdVVK3y_RHkiml4y+PQz!vgGZ_H)R^w{J5U0LJ^8
zJGUUV!W)VH!}7JM_I#vKe_aX<QtNYbuHq!xff;kb=2X)#6i7ns6VNNfDqMayEzS<i
zr2P6RQA0+&S?VqcZ_`G=CAJ!jTdI}Mj)SWp_m8l$`@~wkHL0HZ)*jPb@+;ObzF4m9
z;bgn2fTCy4v)9hm0BjRvc}G66rzNux=6G+fSkV3u33vh2ioA@my(p<^--oG=w8|33
zl4}&HuN(nbk<oaR3B%IeGh`w6`^%03mx|o_5F?WZ>CP-j*T#l~pNMgMBhlwEb6S`)
zMt3G6YWH<oFgWRsh6LdO!R|T}iCtG+=-oY9HCvjDLND((T|qBd$VA;ANv%YkTHT&T
zzMrSwnUR2wcjx`-(#6~7e6jm;6RjyRmoF`!LzDO<*eKQD^8C1V&(~3X-R5s;=j}MD
z8!evfVA6GKWn^UT@8ym|Czr3!%J0`B=<|9qlBX{yggsuT>mw~jhTc`|52iEMAq(~$
zV9l&9x3lFTR)#kL&BGl@%6rjo(bQfr9T9rXTVndBL_@C*&xUAzNisC$soiHfG=3v%
zTHjy^q_G4_Zh(9$t!3(w2jW0p&swJa*uFTpU1$`#z*ixwKNF56<{zvPQRa03;$NUs
z+e!--FIA<@eU5sL;(6IXXgP4uJP@1|_1)IH2>-wx(rm{$d`WZ$G?j6|VNi+s{{1k1
z2SMsBTw@c+3()J13+Mos^G_#2pv@&DK0=1R=py(}nT)#Jo(6qg_hff|Av24cTO&O_
z$Xd|g(ch-2Dq$=Z(VO3`+VIlQTk)2koHdyApcZrn(Q$UsKMhds3pLw9_ptvw<)r_#
zdw&-wwJCOwn4E(DW?mi@p6G24IHx$f2aiAF05u)im1()>QynTcgq%I5Z@+Ai$BB1@
z6gBE{G3JB5MSfrJQytTcX@E?$cexEMr0Da21<@bu6vTPn_n+oHFV!7-q7pd*-wD8n
z`TZ|YnaMv<YY&-6(W`nD+I_O2MFX^N*g(9?#2i+iOZlIp)D4r9e(@0YI2Aa49Gf5C
zA9Lk-J6`#|G%g?6|5K!8VG2~b7!Ik)-p(T=RCo0(D>>TPdCxyjq&s7+7m=NJ`v!<M
z3dB(lTE#7OphwqD>izZTo*0wfEIhota<GgU!M@aY17>#zFOBfaE^|v{Bkyp6WrcHx
z5W-kT_o=^H(~!z^t#C%Ji$acmtTY*0M#flSh<L*sqDPrJn_OmY<~5uX&J~NqP2J6l
z|KK;gw9$>UuDw-`-YbV~Zl(eYg6TK6t3pg-MXD$iiy|?W9*8lj6M}SuVc|1DV;r#p
z--O1ED3pbcoO`mp_W>b<^{}LrtqZ-;cHN*LTX7Tk{mk55^v#gQ5cltePRZSIr6|(x
z_LXs8>E1mhnR`mF+xOLpP6rbBW;$d*c)?4s$Q3jHE3H)e{a=fttvX#6TklapwZ1%U
z_m)_vg$$N*0ik6K6BQM3e_<Vxmy&}oCkmTFBo};`Frry7!yH+K$9OWelkSBqB_H*b
zPar*}b9&d(_E&PI%oKCJMhahqZn^FETJ2{3Dl;95Iu~=qsmuuxHds`i^nIMke@(dg
zey#pJ?pK)Mh($?+9#$p_Wh$u3XY_kNH1~U6tj&y)HAT2|Xfa=9Al~4q=uD4){DSMi
zfc5fDiVg+k-yH=)p^ad%LH$yg{hVDK?!J>jxK$3}oB>ex{-(#mSSyPJIc_*x)_>9$
z0Q@+_z8lk7KT#!CW6hW!IrOgQZWrqM!ZVboBVcu@O$+X28C$dWZY{LVuaFkT=)Q)K
zBiu9)>s(lReLetgjg7sYHa%@Y@@}01Zm_ZGb_tI_S(Wylsf8_vYp*?m1AmnLkTEL7
z;!)`W_f}8M7ewxz^9`i7sNVev{^qs(#7_eMB%85<73N`Rfc?%N7Qdh6WakLuP}X!P
zzRySrJSKMx?|sFVSC6TQzza>g8&`L2gqGdGHTEuJug7I9q;e?fPiJRAV+P-I%3PHe
z|4ZBsZPeK3V0Xoys%N2yb7CrkwK{|G%nwiq?S(i0=g5vch4uqle;((&*c@s(Y`$K@
zSA3ma_*AnKJMk*P>ri`FD}%wAIfG&0S}5QmX|TRigZ;<we+(0zn|a(N6iSP)xDk^K
z1@Qe*+E^e}HB-I=G>1Wm_j-QO^S$RPUf+k3;2OZ*g7g6b`dp5*NgujH4rLn)yD?*X
z4pP94x;G=b_lq0DmY*I;LP_SZZ=Se1pD4x25dXBjq=4H@QSrXnZxBvz(f2(LY0FLX
zUg>%>4QGqp1GDHhrKJBHMeQ$5Y<GX%Q0EEV1gELiFNzme>ze7~sA3<jrs;P+DSox_
z3KYLd)$aUTNPZh6NW`<3e?C%?(RSf_`it(o1}CBpwUev6X_&(VGh~j)QABTp4SqiQ
z>UG5vidmpZL;Y}c2LYT!m6rJpCHTx(6RhpEHWP{@Ie&L=a`L?rnk!_d_adqQx2oNG
z>vN^?Tg)NpF|v%td4zPH<^wMQo_FwJ@lbA23Oeeg&%2A4I&~L@iEFd*Sp95*a=Pc}
zhw6{$87)aG{1$M^P6K;Ixp~@L<z84vE6n6ehv1Qj-h0#;f-~)al;>Z0jhlisNI+S*
z>uAMwaW>c&ez)~`6!8#h2IQ$*Q>14@K}KtMqP!so_^z-Oe;V11vFM{lK0zIp)rrI!
z@&tT;d&|T}us4V<k@4CoPnwl&sk-ETjMX~mL{Iniy9T%s$Jt>>HPX;kkRlt$%G_u1
zL`_PFasO;k#2}yWzZyn^s0+;B8|D)UP5d1(`(Y%|kD^tC$^*@#j|GK463hQfsQv8>
z^>;%3^E~DoV&}`j*de|a-9si1kA6TDMgL;%#XyNfCdwg9WJ9;+UlE}|3b<psFYQsJ
z_9Cv`cC5wT#x#0hAlMm#sc=r>r?g*t-2Nw^2X}VZnltevu-ZwNUz{v}7Pe~)Tnp>D
zo%Z0bf2zm6y*@}OtK5FS9QbZQ4W&%RQ%NbS<!?O_lTg&ne^=PH^9#N0EcXE1UlID#
z`${E-8E)1T57zh^*8OlP<Ur~~!LN%8Cg@g)F{H+KB@!ADpEWoHSc}C)t&soV6tuX0
z$soY<{p*<#=M>epG^Wi#>AF@5`z68c-clJwS1*%71{RMO-3@0gzT<~JK9cK<78)iy
zF-jCmCi+7tLp~y;ff)uIa<atF)p5~Pfg%Uhz6EXQukMm4mUQqQjRE(zIF1pOsiqq%
zOkywO%K4Ts26BWz{D*4;&-5~!&Y##!BmEqN8#a|FmM|h1wNH?<dFqJpUnm_nr|Hlp
z&@@Tn8kpqQ0X3#c6WN5Q!Xyxlv2wc*5Ta;*S_4)P=)A+DN&&7HCF?ff{<9o~14#G6
z7O1beTO@b4h!?18Sw08BjD~RDM-j{@fyY7v(BzUsL0}vIEBXlq_KT0%u{AQkq4&cS
z-}TbBNVH9??crxa4+*+E%haqwQo1NqJsZLOSYwSf)>vcx=+)LoXZL>k=Cj|j92X%v
z96X6WCYqZA>WDcWHRoS4yvQ<^B)8MBym-IoTJx>2{!VZHu2&}G`|mWz{LUA=6qoP&
z<S<5xdxNBL`$gKt%YMTm!*?H>yv+f2Ay&IgtM5GKVF3W$TtZLs;P8Q|rtf_4$#36#
zf7x|KHH~l?1Z?!tYh?oaluxI1w^@Jq>t8?r{0rbYqj@X1J#xEJ@Qq|iZrk@_SO-vp
zc079;DS%<=B@E$rwnAWc{7x_tTUQz;?VamAU?OYBc|==@otqKPz9Sq9$q|fYup~e`
z@C1CN?4d8$P#47w_NFUg1#3mP1soM9g{K!-Le)^+!*5YmlPUd!Ay*dryOhqCtJBMC
zVnBkvUl{3m;FCjHExO1SZZL)}o05Sbzs^Zj0y3Du{;i6xD<}##vGW+NU_W~-Tk#cx
zrk+hG^G)lWqZ>l}CIA7mhb3~KfXDN+`fw$=r=MAz5e7fHF^5%r(J(TRg;?n2=T<u_
z<~1ASLjdIAt3zZbZS70xz#yNq#FC17IyHrM*Nr455xg=~Hsp;&77F40USzLMQz&Zz
z?)d|(p~)H6z;M<q5(+%gn>9x%Iy`o`4nbld*dyImvNxvGISp+`OITloQ~_fPGivU~
z8f&bv#v1FtLecN;tHU?4^`RINQqj9(B*>sG?i$HJ{b<!QY~x039tq^uqsg!}+k6c8
z{yThf(p~$@9qRp)@@3N>F$FusUG02&_FMRQA~o)GGUAV#`rQs;?wm09)(zx7&De9{
zd<o9pF@fHBq4n(Wq?j(={phn_zVqJYy47~#S><63-HzBJuc#L>%qL~)x=(-i&Q~9N
z5IYCah+^$_;=xM&?Psy|H;S2;K%pWD_A%y;?12Kb9Ua3r)^c;$FprROLsux@c0qE>
zmnB6kU{Nt&oG5n2NJ+UQJNkj?fL^ikBeWx^s^L2+j0L@-BQaf40S{Sj{`2z&;Yid>
z$}IkX_`s@_MP$gby}Z17{PgUit*)0Vys?Dk69H7(6LMLLGQpivvNDB`FRM+EoeG^1
zkp&-v2@yu~gTMwM&R!7pFxytN$N-iVI(qPW<#}3>;d3?_ReAiCjdgP0J%=;P8*-R`
z1anb#s?w}$8<-M*$cS8d#7jk^*eoADnj!BYkKy(_c$-&z=m<T#@mJINWLjRfPISck
zJc7H7#(hJA1x9?C5%JXoAuAy5=L}jt3Z_7i*zqJRI0f+nOypt$gTI!Tub@AU{zwee
z(oaDTWOn!8YTX99q6$^jL^zBcHTPqUHP%>TjrCupn#sx8y+3<+@k#cmCIpuf=h72w
zgb9a`u*L?62{NcbXCXt{nWt<~_3*`?GLCu&mw$grj~Eboj$*poEWaB*b@N5Mf%3aX
z{tHY)h=0*!?VaNp2-3F_kIbVovS&{lp>0_$4s=of?t_p1`JMMqFIUpk^lk5ZmUhQ1
z{O(*gLzt`h^us@V{F`^&a;>z*NCez7*}wcHxw$W3d%3+DS#nP>8-fi?YO?zxy2c1b
zf-fSTjBG54)f|p(C5YO?b)IR5);w0qOFo>gyR{F>w1$u@VQ6WB=GZ5CuoP@rH2X(l
z5h$@gPa%>`DJw%V=#BhdUPYj{dBURwu9CvgcTp0Ctj;da&VT!xpiVYTD`0sEcNgwT
z<AgL}SsVmL0+=vx^BbVsB-im8iOhEaSI;O;nFX5muzf_A9o{vG5x2;OI{AVrA{X53
z&ldMMT}<3EU*@4!^!}yDva7)NH^CtXt!?ETE+Ur8Xpg|p5i>6AVF~9Mm584ZD(^gT
zJ<n0On$wD5x{o0Q?+u6LV&>WP>#NJy!uk{I5_DcE$C-heC&%`eU~Zh7Rn*d!JjDy~
zRfN<k?2;&W*(C-hxjbkuvCtBHq>Z>vIEP_n!uJuw(+bX=k=G?SBnywQ7RrjUGG%Rx
zsu;ojSYwSf)>vcx*Qrf?`260_AD(|ESY;Dg6ddsDK4d>_cITE!!Qn4*Pg0?q$1y)X
zrmP$wM4~m^J9h2iZ*Jb-?qT0}w`^xp?`rP9J;X|EHy~fKBeC0f+Nz~*i)vnKvMJIF
z5P$DD)5~UX)7Ihs<;QtroG-Iui`eGCz6{@^6^fr#WmQcVUC{4;^w~fC_Pz6Er;92i
z9dOkZ><+na9SF!*g*N)j&p!L$o!_o6FEmD=>1B+}5G0yIt-gIBWzfvzB?X?UMCTu^
z^j)->V8e1e9cY)!A**XhA{K%D()q7~r!couwrLwxw#({*C<lPvWaAs21AuHB9{qs&
zBB)?wC<*NbV-fNSs~Iqg$ex_Mfham5dJVNoQD^{svsfHd_2iQ;zgoGArtM@|Nd+(V
zAv1tcC_m2lf)KM&#v=+UN^M0jigh~hsZ5!g5D@n)atF%i<qD+F2A-6KXJyvQWI{rR
z8uJ7#-|HdX3wM*pQi&)bH#fxm4#^|3bnA44Th2~kqj-?krEE;ep#m_)#JsP{1M3=N
z0Q5<OT83?GaMiF~n=twu{QCT?FHK$4L^UAF2jmXibB{w%9ma|2oC;Z3X{^daxB2eE
z{ECCNMAlQ~+m`1v0`x{9N;)G48%_E`@uP@mO!GKz<WCQbcaXEIY$>hP#v)q)Yae5c
zHP%>TjWyPfUqRc`!?yw}N{~&zO_dF3dBSKf=go3rPT~X`{QictK@4{1{6?TWb>oxs
z9Ubp)n3t8``QqCZ#o#28;>+I{Z@2BgkJ=~2Z^Oa=qP(raZgQ|t+5VjeIF;DO`zq<V
zd0&-fQPs;%y!+9oAAa=lri-?m1oo9DY!%p{9Bp7=Hb1XsXOF*n|5yKX@#Jf^sKk6^
zhFW>-`5Ug#oipP&QJJB$fi-?nMO~mtjRzykPGq*h$yO*S`>g=oX0I7w=s|9s^RV&&
zGOQidjSvbD7DAc8rZn4#VmxUY@(<4<9?i3}nm5AM>~e_C;yhfa#+Yu<b1LVvYBEv2
z_tSFm_G@pQU56*1F5BKKwx0wSV)GxC|A-u4g-BbFRYKBzVi^j|F6q+AfnRZ#eF!q+
zt~j>iy;nTOz~_wB6$~OM>q3ATD7`DcAGVN+d*y=tD*4K0uNyYK;hwq(JT)DIBlwHK
zU_#7t7(|WU(}lnhf-lJ|!UwC?oIr&+Uq!&2_RA|7%6r&V>AJFQO~+77E3w}6eJ4es
zh#k>+x;{BfWei?Gbbkv=6ekQT4a2+zX5yn5#Pc%GUhs5q@O1GA&?`un8sR$;I$pgn
yl94^nb;LnWC7AFi=<ta`2~!DG5_9_h1sDL;Oy)l);otHA0000<MNUMnLSTXo;F3xJ


From dc273b2d637a5dd5a18dbf0fea587d8a7cd6cfeb Mon Sep 17 00:00:00 2001
From: Ali <83188384+testA113@users.noreply.github.com>
Date: Tue, 5 Aug 2025 18:53:41 +1200
Subject: [PATCH 211/212] fix(helm): don't block install with dry-run errors
 [r8s-454] (#976)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 app/portainer/react/components/index.ts       |   2 +-
 app/react/components/Badge/Badge.tsx          |   6 +-
 .../ExpandableMessageByLines.stories.tsx      | 115 +++++++++++++++
 .../ExpandableMessageByLines.test.tsx         | 137 ++++++++++++++++++
 .../components/ExpandableMessageByLines.tsx   |  76 ++++++++++
 .../ChartActions/UpgradeHelmModal.tsx         |  16 +-
 .../helm/HelmTemplates/HelmInstallForm.tsx    |  17 ++-
 .../HelmTemplates/HelmInstallInnerForm.tsx    |   7 +-
 .../helm/HelmTemplates/HelmTemplatesList.tsx  |   2 +-
 .../ManifestPreviewFormSection.test.tsx       |  11 +-
 .../components/ManifestPreviewFormSection.tsx |  45 ++++--
 11 files changed, 408 insertions(+), 26 deletions(-)
 create mode 100644 app/react/components/ExpandableMessageByLines.stories.tsx
 create mode 100644 app/react/components/ExpandableMessageByLines.test.tsx
 create mode 100644 app/react/components/ExpandableMessageByLines.tsx

diff --git a/app/portainer/react/components/index.ts b/app/portainer/react/components/index.ts
index 9b2f7325d..1b6d0df7a 100644
--- a/app/portainer/react/components/index.ts
+++ b/app/portainer/react/components/index.ts
@@ -98,7 +98,7 @@ export const ngModule = angular
     r2a(Tooltip, ['message', 'position', 'className', 'setHtmlMessage', 'size'])
   )
   .component('terminalTooltip', r2a(TerminalTooltip, []))
-  .component('badge', r2a(Badge, ['type', 'className']))
+  .component('badge', r2a(Badge, ['type', 'className', 'data-cy']))
   .component('fileUploadField', fileUploadField)
   .component('porSwitchField', switchField)
   .component(
diff --git a/app/react/components/Badge/Badge.tsx b/app/react/components/Badge/Badge.tsx
index 5babb5733..f0a4fc55c 100644
--- a/app/react/components/Badge/Badge.tsx
+++ b/app/react/components/Badge/Badge.tsx
@@ -1,6 +1,8 @@
 import clsx from 'clsx';
 import { PropsWithChildren } from 'react';
 
+import { AutomationTestingProps } from '@/types';
+
 export type BadgeType =
   | 'success'
   | 'danger'
@@ -73,7 +75,8 @@ export function Badge({
   type = 'info',
   className,
   children,
-}: PropsWithChildren<Props>) {
+  'data-cy': dataCy,
+}: PropsWithChildren<Props> & Partial<AutomationTestingProps>) {
   const baseClasses =
     'inline-flex w-fit items-center !text-xs font-medium rounded-full px-2 py-0.5';
 
@@ -81,6 +84,7 @@ export function Badge({
     <span
       className={clsx(baseClasses, typeClasses[type], className)}
       role="status"
+      data-cy={dataCy}
     >
       {children}
     </span>
diff --git a/app/react/components/ExpandableMessageByLines.stories.tsx b/app/react/components/ExpandableMessageByLines.stories.tsx
new file mode 100644
index 000000000..2a3c5a2a2
--- /dev/null
+++ b/app/react/components/ExpandableMessageByLines.stories.tsx
@@ -0,0 +1,115 @@
+import { Meta, StoryObj } from '@storybook/react';
+
+import { ExpandableMessageByLines } from './ExpandableMessageByLines';
+
+export default {
+  component: ExpandableMessageByLines,
+  title: 'Components/ExpandableMessageByLines',
+  argTypes: {
+    maxLines: {
+      control: {
+        type: 'select',
+        options: [2, 5, 10, 20, 50],
+      },
+      description: 'Maximum number of lines to show before truncating',
+    },
+    children: {
+      control: 'text',
+      description: 'The text content to display',
+    },
+  },
+} as Meta;
+
+interface Args {
+  children: string;
+  maxLines?: 2 | 5 | 10 | 20 | 50;
+}
+
+// Short text that won't be truncated
+export const ShortText: StoryObj<Args> = {
+  args: {
+    children: 'This is a short message that should not be truncated.',
+    maxLines: 10,
+  },
+};
+
+// Long text that will be truncated
+export const LongText: StoryObj<Args> = {
+  args: {
+    children: `This is a very long message that should be truncated after the specified number of lines.
+It contains multiple lines of text to demonstrate the expandable functionality.
+The component will show a "Show more" button when the content exceeds the maxLines limit.
+When clicked, it will expand to show the full content and change to "Show less".
+This is useful for displaying long error messages, logs, or any text content that might be too long for the UI.`,
+    maxLines: 5,
+  },
+};
+
+// Text with line breaks
+export const TextWithLineBreaks: StoryObj<Args> = {
+  args: {
+    children: `Line 1: This is the first line
+Line 2: This is the second line
+Line 3: This is the third line
+Line 4: This is the fourth line
+Line 5: This is the fifth line
+Line 6: This is the sixth line
+Line 7: This is the seventh line
+Line 8: This is the eighth line
+Line 9: This is the ninth line
+Line 10: This is the tenth line`,
+    maxLines: 5,
+  },
+};
+
+// Very short maxLines
+export const VeryShortMaxLines: StoryObj<Args> = {
+  args: {
+    children: `This text will be truncated after just 2 lines.
+This is the second line.
+This is the third line that should be hidden initially.
+This is the fourth line that should also be hidden.`,
+    maxLines: 2,
+  },
+};
+
+// Error message example
+export const ErrorMessage: StoryObj<Args> = {
+  args: {
+    children: `Error: Failed to connect to the Docker daemon at unix:///var/run/docker.sock.
+Is the docker daemon running?
+
+This error typically occurs when:
+1. Docker daemon is not running
+2. User doesn't have permission to access the Docker socket
+3. Docker socket path is incorrect
+4. Docker service has crashed
+
+To resolve this issue:
+1. Start the Docker daemon: sudo systemctl start docker
+2. Add user to docker group: sudo usermod -aG docker $USER
+3. Verify Docker is running: docker ps
+4. Check Docker socket permissions: ls -la /var/run/docker.sock`,
+    maxLines: 5,
+  },
+};
+
+// Log output example
+export const LogOutput: StoryObj<Args> = {
+  args: {
+    children: `2024-01-15T10:30:45.123Z INFO  [ContainerService] Starting container nginx:latest
+2024-01-15T10:30:45.234Z DEBUG [ContainerService] Container ID: abc123def456
+2024-01-15T10:30:45.345Z INFO  [ContainerService] Container started successfully
+2024-01-15T10:30:45.456Z DEBUG [NetworkService] Creating network bridge
+2024-01-15T10:30:45.567Z INFO  [NetworkService] Network created: portainer_network
+2024-01-15T10:30:45.678Z DEBUG [VolumeService] Mounting volume /data
+2024-01-15T10:30:45.789Z INFO  [VolumeService] Volume mounted successfully
+2024-01-15T10:30:45.890Z DEBUG [ContainerService] Setting up port mapping 80:80
+2024-01-15T10:30:45.901Z INFO  [ContainerService] Port mapping configured
+2024-01-15T10:30:45.912Z DEBUG [ContainerService] Setting environment variables
+2024-01-15T10:30:45.923Z INFO  [ContainerService] Environment variables set
+2024-01-15T10:30:45.934Z DEBUG [ContainerService] Starting container process
+2024-01-15T10:30:45.945Z INFO  [ContainerService] Container process started`,
+    maxLines: 10,
+  },
+};
diff --git a/app/react/components/ExpandableMessageByLines.test.tsx b/app/react/components/ExpandableMessageByLines.test.tsx
new file mode 100644
index 000000000..d403fcb9c
--- /dev/null
+++ b/app/react/components/ExpandableMessageByLines.test.tsx
@@ -0,0 +1,137 @@
+import { render, screen } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { vi } from 'vitest';
+
+import { ExpandableMessageByLines } from '@@/ExpandableMessageByLines';
+
+describe('ExpandableMessageByLines', () => {
+  // Mock scrollHeight and clientHeight for testing truncation
+  const mockScrollHeight = vi.fn();
+  const mockClientHeight = vi.fn();
+
+  beforeEach(() => {
+    // Mock the properties on HTMLDivElement prototype
+    Object.defineProperty(HTMLDivElement.prototype, 'scrollHeight', {
+      get: mockScrollHeight,
+      configurable: true,
+    });
+
+    Object.defineProperty(HTMLDivElement.prototype, 'clientHeight', {
+      get: mockClientHeight,
+      configurable: true,
+    });
+  });
+
+  afterEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('Basic Rendering', () => {
+    it('should render text content', () => {
+      const text = 'This is test content';
+      // Mock non-truncated content (scrollHeight === clientHeight)
+      mockScrollHeight.mockReturnValue(100);
+      mockClientHeight.mockReturnValue(100);
+
+      render(<ExpandableMessageByLines>{text}</ExpandableMessageByLines>);
+
+      expect(screen.getByText(text)).toBeInTheDocument();
+    });
+
+    it('should show expand button only when text is truncated', () => {
+      const text = 'This is test content that should be truncated';
+      // Mock truncated content (scrollHeight > clientHeight)
+      mockScrollHeight.mockReturnValue(300);
+      mockClientHeight.mockReturnValue(200);
+
+      render(<ExpandableMessageByLines>{text}</ExpandableMessageByLines>);
+
+      expect(
+        screen.getByRole('button', { name: 'Show more' })
+      ).toBeInTheDocument();
+      expect(
+        screen.getByTestId('expandable-message-lines-button')
+      ).toBeInTheDocument();
+    });
+
+    it('should hide expand button when text is not truncated', () => {
+      const text = 'Short text';
+      // Mock non-truncated content (scrollHeight === clientHeight)
+      mockScrollHeight.mockReturnValue(50);
+      mockClientHeight.mockReturnValue(50);
+
+      render(<ExpandableMessageByLines>{text}</ExpandableMessageByLines>);
+
+      expect(screen.queryByRole('button')).not.toBeInTheDocument();
+      expect(
+        screen.queryByTestId('expandable-message-lines-button')
+      ).not.toBeInTheDocument();
+    });
+  });
+
+  describe('Expand/Collapse Functionality', () => {
+    it('should toggle between Show more and Show less when button is clicked', async () => {
+      const user = userEvent.setup();
+      const text =
+        'This is a long text that should be truncated and show the expand button';
+
+      // Mock truncated content (scrollHeight > clientHeight)
+      mockScrollHeight.mockReturnValue(400);
+      mockClientHeight.mockReturnValue(200);
+
+      render(<ExpandableMessageByLines>{text}</ExpandableMessageByLines>);
+
+      const button = screen.getByRole('button');
+
+      // Initially should show "Show more"
+      expect(screen.getByText('Show more')).toBeInTheDocument();
+
+      // Click to expand
+      await user.click(button);
+      expect(screen.getByText('Show less')).toBeInTheDocument();
+
+      // Click to collapse
+      await user.click(button);
+      expect(screen.getByText('Show more')).toBeInTheDocument();
+    });
+  });
+
+  describe('Text Content Handling', () => {
+    it('should not show button for single space strings when not truncated', () => {
+      // Mock non-truncated content (scrollHeight === clientHeight)
+      mockScrollHeight.mockReturnValue(20);
+      mockClientHeight.mockReturnValue(20);
+
+      render(<ExpandableMessageByLines> </ExpandableMessageByLines>);
+
+      expect(screen.queryByRole('button')).not.toBeInTheDocument();
+    });
+
+    it('should show button for single space strings when truncated', () => {
+      // Mock truncated content (scrollHeight > clientHeight)
+      mockScrollHeight.mockReturnValue(100);
+      mockClientHeight.mockReturnValue(50);
+
+      render(<ExpandableMessageByLines> </ExpandableMessageByLines>);
+
+      expect(screen.getByRole('button')).toBeInTheDocument();
+    });
+
+    it('should handle different maxLines values', () => {
+      const longText =
+        'Line 1\nLine 2\nLine 3\nLine 4\nLine 5\nLine 6\nLine 7\nLine 8\nLine 9\nLine 10\nLine 11\nLine 12';
+      // Mock truncated content for 5 lines (scrollHeight > clientHeight)
+      mockScrollHeight.mockReturnValue(240);
+      mockClientHeight.mockReturnValue(100);
+
+      render(
+        <ExpandableMessageByLines maxLines={5}>
+          {longText}
+        </ExpandableMessageByLines>
+      );
+
+      expect(screen.getByRole('button')).toBeInTheDocument();
+      expect(screen.getByText('Show more')).toBeInTheDocument();
+    });
+  });
+});
diff --git a/app/react/components/ExpandableMessageByLines.tsx b/app/react/components/ExpandableMessageByLines.tsx
new file mode 100644
index 000000000..36bf1035c
--- /dev/null
+++ b/app/react/components/ExpandableMessageByLines.tsx
@@ -0,0 +1,76 @@
+import { useRef, useState, useEffect, useCallback } from 'react';
+
+import { Button } from '@@/buttons';
+
+// use enum so that the tailwind classes aren't interpolated
+type MaxLines = 2 | 5 | 10 | 20 | 50;
+const lineClampClasses: Record<MaxLines, string> = {
+  2: 'line-clamp-[2]',
+  5: 'line-clamp-[5]',
+  10: 'line-clamp-[10]',
+  20: 'line-clamp-[20]',
+  50: 'line-clamp-[50]',
+};
+
+interface LineBasedProps {
+  children: string;
+  maxLines?: MaxLines;
+}
+
+export function ExpandableMessageByLines({
+  children,
+  maxLines = 10,
+}: LineBasedProps) {
+  const [isExpanded, setIsExpanded] = useState(false);
+  const [isTruncated, setIsTruncated] = useState(false);
+  const contentRef = useRef<HTMLDivElement>(null);
+
+  const checkTruncation = useCallback(() => {
+    const el = contentRef.current;
+    if (el) {
+      setIsTruncated(el.scrollHeight > el.clientHeight);
+    }
+  }, []);
+
+  useEffect(() => {
+    checkTruncation();
+
+    // Use requestAnimationFrame for better performance
+    let rafId: number;
+    function handleResize() {
+      if (rafId) cancelAnimationFrame(rafId);
+      rafId = requestAnimationFrame(checkTruncation);
+    }
+
+    window.addEventListener('resize', handleResize);
+
+    return () => {
+      window.removeEventListener('resize', handleResize);
+      if (rafId) cancelAnimationFrame(rafId);
+    };
+  }, [children, maxLines, checkTruncation, isExpanded]);
+
+  return (
+    <div className="flex flex-col items-start">
+      <div
+        ref={contentRef}
+        className={`whitespace-pre-wrap break-words overflow-hidden ${
+          isExpanded ? '' : lineClampClasses[maxLines]
+        }`}
+      >
+        {children}
+      </div>
+      {(isTruncated || isExpanded) && (
+        <Button
+          color="link"
+          size="xsmall"
+          onClick={() => setIsExpanded(!isExpanded)}
+          className="!ml-0 !p-0 mt-1"
+          data-cy="expandable-message-lines-button"
+        >
+          {isExpanded ? 'Show less' : 'Show more'}
+        </Button>
+      )}
+    </div>
+  );
+}
diff --git a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
index 7be9f0b9c..841dc2f46 100644
--- a/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
+++ b/app/react/kubernetes/helm/HelmApplicationView/ChartActions/UpgradeHelmModal.tsx
@@ -7,6 +7,7 @@ import { ChartVersion } from '@/react/kubernetes/helm/helmChartSourceQueries/use
 import { EnvironmentId } from '@/react/portainer/environments/types';
 
 import { Modal, OnSubmit, openModal } from '@@/modals';
+import { confirm } from '@@/modals/confirm';
 import { Button } from '@@/buttons';
 import { Input } from '@@/form-components/Input';
 import { FormControl } from '@@/form-components/FormControl';
@@ -181,8 +182,19 @@ export function UpgradeHelmModal({
             Cancel
           </Button>
           <Button
-            onClick={() => onSubmit(submitPayload)}
-            disabled={!previewIsValid}
+            onClick={async () => {
+              if (!previewIsValid) {
+                const confirmed = await confirm({
+                  title: 'Chart validation failed',
+                  message:
+                    'The Helm manifest preview validation failed, which may indicate configuration issues. This can be normal when creating new resources. Do you want to proceed with the upgrade?',
+                });
+                if (!confirmed) {
+                  return;
+                }
+              }
+              onSubmit(submitPayload);
+            }}
             color="primary"
             key="update-button"
             size="medium"
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
index 2bed5b58f..0671612c0 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallForm.tsx
@@ -1,4 +1,4 @@
-import { useRef } from 'react';
+import { useRef, useState } from 'react';
 import { Formik, FormikProps } from 'formik';
 import { useRouter } from '@uirouter/react';
 
@@ -7,7 +7,7 @@ import { useAnalytics } from '@/react/hooks/useAnalytics';
 import { useCanExit } from '@/react/hooks/useCanExit';
 import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
 
-import { confirmGenericDiscard } from '@@/modals/confirm';
+import { confirm, confirmGenericDiscard } from '@@/modals/confirm';
 import { Option } from '@@/form-components/PortainerSelect';
 
 import { Chart } from '../types';
@@ -34,6 +34,7 @@ export function HelmInstallForm({
   isRepoAvailable,
 }: Props) {
   const environmentId = useEnvironmentId();
+  const [previewIsValid, setPreviewIsValid] = useState(false);
   const router = useRouter();
   const analytics = useAnalytics();
   const helmRepoVersionsQuery = useHelmRepoVersions(
@@ -78,6 +79,7 @@ export function HelmInstallForm({
         versionOptions={versionOptions}
         isVersionsLoading={helmRepoVersionsQuery.isInitialLoading}
         isRepoAvailable={isRepoAvailable}
+        setPreviewIsValid={setPreviewIsValid}
       />
     </Formik>
   );
@@ -88,6 +90,17 @@ export function HelmInstallForm({
       return;
     }
 
+    if (!previewIsValid) {
+      const confirmed = await confirm({
+        title: 'Chart validation failed',
+        message:
+          'The Helm manifest preview validation failed, which may indicate configuration issues. This can be normal when creating new resources. Do you want to proceed with the installation?',
+      });
+      if (!confirmed) {
+        return;
+      }
+    }
+
     await installHelmChartMutation.mutateAsync(
       {
         name,
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
index 77ba91ca1..922f1dca0 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmInstallInnerForm.tsx
@@ -1,5 +1,5 @@
 import { Form, useFormikContext } from 'formik';
-import { useMemo, useState } from 'react';
+import { useMemo } from 'react';
 
 import { useEnvironmentId } from '@/react/hooks/useEnvironmentId';
 
@@ -23,6 +23,7 @@ type Props = {
   versionOptions: Option<ChartVersion>[];
   isVersionsLoading: boolean;
   isRepoAvailable: boolean;
+  setPreviewIsValid: (isValid: boolean) => void;
 };
 
 export function HelmInstallInnerForm({
@@ -32,9 +33,9 @@ export function HelmInstallInnerForm({
   versionOptions,
   isVersionsLoading,
   isRepoAvailable,
+  setPreviewIsValid,
 }: Props) {
   const environmentId = useEnvironmentId();
-  const [previewIsValid, setPreviewIsValid] = useState(false);
   const { values, setFieldValue, isSubmitting } =
     useFormikContext<HelmInstallFormValues>();
 
@@ -129,7 +130,7 @@ export function HelmInstallInnerForm({
         className="!ml-0 mt-5"
         loadingText="Installing Helm chart"
         isLoading={isSubmitting}
-        disabled={!namespace || !name || !isRepoAvailable || !previewIsValid}
+        disabled={!namespace || !name || !isRepoAvailable}
         data-cy="helm-install"
       >
         Install
diff --git a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
index 3d9e86578..bf7de44bb 100644
--- a/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
+++ b/app/react/kubernetes/helm/HelmTemplates/HelmTemplatesList.tsx
@@ -73,7 +73,7 @@ export function HelmTemplatesList({
           />
         ))}
 
-        {filteredCharts.length === 0 && textFilter && (
+        {filteredCharts.length === 0 && textFilter && !isLoadingCharts && (
           <div className="text-muted small mt-4">No Helm charts found</div>
         )}
 
diff --git a/app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx
index 6ca6f2841..1a3b56545 100644
--- a/app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx
+++ b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.test.tsx
@@ -106,7 +106,7 @@ describe('ManifestPreviewFormSection', () => {
     expect(screen.queryByText('Manifest Preview')).not.toBeInTheDocument();
   });
 
-  it('should show error and no form section when error', () => {
+  it("should show error when there's an error", async () => {
     mockUseHelmDryRun.mockReturnValue({
       isInitialLoading: false,
       isError: true,
@@ -116,11 +116,18 @@ describe('ManifestPreviewFormSection', () => {
 
     renderComponent();
 
+    expect(screen.queryByText('Manifest Preview')).toBeInTheDocument();
+    // there should be an error badge
+    expect(
+      screen.queryByTestId('helm-manifest-preview-error-badge')
+    ).toBeInTheDocument();
+    const expandButton = screen.getByLabelText('Expand');
+    await userEvent.click(expandButton);
+
     expect(
       screen.getByText('Error with Helm chart configuration')
     ).toBeInTheDocument();
     expect(screen.getByText('Invalid chart configuration')).toBeInTheDocument();
-    expect(screen.queryByText('Manifest Preview')).not.toBeInTheDocument();
   });
 
   it('should show single code editor when only the generated manifest is available', async () => {
diff --git a/app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx
index fa651fe1a..282450d06 100644
--- a/app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx
+++ b/app/react/kubernetes/helm/components/ManifestPreviewFormSection.tsx
@@ -1,14 +1,18 @@
 import { useEffect, useState } from 'react';
+import { AlertTriangle } from 'lucide-react';
 
 import { useDebouncedValue } from '@/react/hooks/useDebouncedValue';
 import { EnvironmentId } from '@/react/portainer/environments/types';
 
+import { ExpandableMessageByLines } from '@@/ExpandableMessageByLines';
 import { FormSection } from '@@/form-components/FormSection';
 import { CodeEditor } from '@@/CodeEditor';
 import { DiffViewer } from '@@/CodeEditor/DiffViewer';
 import { InlineLoader } from '@@/InlineLoader';
 import { Alert } from '@@/Alert';
 import { TextTip } from '@@/Tip/TextTip';
+import { Badge } from '@@/Badge';
+import { Icon } from '@@/Icon';
 
 import { useHelmDryRun } from '../helmReleaseQueries/useHelmDryRun';
 import { UpdateHelmReleasePayload } from '../types';
@@ -49,26 +53,39 @@ export function ManifestPreviewFormSection({
     return <InlineLoader>Generating manifest preview...</InlineLoader>;
   }
 
-  if (manifestPreviewQuery.isError) {
-    return (
-      <Alert color="error" title="Error with Helm chart configuration">
-        {manifestPreviewQuery.error?.message ||
-          'Error generating manifest preview'}
-      </Alert>
-    );
-  }
-
   return (
     <FormSection
-      title={title}
+      title={
+        <>
+          {title}
+          {manifestPreviewQuery.isError && (
+            <Badge
+              type="dangerSecondary"
+              className="ml-2"
+              data-cy="helm-manifest-preview-error-badge"
+            >
+              <Icon icon={AlertTriangle} size="md" />
+            </Badge>
+          )}
+        </>
+      }
       isFoldable
       defaultFolded={isFolded}
       setIsDefaultFolded={setIsFolded}
     >
-      <ManifestPreview
-        currentManifest={currentManifest}
-        newManifest={manifestPreviewQuery.data?.manifest ?? ''}
-      />
+      {manifestPreviewQuery.isError ? (
+        <Alert color="error" title="Error with Helm chart configuration">
+          <ExpandableMessageByLines>
+            {manifestPreviewQuery.error?.message ||
+              'Error generating manifest preview'}
+          </ExpandableMessageByLines>
+        </Alert>
+      ) : (
+        <ManifestPreview
+          currentManifest={currentManifest}
+          newManifest={manifestPreviewQuery.data?.manifest ?? ''}
+        />
+      )}
     </FormSection>
   );
 }

From d00d71ecbf0a8b5108e6e1758755bcca9788a11e Mon Sep 17 00:00:00 2001
From: andres-portainer <91705312+andres-portainer@users.noreply.github.com>
Date: Tue, 5 Aug 2025 09:23:07 -0300
Subject: [PATCH 212/212] fix(linter): add linter rules to reduce the chance
 for invalid FIPS settings BE-11979 (#975)

---
 .golangci.yaml                                |  3 +
 api/crypto/tls.go                             | 15 ++-
 api/crypto/tls_test.go                        | 24 +++--
 api/git/azure.go                              |  8 +-
 api/hostmanagement/openamt/openamt.go         |  5 +-
 api/hostmanagement/openamt/openamt_test.go    | 14 +++
 api/http/handler/websocket/proxy.go           |  5 +-
 .../kubernetes/local_transport_test.go        |  2 +-
 api/http/server.go                            |  2 +-
 api/stacks/deployments/deploy_test.go         |  2 +-
 go.mod                                        |  3 +-
 go.sum                                        | 97 +++++++++++++++++--
 pkg/networking/diagnostics.go                 |  6 +-
 13 files changed, 140 insertions(+), 46 deletions(-)
 create mode 100644 api/hostmanagement/openamt/openamt_test.go

diff --git a/.golangci.yaml b/.golangci.yaml
index c3a176c27..c036175a2 100644
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -18,9 +18,12 @@ linters:
 
 linters-settings:
   forbidigo:
+    analyze-types: true
     forbid:
       - p: ^tls\.Config$
         msg: 'Use crypto.CreateTLSConfiguration() instead'
+      - p: ^tls\.Config\.(InsecureSkipVerify|MinVersion|MaxVersion|CipherSuites|CurvePreferences)$
+        msg: 'Do not set this field directly, use crypto.CreateTLSConfiguration() instead'
   depguard:
     rules:
       main:
diff --git a/api/crypto/tls.go b/api/crypto/tls.go
index d06108ae4..d6b7c3b09 100644
--- a/api/crypto/tls.go
+++ b/api/crypto/tls.go
@@ -10,12 +10,12 @@ import (
 )
 
 // CreateTLSConfiguration creates a basic tls.Config with recommended TLS settings
-func CreateTLSConfiguration() *tls.Config { //nolint:forbidigo
+func CreateTLSConfiguration(insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
 	// TODO: use fips.FIPSMode() instead
-	return createTLSConfiguration(fips140.Enabled())
+	return createTLSConfiguration(fips140.Enabled(), insecureSkipVerify)
 }
 
-func createTLSConfiguration(fipsEnabled bool) *tls.Config { //nolint:forbidigo
+func createTLSConfiguration(fipsEnabled bool, insecureSkipVerify bool) *tls.Config { //nolint:forbidigo
 	if fipsEnabled {
 		return &tls.Config{ //nolint:forbidigo
 			MinVersion: tls.VersionTLS12,
@@ -51,6 +51,7 @@ func createTLSConfiguration(fipsEnabled bool) *tls.Config { //nolint:forbidigo
 			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,
 			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
 		},
+		InsecureSkipVerify: insecureSkipVerify, //nolint:forbidigo
 	}
 }
 
@@ -66,8 +67,7 @@ func createTLSConfigurationFromBytes(fipsEnabled, useTLS bool, caCert, cert, key
 		return nil, nil
 	}
 
-	config := CreateTLSConfiguration()
-	config.InsecureSkipVerify = skipServerVerification && !fipsEnabled
+	config := createTLSConfiguration(fipsEnabled, skipServerVerification)
 
 	if !skipClientVerification || fipsEnabled {
 		certificate, err := tls.X509KeyPair(cert, key)
@@ -99,8 +99,7 @@ func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfig
 		return nil, nil
 	}
 
-	tlsConfig := CreateTLSConfiguration()
-	tlsConfig.InsecureSkipVerify = config.TLSSkipVerify && !fipsEnabled
+	tlsConfig := createTLSConfiguration(fipsEnabled, config.TLSSkipVerify)
 
 	if config.TLSCertPath != "" && config.TLSKeyPath != "" {
 		cert, err := tls.LoadX509KeyPair(config.TLSCertPath, config.TLSKeyPath)
@@ -111,7 +110,7 @@ func createTLSConfigurationFromDisk(fipsEnabled bool, config portainer.TLSConfig
 		tlsConfig.Certificates = []tls.Certificate{cert}
 	}
 
-	if !tlsConfig.InsecureSkipVerify && config.TLSCACertPath != "" {
+	if !tlsConfig.InsecureSkipVerify && config.TLSCACertPath != "" { //nolint:forbidigo
 		caCert, err := os.ReadFile(config.TLSCACertPath)
 		if err != nil {
 			return nil, err
diff --git a/api/crypto/tls_test.go b/api/crypto/tls_test.go
index 551397fce..77abdff73 100644
--- a/api/crypto/tls_test.go
+++ b/api/crypto/tls_test.go
@@ -10,8 +10,15 @@ import (
 )
 
 func TestCreateTLSConfiguration(t *testing.T) {
-	config := CreateTLSConfiguration()
-	require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12))
+	// InsecureSkipVerify = false
+	config := CreateTLSConfiguration(false)
+	require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12)) //nolint:forbidigo
+	require.False(t, config.InsecureSkipVerify)                   //nolint:forbidigo
+
+	// InsecureSkipVerify = true
+	config = CreateTLSConfiguration(true)
+	require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12)) //nolint:forbidigo
+	require.True(t, config.InsecureSkipVerify)                    //nolint:forbidigo
 }
 
 func TestCreateTLSConfigurationFIPS(t *testing.T) {
@@ -26,11 +33,12 @@ func TestCreateTLSConfigurationFIPS(t *testing.T) {
 
 	fipsCurvePreferences := []tls.CurveID{tls.CurveP256, tls.CurveP384, tls.CurveP521}
 
-	config := createTLSConfiguration(fips)
-	require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12))
-	require.Equal(t, config.MaxVersion, uint16(tls.VersionTLS13))
-	require.Equal(t, config.CipherSuites, fipsCipherSuites)
-	require.Equal(t, config.CurvePreferences, fipsCurvePreferences)
+	config := createTLSConfiguration(fips, false)
+	require.Equal(t, config.MinVersion, uint16(tls.VersionTLS12))   //nolint:forbidigo
+	require.Equal(t, config.MaxVersion, uint16(tls.VersionTLS13))   //nolint:forbidigo
+	require.Equal(t, config.CipherSuites, fipsCipherSuites)         //nolint:forbidigo
+	require.Equal(t, config.CurvePreferences, fipsCurvePreferences) //nolint:forbidigo
+	require.False(t, config.InsecureSkipVerify)                     //nolint:forbidigo
 }
 
 func TestCreateTLSConfigurationFromBytes(t *testing.T) {
@@ -75,5 +83,5 @@ func TestCreateTLSConfigurationFromDiskFIPS(t *testing.T) {
 	})
 	require.NoError(t, err)
 	require.NotNil(t, config)
-	require.False(t, config.InsecureSkipVerify)
+	require.False(t, config.InsecureSkipVerify) //nolint:forbidigo
 }
diff --git a/api/git/azure.go b/api/git/azure.go
index 9fabeb066..b712cfd79 100644
--- a/api/git/azure.go
+++ b/api/git/azure.go
@@ -60,15 +60,9 @@ func NewAzureClient() *azureClient {
 }
 
 func newHttpClientForAzure(insecureSkipVerify bool) *http.Client {
-	tlsConfig := crypto.CreateTLSConfiguration()
-
-	if insecureSkipVerify {
-		tlsConfig.InsecureSkipVerify = true
-	}
-
 	httpsCli := &http.Client{
 		Transport: &http.Transport{
-			TLSClientConfig: tlsConfig,
+			TLSClientConfig: crypto.CreateTLSConfiguration(insecureSkipVerify),
 			Proxy:           http.ProxyFromEnvironment,
 		},
 		Timeout: 300 * time.Second,
diff --git a/api/hostmanagement/openamt/openamt.go b/api/hostmanagement/openamt/openamt.go
index 5843c1bdb..4b5f51186 100644
--- a/api/hostmanagement/openamt/openamt.go
+++ b/api/hostmanagement/openamt/openamt.go
@@ -33,14 +33,11 @@ type Service struct {
 
 // NewService initializes a new service.
 func NewService(insecureSkipVerify bool) *Service {
-	tlsConfig := crypto.CreateTLSConfiguration()
-	tlsConfig.InsecureSkipVerify = insecureSkipVerify
-
 	return &Service{
 		httpsClient: &http.Client{
 			Timeout: httpClientTimeout,
 			Transport: &http.Transport{
-				TLSClientConfig: tlsConfig,
+				TLSClientConfig: crypto.CreateTLSConfiguration(insecureSkipVerify),
 			},
 		},
 	}
diff --git a/api/hostmanagement/openamt/openamt_test.go b/api/hostmanagement/openamt/openamt_test.go
new file mode 100644
index 000000000..a3bfad49d
--- /dev/null
+++ b/api/hostmanagement/openamt/openamt_test.go
@@ -0,0 +1,14 @@
+package openamt
+
+import (
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestNewService(t *testing.T) {
+	service := NewService(true)
+	require.NotNil(t, service)
+	require.True(t, service.httpsClient.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify) //nolint:forbidigo
+}
diff --git a/api/http/handler/websocket/proxy.go b/api/http/handler/websocket/proxy.go
index c8ee8b82b..9233031ea 100644
--- a/api/http/handler/websocket/proxy.go
+++ b/api/http/handler/websocket/proxy.go
@@ -73,10 +73,7 @@ func (handler *Handler) doProxyWebsocketRequest(
 	proxy.Dialer = &proxyDialer
 
 	if enableTLS {
-		tlsConfig := crypto.CreateTLSConfiguration()
-		tlsConfig.InsecureSkipVerify = params.endpoint.TLSConfig.TLSSkipVerify
-
-		proxyDialer.TLSClientConfig = tlsConfig
+		proxyDialer.TLSClientConfig = crypto.CreateTLSConfiguration(params.endpoint.TLSConfig.TLSSkipVerify)
 	}
 
 	signature, err := handler.SignatureService.CreateSignature(portainer.PortainerAgentSignatureMessage)
diff --git a/api/http/proxy/factory/kubernetes/local_transport_test.go b/api/http/proxy/factory/kubernetes/local_transport_test.go
index a22b1e1c3..f346bba50 100644
--- a/api/http/proxy/factory/kubernetes/local_transport_test.go
+++ b/api/http/proxy/factory/kubernetes/local_transport_test.go
@@ -9,5 +9,5 @@ import (
 func TestNewLocalTransport(t *testing.T) {
 	transport, err := NewLocalTransport(nil, nil, nil, nil, nil)
 	require.NoError(t, err)
-	require.True(t, transport.baseTransport.httpTransport.TLSClientConfig.InsecureSkipVerify)
+	require.True(t, transport.baseTransport.httpTransport.TLSClientConfig.InsecureSkipVerify) //nolint:forbidigo
 }
diff --git a/api/http/server.go b/api/http/server.go
index 8f073ce58..54089a254 100644
--- a/api/http/server.go
+++ b/api/http/server.go
@@ -372,7 +372,7 @@ func (server *Server) Start() error {
 		TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)), // Disable HTTP/2
 	}
 
-	httpsServer.TLSConfig = crypto.CreateTLSConfiguration()
+	httpsServer.TLSConfig = crypto.CreateTLSConfiguration(false)
 	httpsServer.TLSConfig.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
 		return server.SSLService.GetRawCertificate(), nil
 	}
diff --git a/api/stacks/deployments/deploy_test.go b/api/stacks/deployments/deploy_test.go
index 9d13f22a5..cda695b4a 100644
--- a/api/stacks/deployments/deploy_test.go
+++ b/api/stacks/deployments/deploy_test.go
@@ -128,7 +128,7 @@ func agentServer(t *testing.T) string {
 	cert, err := tls.X509KeyPair([]byte(localhostCert), []byte(localhostKey))
 	require.NoError(t, err)
 
-	tlsConfig := crypto.CreateTLSConfiguration()
+	tlsConfig := crypto.CreateTLSConfiguration(false)
 	tlsConfig.Certificates = []tls.Certificate{cert}
 
 	l, err := tls.Listen("tcp", "127.0.0.1:0", tlsConfig)
diff --git a/go.mod b/go.mod
index 2966d54f1..c300e78cb 100644
--- a/go.mod
+++ b/go.mod
@@ -236,7 +236,6 @@ require (
 	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/portainer/agent v0.0.0-20250713222305-88cd348ec200 // indirect
 	github.com/prometheus/client_golang v1.22.0 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.62.0 // indirect
@@ -274,6 +273,8 @@ require (
 	github.com/xhit/go-str2duration/v2 v2.1.0 // indirect
 	github.com/xlab/treeprint v1.2.0 // indirect
 	github.com/zclconf/go-cty v1.16.2 // indirect
+	github.com/zmap/zcrypto v0.0.0-20241123155728-2916694fa469 // indirect
+	github.com/zmap/zlint/v3 v3.6.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.60.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
diff --git a/go.sum b/go.sum
index e2eb682a8..5c8d30256 100644
--- a/go.sum
+++ b/go.sum
@@ -1,3 +1,4 @@
+cloud.google.com/go/compute/metadata v0.2.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
@@ -36,6 +37,7 @@ github.com/Microsoft/hcsshim v0.13.0 h1:/BcXOiS6Qi7N9XqUcv27vkIuVOkBEcWstd2pMlWS
 github.com/Microsoft/hcsshim v0.13.0/go.mod h1:9KWJ/8DgU+QzYGupX4tzMhRQE8h6w90lH6HAaclpEok=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2 h1:+vx7roKuyA63nhn5WAunQHLTznkw5W8b1Xc0dNjp83s=
 github.com/Netflix/go-expect v0.0.0-20220104043353-73e0943537d2/go.mod h1:HBCaDeC1lPdgDeDbhX8XFpy1jqjK0IBG8W5K+xYqA0w=
+github.com/ProtonMail/go-crypto v0.0.0-20230217124315-7d5c6f04bbb8/go.mod h1:I0gYDMZ6Z5GRU7l58bNFSkPTFN6Yl12dsUlAZ8xy98g=
 github.com/ProtonMail/go-crypto v1.1.3 h1:nRBOetoydLeUb4nHajyO2bKqMLfWQ/ZPwkXqXxPxCFk=
 github.com/ProtonMail/go-crypto v1.1.3/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/RoaringBitmap/roaring/v2 v2.5.0 h1:TJ45qCM7D7fIEBwKd9zhoR0/S1egfnSSIzLU1e1eYLY=
@@ -117,6 +119,7 @@ github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembj
 github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o=
 github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE=
+github.com/bwesterb/go-ristretto v1.2.0/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0=
 github.com/cbroglie/mustache v1.4.0 h1:Azg0dVhxTml5me+7PsZ7WPrQq1Gkf3WApcHMjMprYoU=
 github.com/cbroglie/mustache v1.4.0/go.mod h1:SS1FTIghy0sjse4DUVGV1k/40B1qE1XkD9DtDsHo9iM=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
@@ -129,6 +132,7 @@ github.com/chai2010/gettext-go v1.0.2/go.mod h1:y+wnP2cHYaVj19NZhYKAwEMH2CI1gNHe
 github.com/cloudflare/cfssl v0.0.0-20180223231731-4e2dcbde5004/go.mod h1:yMWuSON2oQp+43nFtAV/uvKQIFpSPerB57DCt9t8sSA=
 github.com/cloudflare/cfssl v1.6.4 h1:NMOvfrEjFfC63K3SGXgAnFdsgkmiq4kATme5BfcqrO8=
 github.com/cloudflare/cfssl v1.6.4/go.mod h1:8b3CQMxfWPAeom3zBnGJ6sd+G1NkL5TXqmDXacb+1J0=
+github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I=
 github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
 github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
 github.com/codahale/rfc6979 v0.0.0-20141003034818-6a90f24967eb h1:EDmT6Q9Zs+SbUoc7Ik9EfrFqcylYqgPZ9ANSbTAntnE=
@@ -330,6 +334,8 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.4/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
@@ -342,9 +348,15 @@ github.com/google/certificate-transparency-go v1.1.4/go.mod h1:D6lvbfwckhNrbM9WV
 github.com/google/gnostic-models v0.6.9 h1:MU/8wDLif2qCXZmzncUQ/BOfxWfthHi63KqpoNbWqVw=
 github.com/google/gnostic-models v0.6.9/go.mod h1:CiWsm0s6BSQd1hRn8/QmxqB6BesYcbSZxsz9b0KuDBw=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-github/v50 v50.2.0/go.mod h1:VBY8FB6yPIjrtKhozXv4FQupxKLS6H4m6xFZlT43q8Q=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -552,6 +564,8 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/mreiferson/go-httpclient v0.0.0-20160630210159-31f0106b4474/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
+github.com/mreiferson/go-httpclient v0.0.0-20201222173833-5e475fde3a4d/go.mod h1:OQA4XLvDbMgS8P0CevmM4m9Q3Jq4phKUzcocxuGJ5m8=
 github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
 github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
@@ -569,6 +583,7 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J
 github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
+github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -663,6 +678,7 @@ github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp
 github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.0.6/go.mod h1:pMByvHTf9Beacp5x1UXfOR9xyW/9antXMhjMPG0dEzc=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
+github.com/sirupsen/logrus v1.3.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
@@ -730,8 +746,9 @@ github.com/vbatts/tar-split v0.12.1 h1:CqKoORW7BUWBe7UL/iqTVvkTBOF8UvOMKOIZykxnn
 github.com/vbatts/tar-split v0.12.1/go.mod h1:eF6B6i6ftWQcDqEn3/iGFRFRo8cBIMSJVOpnNdfTMFA=
 github.com/viney-shih/go-lock v1.1.1 h1:SwzDPPAiHpcwGCr5k8xD15d2gQSo8d4roRYd7TDV2eI=
 github.com/viney-shih/go-lock v1.1.1/go.mod h1:Yijm78Ljteb3kRiJrbLAxVntkUukGu5uzSxq/xV7OO8=
-github.com/weppos/publicsuffix-go v0.15.1-0.20210511084619-b1f36a2d6c0b h1:FsyNrX12e5BkplJq7wKOLk0+C6LZ+KGXvuEcKUYm5ss=
-github.com/weppos/publicsuffix-go v0.15.1-0.20210511084619-b1f36a2d6c0b/go.mod h1:HYux0V0Zi04bHNwOHy4cXJVz/TQjYonnF6aoYhj+3QE=
+github.com/weppos/publicsuffix-go v0.13.0/go.mod h1:z3LCPQ38eedDQSwmsSRW4Y7t2L8Ln16JPQ02lHAdn5k=
+github.com/weppos/publicsuffix-go v0.40.3-0.20241121092442-c6cbe8e9f6f1 h1:xivnSZBZAOd6o3L30GFlVS5BlTx18uyR4jcEls6X7/0=
+github.com/weppos/publicsuffix-go v0.40.3-0.20241121092442-c6cbe8e9f6f1/go.mod h1:vuIH6F4fhalyBwt2P2bLeqrZnRgJf5Dj4olpUlwEO2Q=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
@@ -752,10 +769,17 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
 github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
-github.com/zmap/zcrypto v0.0.0-20210511125630-18f1e0152cfc h1:zkGwegkOW709y0oiAraH/3D8njopUR/pARHv4tZZ6pw=
-github.com/zmap/zcrypto v0.0.0-20210511125630-18f1e0152cfc/go.mod h1:FM4U1E3NzlNMRnSUTU3P1UdukWhYGifqEsjk9fn7BCk=
-github.com/zmap/zlint/v3 v3.1.0 h1:WjVytZo79m/L1+/Mlphl09WBob6YTGljN5IGWZFpAv0=
-github.com/zmap/zlint/v3 v3.1.0/go.mod h1:L7t8s3sEKkb0A2BxGy1IWrxt1ZATa1R4QfJZaQOD3zU=
+github.com/zmap/rc2 v0.0.0-20131011165748-24b9757f5521/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
+github.com/zmap/rc2 v0.0.0-20190804163417-abaa70531248/go.mod h1:3YZ9o3WnatTIZhuOtot4IcUfzoKVjUHqu6WALIyI0nE=
+github.com/zmap/zcertificate v0.0.0-20180516150559-0e3d58b1bac4/go.mod h1:5iU54tB79AMBcySS0R2XIyZBAVmeHranShAFELYx7is=
+github.com/zmap/zcertificate v0.0.1/go.mod h1:q0dlN54Jm4NVSSuzisusQY0hqDWvu92C+TWveAxiVWk=
+github.com/zmap/zcrypto v0.0.0-20201128221613-3719af1573cf/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ=
+github.com/zmap/zcrypto v0.0.0-20201211161100-e54a5822fb7e/go.mod h1:aPM7r+JOkfL+9qSB4KbYjtoEzJqUK50EXkkJabeNJDQ=
+github.com/zmap/zcrypto v0.0.0-20241123155728-2916694fa469 h1:dML8+gao2ANCuJ2vFOChvPH0FSwKaGxPXa86U6XvMmg=
+github.com/zmap/zcrypto v0.0.0-20241123155728-2916694fa469/go.mod h1:sUuKi10EbW7faJAE9weL6EkhX+/yqBhb+iommU6P4VA=
+github.com/zmap/zlint/v3 v3.0.0/go.mod h1:paGwFySdHIBEMJ61YjoqT4h7Ge+fdYG4sUQhnTb1lJ8=
+github.com/zmap/zlint/v3 v3.6.4 h1:r2kHfRF7mIsxW0IH4Og2iZnrlpCLTZBFjnXy1x/ZnZI=
+github.com/zmap/zlint/v3 v3.6.4/go.mod h1:KQLVUquVaO5YJDl5a4k/7RPIbIW2v66+sRoBPNZusI8=
 go.etcd.io/bbolt v1.4.0 h1:TU77id3TnN/zKr7CO/uk+fBCwF2jGcMuw2B/FMAzYIk=
 go.etcd.io/bbolt v1.4.0/go.mod h1:AsD+OCi/qPN1giOX1aiLAha3o1U8rAz65bvN4j0sRuk=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
@@ -822,9 +846,16 @@ golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201124201722-c8d3bf9c5392/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
+golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
 golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
 golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
 golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
@@ -832,20 +863,35 @@ golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5N
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
 golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190613194153-d28f0bde5980/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
+golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
+golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.31.0/go.mod h1:P4fl1q7dY2hnZFxEk4pPSkDHF+QqjitcnDjUQyMM+pM=
 golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
 golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
 golang.org/x/oauth2 v0.29.0 h1:WdYw2tdTK1S8olAzWHdgeqfy+Mtm9XNhv/xJsY65d98=
 golang.org/x/oauth2 v0.29.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -856,6 +902,11 @@ golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
 golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -869,6 +920,7 @@ golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201126233918-771906719818/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210331175145-43e1dd70ce54/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -876,6 +928,7 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210927094055-39ccf1dd6fa6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211007075335-d3039528d8ac/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211110154304-99a53858aa08/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220405052023-b1e9470b6e64/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220412211240-33da011f77ad/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -884,19 +937,42 @@ golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
 golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
+golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
+golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
+golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.26.0/go.mod h1:Si5m1o57C5nBNQo5z1iq+XDijt21BDBDp2bK0QI8e3E=
 golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
 golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
 golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
 golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
@@ -906,12 +982,16 @@ golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
 golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
 golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=
@@ -919,6 +999,10 @@ google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a/go.
 google.golang.org/grpc v1.0.5/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
 google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/airbrake/gobrake.v2 v2.0.9/go.mod h1:/h5ZAUhDkGaJfjzjKLSjv6zCL6O0LLBxU4K+aSYdM/U=
@@ -927,6 +1011,7 @@ gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLks
 gopkg.in/cenkalti/backoff.v2 v2.2.1 h1:eJ9UAg01/HIHG987TwxvnzK2MgxXq97YY6rYDpY9aII=
 gopkg.in/cenkalti/backoff.v2 v2.2.1/go.mod h1:S0QdOvT2AlerfSBkp0O+dk+bbIMaNbEmVk876gPCthU=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
diff --git a/pkg/networking/diagnostics.go b/pkg/networking/diagnostics.go
index bf1b05f6b..e952f6c99 100644
--- a/pkg/networking/diagnostics.go
+++ b/pkg/networking/diagnostics.go
@@ -1,7 +1,6 @@
 package networking
 
 import (
-	"crypto/fips140"
 	"fmt"
 	"net"
 	"net/http"
@@ -73,14 +72,11 @@ func ProbeTelnetConnection(url string) string {
 func DetectProxy(url string) string {
 	client := &http.Client{
 		Transport: &http.Transport{
-			TLSClientConfig: crypto.CreateTLSConfiguration(),
+			TLSClientConfig: crypto.CreateTLSConfiguration(true),
 		},
 		Timeout: 10 * time.Second,
 	}
 
-	// TODO: use fips.CanTLSSkipVerify() instead
-	client.Transport.(*http.Transport).TLSClientConfig.InsecureSkipVerify = !fips140.Enabled()
-
 	result := map[string]string{
 		"operation":      "proxy detection",
 		"local_address":  "unknown",