Open Source Friday with Pomerium

GitHub | 01:13:50 | Jun 13, 2026
Chapters (13)

Introduction to the show, audience locations, and the value of open source communities.

Nick Ntiki showcases Pomerium's zero-trust proxying (web and SSH) with live demos, policy-based access, and immediate revocation for contractors and AI tools alike.

Summary

Nick Ni (Nikki) chats with Andrea on Open Source Friday about Pomerium, an open-core identity-aware proxy inspired by Google's zero-trust model. The talk covers how Pomerium sits at the edge as a reverse proxy, policy engine, and identity-provider integration, enforcing granular access control for internal resources. Nick explains why the traditional VPN perimeter is insufficient and demonstrates how policies revoke access on the very next request when a user's status changes. The session includes live demos: a browser-based web route protected by policies, and a native SSH flow that uses an Envoy extension to proxy SSH with ephemeral session certificates. He also discusses support for remote MCP servers, browser-based usage (no client install), and a tunnel-based development workflow. Throughout, he contrasts Pomerium with other identity solutions, touches on latency considerations, and invites developers to contribute, with AI-assisted contributions welcome provided their AI use is disclosed. The show closes with Nick sharing upcoming in-person appearances and a call to star the repository. The vibe blends practical security demos with a taste of home-lab practicality and community collaboration.

Key Takeaways

  • Pomerium integrates a proxy, a policy engine, and an identity provider to enforce fine-grained access control at the edge, not just a VPN tunnel.
  • Access decisions are evaluated per resource with immediate revocation; removing a contractor from policy cuts off access on the next request.
  • Pomerium supports both web-based routes and native SSH via Envoy, issuing ephemeral session certificates instead of static keys.
  • OIDC-compatible identity providers (Google, GitHub, Okta, Microsoft Entra, etc.) are supported for flexible authentication flows.
  • Zero-trust masking of internal networks avoids over-permissioning; even if you log in, you only access the resource your policy allows.
  • OpenClaw integration demonstrates how a trusted proxy can secure AI/LLM workflows, with a live demo of echo tools through an MCP gateway.
  • Contributing to Pomerium is welcome; the community guidelines encourage opening a conversation before a PR and require disclosure of AI use where applicable.
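The three-part model in the takeaways above (reverse proxy, policy engine, identity provider) and the per-request revocation shown in the demo can be made concrete in a few dozen lines. The example below is added here for illustration; it is not Pomerium's code and not part of the episode. It borrows only the route shape the talk describes (a public from URL, an internal to upstream, a policy list) and the demo's steps; its small and/or/not policy evaluator over email, domain and authenticated_user is an assumption, a simplified stand-in for Pomerium's real policy language, and the domain names and e-mail addresses in it are constructed placeholders.

```python
"""Identity-aware proxy decision loop, as a constructed illustration.

This is not Pomerium's code. It mirrors the route shape described in the talk
(a public "from" URL, an internal "to" upstream, and a policy) and the
behaviour demonstrated: every request is evaluated against the policy as it
stands right now, so editing the policy revokes access on the very next
request without any re-login. The and/or/not policy tree over email, domain
and authenticated_user is an assumption, a small subset modelled loosely on
Pomerium's policy language, not a faithful implementation of it.
"""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class Identity:
    """What the identity provider (Google, GitHub, Okta, ...) asserted about the caller."""
    email: Optional[str] = None  # None: the caller never completed a login

    @property
    def authenticated(self) -> bool:
        return self.email is not None


@dataclass
class Route:
    """One protected application: public URL -> internal upstream, gated by policy."""
    from_url: str  # public-facing URL; safe to publish, policy does the gating
    to: str        # internal upstream; only ever reached after policy passes
    policy: List[Dict[str, Any]] = field(default_factory=list)


def _criterion(name: str, value: Any, ident: Identity) -> bool:
    """Evaluate one leaf criterion against the caller's identity."""
    if name == "authenticated_user":
        return ident.authenticated == bool(value)
    if name == "email":
        return ident.email is not None and ident.email == value["is"]
    if name == "domain":
        return ident.email is not None and ident.email.split("@")[-1] == value["is"]
    raise ValueError(f"unknown criterion: {name}")


def _evaluate(expr: Dict[str, Any], ident: Identity) -> bool:
    """Recursively evaluate an and/or/not tree whose leaves are criteria."""
    (op, operand), = expr.items()  # every node is a single-key mapping
    if op == "and":
        return all(_evaluate(sub, ident) for sub in operand)
    if op == "or":
        return any(_evaluate(sub, ident) for sub in operand)
    if op == "not":
        return not _evaluate(operand, ident)
    return _criterion(op, operand, ident)


def is_allowed(route: Route, ident: Identity) -> bool:
    """Deny by default; access is granted only if some allow rule evaluates true."""
    return any(_evaluate(rule["allow"], ident) for rule in route.policy)


def proxy_request(routes: Dict[str, Route], public_url: str, ident: Identity) -> Tuple[int, str]:
    """Gate one request at the edge; returns (status, upstream or reason).

    The upstream address leaves this function only when policy passes, which is
    the "never even in the internal network" property from the talk.
    """
    route = routes.get(public_url)
    if route is None:
        return 404, "no such route"
    if not ident.authenticated:
        return 302, "redirect to identity provider"  # log in first
    if not is_allowed(route, ident):
        return 403, "forbidden"  # authenticated, but policy did not pass
    return 200, route.to


def parse_ssh_login(username: str) -> Tuple[str, str]:
    """Split the user@route login used for native SSH (e.g. 'demo@jump')."""
    user, sep, route_name = username.partition("@")
    if not sep or not user or not route_name:
        raise ValueError("expected <user>@<route>")
    return user, route_name


def demo() -> List[Tuple[int, str]]:
    """Replays the live demo with constructed sample values: allow, tighten, then revoke."""
    verify = Route(
        from_url="https://verify.example.invalid",  # placeholder, not the talk's domain
        to="http://verify:8000",
        policy=[{"allow": {"and": [{"authenticated_user": True}]}}],
    )
    routes = {verify.from_url: verify}
    nick = Identity(email="nick@example.invalid")  # constructed sample identity
    results = [proxy_request(routes, verify.from_url, Identity())]  # anonymous: 302
    results.append(proxy_request(routes, verify.from_url, nick))    # any logged-in user: 200
    # Tighten the policy to a single email ("I'm only allowing myself"); still 200.
    verify.policy = [{"allow": {"or": [{"email": {"is": "nick@example.invalid"}}]}}]
    results.append(proxy_request(routes, verify.from_url, nick))
    # Put a typo in the email: the very next request is 403, no re-login involved.
    verify.policy = [{"allow": {"or": [{"email": {"is": "niko@example.invalid"}}]}}]
    results.append(proxy_request(routes, verify.from_url, nick))
    return results


if __name__ == "__main__":
    for status, target in demo():
        print(status, target)
```

Run it directly to print the four decisions (302, 200, 200, 403). The point to notice is that nick never logs in again between the third and fourth request; only the policy changed, and because evaluation happens on every request the change takes effect immediately rather than at the next session. The parse_ssh_login helper mirrors the user@route convention the SSH demo uses (demo@jump), where the at sign is ordinary username syntax that the proxy splits to pick a route.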

Who Is This For?

Developers and security engineers exploring zero-trust architectures, internal-access governance, and practical deployment of identity-aware proxies. Also valuable for teams needing auditable, granular access controls for contractors, SSH access, and AI-assisted workflows.

Notable Quotes

"An identity-aware proxy consists of three things. So you have a proxy, a reverse proxy I should say, you have a policy engine and you have an identity provider."
Nick defines the core components of Pomerium.
"The big difference here is once you do get access, you only have access via north-south traffic. You can’t move laterally."
Explains micro-segmentation and access control granularity.
"If I don’t have policy passing, I’m never even in the internal network."
Emphasizes zero-trust principle at the edge.
"Immediate revocation happens because there are ephemeral certificates, not long-lived keys."
Highlights security benefit of ephemeral session credentials for SSH.
"We support native SSH and use an Envoy extension to proxy SSH—no extra client needed for SSH access."
Demonstrates SSH support and workflow.

Questions This Video Answers

  • How does Pomerium enforce zero-trust access to internal resources with policy-based decisions?
  • What’s the difference between a traditional VPN and Pomerium’s identity-aware proxy in terms of security and access control?
  • How can I use Pomerium with SSH access and ephemeral certificates instead of static keys?
  • Which identity providers does Pomerium support for OIDC in enterprise setups?
  • Can Pomerium secure AI/ML workflows like OpenClaw or other MCP gateways and how does that work?
Tags: Pomerium, Zero Trust, Identity-Aware Proxy, Envoy, OIDC, MCP, SSH proxy, Open Source Friday, Open Source Community, AI in Open Source
Full Transcript
Hello, my friends. Hello, hello, hello. Good morning, good afternoon, good evening, wherever in the world you're joining. Welcome to Open Source Friday. You made it. I am so happy for you that you made it to Friday. I'm more happy for me because I'm taking time off next week. But welcome to Open Source Friday. Welcome, Randy. Randy, you're a friend of the family, man. You're family now. Thanks for tuning in all the way from Colombia. Welcome, Jeff. Welcome, Coolface Fashions. Thank you so much for being here. So for those of you who are new to the show, Open Source Friday is a show about open source. We take this hour on Friday afternoons to celebrate the maintainers, the contributors, and talk about the awesome projects that make our lives so much easier. My name is Andrea, at Columbia Deon and all places. I'm going to be blind for you so this glare is not distracting you. But welcome, welcome. In case you missed it, there is an entire playlist, and what you just saw is our new promo. Shout out to my friend for the awesome music; open source for the best, right? He gifted it to us for us to use. There is an awesome playlist on YouTube where you can watch all past episodes of Open Source Friday. I'm going to drop that link right here in the chat so that you go ahead and save it. And then later on, or on the weekend when you're chilling and you're like, "I don't know what else to do today, I want to watch something that's fun." Fun is guaranteed. Making promises here, but it is. It kind of is. So let me just go ahead and share that link, and please let me know in the chat where you are joining from. I want to know where you're watching us from. I already know that Randy is joining from Colombia. Thank you. Also, I want to know if you're watching the World Cup. Very important. Extremely important. Extremely, extremely important. And then hello, welcome, Aim. Thank you for being here. Let's see.
I don't know what this is. It looks like spam. Don't spam the show. Please don't spam the show. But for those of you who are joining here, you're here to learn. Welcome. Welcome from the Philippines. This is awesome. Jojo, you are from a long way away. Thank you for being here. Appreciate it. That's the beauty of open source: we get to be a part of something bigger than all of us, and where you are in the world does not matter. That's part of why I love open source. So tell me where you're joining from. Tell me why you love open source. And then we're going to introduce our guest. Let me tell you, I am a big fan of this human, on all levels. You know how they say don't meet your heroes. You know people online and you're like, that person seems really cool, anything they put out, I subscribe to the newsletter. We're gonna talk about that, too. That's not what he's here to talk about, but we're gonna have to talk about that, too. And then sometimes you meet them in person, and you're like, "Well, that was a hell of a letdown." That was not the case when I met this fantastic human being. And I am so grateful that he's not only an amazing open source person, maintainer, GitHub Star, I'd say friend. Welcome, Nick T.

How's it going, Andrea? Good to see you.

Good to see you. First of all, can we talk about your shirt, my man?

Oh, yeah. Yeah, yeah. I guess so. If you want to go to the GitHub shop, they're selling these. They're called Cabana shirts. I call it a Hawaiian shirt, but there was the Maintainer Summit recently, I don't know if you want to link to that, but after attending that, Ashley Wolf actually sent a thing saying, "Hey, here's a coupon for the GitHub store," and I was looking at what was there and I was like, I don't need a beer cozy or drink cozy. I've got stickers. I'm like, I need a good Hawaiian shirt. And I saw that, and so yeah, it came last week.
And this is one big props I've got to give to GitHub: their swag is always super comfortable. I'm sure everybody who's ever been to a conference and gotten some kind of t-shirt from some booth knows the feeling, it's like sandpaper, like, this will be to clean my windows.

Yeah. Exactly.

This stuff, I feel like I'm in silk sheets right now. So I'm in heaven right now. I am loving this.

Listen, this is going to be a promo for the shop. Please go to the githubshop.com. And if you want that super sweet t-shirt, or actually Hawaiian shirt, it's pretty sharp. I've worn it before. If you go to our YouTube channel, you'll see I did a Download, the last Download, wearing it. I wore it for one of our events during Microsoft Build. So I feel like you'll get your mileage out of it. It's a fun fit. It's a really fun fit. It's got shorts. Did you get the shorts?

I did not get the shorts. But funnily enough, I ordered one of these and I got two for some reason. So, bonus shirt; I'd say only at the gift shop.

I love it. I love it. Don't say vary. You might not get to. Speaking of cool swag, I won a pair of socks with this beautiful face on them at an event. I think it was during Jason Torres's birthday extravaganza marathon stream for like 24 hours, and you were one of the folks who came in and brought some presents, and I'm like, I never win anything, and I couldn't believe it. And then they came in the mail, and my kids jacked it, like my kids stole them from me.

Oh, yeah. I love it. So the funny story here: where I work, the open source project, it's called Pomerium. A lot of people have trouble saying it for some reason. And a lot of people say Pomeranian.

That's what I was gonna say.

And so, yeah, exactly.
And I don't know, I guess I'm biased now because I've said the company name very often, but I told the marketing team, which is basically just my manager and me, I'm on marketing and engineering, but basically I said, why don't we just have this crazy dog? It's not our actual logo. The logo is the arches there, the thing that looks like an M. And so I did this kind of quick one in, not Sora, I forget what I was using, the chat images or whatever. And it gave kind of a Tasmanian devil look. And then we got an actual designer, who used AI, but we ended up with this. And I kid you not, people take these stickers all the time, the socks like you were saying. So here's to not being able to pronounce names properly; you end up with good swag, I guess.

That was a happy accident if I ever saw one. I love it. The stickers are super cute as well. No, this is good swag, man. That's quality swag. That Pomeranian looks badass. So I'm here for it. I'm here for it. Well, my friend, this is what you're here to share with us. So first of all, for those of us who are completely new to Pomerium, tell us what it is, where did it come from, give us a little bit of background on the project.

Okay. So, here's a shout out to Excalidraw. I'm a big fan of Excalidraw. Amazing project. So I'll give a short history because I don't want to bore people with history, but basically, if anybody's ever used Google Cloud, GCP, they have something in there called an IAP. It's called an identity-aware access proxy. Sorry, identity-aware proxy. This is something that internally is used at Google; anybody that works at Google, even if you're not in engineering, everybody knows what it is. They call it Uberproxy internally. So essentially they had this massive security breach in, I think, 2009 or 2010.
Somebody got on the VPN, I believe, and just wreaked havoc. And so they went to the drawing board and said, we've got to rethink security. And so they came up with zero trust security as a model. And basically what it is, as a concept, is you're always verifying things all the time. So it's not just that first request to access some resource. The next time you access it again, it's going to verify it again. And it goes through a few things here. So in the diagram here, folks watching the stream, let me know if you need me to zoom this in a bit more, I can, but basically Pomerium here, that's what's called the identity-aware proxy. So it's an open core thing, like a lot of companies that work in open source, there's enterprise, but we're not talking about that today. Essentially an identity-aware proxy consists of three things. So you have a proxy, a reverse proxy I should say, you have a policy engine, and you have an identity provider. So let me pull this out of here actually, because it's not necessarily in there. The identity provider is something people are pretty familiar with; that's like logging in with Google or GitHub or Okta, whatever you use at your work, and Microsoft Entra. So that's the identity provider. The policy engine is basically something that determines, based on a set of rules or policies, is it true or not, does this policy evaluate so that this entity or person is allowed to do something, and then if they are allowed to do something it goes to the reverse proxy part, and then only at that point do you actually go to the actual thing you're trying to access. So this is a lot different than, I'm assuming people have used VPNs before, but when you're on a VPN, you log in and then you have access to the whole network.
So even, you know, you might not be able to log in to the HR portal because you're not in HR, you're in engineering or whatever, but that HR portal is on the network. And there are some modern VPNs that segment the network. So maybe the HR thing is in another part of the network that only HR can VPN into, but regardless of the segmentation or not, whatever's on the network is available to you. And basically, I think most people know there are all kinds of hacks going on, the CVEs and stuff. You kind of have to consider that there are bad actors in your network, even if you have great security and stuff. The perimeter is no longer the way to stay safe. And I mean, there's a reason why Trojan horse viruses are called Trojan horse, because if anybody knows the story of that, a present was given to a king, and the Trojan horse is just sitting outside, and then there's a whole army inside it, and once they get in the perimeter they wreak havoc. So that's why the perimeter really can't be the security boundary now. And the other thing too is, think during the pandemic, or when people started working remote more, not everybody's in the network. So yes, there was the VPN, but basically you can be anywhere to do work; that doesn't matter. What matters is, are you logged in through your identity provider, and for whatever internal resource you're trying to access, do the policies for you pass so that you can actually access the thing? And the really big difference here too is, when you're on a network, everything's there. With this, you have the identity-aware proxy in front. So you're not even in the network yet. If the policies don't pass and you're not logged in, you're never even in this internal network.
So in terms of security, even if there was a bad actor and they logged in somehow, the policies probably wouldn't pass. So they just don't get into the internal network. And this is super important because it's a really great way to safeguard things. And the other thing is, I have a few internal resources here. So for example, we've got a web app, a database, or an MCP server. If I'm trying to access the MCP server, for example, when I log in, for anybody that's done any MCP stuff, there's an OAuth flow and stuff, that's what's going to happen. But then there are going to be some policy checks, and it's going to say, does Nick have access to this MCP server? If I don't, I'll get an error and I never get to the actual MCP server. I only get to the, air quotes, kind of proxied server, which you just never got through. But if I do get through, I obviously access the real resource in the internal network here. And the other thing to mention about that is, once I do get access to that internal resource, I only have access via north-south traffic, meaning I came in and then I went straight to that thing. Once I'm in there, I can't say I want to go over to the database; I don't even see those things. I don't even have access to them. So they're basically segregated. It's like micro-segmentation, if you want to get fancy. And obviously the MCP server could talk to the database, but that's the application itself. The user themselves would not have access to other stuff in that internal network to move around once they're in. So that's kind of the TL;DR of it. And like I said, Google uses this. Obviously it's closed source. So basically my CEO, who... oh, hey from Romania. I was there. I was in Sibiu about a week and a half ago. Yeah.
So basically my CEO created this project called Pomerium in open source, and it was basically an open source version of everything I mentioned about Google and these BeyondCorp papers, the white papers; we can share a link to that. So that's kind of what it is. It's a lot to take in, and security stuff can be intimidating, I know, and I'll be honest, when I first started here I was very confused.

Oh, no. This is super interesting to me, though, because honestly now more than ever we have to be so mindful. And you said, obviously, the increase of remote work added layers of complexity when you're not physically going into an office to tap into whatever network, but even then there were problems with VPN, right? You didn't have what you have with Pomerium, that sort of granular permissions, and the fact that that's for every single resource. I love that. So they built this; they had this massive issue at Google. Then it was built inside Google. I'm assuming this is built in Go.

Yes, ours is built in Go. I don't know about Google's, but I would assume it's Go as well. Go is really good for networking, and it's a pretty solid choice. I see a question in the chat from Randy Rays. I can answer that if you want to share that on the screen.

Wonderful. Yes, thank you for catching that, and thank you so much. Let's see. Oh, I think I missed Ry's. Let's go with Steve's first and then we can address Randy's. Thank you, Randy, for being here. So, thank you, Steve. How does it compare to WorkOS?

Yeah. I'm familiar with WorkOS, but I know they have some newer stuff, so I might not be as familiar with that stuff.
But WorkOS is typically something you can use as an identity provider, and I know they support multiple identity providers; I think you can kind of have a virtual identity provider, which is like maybe you say at your office you're using Okta, Google and something else, or GitHub. I think WorkOS now has some kind of authorization stuff. It might be more MCP specific. I'm not positive. Steve, let me know about that. But from what I've understood in general, WorkOS is just really good at the authentication layer, and I think there's a bit of authorization that they provide to you. But I'm not as up to speed. I should ask my friend Nick Nisi who works over there.

Interesting. Okay. And thank you for the questions. We appreciate it. Let's go to Randy then. Since Pomerium forces per-request context authorization instead of just checking the session like a traditional VPN, how do you mitigate the latency overhead for high-output apps? That's a good question, because speed matters.

Yeah, it definitely is a really great question, Randy. So the first thing is, this is something you always self-host; even if you're using our paid product, it's always self-hosted. So you basically install it at your network's edge. So if you're in Azure or GCP or AWS, you're going to install this on your network edge close to all your resources. So there technically is some latency, but I would say it's negligible. And this is a solution that's really good for securing internal apps. You could do it for public-facing too, but I think the big use case is really protecting internal resources, whether that's databases or web apps or MCPs, etc. Oh, hey Will, how's it going, man? Yeah. So, I don't know if that answers your question, Randy.
So technically a little latency, but I mean, we're talking negligible, like you blink, or maybe half a blink. I don't know.

Okay. That sounds... but listen, if that blink is the difference between you having a massive security issue, it's worth it. So for traditional VPN, I guess, and you explained it beautifully with that amazing Excalidraw earlier, you connect to the thing and then that's it, you're in. Versus this, I'm trying to make a mental map for myself, then it's per application and per resource. So it's much more granular, and it checks every time. So it trusts that you logged in, like you showed us, but then maybe you are in a part of the company where you do not need access to this internal resource. So that's not going to be something that you have access to, like doing those company policies that can get super complex. I can see how this will be super, super useful. Tell us a little bit about the way that you've seen people adopting Pomerium then. I can think of companies that have a ton of contractors; it would just be amazing, less headache for the security people. But what have you seen for teams that are switching to Pomerium?

Yeah. A lot of people just like the security model. Zero trust has become very popular. There are a lot of people that market as zero trust which aren't really zero trust as well. Not going to throw shade at anybody, but...

Yeah. No, but they're calling it something that it's not.

So yeah. Or it's kind of like it, but not exactly. Sorry. Go ahead, Andrea.

No, no, no. So okay. So zero trust in practice. Yes, you're correct, it gets thrown around a lot. But let's think about a scenario, for example, that you've seen maybe in the wild where zero trust caught something that, let's say, VPN security couldn't catch.
Yeah. So basically, when you're on a VPN, you log in, and yes, there might be multi-factor authentication or something with the VPN, but once you're connected, you're just on the VPN the rest of the day, unless you get disconnected because your internet goes down or whatever. So you're basically considered trusted at that point. But like I said, that's really not the case anymore these days. There are just bad actors in general. Who knows? Maybe disgruntled workers. So I guess, for a visual, picture the Olympics, people swimming. You have your own swim lane. It's the only lane you can go in. Think of that as how you're accessing the resources. So you get in lane one, that's you, you can't get out of it. I mean, you could get technical and say, well, you get disqualified if you go into the other lane, but just try it; that's kind of a good visualization. Think of the network as the pool and the lanes as really the application access or internal resource access going through the identity-aware proxy. The other thing, in terms of the verification all the time: think about people that have, I'm sure everybody's been to a club or some kind of event, you get a stamp on your wrist or you get a band, and then you're going to try and be super sneaky and be like, "Hey, let me give you my armband." You give it to somebody and they're going to go out and give it to you. That other person gets in, maybe, but you go out and they're gonna be like, "Where's your band?" Because it's gonna check you every time. You know what I mean? So there's no kind of sneaking around things. And good examples of it:
I gave a talk about it. I can share that too. But there's this person Frank Abagnale, if anybody's ever seen the movie Catch Me If You Can with Leonardo DiCaprio.

Yes.

But basically everything he does would not have happened with zero trust. Yes, it was the 60s and 70s or whatever, but he was impersonating people saying, "Oh, I need a suit. Oh, okay. Now I look like a pilot," and stuff. And so that's why this constant verification is super important. Even think literally at the airport: you go through security, you have to show your boarding pass. Your boarding pass is kind of like the policies, like you're allowed to go to this gate. Your passport is your identity. But, I don't know, this happened to me once: I left my Apple Watch in the bin, and basically I was like, oh man, I couldn't go back because I was going to miss my flight. But had I gone back I would have had to go through security again. There's no way I could just say, "Oh yeah, I forgot my watch. I'm good. Don't worry about it." Security is going to be like, no way. So that's why this constant verification is super important. And having it close to your network's edge is what really helps. But you were mentioning contractors, and that's a super valid one. This is a use case that people find super helpful with this, because you have policies and you could say, this person is in the contractors group. You could remove them. Or maybe it's literally their email; you remove them. And these policies, not only are they fine-grained, they're dynamic. So as soon as they change, people will get revoked. That next request, if their email's no longer in the policy check, they're going to be denied immediately. And I can show that briefly.

Yeah. Yeah.
Let's take a look at that, because I do want to ask you also what IdPs you integrate with. And then we can see it in action. That'll be cool.

So, here's... I'm going to share, I don't know if I can share links in the chat, but this is one that is public. Okay. I can't share. I'll share it with you.

You share it with me and then I can plug it in the chat.

Yeah. So, this is a live site. So I've registered, I have a domain, imveloper.com. So if anybody goes to that, verify, I'll show you what it's going to look like. And anybody in the chat can do this. I'm just going to log out and I'm going to go to it. So I'm going to be redirected. I'm using what we call our hosted authenticate. And it supports email, Google, and GitHub. But you can also connect with Okta, Auth0, Microsoft Entra; pretty much any OpenID Connect compliant identity provider will work. That's pretty much the gist of it. And there's configuration. We have presets that you can get config for, but if you have a custom one, as long as it's OpenID Connect compatible, it will, or in theory should, work. So I'm going to log back in. I log in with GitHub. So you're going to see here, and now I can access it. And I don't know if at least one person in the chat can tell me if they were able to log in or not; I can go ahead and change the policy.

So I tried to log in and it says that my something expired, or I need to check my email for a link, but I think I didn't.

Oh, it's because maybe you had to create an account.

Ah, that might be it. Yeah. Okay.

Okay. Well, even if you haven't logged in, I'll show you briefly kind of what the policies look like. So let's go to... oops. It would help if I was in the right folder. Okay. Config. Yeah, there we go. Okay.
So let's take a peek here. So there are a few things in here. This stuff we can omit for now, but let's just go look at... so an application is considered, it's called a route. So if we look at that verify one here, okay, let me zoom this in a bit. Okay. So you can see here a route consists of a few things. You have the from property, which is essentially the public-facing URL. And that's something I should also mention: all these links are always public, which seems counterintuitive to security. But even at Google, they're public URLs. It's the policies and the identity provider that do the gating. So this is where you access on the internet, and internally, we support Kubernetes as well, or you can run it straight on Linux, but I'm running it in Docker right now, and so I basically have this image running called verify on port 8000, and that's what this maps to. And passing identity headers, that's just to show the information about you. So if I come back to, where was it, here, that's just showing this information about me, like nicknikity.co and stuff. And if we come back, then there's a policy. Now policies can be super simple, like in this case I'm just saying any authenticated user, or it could just be an email, but these can also be more complicated. It could be device posture, like me on my personal phone versus a work phone. Time-based; it really depends. They can be super simple or super complex. That said, a lot of people just tend to use the simple ones. So now if I come here, let's go ahead and modify a policy. So we'll go to that verify. Okay. And let's see here. Come down to... Okay. So I'm going to change the policy here to just make it similar to this one here. So let's come up. I am not a Vim or vi expert, for anybody in the chat, but I'm slowly learning more. Cool. All right, let's add this in here.
So I'm just adding the policy and I'm going to go ahead and save that. Now, nothing should change, because all I'm basically saying at this point is I'm only allowing myself. So if I refresh this, I'm still going to see it. But just for argument's sake, I'm going to put a typo in my email. So let's say Niko, or Nick Zero, and I'm going to write it, I'm going to come here, and when I go again, you're going to see all of a sudden I'm forbidden.

Oh, wow.

So this is the immediate revocation, because the policies changed. And the important thing to remember here is this is on the identity-aware proxy, not the actual internal app. So you might have application logic, like if role is admin do something or whatever; this is even before any of that. Application logic is a separate thing. This is really gating the resource in the identity-aware proxy to decide whether or not you get access to the internal one. So that's what makes it super powerful. So a perfect example is what you mentioned before, a contractor. It's like, "Oh, Nick's no longer working with us. We parted amicably. He did amazing work, but he's got to go work somewhere else." So remove them from the policy, and boom, immediate revocation. Not kind of like the next time you log in you won't be able to. It's immediate.

So that's super cool. You mentioned something earlier about it being only web-based. It's browser-based, right? So you don't really need to install any special client software to use this. Okay. I feel like that's a huge plus.

Yeah. So there are a few things. There's any kind of web-based stuff. So the identity-aware proxy, for our implementation, uses a CNCF super mature reverse proxy called Envoy, because that's important to people sometimes. So I'm just going to call that out. But yeah, my brain just fried. What was your question about it being browser-based?
So I don't have to install any kind of external client; I just need a browser to be able to... Yeah. So for any web-based resources, exactly, there's no client for this. The identity-aware proxy operates at the application layer, or L7 as they say. So yeah, it's just handled with literally web tech. The other thing is, I'll show this now and I'll just get out of here. We also support native SSH. So if you look here, this is me; I SSH'd into a box where I set this up. This server here is actually a proxied SSH server, meaning it's not the real SSH server. Everything I've mentioned in the context of web-based stuff, the same thing applies to an SSH connection, and it's actually native SSH. And the way this is possible is, I mentioned Envoy as the mature reverse proxy that we have in place. With Envoy you can do, it's like any kind of networking coming through there. So we actually built an Envoy extension that handles native SSH. And so basically, even for SSH, you don't need a client. And this is pretty huge. Because, I don't know, GitHub's a big company, obviously Microsoft's a big company. I worked at a place called Autodesk before. Even as a dev, you're not allowed to install stuff on your machine, right? Yeah. So obviously if the org decided to use something that has a client, they would install it. But maybe there's a constraint that you can't. So this doesn't require that at all. You obviously have to have Pomerium installed, but essentially, I'm just going to show what's a little different here. So the things to be super concrete about are the SSH command here. It's the native SSH client of your operating system. This is not a Pomerium thing. This is literally, I think on macOS it's OpenSSH. I forget what it is, but if you're on WSL and Windows, it's whatever that is.
I haven't been on regular Windows in a while, so I can't speak for that, but Linux, same thing. It's just regular SSH. And then you have your user here. Whoops. Of course, I messed that up. Hold on a sec. There we go. Let's get back in the matrix. Okay. So you have the username. That's pretty common, the demo@. But then you're going to notice there's another piece here: there's this @jump right here, and then there's the actual SSH server. So I was talking before about applications being routes in Pomerium, like I showed you that config with the from and the to and the policies. The same thing applies for SSH. You can have a route for an SSH connection as well. So the route name in this case is jump. And so this is me SSHing into the box where Pomerium is actually running. And I'm using port 2200 just because otherwise it'll override the existing port 22 for SSH. You can get around that, but for demo purposes, it's easier this way. And then what you're going to see is I'm going to connect right away here. And I'm on the box now. Now, let me just log out, though. I always forget the syntax. I think it's this. Yeah. Okay. So let's assume this is the first time I'm going to connect via SSH. So I'm going to go ahead here. Connect. This looks pretty normal aside from the thing that looks a little weird there, the @jump. And just to clarify about the @jump part, it's not a hack. It's actually legal username usage. You can have an @ symbol in a username. So basically when the connection happens, we split on the user and the route so we know what the route is. So now I'm going to go ahead and I'm going to connect here. And just like in the web-based one, you would have a login. Now I'm going to get this login URL, and I'm going to go ahead and click on it. And of course, it goes off screen, but hold on a sec.
Where did it go? Let me do it again where I have a browser window open. Okay, do it. Yeah, that's fine. That's fine. Okay. Oh, it already logged in. Sorry, it did it here. I was already logged in. So I went through the login flow and it said my sign-in was successful, and now I'm logged into the machine. So basically all those policies I was talking about apply to SSH as well, and I can prove that to you. Just how you saw the immediate revocation of that verify web page, let's go ahead and go to the config again. Okay. And now the funny thing is, when I change this, I'm going to get disconnected immediately. But okay. So let's go up to the top here. Lots of comments. I'm just going to go to the jump route. Where is it? I should probably just search for it. Okay. So just like the web-based applications, there's a route for SSH. So in this case the jump here, that's the name of the route, and this is the actual server that it's going to proxy to. This is just a fancy Docker URL here. But basically you have the policy here where it says only I'm allowed to log in. So I'm going to go ahead and change this. And in theory, and in reality hopefully, when I change this I'm going to get disconnected immediately. There we go. I got disconnected. So this is super important, because think about if you're an SRE or there's incident response or something going on. The SRE team will usually have access to prod, but who knows, maybe they're like, "Andrea, you were working on this application. We need to bring you in. We're going to add you to the policy so you can access some prod resources. Just come in there with us. Let's look at logs or whatever you need to do in there." And then once you're done, they're like, "All right, awesome. Thanks, Andrea." They remove you from the policy and then you get disconnected immediately.
And this is super important because the way it works with bastions, when people go into boxes like this, is they've been given access to do this; there's a key on that specific machine for them so that they can access it. And once you're on that machine, you can be there as long as you want. There's nothing aside from a teammate saying, "Hey, Andrea, can you get off? I think you're done working. I need you out." Yeah. Which, if I'm a bad actor, I'm going to tell you to fly. Yeah. Exactly. So that's super important. And because those policies can be emails, groups, whatever, time-based, or, again, it's an enterprise feature, but if you had device-specific policies, like my work machine versus my personal one, I wouldn't be allowed to get to prod on my personal machine, you know. So basically those policies just apply to SSH, is all you need to know, and being revoked immediately is super important. The other thing is, the way this works is, and I can bring up the demo. We don't have to go through this tutorial, but you can share this link. Oh yes, let's share it. Let's share it, because I look so good, and everyone can do it, right? It's a free lab. Yeah, it's on, this is a really great website. My coworker shared it with me a while ago, iemuse.com. It's kind of difficult to pronounce, but basically there's lots of great content in here. There's free and paid stuff. This tutorial I made is completely free. All you have to do is sign up, but it explains everything I was just talking about. And I'm not going to do everything here, but I'll just talk through some of the points. So essentially, we have the SSH client like I was saying, and you make that SSH connection.
It goes to Pomerium, which is the SSH server that you actually connect to, and it determines via policies, and whether you're logged in or not, if you should get proxied to the upstream server. You can get deeper into this diagram, but I think this is the best way to show it at a high level. And a few things to note: typically when I want to SSH to a machine, I have to have a key on that machine for my user. In the case of Pomerium, you don't have to do that. There still needs to be a key on that machine, but it's specific to Pomerium. And then basically what happens is, when you log in with Pomerium, it generates these ephemeral certificates for your current session. So you log in, it gives you a certificate to say that you're allowed to access this particular resource via SSH. Once you disconnect, that ephemeral certificate disappears. And this is super important because, again, from a maintenance standpoint, for an SRE or anybody, they don't have to be like, "Oh yeah, Andrea is no longer a contractor here. We've got to go through all the machines and find where she logged in. We've got to remove those keys." You don't have to do any of that. It's immediate cleanup because there are no keys. So this is a literally super valid use case for SREs or just maintaining your servers, and I encourage you to go through the tutorial. It doesn't take that long. Most of it's just copy-paste, but it explains how things work, and it also shows that immediate revocation that I showed you, so you can test that yourself. And there are also some resources here. Just check out the tutorial, and at the end I've got links to native SSH and stuff, and the policy language, in terms of the syntax for writing policies. I love that. I love that.
And we had a comment earlier, and thank you so much, Mike, for being here, about how you can get super specific with the policies. That flexibility is tremendous. And then the million-dollar question. I'm surprised it took us so long to get to it, because Will has a point that I was also thinking about. This feels useful for AI agents. Can you speak a bit to that? Yeah. So I could talk about it in a few contexts. I'm sure people have heard of OpenClaw. I actually contributed to the OpenClaw project. You got a PR in. What's up, Nick? That's awesome. Yeah, I'll share it in the chat if people want; I forget where I can drop it to you. I'll ping you so you can see it. Yeah. Okay. So other people have contributed to this since, but I did the initial PR, and this basically adds a trusted proxy auth mode to OpenClaw. So, part of my job as a developer advocate is I'm always like, can I secure this thing with Pomerium? So obviously when OpenClaw came out I was like, hey, can I secure this? And I was able to secure it without this feature I added, but this made it first-class support, and it's not Pomerium-specific. It's basically called trusted proxy auth mode. So you could use nginx with OAuth, whatever you use; it's abstract enough that it works for Pomerium too. But that was the motivation behind it, and I actually gave a talk about it at AI Engineer Europe. It was a short talk in the OpenClaw track, but I can show you what this gives you. So this is my home lab. This is my OpenClaw, and here's the true test, I guess. I'll send the link and people can try and access my OpenClaw. Oh snap. Yes, do that. I love this. You know, no regrets, as they say. No regrets.
What I want to battle-test is this. I might get DDoSed, but basically it's the same thing with Pomerium. So I'm going to log out here; there's no logout button in here, but I'm going to go to sign out. And Nick, I'm in. I'm about to turn your lights off. I don't know what you're talking about. I got a big fat forbidden. A big fat forbidden, yeah. So there are a few things here. If I go to it, I'm not going to get forbidden right away. It's going to ask me to log in. I use Auth0, so I'm going to go ahead and log in. It's going to use my Google, and I'm back in. But everybody else should see that login screen. I only allow Google login in this case. But regardless, even once you log in, you're not going to be able to access this. So there's that. And then I also secure some other stuff. So just like the workspace, I have something called claw space that I created. It's an open source project. It's basically a glorified viewer for your workspace in OpenClaw. Except I don't know how to type. There we go. Hopefully I don't show anything here. So basically it's literally mainly a file viewer. I'll just go into stuff like here; I use my OpenClaw to do competitive analysis for work and stuff. There are a few things here, and this is super handy because I don't have to SSH into my OpenClaw to get my workspace files. I can just look at them here, and of course I'm using the Monaco editor from VS Code. And I basically use my OpenClaw that way. So this hardens access to it from the web control plane for OpenClaw, but also SSH, like I showed you before. If I want to SSH into my OpenClaw, I use Pomerium as well.
I need this for all those reasons, because I've been trying to do a lot, just using a repository base, but then that's another layer of "I need to give permission, I need to give write access to a repository" to be able to get the claw to push whatever. So yeah, exactly. This is right. So I obviously have locked myself out of my machine now. So I'm going to go by the IP. What is it? And I'm just going to put that policy back. You won't be able to access this anyway because I have a policy on there in DigitalOcean. But let me just put this back because it'll make my life easier. I'm just doing a quick time check. Cool. We're good. Cool. So I'm going to just put the policy back so that I can SSH into my own machine. Where was it? SSH. Oh, did I fix it? Nick, it looks right. Nick at Nikki. Yeah, but it's not .com, is it? No. Hold on a sec. Okay. Yeah. No, I forget what I changed. Hold on a sec. I think it was a .com. No, because you're like that .co. Maybe it was the... Oh, yeah. I thought I put a zero, but... Oh, yeah. Sorry. Yeah, you're right. Thank you. So, okay. So one, I've been immediately revoked, but now if I quit and come back in, I have access again. So it's immediate revocation, but also immediate, whatever the opposite of revoke is, access. Okay, so another thing I want to talk about is, I'm sure people have, even if they haven't worked with MCPs, I feel like everybody at this point has probably heard the word or acronym MCP. So, spoiler: we support MCPs. Remote MCP servers, to be specific. It's just web tech. It's literally web servers. That's what it is. So this actually fits really well with Pomerium, because Pomerium works really well at the application layer, layer 7, which is HTTP. So we're a natural fit to work with MCP. We can act as an MCP gateway as well. So the whole IdP and the policies, that applies to MCPs as well.
So I never hear people saying, "I'm so excited to implement OAuth for my application." So surprise, or spoiler: you don't have to if you're using Pomerium. The whole flow I've shown you multiple times now, that's the whole OAuth layer for your MCP. So you can literally make a naked MCP, in the sense that it doesn't have OAuth in the actual MCP, and we handle that part. And it's up to you to just build your MCP, your tools and stuff. So let's just go into, where am I? Okay. Yeah, that's right. Okay. And let's do config, config.yml. Okay. So there are a few things here. You need to enable MCP for Pomerium. It's just a flag up here. Where is it? Just say runtime flag mcp true. And then let's do, where is it, dev MCP. Okay. So basically there's not much config you need to do. It just looks like a regular route, like I was showing you before, the from and the to. The only thing that's different is there's this mcp section now. So we're building an MCP server. So we just have to say, and this is just the way you have to write it in YAML, mcp and then you just say it's a server. We also support being a client, but for this I'm just going to show you the server. Now we handle the OAuth flow, like I was mentioning, so you don't have to implement that. But also if you have upstream OAuth, so imagine your MCP connects to your Google Calendar or something in GitHub, where you have to do that additional OAuth flow, you don't have to implement that either. We handle that for you. All you need to do is provide the OAuth app configuration, like the client ID and the client secret, but we handle that whole flow for you. And again, it's the same bread-and-butter stuff. There's a policy associated with this MCP, so only I can access it. So let's go ahead and get a little more interesting now. Okay. So I've got VS Code here. Okay. No, that's not it. I've got too many VS Code windows open. Okay. Yeah. All right.
So I have an MCP template. I can share that, or if you just go on my GitHub profile, you'll see it. It's one of my pinned things. So I'm just going to start this TypeScript MCP template. It has one tool on it. It's just echo. So you'll see it here. It just says echo, and it echoes a message back. Now, another thing I'm going to show is you can have a route configured in Pomerium and it just connects. But that would be assuming I had the MCP server installed where I have Pomerium running, in the network. In this case, I'm actually going to create a tunnel so that I can build my MCP locally and then expose it with a public URL, because for people who have worked with MCPs, remote MCP specifically, if you want to use it in Claude or ChatGPT, you actually have to have a public URL. For VS Code, it's not necessary because it's running on your local machine, but for basically any web-based LLM, you're going to need to do this. So basically, I'm going to do the same thing. Well, not the same thing, but similar. I'm still SSHing to the proxied server here, and again, this is just native SSH. This is nothing Pomerium-specific. I'm just using -R for a reverse SSH tunnel, and this is a pol..., sorry, this is the route I have configured in Pomerium, and I'm just going to say I want my localhost:3000 to tunnel to that. And if we go back here and look, there is the policy of "only I'm allowed to add to it," but there's also this new section of policy here called upstream tunnel. So this policy section here is specific to SSH reverse tunneling, and basically what it says is only I can start the tunnel. And that's important as well, because in your organization you might want to have more than one person being able to start it, but this is typically just a good flow for local development.
The other thing to mention is, because it's tunneling through your own infra, you're not going through a third party, and that's a big no-no for some people, especially if you're in Europe. Data sovereignty, privacy, and security are super important. So it's kind of nice. So I'm going to go ahead and start this. It's not going to show any feedback saying "connected" and stuff. We have an issue to do that. But basically I have an MCP running on port 3000 here, and it should be accessible here. So if I come over, let's go to ChatGPT and go to settings. A few things if you start building MCPs: there are a few things you need to do if you're in ChatGPT. You have to go to advanced settings under apps, and you have to make sure developer mode is enabled, and there's another thing you can enable. This is for building MCP apps. Basically this checks Content Security Policy. But for now, let's just come here, and I'm going to go ahead and create a new app. So I'm just going to call it demo, and I'm going to paste in the URL here. And it's using OAuth. You don't have to use OAuth, but we're using OAuth, and Pomerium is going to handle this. And yes, I understand. I want to continue. So I'm going to go ahead and create this connection. And what's going to happen now, just to drive the point home, is I'm running an MCP on my localhost on port 3000. Right now, I've exposed a public URL for it through the SSH reverse tunnel that's running through Pomerium. And now I'm going to go ahead and sign in. So the whole OAuth flow for an MCP is happening through Pomerium, through the IdP and the policy checks. Because LLM stuff is non-deterministic, you never know when it finishes. So we'll give it a second, but okay. So it says... all right. Okay. So we can see here it's connected; that should be it. Okay. Just going to refresh it because I don't see the tools.
But let's see here. Is that running properly? I'll just run it again in case. Okay. So basically there's an echo tool that's available to us in the MCP. So now let's go here. And if you haven't used an MCP in ChatGPT, you basically do @ and then, like, we'll say demo. And I'm going to say "echo what's up GitHub." Now again, it's going through Pomerium, but it's actually connecting to my localhost. It's calling the tool on my own machine here. It's going to find the echo tool and it's just going to echo "what's up GitHub." So let's come back here and change something up. So let's just say... yeah, I'll be done in a couple of minutes here. I'm just checking the... You're good. You're good. And I do have a couple of questions that I want to make sure we get to. Yeah. Okay. So let's see. I'll just say, "Hi, Andrea. Here's what we echoed." Now, this has nothing to do with MCP. I've done a lot of web dev. I'm just running a Vite server and Node with watch mode. So it's just going to automatically update. And let's come back here and do @demo. Oops. @demo. Did I delete it? Ah, is it another window? Where was I? Did I just nuke it? No way. No, I don't think there is dev mode. Oh, no. It's there. Okay, refresh. Yeah, it's there. Okay. Why is it not showing up? Oh, there we go. And I'm going to say "echo yo" or "yuo." Okay. So it's going to echo it again, but I modified my MCP. So the output should say, "Hi, Andrea. This is what we changed," or whatever. And again, good old non-deterministic. I was thinking, hey, okay. I said Andreas. Sorry. Sorry. You did. That was... But that was you, not... Yeah. So this is just a really cool workflow in terms of MCPs. You can do this with just web resources too, like a web app. I just happen to be doing it for MCP because this is a valid use case for MCP. There are obviously other tunneling tools you can use if you want to.
I'm biased because I work here, but I find it super useful, and it's a way to showcase things. We don't have time, but I could obviously expose this MCP to everybody and then they could try the echo. But we've seen the policies change before already, so I don't think we need to go through that. That's very cool. Someone had a question about, for an application specifically, if they wanted to use it with an app that wants to pass through your app using, for example, a button, OpenID Connect style. Yeah. So this basically proxies in front of whatever app. I'll show you an example. I have Grafana here. You can see here I'm logged in as me. This is from Pomerium. If I sign out, I'm in Pomerium. So if I come back to Grafana, Grafana has its own login flow, but they also support proxies. So with some config, you can basically give your same security posture to apps you use, like Grafana or whatever. So I don't know if that answers their question, or if they just want, like, what's the button they want to do specifically, aside from saying it connected; I guess, what else? Well, we'll see if Steve's still in the chat; maybe he can drop that. Okay. And then finally a comment about the wristband stamp club analogy. That was a really good one. Also the airport one too, because you're in the airport, but that doesn't mean you can go get on any airplane that you want. So thanks, I think you clarified zero trust for us a lot. Yeah, I know you shared my website, but there are talks about this. So the OpenClaw one here is briefly AI Engineer Europe, but the one about the airport, I forget where it is. I gave the talk a couple of times, at S day. It's, oh, here: zero trust, from airports to identity-aware proxies.
It kind of goes through that whole flow, talking about it. And also, this is a side note, but if you've never seen the movie Catch Me If You Can, I encourage you to watch it. It's a great film, but also the real-life person, Frank Abagnale, gave a talk at Google. It's in my slides here. Where is it? Basically, it was just a killer talk. He was talking about all the stuff he did to be able to get into things, and I think he was talking at a Google security thing. I don't know. I'll find it, or basically, folks, just check it out in the talks section of my site. You can find it. But yeah, amazing. Amazing. Okay. And well, of course this is an open source project. In terms of contributions, first of all, everybody go to the repository and leave a star. You can do that right now. And then I want you to share with us what kind of contributions you're looking for, where the community can be the most helpful. This is super interesting, though. Honestly, even if you're not in this world, everyone needs to worry about this. This is important to every single person that's building. Yeah. And you'll see a lot of people are talking about zero trust security now, including even securing agentic workloads. I showed an example with MCPs and hardening access to OpenClaw, but there's also the lethal trifecta that Simon Willison always talks about. There's just a lot of work going into security and AI right now. So I guess a few things. One, infrastructure and security are just going to become even more important. It was always important, but with AI it's becoming even more critical, and I think people are realizing this because everybody's vibe coding stuff or just doing stuff, and they're like, "Oh yeah, I've got to secure that stuff."
But yeah, in terms of contributions, you would obviously need to be familiar with the concepts. I encourage you to check out the docs and stuff. We do have open issues. People do contribute. You know, I've done a lot of front end. I don't think it's the same thing as "let's just fix this button." It's networking. Some of it is, and I don't mean this to gatekeep. What I mean is, I'm still learning a lot of this stuff, and security can be really hairy. My coworker who implemented the SSH, he knows OpenSSH, he knows the SSH spec inside and out. I do not, you know. So there's a level of detail that matters in terms of security as well. But I encourage you to go ahead, clone the repo, try to get it up and running, hit me up on socials or wherever; happy to chat if you're stuck on something. We have some guides as well in the docs, in terms of getting it set up with Grafana or Jellyfin or whatever you're using. It's great for the home lab use case too, not just enterprise. I mean, I'm dogfooding it because I work there, but for example, a year ago I did not have a Kubernetes cluster on my desk. I do now. So, but yeah, I encourage you to just check out the open issues. If you think there's something, you know, always start with a conversation; don't just go ahead and throw up a PR. We also, because times are changing, do allow AI when you're contributing. But we have an AI disclosure that you need to be honest about. And also, just don't throw up AI slop PRs, right? If you do, totally use AI. I use it every day, but review what you're looking at. Be critical of what you're doing with AI. It's just a tool at the end of the day. So, AI mindfully. Very well. Very well. Nick, this has been awesome.
Real quick, I want to catch Steve's comment about his button. So he was thinking, if someone has their own application and they want to use yours as a white label, so they need to pass through their users to your app seamlessly. Okay. So if I understand, there are two things. I think maybe there's one: you basically could, right, I showed the example where you're securing something that's in your own network, but you can still do zero trust. I used to work at Netlify. You could host something on Netlify, and even though Pomerium is not in Netlify, because Netlify just doesn't support that kind of stuff, you can put security in place where it checks the JWT that's coming in, or the assertion headers. And so you could actually still front something that's hosted elsewhere. The only difference there, though, is there would be latency, because of whatever the latency is between where you're hosting it and Netlify or Vercel, for example. So typically people do it for internal applications, but you can definitely, if you've got something hosted elsewhere, it is possible as well. And I know it's something we're kind of looking into, but Pomerium could end up being kind of like the OIDC layer. Right now we're the IdP... sorry, we're not the IdP. The IdP is bring your own, and then we have the proxy and the policy engine. But, you know, who knows? Maybe it could be that layer. Transparently it would still be doing all the Pomerium stuff, but it would just act as an OIDC layer, potentially. I don't know if that answers the question, Steve, but if not, feel free to hit me up and I can point you to people who are probably more knowledgeable than me about it. Amazing. Well, Nikki, where can people find you? I shared your website, but I feel like you're the most active on Twitter, maybe. Yeah. Yeah.
So on Twitter, it's just Nikki T online. I'm Nikki T online pretty much everywhere. And all my socials are on the website if you go there, too. So, fantastic. Thank you so much for joining Open Source Friday. Real quick before we go as well, where are you going to be next? If you haven't seen Nick talk, go watch one of his talks, first of all, because you're a fantastic educator. You're a great storyteller, so I'm never bored when I'm watching a talk. Oh, thank you. But is there anything else coming up for you where people can catch up with you in person? Yeah, I'm actually going to be in San Francisco for work the week of July 13th. I'm going to be there all week. I'm meeting up with some coworkers. And at the end of the week, we actually have a hackathon going on that we're partnering with a few companies on. I'll share that link. Why do I keep losing where you keep showing me the links? That's okay. That's okay. I'll tag you again. This is not the most... Okay, I see it. Cool. So this is the Luma, if you're interested. It's in person in San Francisco. So that is one constraint of the hackathon. But feel free to sign up. There's an approval process for it because it's limited space, I believe. But yeah, I'm looking forward to that. We're going to be doing all things agentic, building stuff with zero trust, security, and all other kinds of goodies. So, I love it. Awesome. Well, thank you so much, Nick. I appreciate you being here. Thanks for coming to Open Source Friday. You'll have to come back and teach us some more. I feel like this needed to be a two-parter. Yeah. Yeah. Stay tuned. The next... For real. There's a ton of content, and I think it's content that's so relevant to all of us. You did some bold things here today, man. Sharing your home lab's address. You did. I didn't know what you were going to show, but I'm impressed. So, thank you. Thank you. Thank you.
Yeah. Cool. Yeah. No, thanks for having me on. Always great hanging, Andrea.

All right. I'll see you soon, Nick. Friends, don't forget to go by the Pomerium repository and give it a star. Please do that for me now. And then, if you happen to be in San Francisco, this sounds like a great event. And I'm obviously very biased, because Nick is a fantastic person. So you'll get to be a part of whatever they're building. Go participate in this hackathon. It sounds like it will be fun. Give Pomerium a try. If this is your jam and you want to contribute back to the project, take a look at the guidelines in the repository. Start the conversation, like Nikki said. And Nikki, I can't believe I didn't share your... I'm going to take the time to do that, because Nikki writes one of the best newsletters there are out there. Honestly, this is one newsletter that is... it's funny, because whenever I, um, started writing my own newsletter, I was talking to my boss about it and she gave me Nick's newsletter as a point of reference. It's like, this is the kind of newsletter that people love to read. And so it's been quite a treat, uh, for me to be able to see it and learn from it. And I'm sure it's on his website as well, but I'm like, let me... I want to share the Beehiiv. Nick, if you're still backstage, drop me a Beehiiv direct link to your newsletter, please. Thank you. Thank you. Let me see. I think I found it. Yeah. Subscribe to One Tip. I found it. Y'all, do yourselves a huge favor and go subscribe to this newsletter immediately, because it is phenomenal. It literally respects your time. It's one tip, one tip, one tip a week, and I've learned all kinds of things. I mean literally all kinds of things. So thank you, everyone, for being here. I will see you in a couple of weeks. I'm taking some time off to rest and rejuvenate. I'll be back ready to just get on with the summer, and we have amazing programming coming up next week.
We have someone from GitHub, one of my newest favorite hovers, Angela. Angela has been doing... she's an engineer. She's been doing some incredible work. She's one of the engineers that works on the, uh, automot selection, but she's coming to talk to us about open source. And actually, it's going to be a really good talk, because we haven't done one of these in a while where we talk about how you can even get started. So, if you're joining this and maybe you've been a passer-by, maybe you've been lurking, you've been watching these episodes and you're like, you know what, zero trust is where it's at and I want to contribute. Watch this episode next week, because it's going to give you a great overview of what open source is and how you can be making meaningful contributions there. And I think she's even going to talk about doing contributions with AI, which Nikki was so kind to clarify that they welcome, but keep the slop away. Thank you all so much. Have a great week. Take the rest of the day off. Thanks for being here. Heat.
