From b9aaad95cd1770deeb7a78d9d137fc807c12a365 Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 12:01:47 +0800 Subject: [PATCH 01/44] refactor(media): centralize temp media dir path --- pkg/channels/feishu/feishu_64.go | 2 +- pkg/channels/matrix/matrix.go | 4 +--- pkg/channels/matrix/matrix_test.go | 3 ++- pkg/media/tempdir.go | 13 +++++++++++++ pkg/utils/media.go | 3 ++- 5 files changed, 19 insertions(+), 6 deletions(-) create mode 100644 pkg/media/tempdir.go diff --git a/pkg/channels/feishu/feishu_64.go b/pkg/channels/feishu/feishu_64.go index 5dbbcf0af..9c462e41e 100644 --- a/pkg/channels/feishu/feishu_64.go +++ b/pkg/channels/feishu/feishu_64.go @@ -618,7 +618,7 @@ func (c *FeishuChannel) downloadResource( } // Write to the shared picoclaw_media directory using a unique name to avoid collisions. - mediaDir := filepath.Join(os.TempDir(), "picoclaw_media") + mediaDir := media.TempDir() if mkdirErr := os.MkdirAll(mediaDir, 0o700); mkdirErr != nil { logger.ErrorCF("feishu", "Failed to create media directory", map[string]any{ "error": mkdirErr.Error(), diff --git a/pkg/channels/matrix/matrix.go b/pkg/channels/matrix/matrix.go index bec5dfdac..4cbe95c5c 100644 --- a/pkg/channels/matrix/matrix.go +++ b/pkg/channels/matrix/matrix.go @@ -35,8 +35,6 @@ const ( roomKindCacheTTL = 5 * time.Minute roomKindCacheCleanupPeriod = 1 * time.Minute roomKindCacheMaxEntries = 2048 - - matrixMediaTempDirName = "picoclaw_media" ) var matrixMentionHrefRegexp = regexp.MustCompile(`(?i)]+href=["']([^"']+)["']`) @@ -1105,7 +1103,7 @@ func (c *MatrixChannel) stripSelfMention(text string) string { } func matrixMediaTempDir() (string, error) { - mediaDir := filepath.Join(os.TempDir(), matrixMediaTempDirName) + mediaDir := media.TempDir() if err := os.MkdirAll(mediaDir, 0o700); err != nil { return "", err } diff --git a/pkg/channels/matrix/matrix_test.go b/pkg/channels/matrix/matrix_test.go index 07a35c021..7484c8d87 100644 --- a/pkg/channels/matrix/matrix_test.go +++ b/pkg/channels/matrix/matrix_test.go @@ -15,6 +15,7 @@ import ( "maunium.net/go/mautrix/id" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/media" ) func TestMatrixLocalpartMentionRegexp(t *testing.T) { @@ -165,7 +166,7 @@ func TestMatrixMediaTempDir(t *testing.T) { if err != nil { t.Fatalf("matrixMediaTempDir failed: %v", err) } - if filepath.Base(dir) != matrixMediaTempDirName { + if filepath.Base(dir) != media.TempDirName { t.Fatalf("unexpected media dir base: %q", filepath.Base(dir)) } diff --git a/pkg/media/tempdir.go b/pkg/media/tempdir.go new file mode 100644 index 000000000..45942b34f --- /dev/null +++ b/pkg/media/tempdir.go @@ -0,0 +1,13 @@ +package media + +import ( + "os" + "path/filepath" +) + +const TempDirName = "picoclaw_media" + +// TempDir returns the shared temporary directory used for downloaded media. +func TempDir() string { + return filepath.Join(os.TempDir(), TempDirName) +} diff --git a/pkg/utils/media.go b/pkg/utils/media.go index 3e1c5d88e..82e9f5f45 100644 --- a/pkg/utils/media.go +++ b/pkg/utils/media.go @@ -12,6 +12,7 @@ import ( "github.com/google/uuid" "github.com/sipeed/picoclaw/pkg/logger" + "github.com/sipeed/picoclaw/pkg/media" ) // IsAudioFile checks if a file is an audio file based on its filename extension and content type. @@ -67,7 +68,7 @@ func DownloadFile(urlStr, filename string, opts DownloadOptions) string { opts.LoggerPrefix = "utils" } - mediaDir := filepath.Join(os.TempDir(), "picoclaw_media") + mediaDir := media.TempDir() if err := os.MkdirAll(mediaDir, 0o700); err != nil { logger.ErrorCF(opts.LoggerPrefix, "Failed to create media directory", map[string]any{ "error": err.Error(), From 1bc05e83927ad0f914e96d6546a016f6fb9fbc6f Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 12:02:06 +0800 Subject: [PATCH 02/44] fix(tools): allow sandbox access to temp media files --- pkg/agent/instance.go | 27 +++++++++++- pkg/agent/instance_test.go | 86 +++++++++++++++++++++++++++++++++++++ pkg/agent/loop.go | 3 ++ pkg/tools/filesystem.go | 48 ++++++++++++++++++--- pkg/tools/send_file.go | 17 +++++++- pkg/tools/send_file_test.go | 39 +++++++++++++++++ pkg/tools/shell.go | 44 +++++++++++++------ 7 files changed, 241 insertions(+), 23 deletions(-) diff --git a/pkg/agent/instance.go b/pkg/agent/instance.go index 0c7baa1ee..1c3635322 100644 --- a/pkg/agent/instance.go +++ b/pkg/agent/instance.go @@ -10,6 +10,7 @@ import ( "strings" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/media" "github.com/sipeed/picoclaw/pkg/memory" "github.com/sipeed/picoclaw/pkg/providers" "github.com/sipeed/picoclaw/pkg/routing" @@ -66,7 +67,7 @@ func NewAgentInstance( readRestrict := restrict && !defaults.AllowReadOutsideWorkspace // Compile path whitelist patterns from config. - allowReadPaths := compilePatterns(cfg.Tools.AllowReadPaths) + allowReadPaths := buildAllowReadPatterns(cfg) allowWritePaths := compilePatterns(cfg.Tools.AllowWritePaths) toolsRegistry := tools.NewToolRegistry() @@ -82,7 +83,7 @@ func NewAgentInstance( toolsRegistry.Register(tools.NewListDirTool(workspace, readRestrict, allowReadPaths)) } if cfg.Tools.IsToolEnabled("exec") { - execTool, err := tools.NewExecToolWithConfig(workspace, restrict, cfg) + execTool, err := tools.NewExecToolWithConfig(workspace, restrict, cfg, allowReadPaths) if err != nil { log.Fatalf("Critical error: unable to initialize exec tool: %v", err) } @@ -282,6 +283,28 @@ func compilePatterns(patterns []string) []*regexp.Regexp { return compiled } +func buildAllowReadPatterns(cfg *config.Config) []*regexp.Regexp { + var configured []string + if cfg != nil { + configured = cfg.Tools.AllowReadPaths + } + + compiled := compilePatterns(configured) + mediaDirPattern := regexp.MustCompile(mediaTempDirPattern()) + for _, pattern := range compiled { + if pattern.String() == mediaDirPattern.String() { + return compiled + } + } + + return append(compiled, mediaDirPattern) +} + +func mediaTempDirPattern() string { + sep := regexp.QuoteMeta(string(os.PathSeparator)) + return "^" + regexp.QuoteMeta(filepath.Clean(media.TempDir())) + "(?:" + sep + "|$)" +} + // Close releases resources held by the agent's session store. func (a *AgentInstance) Close() error { if a.Sessions != nil { diff --git a/pkg/agent/instance_test.go b/pkg/agent/instance_test.go index 4f41ecd1c..f8057bb2f 100644 --- a/pkg/agent/instance_test.go +++ b/pkg/agent/instance_test.go @@ -1,10 +1,14 @@ package agent import ( + "context" "os" + "path/filepath" + "strings" "testing" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/media" ) func TestNewAgentInstance_UsesDefaultsTemperatureAndMaxTokens(t *testing.T) { @@ -160,3 +164,85 @@ func TestNewAgentInstance_ResolveCandidatesFromModelListAlias(t *testing.T) { }) } } + +func TestNewAgentInstance_AllowsMediaTempDirForReadListAndExec(t *testing.T) { + workspace := t.TempDir() + mediaDir := media.TempDir() + if err := os.MkdirAll(mediaDir, 0o700); err != nil { + t.Fatalf("MkdirAll(mediaDir) error = %v", err) + } + + mediaFile, err := os.CreateTemp(mediaDir, "instance-tool-*.txt") + if err != nil { + t.Fatalf("CreateTemp(mediaDir) error = %v", err) + } + mediaPath := mediaFile.Name() + if _, err := mediaFile.WriteString("attachment content"); err != nil { + mediaFile.Close() + t.Fatalf("WriteString(mediaFile) error = %v", err) + } + if err := mediaFile.Close(); err != nil { + t.Fatalf("Close(mediaFile) error = %v", err) + } + t.Cleanup(func() { _ = os.Remove(mediaPath) }) + + cfg := &config.Config{ + Agents: config.AgentsConfig{ + Defaults: config.AgentDefaults{ + Workspace: workspace, + Model: "test-model", + RestrictToWorkspace: true, + }, + }, + Tools: config.ToolsConfig{ + ReadFile: config.ReadFileToolConfig{Enabled: true}, + ListDir: config.ToolConfig{Enabled: true}, + Exec: config.ExecConfig{ + ToolConfig: config.ToolConfig{Enabled: true}, + EnableDenyPatterns: true, + AllowRemote: true, + }, + }, + } + + agent := NewAgentInstance(nil, &cfg.Agents.Defaults, cfg, &mockProvider{}) + + readTool, ok := agent.Tools.Get("read_file") + if !ok { + t.Fatal("read_file tool not registered") + } + readResult := readTool.Execute(context.Background(), map[string]any{"path": mediaPath}) + if readResult.IsError { + t.Fatalf("read_file should allow media temp dir, got: %s", readResult.ForLLM) + } + if !strings.Contains(readResult.ForLLM, "attachment content") { + t.Fatalf("read_file output missing media content: %s", readResult.ForLLM) + } + + listTool, ok := agent.Tools.Get("list_dir") + if !ok { + t.Fatal("list_dir tool not registered") + } + listResult := listTool.Execute(context.Background(), map[string]any{"path": mediaDir}) + if listResult.IsError { + t.Fatalf("list_dir should allow media temp dir, got: %s", listResult.ForLLM) + } + if !strings.Contains(listResult.ForLLM, filepath.Base(mediaPath)) { + t.Fatalf("list_dir output missing media file: %s", listResult.ForLLM) + } + + execTool, ok := agent.Tools.Get("exec") + if !ok { + t.Fatal("exec tool not registered") + } + execResult := execTool.Execute(context.Background(), map[string]any{ + "command": "cat " + filepath.Base(mediaPath), + "working_dir": mediaDir, + }) + if execResult.IsError { + t.Fatalf("exec should allow media temp dir, got: %s", execResult.ForLLM) + } + if !strings.Contains(execResult.ForLLM, "attachment content") { + t.Fatalf("exec output missing media content: %s", execResult.ForLLM) + } +} diff --git a/pkg/agent/loop.go b/pkg/agent/loop.go index dfa339dee..8a0303b50 100644 --- a/pkg/agent/loop.go +++ b/pkg/agent/loop.go @@ -117,6 +117,8 @@ func registerSharedTools( registry *AgentRegistry, provider providers.LLMProvider, ) { + allowReadPaths := buildAllowReadPatterns(cfg) + for _, agentID := range registry.ListAgentIDs() { agent, ok := registry.GetAgent(agentID) if !ok { @@ -195,6 +197,7 @@ func registerSharedTools( cfg.Agents.Defaults.RestrictToWorkspace, cfg.Agents.Defaults.GetMaxMediaSize(), nil, + allowReadPaths, ) agent.Tools.Register(sendFileTool) } diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index 6b1cb1475..21385b01b 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -22,6 +22,10 @@ const MaxReadFileSize = 64 * 1024 // 64KB limit to avoid context overflow // validatePath ensures the given path is within the workspace if restrict is true. func validatePath(path, workspace string, restrict bool) (string, error) { + return validatePathWithAllowPaths(path, workspace, restrict, nil) +} + +func validatePathWithAllowPaths(path, workspace string, restrict bool, patterns []*regexp.Regexp) (string, error) { if workspace == "" { return path, fmt.Errorf("workspace is not defined") } @@ -42,6 +46,10 @@ func validatePath(path, workspace string, restrict bool) (string, error) { } if restrict { + if isAllowedPath(absPath, patterns) { + return absPath, nil + } + if !isWithinWorkspace(absPath, absWorkspace) { return "", fmt.Errorf("access denied: path is outside the workspace") } @@ -73,6 +81,39 @@ func validatePath(path, workspace string, restrict bool) (string, error) { return absPath, nil } +func isAllowedPath(path string, patterns []*regexp.Regexp) bool { + if len(patterns) == 0 { + return false + } + + cleaned := filepath.Clean(path) + if !matchesAllowedPath(cleaned, patterns) { + return false + } + + resolved, err := filepath.EvalSymlinks(cleaned) + if err == nil { + return matchesAllowedPath(resolved, patterns) + } + if os.IsNotExist(err) { + parentResolved, parentErr := resolveExistingAncestor(filepath.Dir(cleaned)) + if parentErr == nil { + return matchesAllowedPath(parentResolved, patterns) + } + } + + return false +} + +func matchesAllowedPath(path string, patterns []*regexp.Regexp) bool { + for _, pattern := range patterns { + if pattern.MatchString(path) { + return true + } + } + return false +} + func resolveExistingAncestor(path string) (string, error) { for current := filepath.Clean(path); ; current = filepath.Dir(current) { if resolved, err := filepath.EvalSymlinks(current); err == nil { @@ -625,12 +666,7 @@ type whitelistFs struct { } func (w *whitelistFs) matches(path string) bool { - for _, p := range w.patterns { - if p.MatchString(path) { - return true - } - } - return false + return matchesAllowedPath(path, w.patterns) } func (w *whitelistFs) ReadFile(path string) ([]byte, error) { diff --git a/pkg/tools/send_file.go b/pkg/tools/send_file.go index 1a03e58ed..a67bd4210 100644 --- a/pkg/tools/send_file.go +++ b/pkg/tools/send_file.go @@ -6,6 +6,7 @@ import ( "mime" "os" "path/filepath" + "regexp" "strings" "github.com/h2non/filetype" @@ -21,20 +22,32 @@ type SendFileTool struct { restrict bool maxFileSize int mediaStore media.MediaStore + allowPaths []*regexp.Regexp defaultChannel string defaultChatID string } -func NewSendFileTool(workspace string, restrict bool, maxFileSize int, store media.MediaStore) *SendFileTool { +func NewSendFileTool( + workspace string, + restrict bool, + maxFileSize int, + store media.MediaStore, + allowPaths ...[]*regexp.Regexp, +) *SendFileTool { if maxFileSize <= 0 { maxFileSize = config.DefaultMaxMediaSize } + var patterns []*regexp.Regexp + if len(allowPaths) > 0 { + patterns = allowPaths[0] + } return &SendFileTool{ workspace: workspace, restrict: restrict, maxFileSize: maxFileSize, mediaStore: store, + allowPaths: patterns, } } @@ -92,7 +105,7 @@ func (t *SendFileTool) Execute(ctx context.Context, args map[string]any) *ToolRe return ErrorResult("media store not configured") } - resolved, err := validatePath(path, t.workspace, t.restrict) + resolved, err := validatePathWithAllowPaths(path, t.workspace, t.restrict, t.allowPaths) if err != nil { return ErrorResult(fmt.Sprintf("invalid path: %v", err)) } diff --git a/pkg/tools/send_file_test.go b/pkg/tools/send_file_test.go index 08d129674..6daaab31c 100644 --- a/pkg/tools/send_file_test.go +++ b/pkg/tools/send_file_test.go @@ -4,6 +4,7 @@ import ( "context" "os" "path/filepath" + "regexp" "strings" "testing" @@ -128,6 +129,44 @@ func TestSendFileTool_CustomFilename(t *testing.T) { } } +func TestSendFileTool_AllowsWhitelistedMediaTempPath(t *testing.T) { + workspace := t.TempDir() + mediaDir := media.TempDir() + if err := os.MkdirAll(mediaDir, 0o700); err != nil { + t.Fatalf("MkdirAll(mediaDir) error = %v", err) + } + + testFile, err := os.CreateTemp(mediaDir, "send-file-*.txt") + if err != nil { + t.Fatalf("CreateTemp(mediaDir) error = %v", err) + } + testPath := testFile.Name() + if _, err := testFile.WriteString("forward me"); err != nil { + testFile.Close() + t.Fatalf("WriteString(testFile) error = %v", err) + } + if err := testFile.Close(); err != nil { + t.Fatalf("Close(testFile) error = %v", err) + } + t.Cleanup(func() { _ = os.Remove(testPath) }) + + pattern := regexp.MustCompile( + "^" + regexp.QuoteMeta(filepath.Clean(mediaDir)) + "(?:" + regexp.QuoteMeta(string(os.PathSeparator)) + "|$)", + ) + + store := media.NewFileMediaStore() + tool := NewSendFileTool(workspace, true, 0, store, []*regexp.Regexp{pattern}) + tool.SetContext("feishu", "chat123") + + result := tool.Execute(context.Background(), map[string]any{"path": testPath}) + if result.IsError { + t.Fatalf("expected whitelisted temp media file to be sendable, got: %s", result.ForLLM) + } + if len(result.Media) != 1 { + t.Fatalf("expected 1 media ref, got %d", len(result.Media)) + } +} + func TestDetectMediaType_MagicBytes(t *testing.T) { dir := t.TempDir() diff --git a/pkg/tools/shell.go b/pkg/tools/shell.go index 9ea05bb12..0dc85ae21 100644 --- a/pkg/tools/shell.go +++ b/pkg/tools/shell.go @@ -23,6 +23,7 @@ type ExecTool struct { denyPatterns []*regexp.Regexp allowPatterns []*regexp.Regexp customAllowPatterns []*regexp.Regexp + allowedPathPatterns []*regexp.Regexp restrictToWorkspace bool allowRemote bool } @@ -95,14 +96,23 @@ var ( } ) -func NewExecTool(workingDir string, restrict bool) (*ExecTool, error) { - return NewExecToolWithConfig(workingDir, restrict, nil) +func NewExecTool(workingDir string, restrict bool, allowPaths ...[]*regexp.Regexp) (*ExecTool, error) { + return NewExecToolWithConfig(workingDir, restrict, nil, allowPaths...) } -func NewExecToolWithConfig(workingDir string, restrict bool, config *config.Config) (*ExecTool, error) { +func NewExecToolWithConfig( + workingDir string, + restrict bool, + config *config.Config, + allowPaths ...[]*regexp.Regexp, +) (*ExecTool, error) { denyPatterns := make([]*regexp.Regexp, 0) customAllowPatterns := make([]*regexp.Regexp, 0) + var allowedPathPatterns []*regexp.Regexp allowRemote := true + if len(allowPaths) > 0 { + allowedPathPatterns = allowPaths[0] + } if config != nil { execConfig := config.Tools.Exec @@ -146,6 +156,7 @@ func NewExecToolWithConfig(workingDir string, restrict bool, config *config.Conf denyPatterns: denyPatterns, allowPatterns: nil, customAllowPatterns: customAllowPatterns, + allowedPathPatterns: allowedPathPatterns, restrictToWorkspace: restrict, allowRemote: allowRemote, }, nil @@ -198,7 +209,7 @@ func (t *ExecTool) Execute(ctx context.Context, args map[string]any) *ToolResult cwd := t.workingDir if wd, ok := args["working_dir"].(string); ok && wd != "" { if t.restrictToWorkspace && t.workingDir != "" { - resolvedWD, err := validatePath(wd, t.workingDir, true) + resolvedWD, err := validatePathWithAllowPaths(wd, t.workingDir, true, t.allowedPathPatterns) if err != nil { return ErrorResult("Command blocked by safety guard (" + err.Error() + ")") } @@ -226,16 +237,20 @@ func (t *ExecTool) Execute(ctx context.Context, args map[string]any) *ToolResult if err != nil { return ErrorResult(fmt.Sprintf("Command blocked by safety guard (path resolution failed: %v)", err)) } - absWorkspace, _ := filepath.Abs(t.workingDir) - wsResolved, _ := filepath.EvalSymlinks(absWorkspace) - if wsResolved == "" { - wsResolved = absWorkspace + if isAllowedPath(resolved, t.allowedPathPatterns) { + cwd = resolved + } else { + absWorkspace, _ := filepath.Abs(t.workingDir) + wsResolved, _ := filepath.EvalSymlinks(absWorkspace) + if wsResolved == "" { + wsResolved = absWorkspace + } + rel, err := filepath.Rel(wsResolved, resolved) + if err != nil || !filepath.IsLocal(rel) { + return ErrorResult("Command blocked by safety guard (working directory escaped workspace)") + } + cwd = resolved } - rel, err := filepath.Rel(wsResolved, resolved) - if err != nil || !filepath.IsLocal(rel) { - return ErrorResult("Command blocked by safety guard (working directory escaped workspace)") - } - cwd = resolved } // timeout == 0 means no timeout @@ -412,6 +427,9 @@ func (t *ExecTool) guardCommand(command, cwd string) string { if safePaths[p] { continue } + if isAllowedPath(p, t.allowedPathPatterns) { + continue + } rel, err := filepath.Rel(cwdPath, p) if err != nil { From 345452fba840d1839e82bab58f9e8894c4844abe Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 12:08:11 +0800 Subject: [PATCH 03/44] refactor(tools): remove unused validatePath wrapper --- pkg/tools/filesystem.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index 21385b01b..d25ec1254 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -20,11 +20,6 @@ import ( const MaxReadFileSize = 64 * 1024 // 64KB limit to avoid context overflow -// validatePath ensures the given path is within the workspace if restrict is true. -func validatePath(path, workspace string, restrict bool) (string, error) { - return validatePathWithAllowPaths(path, workspace, restrict, nil) -} - func validatePathWithAllowPaths(path, workspace string, restrict bool, patterns []*regexp.Regexp) (string, error) { if workspace == "" { return path, fmt.Errorf("workspace is not defined") From bb1a4145274c78e1b8267af89a1816cd7b0107f5 Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 19:58:23 +0800 Subject: [PATCH 04/44] fix(tools): harden whitelist path resolution --- pkg/tools/filesystem.go | 42 +++++++++++++++++++++++-------- pkg/tools/filesystem_test.go | 49 ++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 11 deletions(-) diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index d25ec1254..92946ef98 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -82,22 +82,19 @@ func isAllowedPath(path string, patterns []*regexp.Regexp) bool { } cleaned := filepath.Clean(path) + if !filepath.IsAbs(cleaned) { + return false + } if !matchesAllowedPath(cleaned, patterns) { return false } - resolved, err := filepath.EvalSymlinks(cleaned) - if err == nil { - return matchesAllowedPath(resolved, patterns) - } - if os.IsNotExist(err) { - parentResolved, parentErr := resolveExistingAncestor(filepath.Dir(cleaned)) - if parentErr == nil { - return matchesAllowedPath(parentResolved, patterns) - } + resolved, err := resolvePathAgainstExistingAncestor(cleaned) + if err != nil { + return false } - return false + return matchesAllowedPath(resolved, patterns) } func matchesAllowedPath(path string, patterns []*regexp.Regexp) bool { @@ -122,6 +119,29 @@ func resolveExistingAncestor(path string) (string, error) { } } +func resolvePathAgainstExistingAncestor(path string) (string, error) { + cleaned := filepath.Clean(path) + for current := cleaned; ; current = filepath.Dir(current) { + resolved, err := filepath.EvalSymlinks(current) + if err == nil { + suffix, relErr := filepath.Rel(current, cleaned) + if relErr != nil { + return "", relErr + } + if suffix == "." { + return filepath.Clean(resolved), nil + } + return filepath.Clean(filepath.Join(resolved, suffix)), nil + } + if !os.IsNotExist(err) { + return "", err + } + if filepath.Dir(current) == current { + return "", os.ErrNotExist + } + } +} + func isWithinWorkspace(candidate, workspace string) bool { rel, err := filepath.Rel(filepath.Clean(workspace), filepath.Clean(candidate)) return err == nil && filepath.IsLocal(rel) @@ -661,7 +681,7 @@ type whitelistFs struct { } func (w *whitelistFs) matches(path string) bool { - return matchesAllowedPath(path, w.patterns) + return isAllowedPath(path, w.patterns) } func (w *whitelistFs) ReadFile(path string) ([]byte, error) { diff --git a/pkg/tools/filesystem_test.go b/pkg/tools/filesystem_test.go index 0bbf6caf0..78d69273f 100644 --- a/pkg/tools/filesystem_test.go +++ b/pkg/tools/filesystem_test.go @@ -521,6 +521,55 @@ func TestWhitelistFs_AllowsMatchingPaths(t *testing.T) { } } +func TestWhitelistFs_BlocksSymlinkEscapeInAllowedDir(t *testing.T) { + workspace := t.TempDir() + allowedDir := t.TempDir() + secretDir := t.TempDir() + secretFile := filepath.Join(secretDir, "secret.txt") + if err := os.WriteFile(secretFile, []byte("top secret"), 0o644); err != nil { + t.Fatalf("WriteFile(secretFile) error = %v", err) + } + + linkPath := filepath.Join(allowedDir, "link_out") + if err := os.Symlink(secretDir, linkPath); err != nil { + t.Skipf("symlink not supported in this environment: %v", err) + } + + patterns := []*regexp.Regexp{regexp.MustCompile(`^` + regexp.QuoteMeta(allowedDir))} + tool := NewReadFileTool(workspace, true, MaxReadFileSize, patterns) + + result := tool.Execute(context.Background(), map[string]any{"path": filepath.Join(linkPath, "secret.txt")}) + if !result.IsError { + t.Fatalf("expected symlink escape from allowed dir to be blocked, got: %s", result.ForLLM) + } +} + +func TestWhitelistFs_WriteAllowsNewFileUnderAllowedDir(t *testing.T) { + workspace := t.TempDir() + rootDir := t.TempDir() + allowedDir := filepath.Join(rootDir, "allowed") + targetFile := filepath.Join(allowedDir, "nested", "file.txt") + + patterns := []*regexp.Regexp{regexp.MustCompile(`^` + regexp.QuoteMeta(allowedDir))} + tool := NewWriteFileTool(workspace, true, patterns) + + result := tool.Execute(context.Background(), map[string]any{ + "path": targetFile, + "content": "outside write", + }) + if result.IsError { + t.Fatalf("expected whitelisted write to succeed, got: %s", result.ForLLM) + } + + data, err := os.ReadFile(targetFile) + if err != nil { + t.Fatalf("ReadFile(targetFile) error = %v", err) + } + if string(data) != "outside write" { + t.Fatalf("target file content = %q, want %q", string(data), "outside write") + } +} + // TestReadFileTool_ChunkedReading verifies the pagination logic of the tool // by reading a file in multiple chunks using 'offset' and 'length'. func TestReadFileTool_ChunkedReading(t *testing.T) { From f71eaaf7f8d8189319453314c157d3ab969798a4 Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 21:03:23 +0800 Subject: [PATCH 05/44] fix(cron): default scheduled jobs to agent execution --- pkg/tools/cron.go | 6 +++--- pkg/tools/cron_test.go | 22 ++++++++++++++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/pkg/tools/cron.go b/pkg/tools/cron.go index 648cc3c6c..25608a54c 100644 --- a/pkg/tools/cron.go +++ b/pkg/tools/cron.go @@ -96,7 +96,7 @@ func (t *CronTool) Parameters() map[string]any { }, "deliver": map[string]any{ "type": "boolean", - "description": "If true, send message directly to channel. If false, let agent process message (for complex tasks). Default: true", + "description": "If true, send message directly to channel. If false, let agent process message (for complex tasks). Default: false", }, }, "required": []string{"action"}, @@ -174,8 +174,8 @@ func (t *CronTool) addJob(ctx context.Context, args map[string]any) *ToolResult return ErrorResult("one of at_seconds, every_seconds, or cron_expr is required") } - // Read deliver parameter, default to true - deliver := true + // Read deliver parameter, default to false so scheduled tasks execute through the agent + deliver := false if d, ok := args["deliver"].(bool); ok { deliver = d } diff --git a/pkg/tools/cron_test.go b/pkg/tools/cron_test.go index 1776abc65..f1e857949 100644 --- a/pkg/tools/cron_test.go +++ b/pkg/tools/cron_test.go @@ -114,3 +114,25 @@ func TestCronTool_NonCommandJobAllowedFromRemoteChannel(t *testing.T) { t.Fatalf("expected non-command reminder to succeed from remote channel, got: %s", result.ForLLM) } } + +func TestCronTool_NonCommandJobDefaultsDeliverToFalse(t *testing.T) { + tool := newTestCronTool(t) + ctx := WithToolContext(context.Background(), "telegram", "chat-1") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "send me a poem", + "at_seconds": float64(600), + }) + + if result.IsError { + t.Fatalf("expected non-command reminder to succeed, got: %s", result.ForLLM) + } + + jobs := tool.cronService.ListJobs(false) + if len(jobs) != 1 { + t.Fatalf("expected 1 job, got %d", len(jobs)) + } + if jobs[0].Payload.Deliver { + t.Fatal("expected deliver=false by default for non-command jobs") + } +} From 71e2b636d66c9d30250f027085d142d93d4246be Mon Sep 17 00:00:00 2001 From: BitToby <218712309+bittoby@users.noreply.github.com> Date: Mon, 16 Mar 2026 03:58:37 +0200 Subject: [PATCH 06/44] fix: Use secure defaults for Pico channel setup and stop leaking the token in the URL (#1563) * fix: Use secure defaults for Pico channel setup and stop leaking the token in the URL * fix: Derive default allow_origins from the setup request's Origin header instead of hardcoding localhost ports --- pkg/channels/pico/pico.go | 31 ++- web/backend/api/gateway.go | 2 +- web/backend/api/pico.go | 24 +- web/backend/api/pico_test.go | 237 +++++++++++++++++++ web/frontend/src/lib/pico-chat-controller.ts | 5 +- 5 files changed, 281 insertions(+), 18 deletions(-) create mode 100644 web/backend/api/pico_test.go diff --git a/pkg/channels/pico/pico.go b/pkg/channels/pico/pico.go index 8d8b62a67..206e71f92 100644 --- a/pkg/channels/pico/pico.go +++ b/pkg/channels/pico/pico.go @@ -251,7 +251,13 @@ func (c *PicoChannel) handleWebSocket(w http.ResponseWriter, r *http.Request) { return } - conn, err := c.upgrader.Upgrade(w, r, nil) + // Echo the matched subprotocol back so the browser accepts the upgrade. + var responseHeader http.Header + if proto := c.matchedSubprotocol(r); proto != "" { + responseHeader = http.Header{"Sec-WebSocket-Protocol": {proto}} + } + + conn, err := c.upgrader.Upgrade(w, r, responseHeader) if err != nil { logger.ErrorCF("pico", "WebSocket upgrade failed", map[string]any{ "error": err.Error(), @@ -282,8 +288,10 @@ func (c *PicoChannel) handleWebSocket(w http.ResponseWriter, r *http.Request) { go c.readLoop(pc) } -// authenticate checks the Bearer token from the Authorization header. -// Query parameter authentication is only allowed when AllowTokenQuery is explicitly enabled. +// authenticate checks the request for a valid token: +// 1. Authorization: Bearer header +// 2. Sec-WebSocket-Protocol "token." (for browsers that can't set headers) +// 3. Query parameter "token" (only when AllowTokenQuery is on) func (c *PicoChannel) authenticate(r *http.Request) bool { token := c.config.Token if token == "" { @@ -298,6 +306,11 @@ func (c *PicoChannel) authenticate(r *http.Request) bool { } } + // Check Sec-WebSocket-Protocol subprotocol ("token.") + if c.matchedSubprotocol(r) != "" { + return true + } + // Check query parameter only when explicitly allowed if c.config.AllowTokenQuery { if r.URL.Query().Get("token") == token { @@ -308,6 +321,18 @@ func (c *PicoChannel) authenticate(r *http.Request) bool { return false } +// matchedSubprotocol returns the "token." subprotocol that matches +// the configured token, or "" if none do. +func (c *PicoChannel) matchedSubprotocol(r *http.Request) string { + token := c.config.Token + for _, proto := range websocket.Subprotocols(r) { + if after, ok := strings.CutPrefix(proto, "token."); ok && after == token { + return proto + } + } + return "" +} + // readLoop reads messages from a WebSocket connection. func (c *PicoChannel) readLoop(pc *picoConn) { defer func() { diff --git a/web/backend/api/gateway.go b/web/backend/api/gateway.go index 1813cac92..f50f7609a 100644 --- a/web/backend/api/gateway.go +++ b/web/backend/api/gateway.go @@ -281,7 +281,7 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { gateway.logs.Reset() // Ensure Pico Channel is configured before starting gateway - if _, err := h.ensurePicoChannel(); err != nil { + if _, err := h.ensurePicoChannel(""); err != nil { log.Printf("Warning: failed to ensure pico channel: %v", err) // Non-fatal: gateway can still start without pico channel } diff --git a/web/backend/api/pico.go b/web/backend/api/pico.go index a4590dcde..2d2201e16 100644 --- a/web/backend/api/pico.go +++ b/web/backend/api/pico.go @@ -65,9 +65,14 @@ func (h *Handler) handleRegenPicoToken(w http.ResponseWriter, r *http.Request) { }) } -// ensurePicoChannel checks if the Pico Channel is properly configured and -// enables it with sensible defaults if not. Returns true if config was changed. -func (h *Handler) ensurePicoChannel() (bool, error) { +// ensurePicoChannel enables the Pico channel with sane defaults if it isn't +// already configured. Returns true when the config was modified. +// +// callerOrigin is the Origin header from the setup request. If non-empty and +// no origins are configured yet, it's written as the allowed origin so the +// WebSocket handshake works for whatever host the caller is on (LAN, custom +// port, etc.). Pass "" when there's no request context. +func (h *Handler) ensurePicoChannel(callerOrigin string) (bool, error) { cfg, err := config.LoadConfig(h.configPath) if err != nil { return false, fmt.Errorf("failed to load config: %w", err) @@ -85,14 +90,9 @@ func (h *Handler) ensurePicoChannel() (bool, error) { changed = true } - if !cfg.Channels.Pico.AllowTokenQuery { - cfg.Channels.Pico.AllowTokenQuery = true - changed = true - } - - // Make sure origins are allowed (frontend might be running on a different port like 5173 during dev) - if len(cfg.Channels.Pico.AllowOrigins) == 0 { - cfg.Channels.Pico.AllowOrigins = []string{"*"} + // Seed origins from the request instead of hardcoding ports. + if len(cfg.Channels.Pico.AllowOrigins) == 0 && callerOrigin != "" { + cfg.Channels.Pico.AllowOrigins = []string{callerOrigin} changed = true } @@ -109,7 +109,7 @@ func (h *Handler) ensurePicoChannel() (bool, error) { // // POST /api/pico/setup func (h *Handler) handlePicoSetup(w http.ResponseWriter, r *http.Request) { - changed, err := h.ensurePicoChannel() + changed, err := h.ensurePicoChannel(r.Header.Get("Origin")) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return diff --git a/web/backend/api/pico_test.go b/web/backend/api/pico_test.go new file mode 100644 index 000000000..46149fa09 --- /dev/null +++ b/web/backend/api/pico_test.go @@ -0,0 +1,237 @@ +package api + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "path/filepath" + "testing" + + "github.com/sipeed/picoclaw/pkg/config" +) + +func TestEnsurePicoChannel_FreshConfig(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + changed, err := h.ensurePicoChannel("") + if err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + if !changed { + t.Fatal("ensurePicoChannel() should report changed on a fresh config") + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if !cfg.Channels.Pico.Enabled { + t.Error("expected Pico to be enabled after setup") + } + if cfg.Channels.Pico.Token == "" { + t.Error("expected a non-empty token after setup") + } +} + +func TestEnsurePicoChannel_DoesNotEnableTokenQuery(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + if _, err := h.ensurePicoChannel(""); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if cfg.Channels.Pico.AllowTokenQuery { + t.Error("setup must not enable allow_token_query by default") + } +} + +func TestEnsurePicoChannel_DoesNotSetWildcardOrigins(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + if _, err := h.ensurePicoChannel("http://localhost:18800"); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + for _, origin := range cfg.Channels.Pico.AllowOrigins { + if origin == "*" { + t.Error("setup must not set wildcard origin '*'") + } + } +} + +func TestEnsurePicoChannel_NoOriginWithoutCaller(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + if _, err := h.ensurePicoChannel(""); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + // Without a caller origin, allow_origins stays empty (CheckOrigin + // allows all when the list is empty, so the channel still works). + if len(cfg.Channels.Pico.AllowOrigins) != 0 { + t.Errorf("allow_origins = %v, want empty when no caller origin", cfg.Channels.Pico.AllowOrigins) + } +} + +func TestEnsurePicoChannel_SetsCallerOrigin(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + lanOrigin := "http://192.168.1.9:18800" + if _, err := h.ensurePicoChannel(lanOrigin); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if len(cfg.Channels.Pico.AllowOrigins) != 1 || cfg.Channels.Pico.AllowOrigins[0] != lanOrigin { + t.Errorf("allow_origins = %v, want [%s]", cfg.Channels.Pico.AllowOrigins, lanOrigin) + } +} + +func TestEnsurePicoChannel_PreservesUserSettings(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + + // Pre-configure with custom user settings + cfg := config.DefaultConfig() + cfg.Channels.Pico.Enabled = true + cfg.Channels.Pico.Token = "user-custom-token" + cfg.Channels.Pico.AllowTokenQuery = true + cfg.Channels.Pico.AllowOrigins = []string{"https://myapp.example.com"} + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + h := NewHandler(configPath) + + changed, err := h.ensurePicoChannel("") + if err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + if changed { + t.Error("ensurePicoChannel() should not change a fully configured config") + } + + cfg, err = config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if cfg.Channels.Pico.Token != "user-custom-token" { + t.Errorf("token = %q, want %q", cfg.Channels.Pico.Token, "user-custom-token") + } + if !cfg.Channels.Pico.AllowTokenQuery { + t.Error("user's allow_token_query=true must be preserved") + } + if len(cfg.Channels.Pico.AllowOrigins) != 1 || cfg.Channels.Pico.AllowOrigins[0] != "https://myapp.example.com" { + t.Errorf("allow_origins = %v, want [https://myapp.example.com]", cfg.Channels.Pico.AllowOrigins) + } +} + +func TestEnsurePicoChannel_Idempotent(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + origin := "http://localhost:18800" + + // First call sets things up + if _, err := h.ensurePicoChannel(origin); err != nil { + t.Fatalf("first ensurePicoChannel() error = %v", err) + } + + cfg1, _ := config.LoadConfig(configPath) + token1 := cfg1.Channels.Pico.Token + + // Second call should be a no-op + changed, err := h.ensurePicoChannel(origin) + if err != nil { + t.Fatalf("second ensurePicoChannel() error = %v", err) + } + if changed { + t.Error("second ensurePicoChannel() should not report changed") + } + + cfg2, _ := config.LoadConfig(configPath) + if cfg2.Channels.Pico.Token != token1 { + t.Error("token should not change on subsequent calls") + } +} + +func TestHandlePicoSetup_IncludesRequestOrigin(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + req := httptest.NewRequest("POST", "/api/pico/setup", nil) + req.Header.Set("Origin", "http://10.0.0.5:3000") + rec := httptest.NewRecorder() + + h.handlePicoSetup(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if len(cfg.Channels.Pico.AllowOrigins) != 1 || cfg.Channels.Pico.AllowOrigins[0] != "http://10.0.0.5:3000" { + t.Errorf("allow_origins = %v, want [http://10.0.0.5:3000]", cfg.Channels.Pico.AllowOrigins) + } +} + +func TestHandlePicoSetup_Response(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + req := httptest.NewRequest("POST", "/api/pico/setup", nil) + rec := httptest.NewRecorder() + + h.handlePicoSetup(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + var resp map[string]any + if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil { + t.Fatalf("failed to decode response: %v", err) + } + + if resp["token"] == nil || resp["token"] == "" { + t.Error("response should contain a non-empty token") + } + if resp["ws_url"] == nil || resp["ws_url"] == "" { + t.Error("response should contain ws_url") + } + if resp["enabled"] != true { + t.Error("response should have enabled=true") + } + if resp["changed"] != true { + t.Error("response should have changed=true on first setup") + } +} diff --git a/web/frontend/src/lib/pico-chat-controller.ts b/web/frontend/src/lib/pico-chat-controller.ts index be3397bae..0e77d1ad0 100644 --- a/web/frontend/src/lib/pico-chat-controller.ts +++ b/web/frontend/src/lib/pico-chat-controller.ts @@ -165,8 +165,9 @@ export async function connectChat() { console.warn("Could not parse ws_url:", error) } - const url = `${finalWsUrl}?token=${encodeURIComponent(token)}&session_id=${encodeURIComponent(activeSessionIdRef)}` - const socket = new WebSocket(url) + const url = `${finalWsUrl}?session_id=${encodeURIComponent(activeSessionIdRef)}` + // Send token as a subprotocol so it doesn't end up in the URL. + const socket = new WebSocket(url, [`token.${token}`]) if (generation !== connectionGeneration) { socket.close() From 45c01f4d91bd2f1ec7d0945fbca09372571850b9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:42:04 +0800 Subject: [PATCH 07/44] chore(deps): bump golang.org/x/oauth2 from 0.35.0 to 0.36.0 (#1596) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.35.0 to 0.36.0. - [Commits](https://github.com/golang/oauth2/compare/v0.35.0...v0.36.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f29ef7207..a2ce5c511 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/stretchr/testify v1.11.1 github.com/tencent-connect/botgo v0.2.1 go.mau.fi/whatsmeow v0.0.0-20260219150138-7ae702b1eed4 - golang.org/x/oauth2 v0.35.0 + golang.org/x/oauth2 v0.36.0 golang.org/x/time v0.14.0 google.golang.org/protobuf v1.36.11 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index addbab56c..c8ee84e87 100644 --- a/go.sum +++ b/go.sum @@ -270,8 +270,8 @@ golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= -golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= -golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= +golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From dd936302d1223613693c7942364eb4d4d8597b4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:46:54 +0800 Subject: [PATCH 08/44] chore(deps): bump github.com/mymmrac/telego from 1.6.0 to 1.7.0 (#1598) Bumps [github.com/mymmrac/telego](https://github.com/mymmrac/telego) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/mymmrac/telego/releases) - [Commits](https://github.com/mymmrac/telego/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: github.com/mymmrac/telego dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index a2ce5c511..c0e2fa60c 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/larksuite/oapi-sdk-go/v3 v3.5.3 github.com/mdp/qrterminal/v3 v3.2.1 github.com/modelcontextprotocol/go-sdk v1.3.1 - github.com/mymmrac/telego v1.6.0 + github.com/mymmrac/telego v1.7.0 github.com/open-dingtalk/dingtalk-stream-sdk-go v0.9.1 github.com/openai/openai-go/v3 v3.22.0 github.com/rivo/tview v0.42.0 @@ -87,7 +87,7 @@ require ( github.com/twitchyliquid64/golang-asm v0.15.1 // indirect github.com/valyala/bytebufferpool v1.0.0 // indirect github.com/valyala/fasthttp v1.69.0 // indirect - github.com/valyala/fastjson v1.6.7 // indirect + github.com/valyala/fastjson v1.6.10 // indirect github.com/yosida95/uritemplate/v3 v3.0.2 // indirect golang.org/x/arch v0.24.0 // indirect golang.org/x/crypto v0.48.0 // indirect diff --git a/go.sum b/go.sum index c8ee84e87..11be48d87 100644 --- a/go.sum +++ b/go.sum @@ -136,8 +136,8 @@ github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFe github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU= github.com/modelcontextprotocol/go-sdk v1.3.1 h1:TfqtNKOIWN4Z1oqmPAiWDC2Jq7K9OdJaooe0teoXASI= github.com/modelcontextprotocol/go-sdk v1.3.1/go.mod h1:DgVX498dMD8UJlseK1S5i1T4tFz2fkBk4xogC3D15nw= -github.com/mymmrac/telego v1.6.0 h1:Zc8rgyHozvd/7ZgyrigyHdAF9koHYMfilYfyB6wlFC0= -github.com/mymmrac/telego v1.6.0/go.mod h1:xt6ZWA8zi8KmuzryE1ImEdl9JSwjHNpM4yhC7D8hU4Y= +github.com/mymmrac/telego v1.7.0 h1:yRO/l00tFGG4nY66ufUKb4ARqv7qx9+LsjQv/b0NEyo= +github.com/mymmrac/telego v1.7.0/go.mod h1:pdLV346EgVuq7Xrh3kMggeBiazeHhsdEoK0RTEOPXRM= github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w= github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= @@ -216,8 +216,8 @@ github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6Kllzaw github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZyVI= github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw= -github.com/valyala/fastjson v1.6.7 h1:ZE4tRy0CIkh+qDc5McjatheGX2czdn8slQjomexVpBM= -github.com/valyala/fastjson v1.6.7/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY= +github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4= +github.com/valyala/fastjson v1.6.10/go.mod h1:e6FubmQouUNP73jtMLmcbxS6ydWIpOfhz34TSfO3JaE= github.com/vektah/gqlparser/v2 v2.5.27 h1:RHPD3JOplpk5mP5JGX8RKZkt2/Vwj/PZv0HxTdwFp0s= github.com/vektah/gqlparser/v2 v2.5.27/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo= github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU= From e9d240d760bab164ceabf13f58f33d2909a45f37 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:47:46 +0800 Subject: [PATCH 09/44] chore(deps): bump github.com/caarlos0/env/v11 from 11.3.1 to 11.4.0 (#1599) Bumps [github.com/caarlos0/env/v11](https://github.com/caarlos0/env) from 11.3.1 to 11.4.0. - [Release notes](https://github.com/caarlos0/env/releases) - [Commits](https://github.com/caarlos0/env/compare/v11.3.1...v11.4.0) --- updated-dependencies: - dependency-name: github.com/caarlos0/env/v11 dependency-version: 11.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c0e2fa60c..e48b3006f 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/adhocore/gronx v1.19.6 github.com/anthropics/anthropic-sdk-go v1.22.1 github.com/bwmarrin/discordgo v0.29.0 - github.com/caarlos0/env/v11 v11.3.1 + github.com/caarlos0/env/v11 v11.4.0 github.com/ergochat/irc-go v0.5.0 github.com/ergochat/readline v0.1.3 github.com/gdamore/tcell/v2 v2.13.8 diff --git a/go.sum b/go.sum index 11be48d87..810bdac62 100644 --- a/go.sum +++ b/go.sum @@ -23,8 +23,8 @@ github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uS github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k= github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE= github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo= -github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA= -github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U= +github.com/caarlos0/env/v11 v11.4.0 h1:Kcb6t5kIIr4XkoQC9AF2j+8E1Jsrl3Wz/hhm1LtoGAc= +github.com/caarlos0/env/v11 v11.4.0/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M= From 2f40a8c165810a88442630b231d25fbd17937ea3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:51:55 +0800 Subject: [PATCH 10/44] chore(deps): bump github.com/anthropics/anthropic-sdk-go (#1601) Bumps [github.com/anthropics/anthropic-sdk-go](https://github.com/anthropics/anthropic-sdk-go) from 1.22.1 to 1.26.0. - [Release notes](https://github.com/anthropics/anthropic-sdk-go/releases) - [Changelog](https://github.com/anthropics/anthropic-sdk-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/anthropics/anthropic-sdk-go/compare/v1.22.1...v1.26.0) --- updated-dependencies: - dependency-name: github.com/anthropics/anthropic-sdk-go dependency-version: 1.26.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index e48b3006f..6f5de1605 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.25.7 require ( github.com/adhocore/gronx v1.19.6 - github.com/anthropics/anthropic-sdk-go v1.22.1 + github.com/anthropics/anthropic-sdk-go v1.26.0 github.com/bwmarrin/discordgo v0.29.0 github.com/caarlos0/env/v11 v11.4.0 github.com/ergochat/irc-go v0.5.0 diff --git a/go.sum b/go.sum index 810bdac62..0fb4be1b8 100644 --- a/go.sum +++ b/go.sum @@ -11,8 +11,8 @@ github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNg github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ= github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY= -github.com/anthropics/anthropic-sdk-go v1.22.1 h1:xbsc3vJKCX/ELDZSpTNfz9wCgrFsamwFewPb1iI0Xh0= -github.com/anthropics/anthropic-sdk-go v1.22.1/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE= +github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAfT7CoSYSac11PY= +github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q= github.com/beeper/argo-go v1.1.2 h1:UQI2G8F+NLfGTOmTUI0254pGKx/HUU/etbUGTJv91Fs= github.com/beeper/argo-go v1.1.2/go.mod h1:M+LJAnyowKVQ6Rdj6XYGEn+qcVFkb3R/MUpqkGR0hM4= github.com/bwmarrin/discordgo v0.29.0 h1:FmWeXFaKUwrcL3Cx65c20bTRW+vOb6k8AnaP+EgjDno= @@ -38,6 +38,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/elliotchance/orderedmap/v3 v3.1.0 h1:j4DJ5ObEmMBt/lcwIecKcoRxIQUEnw0L804lXYDt/pg= @@ -354,6 +356,7 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= From 43eb6fe20c5670fa15ce261174e0c1a2ac1f3c80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:58:18 +0800 Subject: [PATCH 11/44] chore(deps): bump github.com/github/copilot-sdk/go from 0.1.23 to 0.1.32 (#1603) Bumps [github.com/github/copilot-sdk/go](https://github.com/github/copilot-sdk) from 0.1.23 to 0.1.32. - [Release notes](https://github.com/github/copilot-sdk/releases) - [Changelog](https://github.com/github/copilot-sdk/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/copilot-sdk/compare/v0.1.23...v0.1.32) --- updated-dependencies: - dependency-name: github.com/github/copilot-sdk/go dependency-version: 0.1.32 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6f5de1605..130db73ff 100644 --- a/go.mod +++ b/go.mod @@ -73,7 +73,7 @@ require ( github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect - github.com/github/copilot-sdk/go v0.1.23 + github.com/github/copilot-sdk/go v0.1.32 github.com/go-resty/resty/v2 v2.17.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/jsonschema-go v0.4.2 // indirect diff --git a/go.sum b/go.sum index 0fb4be1b8..a4d8ed3d0 100644 --- a/go.sum +++ b/go.sum @@ -54,8 +54,8 @@ github.com/gdamore/encoding v1.0.1 h1:YzKZckdBL6jVt2Gc+5p82qhrGiqMdG/eNs6Wy0u3Uh github.com/gdamore/encoding v1.0.1/go.mod h1:0Z0cMFinngz9kS1QfMjCP8TY7em3bZYeeklsSDPivEo= github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3RlfU= github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo= -github.com/github/copilot-sdk/go v0.1.23 h1:uExtO/inZQndCZMiSAA1hvXINiz9tqo/MZgQzFzurxw= -github.com/github/copilot-sdk/go v0.1.23/go.mod h1:GdwwBfMbm9AABLEM3x5IZKw4ZfwCYxZ1BgyytmZenQ0= +github.com/github/copilot-sdk/go v0.1.32 h1:wc9SFWwxXhJts6vyzzboPLJqcEJGnHE8rMCAY1RrUgo= +github.com/github/copilot-sdk/go v0.1.32/go.mod h1:qc2iEF7hdO8kzSvbyGvrcGhuk2fzdW4xTtT0+1EH2ts= github.com/go-redis/redis/v8 v8.11.4/go.mod h1:2Z2wHZXdQpCDXEGzqMockDpNyYvi2l4Pxt6RJr792+w= github.com/go-resty/resty/v2 v2.6.0/go.mod h1:PwvJS6hvaPkjtjNg9ph+VrSD92bi5Zq73w/BIH7cC3Q= github.com/go-resty/resty/v2 v2.17.1 h1:x3aMpHK1YM9e4va/TMDRlusDDoZiQ+ViDu/WpA6xTM4= From b8dfd0befc44233c2193f599797aa0c0a781c687 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:58:48 +0800 Subject: [PATCH 12/44] chore(deps): bump jotai from 2.18.0 to 2.18.1 in /web/frontend (#1605) Bumps [jotai](https://github.com/pmndrs/jotai) from 2.18.0 to 2.18.1. - [Release notes](https://github.com/pmndrs/jotai/releases) - [Commits](https://github.com/pmndrs/jotai/compare/v2.18.0...v2.18.1) --- updated-dependencies: - dependency-name: jotai dependency-version: 2.18.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 373b4d468..8d5b77fb9 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -24,7 +24,7 @@ "dayjs": "^1.11.19", "i18next": "^25.8.14", "i18next-browser-languagedetector": "^8.2.1", - "jotai": "^2.18.0", + "jotai": "^2.18.1", "radix-ui": "^1.4.3", "react": "^19.2.0", "react-dom": "^19.2.0", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 75acacfa5..a1ea2a512 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -42,8 +42,8 @@ importers: specifier: ^8.2.1 version: 8.2.1 jotai: - specifier: ^2.18.0 - version: 2.18.0(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4) + specifier: ^2.18.1 + version: 2.18.1(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4) radix-ui: specifier: ^1.4.3 version: 1.4.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) @@ -2669,8 +2669,8 @@ packages: jose@6.1.3: resolution: {integrity: sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==} - jotai@2.18.0: - resolution: {integrity: sha512-XI38kGWAvtxAZ+cwHcTgJsd+kJOJGf3OfL4XYaXWZMZ7IIY8e53abpIHvtVn1eAgJ5dlgwlGFnP4psrZ/vZbtA==} + jotai@2.18.1: + resolution: {integrity: sha512-e0NOzK+yRFwHo7DOp0DS0Ycq74KMEAObDWFGmfEL28PD9nLqBTt3/Ug7jf9ca72x0gC9LQZG9zH+0ISICmy3iA==} engines: {node: '>=12.20.0'} peerDependencies: '@babel/core': '>=7.0.0' @@ -6501,7 +6501,7 @@ snapshots: jose@6.1.3: {} - jotai@2.18.0(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4): + jotai@2.18.1(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4): optionalDependencies: '@babel/core': 7.29.0 '@babel/template': 7.28.6 From a93bd0132933b6a6251395ca4fa8c6fcf67ab3aa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:04:50 +0800 Subject: [PATCH 13/44] chore(deps-dev): bump @vitejs/plugin-react in /web/frontend (#1606) Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 5.1.4 to 5.2.0. - [Release notes](https://github.com/vitejs/vite-plugin-react/releases) - [Changelog](https://github.com/vitejs/vite-plugin-react/blob/plugin-react@5.2.0/packages/plugin-react/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@5.2.0/packages/plugin-react) --- updated-dependencies: - dependency-name: "@vitejs/plugin-react" dependency-version: 5.2.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 8d5b77fb9..189b93fc0 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -48,7 +48,7 @@ "@types/react": "^19.2.7", "@types/react-dom": "^19.2.3", "@typescript-eslint/eslint-plugin": "^8.56.1", - "@vitejs/plugin-react": "^5.1.1", + "@vitejs/plugin-react": "^5.2.0", "eslint": "^9.39.1", "eslint-config-prettier": "^10.1.8", "eslint-plugin-react-hooks": "^7.0.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index a1ea2a512..2510d06ee 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -109,8 +109,8 @@ importers: specifier: ^8.56.1 version: 8.56.1(@typescript-eslint/parser@8.56.1(eslint@9.39.3(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.3(jiti@2.6.1))(typescript@5.9.3) '@vitejs/plugin-react': - specifier: ^5.1.1 - version: 5.1.4(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) + specifier: ^5.2.0 + version: 5.2.0(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) eslint: specifier: ^9.39.1 version: 9.39.3(jiti@2.6.1) @@ -1790,11 +1790,11 @@ packages: '@ungap/structured-clone@1.3.0': resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==} - '@vitejs/plugin-react@5.1.4': - resolution: {integrity: sha512-VIcFLdRi/VYRU8OL/puL7QXMYafHmqOnwTZY50U1JPlCNj30PxCMx65c494b1K9be9hX83KVt0+gTEwTWLqToA==} + '@vitejs/plugin-react@5.2.0': + resolution: {integrity: sha512-YmKkfhOAi3wsB1PhJq5Scj3GXMn3WvtQ/JC0xoopuHoXSdmtdStOpFrYaT1kie2YgFBcIe64ROzMYRjCrYOdYw==} engines: {node: ^20.19.0 || >=22.12.0} peerDependencies: - vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 + vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 accepts@2.0.0: resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==} @@ -5641,7 +5641,7 @@ snapshots: '@ungap/structured-clone@1.3.0': {} - '@vitejs/plugin-react@5.1.4(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': + '@vitejs/plugin-react@5.2.0(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': dependencies: '@babel/core': 7.29.0 '@babel/plugin-transform-react-jsx-self': 7.27.1(@babel/core@7.29.0) From 3bf8a27570112488d1a0f0bdec892e80dee23fb3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:05:03 +0800 Subject: [PATCH 14/44] chore(deps): bump react-i18next from 16.5.4 to 16.5.8 in /web/frontend (#1607) Bumps [react-i18next](https://github.com/i18next/react-i18next) from 16.5.4 to 16.5.8. - [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/react-i18next/compare/v16.5.4...v16.5.8) --- updated-dependencies: - dependency-name: react-i18next dependency-version: 16.5.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 189b93fc0..d6d13a8fd 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -28,7 +28,7 @@ "radix-ui": "^1.4.3", "react": "^19.2.0", "react-dom": "^19.2.0", - "react-i18next": "^16.5.4", + "react-i18next": "^16.5.8", "react-markdown": "^10.1.0", "react-textarea-autosize": "^8.5.9", "remark-gfm": "^4.0.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 2510d06ee..38820d871 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -54,8 +54,8 @@ importers: specifier: ^19.2.0 version: 19.2.4(react@19.2.4) react-i18next: - specifier: ^16.5.4 - version: 16.5.4(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3) + specifier: ^16.5.8 + version: 16.5.8(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3) react-markdown: specifier: ^10.1.0 version: 10.1.0(@types/react@19.2.14)(react@19.2.4) @@ -3323,8 +3323,8 @@ packages: peerDependencies: react: ^19.2.4 - react-i18next@16.5.4: - resolution: {integrity: sha512-6yj+dcfMncEC21QPhOTsW8mOSO+pzFmT6uvU7XXdvM/Cp38zJkmTeMeKmTrmCMD5ToT79FmiE/mRWiYWcJYW4g==} + react-i18next@16.5.8: + resolution: {integrity: sha512-2ABeHHlakxVY+LSirD+OiERxFL6+zip0PaHo979bgwzeHg27Sqc82xxXWIrSFmfWX0ZkrvXMHwhsi/NGUf5VQg==} peerDependencies: i18next: '>= 25.6.2' react: '>= 16.8.0' @@ -7310,7 +7310,7 @@ snapshots: react: 19.2.4 scheduler: 0.27.0 - react-i18next@16.5.4(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3): + react-i18next@16.5.8(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3): dependencies: '@babel/runtime': 7.28.6 html-parse-stringify: 3.0.1 From 99304d1f8e779294439660a443d5d45e5832cd9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:05:17 +0800 Subject: [PATCH 15/44] chore(deps): bump dayjs from 1.11.19 to 1.11.20 in /web/frontend (#1608) Bumps [dayjs](https://github.com/iamkun/dayjs) from 1.11.19 to 1.11.20. - [Release notes](https://github.com/iamkun/dayjs/releases) - [Changelog](https://github.com/iamkun/dayjs/blob/dev/CHANGELOG.md) - [Commits](https://github.com/iamkun/dayjs/compare/v1.11.19...v1.11.20) --- updated-dependencies: - dependency-name: dayjs dependency-version: 1.11.20 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index d6d13a8fd..6a4719adb 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -21,7 +21,7 @@ "@tanstack/react-router-devtools": "^1.163.3", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", - "dayjs": "^1.11.19", + "dayjs": "^1.11.20", "i18next": "^25.8.14", "i18next-browser-languagedetector": "^8.2.1", "jotai": "^2.18.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 38820d871..3c6c4c7cf 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -33,8 +33,8 @@ importers: specifier: ^2.1.1 version: 2.1.1 dayjs: - specifier: ^1.11.19 - version: 1.11.19 + specifier: ^1.11.20 + version: 1.11.20 i18next: specifier: ^25.8.14 version: 25.8.14(typescript@5.9.3) @@ -2060,8 +2060,8 @@ packages: resolution: {integrity: sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==} engines: {node: '>= 12'} - dayjs@1.11.19: - resolution: {integrity: sha512-t5EcLVS6QPBNqM2z8fakk/NKel+Xzshgt8FFKAn+qwlD1pzZWxh0nVCrvFK7ZDb6XucZeF9z8C7CBWTRIVApAw==} + dayjs@1.11.20: + resolution: {integrity: sha512-YbwwqR/uYpeoP4pu043q+LTDLFBLApUP6VxRihdfNTqu4ubqMlGDLd6ErXhEgsyvY0K6nCs7nggYumAN+9uEuQ==} debug@4.4.3: resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==} @@ -5894,7 +5894,7 @@ snapshots: data-uri-to-buffer@4.0.1: {} - dayjs@1.11.19: {} + dayjs@1.11.20: {} debug@4.4.3: dependencies: From 4178b2cec5028ab0b86cc0bdd5c0ff0c2ffbca9f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:05:31 +0800 Subject: [PATCH 16/44] chore(deps): bump @tanstack/react-router in /web/frontend (#1609) Bumps [@tanstack/react-router](https://github.com/TanStack/router/tree/HEAD/packages/react-router) from 1.163.3 to 1.167.0. - [Release notes](https://github.com/TanStack/router/releases) - [Changelog](https://github.com/TanStack/router/blob/main/packages/react-router/CHANGELOG.md) - [Commits](https://github.com/TanStack/router/commits/@tanstack/react-router@1.167.0/packages/react-router) --- updated-dependencies: - dependency-name: "@tanstack/react-router" dependency-version: 1.167.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 85 ++++++++++++++++++++++++++----------- 2 files changed, 61 insertions(+), 26 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 6a4719adb..f3bae6d6a 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -17,7 +17,7 @@ "@tabler/icons-react": "^3.38.0", "@tailwindcss/vite": "^4.2.1", "@tanstack/react-query": "^5.90.21", - "@tanstack/react-router": "^1.163.3", + "@tanstack/react-router": "^1.167.0", "@tanstack/react-router-devtools": "^1.163.3", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 3c6c4c7cf..ac2168798 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -21,11 +21,11 @@ importers: specifier: ^5.90.21 version: 5.90.21(react@19.2.4) '@tanstack/react-router': - specifier: ^1.163.3 - version: 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + specifier: ^1.167.0 + version: 1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4) '@tanstack/react-router-devtools': specifier: ^1.163.3 - version: 1.163.3(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.163.3)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + version: 1.163.3(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.167.0)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) class-variance-authority: specifier: ^0.7.1 version: 0.7.1 @@ -92,7 +92,7 @@ importers: version: 0.5.19(tailwindcss@4.2.1) '@tanstack/router-plugin': specifier: ^1.164.0 - version: 1.164.0(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) + version: 1.164.0(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) '@trivago/prettier-plugin-sort-imports': specifier: ^6.0.2 version: 6.0.2(prettier@3.8.1) @@ -1587,15 +1587,15 @@ packages: '@tanstack/router-core': optional: true - '@tanstack/react-router@1.163.3': - resolution: {integrity: sha512-hheBbFVb+PbxtrWp8iy6+TTRTbhx3Pn6hKo8Tv/sWlG89ZMcD1xpQWzx8ukHN9K8YWbh5rdzt4kv6u8X4kB28Q==} + '@tanstack/react-router@1.167.0': + resolution: {integrity: sha512-U7CamtXjuC8ixg1c32Rj/4A2OFBnjtMLdbgbyOGHrFHE7ULWS/yhnZLVXff0QSyn6qF92Oecek9mDMHCaTnB2Q==} engines: {node: '>=20.19'} peerDependencies: react: '>=18.0.0 || >=19.0.0' react-dom: '>=18.0.0 || >=19.0.0' - '@tanstack/react-store@0.9.1': - resolution: {integrity: sha512-YzJLnRvy5lIEFTLWBAZmcOjK3+2AepnBv/sr6NZmiqJvq7zTQggyK99Gw8fqYdMdHPQWXjz0epFKJXC+9V2xDA==} + '@tanstack/react-store@0.9.2': + resolution: {integrity: sha512-Vt5usJE5sHG/cMechQfmwvwne6ktGCELe89Lmvoxe3LKRoFrhPa8OCKWs0NliG8HTJElEIj7PLtaBQIcux5pAQ==} peerDependencies: react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 @@ -1604,6 +1604,10 @@ packages: resolution: {integrity: sha512-jPptiGq/w3nuPzcMC7RNa79aU+b6OjaDzWJnBcV2UAwL4ThJamRS4h42TdhJE+oF5yH9IEnCOGQdfnbw45LbfA==} engines: {node: '>=20.19'} + '@tanstack/router-core@1.167.0': + resolution: {integrity: sha512-pnaaUP+vMQEyL2XjZGe2PXmtzulxvXfGyvEMUs+AEBaNEk77xWA88bl3ujiBRbUxzpK0rxfJf+eSKPdZmBMFdQ==} + engines: {node: '>=20.19'} + '@tanstack/router-devtools-core@1.163.3': resolution: {integrity: sha512-FPi64IP0PT1IkoeyGmsD6JoOVOYAb85VCH0mUbSdD90yV0+1UB6oT+D7K27GXkp7SXMJN3mBEjU5rKnNnmSCIw==} engines: {node: '>=20.19'} @@ -1646,6 +1650,9 @@ packages: '@tanstack/store@0.9.1': resolution: {integrity: sha512-+qcNkOy0N1qSGsP7omVCW0SDrXtaDcycPqBDE726yryiA5eTDFpjBReaYjghVJwNf1pcPMyzIwTGlYjCSQR0Fg==} + '@tanstack/store@0.9.2': + resolution: {integrity: sha512-K013lUJEFJK2ofFQ/hZKJUmCnpcV00ebLyOyFOWQvyQHUOZp/iYO84BM6aOGiV81JzwbX0APTVmW8YI7yiG5oA==} + '@tanstack/virtual-file-routes@1.161.4': resolution: {integrity: sha512-42WoRePf8v690qG8yGRe/YOh+oHni9vUaUUfoqlS91U2scd3a5rkLtVsc6b7z60w3RogH0I00vdrC5AaeiZ18w==} engines: {node: '>=20.19'} @@ -2648,8 +2655,8 @@ packages: resolution: {integrity: sha512-e6rvdUCiQCAuumZslxRJWR/Doq4VpPR82kqclvcS0efgt430SlGIk05vdCN58+VrzgtIcfNODjozVielycD4Sw==} engines: {node: '>=16'} - isbot@5.1.35: - resolution: {integrity: sha512-waFfC72ZNfwLLuJ2iLaoVaqcNo+CAaLR7xCpAn0Y5WfGzkNHv7ZN39Vbi1y+kb+Zs46XHOX3tZNExroFUPX+Kg==} + isbot@5.1.36: + resolution: {integrity: sha512-C/ZtXyJqDPZ7G7JPr06ApWyYoHjYexQbS6hPYD4WYCzpv2Qes6Z+CCEfTX4Owzf+1EJ933PoI2p+B9v7wpGZBQ==} engines: {node: '>=18'} isexe@2.0.0: @@ -3476,10 +3483,20 @@ packages: peerDependencies: seroval: ^1.0 + seroval-plugins@1.5.1: + resolution: {integrity: sha512-4FbuZ/TMl02sqv0RTFexu0SP6V+ywaIe5bAWCCEik0fk17BhALgwvUDVF7e3Uvf9pxmwCEJsRPmlkUE6HdzLAw==} + engines: {node: '>=10'} + peerDependencies: + seroval: ^1.0 + seroval@1.5.0: resolution: {integrity: sha512-OE4cvmJ1uSPrKorFIH9/w/Qwuvi/IMcGbv5RKgcJ/zjA/IohDLU6SVaxFN9FwajbP7nsX0dQqMDes1whk3y+yw==} engines: {node: '>=10'} + seroval@1.5.1: + resolution: {integrity: sha512-OwrZRZAfhHww0WEnKHDY8OM0U/Qs8OTfIDWhUD4BLpNJUfXK4cGmjiagGze086m+mhI+V2nD0gfbHEnJjb9STA==} + engines: {node: '>=10'} + serve-static@2.2.1: resolution: {integrity: sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==} engines: {node: '>= 18'} @@ -5365,31 +5382,31 @@ snapshots: '@tanstack/query-core': 5.90.20 react: 19.2.4 - '@tanstack/react-router-devtools@1.163.3(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.163.3)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': + '@tanstack/react-router-devtools@1.163.3(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.167.0)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: - '@tanstack/react-router': 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4) - '@tanstack/router-devtools-core': 1.163.3(@tanstack/router-core@1.163.3)(csstype@3.2.3) + '@tanstack/react-router': 1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + '@tanstack/router-devtools-core': 1.163.3(@tanstack/router-core@1.167.0)(csstype@3.2.3) react: 19.2.4 react-dom: 19.2.4(react@19.2.4) optionalDependencies: - '@tanstack/router-core': 1.163.3 + '@tanstack/router-core': 1.167.0 transitivePeerDependencies: - csstype - '@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': + '@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: '@tanstack/history': 1.161.4 - '@tanstack/react-store': 0.9.1(react-dom@19.2.4(react@19.2.4))(react@19.2.4) - '@tanstack/router-core': 1.163.3 - isbot: 5.1.35 + '@tanstack/react-store': 0.9.2(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + '@tanstack/router-core': 1.167.0 + isbot: 5.1.36 react: 19.2.4 react-dom: 19.2.4(react@19.2.4) tiny-invariant: 1.3.3 tiny-warning: 1.0.3 - '@tanstack/react-store@0.9.1(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': + '@tanstack/react-store@0.9.2(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: - '@tanstack/store': 0.9.1 + '@tanstack/store': 0.9.2 react: 19.2.4 react-dom: 19.2.4(react@19.2.4) use-sync-external-store: 1.6.0(react@19.2.4) @@ -5404,9 +5421,19 @@ snapshots: tiny-invariant: 1.3.3 tiny-warning: 1.0.3 - '@tanstack/router-devtools-core@1.163.3(@tanstack/router-core@1.163.3)(csstype@3.2.3)': + '@tanstack/router-core@1.167.0': dependencies: - '@tanstack/router-core': 1.163.3 + '@tanstack/history': 1.161.4 + '@tanstack/store': 0.9.2 + cookie-es: 2.0.0 + seroval: 1.5.1 + seroval-plugins: 1.5.1(seroval@1.5.1) + tiny-invariant: 1.3.3 + tiny-warning: 1.0.3 + + '@tanstack/router-devtools-core@1.163.3(@tanstack/router-core@1.167.0)(csstype@3.2.3)': + dependencies: + '@tanstack/router-core': 1.167.0 clsx: 2.1.1 goober: 2.1.18(csstype@3.2.3) tiny-invariant: 1.3.3 @@ -5426,7 +5453,7 @@ snapshots: transitivePeerDependencies: - supports-color - '@tanstack/router-plugin@1.164.0(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': + '@tanstack/router-plugin@1.164.0(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': dependencies: '@babel/core': 7.29.0 '@babel/plugin-syntax-jsx': 7.28.6(@babel/core@7.29.0) @@ -5442,7 +5469,7 @@ snapshots: unplugin: 2.3.11 zod: 3.25.76 optionalDependencies: - '@tanstack/react-router': 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + '@tanstack/react-router': 1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4) vite: 7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0) transitivePeerDependencies: - supports-color @@ -5463,6 +5490,8 @@ snapshots: '@tanstack/store@0.9.1': {} + '@tanstack/store@0.9.2': {} + '@tanstack/virtual-file-routes@1.161.4': {} '@trivago/prettier-plugin-sort-imports@6.0.2(prettier@3.8.1)': @@ -6489,7 +6518,7 @@ snapshots: dependencies: is-inside-container: 1.0.0 - isbot@5.1.35: {} + isbot@5.1.36: {} isexe@2.0.0: {} @@ -7517,8 +7546,14 @@ snapshots: dependencies: seroval: 1.5.0 + seroval-plugins@1.5.1(seroval@1.5.1): + dependencies: + seroval: 1.5.1 + seroval@1.5.0: {} + seroval@1.5.1: {} + serve-static@2.2.1: dependencies: encodeurl: 2.0.0 From c8065989b0f04336d94ed8aa815a5280778c7462 Mon Sep 17 00:00:00 2001 From: wenjie Date: Mon, 16 Mar 2026 11:58:06 +0800 Subject: [PATCH 17/44] chore(web): upgrade eslint deps to resolve flatted vulnerability (#1629) --- web/frontend/package.json | 4 ++-- web/frontend/pnpm-lock.yaml | 28 ++++++++++++++-------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index f3bae6d6a..973586519 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -40,7 +40,7 @@ "wrap-ansi": "^10.0.0" }, "devDependencies": { - "@eslint/js": "^9.39.1", + "@eslint/js": "^9.39.3", "@tailwindcss/typography": "^0.5.19", "@tanstack/router-plugin": "^1.164.0", "@trivago/prettier-plugin-sort-imports": "^6.0.2", @@ -49,7 +49,7 @@ "@types/react-dom": "^19.2.3", "@typescript-eslint/eslint-plugin": "^8.56.1", "@vitejs/plugin-react": "^5.2.0", - "eslint": "^9.39.1", + "eslint": "^9.39.3", "eslint-config-prettier": "^10.1.8", "eslint-plugin-react-hooks": "^7.0.1", "eslint-plugin-react-refresh": "^0.4.24", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index ac2168798..20f0a7342 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -85,7 +85,7 @@ importers: version: 10.0.0 devDependencies: '@eslint/js': - specifier: ^9.39.1 + specifier: ^9.39.3 version: 9.39.3 '@tailwindcss/typography': specifier: ^0.5.19 @@ -112,7 +112,7 @@ importers: specifier: ^5.2.0 version: 5.2.0(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) eslint: - specifier: ^9.39.1 + specifier: ^9.39.3 version: 9.39.3(jiti@2.6.1) eslint-config-prettier: specifier: ^10.1.8 @@ -469,8 +469,8 @@ packages: resolution: {integrity: sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew==} engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0} - '@eslint/config-array@0.21.1': - resolution: {integrity: sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==} + '@eslint/config-array@0.21.2': + resolution: {integrity: sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} '@eslint/config-helpers@0.4.2': @@ -481,8 +481,8 @@ packages: resolution: {integrity: sha512-yL/sLrpmtDaFEiUj1osRP4TI2MDz1AddJL+jZ7KSqvBuliN4xqYY54IfdN8qD8Toa6g1iloph1fxQNkjOxrrpQ==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} - '@eslint/eslintrc@3.3.4': - resolution: {integrity: sha512-4h4MVF8pmBsncB60r0wSJiIeUKTSD4m7FmTFThG8RHlsg9ajqckLm9OraguFGZE4vVdpiI1Q4+hFnisopmG6gQ==} + '@eslint/eslintrc@3.3.5': + resolution: {integrity: sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} '@eslint/js@9.39.3': @@ -2362,8 +2362,8 @@ packages: resolution: {integrity: sha512-f7ccFPK3SXFHpx15UIGyRJ/FJQctuKZ0zVuN3frBo4HnK3cay9VEW0R6yPYFHC0AgqhukPzKjq22t5DmAyqGyw==} engines: {node: '>=16'} - flatted@3.3.3: - resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==} + flatted@3.4.1: + resolution: {integrity: sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==} formdata-polyfill@4.0.10: resolution: {integrity: sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==} @@ -4285,7 +4285,7 @@ snapshots: '@eslint-community/regexpp@4.12.2': {} - '@eslint/config-array@0.21.1': + '@eslint/config-array@0.21.2': dependencies: '@eslint/object-schema': 2.1.7 debug: 4.4.3 @@ -4301,7 +4301,7 @@ snapshots: dependencies: '@types/json-schema': 7.0.15 - '@eslint/eslintrc@3.3.4': + '@eslint/eslintrc@3.3.5': dependencies: ajv: 6.14.0 debug: 4.4.3 @@ -6077,10 +6077,10 @@ snapshots: dependencies: '@eslint-community/eslint-utils': 4.9.1(eslint@9.39.3(jiti@2.6.1)) '@eslint-community/regexpp': 4.12.2 - '@eslint/config-array': 0.21.1 + '@eslint/config-array': 0.21.2 '@eslint/config-helpers': 0.4.2 '@eslint/core': 0.17.0 - '@eslint/eslintrc': 3.3.4 + '@eslint/eslintrc': 3.3.5 '@eslint/js': 9.39.3 '@eslint/plugin-kit': 0.4.1 '@humanfs/node': 0.16.7 @@ -6270,10 +6270,10 @@ snapshots: flat-cache@4.0.1: dependencies: - flatted: 3.3.3 + flatted: 3.4.1 keyv: 4.5.4 - flatted@3.3.3: {} + flatted@3.4.1: {} formdata-polyfill@4.0.10: dependencies: From 2f10b47f59f01a34ef989fd919d84c6212b5f0ad Mon Sep 17 00:00:00 2001 From: sky5454 Date: Mon, 16 Mar 2026 14:06:32 +0800 Subject: [PATCH 18/44] =?UTF-8?q?feat(credential):=20part1=20add=20AES-GCM?= =?UTF-8?q?=20encryption,=20SecureStore,=20and=20onboard=20ke=E2=80=A6=20(?= =?UTF-8?q?#1521)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat(credential): add AES-GCM encryption, SecureStore, and onboard keygen - pkg/credential: new package with AES-256-GCM enc:// credential format, HKDF-SHA256 key derivation (passphrase + optional SSH key binding), ErrPassphraseRequired / ErrDecryptionFailed sentinel errors, and PassphraseProvider hook for runtime passphrase injection - pkg/credential/store: lock-free SecureStore via atomic.Pointer[string]; passphrase never written to disk or os.Environ - pkg/credential/keygen: ed25519 SSH key generation helper used by onboard - pkg/config: replace os.Getenv(PassphraseEnvVar) with credential.PassphraseProvider() at all three call sites so that LoadConfig and SaveConfig use whatever passphrase source is active - cmd/picoclaw/onboard: prompt for passphrase with echo-off, generate picoclaw-specific SSH key, re-encrypt existing config on re-onboard - docs/credential_encryption.md: design doc for the enc:// format * fix(credential): address Copilot review comments on PR #1521 - credential.go: decouple ErrPassphraseRequired from env var name; message is now 'enc:// passphrase required' since PassphraseProvider may come from any source, not just os.Environ - credential.go: Resolver resolves symlinks via EvalSymlinks before the isWithinDir containment check, preventing symlink-based path traversal for file:// credential references - store.go: tighten comment to describe only what SecureStore guarantees (in-memory only); remove claims about how callers transport the value - store_test.go: replace the meaningless GetReturnsCopy test (Go strings are immutable, equality across two calls proves nothing) with TestSecureStore_ConcurrentSetGet that exercises atomic.Pointer under 10-goroutine concurrent Set/Get load - config_test.go: update error-message assertion to match new sentinel text - docs/credential_encryption.md: remove reference to non-existent 'picoclaw encrypt' subcommand; describe the onboard flow instead * fix(config): encryptPlaintextAPIKeys: struct-based encryption, fail-fast, remove raw []byte * fix(credential): require SSH private key for encryption/decryption, remove passphrase-only mode * lint: fix credential keygen lint, fix test keygen * onboard: make encryption opt-in via --enc flag Encryption (passphrase prompt + SSH key generation) is now only triggered when the user passes --enc to 'picoclaw onboard'. Without the flag, onboard skips the credential-encryption setup and writes a plain config + workspace templates directly. - Add --enc BoolFlag in NewOnboardCommand() - Pass encrypt bool into onboard() - Guard passphrase prompt, SSH key generation, and related env-var setup behind the encrypt branch - Adjust 'Next steps' output so the passphrase reminder only appears when --enc was used --- cmd/picoclaw/internal/onboard/command.go | 7 +- cmd/picoclaw/internal/onboard/command_test.go | 5 +- cmd/picoclaw/internal/onboard/helpers.go | 133 ++++++- docs/credential_encryption.md | 168 ++++++++ pkg/config/config.go | 72 +++- pkg/config/config_test.go | 365 +++++++++++++++++- pkg/credential/credential.go | 335 ++++++++++++++++ pkg/credential/credential_test.go | 283 ++++++++++++++ pkg/credential/keygen.go | 62 +++ pkg/credential/keygen_test.go | 115 ++++++ pkg/credential/store.go | 44 +++ pkg/credential/store_test.go | 81 ++++ 12 files changed, 1649 insertions(+), 21 deletions(-) create mode 100644 docs/credential_encryption.md create mode 100644 pkg/credential/credential.go create mode 100644 pkg/credential/credential_test.go create mode 100644 pkg/credential/keygen.go create mode 100644 pkg/credential/keygen_test.go create mode 100644 pkg/credential/store.go create mode 100644 pkg/credential/store_test.go diff --git a/cmd/picoclaw/internal/onboard/command.go b/cmd/picoclaw/internal/onboard/command.go index ec1012959..9f8b288c6 100644 --- a/cmd/picoclaw/internal/onboard/command.go +++ b/cmd/picoclaw/internal/onboard/command.go @@ -11,14 +11,19 @@ import ( var embeddedFiles embed.FS func NewOnboardCommand() *cobra.Command { + var encrypt bool + cmd := &cobra.Command{ Use: "onboard", Aliases: []string{"o"}, Short: "Initialize picoclaw configuration and workspace", Run: func(cmd *cobra.Command, args []string) { - onboard() + onboard(encrypt) }, } + cmd.Flags().BoolVar(&encrypt, "enc", false, + "Enable credential encryption (generates SSH key and prompts for passphrase)") + return cmd } diff --git a/cmd/picoclaw/internal/onboard/command_test.go b/cmd/picoclaw/internal/onboard/command_test.go index bc799a079..56936190b 100644 --- a/cmd/picoclaw/internal/onboard/command_test.go +++ b/cmd/picoclaw/internal/onboard/command_test.go @@ -24,6 +24,9 @@ func TestNewOnboardCommand(t *testing.T) { assert.Nil(t, cmd.PersistentPreRun) assert.Nil(t, cmd.PersistentPostRun) - assert.False(t, cmd.HasFlags()) + assert.True(t, cmd.HasFlags()) + encFlag := cmd.Flags().Lookup("enc") + require.NotNil(t, encFlag, "expected --enc flag to be registered") + assert.Equal(t, "false", encFlag.DefValue, "--enc should default to false") assert.False(t, cmd.HasSubCommands()) } diff --git a/cmd/picoclaw/internal/onboard/helpers.go b/cmd/picoclaw/internal/onboard/helpers.go index 4db8bdc8b..6f1d4bdd7 100644 --- a/cmd/picoclaw/internal/onboard/helpers.go +++ b/cmd/picoclaw/internal/onboard/helpers.go @@ -6,25 +6,71 @@ import ( "os" "path/filepath" + "golang.org/x/term" + "github.com/sipeed/picoclaw/cmd/picoclaw/internal" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/credential" ) -func onboard() { +func onboard(encrypt bool) { configPath := internal.GetConfigPath() + configExists := false if _, err := os.Stat(configPath); err == nil { - fmt.Printf("Config already exists at %s\n", configPath) - fmt.Print("Overwrite? (y/n): ") - var response string - fmt.Scanln(&response) - if response != "y" { - fmt.Println("Aborted.") - return + configExists = true + if encrypt { + // Only ask for confirmation when *both* config and SSH key already exist, + // indicating a full re-onboard that would reset the config to defaults. + sshKeyPath, _ := credential.DefaultSSHKeyPath() + if _, err := os.Stat(sshKeyPath); err == nil { + // Both exist — confirm a full reset. + fmt.Printf("Config already exists at %s\n", configPath) + fmt.Print("Overwrite config with defaults? (y/n): ") + var response string + fmt.Scanln(&response) + if response != "y" { + fmt.Println("Aborted.") + return + } + configExists = false // user agreed to reset; treat as fresh + } + // Config exists but SSH key is missing — keep existing config, only add SSH key. } } - cfg := config.DefaultConfig() + var err error + if encrypt { + fmt.Println("\nSet up credential encryption") + fmt.Println("-----------------------------") + passphrase, pErr := promptPassphrase() + if pErr != nil { + fmt.Printf("Error: %v\n", pErr) + os.Exit(1) + } + // Expose the passphrase to credential.PassphraseProvider (which calls + // os.Getenv by default) so that SaveConfig can encrypt api_keys. + // This process is a one-shot CLI tool; the env var is never exposed outside + // the current process and disappears when it exits. + os.Setenv(credential.PassphraseEnvVar, passphrase) + + if err = setupSSHKey(); err != nil { + fmt.Printf("Error generating SSH key: %v\n", err) + os.Exit(1) + } + } + + var cfg *config.Config + if configExists { + // Preserve the existing config; SaveConfig will re-encrypt api_keys with the new passphrase. + cfg, err = config.LoadConfig(configPath) + if err != nil { + fmt.Printf("Error loading existing config: %v\n", err) + os.Exit(1) + } + } else { + cfg = config.DefaultConfig() + } if err := config.SaveConfig(configPath, cfg); err != nil { fmt.Printf("Error saving config: %v\n", err) os.Exit(1) @@ -33,9 +79,17 @@ func onboard() { workspace := cfg.WorkspacePath() createWorkspaceTemplates(workspace) - fmt.Printf("%s picoclaw is ready!\n", internal.Logo) + fmt.Printf("\n%s picoclaw is ready!\n", internal.Logo) fmt.Println("\nNext steps:") - fmt.Println(" 1. Add your API key to", configPath) + if encrypt { + fmt.Println(" 1. Set your encryption passphrase before starting picoclaw:") + fmt.Println(" export PICOCLAW_KEY_PASSPHRASE= # Linux/macOS") + fmt.Println(" set PICOCLAW_KEY_PASSPHRASE= # Windows cmd") + fmt.Println("") + fmt.Println(" 2. Add your API key to", configPath) + } else { + fmt.Println(" 1. Add your API key to", configPath) + } fmt.Println("") fmt.Println(" Recommended:") fmt.Println(" - OpenRouter: https://openrouter.ai/keys (access 100+ models)") @@ -43,7 +97,62 @@ func onboard() { fmt.Println("") fmt.Println(" See README.md for 17+ supported providers.") fmt.Println("") - fmt.Println(" 2. Chat: picoclaw agent -m \"Hello!\"") + fmt.Println(" 3. Chat: picoclaw agent -m \"Hello!\"") +} + +// promptPassphrase reads the encryption passphrase twice from the terminal +// (with echo disabled) and returns it. Returns an error if the passphrase is +// empty or if the two inputs do not match. +func promptPassphrase() (string, error) { + fmt.Print("Enter passphrase for credential encryption: ") + p1, err := term.ReadPassword(int(os.Stdin.Fd())) + fmt.Println() + if err != nil { + return "", fmt.Errorf("reading passphrase: %w", err) + } + if len(p1) == 0 { + return "", fmt.Errorf("passphrase must not be empty") + } + + fmt.Print("Confirm passphrase: ") + p2, err := term.ReadPassword(int(os.Stdin.Fd())) + fmt.Println() + if err != nil { + return "", fmt.Errorf("reading passphrase confirmation: %w", err) + } + + if string(p1) != string(p2) { + return "", fmt.Errorf("passphrases do not match") + } + return string(p1), nil +} + +// setupSSHKey generates the picoclaw-specific SSH key at ~/.ssh/picoclaw_ed25519.key. +// If the key already exists the user is warned and asked to confirm overwrite. +// Answering anything other than "y" keeps the existing key (not an error). +func setupSSHKey() error { + keyPath, err := credential.DefaultSSHKeyPath() + if err != nil { + return fmt.Errorf("cannot determine SSH key path: %w", err) + } + + if _, err := os.Stat(keyPath); err == nil { + fmt.Printf("\n⚠️ WARNING: %s already exists.\n", keyPath) + fmt.Println(" Overwriting will invalidate any credentials previously encrypted with this key.") + fmt.Print(" Overwrite? (y/n): ") + var response string + fmt.Scanln(&response) + if response != "y" { + fmt.Println("Keeping existing SSH key.") + return nil + } + } + + if err := credential.GenerateSSHKey(keyPath); err != nil { + return err + } + fmt.Printf("SSH key generated: %s\n", keyPath) + return nil } func createWorkspaceTemplates(workspace string) { diff --git a/docs/credential_encryption.md b/docs/credential_encryption.md new file mode 100644 index 000000000..448eaaa10 --- /dev/null +++ b/docs/credential_encryption.md @@ -0,0 +1,168 @@ +# Credential Encryption + +PicoClaw supports encrypting `api_key` values in `model_list` configuration entries. +Encrypted keys are stored as `enc://` strings and decrypted automatically at startup. + +--- + +## Quick Start + +**1. Set your passphrase** + +```bash +export PICOCLAW_KEY_PASSPHRASE="your-passphrase" +``` + +**2. Encrypt an API key** + +Run `picoclaw onboard` — it prompts for your passphrase and generates the SSH key, +then automatically re-encrypts any plaintext `api_key` entries in your config on +the next `SaveConfig` call. The resulting `enc://` value will look like: + +``` +enc://AAAA...base64... +``` + +**3. Paste the output into your config** + +```json +{ + "model_list": [ + { + "model_name": "gpt-4o", + "api_key": "enc://AAAA...base64...", + "base_url": "https://api.openai.com/v1" + } + ] +} +``` + +--- + +## Supported `api_key` Formats + +| Format | Example | Behaviour | +|--------|---------|-----------| +| Plaintext | `sk-abc123` | Used as-is | +| File reference | `file://openai.key` | Content read from the same directory as the config file | +| Encrypted | `enc://` | Decrypted at startup using `PICOCLAW_KEY_PASSPHRASE` | +| Empty | `""` | Passed through unchanged (used with `auth_method: oauth`) | + +--- + +## Cryptographic Design + +### Key Derivation + +Encryption uses **HKDF-SHA256** with an optional SSH private key as a second factor. + +``` +Without SSH key (passphrase only): + + ikm = SHA256(passphrase) + aes_key = HKDF-SHA256(ikm, salt, info="picoclaw-credential-v1", 32 bytes) + + +With SSH key (recommended): + + sshHash = SHA256(ssh_private_key_file_bytes) + ikm = HMAC-SHA256(key=sshHash, message=passphrase) + aes_key = HKDF-SHA256(ikm, salt, info="picoclaw-credential-v1", 32 bytes) +``` + +### Encryption + +``` +AES-256-GCM(key=aes_key, nonce=random[12], plaintext=api_key) +``` + +### Wire Format + +``` +enc:// +``` + +| Field | Size | Description | +|-------|------|-------------| +| `salt` | 16 bytes | Random per encryption; fed into HKDF | +| `nonce` | 12 bytes | Random per encryption; AES-GCM IV | +| `ciphertext` | variable | AES-256-GCM ciphertext + 16-byte authentication tag | + +The GCM authentication tag is appended to the ciphertext automatically. Any tampering causes decryption to fail with an error rather than returning corrupt plaintext. + +### Performance + +| Operation | Time (ARM Cortex-A) | +|-----------|---------------------| +| Key derivation (HKDF) | < 1 ms | +| AES-256-GCM decrypt | < 1 ms | +| **Total startup overhead** | **< 2 ms per key** | + +--- + +## Two-Factor Security with SSH Key + +When a SSH private key is provided, breaking the encryption requires **both**: + +1. The **passphrase** (`PICOCLAW_KEY_PASSPHRASE`) +2. The **SSH private key file** + +This means a leaked config file alone is not sufficient to recover the API key, even if the passphrase is weak. The SSH key contributes 256 bits of entropy (Ed25519) regardless of passphrase strength. + +### Threat Model + +| Attacker Has | Can Decrypt? | +|---|---| +| Config file only | No — needs passphrase + SSH key | +| SSH key only | No — needs passphrase | +| Passphrase only | No — needs SSH key | +| Config file + SSH key + passphrase | Yes — full compromise | + +--- + +## Environment Variables + +| Variable | Required | Description | +|----------|----------|-------------| +| `PICOCLAW_KEY_PASSPHRASE` | Yes (for `enc://`) | Passphrase used for key derivation | +| `PICOCLAW_SSH_KEY_PATH` | No | Path to SSH private key. Set to `""` to disable auto-detection and use passphrase-only mode | + +### SSH Key Auto-Detection + +If `PICOCLAW_SSH_KEY_PATH` is not set, PicoClaw looks for the picoclaw-specific key: + +``` +~/.ssh/picoclaw_ed25519.key +``` + +This dedicated file avoids conflicts with the user's existing SSH keys. +Run `picoclaw onboard` to generate it automatically. + +`os.UserHomeDir()` is used for cross-platform home directory resolution (reads `USERPROFILE` on Windows, `HOME` on Unix/macOS). + +To explicitly disable SSH key usage and use passphrase-only mode: + +```bash +export PICOCLAW_SSH_KEY_PATH="" +``` + +--- + +## Migration + +Because the only secret material is `PICOCLAW_KEY_PASSPHRASE` and the SSH private key file, migration is straightforward: + +1. Copy the config file to the new machine. +2. Set `PICOCLAW_KEY_PASSPHRASE` to the same value. +3. Copy the SSH private key file to the same path (or set `PICOCLAW_SSH_KEY_PATH` to its new location). + +No re-encryption is needed. + +--- + +## Security Considerations + +- **Passphrase strength matters in passphrase-only mode.** Without an SSH key, a weak passphrase can be brute-forced offline. Use `PICOCLAW_SSH_KEY_PATH=""` only in environments where no SSH key is available and the passphrase is sufficiently strong (≥ 32 random characters). +- **The SSH key is read-only at runtime.** PicoClaw never writes to or modifies the SSH key file. +- **Plaintext keys remain supported.** Existing configs without `enc://` are unaffected. +- **The `enc://` format is versioned** via the HKDF `info` field (`picoclaw-credential-v1`), allowing future algorithm upgrades without breaking existing encrypted values. diff --git a/pkg/config/config.go b/pkg/config/config.go index 190341224..2937c36e4 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -4,11 +4,13 @@ import ( "encoding/json" "fmt" "os" + "path/filepath" "strings" "sync/atomic" "github.com/caarlos0/env/v11" + "github.com/sipeed/picoclaw/pkg/credential" "github.com/sipeed/picoclaw/pkg/fileutil" ) @@ -837,10 +839,24 @@ func LoadConfig(path string) (*Config, error) { return nil, err } + if passphrase := credential.PassphraseProvider(); passphrase != "" { + for _, m := range cfg.ModelList { + if m.APIKey != "" && !strings.HasPrefix(m.APIKey, "enc://") && !strings.HasPrefix(m.APIKey, "file://") { + fmt.Fprintf(os.Stderr, + "picoclaw: warning: model %q has a plaintext api_key; call SaveConfig to encrypt it\n", + m.ModelName) + } + } + } + if err := env.Parse(cfg); err != nil { return nil, err } + if err := resolveAPIKeys(cfg.ModelList, filepath.Dir(path)); err != nil { + return nil, err + } + // Migrate legacy channel config fields to new unified structures cfg.migrateChannelConfigs() @@ -857,6 +873,48 @@ func LoadConfig(path string) (*Config, error) { return cfg, nil } +// encryptPlaintextAPIKeys returns a copy of models with plaintext api_key values +// encrypted. Returns (nil, nil) when nothing changed (all keys already sealed or +// empty). Returns (nil, error) if any key fails to encrypt — callers must treat +// this as a hard failure to prevent a mixed plaintext/ciphertext state on disk. +// Symmetric counterpart of resolveAPIKeys: both operate purely on []ModelConfig +// and leave JSON marshaling to the caller. +func encryptPlaintextAPIKeys(models []ModelConfig, passphrase string) ([]ModelConfig, error) { + sealed := make([]ModelConfig, len(models)) + copy(sealed, models) + changed := false + for i := range sealed { + m := &sealed[i] + if m.APIKey == "" || strings.HasPrefix(m.APIKey, "enc://") || strings.HasPrefix(m.APIKey, "file://") { + continue + } + encrypted, err := credential.Encrypt(passphrase, "", m.APIKey) + if err != nil { + return nil, fmt.Errorf("cannot seal api_key for model %q: %w", m.ModelName, err) + } + m.APIKey = encrypted + changed = true + } + if !changed { + return nil, nil + } + return sealed, nil +} + +// resolveAPIKeys decrypts or dereferences each api_key in models in-place. +// Supports plaintext (no-op), file:// (read from configDir), and enc:// (AES-GCM decrypt). +func resolveAPIKeys(models []ModelConfig, configDir string) error { + cr := credential.NewResolver(configDir) + for i := range models { + resolved, err := cr.Resolve(models[i].APIKey) + if err != nil { + return fmt.Errorf("model_list[%d] (%s): %w", i, models[i].ModelName, err) + } + models[i].APIKey = resolved + } + return nil +} + func (c *Config) migrateChannelConfigs() { // Discord: mention_only -> group_trigger.mention_only if c.Channels.Discord.MentionOnly && !c.Channels.Discord.GroupTrigger.MentionOnly { @@ -871,12 +929,22 @@ func (c *Config) migrateChannelConfigs() { } func SaveConfig(path string, cfg *Config) error { + if passphrase := credential.PassphraseProvider(); passphrase != "" { + sealed, err := encryptPlaintextAPIKeys(cfg.ModelList, passphrase) + if err != nil { + return err + } + if sealed != nil { + tmp := *cfg + tmp.ModelList = sealed + cfg = &tmp + } + } + data, err := json.MarshalIndent(cfg, "", " ") if err != nil { return err } - - // Use unified atomic write utility with explicit sync for flash storage reliability. return fileutil.WriteFileAtomic(path, data, 0o600) } diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index c5bdbf3c3..4c4dd9421 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -7,8 +7,22 @@ import ( "runtime" "strings" "testing" + + "github.com/sipeed/picoclaw/pkg/credential" ) +// mustSetupSSHKey generates a temporary Ed25519 SSH key in t.TempDir() and sets +// PICOCLAW_SSH_KEY_PATH to its path for the duration of the test. This is required +// whenever a test exercises encryption/decryption via credential.Encrypt or SaveConfig. +func mustSetupSSHKey(t *testing.T) { + t.Helper() + keyPath := filepath.Join(t.TempDir(), "picoclaw_ed25519.key") + if err := credential.GenerateSSHKey(keyPath); err != nil { + t.Fatalf("mustSetupSSHKey: %v", err) + } + t.Setenv("PICOCLAW_SSH_KEY_PATH", keyPath) +} + func TestAgentModelConfig_UnmarshalString(t *testing.T) { var m AgentModelConfig if err := json.Unmarshal([]byte(`"gpt-4"`), &m); err != nil { @@ -482,13 +496,19 @@ func TestDefaultConfig_DMScope(t *testing.T) { } func TestDefaultConfig_WorkspacePath_Default(t *testing.T) { - // Unset to ensure we test the default t.Setenv("PICOCLAW_HOME", "") - // Set a known home for consistent test results - t.Setenv("HOME", "/tmp/home") + + var fakeHome string + if runtime.GOOS == "windows" { + fakeHome = `C:\tmp\home` + t.Setenv("USERPROFILE", fakeHome) + } else { + fakeHome = "/tmp/home" + t.Setenv("HOME", fakeHome) + } cfg := DefaultConfig() - want := filepath.Join("/tmp/home", ".picoclaw", "workspace") + want := filepath.Join(fakeHome, ".picoclaw", "workspace") if cfg.Agents.Defaults.Workspace != want { t.Errorf("Default workspace path = %q, want %q", cfg.Agents.Defaults.Workspace, want) @@ -499,7 +519,7 @@ func TestDefaultConfig_WorkspacePath_WithPicoclawHome(t *testing.T) { t.Setenv("PICOCLAW_HOME", "/custom/picoclaw/home") cfg := DefaultConfig() - want := "/custom/picoclaw/home/workspace" + want := filepath.Join("/custom/picoclaw/home", "workspace") if cfg.Agents.Defaults.Workspace != want { t.Errorf("Workspace path with PICOCLAW_HOME = %q, want %q", cfg.Agents.Defaults.Workspace, want) @@ -621,3 +641,338 @@ func TestFlexibleStringSlice_UnmarshalText_EmptySliceConsistency(t *testing.T) { } }) } + +// TestLoadConfig_WarnsForPlaintextAPIKey verifies that LoadConfig resolves a plaintext +// api_key into memory but does NOT rewrite the config file. File writes are the sole +// responsibility of SaveConfig. +func TestLoadConfig_WarnsForPlaintextAPIKey(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + const original = `{"model_list":[{"model_name":"test","model":"openai/gpt-4","api_key":"sk-plaintext"}]}` + if err := os.WriteFile(cfgPath, []byte(original), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + cfg, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig: %v", err) + } + // In-memory value must be the resolved plaintext. + if cfg.ModelList[0].APIKey != "sk-plaintext" { + t.Errorf("in-memory api_key = %q, want %q", cfg.ModelList[0].APIKey, "sk-plaintext") + } + // The file on disk must remain unchanged — LoadConfig must not write anything. + raw, _ := os.ReadFile(cfgPath) + if string(raw) != original { + t.Errorf("LoadConfig must not modify the config file; got:\n%s", string(raw)) + } +} + +// TestSaveConfig_EncryptsPlaintextAPIKey verifies that SaveConfig writes enc:// ciphertext +// to disk and that a subsequent LoadConfig decrypts it back to the original plaintext. +func TestSaveConfig_EncryptsPlaintextAPIKey(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + mustSetupSSHKey(t) + + cfg := DefaultConfig() + cfg.ModelList = []ModelConfig{ + {ModelName: "test", Model: "openai/gpt-4", APIKey: "sk-plaintext"}, + } + if err := SaveConfig(cfgPath, cfg); err != nil { + t.Fatalf("SaveConfig: %v", err) + } + + // Disk must contain enc://, not the raw key. + raw, _ := os.ReadFile(cfgPath) + if !strings.Contains(string(raw), "enc://") { + t.Errorf("saved file should contain enc://, got:\n%s", string(raw)) + } + if strings.Contains(string(raw), "sk-plaintext") { + t.Errorf("saved file must not contain the plaintext key") + } + + // A fresh load must decrypt back to the original plaintext. + cfg2, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig after SaveConfig: %v", err) + } + if cfg2.ModelList[0].APIKey != "sk-plaintext" { + t.Errorf("loaded api_key = %q, want %q", cfg2.ModelList[0].APIKey, "sk-plaintext") + } +} + +// TestLoadConfig_NoSealWithoutPassphrase verifies that api_key values are left +// unchanged when PICOCLAW_KEY_PASSPHRASE is not set. +func TestLoadConfig_NoSealWithoutPassphrase(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + data := `{"model_list":[{"model_name":"test","model":"openai/gpt-4","api_key":"sk-plaintext"}]}` + if err := os.WriteFile(cfgPath, []byte(data), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + if _, err := LoadConfig(cfgPath); err != nil { + t.Fatalf("LoadConfig: %v", err) + } + + raw, _ := os.ReadFile(cfgPath) + if strings.Contains(string(raw), "enc://") { + t.Error("config file must not be modified when no passphrase is set") + } +} + +// TestLoadConfig_FileRefNotSealed verifies that file:// api_key references are not +// converted to enc:// values (they are resolved at runtime by the Resolver). +func TestLoadConfig_FileRefNotSealed(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + keyFile := filepath.Join(dir, "openai.key") + if err := os.WriteFile(keyFile, []byte("sk-from-file"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + data := `{"model_list":[{"model_name":"test","model":"openai/gpt-4","api_key":"file://openai.key"}]}` + if err := os.WriteFile(cfgPath, []byte(data), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + if _, err := LoadConfig(cfgPath); err != nil { + t.Fatalf("LoadConfig: %v", err) + } + + raw, _ := os.ReadFile(cfgPath) + if !strings.Contains(string(raw), "file://openai.key") { + t.Error("file:// reference should be preserved unchanged in the config file") + } + if strings.Contains(string(raw), "enc://") { + t.Error("file:// reference must not be converted to enc://") + } +} + +// TestSaveConfig_MixedKeys verifies that SaveConfig encrypts only plaintext api_keys +// and leaves already-encrypted (enc://) and file:// entries unchanged. +func TestSaveConfig_MixedKeys(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + mustSetupSSHKey(t) + + // Pre-encrypt one key so we have a genuine enc:// value to put in the config. + if err := SaveConfig(cfgPath, &Config{ + ModelList: []ModelConfig{ + {ModelName: "pre", Model: "openai/gpt-4", APIKey: "sk-already-plain"}, + }, + }); err != nil { + t.Fatalf("setup SaveConfig: %v", err) + } + raw, _ := os.ReadFile(cfgPath) + // Extract the enc:// value from the saved file. + var tmp struct { + ModelList []struct { + APIKey string `json:"api_key"` + } `json:"model_list"` + } + if err := json.Unmarshal(raw, &tmp); err != nil || len(tmp.ModelList) == 0 { + t.Fatalf("setup: could not parse saved config: %v", err) + } + alreadyEncrypted := tmp.ModelList[0].APIKey + if !strings.HasPrefix(alreadyEncrypted, "enc://") { + t.Fatalf("setup: expected enc:// key, got %q", alreadyEncrypted) + } + + // Build a config with three models: + // 1. plaintext → must be encrypted by SaveConfig + // 2. enc:// → must be left unchanged (already encrypted) + // 3. file:// → must be left unchanged (file reference) + keyFile := filepath.Join(dir, "api.key") + if err := os.WriteFile(keyFile, []byte("sk-from-file"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + cfg := &Config{ + ModelList: []ModelConfig{ + {ModelName: "plain", Model: "openai/gpt-4", APIKey: "sk-new-plaintext"}, + {ModelName: "enc", Model: "openai/gpt-4", APIKey: alreadyEncrypted}, + {ModelName: "file", Model: "openai/gpt-4", APIKey: "file://api.key"}, + }, + } + if err := SaveConfig(cfgPath, cfg); err != nil { + t.Fatalf("SaveConfig: %v", err) + } + + raw, _ = os.ReadFile(cfgPath) + s := string(raw) + + // 1. Plaintext must be encrypted. + if strings.Contains(s, "sk-new-plaintext") { + t.Error("plaintext key must not appear in saved file") + } + // 2. The pre-existing enc:// value must still be present (byte-for-byte unchanged). + if !strings.Contains(s, alreadyEncrypted) { + t.Error("pre-existing enc:// entry must be preserved unchanged") + } + // 3. file:// must be preserved. + if !strings.Contains(s, "file://api.key") { + t.Error("file:// reference must be preserved unchanged") + } + + // Now load and verify all three decrypt/resolve correctly. + cfg2, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig after SaveConfig: %v", err) + } + byName := make(map[string]string) + for _, m := range cfg2.ModelList { + byName[m.ModelName] = m.APIKey + } + if byName["plain"] != "sk-new-plaintext" { + t.Errorf("plain model api_key = %q, want %q", byName["plain"], "sk-new-plaintext") + } + if byName["enc"] != "sk-already-plain" { + t.Errorf("enc model api_key = %q, want %q", byName["enc"], "sk-already-plain") + } + if byName["file"] != "sk-from-file" { + t.Errorf("file model api_key = %q, want %q", byName["file"], "sk-from-file") + } +} + +// TestLoadConfig_MixedKeys_NoPassphrase verifies that when PICOCLAW_KEY_PASSPHRASE +// is not set, enc:// entries cause LoadConfig to return an error, while plaintext +// and file:// entries in the same config are not affected. +func TestLoadConfig_MixedKeys_NoPassphrase(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + // First encrypt a key so we have a real enc:// value. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + mustSetupSSHKey(t) + if err := SaveConfig(cfgPath, &Config{ + ModelList: []ModelConfig{ + {ModelName: "m", Model: "openai/gpt-4", APIKey: "sk-secret"}, + }, + }); err != nil { + t.Fatalf("setup SaveConfig: %v", err) + } + raw, _ := os.ReadFile(cfgPath) + var tmp struct { + ModelList []struct { + APIKey string `json:"api_key"` + } `json:"model_list"` + } + if err := json.Unmarshal(raw, &tmp); err != nil { + t.Fatalf("setup parse: %v", err) + } + encValue := tmp.ModelList[0].APIKey + + // Write a mixed config: enc:// + plaintext + file:// + keyFile := filepath.Join(dir, "api.key") + if err := os.WriteFile(keyFile, []byte("sk-from-file"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + mixed, _ := json.Marshal(map[string]any{ + "model_list": []map[string]any{ + {"model_name": "enc", "model": "openai/gpt-4", "api_key": encValue}, + {"model_name": "plain", "model": "openai/gpt-4", "api_key": "sk-plain"}, + {"model_name": "file", "model": "openai/gpt-4", "api_key": "file://api.key"}, + }, + }) + if err := os.WriteFile(cfgPath, mixed, 0o600); err != nil { + t.Fatalf("setup write: %v", err) + } + + // Now clear the passphrase — LoadConfig must fail because enc:// cannot be decrypted. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + + _, err := LoadConfig(cfgPath) + if err == nil { + t.Fatal("LoadConfig should fail when enc:// key is present and no passphrase is set") + } + if !strings.Contains(err.Error(), "passphrase required") { + t.Errorf("error should mention passphrase required, got: %v", err) + } +} + +// TestSaveConfig_UsesPassphraseProvider verifies that SaveConfig encrypts plaintext +// api_keys using credential.PassphraseProvider() rather than os.Getenv directly. +// This matters for the launcher, which clears the environment variable and redirects +// PassphraseProvider to an in-memory SecureStore. +func TestSaveConfig_UsesPassphraseProvider(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + // Ensure the env var is empty — passphrase must come from PassphraseProvider only. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + mustSetupSSHKey(t) + + // Replace PassphraseProvider with an in-memory function (simulating SecureStore). + const testPassphrase = "provider-passphrase" + orig := credential.PassphraseProvider + credential.PassphraseProvider = func() string { return testPassphrase } + t.Cleanup(func() { credential.PassphraseProvider = orig }) + + cfg := DefaultConfig() + cfg.ModelList = []ModelConfig{ + {ModelName: "test", Model: "openai/gpt-4", APIKey: "sk-plaintext"}, + } + if err := SaveConfig(cfgPath, cfg); err != nil { + t.Fatalf("SaveConfig: %v", err) + } + + raw, _ := os.ReadFile(cfgPath) + if !strings.Contains(string(raw), "enc://") { + t.Errorf("SaveConfig should have encrypted plaintext key via PassphraseProvider; got:\n%s", raw) + } +} + +// TestLoadConfig_UsesPassphraseProvider verifies that LoadConfig decrypts enc:// keys +// using credential.PassphraseProvider() rather than os.Getenv directly. +func TestLoadConfig_UsesPassphraseProvider(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + // Ensure the env var is empty throughout. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + mustSetupSSHKey(t) + + const testPassphrase = "provider-passphrase" + const plainKey = "sk-secret" + + // First, encrypt the key using the same passphrase. + encrypted, err := credential.Encrypt(testPassphrase, "", plainKey) + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + raw, _ := json.Marshal(map[string]any{ + "model_list": []map[string]any{ + {"model_name": "test", "model": "openai/gpt-4", "api_key": encrypted}, + }, + }) + if err = os.WriteFile(cfgPath, raw, 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + // Redirect PassphraseProvider — env var is empty, so without this the load would fail. + orig := credential.PassphraseProvider + credential.PassphraseProvider = func() string { return testPassphrase } + t.Cleanup(func() { credential.PassphraseProvider = orig }) + + cfg, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig: %v", err) + } + if cfg.ModelList[0].APIKey != plainKey { + t.Errorf("api_key = %q, want %q", cfg.ModelList[0].APIKey, plainKey) + } +} diff --git a/pkg/credential/credential.go b/pkg/credential/credential.go new file mode 100644 index 000000000..83af3fc9f --- /dev/null +++ b/pkg/credential/credential.go @@ -0,0 +1,335 @@ +// Package credential resolves API credential values for model_list entries. +// +// An API key is a form of authorization credential. This package centralizes +// how raw credential strings—plaintext or file references—are resolved into +// their actual values, keeping that logic out of the config loader. +// +// Supported formats for the api_key field: +// +// - Plaintext: "sk-abc123" → returned as-is +// - File ref: "file://filename.key" → content read from configDir/filename.key +// - Encrypted: "enc://" → AES-256-GCM decrypt via PICOCLAW_KEY_PASSPHRASE +// - Empty: "" → returned as-is (auth_method=oauth etc.) +// +// Encryption uses AES-256-GCM with HKDF-SHA256 key derivation (< 1ms, safe for embedded Linux). +// An SSH private key is required for both encryption and decryption. +// Key derivation: +// +// HKDF-SHA256(ikm=HMAC-SHA256(SHA256(sshKeyBytes), passphrase), salt, info) +// +// SSH key path resolution priority: +// +// 1. sshKeyPath argument to Encrypt (explicit) +// 2. PICOCLAW_SSH_KEY_PATH env var +// 3. ~/.ssh/picoclaw_ed25519.key (os.UserHomeDir is cross-platform) +package credential + +import ( + "crypto/aes" + "crypto/cipher" + "crypto/hkdf" + "crypto/hmac" + "crypto/rand" + "crypto/sha256" + "encoding/base64" + "errors" + "fmt" + "io" + "os" + "path/filepath" + "strings" +) + +// PassphraseEnvVar is the environment variable that holds the encryption passphrase. +// Other packages (e.g. config) reference this constant to avoid duplicating the string. +const PassphraseEnvVar = "PICOCLAW_KEY_PASSPHRASE" + +// PassphraseProvider is the function used to retrieve the passphrase for enc:// +// credential decryption. It defaults to reading PICOCLAW_KEY_PASSPHRASE from the +// process environment. Replace it at startup to use a different source, such as +// an in-memory SecureStore, so that all LoadConfig() calls everywhere share the +// same passphrase source without needing os.Environ. +// +// Example (launcher main.go): +// +// credential.PassphraseProvider = apiHandler.passphraseStore.Get +var PassphraseProvider func() string = func() string { + return os.Getenv(PassphraseEnvVar) +} + +// ErrPassphraseRequired is returned when an enc:// credential is encountered but +// no passphrase is available from PassphraseProvider. Callers can detect this +// with errors.Is to distinguish a missing-passphrase condition from other errors. +var ErrPassphraseRequired = errors.New("credential: enc:// passphrase required") + +// ErrDecryptionFailed is returned when an enc:// credential cannot be decrypted, +// indicating a wrong passphrase or SSH key. Callers can detect this with errors.Is. +var ErrDecryptionFailed = errors.New("credential: enc:// decryption failed (wrong passphrase or SSH key?)") + +const ( + fileScheme = "file://" + encScheme = "enc://" + hkdfInfo = "picoclaw-credential-v1" + saltLen = 16 + nonceLen = 12 + keyLen = 32 + sshKeyEnv = "PICOCLAW_SSH_KEY_PATH" +) + +// Resolver resolves raw credential strings for model_list api_key fields. +// File references are resolved relative to the directory of the config file. +type Resolver struct { + configDir string + resolvedConfigDir string // symlink-resolved form of configDir +} + +// NewResolver returns a Resolver that resolves file:// references relative to +// configDir (typically filepath.Dir of the config file path). +func NewResolver(configDir string) *Resolver { + resolved := configDir + if configDir != "" { + if linkedPath, err := filepath.EvalSymlinks(configDir); err == nil { + resolved = linkedPath + } + } + return &Resolver{configDir: configDir, resolvedConfigDir: resolved} +} + +// Resolve returns the actual credential value for raw: +// +// - "" → "" (no error; auth_method=oauth needs no key) +// - "file://name.key" → trimmed content of configDir/name.key +// - anything else → raw unchanged (plaintext credential) +func (r *Resolver) Resolve(raw string) (string, error) { + if raw == "" { + return "", nil + } + + if strings.HasPrefix(raw, fileScheme) { + fileName := strings.TrimSpace(strings.TrimPrefix(raw, fileScheme)) + if fileName == "" { + return "", fmt.Errorf("credential: file:// reference has no filename") + } + + baseDir := r.resolvedConfigDir + if baseDir == "" { + baseDir = r.configDir + } + keyPath := filepath.Join(baseDir, fileName) + // Resolve symlinks before enforcing containment to prevent escaping via symlinks. + realKeyPath, err := filepath.EvalSymlinks(keyPath) + if err != nil { + return "", fmt.Errorf("credential: failed to resolve credential file path %q: %w", keyPath, err) + } + if !isWithinDir(realKeyPath, baseDir) { + return "", fmt.Errorf("credential: file:// path escapes config directory") + } + data, err := os.ReadFile(realKeyPath) + if err != nil { + return "", fmt.Errorf("credential: failed to read credential file %q: %w", realKeyPath, err) + } + + value := strings.TrimSpace(string(data)) + if value == "" { + return "", fmt.Errorf("credential: credential file %q is empty", realKeyPath) + } + + return value, nil + } + + if strings.HasPrefix(raw, encScheme) { + return resolveEncrypted(raw) + } + + // Plaintext credential — return unchanged. + return raw, nil +} + +// resolveEncrypted decrypts an enc:// credential using PassphraseProvider. +func resolveEncrypted(raw string) (string, error) { + passphrase := PassphraseProvider() + if passphrase == "" { + return "", ErrPassphraseRequired + } + + sshKeyPath := pickSSHKeyPath("") // override="": consult env then auto-detect + + b64 := strings.TrimPrefix(raw, encScheme) + blob, err := base64.StdEncoding.DecodeString(b64) + if err != nil { + return "", fmt.Errorf("credential: enc:// invalid base64: %w", err) + } + if len(blob) < saltLen+nonceLen+1 { + return "", fmt.Errorf("credential: enc:// payload too short") + } + + salt := blob[:saltLen] + nonce := blob[saltLen : saltLen+nonceLen] + ciphertext := blob[saltLen+nonceLen:] + + key, err := deriveKey(passphrase, sshKeyPath, salt) + if err != nil { + return "", err + } + block, err := aes.NewCipher(key) + if err != nil { + return "", fmt.Errorf("credential: enc:// cipher init: %w", err) + } + gcm, err := cipher.NewGCM(block) + if err != nil { + return "", fmt.Errorf("credential: enc:// gcm init: %w", err) + } + + plaintext, err := gcm.Open(nil, nonce, ciphertext, nil) + if err != nil { + return "", fmt.Errorf("%w: %w", ErrDecryptionFailed, err) + } + return string(plaintext), nil +} + +// Encrypt encrypts plaintext and returns an enc:// credential string. +// +// passphrase is required (PICOCLAW_KEY_PASSPHRASE value). +// sshKeyPath is the SSH private key file to use; pass "" to auto-detect via +// PICOCLAW_SSH_KEY_PATH env var or ~/.ssh/picoclaw_ed25519.key. +// An SSH private key must be resolvable or Encrypt returns an error. +func Encrypt(passphrase, sshKeyPath, plaintext string) (string, error) { + if passphrase == "" { + return "", fmt.Errorf("credential: passphrase must not be empty") + } + sshKeyPath = pickSSHKeyPath(sshKeyPath) + + salt := make([]byte, saltLen) + if _, err := io.ReadFull(rand.Reader, salt); err != nil { + return "", fmt.Errorf("credential: failed to generate salt: %w", err) + } + + key, err := deriveKey(passphrase, sshKeyPath, salt) + if err != nil { + return "", err + } + block, err := aes.NewCipher(key) + if err != nil { + return "", fmt.Errorf("credential: cipher init: %w", err) + } + gcm, err := cipher.NewGCM(block) + if err != nil { + return "", fmt.Errorf("credential: gcm init: %w", err) + } + + nonce := make([]byte, nonceLen) + if _, err := io.ReadFull(rand.Reader, nonce); err != nil { + return "", fmt.Errorf("credential: failed to generate nonce: %w", err) + } + + ciphertext := gcm.Seal(nil, nonce, []byte(plaintext), nil) + blob := make([]byte, 0, saltLen+nonceLen+len(ciphertext)) + blob = append(blob, salt...) + blob = append(blob, nonce...) + blob = append(blob, ciphertext...) + return encScheme + base64.StdEncoding.EncodeToString(blob), nil +} + +// isWithinDir reports whether path is contained within (or equal to) dir. +// Uses filepath.IsLocal on the relative path for robust cross-platform traversal detection. +func isWithinDir(path, dir string) bool { + rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(path)) + return err == nil && filepath.IsLocal(rel) +} + +// allowedSSHKeyPath reports whether path is in a permitted location for SSH key files: +// - exact match with PICOCLAW_SSH_KEY_PATH env var +// - within the PICOCLAW_HOME env var directory +// - within ~/.ssh/ +func allowedSSHKeyPath(path string) bool { + if path == "" { + return true // passphrase-only mode; no file will be read + } + clean := filepath.Clean(path) + + // Exact match with PICOCLAW_SSH_KEY_PATH. + if envPath, ok := os.LookupEnv(sshKeyEnv); ok && envPath != "" { + if clean == filepath.Clean(envPath) { + return true + } + } + + // Within PICOCLAW_HOME. + if picoHome := os.Getenv("PICOCLAW_HOME"); picoHome != "" { + if isWithinDir(clean, picoHome) { + return true + } + } + + // Within ~/.ssh/. + if userHome, err := os.UserHomeDir(); err == nil { + if isWithinDir(clean, filepath.Join(userHome, ".ssh")) { + return true + } + } + + return false +} + +// deriveKey derives a 32-byte AES-256 key from passphrase and SSH private key. +// +// ikm = HMAC-SHA256(key=SHA256(sshKeyBytes), msg=passphrase) +// Final key: HKDF-SHA256(ikm, salt, info="picoclaw-credential-v1", 32 bytes) +// sshKeyPath must be non-empty; returns an error otherwise. +func deriveKey(passphrase, sshKeyPath string, salt []byte) ([]byte, error) { + if sshKeyPath == "" { + return nil, fmt.Errorf( + "credential: SSH private key is required but not found" + + " (set PICOCLAW_SSH_KEY_PATH or place key at ~/.ssh/picoclaw_ed25519.key)") + } + if !allowedSSHKeyPath(sshKeyPath) { + return nil, fmt.Errorf( + "credential: SSH key path %q is not in an allowed location (PICOCLAW_SSH_KEY_PATH, PICOCLAW_HOME, or ~/.ssh/)", + sshKeyPath, + ) + } + sshBytes, err := os.ReadFile(sshKeyPath) + if err != nil { + return nil, fmt.Errorf("credential: cannot read SSH key %q: %w", sshKeyPath, err) + } + sshHash := sha256.Sum256(sshBytes) + mac := hmac.New(sha256.New, sshHash[:]) + mac.Write([]byte(passphrase)) + ikm := mac.Sum(nil) + + key, err := hkdf.Key(sha256.New, ikm, salt, hkdfInfo, keyLen) + if err != nil { + return nil, fmt.Errorf("credential: HKDF expand failed: %w", err) + } + return key, nil +} + +// pickSSHKeyPath returns the SSH private key path to use for encryption/decryption. +// +// Priority: +// 1. override (non-empty explicit argument) +// 2. PICOCLAW_SSH_KEY_PATH env var +// 3. ~/.ssh/picoclaw_ed25519.key (auto-detection) +// +// Returns "" when no key is found; deriveKey will return an error in that case. +func pickSSHKeyPath(override string) string { + if override != "" { + return override + } + if p, ok := os.LookupEnv(sshKeyEnv); ok { + return p // respect explicit setting, even if "" + } + return findDefaultSSHKey() +} + +// findDefaultSSHKey returns the picoclaw-specific SSH key path if it exists. +func findDefaultSSHKey() string { + p, err := DefaultSSHKeyPath() + if err != nil { + return "" + } + if _, err := os.Stat(p); err == nil { + return p + } + return "" +} diff --git a/pkg/credential/credential_test.go b/pkg/credential/credential_test.go new file mode 100644 index 000000000..138af3134 --- /dev/null +++ b/pkg/credential/credential_test.go @@ -0,0 +1,283 @@ +package credential_test + +import ( + "os" + "path/filepath" + "testing" + + "github.com/sipeed/picoclaw/pkg/credential" +) + +func TestResolve_PlainKey(t *testing.T) { + r := credential.NewResolver(t.TempDir()) + got, err := r.Resolve("sk-plaintext-key") + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got != "sk-plaintext-key" { + t.Fatalf("got %q, want %q", got, "sk-plaintext-key") + } +} + +func TestResolve_FileKey_Success(t *testing.T) { + dir := t.TempDir() + keyFile := "openai_plain.key" + if err := os.WriteFile(filepath.Join(dir, keyFile), []byte("sk-from-file\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + r := credential.NewResolver(dir) + got, err := r.Resolve("file://" + keyFile) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got != "sk-from-file" { + t.Fatalf("got %q, want %q", got, "sk-from-file") + } +} + +func TestResolve_FileKey_NotFound(t *testing.T) { + r := credential.NewResolver(t.TempDir()) + _, err := r.Resolve("file://missing.key") + if err == nil { + t.Fatal("expected error for missing file, got nil") + } +} + +func TestResolve_FileKey_Empty(t *testing.T) { + dir := t.TempDir() + keyFile := "empty.key" + if err := os.WriteFile(filepath.Join(dir, keyFile), []byte(" \n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + r := credential.NewResolver(dir) + _, err := r.Resolve("file://" + keyFile) + if err == nil { + t.Fatal("expected error for empty credential file, got nil") + } +} + +// TestResolve_EncKey_RoundTrip tests basic encryption/decryption round-trip with an SSH key. +func TestResolve_EncKey_RoundTrip(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-key-material\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + const passphrase = "test-passphrase-32bytes-long-ok!" + const plaintext = "sk-encrypted-secret" + + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt(passphrase, "", plaintext) + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", passphrase) + + r := credential.NewResolver(t.TempDir()) + got, err := r.Resolve(enc) + if err != nil { + t.Fatalf("Resolve: %v", err) + } + if got != plaintext { + t.Fatalf("got %q, want %q", got, plaintext) + } +} + +// TestResolve_EncKey_WithSSHKey tests that the SSH key file is incorporated into key derivation. +func TestResolve_EncKey_WithSSHKey(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-private-key-material\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + const passphrase = "test-passphrase" + const plaintext = "sk-ssh-protected-secret" + + // Set PICOCLAW_SSH_KEY_PATH before Encrypt so the path passes allowedSSHKeyPath validation. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", passphrase) + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt(passphrase, sshKeyPath, plaintext) + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + r := credential.NewResolver(t.TempDir()) + got, err := r.Resolve(enc) + if err != nil { + t.Fatalf("Resolve: %v", err) + } + if got != plaintext { + t.Fatalf("got %q, want %q", got, plaintext) + } +} + +func TestResolve_EncKey_NoPassphrase(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt("some-passphrase", "", "sk-secret") + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + + r := credential.NewResolver(t.TempDir()) + _, err = r.Resolve(enc) + if err == nil { + t.Fatal("expected error when PICOCLAW_KEY_PASSPHRASE is unset, got nil") + } +} + +func TestResolve_EncKey_BadCiphertext(t *testing.T) { + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "some-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + r := credential.NewResolver(t.TempDir()) + _, err := r.Resolve("enc://!!not-valid-base64!!") + if err == nil { + t.Fatal("expected error for invalid enc:// payload, got nil") + } +} + +func TestResolve_EncKey_PayloadTooShort(t *testing.T) { + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "some-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + // Valid base64 but fewer bytes than salt(16)+nonce(12)+1 minimum. + import64 := "dG9vc2hvcnQ=" // "tooshort" = 8 bytes + r := credential.NewResolver(t.TempDir()) + _, err := r.Resolve("enc://" + import64) + if err == nil { + t.Fatal("expected error for too-short enc:// payload, got nil") + } +} + +func TestResolve_EncKey_WrongPassphrase(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt("correct-passphrase", "", "sk-secret") + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "wrong-passphrase") + + r := credential.NewResolver(t.TempDir()) + _, err = r.Resolve(enc) + if err == nil { + t.Fatal("expected decryption error for wrong passphrase, got nil") + } +} + +func TestEncrypt_EmptyPassphrase(t *testing.T) { + _, err := credential.Encrypt("", "", "sk-secret") + if err == nil { + t.Fatal("expected error for empty passphrase, got nil") + } +} + +func TestDeriveKey_SSHKeyNotFound(t *testing.T) { + // Encrypt with a real SSH key path, then try to decrypt with a missing path. + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + // Register the real key path so allowedSSHKeyPath validation passes for Encrypt. + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt("passphrase", sshKeyPath, "sk-secret") + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + // Point to a non-existent SSH key so deriveKey's ReadFile fails. + // The path is still under the same dir, so allowedSSHKeyPath passes (exact env match). + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", filepath.Join(dir, "nonexistent_key")) + + r := credential.NewResolver(t.TempDir()) + _, err = r.Resolve(enc) + if err == nil { + t.Fatal("expected error when SSH key file is missing, got nil") + } +} + +// TestResolve_FileRef_PathTraversal verifies that file:// references cannot escape configDir +// via relative traversal ("../../etc/passwd") or absolute paths ("/abs/path"). +func TestResolve_FileRef_PathTraversal(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + // Create a file outside configDir that the traversal would point to. + outsideFile := filepath.Join(t.TempDir(), "secret.key") + if err := os.WriteFile(outsideFile, []byte("stolen"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + r := credential.NewResolver(filepath.Dir(cfgPath)) + + cases := []string{ + "file://../../secret.key", + "file://../secret.key", + "file://" + outsideFile, // absolute path + } + for _, raw := range cases { + _, err := r.Resolve(raw) + if err == nil { + t.Errorf("Resolve(%q): expected path traversal error, got nil", raw) + } + } +} + +// TestResolve_FileRef_withinConfigDir verifies that a legitimate relative file:// ref works. +func TestResolve_FileRef_withinConfigDir(t *testing.T) { + dir := t.TempDir() + if err := os.WriteFile(filepath.Join(dir, "my.key"), []byte("sk-valid\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + r := credential.NewResolver(dir) + got, err := r.Resolve("file://my.key") + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got != "sk-valid" { + t.Fatalf("got %q, want %q", got, "sk-valid") + } +} + +// TestEncrypt_SSHKeyOutsideAllowedDirs verifies that Encrypt rejects SSH key paths +// that are not under PICOCLAW_SSH_KEY_PATH, PICOCLAW_HOME, or ~/.ssh/. +func TestEncrypt_SSHKeyOutsideAllowedDirs(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + // Make sure none of the allowed env vars point here. + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + t.Setenv("PICOCLAW_HOME", "") + + _, err := credential.Encrypt("passphrase", sshKeyPath, "sk-secret") + if err == nil { + t.Fatal("expected error for SSH key outside allowed directories, got nil") + } +} diff --git a/pkg/credential/keygen.go b/pkg/credential/keygen.go new file mode 100644 index 000000000..c57564a76 --- /dev/null +++ b/pkg/credential/keygen.go @@ -0,0 +1,62 @@ +package credential + +import ( + "crypto/ed25519" + "crypto/rand" + "encoding/pem" + "fmt" + "os" + "path/filepath" + + "golang.org/x/crypto/ssh" +) + +// DefaultSSHKeyPath returns the canonical path for the picoclaw-specific SSH key. +// The path is always ~/.ssh/picoclaw_ed25519.key (os.UserHomeDir is cross-platform). +func DefaultSSHKeyPath() (string, error) { + home, err := os.UserHomeDir() + if err != nil { + return "", fmt.Errorf("credential: cannot determine home directory: %w", err) + } + return filepath.Join(home, ".ssh", "picoclaw_ed25519.key"), nil +} + +// GenerateSSHKey generates an Ed25519 SSH key pair and writes the private key +// to path (permissions 0600) and the public key to path+".pub" (permissions 0644). +// The ~/.ssh/ directory is created with 0700 if it does not exist. +// If the files already exist they are overwritten. +func GenerateSSHKey(path string) error { + if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil { + return fmt.Errorf("credential: keygen: cannot create directory %q: %w", filepath.Dir(path), err) + } + + pubRaw, privRaw, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + return fmt.Errorf("credential: keygen: ed25519 key generation failed: %w", err) + } + + // Marshal private key as OpenSSH PEM. + block, err := ssh.MarshalPrivateKey(privRaw, "") + if err != nil { + return fmt.Errorf("credential: keygen: marshal private key: %w", err) + } + privPEM := pem.EncodeToMemory(block) + + if err = os.WriteFile(path, privPEM, 0o600); err != nil { + return fmt.Errorf("credential: keygen: write private key %q: %w", path, err) + } + + // Marshal public key as authorized_keys line. + sshPub, err := ssh.NewPublicKey(pubRaw) + if err != nil { + return fmt.Errorf("credential: keygen: marshal public key: %w", err) + } + pubLine := ssh.MarshalAuthorizedKey(sshPub) + + pubPath := path + ".pub" + if err := os.WriteFile(pubPath, pubLine, 0o644); err != nil { + return fmt.Errorf("credential: keygen: write public key %q: %w", pubPath, err) + } + + return nil +} diff --git a/pkg/credential/keygen_test.go b/pkg/credential/keygen_test.go new file mode 100644 index 000000000..1e21ea0b9 --- /dev/null +++ b/pkg/credential/keygen_test.go @@ -0,0 +1,115 @@ +package credential + +import ( + "crypto/ed25519" + "os" + "path/filepath" + "runtime" + "testing" + + "golang.org/x/crypto/ssh" +) + +func TestGenerateSSHKey_CreatesFiles(t *testing.T) { + dir := t.TempDir() + keyPath := filepath.Join(dir, "test_ed25519.key") + + if err := GenerateSSHKey(keyPath); err != nil { + t.Fatalf("GenerateSSHKey() error = %v", err) + } + + // Private key must exist. + privInfo, err := os.Stat(keyPath) + if err != nil { + t.Fatalf("private key file missing: %v", err) + } + + // Check permissions on non-Windows (Windows does not support Unix permission bits). + if runtime.GOOS != "windows" { + if got := privInfo.Mode().Perm(); got != 0o600 { + t.Errorf("private key permissions = %04o, want 0600", got) + } + } + + // Public key must exist. + pubPath := keyPath + ".pub" + pubInfo, err := os.Stat(pubPath) + if err != nil { + t.Fatalf("public key file missing: %v", err) + } + if runtime.GOOS != "windows" { + if got := pubInfo.Mode().Perm(); got != 0o644 { + t.Errorf("public key permissions = %04o, want 0644", got) + } + } + + // Private key must be parseable as an OpenSSH ed25519 key. + privPEM, err := os.ReadFile(keyPath) + if err != nil { + t.Fatalf("read private key: %v", err) + } + privKey, err := ssh.ParseRawPrivateKey(privPEM) + if err != nil { + t.Fatalf("parse private key: %v", err) + } + if _, ok := privKey.(*ed25519.PrivateKey); !ok { + t.Errorf("private key type = %T, want *ed25519.PrivateKey", privKey) + } + + // Public key must be parseable as authorized_keys line. + pubBytes, err := os.ReadFile(pubPath) + if err != nil { + t.Fatalf("read public key: %v", err) + } + pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(pubBytes) + if err != nil { + t.Fatalf("parse public key: %v", err) + } + if pubKey == nil { + t.Fatal("expected non-nil public key") + } + if len(rest) > 0 { + t.Errorf("unexpected trailing bytes after public key: %d bytes", len(rest)) + } +} + +func TestGenerateSSHKey_OverwritesExisting(t *testing.T) { + dir := t.TempDir() + keyPath := filepath.Join(dir, "test_ed25519.key") + + // Generate twice; second call must not error and must produce a different key. + if err := GenerateSSHKey(keyPath); err != nil { + t.Fatalf("first GenerateSSHKey() error = %v", err) + } + first, err := os.ReadFile(keyPath) + if err != nil { + t.Fatalf("read first key: %v", err) + } + + if err = GenerateSSHKey(keyPath); err != nil { + t.Fatalf("second GenerateSSHKey() error = %v", err) + } + second, err := os.ReadFile(keyPath) + if err != nil { + t.Fatalf("read second key: %v", err) + } + + // Two independently generated Ed25519 keys must differ. + if string(first) == string(second) { + t.Error("expected overwritten key to differ from original") + } +} + +func TestGenerateSSHKey_CreatesDirectory(t *testing.T) { + dir := t.TempDir() + // Nested directory that does not yet exist. + keyPath := filepath.Join(dir, "subdir", ".ssh", "picoclaw_ed25519.key") + + if err := GenerateSSHKey(keyPath); err != nil { + t.Fatalf("GenerateSSHKey() error = %v", err) + } + + if _, err := os.Stat(keyPath); err != nil { + t.Fatalf("private key not created: %v", err) + } +} diff --git a/pkg/credential/store.go b/pkg/credential/store.go new file mode 100644 index 000000000..9c72974b0 --- /dev/null +++ b/pkg/credential/store.go @@ -0,0 +1,44 @@ +package credential + +import "sync/atomic" + +// SecureStore holds a passphrase in memory. +// +// Uses atomic.Pointer so reads and writes are lock-free. +// The passphrase is never written to disk; callers decide how to +// transport it outside this store (e.g., via cmd.Env or os.Environ). +type SecureStore struct { + val atomic.Pointer[string] +} + +// NewSecureStore creates an empty SecureStore. +func NewSecureStore() *SecureStore { + return &SecureStore{} +} + +// SetString stores the passphrase. An empty string clears the store. +func (s *SecureStore) SetString(passphrase string) { + if passphrase == "" { + s.val.Store(nil) + return + } + s.val.Store(&passphrase) +} + +// Get returns the stored passphrase, or "" if not set. +func (s *SecureStore) Get() string { + if p := s.val.Load(); p != nil { + return *p + } + return "" +} + +// IsSet reports whether a passphrase is currently stored. +func (s *SecureStore) IsSet() bool { + return s.val.Load() != nil +} + +// Clear removes the stored passphrase. +func (s *SecureStore) Clear() { + s.val.Store(nil) +} diff --git a/pkg/credential/store_test.go b/pkg/credential/store_test.go new file mode 100644 index 000000000..63299743a --- /dev/null +++ b/pkg/credential/store_test.go @@ -0,0 +1,81 @@ +package credential + +import ( + "sync" + "testing" +) + +func TestSecureStore_SetGet(t *testing.T) { + s := NewSecureStore() + if s.IsSet() { + t.Error("expected empty store") + } + + s.SetString("hunter2") + if !s.IsSet() { + t.Error("expected store to be set") + } + if got := s.Get(); got != "hunter2" { + t.Errorf("Get() = %q, want %q", got, "hunter2") + } +} + +func TestSecureStore_Clear(t *testing.T) { + s := NewSecureStore() + s.SetString("secret") + s.Clear() + + if s.IsSet() { + t.Error("expected store to be empty after Clear()") + } + if got := s.Get(); got != "" { + t.Errorf("Get() after Clear() = %q, want empty", got) + } +} + +func TestSecureStore_SetOverwrites(t *testing.T) { + s := NewSecureStore() + s.SetString("first") + s.SetString("second") + + if got := s.Get(); got != "second" { + t.Errorf("Get() = %q, want %q", got, "second") + } +} + +func TestSecureStore_EmptyPassphrase(t *testing.T) { + s := NewSecureStore() + s.SetString("") // empty → should not mark as set + + if s.IsSet() { + t.Error("empty passphrase should not mark store as set") + } +} + +func TestSecureStore_ConcurrentSetGet(t *testing.T) { + s := NewSecureStore() + const goroutines = 10 + const iterations = 1000 + + var wg sync.WaitGroup + wg.Add(goroutines) + for i := 0; i < goroutines; i++ { + go func(id int) { + defer wg.Done() + for j := 0; j < iterations; j++ { + if id%2 == 0 { + s.SetString("even") + } else { + s.SetString("odd") + } + _ = s.Get() + } + }(i) + } + wg.Wait() + + final := s.Get() + if final != "" && final != "even" && final != "odd" { + t.Errorf("Get() returned unexpected value %q after concurrent Set/Get", final) + } +} From 4d4243b919accb4969f2cfe71011e4a9989b80d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:08:29 +0800 Subject: [PATCH 19/44] chore(deps): bump docker/setup-buildx-action from 3 to 4 (#1595) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-build.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index dadbed212..c03c6346f 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -31,7 +31,7 @@ jobs: # ── Docker Buildx ───────────────────────── - name: 🔧 Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 # ── Login to GHCR ───────────────────────── - name: 🔑 Login to GitHub Container Registry diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 0103fcff1..375e2e211 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -59,7 +59,7 @@ jobs: uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry uses: docker/login-action@v3 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4a584773d..56d2f2b23 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -77,7 +77,7 @@ jobs: uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry uses: docker/login-action@v3 From 44ac304e5b122bac7fbc9c9b6699ff335f0da0e2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:09:01 +0800 Subject: [PATCH 20/44] chore(deps): bump actions/setup-node from 4 to 6 (#1597) Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 375e2e211..b29881d6c 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -48,7 +48,7 @@ jobs: go-version-file: go.mod - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 22 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 56d2f2b23..84aade578 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -66,7 +66,7 @@ jobs: go-version-file: go.mod - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 22 From f247c3bc00cb8bba874712535ce07de8c6b1b613 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:09:36 +0800 Subject: [PATCH 21/44] chore(deps): bump actions/setup-go from 5 to 6 (#1600) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 1e9a7919a..902d4d4eb 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -34,7 +34,7 @@ jobs: persist-credentials: false - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version-file: go.mod From b7b8d1eeca7a750f3c42820727135dca8f080ced Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:10:19 +0800 Subject: [PATCH 22/44] chore(deps): bump docker/build-push-action from 6 to 7 (#1602) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index c03c6346f..8b4c033c2 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -62,7 +62,7 @@ jobs: # ── Build & Push ────────────────────────── - name: 🚀 Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . push: true From 0c94e6f7b3d2a19d4e0f85bb1b5647dda14355e0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:11:22 +0800 Subject: [PATCH 23/44] chore(deps): bump docker/login-action from 3 to 4 (#1604) Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-build.yml | 4 ++-- .github/workflows/nightly.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 8b4c033c2..784c404a6 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -35,7 +35,7 @@ jobs: # ── Login to GHCR ───────────────────────── - name: 🔑 Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} @@ -43,7 +43,7 @@ jobs: # ── Login to Docker Hub ──────────────────── - name: 🔑 Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.DOCKERHUB_REGISTRY }} username: ${{ secrets.DOCKERHUB_USERNAME }} diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index b29881d6c..e001dc3e9 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -62,14 +62,14 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 84aade578..19c8e5404 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -80,14 +80,14 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} From c513ad22d73a579bb3fb30efc5b012b07c71a32c Mon Sep 17 00:00:00 2001 From: wenjie Date: Mon, 16 Mar 2026 16:25:16 +0800 Subject: [PATCH 24/44] fix(web): refactor pico chat flow and fix proxied websocket URLs (#1639) - move chat controller, state, protocol, history, and websocket logic into a dedicated chat feature module - improve chat reconnection, session hydration, and send gating based on actual websocket state - preserve gateway status during transient SSE disconnects and update stop state immediately - generate wss websocket URLs behind HTTPS proxies and add backend tests for forwarded proto handling --- web/backend/api/gateway_host.go | 20 +- web/backend/api/gateway_host_test.go | 53 +++ .../src/components/chat/chat-composer.tsx | 4 +- .../src/components/chat/chat-empty-state.tsx | 2 +- .../src/components/chat/chat-page.tsx | 23 +- .../chat/controller.ts} | 337 ++++++++++-------- web/frontend/src/features/chat/history.ts | 68 ++++ web/frontend/src/features/chat/protocol.ts | 81 +++++ .../chat/state.ts} | 0 web/frontend/src/features/chat/websocket.ts | 57 +++ web/frontend/src/hooks/use-gateway.ts | 12 +- web/frontend/src/hooks/use-pico-chat.ts | 4 +- web/frontend/src/hooks/use-websocket.ts | 47 --- web/frontend/src/routes/__root.tsx | 2 +- web/frontend/src/store/chat.ts | 2 +- web/frontend/src/store/gateway.ts | 12 +- 16 files changed, 509 insertions(+), 215 deletions(-) rename web/frontend/src/{lib/pico-chat-controller.ts => features/chat/controller.ts} (53%) create mode 100644 web/frontend/src/features/chat/history.ts create mode 100644 web/frontend/src/features/chat/protocol.ts rename web/frontend/src/{lib/pico-chat-state.ts => features/chat/state.ts} (100%) create mode 100644 web/frontend/src/features/chat/websocket.ts delete mode 100644 web/frontend/src/hooks/use-websocket.ts diff --git a/web/backend/api/gateway_host.go b/web/backend/api/gateway_host.go index a499c1ea2..5ef3ba2c5 100644 --- a/web/backend/api/gateway_host.go +++ b/web/backend/api/gateway_host.go @@ -57,10 +57,28 @@ func requestHostName(r *http.Request) string { return "127.0.0.1" } +func requestWSScheme(r *http.Request) string { + if forwarded := strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")); forwarded != "" { + proto := strings.ToLower(strings.TrimSpace(strings.Split(forwarded, ",")[0])) + if proto == "https" || proto == "wss" { + return "wss" + } + if proto == "http" || proto == "ws" { + return "ws" + } + } + + if r.TLS != nil { + return "wss" + } + + return "ws" +} + func (h *Handler) buildWsURL(r *http.Request, cfg *config.Config) string { host := h.effectiveGatewayBindHost(cfg) if host == "" || host == "0.0.0.0" { host = requestHostName(r) } - return "ws://" + net.JoinHostPort(host, strconv.Itoa(cfg.Gateway.Port)) + "/pico/ws" + return requestWSScheme(r) + "://" + net.JoinHostPort(host, strconv.Itoa(cfg.Gateway.Port)) + "/pico/ws" } diff --git a/web/backend/api/gateway_host_test.go b/web/backend/api/gateway_host_test.go index afd600359..43e84ff0e 100644 --- a/web/backend/api/gateway_host_test.go +++ b/web/backend/api/gateway_host_test.go @@ -1,6 +1,7 @@ package api import ( + "crypto/tls" "net/http/httptest" "path/filepath" "testing" @@ -57,3 +58,55 @@ func TestGatewayProbeHostUsesLoopbackForWildcardBind(t *testing.T) { t.Fatalf("gatewayProbeHost() = %q, want %q", got, "127.0.0.1") } } + +func TestBuildWsURLUsesWSSWhenForwardedProtoIsHTTPS(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "0.0.0.0" + cfg.Gateway.Port = 18790 + + req := httptest.NewRequest("GET", "http://launcher.local/api/pico/token", nil) + req.Host = "chat.example.com" + req.Header.Set("X-Forwarded-Proto", "https") + + if got := h.buildWsURL(req, cfg); got != "wss://chat.example.com:18790/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://chat.example.com:18790/pico/ws") + } +} + +func TestBuildWsURLUsesWSSWhenRequestIsTLS(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "0.0.0.0" + cfg.Gateway.Port = 18790 + + req := httptest.NewRequest("GET", "https://launcher.local/api/pico/token", nil) + req.Host = "secure.example.com" + req.TLS = &tls.ConnectionState{} + + if got := h.buildWsURL(req, cfg); got != "wss://secure.example.com:18790/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://secure.example.com:18790/pico/ws") + } +} + +func TestBuildWsURLPrefersForwardedHTTPOverTLS(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "0.0.0.0" + cfg.Gateway.Port = 18790 + + req := httptest.NewRequest("GET", "https://launcher.local/api/pico/token", nil) + req.Host = "chat.example.com" + req.TLS = &tls.ConnectionState{} + req.Header.Set("X-Forwarded-Proto", "http") + + if got := h.buildWsURL(req, cfg); got != "ws://chat.example.com:18790/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "ws://chat.example.com:18790/pico/ws") + } +} diff --git a/web/frontend/src/components/chat/chat-composer.tsx b/web/frontend/src/components/chat/chat-composer.tsx index e8bae89b8..7d696b898 100644 --- a/web/frontend/src/components/chat/chat-composer.tsx +++ b/web/frontend/src/components/chat/chat-composer.tsx @@ -42,7 +42,7 @@ export function ChatComposer({ placeholder={t("chat.placeholder")} disabled={!canInput} className={cn( - "max-h-[200px] min-h-[60px] resize-none border-0 bg-transparent px-2 py-1 text-[15px] shadow-none transition-colors focus-visible:ring-0 focus-visible:outline-none dark:bg-transparent", + "placeholder:text-muted-foreground max-h-[200px] min-h-[60px] resize-none border-0 bg-transparent px-2 py-1 text-[15px] shadow-none transition-colors focus-visible:ring-0 focus-visible:outline-none dark:bg-transparent", !canInput && "cursor-not-allowed", )} minRows={1} @@ -56,7 +56,7 @@ export function ChatComposer({ size="icon" className="size-8 rounded-full bg-violet-500 text-white transition-transform hover:bg-violet-600 active:scale-95" onClick={onSend} - disabled={!input.trim() || !isConnected} + disabled={!input.trim() || !canInput} > diff --git a/web/frontend/src/components/chat/chat-empty-state.tsx b/web/frontend/src/components/chat/chat-empty-state.tsx index 624ff9c59..0574c44d1 100644 --- a/web/frontend/src/components/chat/chat-empty-state.tsx +++ b/web/frontend/src/components/chat/chat-empty-state.tsx @@ -34,7 +34,7 @@ export function ChatEmptyState({

{t("chat.empty.noConfiguredModelDescription")}

- diff --git a/web/frontend/src/components/chat/chat-page.tsx b/web/frontend/src/components/chat/chat-page.tsx index 1906a0367..ebcde8981 100644 --- a/web/frontend/src/components/chat/chat-page.tsx +++ b/web/frontend/src/components/chat/chat-page.tsx @@ -15,7 +15,6 @@ import { useChatModels } from "@/hooks/use-chat-models" import { useGateway } from "@/hooks/use-gateway" import { usePicoChat } from "@/hooks/use-pico-chat" import { useSessionHistory } from "@/hooks/use-session-history" -import { hydrateActiveSession } from "@/lib/pico-chat-controller" export function ChatPage() { const { t } = useTranslation() @@ -26,6 +25,7 @@ export function ChatPage() { const { messages, + connectionState, isTyping, activeSessionId, sendMessage, @@ -34,7 +34,8 @@ export function ChatPage() { } = usePicoChat() const { state: gwState } = useGateway() - const isConnected = gwState === "running" + const isGatewayRunning = gwState === "running" + const isChatConnected = connectionState === "connected" const { defaultModelName, @@ -43,7 +44,8 @@ export function ChatPage() { oauthModels, localModels, handleSetDefault, - } = useChatModels({ isConnected }) + } = useChatModels({ isConnected: isGatewayRunning }) + const canSend = isChatConnected && Boolean(defaultModelName) const { sessions, @@ -68,10 +70,6 @@ export function ChatPage() { syncScrollState(e.currentTarget) } - useEffect(() => { - void hydrateActiveSession() - }, []) - useEffect(() => { if (scrollRef.current) { if (isAtBottom) { @@ -82,9 +80,10 @@ export function ChatPage() { }, [messages, isTyping, isAtBottom]) const handleSend = () => { - if (!input.trim() || !isConnected) return - sendMessage(input.trim()) - setInput("") + if (!input.trim() || !canSend) return + if (sendMessage(input.trim())) { + setInput("") + } } return ( @@ -143,7 +142,7 @@ export function ChatPage() { )} @@ -168,7 +167,7 @@ export function ChatPage() { input={input} onInputChange={setInput} onSend={handleSend} - isConnected={isConnected} + isConnected={isChatConnected} hasDefaultModel={Boolean(defaultModelName)} /> diff --git a/web/frontend/src/lib/pico-chat-controller.ts b/web/frontend/src/features/chat/controller.ts similarity index 53% rename from web/frontend/src/lib/pico-chat-controller.ts rename to web/frontend/src/features/chat/controller.ts index 0e77d1ad0..5e6eb2229 100644 --- a/web/frontend/src/lib/pico-chat-controller.ts +++ b/web/frontend/src/features/chat/controller.ts @@ -2,24 +2,24 @@ import { getDefaultStore } from "jotai" import { toast } from "sonner" import { getPicoToken } from "@/api/pico" -import { getSessionHistory } from "@/api/sessions" -import i18n from "@/i18n" +import { + loadSessionMessages, + mergeHistoryMessages, +} from "@/features/chat/history" +import { type PicoMessage, handlePicoMessage } from "@/features/chat/protocol" import { clearStoredSessionId, generateSessionId, - normalizeUnixTimestamp, readStoredSessionId, -} from "@/lib/pico-chat-state" -import { type ChatMessage, getChatState, updateChatStore } from "@/store/chat" -import { gatewayAtom } from "@/store/gateway" - -interface PicoMessage { - type: string - id?: string - session_id?: string - timestamp?: number | string - payload?: Record -} +} from "@/features/chat/state" +import { + invalidateSocket, + isCurrentSocket, + normalizeWsUrlForBrowser, +} from "@/features/chat/websocket" +import i18n from "@/i18n" +import { getChatState, updateChatStore } from "@/store/chat" +import { type GatewayState, gatewayAtom } from "@/store/gateway" const store = getDefaultStore() @@ -31,81 +31,51 @@ let initialized = false let unsubscribeGateway: (() => void) | null = null let hydratePromise: Promise | null = null let connectionGeneration = 0 +let reconnectTimer: number | null = null +let reconnectAttempts = 0 +let shouldMaintainConnection = false -async function loadSessionMessages(sessionId: string): Promise { - const detail = await getSessionHistory(sessionId) - const fallbackTime = detail.updated - - return detail.messages.map((message, index) => ({ - id: `hist-${index}-${Date.now()}`, - role: message.role, - content: message.content, - timestamp: fallbackTime, - })) +function clearReconnectTimer() { + if (reconnectTimer !== null) { + window.clearTimeout(reconnectTimer) + reconnectTimer = null + } } -function handlePicoMessage(message: PicoMessage) { - const payload = message.payload || {} +function shouldReconnectFor(generation: number, sessionId: string): boolean { + return ( + shouldMaintainConnection && + generation === connectionGeneration && + sessionId === activeSessionIdRef && + store.get(gatewayAtom).status === "running" + ) +} - switch (message.type) { - case "message.create": { - const content = (payload.content as string) || "" - const messageId = (payload.message_id as string) || `pico-${Date.now()}` - const timestamp = - message.timestamp !== undefined && - Number.isFinite(Number(message.timestamp)) - ? normalizeUnixTimestamp(Number(message.timestamp)) - : Date.now() - - updateChatStore((prev) => ({ - messages: [ - ...prev.messages, - { - id: messageId, - role: "assistant", - content, - timestamp, - }, - ], - isTyping: false, - })) - break - } - - case "message.update": { - const content = (payload.content as string) || "" - const messageId = payload.message_id as string - if (!messageId) { - break - } - - updateChatStore((prev) => ({ - messages: prev.messages.map((msg) => - msg.id === messageId ? { ...msg, content } : msg, - ), - })) - break - } - - case "typing.start": - updateChatStore({ isTyping: true }) - break - - case "typing.stop": - updateChatStore({ isTyping: false }) - break - - case "error": - console.error("Pico error:", payload) - updateChatStore({ isTyping: false }) - break - - case "pong": - break - - default: - console.log("Unknown pico message type:", message.type) +function scheduleReconnect(generation: number, sessionId: string) { + if (!shouldReconnectFor(generation, sessionId) || reconnectTimer !== null) { + return } + + const delay = Math.min(1000 * 2 ** reconnectAttempts, 5000) + reconnectAttempts += 1 + reconnectTimer = window.setTimeout(() => { + reconnectTimer = null + if (!shouldReconnectFor(generation, sessionId)) { + return + } + void connectChat() + }, delay) +} + +function needsActiveSessionHydration(): boolean { + const state = getChatState() + const storedSessionId = readStoredSessionId() + + return Boolean( + storedSessionId && + storedSessionId === state.activeSessionId && + !state.hasHydratedActiveSession, + ) } function setActiveSessionId(sessionId: string) { @@ -113,8 +83,35 @@ function setActiveSessionId(sessionId: string) { updateChatStore({ activeSessionId: sessionId }) } +function disconnectChatInternal({ + clearDesiredConnection, +}: { + clearDesiredConnection: boolean +}) { + connectionGeneration += 1 + clearReconnectTimer() + + if (clearDesiredConnection) { + shouldMaintainConnection = false + } + + const socket = wsRef + wsRef = null + isConnecting = false + + invalidateSocket(socket) + + updateChatStore({ + connectionState: "disconnected", + isTyping: false, + }) +} + export async function connectChat() { - if (store.get(gatewayAtom).status !== "running") { + if ( + store.get(gatewayAtom).status !== "running" || + needsActiveSessionHydration() + ) { return } @@ -130,12 +127,15 @@ export async function connectChat() { const generation = connectionGeneration + 1 connectionGeneration = generation isConnecting = true + clearReconnectTimer() updateChatStore({ connectionState: "connecting" }) try { const { token, ws_url } = await getPicoToken() + const sessionId = activeSessionIdRef if (generation !== connectionGeneration) { + isConnecting = false return } @@ -143,56 +143,71 @@ export async function connectChat() { console.error("No pico token available") updateChatStore({ connectionState: "error" }) isConnecting = false + scheduleReconnect(generation, sessionId) return } - let finalWsUrl = ws_url - try { - const parsedUrl = new URL(ws_url) - const isLocalHost = - parsedUrl.hostname === "localhost" || - parsedUrl.hostname === "127.0.0.1" || - parsedUrl.hostname === "0.0.0.0" - const isBrowserLocal = - window.location.hostname === "localhost" || - window.location.hostname === "127.0.0.1" - - if (isLocalHost && !isBrowserLocal) { - parsedUrl.hostname = window.location.hostname - finalWsUrl = parsedUrl.toString() - } - } catch (error) { - console.warn("Could not parse ws_url:", error) - } - - const url = `${finalWsUrl}?session_id=${encodeURIComponent(activeSessionIdRef)}` - // Send token as a subprotocol so it doesn't end up in the URL. + const finalWsUrl = normalizeWsUrlForBrowser(ws_url) + const url = `${finalWsUrl}?session_id=${encodeURIComponent(sessionId)}` const socket = new WebSocket(url, [`token.${token}`]) if (generation !== connectionGeneration) { - socket.close() + isConnecting = false + invalidateSocket(socket) return } socket.onopen = () => { - if (wsRef !== socket) { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { return } updateChatStore({ connectionState: "connected" }) isConnecting = false + reconnectAttempts = 0 } socket.onmessage = (event) => { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { + return + } + try { - const message: PicoMessage = JSON.parse(event.data) - handlePicoMessage(message) + const message = JSON.parse(event.data) as PicoMessage + handlePicoMessage(message, sessionId) } catch { console.warn("Non-JSON message from pico:", event.data) } } socket.onclose = () => { - if (wsRef !== socket) { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { return } wsRef = null @@ -201,42 +216,42 @@ export async function connectChat() { connectionState: "disconnected", isTyping: false, }) + scheduleReconnect(generation, sessionId) } socket.onerror = () => { - if (wsRef !== socket) { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { return } isConnecting = false updateChatStore({ connectionState: "error" }) + scheduleReconnect(generation, sessionId) } wsRef = socket } catch (error) { if (generation !== connectionGeneration) { + isConnecting = false return } console.error("Failed to connect to pico:", error) updateChatStore({ connectionState: "error" }) isConnecting = false + scheduleReconnect(generation, activeSessionIdRef) } } export function disconnectChat() { - connectionGeneration += 1 - - const socket = wsRef - wsRef = null - isConnecting = false - - if (socket) { - socket.close() - } - - updateChatStore({ - connectionState: "disconnected", - isTyping: false, - }) + disconnectChatInternal({ clearDesiredConnection: true }) } export async function hydrateActiveSession() { @@ -250,7 +265,6 @@ export async function hydrateActiveSession() { if ( !storedSessionId || state.hasHydratedActiveSession || - state.messages.length > 0 || storedSessionId !== state.activeSessionId ) { if (!state.hasHydratedActiveSession) { @@ -267,7 +281,13 @@ export async function hydrateActiveSession() { } if (currentState.messages.length > 0) { - updateChatStore({ hasHydratedActiveSession: true }) + updateChatStore({ + messages: mergeHistoryMessages( + historyMessages, + currentState.messages, + ), + hasHydratedActiveSession: true, + }) return } @@ -307,9 +327,10 @@ export async function hydrateActiveSession() { export function sendChatMessage(content: string) { if (!wsRef || wsRef.readyState !== WebSocket.OPEN) { console.warn("WebSocket not connected") - return + return false } + const socket = wsRef const id = `msg-${++msgIdCounter}-${Date.now()}` updateChatStore((prev) => ({ @@ -320,13 +341,23 @@ export function sendChatMessage(content: string) { isTyping: true, })) - wsRef.send( - JSON.stringify({ - type: "message.send", - id, - payload: { content }, - }), - ) + try { + socket.send( + JSON.stringify({ + type: "message.send", + id, + payload: { content }, + }), + ) + return true + } catch (error) { + console.error("Failed to send pico message:", error) + updateChatStore((prev) => ({ + messages: prev.messages.filter((message) => message.id !== id), + isTyping: false, + })) + return false + } } export async function switchChatSession(sessionId: string) { @@ -337,7 +368,7 @@ export async function switchChatSession(sessionId: string) { try { const historyMessages = await loadSessionMessages(sessionId) - disconnectChat() + disconnectChatInternal({ clearDesiredConnection: false }) setActiveSessionId(sessionId) updateChatStore({ messages: historyMessages, @@ -346,6 +377,7 @@ export async function switchChatSession(sessionId: string) { }) if (store.get(gatewayAtom).status === "running") { + shouldMaintainConnection = true await connectChat() } } catch (error) { @@ -359,7 +391,7 @@ export async function newChatSession() { return } - disconnectChat() + disconnectChatInternal({ clearDesiredConnection: false }) setActiveSessionId(generateSessionId()) updateChatStore({ messages: [], @@ -368,6 +400,7 @@ export async function newChatSession() { }) if (store.get(gatewayAtom).status === "running") { + shouldMaintainConnection = true await connectChat() } } @@ -379,23 +412,43 @@ export function initializeChatStore() { initialized = true activeSessionIdRef = getChatState().activeSessionId + let lastGatewayStatus: GatewayState | null = null - const syncConnectionWithGateway = () => { - if (store.get(gatewayAtom).status === "running") { + const syncConnectionWithGateway = (force: boolean = false) => { + const gatewayStatus = store.get(gatewayAtom).status + if (!force && gatewayStatus === lastGatewayStatus) { + return + } + lastGatewayStatus = gatewayStatus + + if (gatewayStatus === "running") { + shouldMaintainConnection = true + if (needsActiveSessionHydration()) { + return + } void connectChat() return } - disconnectChat() + if (gatewayStatus === "stopped" || gatewayStatus === "error") { + disconnectChatInternal({ clearDesiredConnection: true }) + } } unsubscribeGateway = store.sub(gatewayAtom, syncConnectionWithGateway) if (!readStoredSessionId()) { updateChatStore({ hasHydratedActiveSession: true }) + syncConnectionWithGateway(true) + return } - syncConnectionWithGateway() + void hydrateActiveSession().finally(() => { + if (!initialized) { + return + } + syncConnectionWithGateway(true) + }) } export function teardownChatStore() { diff --git a/web/frontend/src/features/chat/history.ts b/web/frontend/src/features/chat/history.ts new file mode 100644 index 000000000..886148184 --- /dev/null +++ b/web/frontend/src/features/chat/history.ts @@ -0,0 +1,68 @@ +import { getSessionHistory } from "@/api/sessions" +import { normalizeUnixTimestamp } from "@/features/chat/state" +import type { ChatMessage } from "@/store/chat" + +export async function loadSessionMessages( + sessionId: string, +): Promise { + const detail = await getSessionHistory(sessionId) + const fallbackTime = detail.updated + + return detail.messages.map((message, index) => ({ + id: `hist-${index}-${Date.now()}`, + role: message.role, + content: message.content, + timestamp: fallbackTime, + })) +} + +function normalizeMessageTimestamp(timestamp: number | string): string { + if (typeof timestamp === "number") { + return String(normalizeUnixTimestamp(timestamp)) + } + + const trimmed = timestamp.trim() + if (/^-?\d+(\.\d+)?$/.test(trimmed)) { + return String(normalizeUnixTimestamp(Number(trimmed))) + } + + const parsed = Date.parse(trimmed) + return Number.isNaN(parsed) ? trimmed : String(parsed) +} + +function messageSignature(message: ChatMessage): string { + return `${message.role}\u0000${message.content}\u0000${normalizeMessageTimestamp( + message.timestamp, + )}` +} + +function comparableTimestamp(timestamp: number | string): number { + const normalized = normalizeMessageTimestamp(timestamp) + const numeric = Number(normalized) + return Number.isFinite(numeric) ? numeric : 0 +} + +export function mergeHistoryMessages( + historyMessages: ChatMessage[], + currentMessages: ChatMessage[], +): ChatMessage[] { + const currentIds = new Set(currentMessages.map((message) => message.id)) + const currentSignatures = new Set( + currentMessages.map((message) => messageSignature(message)), + ) + + const merged = [ + ...historyMessages.filter( + (message) => + !currentIds.has(message.id) && + !currentSignatures.has(messageSignature(message)), + ), + ...currentMessages, + ] + + return merged.sort( + (left, right) => + comparableTimestamp(left.timestamp) - + comparableTimestamp(right.timestamp), + ) +} diff --git a/web/frontend/src/features/chat/protocol.ts b/web/frontend/src/features/chat/protocol.ts new file mode 100644 index 000000000..5e5220c77 --- /dev/null +++ b/web/frontend/src/features/chat/protocol.ts @@ -0,0 +1,81 @@ +import { normalizeUnixTimestamp } from "@/features/chat/state" +import { updateChatStore } from "@/store/chat" + +export interface PicoMessage { + type: string + id?: string + session_id?: string + timestamp?: number | string + payload?: Record +} + +export function handlePicoMessage( + message: PicoMessage, + expectedSessionId: string, +) { + if (message.session_id && message.session_id !== expectedSessionId) { + return + } + + const payload = message.payload || {} + + switch (message.type) { + case "message.create": { + const content = (payload.content as string) || "" + const messageId = (payload.message_id as string) || `pico-${Date.now()}` + const timestamp = + message.timestamp !== undefined && + Number.isFinite(Number(message.timestamp)) + ? normalizeUnixTimestamp(Number(message.timestamp)) + : Date.now() + + updateChatStore((prev) => ({ + messages: [ + ...prev.messages, + { + id: messageId, + role: "assistant", + content, + timestamp, + }, + ], + isTyping: false, + })) + break + } + + case "message.update": { + const content = (payload.content as string) || "" + const messageId = payload.message_id as string + if (!messageId) { + break + } + + updateChatStore((prev) => ({ + messages: prev.messages.map((msg) => + msg.id === messageId ? { ...msg, content } : msg, + ), + })) + break + } + + case "typing.start": + updateChatStore({ isTyping: true }) + break + + case "typing.stop": + updateChatStore({ isTyping: false }) + break + + case "error": + console.error("Pico error:", payload) + updateChatStore({ isTyping: false }) + break + + case "pong": + break + + default: + console.log("Unknown pico message type:", message.type) + } +} diff --git a/web/frontend/src/lib/pico-chat-state.ts b/web/frontend/src/features/chat/state.ts similarity index 100% rename from web/frontend/src/lib/pico-chat-state.ts rename to web/frontend/src/features/chat/state.ts diff --git a/web/frontend/src/features/chat/websocket.ts b/web/frontend/src/features/chat/websocket.ts new file mode 100644 index 000000000..6b132e9a6 --- /dev/null +++ b/web/frontend/src/features/chat/websocket.ts @@ -0,0 +1,57 @@ +export function normalizeWsUrlForBrowser(wsUrl: string): string { + let finalWsUrl = wsUrl + + try { + const parsedUrl = new URL(wsUrl) + const isLocalHost = + parsedUrl.hostname === "localhost" || + parsedUrl.hostname === "127.0.0.1" || + parsedUrl.hostname === "0.0.0.0" + const isBrowserLocal = + window.location.hostname === "localhost" || + window.location.hostname === "127.0.0.1" + + if (isLocalHost && !isBrowserLocal) { + parsedUrl.hostname = window.location.hostname + finalWsUrl = parsedUrl.toString() + } + } catch (error) { + console.warn("Could not parse ws_url:", error) + } + + return finalWsUrl +} + +export function invalidateSocket(socket: WebSocket | null) { + if (!socket) { + return + } + + socket.onopen = null + socket.onmessage = null + socket.onclose = null + socket.onerror = null + socket.close() +} + +export function isCurrentSocket({ + socket, + currentSocket, + generation, + currentGeneration, + sessionId, + currentSessionId, +}: { + socket: WebSocket + currentSocket: WebSocket | null + generation: number + currentGeneration: number + sessionId: string + currentSessionId: string +}): boolean { + return ( + currentSocket === socket && + generation === currentGeneration && + sessionId === currentSessionId + ) +} diff --git a/web/frontend/src/hooks/use-gateway.ts b/web/frontend/src/hooks/use-gateway.ts index 848f4d59c..65ec2b776 100644 --- a/web/frontend/src/hooks/use-gateway.ts +++ b/web/frontend/src/hooks/use-gateway.ts @@ -67,10 +67,9 @@ export function useGateway() { } es.onerror = () => { - // EventSource will auto-reconnect - updateGatewayStore((prev) => - prev.status === "restarting" ? {} : { status: "unknown" }, - ) + // EventSource will auto-reconnect. Preserve the last known gateway + // status so transient SSE disconnects do not suppress chat websocket + // reconnects while polling catches up. } return () => { @@ -105,6 +104,11 @@ export function useGateway() { setLoading(true) try { await stopGateway() + updateGatewayStore({ + status: "stopped", + canStart: true, + restartRequired: false, + }) } catch (err) { console.error("Failed to stop gateway:", err) } finally { diff --git a/web/frontend/src/hooks/use-pico-chat.ts b/web/frontend/src/hooks/use-pico-chat.ts index 1b97a2a9c..3ac2e1613 100644 --- a/web/frontend/src/hooks/use-pico-chat.ts +++ b/web/frontend/src/hooks/use-pico-chat.ts @@ -5,7 +5,7 @@ import { newChatSession, sendChatMessage, switchChatSession, -} from "@/lib/pico-chat-controller" +} from "@/features/chat/controller" import { chatAtom } from "@/store/chat" const UNIX_MS_THRESHOLD = 1e12 @@ -33,7 +33,6 @@ function parseTimestamp(dateRaw: number | string | Date) { return dayjs(dateRaw) } -// Helper to format message timestamps export function formatMessageTime(dateRaw: number | string | Date): string { const date = parseTimestamp(dateRaw) if (!date.isValid()) { @@ -48,7 +47,6 @@ export function formatMessageTime(dateRaw: number | string | Date): string { return date.format("LT") } - // Cross-day formatting if (isThisYear) { return date.format("MMM D LT") } diff --git a/web/frontend/src/hooks/use-websocket.ts b/web/frontend/src/hooks/use-websocket.ts deleted file mode 100644 index c41b5ed34..000000000 --- a/web/frontend/src/hooks/use-websocket.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { useCallback, useEffect, useRef, useState } from "react" - -export function useWebSocket(path: string) { - const [message, setMessage] = useState("No messages yet") - const [connected, setConnected] = useState(false) - const wsRef = useRef(null) - - const connect = useCallback(() => { - if (wsRef.current) { - wsRef.current.close() - } - - const protocol = window.location.protocol === "https:" ? "wss:" : "ws:" - const url = `${protocol}//${window.location.host}${path}` - const socket = new WebSocket(url) - - socket.onopen = () => { - setConnected(true) - setMessage("Connected to WebSocket server.") - } - - socket.onmessage = (event) => { - setMessage(event.data) - } - - socket.onclose = () => { - setConnected(false) - setMessage("WebSocket connection closed.") - } - - socket.onerror = (error) => { - setConnected(false) - setMessage("WebSocket error occurred.") - console.error("WebSocket Error:", error) - } - - wsRef.current = socket - }, [path]) - - useEffect(() => { - return () => { - wsRef.current?.close() - } - }, []) - - return { message, connected, connect } -} diff --git a/web/frontend/src/routes/__root.tsx b/web/frontend/src/routes/__root.tsx index 6431d9490..31fdb7804 100644 --- a/web/frontend/src/routes/__root.tsx +++ b/web/frontend/src/routes/__root.tsx @@ -3,7 +3,7 @@ import { TanStackRouterDevtools } from "@tanstack/react-router-devtools" import { useEffect } from "react" import { AppLayout } from "@/components/app-layout" -import { initializeChatStore } from "@/lib/pico-chat-controller" +import { initializeChatStore } from "@/features/chat/controller" const RootLayout = () => { useEffect(() => { diff --git a/web/frontend/src/store/chat.ts b/web/frontend/src/store/chat.ts index d79a1a93b..da5fa6670 100644 --- a/web/frontend/src/store/chat.ts +++ b/web/frontend/src/store/chat.ts @@ -3,7 +3,7 @@ import { atom, getDefaultStore } from "jotai" import { getInitialActiveSessionId, writeStoredSessionId, -} from "@/lib/pico-chat-state" +} from "@/features/chat/state" export interface ChatMessage { id: string diff --git a/web/frontend/src/store/gateway.ts b/web/frontend/src/store/gateway.ts index b7655839c..c5eee8451 100644 --- a/web/frontend/src/store/gateway.ts +++ b/web/frontend/src/store/gateway.ts @@ -31,7 +31,17 @@ function normalizeGatewayStoreState( prev: GatewayStoreState, patch: GatewayStorePatch, ) { - return { ...prev, ...patch } + const next = { ...prev, ...patch } + + if ( + next.status === prev.status && + next.canStart === prev.canStart && + next.restartRequired === prev.restartRequired + ) { + return prev + } + + return next } export function updateGatewayStore( From 8fc36a4f9bdd4ea1c9784d2570102a5a1d16dd57 Mon Sep 17 00:00:00 2001 From: Dmitrii Balabanov Date: Fri, 13 Mar 2026 12:06:48 +0200 Subject: [PATCH 25/44] fix(logger): mask bot tokens in 3rd-party logger output --- pkg/logger/logger_3rd_party.go | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/pkg/logger/logger_3rd_party.go b/pkg/logger/logger_3rd_party.go index da50d686a..3c311520c 100644 --- a/pkg/logger/logger_3rd_party.go +++ b/pkg/logger/logger_3rd_party.go @@ -2,7 +2,19 @@ package logger -import "fmt" +import ( + "fmt" + "regexp" +) + +// botTokenRe matches the secret part of a Telegram bot token embedded in a URL +// or log message: /bot:/ → /bot:****/ +var botTokenRe = regexp.MustCompile(`(bot\d+:)[A-Za-z0-9_-]{20,}`) + +// maskSecrets replaces any embedded bot tokens in s with a redacted placeholder. +func maskSecrets(s string) string { + return botTokenRe.ReplaceAllString(s, "${1}****") +} // Logger implements common Logger interface type Logger struct { @@ -12,52 +24,52 @@ type Logger struct { // Debug logs debug messages func (b *Logger) Debug(v ...any) { - logMessage(DEBUG, b.component, fmt.Sprint(v...), nil) + logMessage(DEBUG, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Info logs info messages func (b *Logger) Info(v ...any) { - logMessage(INFO, b.component, fmt.Sprint(v...), nil) + logMessage(INFO, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Warn logs warning messages func (b *Logger) Warn(v ...any) { - logMessage(WARN, b.component, fmt.Sprint(v...), nil) + logMessage(WARN, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Error logs error messages func (b *Logger) Error(v ...any) { - logMessage(ERROR, b.component, fmt.Sprint(v...), nil) + logMessage(ERROR, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Debugf logs formatted debug messages func (b *Logger) Debugf(format string, v ...any) { - logMessage(DEBUG, b.component, fmt.Sprintf(format, v...), nil) + logMessage(DEBUG, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Infof logs formatted info messages func (b *Logger) Infof(format string, v ...any) { - logMessage(INFO, b.component, fmt.Sprintf(format, v...), nil) + logMessage(INFO, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Warnf logs formatted warning messages func (b *Logger) Warnf(format string, v ...any) { - logMessage(WARN, b.component, fmt.Sprintf(format, v...), nil) + logMessage(WARN, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Warningf logs formatted warning messages func (b *Logger) Warningf(format string, v ...any) { - logMessage(WARN, b.component, fmt.Sprintf(format, v...), nil) + logMessage(WARN, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Errorf logs formatted error messages func (b *Logger) Errorf(format string, v ...any) { - logMessage(ERROR, b.component, fmt.Sprintf(format, v...), nil) + logMessage(ERROR, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Fatalf logs formatted fatal messages and exits func (b *Logger) Fatalf(format string, v ...any) { - logMessage(FATAL, b.component, fmt.Sprintf(format, v...), nil) + logMessage(FATAL, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Log logs a message at a given level with caller information @@ -75,7 +87,7 @@ func (b *Logger) Log(msgL, caller int, format string, a ...any) { level = lvl } } - logMessage(level, b.component, fmt.Sprintf(format, a...), nil) + logMessage(level, b.component, maskSecrets(fmt.Sprintf(format, a...)), nil) } // Sync flushes log buffer (no-op for this implementation) From 64ceb5ab760703b0b27e933f1a022f7b64de64aa Mon Sep 17 00:00:00 2001 From: Dmitrii Balabanov Date: Fri, 13 Mar 2026 12:09:03 +0200 Subject: [PATCH 26/44] fix(logger): show first/last 4 chars of bot token for identification --- pkg/logger/logger_3rd_party.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkg/logger/logger_3rd_party.go b/pkg/logger/logger_3rd_party.go index 3c311520c..d0cb178c5 100644 --- a/pkg/logger/logger_3rd_party.go +++ b/pkg/logger/logger_3rd_party.go @@ -7,13 +7,14 @@ import ( "regexp" ) -// botTokenRe matches the secret part of a Telegram bot token embedded in a URL -// or log message: /bot:/ → /bot:****/ -var botTokenRe = regexp.MustCompile(`(bot\d+:)[A-Za-z0-9_-]{20,}`) +// botTokenRe matches the bot ID prefix and the secret part of a Telegram bot token. +// Groups: 1 = "bot:", 2 = first 4 chars of secret, 3 = middle, 4 = last 4 chars. +var botTokenRe = regexp.MustCompile(`(bot\d+:)([A-Za-z0-9_-]{4})[A-Za-z0-9_-]{12,}([A-Za-z0-9_-]{4})`) -// maskSecrets replaces any embedded bot tokens in s with a redacted placeholder. +// maskSecrets replaces any embedded bot tokens in s with a redacted placeholder +// that keeps the first and last 4 characters of the secret for identification. func maskSecrets(s string) string { - return botTokenRe.ReplaceAllString(s, "${1}****") + return botTokenRe.ReplaceAllString(s, "${1}${2}****${3}") } // Logger implements common Logger interface From be4a33cc150c6ea0f41b3bd939b15dc526f84603 Mon Sep 17 00:00:00 2001 From: Cytown Date: Tue, 17 Mar 2026 09:35:52 +0800 Subject: [PATCH 27/44] refactor gateway/helpers and add server.pid to health (#1646) --- cmd/picoclaw/internal/gateway/helpers.go | 121 ++++++++++------------- pkg/health/server.go | 3 + 2 files changed, 55 insertions(+), 69 deletions(-) diff --git a/cmd/picoclaw/internal/gateway/helpers.go b/cmd/picoclaw/internal/gateway/helpers.go index 3562f03ef..85e93bcf9 100644 --- a/cmd/picoclaw/internal/gateway/helpers.go +++ b/cmd/picoclaw/internal/gateway/helpers.go @@ -7,6 +7,7 @@ import ( "os/signal" "path/filepath" "sync" + "syscall" "time" "github.com/sipeed/picoclaw/cmd/picoclaw/internal" @@ -43,7 +44,6 @@ import ( // Timeout constants for service operations const ( - serviceRestartTimeout = 30 * time.Second serviceShutdownTimeout = 30 * time.Second providerReloadTimeout = 30 * time.Second gracefulShutdownTimeout = 15 * time.Second @@ -121,7 +121,7 @@ func gatewayCmd(debug bool) error { defer stopWatch() sigChan := make(chan os.Signal, 1) - signal.Notify(sigChan, os.Interrupt) + signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM) // Main event loop - wait for signals or config changes for { @@ -150,7 +150,8 @@ func setupAndStartServices( // Setup cron tool and service execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute - services.CronService = setupCronTool( + var err error + services.CronService, err = setupCronTool( agentLoop, msgBus, cfg.WorkspacePath(), @@ -158,7 +159,10 @@ func setupAndStartServices( execTimeout, cfg, ) - if err := services.CronService.Start(); err != nil { + if err != nil { + return nil, fmt.Errorf("error setting up cron service: %w", err) + } + if err = services.CronService.Start(); err != nil { return nil, fmt.Errorf("error starting cron service: %w", err) } fmt.Println("✓ Cron service started") @@ -170,26 +174,8 @@ func setupAndStartServices( cfg.Heartbeat.Enabled, ) services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(func(prompt, channel, chatID string) *tools.ToolResult { - // Use cli:direct as fallback if no valid channel - if channel == "" || chatID == "" { - channel, chatID = "cli", "direct" - } - // Use ProcessHeartbeat - no session history, each heartbeat is independent - var response string - var err error - response, err = agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) - if err != nil { - return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) - } - if response == "HEARTBEAT_OK" { - return tools.SilentResult("Heartbeat OK") - } - // For heartbeat, always return silent - the subagent result will be - // sent to user via processSystemMessage when the async task completes - return tools.SilentResult(response) - }) - if err := services.HeartbeatService.Start(); err != nil { + services.HeartbeatService.SetHandler(createHeartbeatHandler(agentLoop)) + if err = services.HeartbeatService.Start(); err != nil { return nil, fmt.Errorf("error starting heartbeat service: %w", err) } fmt.Println("✓ Heartbeat service started") @@ -206,7 +192,6 @@ func setupAndStartServices( } // Create channel manager - var err error services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) if err != nil { // Stop the media store if it's a FileMediaStore with cleanup @@ -238,7 +223,7 @@ func setupAndStartServices( services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) - if err := services.ChannelManager.StartAll(context.Background()); err != nil { + if err = services.ChannelManager.StartAll(context.Background()); err != nil { return nil, fmt.Errorf("error starting channels: %w", err) } @@ -251,7 +236,7 @@ func setupAndStartServices( MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) services.DeviceService.SetBus(msgBus) - if err := services.DeviceService.Start(context.Background()); err != nil { + if err = services.DeviceService.Start(context.Background()); err != nil { logger.ErrorCF("device", "Error starting device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println("✓ Device event service started") @@ -386,17 +371,13 @@ func restartServices( services *gatewayServices, msgBus *bus.MessageBus, ) error { - // Create an independent context with timeout for service restart - // This prevents cancellation from the main loop context during reload - ctx, cancel := context.WithTimeout(context.Background(), serviceRestartTimeout) - defer cancel() - // Get current config from agent loop (which has been updated if this is a reload) cfg := al.GetConfig() // Re-create and start cron service with new config execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute - services.CronService = setupCronTool( + var err error + services.CronService, err = setupCronTool( al, msgBus, cfg.WorkspacePath(), @@ -404,7 +385,10 @@ func restartServices( execTimeout, cfg, ) - if err := services.CronService.Start(); err != nil { + if err != nil { + return fmt.Errorf("error restarting cron service: %w", err) + } + if err = services.CronService.Start(); err != nil { return fmt.Errorf("error restarting cron service: %w", err) } fmt.Println(" ✓ Cron service restarted") @@ -416,31 +400,12 @@ func restartServices( cfg.Heartbeat.Enabled, ) services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(func(prompt, channel, chatID string) *tools.ToolResult { - if channel == "" || chatID == "" { - channel, chatID = "cli", "direct" - } - var response string - var err error - response, err = al.ProcessHeartbeat(context.Background(), prompt, channel, chatID) - if err != nil { - return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) - } - if response == "HEARTBEAT_OK" { - return tools.SilentResult("Heartbeat OK") - } - return tools.SilentResult(response) - }) - if err := services.HeartbeatService.Start(); err != nil { + services.HeartbeatService.SetHandler(createHeartbeatHandler(al)) + if err = services.HeartbeatService.Start(); err != nil { return fmt.Errorf("error restarting heartbeat service: %w", err) } fmt.Println(" ✓ Heartbeat service restarted") - // Stop the old media store before creating a new one - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { - fms.Stop() - } - // Re-create media store with new config services.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ Enabled: cfg.Tools.MediaCleanup.Enabled, @@ -454,13 +419,8 @@ func restartServices( al.SetMediaStore(services.MediaStore) // Re-create channel manager with new config - var err error services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) if err != nil { - // Stop the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { - fms.Stop() - } return fmt.Errorf("error recreating channel manager: %w", err) } al.SetChannelManager(services.ChannelManager) @@ -477,7 +437,8 @@ func restartServices( services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) - if err := services.ChannelManager.StartAll(ctx); err != nil { + // Use background context for lifecycle to ensure services persist after restartServices returns + if err = services.ChannelManager.StartAll(context.Background()); err != nil { return fmt.Errorf("error restarting channels: %w", err) } fmt.Printf( @@ -493,7 +454,7 @@ func restartServices( MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) services.DeviceService.SetBus(msgBus) - if err := services.DeviceService.Start(ctx); err != nil { + if err := services.DeviceService.Start(context.Background()); err != nil { logger.WarnCF("device", "Failed to restart device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println(" ✓ Device event service restarted") @@ -544,6 +505,10 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf // Debounce - wait a bit to ensure file write is complete time.Sleep(500 * time.Millisecond) + // Update last known state to prevent repeated reload attempts on failure + lastModTime = currentModTime + lastSize = currentSize + // Validate and load new config newCfg, err := config.LoadConfig(configPath) if err != nil { @@ -561,10 +526,6 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf logger.Info("✓ Config file validated and loaded") - // Update last known state - lastModTime = currentModTime - lastSize = currentSize - // Send new config to main loop (non-blocking) select { case configChan <- newCfg: @@ -613,7 +574,7 @@ func setupCronTool( restrict bool, execTimeout time.Duration, cfg *config.Config, -) *cron.CronService { +) (*cron.CronService, error) { cronStorePath := filepath.Join(workspace, "cron", "jobs.json") // Create cron service @@ -625,7 +586,7 @@ func setupCronTool( var err error cronTool, err = tools.NewCronTool(cronService, agentLoop, msgBus, workspace, restrict, execTimeout, cfg) if err != nil { - logger.Fatalf("Critical error during CronTool initialization: %v", err) + return nil, fmt.Errorf("critical error during CronTool initialization: %w", err) } agentLoop.RegisterTool(cronTool) @@ -639,5 +600,27 @@ func setupCronTool( }) } - return cronService + return cronService, nil +} + +func createHeartbeatHandler(agentLoop *agent.AgentLoop) func(prompt, channel, chatID string) *tools.ToolResult { + return func(prompt, channel, chatID string) *tools.ToolResult { + // Use cli:direct as fallback if no valid channel + if channel == "" || chatID == "" { + channel, chatID = "cli", "direct" + } + // Use ProcessHeartbeat - no session history, each heartbeat is independent + var response string + var err error + response, err = agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) + if err != nil { + return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) + } + if response == "HEARTBEAT_OK" { + return tools.SilentResult("Heartbeat OK") + } + // For heartbeat, always return silent - the subagent result will be + // sent to user via processSystemMessage when the async task completes + return tools.SilentResult(response) + } } diff --git a/pkg/health/server.go b/pkg/health/server.go index 5609ebdf6..b9ee9f496 100644 --- a/pkg/health/server.go +++ b/pkg/health/server.go @@ -6,6 +6,7 @@ import ( "fmt" "maps" "net/http" + "os" "sync" "time" ) @@ -29,6 +30,7 @@ type StatusResponse struct { Status string `json:"status"` Uptime string `json:"uptime"` Checks map[string]Check `json:"checks,omitempty"` + Pid int `json:"pid"` } func NewServer(host string, port int) *Server { @@ -112,6 +114,7 @@ func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) { resp := StatusResponse{ Status: "ok", Uptime: uptime.String(), + Pid: os.Getpid(), } json.NewEncoder(w).Encode(resp) From fcb69860c4807bbe1da4ef9144fc38fbcaf49fd9 Mon Sep 17 00:00:00 2001 From: wenjie Date: Tue, 17 Mar 2026 09:44:32 +0800 Subject: [PATCH 28/44] feat(web): add configurable cron command execution settings (#1647) - add tools.cron.allow_command config with a default value of true - require command_confirm only when cron command execution is disabled - expose cron command permission and timeout settings in the config UI - add backend tests and update i18n strings --- pkg/config/config.go | 5 +- pkg/config/config_test.go | 23 +++++++ pkg/config/defaults.go | 1 + pkg/tools/cron.go | 34 +++++++---- pkg/tools/cron_test.go | 61 +++++++++++++++++-- .../src/components/config/config-page.tsx | 12 ++++ .../src/components/config/config-sections.tsx | 36 +++++++++++ .../src/components/config/form-model.ts | 13 ++++ web/frontend/src/i18n/locales/en.json | 5 ++ web/frontend/src/i18n/locales/zh.json | 5 ++ 10 files changed, 174 insertions(+), 21 deletions(-) diff --git a/pkg/config/config.go b/pkg/config/config.go index 2937c36e4..ad5618907 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -699,8 +699,9 @@ type WebToolsConfig struct { } type CronToolsConfig struct { - ToolConfig ` envPrefix:"PICOCLAW_TOOLS_CRON_"` - ExecTimeoutMinutes int ` env:"PICOCLAW_TOOLS_CRON_EXEC_TIMEOUT_MINUTES" json:"exec_timeout_minutes"` // 0 means no timeout + ToolConfig ` envPrefix:"PICOCLAW_TOOLS_CRON_"` + ExecTimeoutMinutes int ` env:"PICOCLAW_TOOLS_CRON_EXEC_TIMEOUT_MINUTES" json:"exec_timeout_minutes"` // 0 means no timeout + AllowCommand bool ` env:"PICOCLAW_TOOLS_CRON_ALLOW_COMMAND" json:"allow_command"` } type ExecConfig struct { diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index 4c4dd9421..fc835f78f 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -405,6 +405,13 @@ func TestDefaultConfig_ExecAllowRemoteEnabled(t *testing.T) { } } +func TestDefaultConfig_CronAllowCommandEnabled(t *testing.T) { + cfg := DefaultConfig() + if !cfg.Tools.Cron.AllowCommand { + t.Fatal("DefaultConfig().Tools.Cron.AllowCommand should be true") + } +} + func TestLoadConfig_OpenAIWebSearchDefaultsTrueWhenUnset(t *testing.T) { dir := t.TempDir() configPath := filepath.Join(dir, "config.json") @@ -437,6 +444,22 @@ func TestLoadConfig_ExecAllowRemoteDefaultsTrueWhenUnset(t *testing.T) { } } +func TestLoadConfig_CronAllowCommandDefaultsTrueWhenUnset(t *testing.T) { + dir := t.TempDir() + configPath := filepath.Join(dir, "config.json") + if err := os.WriteFile(configPath, []byte(`{"tools":{"cron":{"exec_timeout_minutes":5}}}`), 0o600); err != nil { + t.Fatalf("WriteFile() error: %v", err) + } + + cfg, err := LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error: %v", err) + } + if !cfg.Tools.Cron.AllowCommand { + t.Fatal("tools.cron.allow_command should remain true when unset in config file") + } +} + func TestLoadConfig_OpenAIWebSearchCanBeDisabled(t *testing.T) { dir := t.TempDir() configPath := filepath.Join(dir, "config.json") diff --git a/pkg/config/defaults.go b/pkg/config/defaults.go index dc534d852..a029eeb59 100644 --- a/pkg/config/defaults.go +++ b/pkg/config/defaults.go @@ -452,6 +452,7 @@ func DefaultConfig() *Config { Enabled: true, }, ExecTimeoutMinutes: 5, + AllowCommand: true, }, Exec: ExecConfig{ ToolConfig: ToolConfig{ diff --git a/pkg/tools/cron.go b/pkg/tools/cron.go index 25608a54c..aa22f9aa6 100644 --- a/pkg/tools/cron.go +++ b/pkg/tools/cron.go @@ -20,10 +20,11 @@ type JobExecutor interface { // CronTool provides scheduling capabilities for the agent type CronTool struct { - cronService *cron.CronService - executor JobExecutor - msgBus *bus.MessageBus - execTool *ExecTool + cronService *cron.CronService + executor JobExecutor + msgBus *bus.MessageBus + execTool *ExecTool + allowCommand bool } // NewCronTool creates a new CronTool @@ -37,12 +38,18 @@ func NewCronTool( return nil, fmt.Errorf("unable to configure exec tool: %w", err) } + allowCommand := true + if config != nil { + allowCommand = config.Tools.Cron.AllowCommand + } + execTool.SetTimeout(execTimeout) return &CronTool{ - cronService: cronService, - executor: executor, - msgBus: msgBus, - execTool: execTool, + cronService: cronService, + executor: executor, + msgBus: msgBus, + execTool: execTool, + allowCommand: allowCommand, }, nil } @@ -76,7 +83,7 @@ func (t *CronTool) Parameters() map[string]any { }, "command_confirm": map[string]any{ "type": "boolean", - "description": "Required when using command=true. Must be true to explicitly confirm scheduling a shell command.", + "description": "Optional explicit confirmation flag for scheduling a shell command. Command execution must also be enabled via tools.cron.allow_command.", }, "at_seconds": map[string]any{ "type": "integer", @@ -180,16 +187,17 @@ func (t *CronTool) addJob(ctx context.Context, args map[string]any) *ToolResult deliver = d } - // GHSA-pv8c-p6jf-3fpp: command scheduling requires internal channel + explicit confirm. - // Non-command reminders (plain messages) remain open to all channels. + // GHSA-pv8c-p6jf-3fpp: command scheduling requires internal channel. When + // allow_command is disabled, explicit confirmation is required as an override. + // Non-command reminders remain open to all channels. command, _ := args["command"].(string) commandConfirm, _ := args["command_confirm"].(bool) if command != "" { if !constants.IsInternalChannel(channel) { return ErrorResult("scheduling command execution is restricted to internal channels") } - if !commandConfirm { - return ErrorResult("command_confirm=true is required to schedule command execution") + if !t.allowCommand && !commandConfirm { + return ErrorResult("command_confirm=true is required when allow_command is disabled") } deliver = false } diff --git a/pkg/tools/cron_test.go b/pkg/tools/cron_test.go index f1e857949..e46b13b13 100644 --- a/pkg/tools/cron_test.go +++ b/pkg/tools/cron_test.go @@ -11,12 +11,11 @@ import ( "github.com/sipeed/picoclaw/pkg/cron" ) -func newTestCronTool(t *testing.T) *CronTool { +func newTestCronToolWithConfig(t *testing.T, cfg *config.Config) *CronTool { t.Helper() storePath := filepath.Join(t.TempDir(), "cron.json") cronService := cron.NewCronService(storePath, nil) msgBus := bus.NewMessageBus() - cfg := config.DefaultConfig() tool, err := NewCronTool(cronService, nil, msgBus, t.TempDir(), true, 0, cfg) if err != nil { t.Fatalf("NewCronTool() error: %v", err) @@ -24,6 +23,11 @@ func newTestCronTool(t *testing.T) *CronTool { return tool } +func newTestCronTool(t *testing.T) *CronTool { + t.Helper() + return newTestCronToolWithConfig(t, config.DefaultConfig()) +} + // TestCronTool_CommandBlockedFromRemoteChannel verifies command scheduling is restricted to internal channels func TestCronTool_CommandBlockedFromRemoteChannel(t *testing.T) { tool := newTestCronTool(t) @@ -44,8 +48,7 @@ func TestCronTool_CommandBlockedFromRemoteChannel(t *testing.T) { } } -// TestCronTool_CommandRequiresConfirm verifies command_confirm=true is required -func TestCronTool_CommandRequiresConfirm(t *testing.T) { +func TestCronTool_CommandDoesNotRequireConfirmByDefault(t *testing.T) { tool := newTestCronTool(t) ctx := WithToolContext(context.Background(), "cli", "direct") result := tool.Execute(ctx, map[string]any{ @@ -55,11 +58,57 @@ func TestCronTool_CommandRequiresConfirm(t *testing.T) { "at_seconds": float64(60), }) + if result.IsError { + t.Fatalf("expected command scheduling without confirm to succeed by default, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "Cron job added") { + t.Errorf("expected 'Cron job added', got: %s", result.ForLLM) + } +} + +func TestCronTool_CommandRequiresConfirmWhenAllowCommandDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Cron.AllowCommand = false + + tool := newTestCronToolWithConfig(t, cfg) + ctx := WithToolContext(context.Background(), "cli", "direct") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "check disk", + "command": "df -h", + "at_seconds": float64(60), + }) + if !result.IsError { - t.Fatal("expected error when command_confirm is missing") + t.Fatal("expected command scheduling to require confirm when allow_command is disabled") } if !strings.Contains(result.ForLLM, "command_confirm=true") { - t.Errorf("expected 'command_confirm=true' message, got: %s", result.ForLLM) + t.Errorf("expected command_confirm requirement message, got: %s", result.ForLLM) + } +} + +func TestCronTool_CommandAllowedWithConfirmWhenAllowCommandDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Cron.AllowCommand = false + + tool := newTestCronToolWithConfig(t, cfg) + ctx := WithToolContext(context.Background(), "cli", "direct") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "check disk", + "command": "df -h", + "command_confirm": true, + "at_seconds": float64(60), + }) + + if result.IsError { + t.Fatalf( + "expected command scheduling with confirm to succeed when allow_command is disabled, got: %s", + result.ForLLM, + ) + } + if !strings.Contains(result.ForLLM, "Cron job added") { + t.Errorf("expected 'Cron job added', got: %s", result.ForLLM) } } diff --git a/web/frontend/src/components/config/config-page.tsx b/web/frontend/src/components/config/config-page.tsx index cbce7d27e..130498ba4 100644 --- a/web/frontend/src/components/config/config-page.tsx +++ b/web/frontend/src/components/config/config-page.tsx @@ -14,6 +14,7 @@ import { } from "@/api/system" import { AgentDefaultsSection, + CronSection, DevicesSection, LauncherSection, RuntimeSection, @@ -164,6 +165,11 @@ export function ConfigPage() { "Heartbeat interval", { min: 1 }, ) + const cronExecTimeoutMinutes = parseIntField( + form.cronExecTimeoutMinutes, + "Cron exec timeout", + { min: 0 }, + ) await patchAppConfig({ agents: { @@ -180,6 +186,10 @@ export function ConfigPage() { dm_scope: dmScope, }, tools: { + cron: { + allow_command: form.allowCommand, + exec_timeout_minutes: cronExecTimeoutMinutes, + }, exec: { allow_remote: form.allowRemote, }, @@ -279,6 +289,8 @@ export function ConfigPage() { + + + onFieldChange("allowCommand", checked)} + /> + + + + onFieldChange("cronExecTimeoutMinutes", e.target.value) + } + /> + + + ) +} + interface LauncherSectionProps { launcherForm: LauncherForm onFieldChange: UpdateLauncherField diff --git a/web/frontend/src/components/config/form-model.ts b/web/frontend/src/components/config/form-model.ts index d868c4bb4..8c850b2c4 100644 --- a/web/frontend/src/components/config/form-model.ts +++ b/web/frontend/src/components/config/form-model.ts @@ -4,6 +4,8 @@ export interface CoreConfigForm { workspace: string restrictToWorkspace: boolean allowRemote: boolean + allowCommand: boolean + cronExecTimeoutMinutes: string maxTokens: string maxToolIterations: string summarizeMessageThreshold: string @@ -56,6 +58,8 @@ export const EMPTY_FORM: CoreConfigForm = { workspace: "", restrictToWorkspace: true, allowRemote: true, + allowCommand: true, + cronExecTimeoutMinutes: "5", maxTokens: "32768", maxToolIterations: "50", summarizeMessageThreshold: "20", @@ -106,6 +110,7 @@ export function buildFormFromConfig(config: unknown): CoreConfigForm { const heartbeat = asRecord(root.heartbeat) const devices = asRecord(root.devices) const tools = asRecord(root.tools) + const cron = asRecord(tools.cron) const exec = asRecord(tools.exec) return { @@ -118,6 +123,14 @@ export function buildFormFromConfig(config: unknown): CoreConfigForm { exec.allow_remote === undefined ? EMPTY_FORM.allowRemote : asBool(exec.allow_remote), + allowCommand: + cron.allow_command === undefined + ? EMPTY_FORM.allowCommand + : asBool(cron.allow_command), + cronExecTimeoutMinutes: asNumberString( + cron.exec_timeout_minutes, + EMPTY_FORM.cronExecTimeoutMinutes, + ), maxTokens: asNumberString(defaults.max_tokens, EMPTY_FORM.maxTokens), maxToolIterations: asNumberString( defaults.max_tool_iterations, diff --git a/web/frontend/src/i18n/locales/en.json b/web/frontend/src/i18n/locales/en.json index b099dec13..2fa32ebb5 100644 --- a/web/frontend/src/i18n/locales/en.json +++ b/web/frontend/src/i18n/locales/en.json @@ -394,6 +394,10 @@ "restrict_workspace_hint": "Only allow file operations inside workspace.", "allow_remote": "Allow Remote Shell Execution", "allow_remote_hint": "When enabled, shell commands can also run for remote sessions or non-local contexts. When disabled, shell execution stays limited to local safe contexts.", + "allow_shell_execution": "Allow Shell Execution", + "allow_shell_execution_hint": "Enable scheduled shell commands for cron jobs by default. When disabled, users must pass command_confirm=true to schedule a cron command.", + "cron_exec_timeout": "Cron Command Timeout (minutes)", + "cron_exec_timeout_hint": "Maximum runtime for scheduled shell commands. Set to 0 to disable the timeout.", "max_tokens": "Max Tokens", "max_tokens_hint": "Upper token limit per model response.", "max_tool_iterations": "Max Tool Iterations", @@ -434,6 +438,7 @@ "sections": { "agent": "Agent", "runtime": "Runtime", + "cron": "Cron Tasks", "launcher": "Service", "devices": "Devices" }, diff --git a/web/frontend/src/i18n/locales/zh.json b/web/frontend/src/i18n/locales/zh.json index 78093e5c7..badf5bb3d 100644 --- a/web/frontend/src/i18n/locales/zh.json +++ b/web/frontend/src/i18n/locales/zh.json @@ -394,6 +394,10 @@ "restrict_workspace_hint": "仅允许在工作目录内执行文件操作。", "allow_remote": "允许远程执行 Shell 命令", "allow_remote_hint": "开启后,来自远程会话或非本地上下文的请求也可以执行 shell 命令;关闭后,仅允许本地安全上下文执行。", + "allow_shell_execution": "允许 Shell 执行", + "allow_shell_execution_hint": "开启后,cron 定时任务默认允许执行 shell 命令。关闭后,必须显式传入 command_confirm=true 才能创建 cron 命令任务。", + "cron_exec_timeout": "定时命令超时(分钟)", + "cron_exec_timeout_hint": "定时 shell 命令的最长执行时间。设置为 0 表示不限制超时。", "max_tokens": "最大 Token 数", "max_tokens_hint": "单次模型响应允许的最大 Token 数。", "max_tool_iterations": "最大工具迭代次数", @@ -434,6 +438,7 @@ "sections": { "agent": "智能体", "runtime": "运行时", + "cron": "定时任务", "launcher": "服务参数", "devices": "设备" }, From 8d97896a0dfc485b6a8400d80b2859f852421aa3 Mon Sep 17 00:00:00 2001 From: Zane Tung Date: Tue, 17 Mar 2026 11:52:58 +0800 Subject: [PATCH 29/44] fix(providers): handle nil input in GLM series tool_use blocks - add defensive nil check for tool call Arguments field - replace nil input with empty object to comply with Anthropic spec - prevent API errors when GLM models return null input in tool_use blocks Zhipu AI's GLM series models may return tool_use blocks with null input field, which causes their API to reject subsequent requests with error: "ClaudeContentBlockToolResult object has no attribute id" This fix ensures compatibility by converting nil inputs to empty objects {}, matching the Anthropic Messages API specification while maintaining backward compatibility with other providers. --- pkg/providers/anthropic_messages/provider.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/providers/anthropic_messages/provider.go b/pkg/providers/anthropic_messages/provider.go index 8a83a7058..c201dfe00 100644 --- a/pkg/providers/anthropic_messages/provider.go +++ b/pkg/providers/anthropic_messages/provider.go @@ -221,11 +221,17 @@ func buildRequestBody( // Add tool_use blocks for _, tc := range msg.ToolCalls { + // Handle nil Arguments (GLM-4 may return null input) + input := tc.Arguments + if input == nil { + input = map[string]any{} + } + toolUse := map[string]any{ "type": "tool_use", "id": tc.ID, "name": tc.Name, - "input": tc.Arguments, + "input": input, } content = append(content, toolUse) } From cef0f28881169fa52d9eadd8414e0cc3f2f18607 Mon Sep 17 00:00:00 2001 From: wenjie Date: Tue, 17 Mar 2026 14:10:11 +0800 Subject: [PATCH 30/44] fix(tools): normalize whitelist path checks for symlinked allowed roots (#1660) - keep regex whitelist matching for existing configs - add normalized directory-prefix checks for literal allow-path patterns - support allowed roots that resolve through symlinks - add regression coverage for symlink-backed whitelist paths --- pkg/tools/filesystem.go | 105 ++++++++++++++++++++++++++++++++++- pkg/tools/filesystem_test.go | 35 ++++++++++++ 2 files changed, 138 insertions(+), 2 deletions(-) diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index 92946ef98..ae356f248 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -98,14 +98,115 @@ func isAllowedPath(path string, patterns []*regexp.Regexp) bool { } func matchesAllowedPath(path string, patterns []*regexp.Regexp) bool { + cleaned := filepath.Clean(path) for _, pattern := range patterns { - if pattern.MatchString(path) { + if pattern.MatchString(cleaned) { + return true + } + if root, ok := extractAllowedPathRoot(pattern); ok && isWithinAllowedRoot(cleaned, root) { return true } } return false } +func extractAllowedPathRoot(pattern *regexp.Regexp) (string, bool) { + raw := pattern.String() + if !strings.HasPrefix(raw, "^") { + return "", false + } + + literal := strings.TrimPrefix(raw, "^") + + // Recognize the common "directory prefix" form: ^(?:/|$) + literal = strings.TrimSuffix(literal, "(?:/|$)") + literal = strings.TrimSuffix(literal, `(?:\\|$)`) + + // Reject patterns that still contain regex operators after removing the + // optional anchored-directory suffix. That keeps arbitrary regex behavior + // unchanged and only enables normalized prefix matching for literal paths. + if containsUnescapedRegexMeta(literal) { + return "", false + } + + unescaped, ok := unescapeRegexLiteral(literal) + if !ok || unescaped == "" { + return "", false + } + + return filepath.Clean(unescaped), filepath.IsAbs(unescaped) +} + +func appendUniquePath(paths []string, path string) []string { + for _, existing := range paths { + if existing == path { + return paths + } + } + return append(paths, path) +} + +func containsUnescapedRegexMeta(s string) bool { + escaped := false + for _, r := range s { + if escaped { + escaped = false + continue + } + if r == '\\' { + escaped = true + continue + } + switch r { + case '.', '+', '*', '?', '(', ')', '[', ']', '{', '}', '|': + return true + } + } + return escaped +} + +func unescapeRegexLiteral(s string) (string, bool) { + var b strings.Builder + b.Grow(len(s)) + + escaped := false + for _, r := range s { + if escaped { + b.WriteRune(r) + escaped = false + continue + } + if r == '\\' { + escaped = true + continue + } + b.WriteRune(r) + } + + if escaped { + return "", false + } + + return b.String(), true +} + +func isWithinAllowedRoot(path, root string) bool { + candidate := filepath.Clean(path) + allowedVariants := []string{filepath.Clean(root)} + + if resolvedRoot, err := resolvePathAgainstExistingAncestor(root); err == nil { + allowedVariants = appendUniquePath(allowedVariants, filepath.Clean(resolvedRoot)) + } + + for _, allowedRoot := range allowedVariants { + if isWithinWorkspace(candidate, allowedRoot) { + return true + } + } + + return false +} + func resolveExistingAncestor(path string) (string, error) { for current := filepath.Clean(path); ; current = filepath.Dir(current) { if resolved, err := filepath.EvalSymlinks(current); err == nil { @@ -144,7 +245,7 @@ func resolvePathAgainstExistingAncestor(path string) (string, error) { func isWithinWorkspace(candidate, workspace string) bool { rel, err := filepath.Rel(filepath.Clean(workspace), filepath.Clean(candidate)) - return err == nil && filepath.IsLocal(rel) + return err == nil && (rel == "." || filepath.IsLocal(rel)) } type ReadFileTool struct { diff --git a/pkg/tools/filesystem_test.go b/pkg/tools/filesystem_test.go index 78d69273f..5ebf38df2 100644 --- a/pkg/tools/filesystem_test.go +++ b/pkg/tools/filesystem_test.go @@ -570,6 +570,41 @@ func TestWhitelistFs_WriteAllowsNewFileUnderAllowedDir(t *testing.T) { } } +func TestWhitelistFs_AllowsResolvedAllowedRootAlias(t *testing.T) { + workspace := t.TempDir() + realDir := t.TempDir() + linkParent := t.TempDir() + allowedAlias := filepath.Join(linkParent, "allowed-link") + + if err := os.Symlink(realDir, allowedAlias); err != nil { + t.Skipf("symlink not supported in this environment: %v", err) + } + + targetFile := filepath.Join(allowedAlias, "nested", "alias.txt") + if err := os.MkdirAll(filepath.Dir(targetFile), 0o755); err != nil { + t.Fatalf("MkdirAll(targetFile dir) error = %v", err) + } + if err := os.WriteFile(targetFile, []byte("through alias"), 0o644); err != nil { + t.Fatalf("WriteFile(targetFile) error = %v", err) + } + + patterns := []*regexp.Regexp{ + regexp.MustCompile( + "^" + regexp.QuoteMeta(filepath.Clean(allowedAlias)) + + "(?:" + regexp.QuoteMeta(string(os.PathSeparator)) + "|$)", + ), + } + tool := NewReadFileTool(workspace, true, MaxReadFileSize, patterns) + + result := tool.Execute(context.Background(), map[string]any{"path": targetFile}) + if result.IsError { + t.Fatalf("expected symlink-backed allowed root to be readable, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "through alias") { + t.Fatalf("expected file content, got: %s", result.ForLLM) + } +} + // TestReadFileTool_ChunkedReading verifies the pagination logic of the tool // by reading a file in multiple chunks using 'offset' and 'length'. func TestReadFileTool_ChunkedReading(t *testing.T) { From e41423483e46aa8fb506bbe1c9b4bf735ff39c4d Mon Sep 17 00:00:00 2001 From: Cytown Date: Tue, 17 Mar 2026 14:12:32 +0800 Subject: [PATCH 31/44] add systray ui for all platform (#1649) * add systray ui for all platform * update from getlantern/systray to fyne.io/systray for fix test --- Makefile | 53 ++--- go.mod | 6 +- go.sum | 4 + pkg/agent/instance_test.go | 2 +- web/Makefile | 62 +++++- web/backend/api/events.go | 21 +- web/backend/api/gateway.go | 373 +++++++++++++++++++++----------- web/backend/api/gateway_test.go | 54 ----- web/backend/api/router.go | 5 + web/backend/i18n.go | 120 ++++++++++ web/backend/icon.png | Bin 0 -> 104580 bytes web/backend/main.go | 56 +++-- web/backend/systray.go | 133 ++++++++++++ web/backend/systray_unix.go | 8 + web/backend/systray_windows.go | 8 + 15 files changed, 674 insertions(+), 231 deletions(-) create mode 100644 web/backend/i18n.go create mode 100644 web/backend/icon.png create mode 100644 web/backend/systray.go create mode 100644 web/backend/systray_unix.go create mode 100644 web/backend/systray_windows.go diff --git a/Makefile b/Makefile index 2f673d3b9..4f4a7a6cb 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ GIT_COMMIT=$(shell git rev-parse --short=8 HEAD 2>/dev/null || echo "dev") BUILD_TIME=$(shell date +%FT%T%z) GO_VERSION=$(shell $(GO) version | awk '{print $$3}') CONFIG_PKG=github.com/sipeed/picoclaw/pkg/config -LDFLAGS=-ldflags "-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w" +LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w # Go variables GO?=CGO_ENABLED=0 go @@ -107,7 +107,7 @@ generate: build: generate @echo "Building $(BINARY_NAME) for $(PLATFORM)/$(ARCH)..." @mkdir -p $(BUILD_DIR) - @$(GO) build $(GOFLAGS) $(LDFLAGS) -o $(BINARY_PATH) ./$(CMD_DIR) + @$(GO) build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o $(BINARY_PATH) ./$(CMD_DIR) @echo "Build complete: $(BINARY_PATH)" @ln -sf $(BINARY_NAME)-$(PLATFORM)-$(ARCH) $(BUILD_DIR)/$(BINARY_NAME) @@ -128,16 +128,16 @@ build-whatsapp-native: generate ## @echo "Building $(BINARY_NAME) with WhatsApp native for $(PLATFORM)/$(ARCH)..." @echo "Building for multiple platforms..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=amd64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) - GOOS=linux GOARCH=arm64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) - GOOS=linux GOARCH=loong64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) - GOOS=linux GOARCH=riscv64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) - GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) + GOOS=linux GOARCH=amd64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) + GOOS=linux GOARCH=arm64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=loong64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) + GOOS=linux GOARCH=riscv64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) + GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) $(call PATCH_MIPS_FLAGS,$(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle) - GOOS=darwin GOARCH=arm64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) - GOOS=windows GOARCH=amd64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) -## @$(GO) build $(GOFLAGS) -tags whatsapp_native $(LDFLAGS) -o $(BINARY_PATH) ./$(CMD_DIR) + GOOS=darwin GOARCH=arm64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) + GOOS=windows GOARCH=amd64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) +## @$(GO) build $(GOFLAGS) -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BINARY_PATH) ./$(CMD_DIR) @echo "Build complete" ## @ln -sf $(BINARY_NAME)-$(PLATFORM)-$(ARCH) $(BUILD_DIR)/$(BINARY_NAME) @@ -145,21 +145,21 @@ build-whatsapp-native: generate build-linux-arm: generate @echo "Building for linux/arm (GOARM=7)..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) @echo "Build complete: $(BUILD_DIR)/$(BINARY_NAME)-linux-arm" ## build-linux-arm64: Build for Linux ARM64 (e.g. Raspberry Pi Zero 2 W 64-bit) build-linux-arm64: generate @echo "Building for linux/arm64..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) @echo "Build complete: $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64" ## build-linux-mipsle: Build for Linux MIPS32 LE build-linux-mipsle: generate @echo "Building for linux/mipsle (softfloat)..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) + GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) $(call PATCH_MIPS_FLAGS,$(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle) @echo "Build complete: $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle" @@ -171,18 +171,18 @@ build-pi-zero: build-linux-arm build-linux-arm64 build-all: generate @echo "Building for multiple platforms..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) - GOOS=linux GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) - GOOS=linux GOARCH=loong64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) - GOOS=linux GOARCH=riscv64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) - GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) + GOOS=linux GOARCH=amd64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) + GOOS=linux GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=loong64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) + GOOS=linux GOARCH=riscv64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) + GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) $(call PATCH_MIPS_FLAGS,$(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-armv7 ./$(CMD_DIR) - GOOS=darwin GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) - GOOS=windows GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) - GOOS=netbsd GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-amd64 ./$(CMD_DIR) - GOOS=netbsd GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-armv7 ./$(CMD_DIR) + GOOS=darwin GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) + GOOS=windows GOARCH=amd64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) + GOOS=netbsd GOARCH=amd64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-amd64 ./$(CMD_DIR) + GOOS=netbsd GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-arm64 ./$(CMD_DIR) @echo "All builds complete" ## install: Install picoclaw to system and copy builtin skills @@ -223,7 +223,8 @@ vet: generate ## test: Test Go code test: generate - @$(GO) test ./... + @$(GO) test $$(go list ./... | grep -v github.com/sipeed/picoclaw/web/) + @cd web && make test ## fmt: Format Go code fmt: diff --git a/go.mod b/go.mod index 130db73ff..4442b28fe 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,7 @@ module github.com/sipeed/picoclaw go 1.25.7 require ( + fyne.io/systray v1.12.0 github.com/adhocore/gronx v1.19.6 github.com/anthropics/anthropic-sdk-go v1.26.0 github.com/bwmarrin/discordgo v0.29.0 @@ -28,6 +29,7 @@ require ( github.com/tencent-connect/botgo v0.2.1 go.mau.fi/whatsmeow v0.0.0-20260219150138-7ae702b1eed4 golang.org/x/oauth2 v0.36.0 + golang.org/x/term v0.40.0 golang.org/x/time v0.14.0 google.golang.org/protobuf v1.36.11 gopkg.in/yaml.v3 v3.0.1 @@ -43,6 +45,7 @@ require ( github.com/dustin/go-humanize v1.0.1 // indirect github.com/elliotchance/orderedmap/v3 v3.1.0 // indirect github.com/gdamore/encoding v1.0.1 // indirect + github.com/godbus/dbus/v5 v5.1.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/lucasb-eyer/go-colorful v1.3.0 // indirect github.com/mattn/go-colorable v0.1.14 // indirect @@ -59,7 +62,6 @@ require ( go.mau.fi/libsignal v0.2.1 // indirect go.mau.fi/util v0.9.6 // indirect golang.org/x/exp v0.0.0-20260212183809-81e46e3db34a // indirect - golang.org/x/term v0.40.0 // indirect golang.org/x/text v0.34.0 // indirect modernc.org/libc v1.67.6 // indirect modernc.org/mathutil v1.7.1 // indirect @@ -90,7 +92,7 @@ require ( github.com/valyala/fastjson v1.6.10 // indirect github.com/yosida95/uritemplate/v3 v3.0.2 // indirect golang.org/x/arch v0.24.0 // indirect - golang.org/x/crypto v0.48.0 // indirect + golang.org/x/crypto v0.48.0 golang.org/x/net v0.51.0 // indirect golang.org/x/sync v0.19.0 // indirect golang.org/x/sys v0.41.0 // indirect diff --git a/go.sum b/go.sum index a4d8ed3d0..f0e3fc132 100644 --- a/go.sum +++ b/go.sum @@ -1,6 +1,8 @@ cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw= filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +fyne.io/systray v1.12.0 h1:CA1Kk0e2zwFlxtc02L3QFSiIbxJ/P0n582YrZHT7aTM= +fyne.io/systray v1.12.0/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/adhocore/gronx v1.19.6 h1:5KNVcoR9ACgL9HhEqCm5QXsab/gI4QDIybTAWcXDKDc= @@ -64,6 +66,8 @@ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg78 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= +github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= diff --git a/pkg/agent/instance_test.go b/pkg/agent/instance_test.go index f8057bb2f..5a13c8f1b 100644 --- a/pkg/agent/instance_test.go +++ b/pkg/agent/instance_test.go @@ -190,7 +190,7 @@ func TestNewAgentInstance_AllowsMediaTempDirForReadListAndExec(t *testing.T) { Agents: config.AgentsConfig{ Defaults: config.AgentDefaults{ Workspace: workspace, - Model: "test-model", + ModelName: "test-model", RestrictToWorkspace: true, }, }, diff --git a/web/Makefile b/web/Makefile index 559005956..653dd77e1 100644 --- a/web/Makefile +++ b/web/Makefile @@ -1,5 +1,59 @@ .PHONY: dev dev-frontend dev-backend build test lint clean +# Version +VERSION?=$(shell git describe --tags --always --dirty 2>/dev/null || echo "dev") +GIT_COMMIT=$(shell git rev-parse --short=8 HEAD 2>/dev/null || echo "dev") +BUILD_TIME=$(shell date +%FT%T%z) +GO_VERSION=$(shell $(GO) version | awk '{print $$3}') +CONFIG_PKG=github.com/sipeed/picoclaw/pkg/config +LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w + +# Go variables +GO?=CGO_ENABLED=0 go +GOFLAGS?=-v -tags stdjson + + +# OS detection +UNAME_S:=$(shell uname -s) +UNAME_M:=$(shell uname -m) + +# Platform-specific settings +ifeq ($(UNAME_S),Linux) + PLATFORM=linux + ifeq ($(UNAME_M),x86_64) + ARCH=amd64 + else ifeq ($(UNAME_M),aarch64) + ARCH=arm64 + else ifeq ($(UNAME_M),armv81) + ARCH=arm64 + else ifeq ($(UNAME_M),loongarch64) + ARCH=loong64 + else ifeq ($(UNAME_M),riscv64) + ARCH=riscv64 + else ifeq ($(UNAME_M),mipsel) + ARCH=mipsle + else + ARCH=$(UNAME_M) + endif +else ifeq ($(UNAME_S),Darwin) + PLATFORM=darwin + GO=CGO_ENABLED=1 go + ifeq ($(UNAME_M),x86_64) + ARCH=amd64 + else ifeq ($(UNAME_M),arm64) + ARCH=arm64 + else + ARCH=$(UNAME_M) + endif +else ifeq ($(UNAME_S),Windows) + PLATFORM=windows + ARCH=$(UNAME_M) + LDFLAGS=-H=windowsgui $(LDFLAGS) +else + PLATFORM=$(UNAME_S) + ARCH=$(UNAME_M) +endif + # Run both frontend and backend dev servers dev: @if [ ! -f backend/picoclaw-web ] || [ ! -d backend/dist ]; then \ @@ -15,21 +69,21 @@ dev-frontend: # Start backend dev server dev-backend: - cd backend && go run . + cd backend && ${GO} run -ldflags "$(LDFLAGS)" . # Build frontend and embed into Go binary build: cd frontend && pnpm build:backend - cd backend && go build -o picoclaw-web . + cd backend && ${GO} build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o picoclaw-web . # Run all tests test: - cd backend && go test ./... + cd backend && ${GO} test ./... cd frontend && pnpm lint # Lint and format lint: - cd backend && go vet ./... + cd backend && ${GO} vet ./... cd frontend && pnpm check # Clean build artifacts diff --git a/web/backend/api/events.go b/web/backend/api/events.go index af44d1824..5c85b149a 100644 --- a/web/backend/api/events.go +++ b/web/backend/api/events.go @@ -40,9 +40,13 @@ func (b *EventBroadcaster) Subscribe() chan string { // Unsubscribe removes a listener channel and closes it. func (b *EventBroadcaster) Unsubscribe(ch chan string) { b.mu.Lock() - delete(b.clients, ch) - b.mu.Unlock() - close(ch) + defer b.mu.Unlock() + + // Check if the channel is still registered before closing + if _, exists := b.clients[ch]; exists { + delete(b.clients, ch) + close(ch) + } } // Broadcast sends a GatewayEvent to all connected SSE clients. @@ -63,3 +67,14 @@ func (b *EventBroadcaster) Broadcast(event GatewayEvent) { } } } + +// Shutdown closes all subscriber channels, notifying all SSE clients to disconnect. +// This should be called when the server is shutting down. +func (b *EventBroadcaster) Shutdown() { + // Close all channels to notify listeners + for ch := range b.clients { + b.Unsubscribe(ch) + } + // Clear the map + b.clients = make(map[chan string]struct{}) +} diff --git a/web/backend/api/gateway.go b/web/backend/api/gateway.go index f50f7609a..424b21e96 100644 --- a/web/backend/api/gateway.go +++ b/web/backend/api/gateway.go @@ -3,10 +3,10 @@ package api import ( "bufio" "encoding/json" + "errors" "fmt" "io" "log" - "net" "net/http" "os" "os/exec" @@ -18,6 +18,7 @@ import ( "time" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/health" "github.com/sipeed/picoclaw/web/backend/utils" ) @@ -48,6 +49,27 @@ var gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, return client.Get(url) } +// getGatewayHealth checks the gateway health endpoint and returns the status response +// Returns (*health.StatusResponse, statusCode, error). If error is not nil, the other values are not valid. +func getGatewayHealth(port int, timeout time.Duration) (*health.StatusResponse, int, error) { + if port == 0 { + port = 18790 + } + url := fmt.Sprintf("http://127.0.0.1:%d/health", port) + resp, err := gatewayHealthGet(url, timeout) + if err != nil { + return nil, 0, err + } + defer resp.Body.Close() + + var healthResponse health.StatusResponse + if decErr := json.NewDecoder(resp.Body).Decode(&healthResponse); decErr != nil { + return nil, resp.StatusCode, decErr + } + + return &healthResponse, resp.StatusCode, nil +} + // registerGatewayRoutes binds gateway lifecycle endpoints to the ServeMux. func (h *Handler) registerGatewayRoutes(mux *http.ServeMux) { mux.HandleFunc("GET /api/gateway/status", h.handleGatewayStatus) @@ -62,12 +84,35 @@ func (h *Handler) registerGatewayRoutes(mux *http.ServeMux) { // TryAutoStartGateway checks whether gateway start preconditions are met and // starts it when possible. Intended to be called by the backend at startup. func (h *Handler) TryAutoStartGateway() { + // Check if gateway is already running via health endpoint + cfg, cfgErr := config.LoadConfig(h.configPath) + if cfgErr == nil && cfg != nil { + healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + if err == nil && statusCode == http.StatusOK { + // Gateway is already running, attach to the existing process + pid := healthResp.Pid + gateway.mu.Lock() + defer gateway.mu.Unlock() + ready, reason, err := h.gatewayStartReady() + if err != nil { + log.Printf("Skip auto-starting gateway: %v", err) + return + } + if !ready { + log.Printf("Skip auto-starting gateway: %s", reason) + return + } + _, err = h.startGatewayLocked("starting", pid) + if err != nil { + log.Printf("Failed to attach to running gateway (PID: %d): %v", pid, err) + } + return + } + } + gateway.mu.Lock() defer gateway.mu.Unlock() - if isGatewayProcessAliveLocked() { - return - } if gateway.cmd != nil && gateway.cmd.Process != nil { gateway.cmd = nil } @@ -82,7 +127,7 @@ func (h *Handler) TryAutoStartGateway() { return } - pid, err := h.startGatewayLocked("starting") + pid, err := h.startGatewayLocked("starting", 0) if err != nil { log.Printf("Failed to auto-start gateway: %v", err) return @@ -125,10 +170,6 @@ func lookupModelConfig(cfg *config.Config, modelName string) *config.ModelConfig return modelCfg } -func isGatewayProcessAliveLocked() bool { - return isCmdProcessAliveLocked(gateway.cmd) -} - func isCmdProcessAliveLocked(cmd *exec.Cmd) bool { if cmd == nil || cmd.Process == nil { return false @@ -157,6 +198,28 @@ func setGatewayRuntimeStatusLocked(status string) { gateway.startupDeadline = time.Time{} } +// attachToGatewayProcess attaches to an existing gateway process by PID +// and updates the gateway state accordingly. +// Assumes gateway.mu is held by the caller. +func attachToGatewayProcessLocked(pid int, cfg *config.Config) error { + process, err := os.FindProcess(pid) + if err != nil { + return fmt.Errorf("failed to find process for PID %d: %w", pid, err) + } + + gateway.cmd = &exec.Cmd{Process: process} + setGatewayRuntimeStatusLocked("running") + + // Update bootDefaultModel from config + if cfg != nil { + defaultModelName := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + gateway.bootDefaultModel = defaultModelName + } + + log.Printf("Attached to gateway process (PID: %d)", pid) + return nil +} + func gatewayStatusOnHealthFailureLocked() string { if gateway.runtimeStatus == "starting" || gateway.runtimeStatus == "restarting" { if gateway.startupDeadline.IsZero() || time.Now().Before(gateway.startupDeadline) { @@ -238,24 +301,41 @@ func stopGatewayProcessForRestart(cmd *exec.Cmd) error { return fmt.Errorf("existing gateway did not exit before restart") } -func gatewayRestartRequired(status, bootDefaultModel, configDefaultModel string) bool { - return status == "running" && - bootDefaultModel != "" && - configDefaultModel != "" && - bootDefaultModel != configDefaultModel -} - -func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { +func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int, error) { cfg, err := config.LoadConfig(h.configPath) if err != nil { return 0, fmt.Errorf("failed to load config: %w", err) } defaultModelName := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + var cmd *exec.Cmd + var pid int + + if existingPid > 0 { + // Attach to existing process + pid = existingPid + gateway.cmd = nil // Clear first to ensure clean state + if err = attachToGatewayProcessLocked(pid, cfg); err != nil { + return 0, err + } + + // Broadcast the attached state + gateway.events.Broadcast(GatewayEvent{ + Status: initialStatus, + PID: pid, + BootDefaultModel: defaultModelName, + ConfigDefaultModel: defaultModelName, + RestartRequired: false, + }) + + return pid, nil + } + + // Start new process // Locate the picoclaw executable execPath := utils.FindPicoclawBinary() - cmd := exec.Command(execPath, "gateway") + cmd = exec.Command(execPath, "gateway") cmd.Env = os.Environ() // Forward the launcher's config path via the environment variable that // GetConfigPath() already reads, so the gateway sub-process uses the same @@ -293,7 +373,7 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { gateway.cmd = cmd gateway.bootDefaultModel = defaultModelName setGatewayRuntimeStatusLocked(initialStatus) - pid := cmd.Process.Pid + pid = cmd.Process.Pid log.Printf("Started picoclaw gateway (PID: %d) from %s", pid, execPath) // Broadcast the launch state immediately so clients can reflect it without polling. @@ -351,30 +431,22 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { if err != nil { continue } - healthHost := gatewayProbeHost(h.effectiveGatewayBindHost(cfg)) - healthPort := cfg.Gateway.Port - if healthPort == 0 { - healthPort = 18790 - } - healthURL := fmt.Sprintf("http://%s/health", net.JoinHostPort(healthHost, strconv.Itoa(healthPort))) - resp, err := gatewayHealthGet(healthURL, 1*time.Second) - if err == nil { - resp.Body.Close() - if resp.StatusCode == http.StatusOK { - gateway.mu.Lock() - if gateway.cmd == cmd { - setGatewayRuntimeStatusLocked("running") - } - gateway.mu.Unlock() - gateway.events.Broadcast(GatewayEvent{ - Status: "running", - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) - return + healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 1*time.Second) + if err == nil && statusCode == http.StatusOK && healthResp.Pid == pid { + // Verify the health endpoint returns the expected pid + gateway.mu.Lock() + if gateway.cmd == cmd { + setGatewayRuntimeStatusLocked("running") } + gateway.mu.Unlock() + gateway.events.Broadcast(GatewayEvent{ + Status: "running", + PID: pid, + BootDefaultModel: defaultModelName, + ConfigDefaultModel: defaultModelName, + RestartRequired: false, + }) + return } } }() @@ -386,19 +458,54 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { // // POST /api/gateway/start func (h *Handler) handleGatewayStart(w http.ResponseWriter, r *http.Request) { + // Prevent duplicate starts by checking health endpoint + cfg, cfgErr := config.LoadConfig(h.configPath) + if cfgErr == nil && cfg != nil { + healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + if err == nil && statusCode == http.StatusOK { + // Gateway is already running, attach to the existing process + pid := healthResp.Pid + gateway.mu.Lock() + ready, reason, err := h.gatewayStartReady() + if err != nil { + gateway.mu.Unlock() + http.Error( + w, + fmt.Sprintf("Failed to validate gateway start conditions: %v", err), + http.StatusInternalServerError, + ) + return + } + if !ready { + gateway.mu.Unlock() + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusBadRequest) + json.NewEncoder(w).Encode(map[string]any{ + "status": "precondition_failed", + "message": reason, + }) + return + } + _, err = h.startGatewayLocked("starting", pid) + gateway.mu.Unlock() + if err != nil { + log.Printf("Failed to attach to running gateway (PID: %d): %v", pid, err) + http.Error(w, fmt.Sprintf("Failed to attach to gateway: %v", err), http.StatusInternalServerError) + return + } + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + json.NewEncoder(w).Encode(map[string]any{ + "status": "ok", + "pid": pid, + }) + return + } + } + gateway.mu.Lock() defer gateway.mu.Unlock() - // Prevent duplicate starts - if isGatewayProcessAliveLocked() { - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusConflict) - json.NewEncoder(w).Encode(map[string]any{ - "status": "already_running", - "pid": gateway.cmd.Process.Pid, - }) - return - } if gateway.cmd != nil && gateway.cmd.Process != nil { gateway.cmd = nil setGatewayRuntimeStatusLocked("stopped") @@ -423,7 +530,7 @@ func (h *Handler) handleGatewayStart(w http.ResponseWriter, r *http.Request) { return } - pid, err := h.startGatewayLocked("starting") + pid, err := h.startGatewayLocked("starting", 0) if err != nil { http.Error(w, fmt.Sprintf("Failed to start gateway: %v", err), http.StatusInternalServerError) return @@ -475,27 +582,16 @@ func (h *Handler) handleGatewayStop(w http.ResponseWriter, r *http.Request) { }) } -// handleGatewayRestart stops the gateway (if running) and starts a new instance. -// -// POST /api/gateway/restart -func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { +// RestartGateway restarts the gateway process. This is a non-blocking operation +// that stops the current gateway (if running) and starts a new one. +// Returns the PID of the new gateway process or an error. +func (h *Handler) RestartGateway() (int, error) { ready, reason, err := h.gatewayStartReady() if err != nil { - http.Error( - w, - fmt.Sprintf("Failed to validate gateway start conditions: %v", err), - http.StatusInternalServerError, - ) - return + return 0, fmt.Errorf("failed to validate gateway start conditions: %w", err) } if !ready { - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusBadRequest) - json.NewEncoder(w).Encode(map[string]any{ - "status": "precondition_failed", - "message": reason, - }) - return + return 0, &preconditionFailedError{reason: reason} } gateway.mu.Lock() @@ -519,8 +615,7 @@ func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { } } gateway.mu.Unlock() - http.Error(w, fmt.Sprintf("Failed to restart gateway: %v", err), http.StatusInternalServerError) - return + return 0, fmt.Errorf("failed to stop gateway: %w", err) } gateway.mu.Lock() @@ -528,7 +623,7 @@ func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { gateway.cmd = nil gateway.bootDefaultModel = "" } - pid, err := h.startGatewayLocked("restarting") + pid, err := h.startGatewayLocked("restarting", 0) if err != nil { gateway.cmd = nil gateway.bootDefaultModel = "" @@ -536,6 +631,43 @@ func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { } gateway.mu.Unlock() if err != nil { + return 0, fmt.Errorf("failed to start gateway: %w", err) + } + + return pid, nil +} + +// preconditionFailedError is returned when gateway restart preconditions are not met +type preconditionFailedError struct { + reason string +} + +func (e *preconditionFailedError) Error() string { + return e.reason +} + +// IsBadRequest returns true if the error should result in a 400 Bad Request status +func (e *preconditionFailedError) IsBadRequest() bool { + return true +} + +// handleGatewayRestart stops the gateway (if running) and starts a new instance. +// +// POST /api/gateway/restart +func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { + pid, err := h.RestartGateway() + if err != nil { + // Check if it's a precondition failed error + var precondErr *preconditionFailedError + if errors.As(err, &precondErr) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusBadRequest) + json.NewEncoder(w).Encode(map[string]any{ + "status": "precondition_failed", + "message": precondErr.reason, + }) + return + } http.Error(w, fmt.Sprintf("Failed to restart gateway: %v", err), http.StatusInternalServerError) return } @@ -573,83 +705,74 @@ func (h *Handler) handleGatewayStatus(w http.ResponseWriter, r *http.Request) { func (h *Handler) gatewayStatusData() map[string]any { data := map[string]any{} cfg, cfgErr := config.LoadConfig(h.configPath) - configDefaultModel := "" if cfgErr == nil && cfg != nil { - configDefaultModel = strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + configDefaultModel := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) if configDefaultModel != "" { data["config_default_model"] = configDefaultModel } } - // Check process state - gateway.mu.Lock() - processAlive := isGatewayProcessAliveLocked() - bootDefaultModel := "" - if processAlive { - data["pid"] = gateway.cmd.Process.Pid - if gateway.bootDefaultModel != "" { - data["boot_default_model"] = gateway.bootDefaultModel - bootDefaultModel = gateway.bootDefaultModel - } + // Probe health endpoint to get pid and status + port := 0 + if cfgErr == nil && cfg != nil { + port = cfg.Gateway.Port } - gateway.mu.Unlock() - if !processAlive { + healthResp, statusCode, err := getGatewayHealth(port, 2*time.Second) + if err != nil { gateway.mu.Lock() - data["gateway_status"] = currentGatewayStatusLocked(false) + data["gateway_status"] = currentGatewayStatusLocked(true) gateway.mu.Unlock() + log.Printf("Gateway health check failed: %v", err) } else { - // Process is alive — probe its health endpoint - host := "127.0.0.1" - port := 18790 - if cfgErr == nil && cfg != nil { - host = gatewayProbeHost(h.effectiveGatewayBindHost(cfg)) - if cfg.Gateway.Port != 0 { - port = cfg.Gateway.Port - } - } - - url := fmt.Sprintf("http://%s/health", net.JoinHostPort(host, strconv.Itoa(port))) - resp, err := gatewayHealthGet(url, 2*time.Second) - - if err != nil { + log.Printf("Gateway health status: %d", statusCode) + if statusCode != http.StatusOK { gateway.mu.Lock() - data["gateway_status"] = currentGatewayStatusLocked(true) + setGatewayRuntimeStatusLocked("error") gateway.mu.Unlock() + data["gateway_status"] = "error" + data["status_code"] = statusCode } else { - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - gateway.mu.Lock() - setGatewayRuntimeStatusLocked("error") - gateway.mu.Unlock() - data["gateway_status"] = "error" - data["status_code"] = resp.StatusCode + gateway.mu.Lock() + // Check if this pid matches our tracked process + if gateway.cmd != nil && gateway.cmd.Process != nil && gateway.cmd.Process.Pid == healthResp.Pid { + setGatewayRuntimeStatusLocked("running") + bootDefaultModel := gateway.bootDefaultModel + if bootDefaultModel != "" { + data["boot_default_model"] = bootDefaultModel + } + data["gateway_status"] = "running" + data["pid"] = healthResp.Pid } else { - var healthData map[string]any - if decErr := json.NewDecoder(resp.Body).Decode(&healthData); decErr != nil { - gateway.mu.Lock() + // Health endpoint responded with a different pid + // This could be a manual restart, try to attach to the new process + oldPid := "none" + if gateway.cmd != nil && gateway.cmd.Process != nil { + oldPid = fmt.Sprintf("%d", gateway.cmd.Process.Pid) + } + log.Printf("Detected new gateway PID (old: %s, new: %d), attempting to attach", oldPid, healthResp.Pid) + + if err := attachToGatewayProcessLocked(healthResp.Pid, cfg); err != nil { + // Failed to find the process, treat as error setGatewayRuntimeStatusLocked("error") - gateway.mu.Unlock() data["gateway_status"] = "error" + data["pid"] = healthResp.Pid + log.Printf("Failed to attach to new gateway process (PID: %d): %v", healthResp.Pid, err) } else { - gateway.mu.Lock() - setGatewayRuntimeStatusLocked("running") - gateway.mu.Unlock() - for k, v := range healthData { - data[k] = v + // Successfully attached, update response data + bootDefaultModel := gateway.bootDefaultModel + if bootDefaultModel != "" { + data["boot_default_model"] = bootDefaultModel } data["gateway_status"] = "running" + data["pid"] = healthResp.Pid } } + gateway.mu.Unlock() } } - status, _ := data["gateway_status"].(string) - data["gateway_restart_required"] = gatewayRestartRequired( - status, - bootDefaultModel, - configDefaultModel, - ) + data["gateway_restart_required"] = false ready, reason, readyErr := h.gatewayStartReady() if readyErr != nil { diff --git a/web/backend/api/gateway_test.go b/web/backend/api/gateway_test.go index 06803722d..fb4f7d943 100644 --- a/web/backend/api/gateway_test.go +++ b/web/backend/api/gateway_test.go @@ -494,60 +494,6 @@ func TestGatewayStatusReturnsRestartingDuringRestartGap(t *testing.T) { } } -func TestGatewayStatusIncludesRestartRequiredWhenModelsDiffer(t *testing.T) { - resetGatewayTestState(t) - - configPath := filepath.Join(t.TempDir(), "config.json") - cfg := config.DefaultConfig() - cfg.Agents.Defaults.ModelName = cfg.ModelList[0].ModelName - cfg.ModelList[0].APIKey = "test-key" - if err := config.SaveConfig(configPath, cfg); err != nil { - t.Fatalf("SaveConfig() error = %v", err) - } - - h := NewHandler(configPath) - mux := http.NewServeMux() - h.RegisterRoutes(mux) - - cmd := startLongRunningProcess(t) - t.Cleanup(func() { - if cmd.Process != nil { - _ = cmd.Process.Kill() - } - _ = cmd.Wait() - }) - - gateway.mu.Lock() - gateway.cmd = cmd - gateway.bootDefaultModel = "previous-model" - setGatewayRuntimeStatusLocked("running") - gateway.mu.Unlock() - - gatewayHealthGet = func(string, time.Duration) (*http.Response, error) { - rec := httptest.NewRecorder() - rec.WriteHeader(http.StatusOK) - _, _ = rec.WriteString(`{"ok":true}`) - return rec.Result(), nil - } - - rec := httptest.NewRecorder() - req := httptest.NewRequest(http.MethodGet, "/api/gateway/status", nil) - mux.ServeHTTP(rec, req) - - if rec.Code != http.StatusOK { - t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) - } - - var body map[string]any - if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil { - t.Fatalf("unmarshal response: %v", err) - } - - if got := body["gateway_restart_required"]; got != true { - t.Fatalf("gateway_restart_required = %#v, want true", got) - } -} - func TestGatewayRestartKeepsRunningProcessWhenPreconditionsFail(t *testing.T) { configPath := filepath.Join(t.TempDir(), "config.json") cfg := config.DefaultConfig() diff --git a/web/backend/api/router.go b/web/backend/api/router.go index 5f081dee9..b56438784 100644 --- a/web/backend/api/router.go +++ b/web/backend/api/router.go @@ -70,3 +70,8 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) { // Launcher service parameters (port/public) h.registerLauncherConfigRoutes(mux) } + +// Shutdown gracefully shuts down the handler, closing all SSE connections. +func (h *Handler) Shutdown() { + gateway.events.Shutdown() +} diff --git a/web/backend/i18n.go b/web/backend/i18n.go new file mode 100644 index 000000000..9cda9e5d5 --- /dev/null +++ b/web/backend/i18n.go @@ -0,0 +1,120 @@ +package main + +import ( + "fmt" + "os" + "strings" +) + +// Language represents the supported languages +type Language string + +const ( + LanguageEnglish Language = "en" + LanguageChinese Language = "zh" +) + +// current language (default: English) +var currentLang Language = LanguageEnglish + +// TranslationKey represents a translation key used for i18n +type TranslationKey string + +const ( + AppTooltip TranslationKey = "AppTooltip" + MenuOpen TranslationKey = "MenuOpen" + MenuOpenTooltip TranslationKey = "MenuOpenTooltip" + MenuAbout TranslationKey = "MenuAbout" + MenuAboutTooltip TranslationKey = "MenuAboutTooltip" + MenuVersion TranslationKey = "MenuVersion" + MenuVersionTooltip TranslationKey = "MenuVersionTooltip" + MenuGitHub TranslationKey = "MenuGitHub" + MenuDocs TranslationKey = "MenuDocs" + MenuRestart TranslationKey = "MenuRestart" + MenuRestartTooltip TranslationKey = "MenuRestartTooltip" + MenuQuit TranslationKey = "MenuQuit" + MenuQuitTooltip TranslationKey = "MenuQuitTooltip" + Exiting TranslationKey = "Exiting" + DocUrl TranslationKey = "DocUrl" +) + +// Translation tables +// Chinese translations intentionally contain Han script +// +//nolint:gosmopolitan +var translations = map[Language]map[TranslationKey]string{ + LanguageEnglish: { + AppTooltip: "%s - Web Console", + MenuOpen: "Open Console", + MenuOpenTooltip: "Open PicoClaw console in browser", + MenuAbout: "About", + MenuAboutTooltip: "About PicoClaw", + MenuVersion: "Version: %s", + MenuVersionTooltip: "Current version number", + MenuGitHub: "GitHub", + MenuDocs: "Documentation", + MenuRestart: "Restart Service", + MenuRestartTooltip: "Restart Gateway service", + MenuQuit: "Quit", + MenuQuitTooltip: "Exit PicoClaw", + Exiting: "Exiting PicoClaw...", + DocUrl: "https://docs.picoclaw.io/docs/", + }, + LanguageChinese: { + AppTooltip: "%s - Web Console", + MenuOpen: "打开控制台", + MenuOpenTooltip: "在浏览器中打开 PicoClaw 控制台", + MenuAbout: "关于", + MenuAboutTooltip: "关于 PicoClaw", + MenuVersion: "版本: %s", + MenuVersionTooltip: "当前版本号", + MenuGitHub: "GitHub", + MenuDocs: "文档", + MenuRestart: "重启服务", + MenuRestartTooltip: "重启核心服务", + MenuQuit: "退出", + MenuQuitTooltip: "退出 PicoClaw", + Exiting: "正在退出 PicoClaw...", + DocUrl: "https://docs.picoclaw.io/zh-Hans/docs/", + }, +} + +// SetLanguage sets the current language +func SetLanguage(lang string) { + lang = strings.ToLower(strings.TrimSpace(lang)) + + // Extract language code before first underscore or dot + // e.g., "en_US.UTF-8" -> "en", "zh_CN" -> "zh" + if idx := strings.IndexAny(lang, "_."); idx > 0 { + lang = lang[:idx] + } + + if lang == "zh" || lang == "zh-cn" || lang == "chinese" { + currentLang = LanguageChinese + } else { + currentLang = LanguageEnglish + } +} + +// GetLanguage returns the current language +func GetLanguage() Language { + return currentLang +} + +// T translates a key to the current language +func T(key TranslationKey, args ...any) string { + if trans, ok := translations[currentLang][key]; ok { + if len(args) > 0 { + return fmt.Sprintf(trans, args...) + } + return trans + } + return string(key) +} + +// Initialize i18n from environment variable +func init() { + if lang := os.Getenv("LANG"); lang != "" { + SetLanguage(lang) + } +} diff --git a/web/backend/icon.png b/web/backend/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..e0b4aab9c42f1b84b3ff7ffb145a965bcd67e925 GIT binary patch literal 104580 zcmYgXb9`L=(vOn{jm?IQZQD*`JB`)Yjcwa)jK*qgHfU@&cC!2KKJRmH??2gm&d#3S z%$)CdPNa&GGzuaCA_N2kimZ%;8UzFs=wB!Z1US>>?ls1Oys{tc0kBC*+wQyfM+> z9pJ(8;m-oqc-KQPN?C>>ak~v?LQ}L#u=9 zP2k`E(f{uiV|0irNaI?lf4(+GuR}lfQgz-q{uh>*8`FF{84CW!SCK!~5XtxoCwKNGzw(gkh6 zMF?xDpF{uU08b1-8`>Bl*KYOGzii;0AlO~>a6HM(w{Zon+TY<9gbC{|KZIZ zECLR?kKJEM1HqE^%Kk8D`YY)RKo7b=keX}o9|eI`!Y=@|2(i4aTz_8hAGNu|{Csvq z31rc*%lh|{Hp~|%kap`r@{Lyo|BCwcVUqx2yLDOPzYpPT2CR{Ap{^gUe?=Wx0EucY zHdOXkRCphN0&oXGIwvi@K068_;%p!$dUU+#{oKpH+m{*dkXU)2$#LE1u` z1=9TbGWstoVSG@zU}1C3%;o<95*U`o;o{(9*JzuG|L0gOu{th2y5&|Dn@*0pE|@V*D>1{6BOvqfG|?L$~w~otcIFzo-E7 zCknpbL}e54|Im4W&;3(iG5(hh{vW!L$fouGmEQpN>y>RX_#e85f9T9CZU5?Jh5`h5(Evny_O=eISl{ca zqyIsH7ubMY&+HWcixy;EutTv{&c$B)i-N9W5cs@9@~UnBix$x+kfFgHM>d-Ns{ydD z@BoAF;|MIWJS-{cg`r#N0v zsK%N)-Hw@Mp5LJm`*izTQ>XSyxdCyPD3Lo-O2Bs zy%{+O8^kxAzYTR@o{551`b12xbYpz2hh z;aN7)n@}Gf!nch7koG;A4;@BV(5E8A!r+B$4{0N7O-$r_oZPbi(KoiNVK5V?fC`$+ zSEwCbV87t`skjX_$LX}7D7Gs{+onjQNVM;b-X_=NtINRzzsHWIPf_Fmb9)}+I4`#@ zR=fpQ`w@7Jf3aom$|RltmMV6@j{jxc3&xw7>|%a{y`BghY6?So*P=YptxkLvykHMM zI@efDJ7SkIoB1-3@vHizh;Bi>N*)r9XFGpHEs}N(P>#s?`S|&q;{BCl@X@$sF1oPg zvkkYhex0#1jJR|0s=vVcqxw|0t0PUMD|xq1EQYrV6ox4?DQ2I4VBY%?Ck$-fB9_BG zw5C2rxPpvjf}BIdJr3RB(_*ZUl|A(Z~A4O>lO3hD|zf zFfMJHPsZ;z9@YGGT>S4s61*zUpP4SdQPh)EFC_L`^~bfOuCfoQr0Oo-SS)S1pqa2o z(06vJKVH!7Z_n@^uJNpSLq8vSUv#FPr5uGv)A9%FGJ(93h%iO3`ysy7Mtw4UqB32n zqw(oW@$9eo8pk3XE=4(~^0>w)-9Ow3NtF2u)o6H7f#W(SM5xb90D%R zC@1>&?@|f)6D3G{y~4x?6mkN3A4yBJAgdhM-uwRX;FKt+ZwYMFI6A$FdX)sbJY=4b zKXf7bbXJS2#k1e~v2sqA%cCV0>=0seYu?Ffi;Bx5-`na~@E*I*jh6t?ceP|3T?4Rf z=xHTQF#`Be(Sy#0Z(O_PT>4_JG6we}KU^bA9d02@MA|i1HVlqjgQMLSG#H+ne4(jT zY&j!kST{N!&ft(9mMOGg9e?QN(HDkWhFzM9j2=-%e|Cf6bn--f{mfn}ydTGET{iRO zgczT2%Wa(!@6~XhZ1npYJgkiZlwTfc0|Tt9wd%Tb%aXCx`4Dmn5nI$ml$?p$=!?t_ zC!LHk+0ABKCNMAX7*-eN9SMjNkKPd_IO6nO4Rqz;p-sK_F}`HYOKl!Fv0!|jZi32# z*n<}Ue5-xqZ@$74{`L-H8`g^sWrU+*xme^_;|7DF90}bpfXynGm-7ITxsda)xO_r!Tg@)+vUH{ zyrY*6d~_wPdUSprw1^)HXs}E3omJ-a)h+LuM%bgr+O^V90h+iH;uF?Fd9cGnPGU2< zLIAyaT&Tvl&iG$~nXwzg5?pu@x^T<}BXg-$mZFTAA#!Ooe`{7)wzU-A6aUxvfRX& z=DGujodHZ&r8GkU;Q}Wk(cx=IC_@M$yfBA0S_W0&v1=;?kcA?5&ZhUvprq1ATUQAu zNHo5;$#n;_`Ba~RJep?)*L~&#-G?sOmuDTiSjWfT9iN}*e9Z=nTe|8@N7Lzocy9PB z*170O9u&JQgu73LF9f__*0Y1g=ej+xt*Raxk8X6$a^d(mU?hyiB1LkGQ`-mS7f3k| za|p*pUgc^&)2=L03;ns3cX|Wn9X=3mZ&w~y+yd>HcKEc z-A6_TlBc9i8q_`hkr^uDq9_L?7$QpfB=k9w1wgb6mmO>ixn1%IzIO?6DFInyJANnv zfBHK}vbp^N2F>#Q;N^F1%q=jxo@PCNjSXKsuU==mH12L=ps!Kr_6%^f)J0AV!Nx)y zWOJVO!?aTEODg4cGVl`cTEoPYJMU0-HKwFRfBf#%SX6w)BU#!L<$6g2!f~W|uwmL` z@rBTR+d~?|lczLdzLOi)4xl4`v(sUv_)6N1?THrU4I4#ZnBagn2$@G6Q51c8)JB*0 z(BT`v>G}N~4jg~}_=oHUceg%^M&faBem7zQGr=&$i1$T+3>U!-pNC4~F>Rrjusf}m zX6`x^JAUJ?C{r~IcT()LK%W2U)#LaDrD2D-4`5I~#Q$qU7py38n>rRC42F&dXV4ej z-EY7{Is5AU(0)=9f!{r6s27KlM5VHt?@b_;J;a}8q_Z$76qFj^=c}GvrQP=ZcwXfU z3v8Up<$wcse!RSKlI~sj$|jG}`zzP#`Y;7Pwv(vTBX)x;CvlzEWw1pAW~|@ILv3hK!shF zj_}ExRG<(_8&zTjU}}tX__!$krD~o#2)EBiKg>qvlcBip1)Mo=U@!M-a z6Gyia?}j-vu>fwtQC~u15#2>W8@BU{H(4J6gD47)Xmt)aQs$G98T$2+2j!577>40g zz}MxB9o=}T-IS-3b}#x)(1_0hWVul58TDeP%Toi0^?a4Y=M~?d(2+F1bAz67=;H~} zKN+4YR|1ks)kP#c3o7t38`5=mCnYfzKoD=geF*JXRe%0IP8!#Pc)MMdj}i(?0C_i# zS-T-`*Mm4hSb`I>QIfYa&zuoU8dKNw#fn?j8vd8 zlsdC$Ucg*a)Tw;yW=~|`YN=Wo>qmmHPFwz}}G*jM4`)`!F_GRgyYN{X|;`a&2BSwn|)Rc$_!HqD9 zP-`_QeLfdvP4mF6~4uUf?d>~h}tL#wDhvv8cFSW1WA2~0sFu)< z@}q^9yzTev5s=+s=;$=CX8R>uEs?&)L+dU*{{|{0elvo+1roST2qwQAWTBOYBLwZ9Q9^0&i3OkJhCfSU1lO zO&mh8fk5z!tm{#`(I^0mHF^@~UFR+iDGx|UYc!8pM)WIM!Su)pnB2aLji z-Qu_}QyD7gq&T{i(UFJ%d=8l*Xg=r-@2>kdpCpu0<`2aac$eqv(n2pdzWMT4p1D6S zueTjL$jr7+DRNntiw)8gM`%HHaDsYyKcX4>5j;%HDt{0y2gG|EGGAo0jHOo+O|!7t zezMiYHCN?aB`)98u`lnIO4tQj&^#eyc7&;zcSw;!WJ&K_$0D!TBBob_#YhD>hH&=v zcX$Ae-_!IzZAzP($J%q0=9NtJ6yI;6O{FX&-lOA6bG=0$T$*w<6C&Iy&R%BsIR0+X z2dCylBE~~E+2nDa!_HC!r-EIP42_}TGq5Pwz%*wiq ze-b6GpxxCUUwm6%#T`+KqU$Y0!)F#bIwK9<=g{=OS%m)szhYDG*w)!inRn|eAXdDe zZ$~TnnUrG;hNrGzgdMns@MT;PtcC2uK{*TbBX*b~$$kp*6K!-EZHk7Z3O)Dl z$$CoAMRsA&xzLLcS5V?^&|gTQSNrDAzjl8EmCfB^i`UHvd*o1V?lh(-W;`MnNvZ;| z``t=Ft4YC@B`b#ckeE>`KZmNQA)(T30f-SRvXkUBVAA(>qba<2M+N?y#V(Pjgl5HC zAKP3lqDSG9B0qez-(1!`HYuv_Nb!GpNjp(9jqEHw`UWwOjpJ1sph3nmyghWn>8vub zr(>ouT+PY8PQe3YRS17d{F>=UI56}-zMNRn)t1a&bOigK&4M2&Ixuh~L2b2tzx+3R zQE100V<7^Z$u}&`)iRC%mO|)+SD5gK3#PN)MA$|`fdWHRXqk|GPjWfZl#Z?%MaBINo8vGpBu@COD?qNach4*3i{UOT9W$ELw-7R^qyd-I=^R{Eul}!Z4 z<60R(Bl5WP&G{TbrMKi*Zf{3G_^qGTYO@_Rz7b>bmCrE!es9=rm)YDJ5KUJ6<-^b` zG&zPKSN51(|7NJ~&9b9Z^=gS$FxNYPWQd*LY0eqRq|kQzPG-H<^k_JsRP97H=*D`i zpSe8W`Lt4mxjO_c{^dBuo1j;o0O1ab#gPH!JM4TeFm|^ag%{lQb~*d1?aTn>7bzmj zhyro+l=&NtF}rzdlGCv`Bmj_9`Q_kNrlj}R4z9IK#kR?3!~!xlg}~673t!vk<12AR zZ!YW7hu`o*uQVK&q}OHxn?FR&gGGqBe);*4G&I#SH*&gB#^grS%qO&{9lw67d$lW3 ztY~H1q@U2MXl@smnD8P+s;Hl7=y1tlo)EwuE+``3kTN^8gSNro8D-0GJUd8Ig!}0N&B=Wb%ip-A;&@eA(+2>$Z{GKC<$)b zp9te$I9BsYS#J`=RP;k9&J!lSj|NT*-yUY^-0xqXrVPyJ9Ees-Mwu)fUVo+A z&du~-FitnfwKhNvMX15s*XRxIBc`2vifBZ_Q^Ls{TAA$r^10G?vH>aDLU^yd*wV%f zjyHU?mt$pR_Rp{4^rgKFLKwMPwWj%d#cft{;)C571@G=mE4%{ z8$OnA=@VSYy_b%hEI&)wl=sXz`jp!IX`!%Y0@HFp-_D@mwRZ+QUTV4F9D!qKbKmJC zdZKL2X%@}@V3`z-t9D_xplv&f}B}G&;x+tlxTtXB0-$GL5Ey?=XBlN1kli74&BSVbfv{1f@QHh!DilyZQ>DT-y;H{Ms;V zMSa>C`N}FWVN-FP3Ee0CpcizA;5-NU0~^K)cxyN^bIiS$%iM&VDylBd$^y-o6Xx!F z(!~Uo{y5^2K$i@Nm*7Y@OPiID{IQT+@>XIryueQKL_MBi&<7_tQHMpRzR2M6JHG8z&k6ha5v`8 z_^X<{SHDC=zt~rU=1*iD*aciBaei;6d5BzOo;{kyA4{V@Cl>HFRb&wNA07o&s3<^2 z@&|{oVAXq%oNr1>BMFYls~=__-hpN|J~8%4I6*n0fr!J!a0s7dq-3gnY1UO%ZK-TM z-GiERaAX$vm{nIc#;>>8T?!Gg6{PFAv&Yo5YnDXqD}6T~t{9s9g<~?USy2Zk-34wB z?l={Zj5${k2DAN`9{ljxx0}cEXxCZ##ODm#5A!riYW^^yTu4i>4QxRsZzJSDhjU}y zY2%z%?4O2!*9CFN`5Q8=AbB3&HL*B7d`xK$- z)D>8v4kt46QylcQs&v{!U|WasqI35Qq@2rp)89K7{8k2j64$h}lQuj2txcK6+S3^G z{Omqs3MfqUiY_s*$?JEy5&#Vx#i<1fh1I-JZ>8CPpnzvs1?bxCXx$gGobaY*Fkho6 zdRwhA9IP!jsXjXw>-iq_sGWud1jsG#h=fH+1F#WRtBXF_z)Z_`RRl`~xD@Ap# zP?Asnc5Wm4)-EI97V{Y*Z?Qpy)}!1xde?Hako`;7m@*exH7A=l1P7(^shbeC+cXQ; zG^Dj7qw{KDf+88L?kVf;A{jH~Ds{71LBM;EaSQXTYBE6a1_oNo7QH91Ov9l=g+I5{%FvpGvV+>rj-(^_!X$=znuqvG>g_eopQ4ysHS`2 zk5}sPLEBQMF7{rOMGZ!J|5H%_NgSq|r=esULDx!?Z8tC4XNVcJs08;+^-#8DMjEuE zOVg2e@2b(j*1CxH5i%*KuuF-8%&p)M*}m%HJFnlHv95M_)5VN9N-^cn2GKV0rMcPY z^N{8Oy*2LqdV}Pk*eB~bec5svtC0&H-VE&i*Wu33fl}{v9h)q9;J){#M0ZUJpWEbS zuNNEJNSoSQT^I z|I-V2`;}l19^&G8!W?ZVzYs8gPP|9$Ru!0%x`8>VgKB9)du#ioq4GjwlYcb#K5Koi zhW)uT1Y>;?5v$2Nmj>zqqv(@@86gFq68ynNrR#!U~IV<#N8JbPb;Pr59G10OmS znAJzQ3t5x`4cMKFu3894jzS^bJbpcMPT642ZFQ~KPD*sf zWveLIq`J|nC=g%2we$Lla~A2jb`I6?MRLRM_2$%XggH}H_A~C$y;Fq?sxyaD#-E9k zE8Su@JJXuLFhlD+MP#(29#YUS zlXUS1RdjDJMcv-6KSyH0&l{uhk1@tsnt*y&YAQMQv{4tS5+)rw6?jp!Z|0m$_Z)_~ zKP)oh865Wq3AyQS&Y%E!aa7zKjx2~ctZgFG#wWG6=Vk=^+DJAZlZ}-}9aAtTlcrcm*oj7*_ zzxCd<$VeRZtrVIQQbWSj73iNrDeFq7b^QF3NQNQ9vbUm zJ5#R{UBD02M#NptzwgN7D`gs@8ketkz@Q{miq|;R^Y}^YX zqZ+mL&zDC8@g%Wu1XzXBwlmCVCj7AWrz^YX2)BoMoDk2L_N!@#vo~73=s*QQ#)6fJ?OUsfMxC@c<-G9bRr3fvN~!iBTV{$??Vh~X zG3xRr_lSVoft)~?C~wC@XJTt@(gyQ#yp=V=SD+b*$%VwdS`kx}+(tck7G&xpcA}c0 z;%os}Y)5?vJ~WW(-{JX@y)A%v$Cjt?%Y-V;SD*=av~xd~#wb+#9V_(Uv)GFqc@ZA@ zxvSln2zV7FNM!wo4LY6-%#QOWv)jgY)#VZahR{|t4-{{Zu$6+dVg9lfYPn*?qi*+o zT{(i1iBI7l8?n@~#+@bGp}XILikjOWQore4M0bjR$~az$P}|`o?eb*WIj73ko9q@U zXnx`=_&Sw9Yw%T@NTgjs060NgK5PZgJ~+HTC>LL@>e?KU16L8#=svhxgC}T_Z+HQJ?Uvi2Zt~&}iuLY?a*KsvVl8gpTn-})Lr1piE zUcZ|2lOBI1k5*_()X@#`u(0cwjaS(&RsZv4_P*Bg8`Dqxw0*oO#x!FXWq7^^)#yh4 zA)fk;y7^x}$#-w`4sC{$&2wX17qZwtOWdAdb6totl!m>s@|zm+BO6VjWgL>-W2mM} zVhI(GhZD2k#5{7a7h4_DQU|QUvyOAlPxpB3#9Z-koNTExxP)Nv2C=60OldHS>X3Z* zkT=vPh%eXqu_T(Z8-1X2%1JX`Pz&y(8&TLj>A|?52YIf=Q=13{-tY{v*ZQ-5Cgh-r z|J)heK5{dcpTRn`S}OalnQ{5ttoW54^Sh-D=^?^xy?KHSgPcvDBXw1nPW}?Zl9uR8 zFsJS~|29fQ|LwMn3EVD8c&hv^ifRdIVR>ICc3ol&+nuZ^OKj#Loob6(zF{UVqoCjK z%obufGvgNC@*%59p1ZVT_33ttd+>C9z2sCeTUnaz8h^1v@tqJw!urT29%hVK$P?R^ z+QC|*gSWll?nd~MA$$8~A@a9}i7=9Iz@K_S*|*qM`)Tq73IuScLxF0}1L=~SgKYv( z;V(%ovWM}}U6Mi5d%>V)^F>s@GhEpdZ|GL zo}%FmrkfZq{;XC=$)TQU@s<;6`&`6lJmz)9>Po+pxp=7OMdT7-xWSJEks@*u3Mj~hb%MUV@FOD1mCK?i$*j`ws|QK< zouaJICPgicEO8h9%yLwOYDKYE9qO?eT3dn}>*xTDcpbM5N94Yn)ph26KG53J$S}`) z_hLm2kb-n7EmrUBs;Kflc`j~(6DP{CBT1a85Xf(b5(pSx`(X{PddD{OUkK@b_*6u+ z0&=$td!?v|u`AXkw{@q8E?m^Lb0VI@C;6C#tQL>2&^ZvUvq*4C-UqIj_XQ6ouHgDs zdQRC~(UQj8pt|@yV5*#ap_^xy&|qD)W3nA_R-}{^rDHK8Uv$lNRZDqF}4RM~zG{xqpC<3pr}*R*iiAmOnI^7jk2bM#R0I>oEdaky-ax z#J}n)&-K57)H{sfU6WtTKjD3rqq?RlU2rFFfd7SS6%nTOF^_iak`DXV(uV&L4gpo6 zMMFMb{0o|037aAIkUq33dd#nVS#QRla&G*J%mHUL0raRwR2Zm@>n$UNK`D14D_%-> zx{!HaFNU=QzPwB~^4>V&v~n1v)D|LnRmqrqkcAG)%dM*_%;iGsns!Tq6T?|81GQ&a zL=fycf#bgnt6zmlpQW+34d{xIr(sxHXb~vmJ6!SeM}ziU$)DlJ`qp<^H}9~!$5&n+ zV8#T@da2;rkjZ@@kDTlY60lGbTPo|iyL{8037@@gntu=Y`=TvYiSXZQr|_xblcsI< zbG+T}UU7daM!$5gzT&?3Gtj!ckn`EwPyR9Im~QPJj*7&bFxXblL(5e6eth@#|!^tVk*CCo}vhkkS$r zHHJ$6QTIC4r7Ud!jyhJVcjz7aWx?XcWMFsvd5?&$be?`K?jM)h@xGLFtmy0(WPo(> z&Tuykw?y)FTT7bny+PT7j!M1tyV!K(`~)0Ef;+@xMnCG_0t*3_V2}MWBD_(%@8Hb0 zhoTNNwET2@y4xdO>Wq6#Tm6PYG&AqVfRHUFXfO;6x$vXtdVYH`^gbpp?tN}uxj!3> z)KFXXmyyKYuoCUo{Ot0Q)upTh^89U-mud#3zHw_cGjJejo!TWmaUIp@Remyg?=I7dp%18kSD zy3pIXVC&&T_^sin`v@SQLptn#ktZ}F;O%$3&aMVbeR!P@T$3)nrVFG?Qss$hz#Uno zurKj>qgC@=u{#8$%9EBHe(shdWYT;)ce2+gbmGWJon68_MDc#ea9e~(#`XI zE3=3nNC)?qUhF3gBv8r^NaN}hMT+I<+!;QDCPG{6D&dO|cpvxdJ3#FVY2zn~D~sjM z(xgHkAr_bkk*SgmH?oXDg27uj?4kJ16#b_u3J-t-*&4`kT+InSl&mN> zA}5%n(XrC$Hdcw&>n)yzyn)KV2XJ5zKsKDj+k_GW-6bXtS6}g z(f$zp+S%<7;<^^2B-|f1@(u9uk{^+(on=>GjQJ4zc6=mKrma zz-yjtut_-VDwqcG^$7bJmg7h7!(@4`&On$Y3>@2gUR7w?ID2rX7mon}4;C^*FiCg^>5d?65pnO03bIUqYu(y^<5u-^1K%OB9Rv;7!76qlOxQGz+%$smiC4Jfv^Lt++TFN6h#%J*qM??eNca zNpL^1KO1MaRR6Q_8MG!=fKl&l#E*{xfzsN2fjZ4t39p&8LbHG!WqlJ=l318zy+YpI z*>SeI$u%AJ6{kM(Ek5uBNNpbt@@Am^s|Wfr3o6P?yRNOuQcJozgcj|)fVnQes}G4u zAL%lbTB(sFLftb&YUVFD-;EQF*+8#9%p`Nph^^fJvt8N?LB1tkVkmL))4YJq)tV?J zY#-$phxF^pfGuJH6*9ExkHrTy$FKV|n`F^iV7o!a;E6^kYy_ z5=Qj?40YC$IENwY$HfTI5);;K;HP@rI?{C{iW^(jy z9JcSDW+k|Fg*KyGipBu_RfbGOm*Upe1J86-tR3h#y@?&@1s&L)=Tj}7l^66d$7i|( z)Z0zMlm^wXk@Lo(;H_krcaX3a0C^KO4eDxa81#csS^;X*+`6Pc0aOj_T~viYh={R( z;za=A1$JkP^HITEYTkhqek!47 z4uQ71hMQ_1=FoNlj!Q;N$(|BUnHOWg-xlw$zUm)$gGM;}3fjEj@dBvFSn3!5^D8st z3}-=eoJ4dOstszO7MCwqb%_DQy8tS+x}cgQt?+$N?(=0_7CgF4E+0g+0D&Hv63T{k z`l$~Ove4A&q&7(vdHsr=M62fd9`|U4k_MTwj2U`wlX=}W(H&U4pT_?p{s1+V>uO8| z-l}tX4|&3n>ngS%Bci?;6$7&%6!;Z*Ln;~^m$amo)Km-n;K6MRvG=E~KIxx*>mbk? zjHsz&JJ17%OjtvN@jKad{)46@_tyi|?E(Fhc92NNcG@~%k=8^-$TC9{Kb(?+t7ajh z=7ePhnoyHH+oL6cS!NR(fk`&5y^m0I()$gj|9@{tagjdfWzR=(e~mZYgqrU^6Eqy+ z^qL6kbwnnO##;SmSb%a*!ehg$b$Wy_E~hgD5N+;4RUBZ*F_CS3EDUCs67jK-r~q!` zmT+76%GCLl5>u9vlf-^JL@;HK7DW6-3UjDP3P2hs>FUa|umf!&i76YuAGehRzqIfL z83qf7$&IyzJc{;kAC|*R6&VS~b&;5R7sGv`*L^|R>%a)mzKt={hw?an5{}9XZTu~o zH&7_BHHIuS6mHg&HAxc)*$Us$EJ3z(KN*{5%ckQ6Rs`|8ARg>zNL;LR63@OS6Zjkt zl_$ur1%R_PZ3eTn<O&&L`c0%^C#<+T`MHL?F*@FCD7!1DrgUw3ng_6|2i(?eues@e$~K7V|< zSsv!3C@@7|qUWVlg zh4oiM2ODD&6iC4PL>5~H%Lq+UbgE)DH(uDj9)bOy2rAMCwiNuIqisv>8zF5pDXAmi z=#Yb;uv|;tCdXj zc`9xb)*-veXd#t|QxCqWaI4uecK_bm`duKa)9o?n@B-Q!8v^0k7!wv(goKvi@wc>} zwp7|277jy1FGJ)+s{ow%YPwXzf&}-*Zf%ld=%RG4TW z#6_hjSt<4`*s|?ma2TUdR)J@^wxve`&U@6Qx9%ESxCnbr-;Od7gmCHK_foidVW#cj zQ5_iET&-=Q%1x0OlzwPQ6E~7Y?FSSe<{OL%sHdrF20!jdkI;rdirg_*nE7)B$K>d# zYP3Jll+E=!lcfs^X?6p>aMKPad+e5vShZ5)tGXPPkA8n2H#=5FUA^d1P9t^d8R%}M1zJ|{ZdxAh9RoEDS@~C^;<0~!LbKTc^71!%fjXpA1 z?BC|;QopN74USKQ2m_y109Fc2--+IwVIRC<+oI?ISlh@XBIvR*E6C_U3Rtm{G0er` z+Xotn?X9nYu7_~!2USg2xUv*sI z*n_axX9J>@AZ1YVdn9Z$j66{ z#+4?*77X&s3s)E?5B>%9_8>u$rYc1U_YUfF!idcv_=P7I&rj9-pCCt?%{Tj}xC$MID1 zy<5xj*;%=cF&_Ty(#U;4J*GHXr2+O+Q{={2I(`gZQ2K2Ih=wFQpsxQ8O8n6y*J6h*5o84y} zj?7a~Iv537<8jY=qr@hZ|0pxI0-8YVJ7tZTtW;Tp*?doKY?)aTJ`d}Xioq)f!LDwx z;BKOWiasoA$PpaeX)W?pk5E(tJ!Ll=!blzL$NK_|!R#BfIJUVF+5ZJCl)=(KNq&h` zdAo*u*9NntWjSJ-tiO%C`GCnUTXiXB#LMkm_KF|Gry?=YAOF6g{vB2zThNAlflwib zgHp$aWdDO;z(t;EU>T!eksbF~r;M9ZT(+8?1c6NiApE}bkeeZL>BmTY2P4|ZF9X-@ zy>E7!OkiBMpe4+8P3L`cyCss|Q;RrLy1JIhg_C|Khj`6m|0;9VG495|XDp<|YwDQe zH38r`d<=1#a)#foGD97xls=E%McsggzhEWgS0oOo$N)M;q=88l-7Te#QOR7%o zxR-$ZHu5ZRO*^$lD~q&%X?>-?;AO%Oju)iE*N^Q?{9d1vUq4t)R69?H& z@xSNx-6?LpN+un=!_5mkW#S=OGVm05h)11sG<|l*%?VV_cgA88xI!a<=`c&j$5d6z zfNwzd^th!Uw_Ja9)5?hscdT4N(HJ03bD;{ zE8p=51ZA{0#5wwDu0qfPJkSb4S+1TQP&N#h7BFKc;$o;jl{08yVmUv+ZU<4IJ* z)TTh7+e602#Wt4kdRI1Myc}&9oE*Ofua)D&;LvtNsqeKo%X41wR(GhR4qYmPKQpR1 zz=r*MHlIQMk>CArSJW#hzZ|wS^U?OGsrFZy!jlEkG`%>7dlrHN1#zzn$H&L)4?J=v z+Rl)ciUc8Vhts{Y@MlrUsH>Re#9gFQJO>atKdgmwTpkU1?hDqPX8ts?q%X&Qq?h_S zPIcrNEm}vPdfQC!2ewZ-g^#I+(PPYODNa*2m$8V()#k&3)2wbS%&Ra*iLIvHcWVzg zY$)Q5fsk)Bn%W?67bv5#G_F`{D4{1dRw__8B*yH9WtJ-8aUx6q>0lQcTmdv6l7`R6 z^F!QNDoLoagwVjV9esAH+@p>o4l={}6Lfk+)ta^uqW*r9kewz@ieu-?P?-!Fsd~{A zLE5_>OcJynjT9L}RR! zNeDd=Bt}>Sc%U*x#JAL19|s~rrU(cPt0Yf;ww{(D#Zyc}Lw=eew_2@%I~lz}6NVOAbNwztA&6`@!-Ql9v7uF->5!w&@47d(pHVCSkY-nylz4$q&BU6riQJU`A5>=$MRPIvx( zSlVj_Xti*pU?koGif$Qa$^?Jl{p_teyx{a85c0YfTbn42WpAZq^ZD($cQ{BkCrYY& ziGe;)gszaugGfVK?{T^I)$7Mj!MatyG5S#GCoHmlSQmWL%H0s)&xrfgqsCg=m|ouS z{V$fFSH3Vx2)cpvshYs;-vMkTfr`JwL>w+Ii$?4rtKC3?_V$vYwKhuT4lh1XTIdgR zjR6y2U7ctRmZRVQCbpoGWY}owbHShX4@uYHHALh$h-dGA@ zRFZ(m9s*gQj%L?8*V zl*K1T!3l$TM)F|QetGB7O6e_7c;o7(%YY=nVbmg*mQL;9=dnel=dz$G((PoMNKN=*s{KcPqVq0-K5-`pR1k9Z9S;25bAGcVXO@^**yze~rx3K<4QO#1@LYagQs&x==GhM{GIh*da!Wy* zwavP>7&xl$H=x3uC1z=$t^Q}?ME1YcP|O6HtLDFKI+6D6CxGH5|0N7E{iyk{^-aMpwpXRjZeXjJ z&I*a#v3x;kE912NFafwcQKa2iY}`H8am%-Ri1?%B~& z2I9(BUIOp)TS6WKE_?&S%-eVGUcbzdsZ{Y#WD#s~j zs9rrK&ePQ}=Yl&8I70?Yk=Wv=i3Gnzm#M9dujw$#7zCKp!dl8j;?NwZtEpyJ1O2|_ z#mOrPWAu;9LE-Bia9 zOT4%2%a&1iFKUAVsO8pxX*md5d*p;VCift%ft|ME_bU0)r-~TPkP#ApCdlk*P;C%| z^A07FaznoxQP_89x^Pxe7(!Oy}YKyVAe z-5r9vyE_E8;0%&rL4vzGL4)hy1a}DT?hZ3B^UZUr-a3C_*RH<1SFgTS)Ie1;>CK(E zXaZ>uDL*?)EPs`KqvkZ((<~38{eU=kZTsfY* zeHr|5$*;ed5E$@sm{lS4)F65IFD6jKfqBEcn^f@cRJHXUw(qGb=#u6fp9~PqIdbTj zi)9Mf@uEf+*Pq|dw&#OfW^-$+A^(m^5dUpIx+d}#LPm=zWu_`Nc=xo_mdD>+#kuW z_zP!iO~>&{xpZH)ZK^fJgVLM)>8R&h&%3{J(p2`q7lcZMs(m3A{c{gKkyHWl&7P0{ zTDJF6td`rgBwN4e=@bjcDy)34qL#C*2ut|tInlHMkWoU5kmB6jY_dBQu%1d*0c zewlvGbqzt&?jPbJH2#}8EP5u|MD5n{B&_4}Z)=yc@)Dg#YkZ=9_^m=Wg(?k)Z@<@h z_lS~op?=?@4sR9L_4seLp+(49))U#8XnXZ(SXtiC6FC~D#Ih4{aXDzq)%HH1PJHd> zPWk4dQyUP*fMy~>h{v*j4miqupSaxj9$KkQ!mj=Tcxn*eO@Iaxpi$W2GZVUV`mFkr z1@{J?5{+tCE1l4U`89s-3ry}62~4j{%2(}IqYHOxIgW}lcuz^YkcpduLVOWCNE_zB zz7zYAx5_Jt;YmFT(@`%L&8lq^FnohT!%lKJDjz^$>USm@xDyHNt!u~p)7%l?yc!u@ zJnjy2-J6%6ykGf1=WJFo@Zk=MguUvC{g}Zm*pwrYqwQ=Gy42+SMNxf?-hN-?(AW3d z#(-H37NceI7rc*T(O=!797_Ka0y^U0>>e=)x5y1}ft}{9%oGf34`Yo=VuEB7u89jEOUjJr}q& za+b3qcK;i=cV)cw3ysqj=kH}Yb zZ&4vwE{dw(L#>e6Z80IA%`@Dldi>cHR&*tc{&UKUMgy;uipG9(V)G{QJoIKzp3!q5 zXa1ujU%SU5a$s~L#LnRp?oyE5Rx7g1l|ZYD%eNTR2v5e{h2qCjy)Qp>Re5>f zc8;PR&yD;EqxLLsM_`IVaX}t$M_Wg!s0v@mm>8*T zs{Biq>N0?3U}EV5m)dVA$Q9aWX68%YGyCmx1LD|E*{l@r0Gk!b=2(MsjBlB|#D_rK zLm8T#1BUc6yaK`ZIP5cGsX7ud(dJnm>&2FI2f_rgAAfdP6z>qG_D2tz$A+Scl8ns4 zxtWxUzAsx?rgxi865j*50x4M#IT)=z@^)bkL=xCdTq(-JI_SfE<~T|XLc{f(t0vAb z|Ju{u*_S<bz}9TWtk#uT}#xS&1=s-umXeVFfjf+vcDNwdqSpGB?w!c?9tJGAviz z^QuB`#C3)DPxGVp%>&Whtx_;v++bd`v=z{kCXt=_AcuNvMJgrbXHpbu2|;IBxU~vF zs`0bFE7N)V9Z$xC|B`FftPoct)D8;fgS@UYS2){yHMFwLLgb|jw7*3bi7<6<94hxk zVW-$_zbn8CaVFKtJK1m9;}f2cg)_3E#tUU2axsOs96I<*$%*}PV5Kf*`N8t#rNU93 z`r>7fy8^Y*foY}O%pVZ|IAPUZTF5TJR`|ZshqFh4j2HSMv=`brIq{b|SH9&Tpd`bs zPWN)F=1iQ{DO`-U(`Ta~a^M^6h-?7$c-R1va!2uZ?dAPb{Hjgh!{%uJUzwBLF3Prs zf0TEY@6;;w@8wh%x|Q3fLKQ1#X?CL|zAqR|zj~2SZ1k;e)z%v>ahknl^V*Q5DoBp+ z>w-!7^>)naSO$bCs~uA}XC=cLr*Zh5PAcSE@1&80r!ztl$v?tnjcv{F9U>r|-)@?r*JtOZ}XUY8$j^$(A&ZtKVwzs5;kj{|$6yt6wW$;rcy z(#Eo`Wu-J#NU2Bvj{h{D&MlYf=gK^!cYt%cdyQJ^Z44H=*}jczNL=Cb!U*lt`bPp6 zeq?N*5Xppa)0Wi_ySmnUb(?ObUoh4bG8R3?90zBU#z98oq=7OvfELZEKs+59gcC;P z!$JWoq!2A22SxFil7%gFRvx)kh`GDRlGoIvg(>6ZwqB{QtQH;`bl0uAvBR24ER$Zc zW4@bq!unLMN)~rJM}wQ3HoEr6OOW^2?aX~Y`~Y=c*%9{Y`fk^xT2qn@Rf8J9nuI6e zoTnH1>+LJk-l_+qn@jN7_1LY>J@zLfy}xevB;!5Zw*$^xwhV;(%S%gE8z9!c;5848 z<)QP+J={1XN{C}N7JK(wvoe+|ZQ)CGRh8d#2V_mMS&HsI`jSv?3%4*T0@st)O;Nkv zCbw%p+H$Voh02kzj1a8W)oo9!@;qYE@9GM~XAKeC6*6!d>2_SuO)%T%fNi$YN~JdB!7S>x+hZktv@dwQ z%!KYj@vlH`1*}|g~ zU6>`UCr|i9sO?e?rMO#em+els@wqEcF^?K_*yYG*2y5HjKQ9hd{;rVYje#TFWayN^VZ-kUC>*#lC zX>-*7h(pQgIHuh*-o8n@H6H;hwMK>Y7O%dVzRX{Y{rk>F#nBey6?lME+oSKmiqIY> zVf_1q2mn}M%ZKc6cAA2(k1%AV0egh9fXhJ|AEpt(h#2##s1$@Gxvi$`s^5eMvbd}) zwwg=yulB9P7Yl6e0bh6sLp``~h@-7Z4nxH@5(ye|O*%#I4tmR>cZ6&`cVg==-TB*< zfS!KdyJla&Br+RLSDdTnXl~HJQ~f?Wdr?adywO+EUyod8jF!>%Ea)Sgs>$CbdFh%e z)et2Dc;M!+yFM$HlRfjmg`DRi<~h0vqBJD!l;HJ=eaZoHlAYo!bX|iK18+jNwyU#y zB9m*Mg;cvAjoNOqp^@Sq(FIAeVbfvokIo(63A5$P_`G72BwFcTK?nM`Hy1caO%;wl zJ|ak5Ta&`3X3hyL2ygNKQHs2#2)6S7j1xTN3Iaieoj;XgAlrur8%GR720iEH1;ZF6 z(jg2#*1n0Cot>FeXnI=t;f`47x*&~ZYTyzuuudy6!@rRLaHTUde(q#3aWysmRx~4Gt7Ogp?aeWH* zB9xod2D`a?jV++uSq%Z*ts0<5ZBr+T3v6Wja-J=E$}u5A1sQV%8+dEPbA^kKITJqv}PDqhg|X%~)to>xOZQq%GzTAXa^~QoEG=BX`c8 zXcflgMsoj8Lioa&1rypiDmtrjCA47!H#@)l@=?!rzZ#*}?dz_^3t ze4?R$JEiK>vfnF{3wE>>>J$V#P4x84j9}L2$fLCda=iZ_by0SUkCi~YUyL^>w}-~x zp4jf{I-v8kWtTVVpVEMX-X?pi(2A%D>P(+o!J+WXDW3}JH!t+c4nu|!cr27h8TlZ} z6s4hgNi7|1icxLbD>ruwim@1sUk=DI6i%`u4tMW0eO~RECNLXKwARZTG)e#Fya>Y2 z=BQY&wPmC9ZFCqW&Sw*_Qwx378r24msrBaG#Ca&9XuL zV0OY>WnSx0%;bL3fz@h6BZJSK=W_!2ELXeQqY2Yx(BZUnFiTbnr1Hp_X*P&q2mEwv{Hw6&co)kF4`|JCzywuG* zH6lwGxplaUeEj)n|BED+yqU`g$v-Lt# zQVrD3d7MSQmUOt*`v^S^FfDsfY~KZt5+( z-l5@lNnz04kN%5kVJ~fN5_b!TW5ElGv@Outz|-Y-)!FqrV9OzU(Tl~PAnBqScPy1=8mSUvZ+aIP0pqva%D?_4|JO&b%MhHzI z`sf!=6&9YPMICwmg@GL>X2Ff)K??@yfA}OE6bQgEi)w-jknUaH-r{#F~;BIQ$$+9xneE&c5(LXXI&Ee-2 zTkcaP%43#zDdbPl>tFs2{rjKsdx4sQr*2HacSr!iH8+JI5>2nS@-smUAF_-U;C%sa zafUZXqZ+Nwbf##kzbHZA#jr{R?V{^SjI<6x5^uBoBJa%FuaJ=ki~KRk#=Q51b7>Q- zKp2of|8dhW0|#P_?+TNf$O5h}1?-PaNd7kHf!7Ik*=pxX2wA zP6E1LvGaob3_3-Udk+JnUY)GM9XH`P6w>@ddd+L_gHf=SHuc+C5lp1bU0$P)r_#j* zf*_0HLN#qX&|3M0w?D->%qd9;=+-#cF;;NV2)OqHwkf(rUoi+gL_e57`zEx7Tvr$F zD%(iyo|^3|s=sG$klL8Z4QSDrm5nJ$;nLRVRPVH3!h$#FqLDwHz+VgAIr6~ur@9qf z#|eukZhJ_wp0=v*xUQ2i1U2SYRDGtLx)cOI;VV2F>(21t_NN5t6Uhj2n8M)^q>(c$ z0HI)&t}jpih%b?ZmPPKg39&#&XieIs8#waW9Gxx^ak14ntwx;Ge0&YJ(1|Zq0lEjG~ zsSYVn8if3w5<_k^4a8@A{#VGM#9BJ^uCR!NjL)UAUk&;!V(NRbF*9EWZy4rVH21Kq z{{&!&HBlz(8tT8g?OUT{ZkH(_N9aQg%7^q#Y*dx!m=@gb;T>#BzCALc#%mQFM*roA z`tG>?Z5{NP+Q4L#*q<&?CymxmFh81q_FkBAL0s+C71R3S$ae>O{SfyS{lx;_{`Fd2o{#YtN)48e*$kJ4WY_t4b8mV zUF;7J?f^VPo#S%E@JYGHjL`A+LH9j+wZV(@Kuj1hE9{xBeEV>Seg~Zi+6a>c|8CyF zmZPZB$5?+qW%;S!;iy4z#KGej95}8KDct3k8!5gC7AJ_0cR*@5tRJ6Xa?X!N5oxdh z?D#Ns0(cr4M4Mc0N;t{frA2n+uW`yU2d|B=C-Vt?XA5p`FTjE6wk8w-M;b45g!ct$ z`GhpKzx+?#S{H#W&^^MeRb|JK1jY6f&Z*6boXjomL_DM1$ML44y({+aXdv(!88)1v zG5=w$Y2%;_xD+8L%JZ<_{!=Ru=sJ-jAasrTw?(tYhbA8JPGN1J@;EjdjNZ|az1%Lt zwfMzcw$=JiwED`n}aJOCg+(jQyq#vmS~x#7}$<|zQx>*8m;L)XyA(RyEgpbg2ka!V$jWs%^bWCu zJJRU#QX5et{kBvwNx6V(-7|pV-CBJug&i7$Zue*-o+AYGAFG^|hs4E`wksHWCl)W@ zA!JU#^T;NJ_Q`13@h7Rh%X2XVx>i*0lRyX;T=WyXEWuL$#7veQ(l{d|01U4j$`j@G zlggR868hg}^7Sg*@}CF9Z-D$;Qb`m)XTnsXX~O!$L?*I?*nGdfttU`~DXEFaxLnAz zf!3|ud6%E!`hl=Qd!yiwp(nVtGYyCDMK+Hbb8K*O@ce@sLPudp*iRilbx*It(4T7$3d?xn^mJB{8jC2WRdb^Vz z4W{`jfP~01$Ild4+&drrDM{sOYk5A^3|KmwyQOY`#XZk|20h#n-=8TXBkB_`)yUl8 zR)l6kyT}=G^)~%+Dpg}c4lmoadtfy#gUjN>w_NUb;B%q(;G}Q){8-#D%+|F9-LZX8 zXQrBGm&=~6$m{R&n>9N~B&!!dYn0cnIi~#{kzO}sSdB&LcUP!b2EX5jLuHC+n18HQ zno|vwZ2&dP3wXB`bdKYjf!up`Rf|TkglSRo&Yyb&VQVYw50FFrz4pW(3kIr!h%fZc zl(0FsY>*O$Z;GN9uRDLQL7#D9h9j3tS9B;duKCqGxijq?SXtOU)0Gz@=EpvL!yPy!4tVrXvK<*q;>0T zO|G$Zyk~q?CqUBy9KbD6Aoxan`v?$(M#(X098S$LLC_*2MWNF1jF$)Y50WR&UQj_o z4!8-X{DdNGt_um3G4D?`8{c{v13!}K?y%kTKiI0fl8f7^7W&&pQ}Bb4a8H3-vu3bMj{NxF;eaK5 zVEs3r{#3R7E02e8jEK$w7#L|bTVM?+$>`0Mo<=YAX)gb5*Brh0esaV|)7#s=qN=EW zi$opK4s{~pAQ9?7IK9H-JbwfNgc3{g=U+f(x;(l z2=eVWNImfCJYUQa-PFhd5?n=Ig+C4jPbUGl`|_b!IB&bIvFW>!JYGG^CD*{m;;r56 zgjX@QCvoU0I$OZP4arzYWkh@1QbXp*d=f-=(evpC0G~t3J9`}uAzYk&cfd>nFOVnZ&#rr$=vAm>4fpqD6+Fn{h=4Gcre190lj*AUM4~69S zHal;sJ&6F7TCfUnY#)Z--XK|6&tQzYJvrbjY0u-#)pgKRyqQVE=e@|_ENWalfreLe z;(;A}I1gtl`gttx`w#BKQQ*nl(&$9@BhtO$Kz~2xxEw<^#1fG^IDls*w&kP&P`32( zLA*`qftCLNur~E7-1|GyK=?~Dgjn7Osle0k&S79uMsey%*~4NiuKzmarazM zQyqaj`*H%6!vvi(x9Bbv z!PXzmpY9$yu(FvfD9*WE2}B-V9rbS`kHTzzux~suGePNZS^>c5uW7tTf18q{r9Y`d zX8ScWY%s4s3btgf0MiTLf9-TaML)E{&$v3yiW45Qrw+e@`MR#RS1E4)EW)xTKsFK^ zeVk1j;|K`l17Mwws-5Q z4wV6p5{C{Do;di)73WChjzou5Zs`4w`Sr)<*jxSuF*^yZ9QhA;OxpZ)sJm?@Nu|`8 z{cA86hZ^)2f#CV-x;-E`6#BGX*FN=zvi>v=+@&T#J=}PZ1Ar5@b$U>OA3yX!0f7Ex zN)W3UbinLaF!4t`_U;!`Ih^+9B$?w!pIdZXMy4Mz!*C~e<0uZI?$W6)-^dhaELD9~Sk&oD0%-`4yFD#;@Mltp$aDxSrQ*{Sts`*4r#**>oYl z`pg^?@v|K_TEv4#bS!EqIOJ+IpS`7o;1O=c#8aSWu5NOgckK=NKEtGaYWQ z#)pHR)$E!-X4)EA;%VX6{V{y-<7e5I-}0DA#bfz)lz9f=a(Mek3pQ`5wSdfB7p%${ zZ56H?-QhE|NyVB6X52R)iQr+-Rxtsdt9m7AD;e+0<|#n*o-d8%q)-RG(;F|8yflLs z?pq4C;9n5u(-=5HW}HS&c&vTJebJfb6fS;;GjWO5Lbp?9ayNj&q)q|J?2udSCVK_4 zR5iRJma3t$OUWILN>d%F*lFYS3&UNOxmjK(wh*)J z66K^^QyUA_UMcR$z*z;NK}XU-xt2WrNyCvKAsudfe~tXUiD?yZhYZRIgY4#Ph^uxU zTbPaG$eh*vtlP`0t5xJ{({qaH0hdlri#~%p$|+xPZ`!s}AHj9X#xSrf48oSkh_UDQ z{;`t_05h|`D^3vUbldM&BWNy}y_;qu^LgD3LnAO7=bwg$g->9eA|P}=5F>QmgJN54 zobXWPLR_FxF%#a#?FuPEcrA@I@p;*&dY^cPb0wo=r0=LKyWWkX)Jr(0n58$gv=haGJio63`ZhLd*e$l?d4CkKM%bk)kJgiH^^ zz_I=0%T$p+Kd}MV1(*$wPv`Rv**&n>BFd=)??S3TD^9AZLL#9ZhPvDg$xIXR~iWNuSb0Gf^#(V#EgC z&F866mY@nSQwHtx{;*;a6Zh~KGSMp6S#KX7)LVr2FJVzUE1D0yFg`EOCEeb=qq$Xa zU%=TO>yEDoD16v3oD;{T6EB#1q1XnbTkl>;R$ehKzx8-v^x$Yr5cvx&1R4GgAYXo| zt;?zF%zOXjy?-jdAP8hI3{%RPF~+puygq0Epqs-&v&XIrnzi-u z&Fb62^*X#+-**%hzziw4qS1ck?ATUH)DuGJn}h2{l-2mTH$!+lq%O5-Yg@OD8taZ% z*pR5lhu`oA&&|>gx0K@}pXWvC*>8uyxwdht`Y6>ovu0hIMHp#VsxnxyjEmd=k3B2! z_Gno3ML+Pd#Nx8&g^q4S&I^>><>mTBwdEsCf#*)4tr%qVNq@{};#r#MA-ur4CrY`r z)hZ{wnzYZc1M~h-14JWntKb*m8?-NX`}1e6elXgd5_~LS-zN>OaBx6$g;e2!gW5vz@)QPG!uZ_HwBEyy zHtJMVnz-bQ*xwFR*j7^XJ+--F#BIb@wG5&SVR9=EFkQKj)+SqpxT9YwKpQUiBTZQ> zg#^2d9tcl2BAhpNE`fy3M3GL#ib_)-J#siiV^cQz=iZkOaR{YUMQ}Sdz51A$Jjo+m zWz{<}Lm~1OoR)M0iTq9#!wAm=;ih?T!+mq3u#(3Uv(kcigND|T{YLRXLqk_4} zbSJ7sS0%@GDGIlu7q`2gRC85d$1Tm{VWt%%d2Q)2d2ad0=!zk?1)`L_O-h0%$&n}E zp<_GE)=2bT_wrMgmq%dM4Q@s$I#sQCt23%TM~kF|4+t^z-OsCULnHd36Jxpo9R@d^ z!)8ElM~*!;ZQX&Z$nuwfIg|@JhXm`qH`2T;*)Z%hcp)~svBOVj)Af73aR&pwh_?}O zCASol24DuJTaU8T{)5%-0q+3*0tBYeFPfaGL1?i_3A4U`*(u{*EsFh&DL&$n?NieT zt{lXF=Q`pt(HpwE^wyr(uPJtJBYtab0jiv+iQJ?)q~?)r+aCo|fuLm46h!Vr&EQPs8l#U4xiVzzlpf=HYI8WAV2yT}p8eQwHqC5$YVPJf(qTn|6VyBoqGj}=1L z{eI^c3;LM11MYsGND~o*FL!Y{vv{4;2h5>1N@j9Z8*$9xaB~U{ZI=&Sx&pPN6mwx` z=BtbH%h_j1$^NE|( zu*nG~$Zq@#;yf^>4PMmHGVQCrq2CY)94;ESa*~&qV*B_j!noWy5(PU{-t^7Q{a%#} zB{xq=a!BpTmnrdk=FM_#`EDH_qEmU}?>zp@(yT1r)^+Ndc`yui(B}4A&sz$r%{%EYsR?Po<7QT3-x4*dTo}Gyc;&GvQ*CfA$c;I?hMCFE5vzJdkOlZOt2(vn3 z?0-hcT6U~z!553`nWFnpBeUrm^}O-`H@Fw02sD2kU5-;Da1mUH6Uz4~K5ZRy?}6oQ zNQWw#3C|4#a5b4}gKQtKO5Yc*?7BVXk9Y$PmZ8T2|I-4#A3j;obShkh6nvloGaYPF z)!qSIO!qfI^0#551B+~j#He>HNH(~0*yON4I;s54p39uHx7t@jNbER}z)C51i^WSA zq)toak3R0hY+ti8>+SL(coOsgTa*-0Oui8VI#oT)7fNawytkD8BvgK5aq6d%>@{wT zCV7q)%5&MMoLNv-D7Eo^Sn8@$#qcSGfq!N5gH(2omvcsEGd#ZzGIp2^zKI`HsA;~a zSO?^8HJUh-s}MVbCRc#@WA*!zKc(Cs>x%rGzheI_bR#WGA){98sZIrn%l+=G($W`r zD|wdR_AUST)@+L5OL{#g+T959bJbiM-o)gga!oTF~MDe_$zhJBwrGWGn z#K@iT*`PS!LBB5o{!1@IkCzEAmTm_mZlrwN<2W_%S(FnF2?Hkj=LU{w14=q*NXEf* zWZsbscJWaaZ2b8@!d53B;q=f+-nG0!hIe-h;vl{1$1pEOnV)b!zF)(+ue%Cy9uYB* zEx!8?6CLW?W#)d7)F#T%B;{3v^46jQ+bn)(&i}jh^0KPd(Qw=AJn+6syL;oYOH}CJJ~Gv-mM%nnHioJ$IbUox z|89q8##gAz#(^7N9DKiPMX#3GCNS*|pmr0(NLLui*f`#g{=UdADG5M-;Zvr z00gXuaV5m0FX(DPwjX`~v!Ans$^$jJK6SlrE9ivFX)~Wl&~QL^uM$Xh7Pg4pXq_agmwb+xBzpQDO;mt3l@r%=M6J<`xBalLLQN{*2Pyb`>h%KO>p)<}lIxWes4SB!SGYe;!=;9V zjqG-3|C({en~YjS=Ej%HD10<8czM8>C`wl0N!&LIFY~y^@fB<7@Euy?X&0_YO;^+!R#UER;7%()>zcZHY^8E9 zLq8amt}D8H-A~=Hyoa{d3KBXMN~1|-?`igJ-CWmmvbi?A8H$974a?S$ut&0ki92G_){l`!PhWKLbG(5T*+0HBV?(h1fW*n;+>^<=xIq2-v_Dg@Kd=3@S1au*3t|b31XFjp)O-MjB|i}ZVj}YFOkd6Wt~ zfqu{-p6h#SqKEant;dVQTLtU0MNRcvWbc1C(N5Ec-b@#sTbfY@UaE^vxKn2` z8DbqKy5ryF-TmN|uu!C9la%T4`=o-svn$DxZR3orI9$ur#5VFPS6Q_|j+L+cG%7Z@ z6OSirGVB{95v|1L0poTYRyn`_I5Gi>pS8SGMMOnA;#Eoy6uTyH;MnwyId*&R5*91> zTVJ(Lze?DCL9ohtqCgIuAC^COpftY9RhUPlZR1W0%HE>(!ISKX%BnT?_H1DDw_ZnU zojCmQ>-|xw)M#dD$K= zv%Kf!typU#uFNt#mK6KFsC{XBt)}ZNfw=KHyy3bep(6B0VCKbG@jCe)L4Acs@@uiN zM92~B=$7B0G1DqoF8OJqUlR=O(oU1n<{5;W;o9x>w8dgq-at*PyX_D{xQ>Kh9i3YfoB{VBy~fM)cAX!%=Sc~^waKs6oRW*VX769RK)}hlz15}&p%5~ zlDgK`<@dShEMYQaN%3JN=m(L8c4;^Ec&RZkq!BU)nl!Tb+jUqjcXFLf~WXHZ${E? zgPBgeCxzX|J;8qhCMU6v-MdIhFXX8;291UF-{uc@MpsE@ZI`Ay%ZqQ@vqpM6MDt_v z&%mQqD%VNgGhToqO3?1|7qSwErw7CiWBe2 zB`u3yGQJ$~=-uOT-730H#N^F|H(%-1KvBZxMB6&T`)2)6Wg5zvC|pguYrYKpz*d zAQ;T)gUhvsw-5djQOL-PO9zs{>JMY+Yph6zfWw}ZS^YkK=}N1UuVllCWk$@? zZv}-<>Q@jp$!*Bf{`M(vUUMMo{)vdmAKUr}zpCUpVdsi0VVd7KDZ5u(mqvnIpcP)N z;E4^p!#NZQku@M31aPx%rricju@GN&1Jd?RJEiZV_k|<&lRWsIVKUSxp!i=WQ%M;; zvxym^mYf|5u$FJ*%|rIWv0DZVdg{sVF$9A&dD?JlH0rv#4sV`^OO^J>FgvFC^uBsI z7EBWq){q%UNx*_lpvDAofhuI)-z5|U)_z@j5Ycf)pUR^=ASn{#NKzwDmbL3e8_TFe`mQ)&R=`7wMM9c0iK7viF;h&D; z&ezaYJ*v_!B2Solq`efk-*`q5OYP(~!=pGGr*cQ~*yd%snf2F#R-&;p+t)PswogZ7cVT`9SD_!nYNkh&eu2v=JMn0|Nmd%OJo3|SM%Ea{psj@lAgJ)fJg zgQg#2Wr2mZz>mBHA$&$@0oE4bPO(vcZNm4ay8>eHSYyBA#{qGk4ixZ$XOes)=R{po zI@)VRIvyr@)5>-nFGIC2bRUB-CPWjfS3in8XH~3*q_m5_UaE!hu5rmW?>Mf`tK8mO zBy^5t6&=^~TtO8ap|&^>mH782w-EL{*J}OSQbnpupHz)94 zVjSaO&@4)i|3p8hnzpvrq0HpqpOF(-Y5=EKc$+26X2+IYety}}z|Ke)`K4q4Ceijx=<88h=Lp=Un_xwou0_^p)jDna;oFP(s^%Yxt1yAbFz_8nnxkDOE zUOI%AcGhHhU_|IpO92%BJ?!ZvE;=YifCUWInLx6ZBg^`}*4lZ#k%Z4OtZZi$9`%20 zm31$V)2v%r|5BOFZ;0t^omDv5MZ`zzFt(^eV`7F?SBUIDA~7t$@fzDFp;Xksyz#oo zLxu_bkiMLiu8k?K^3plV#5}a(5?A+T7dY!fQ{(z2=mHko_*_?`?}11l?(bFHkksYZ z2R}4EE#Pu^+NdgEx!68p`UkW@1k7Q1x{4NPTlQXemAK~@(E~VoOlB!T+U@h(fkr&V zTf+*e1p6$>lHn5XQlaZN&7Bn@M~#Zs)Tw|vJ5mIbl9cR3H3BAb`>p-XcJ!2d)pv-- ze{3;O+6^-#--{AQNmHqQP;G*9kwl~UF@Vd;83)e4W5+L9CcZR{W3%covc4)l#*8mGp(w@DBCYZ8jRYV-<>NQ#-u+3klsYqC^` zI!4o8G@b3DAA`$qhTG&dE~R;Gs`v0Q4(y$#n;N?VDK8q5K?D*2tpJaoN4_{fU^X=W z2>>2qmFQaIhWJbyWjyuyjZ6kYbF9QVKl+bG?uU0x*7r&&oIairXA@Fh&-2U5PAKj(iBg9`reH3nk`GGYr=g2v3Zxx+PE zvx>O%Tv*hfXLs?U2yx^}>_5`Hvnj!6dfSy{VmNeXyc@%_=|RVYKhf1%!*I06p0Pzf znD<@Db9wsnBcvTWmWbgRna;8D>D8%Wb4sqj92FKqoUIWfYd``E;0jaItfa3LAWa47 zmN+1lRL)F#Cr*_th@J|wc@mpO%v3Kl7R(4=N&2GEM!MD>S)0tD%+p(8W>J-!?DAeX^=d?yTC z^;tZ6#cOCh#>>D(`2ey%;~ozBRA;j$g+!?N;#x)4ncOy2Q?!tXFe=5~>O~U`Q-pc6 zb%^}Dc@M*|5029b(Na)*l}Otg-#NZvEpmjHk2I@t&lkp;d{C!~$KbDv8tWpP-My7) z&$i-E!=c9yx9nj+i7N@yZ^sju?J6)WsmD}hkA<5I70wVPUUB&ArQv2&je%;v>tH)D z%yA#SQZY+lQt@wD#&?R8z(!QW9}vhS=Xu_$aeBBaQNU5D3oS);#{|=344Ef>mgkYAG~ds{~pPvb)joJ;~G7Ys-27=^T;q z1x~h)kiAOwHRuthm-HY<2TG=N;M3T}RM5(IMw^Sg5Zth|#r{}eW1v%Ki5g}dwr6s{ zdtax!+P!mJ{3y7OBR9ovZMYOZCL}k`afGY?F`+ZNihf#Mb<^8z-~QwvOWYT+jD)1( z`NX5T@}OE!=L?Pn9`1CYr~?y#FV^^9Q^ZIgx6Kl-pw+FwKYQ$I6MPkb=49j?|$^mzB$Yk3OiL3e$#$|l_pyx%re`@ zoT{4dob?@n&OF@p?%!~?gTBUkBs^8!e9ZtaenhBTt-02G;5brfRDL3Pk7Edw0#S=x z-8uL|?I^B|Ud+1+dGjCTw0Cd64)qu5*pauML4G{s?{k1;qCC@SPdzj&ZC_A4;5f#z zt*EsFursw{@u=p$p8t(BXOqq^OYyYIH1b^n#;-dTB~o*zUmkfW{k?2#P$jc&maSSLg>dj-BC=BpP`U>vbvbb`Cu;59KhvzL~H@t#iR%auHY`+b? zffC0<$BmWtIUTb4iTO9P$NA{19)8OQ?%!#Hq~g5`l5%;5Z8Ii-O-?J_T+i288<`*c zy+cQWB*t`#xqV+zqW^xPIC3|W-@vZMkz>qgQ?aoqGGG&sE)c8P_-ivw>9nmB) zY1P^8J<2xFG~pG2d0LcOg-zr_J|g3QZ&o?bhjHA_l?%OcyIC_uktTvjjjwpN=kMn} zIkvcQX`&@4@!A@&58|39nO2HIsprz^E};A2W`W-XFGtTW`R97td?l?XiAR+4cuTKS zKCBz1BpD%{($J0hYSt3Q3Y2MprX~2;2hME6Opy?HWMnY@-ocQ`%sg!(Y#E3D^to%iMYe#aw zT2T>w|J+5>$0Wv{t|QJZfLzbv>s%4+Cy)^U6e+90Q3@i`5l@pjRv^cVqpxsEaoj%_ z?NicGg|6hOt`xFm1|I@*E_s< zN#LL2n3vIIX%t!GU|0jcEBz$XAsq;&Pp?p#MpKG2e~(6h!Ei`pGDtgb&Re5bfD@G3 ztw`2x;XPly*-NK>#hc-4$)xx2nqS@e_DlC%l<^@yT~XnzKL4W=OY-VYcEq95m+PqN z&k|9)0%F$n1%0$RN82s)N*E5 ziLMUrq8yl6zgtiS^B%uhqZd)^vXBNW7y(}QeSJ4AsYfWqicAKTF>pM(Mh*GC$D%fb zA)vXOWxPU0@tb8Kqde%L3M*>U1``4tpXe3PG=x_s>#HA1HdK8rmDEqJ`E`6FyFn)! zf7=8m%3G%&KVns3?Gd~#u5^^TPDIWi&6CErrKC-jtRE^RV0&HSOL+?b*_%GqPsOx< zVsDH9GqAvJI}QR17T;Y^6fNFI9CfiMwF`SDq#gyM@Do+lRQ{Y%rZ{uvm6wr`V6@g^ zmKoZ$7p-3DvuaXnkV!@kSe^V%@(Vq++2 zyJXS=ph3Uu(Kvp^*ZS^+pZxB+`jQu^{OdCH>Vt}k{59t++N~&p3kA*%O34MHWH&$x z(T|%l;}5ADP3E!q9xQ)x)Jvbx)8znb01&|)B~bZC5{2$uIPNES5g#BxkI%1B{teYs z{?$|>^a6B-kpLsLuSZ~E+-X~OC8kjEYxCc0xPH(!H~YuI08h8Bar^t`VJ;5(9kn9L z;jBNOGk&i1=a;~V#2~^RbyO*fdD_g>JCu>ah|CbBr)>E9gUgVPJVbluey#Oe;g$pa z1XTQ~`YIR&XAFWYiaTgo8JxXjec%x?GyiP9;%Cga!9;`hBz7P;@i*hl^Sm#<<3!X0 zRZH((jtu{;kGGqwJnN{jZeiVVy#KF;!sS%L2a$a#ssC<%HfDl|fbDm4+>xk2b_LX8 z(dwvYE4u$+pn~0Y3zYyiX6B!)u7&nOCz)Z4OGT+s zBTDMpKb^WX?m{WR-u29Sdle9lNU zHF|Sec&sP*N==(Pw<5CXxgV_Y9a$pKk8#jjm7zS(T?)nsND~j!MtHd$Kh&lU0o+~p%!%=L_Wsx(tNN-0U;IoDT$Ldun*m8O#?Ae z*iDpL9IcUqo?5ujMK?BU0CWSa94;z5Z5=zB^VXA~qsQ$q#P zW#tbIF|VqOjr#ea&jDx;<|%gL1?Z7nombNEQi(?8Pxr3&(;Zh4f#OWxJm43}FU9t? ze)R9gsfaODjFRf8Vd7iD!C}h!;ls=_i{8BS-qqTZpNN)UvtA7;G-!GP(lh{q884SY zhSEB>HrUbwWR`+bwUubbKzC|vg+du5>fpEehi4=hvRlT@d70vtW!vs&s?##PZJn0K zEz4!vZ(rW@$xx;mxt^}IuIH)#vp~KQsgC?^>(U3eQs&Suy?fq?Wv*ZR5e4T8CF)av zEFk4!fHx6=qu2w+==LTBtg?>}EH27V?81%+dd!s=UJ>>Kr99 zx~IZ!Q~q@OYmb*xHyH7XW7B$qa%D_NH7$-`&vf%&wHReN@a{LtKN#Qx<=?U4B8sXTj5 zgrPoRZkQV8hRi+}lNzJJ^{X}4_vMf5#g_{t{q&lb?%{F!F7Wn}Rc9`m5Y_3El)^PE zaSClW^L7-g@~9~cWTYsV^jw-^h#U;a`7a!~SMwNw&NgcRbcRrl=g+wOcd?Y0zd#&0 zSCq3;PsR1P&Yx&n^EV2kCww$ylIu9*!t46=bXjNL0N|Y+D1XlIf+zhuQEtQtPOOm1 zzbuH&ak#wwlNzi;cWs%4LxUc#eKl#DWG~&5N_h?cCGJ0A+6GeQK%CN4{^tK4r0ELx zIWx{&cyQ)uo_o_TkIFt(w-x3CG3f>>etJQ&*CU<=7;3|jNxBmXs%f9d38uZK-9ZrPdiLiJzUO^$L*bg|S1x@p^mD#XnAiKxJ!Yng zxaWw-)gm|;B89ouLC&Bk*7kGJ1Nla1k>j*-PWfLK|95~j0D6FO&Qz&*!YOpu&!FLW z8Wq_=ymWeWKD|Ks*UAgCpQuFB6HnTi0 zS;r}i-yu8U`o5c2OyzG}{#-EONYG)0KF;(xBQ>v|Y2C5MqFD?PHQEtrg>U6Ek8SmR zd4^E@od9$)erwK*lfjHQW&Q_3vYy_DjxlR)JC|ea`@!;$M`fR)A(*V$%%vb+%YowW z1d=XxtdR@vu(suyqz!>T=6dRYH1jmeg%b17MGEE9)w-Y=PEj?9yDfTS5*iP6W0dQ^ z310Jm_5Ji0H*cx^H=cabd@G}!%$jTB`{gI*L7a;<3rL1_at!FElt4s!BZH|t zQAC|ykNo}PK&Sek(*nJb#@6jy1a=yq7^NL$zVH80UN^Cxv_|WhGo@N2Dyy=f45W-V z*`x`WSK3yVv`%qE)*E@#>b7}3IwqrS%0E@#sqPae0ynP&Zb31WYaUmS9yOcIN`A5d zIvxIPh46NC8Pms(+%PhqadXhF6I~&`|0E!r(1lIY@JQEJAz8f%DS89ER03x9+=Z$+ zQ$+Lpo7eX|8Zl}1!FVj$ zD>x+Xn<{O|@M)}T%CJsYebx=inaXU|M9tKk-Z>9;hJ3(^8r%#YMvbA>L1R)5{!;D~ zPyaJM^yfEis{b!uUlRIo@v9XT(GSMw?XKW|hPw4Ec6$Oua<-GgYel5j;<*r+qa5dg zV~*U*JlNRb8MFpKhw$WX=G;$xw5AIu0-2 zscs6B+N49=RIP^Yl7ebmx81RxtjY%f01yC4L_t*6!Hmxg`W`(1;BmV$EfRzZKT=Qv zH@^sqhCqv~0oyfr2TK-I#@!Gi&lf$)L(&)m+p29?`n_5x^%62(hUzo0$&tb@(FmDIxGhhx1k`7c|p0B?YH1#^1wVD)CGb%;6}0d z+Y}lPbkkAJMH)UWseeQJcWvHS^I}KJzpSuk4=3VY#Xg_RzK&#H8av0GurSbRisvO8 z0+L4&1P5vrJ>}Jkxn{PLv1`2YGUnNgTt$Gce>bmSXXU7mL&?0Ji0K>UUss3vEmZ#9 zeBdurdyUtxOw$oDUmxUkxV>a_OS(pjUe61&mt%{Dmrl@)y(KULK&7y~m9~2VGuw}t zcl+~<@^_Idn^C?#`=NEWT=0%)J;L|38O&OCMMop4_c`nRD-%Q4L7AQ*5Kk_jq>MM9 zc1z$oHwso8!=yuOGqB5YvZf4179*3H?WgFuNYQ9XR&PYAt`Y{vj<12<2^4m*>fp*2 zm{<#A)l5xF+i8jw<6z$jl(|vBz9n5O1%qgZk2rhabqm@}^Bg zK|LNf#hPi_w9!N`G1!qH?j1(`SX*-pd0T7$3meDOJeNuNn}6a{T2#Bc($3WaIfh+q zWia=nyxnR_cn(FRTXn(;^O_Y68N<_iYJE*nb+Z03DUrJqEqW(#BL zIju7nWsY(q!Fs=I-tSiqQ*t9{D*be#7TQmDTObiNEUNu>9-r0a^;@-;{}Pe+y3Ldo zj7(mlj>|!tV2pt@6|GUYM#1X-GzPRLEpznREKr_xzV^Sesc7x*u_WB> zZ@%Y0COLYZ`084S97QVWn!p2JN<=6wW4*@kFZ+ zm}p)JWYohzTsJ2>STZ8t^vPo0TevYJdd%|OqHbjMMX622_l?vBsB#CnTjYgnd z7mazUF{Uy$irY7Jo5<|9EaQI>NdV z$iTWx^G$v7)|_b?qJn^-=Ci2TE#&5=xm9!QxPNo1_VG*){Kex?@5ZWUXy3V7i8>4- z#ktv?aH$OZA_57|?sh7bdnuV66{*qYlfj|&Stc~yCgv~#(d6a^y27d;lI)h49B|El z^Q+%N<)2J-t7=yZ^ZMn;hdG`jv)k6ua4I?2tZtj$m1CnIlC@L>iFy_%7yf1n;<%jo zm%zO4r&R9D{EfVt=fJGD>mJPh8|$M)Lk~0iZ7BtJgND4Ik)8j!V3fUir7l^siL>tw zRK^=&&Vexq(wv1Gg>5_pemd1?7*LVxfP5Hb-AEqyn}|x@l=ag|n7SSf4X>dNW-UL( z8Gf>A0}_?%+0G^|MO4#3O|Y)twwrx^O#EP|v7zn5u?}{Hc_d!wMv-gAexOvT;2i}g z62b71!!Tv)1WcPg5o5-VM6AF#?3$G@%Qcs$;trI#!#t+>%7IYv7nKxY+=S7XI&C5* zP8x^OVWn_l5%}aEln=_159|BQ`-}s5$ivNxVfd(W$}m3Q(JX_h-(23v9h9g197hlk zT5b{?Y{wxu9H<|TbLz=NQvM&FTSC`gxEL3%IBsmrbv{j)7C}&kZfvPEMQmaroc4HNL{Dx?~xm89M4vb4q9Ae0msk|112K@U*_V zT0q>it4$nGqY+>fs!^mquQkOP_r%F#aq{sCan9+BaL#E*dh+2gJkC1xC>-{Yy)bs%C>Z`w9MefbJ(h2d&5YkrBrl37 zlgHtNMF-*R(~rT~l%e9J!?5f8S%}gw2xM)luX!sgN@ce&mc%S9 z*{0<*0!!m*-pG}_P|PPUyCkZ|wf;nP4U#prT`J$3LK-qc1H06v(E6i59yV*}m9#~e z-L)2c%H60;synS9qTuEi!_Bb={?N3U*}qw5H%0)^WeA#TH%B^;DzXp@7gEVCVIhf4Gv($`3b57sKnnMLP`dU6)_4fzgVS7ddMygt2p ze^<))wu}Idi0rIghigyUhZ9d@D-_-p(Op`92xgs}^_$rvI@?6xaJ}EnD~94gh+N!! zAL-!XKMqwrluv7kh(^H_OmV|lDD785%WGkIHf=is92mDB1bf2Ymc&C7wk0+0XkKSp zai&c2MFmO}RQ_hYeZqt>7&m4lYnif)nnGbg9(I~F1<|~GfQlL{ACN;E&QVM=|x;4`SqJUl?na0ToYUj5eF_*bpOz_SiA84+5`sT8sM8O`|J+nTdTIQ002~ zUUez&s#MyWMA;-$*};%5B4Eg_sKyJRaa2?#C%0wHE3a*mJsu1QXh&5-u)Z@{jSZbn zB+#&RE6sS`9-URlQa&%@nQU#(5hq+<)XZ{C-fIbX{#we^x!hEi9@qPmH5t8r&1{2M zxiLfvN})Jd1_?R#!#-2_*TKwuc_Ml&od7Nse5@9=ZWxoggj3~f|1GU)9)=aLY2bC) z0tF(<8>vOYwq4CEQ&#h0)+}RUn0=B@GD;Lm0g8%TxhN{kXEqh8<{557#l`f*^4e^y zW6B#+O?4e;D)aop0z|3AjQ~70-*z^WZ4es;=Q9qEJ#) z2ysojjpUnhOxKDsoBoghVKB#l*+r|3c}>UcUK<>nGO`z?D8}RTCjw=faqXoNco*U1W+AX2=IM6Rw_b4*-oOfx6beHPfby7EC*r&(K;J&-fx)?P z0Bj*RQEG8yc1^x!vLS#fsBuJwHnEam#%~mGGl7b?dEXZ*UKkbBp1`_k$AL%kjp7Z+ zp+Z+M&kqFY#z4r#gEDzdJdCjrP*dB6pWzYkH+(?@q@5gqFssqSjvS~+x7%D(<-Oe2O9OfexKary!+csyx68xPb@hY8fO9$Jn^4Qd!W&P z?rphMIyeO)*%wOSLS%M2Qp{!9?d+`qupNs*wU=`BRuTD-H;Nx7xLNm4*4Dv%>NhOE zf6`r@8MlO&flc!>6$AiLxr*bnoAR1Ejb+&f8UjAkjBye4jmJ9ZH`}AkMs7o3T`g#{ZBL-cZSs12 z=xNdKyD9k^mM%?a;_}}U7nb@^*ZGjKEE5Qlq5>5#{RHxTna5?(kFDN6hL*p~dQ z0nieSL9}1AHQk`KZ8Yoqwg)`8g|*0N65|)BNMoSpl-qd01yC4L_t)mg+ClZ4q-Yp& z_KANqZl+)6`}HPnOzHKnPg6b>U09qt3@BI#1I_dxzh%9)`^Jc%>>L6@IM5(4sVrk;@S0@TO>LV#nSIk|pZzp_ zX*Pf$Gz7%RMPe{)C{7S%_eauH=yRRd@FCMQ!4cvUv<+BlaGa3|F6Q!;AwX=MfDW@V5|d#ThG-qx*VdcnGX zbv0+vU2~yl;GNB6b2;znxX#B%oN!&SVNA`no;T|YByEnh=1rSQ1n-cuKPIVDa`Q`| zB6;8ija=O{JD5(?L8o~xxSu6CQv|JkUEM~)7|zl4q6r1Hflab#c$uM`syV)Db5(-s zhOtqs0Vzc#?!c!~^r-LyWyshlMo`&mDosNsKh6C#%fTpr6Z06t`b0d;{mx`)aR5^; zDBogValeU7xlHvz`C#fRmZy?Nz{hRDlf$_vX!a|NhtG7hs28}A$j>L~7Q9UVJRWab z7NAk2n@O55;{~LJKW&0;bKIRnt^F z_^nej9SzC!eE5-%H20iWO!Kada|MC<*L>?5DZSuEkOYk;C&Ng~zeHh*P;qYyW?MU$1$y>U1hl{<@2w#|>Qn#sE+p2+1&K z1N&w^exuE3oIN3FO`rzL_Q|*e5Ot990UC$s&3K$Wi3f<&_Rh;T2^y7_ITo0G4emE7 zH=hdDr-JmU{2CP^uP<|r83jp2Z(Qzy``nGdD9>%m-;@!D{EYGiG+S#=Y=?ZoHekvJ z`_23r2gj^0lq*AhEgY^*-AqIoz%uRICPNd1GMKvT4@`TEO+QlXn@`fs#tzd>{|ycX z6U{oBa%k<2lQU@qU%~#?~YWqpuW?2&r zvYDgJd(<=3qZ%o?{u`>QIRf$YHW$i)*j&>hvXdz1^ob|M=dD`u^#(uDu+mF5yp^ii zjE1TW@RCNabxqjdsecYqT`N6sr93nHr)PsFBzr<=UCVR66^K*EhqJABk%IQC=pxOn z3n5(G{!0ypJT}MJ0He)NOXY8roJS>R$S6Id{J>-I8Z%1Yr^5G0sV4Fw5i}})&b}3i zKB`zpOEpj zKLC>U{7VS&DE3hyWHSbU&rFsH$!(o96pwiN9MS%~XAV5D%=AALM3Z4@U=Wy4@wI%{ zagI?+=8ICLP%_;cJ#j>sG_kx$r7!XUIFsgb0Fre5`^jWj(OgK2a?ChTIqH(pM_x0s zu3^*aMAe3;Q*~8Zn+N2m)w&|26Dx#@()cH{u9P3BGTQf%s;{IX$f&1#B$|k9QI6i& zQDry1#bd)Ypap;-x@}hg+m%v~CY-er6K#^IP>o^>$f05*!D&>Eno8cu&%^N1BQS5? zOdPQ9t~l&~J#fVSyW`0HcEb@oK4PC;aKv8oaKwV0aM&KRFmH0^uh5PzE5gCMOvmAS z%qGpj;jDASg2wo86El6E*^@D>D4)``4@G%V>@s;Q4&R;i7Z}>9i3j67$cMCW*BO{I zVO0CdOc4>37Z*}a*4=Xs<(`Wp_SqRn?lT`p?#I6EzZ>@2eJ;jL8V9$q06H20=n*i6 zfH84X&se$XcyZ6lsR42u+{=9vbR`LUEc2$W44b|9ek(vTvaEczAo z?1DVE-6tH4#4i`EsMp$G<9q&wG+qDZbH64%7fJgbyoTD+MCFEK{Q4~yrZ%PObt?Hh zpsA?3D6uF+3Q8d=_b*#7Q460-8_4pewchA?D&rcdX)czS;AwH|q4{SLECB*;jmjUw z1CnkcpVyO_-8L$J2PzuH*zu!rg{zB4A^pq-}Rpt(~6I&ki^AUrH|4kSU|qA%`uoqCgqdT9H}+HW&T2sd!7v&Z2U5<1*lx4zrY{G~ zpN#`|+X+YPw;N79=3rDDyAX3`Pe-JHh5$VT0WJn3Mk(HDd{rF?7inL`9t44FbyiSjr6q=6>qCMT)b3 z2nenC)wS2IBGd=PDjI)64bA+PZfW)iuzZb>>D-wo73Yf11kB{0F#X^=9Rz z>L+N?=j0XPEO9{Z1-ks*dh^b|a-$F-I@_DbxjmmV5PCK^0-Mv5Rq?1BWUc6w!7U@> zyt1^fv`%ou^fDIOfirYS--5K@vN1*giPw-(W`?#Yf8`)brMJ^g({aq9`(gf^=@>q& zH28-)Q5pr&NCfT4MbvF1M^QntA@j&bTM`jOn#x7p#`00ObxhA6012LAZ(Cn8-7)gD zsS|Zu^Dt%F)@?pEyrXW5@@@KK{`pWzQ4yw29D}15?u~=?+Z`q59}uw)9L`0QYI;3T zpoRPF6AZx|qs0~g4c#K8lil_3{am{H}3L|vHj#*s3V$f2??E-Jw8JI};kd(4CRFNa_n zh?6mx3L>(<6a|E*Oyl6-sw9GA4-qg^ptgqXU zP9)!?W~FuwEz$3ZzWJa}eKnHRo8U3_y%fdM+vE^{R=iAy$SK_4_DagO0wFu*wLdWr zCWYkXQj+#PG|v9F_cv?u3D!b;%QruttnHBJieVg|-4yX1QXYWTi1W&72@(%AsPGL5 z4@d-wdPf0NY;YWm9Xk@c&7FY}!%88-8Ln=;Y-vbgD3b9A%qJdGrc6MD#u1d$h?NkV zCgrcuh$&1gXt8ZS&`dSNs9n&|n^^LxjsLhm<5FP$iWM>6*JtodaolLfqFsXV00h>r zIce>3Z2}QcJRg(tN7NS+Qy$td;0P3zPufE%cQ1jIwiJfr6mK`oQ{v8Hx{z9hW&5B; zD_NeoCw^!A{Nc< z%hmKhc6Wuk;jCQCY1?BWeAA1DX37FhG@YCZ~f1wp>q4@lrs=?AWV z;Wfqmg2Dn!o;Vic#*BpGadY*d9v9^2VHYlml#~{u884s8-xon(Kr!Zx$^Ay8w86J= zm%rw~5O*2OIcO#x(z=2f9M+1jm-1MX+6B#}&+?Hm^T67kEWnf1u1LEC8Vg8s8IHqI zyS&DPA^$51Qr6&=j8;P)iW~r7VLa}-u5%=SSrE|7MypL6HA#z_H*N9VC9N{dK|Icp zo-Sc6Zx{t+k_Lh_XTIr%nn3w`T=UmP33hr1n$ZI^1UitIMFQoY!?S;O(?GBNbW*1q zs=4ozz@N6nXkJge zmk^Lq^no%{C>>UYabrgz%5`z#9GsQ5vClhgN2a#@HOC-;<3^1@`S4+I&6@!RGpY}R zpHD17GMECym;2zR1H8GjEwoE8Y@tQd{jcAWg4D8YMceGW_SzFJn>?0c6t&6f@G$N9 z!OhoUp`o4W`VmaA20#v61Y0V{&4#G`1Q;GBj@FV7CA*XqM`wlQN1@l!oc=Ec=(R6D zouu2l5^3`t|5O9A`7ol;?HCvULUb@Nn>KTAnAwU>a<>LrZy>#+wf_?7uYmV6?WG^{ zQ;8q=p7&My*FFpJ?_k-Rw~@vzl-{I$4x+xw-h594KjOglQ}X(Q*4n%g!KEC0$bIuv zbb@*GWCpEsSKa~Sg_-!ST1pi)9{@tP@-!o+#<$o0-pW_I6oA|h1 zYx%S`A35>UpM>a(eXXx1@6WT$y;|^F4gIr}$n#jzx%+>{he198*cO|8Dk-D*b+FH&kFifh2G>Q5uI{|NsIl@|QHt7U&E`t{?d7-e;#({6 z(wpy+R*;tCr8h{gFT+c(z0))5Rb96EI;m~jufBtSzxH-3+9sbVZ^+1P=uP(HEki5u z-0LgwzZI(yC{9A?w;&BcNpTUJXcU?TIUHhVuw-oT)7%HK+!hP-%`uE|Kt?{4beI2w$ zI#GvI-Bx(URW&~yxpMXI-*aF4+sgloKmXoOZ~M>tOX9Du{(1cEb$|ToyPKEZyK3Xp zk9@fPFZZrn`}6}FYFf~Sr4O#%`1Cy=nlfvbKDctj()*Te`un|atbgYI|808uz85w= zGv)6a>tcV*OV<3tQ~slX`+bh1UsfJ&NvGw(%38ImE2p(#>ssaeDyp?sT`51<%Cx?~ zWxM!hm!!cT0;f%mi49TF`y|~&U<@iVZOCyThJ-U(R^m0mOQO*ekftknYfU}YZrY04 zy81?{twU{19qMXo(LhR&%;&carD|%>NVUNyxlLMk$?$7S?RnHR@~^E$$`EBpHBqvf zX|1RRDaw^3H88!Nq89NaeOq)qF zJs_rYJfat%`8){s&B@qKY$By0tJ8V%*7nradrLQLi16k-gr_sVbx!9;=Dhhd-gpnR zDV*bnx_{(jGv?%sRsGYPZ6y-|k^F-FMPw(4Z&k7C@f7E{ZJD&D$ z;IQ`@cI!r+PJT6=uDjpaq<{YY&+yj|ej0yq$@k!PLJ{V-rEPV#@gko<1`iI?S`lS(T9A>^$mFI{h_Gyg zG8);1^zXeh5@|qr6cy{ypHNNuzfGu z&}m`D<=={lat>#Y$CJ!CVU!^-mzTzzblTf%^x4-Gwk_3=$X}4s{g>#N|W*i>IAe+n$3IQuVvFh(yo;^yQ9S~`< z+bH|f#E>^c)1FZbehN*1HyEpP=na)v%K^L@icbGmok}rPzG=xRQQI3%H7DP7&}Ze@*6T~ zL0Qu`@}>iT{Y3~7Z{p}v>6_02o7i9o9-G*w2gMKa)plc`l_5YtL1T<;f<3_&UX-ul ziHgvB%sl;{AE_Tnk>;E7J)x8_+{mD1-CW-{;+pHPALJAT8Ls-FA=^X-1Y(iGIih4& zffQ#b(kj_YrAm`kHG4)Hip*;NRJ)P!7t=}q-a@5+z3Qj8{cGhf;wv{l z8Lz_9c)CXo_Ec1wWE7U?xbR8l7_850hL=p^W!=0VC`8RRjDn;>S53-aQHd&}V2z?R#B?yf z6*bifn8GkId>A(~?`cdn+k)W{2uVF^+HY>t>>IgE9LVOu7y<#&2-s!_G?yU{b6GS} zYYa>i8U|Abns}v2p6kN=(;&@d0T543@|%f9fx+B(TpEdW4Ze&(K3WI{4FK1bH()l+ z6ce|g*Is+V)eb$Q&?8zTcWXDz^W(8!-KsQn3Jb@AGHU<~+zA&Y&Y^%z;ypp18amv3 z-o)wp29>I>o9~Kqz>Gzg$68g0$9*NTN(0ZdO3%^(6(@q3KWG1bI@LHrWQliMHX;Hi zRsh9;1l`;?fTc*nEe5c$&0{`@CGZH%P*EVFOLFU217O z*1VCl*;mvsGysee3dk{vi?8D*6KGR{YF_zUrgTd4%SKXF0Q%FK(ssi$0 z;&#eDP`)h7`n*Ac-|at*GO`K4$k-b~XB%apyn*3Cc|p01?Azq!u}L$1FcjnkX;cYh z&Dz0@(JH3+nm9Ep`!umk6F-Bc=6-X!IX1ZZ#MO6*Y16qd_?mue!w2GN$figv?|s~H z2UFN+o3LTSsHhfaPe6LS2AE3w@J#>Fyybq(dy@wXN3avF0qnqvAI+ ze{Gb1Fg$cxt;Yp~gNG9>=uUm!F}jL3&p)-VzpMX0d*1;d$5E{PRnP41CFLwx!P%Cx z1%r8*_{bP1Fwr6#EMshtgDl%v;3y|qIfu))ai;tK zYIgUuce;FgC)wOw*L13`uCD3ss_vehb2jM$TxY}d57*b@&b7b0>e*HIe7UK3Zr>le zFLPXRTkpQDt#Qc@*6dhv<9$^@>(9c#e8a)%ta~*dDT!WwXYgg@guT7U zt^<{RQK>pAbE^<3C@OyTClFjQ9(t<$eUubelqV(cMbUxO%4#j47+9mq?R-oaP=A}D@DiJX+$Yl`Wn}C&39D%Rzdkx z&~}hVZ8wxhL6-iOF?ACflek8!-3|QOKovg?fZekCoS^RjSQ-HA<9#l(rx7W3C=3T5 zeAYGWHN#QWNFALe5KmMc&Eb3y)2j$QI;*SyOcr5Q7p?jkT^wuRozZz0VC&sqNpTj_ z4+8zGM}qyxbX5L9rj=*@EpXiS#87unP7o#*hw019f7E20t+w+l@ovsvUqcvvA;<<_ zUnlmL>wbUray`qh^wz#h!aTijVSL-dg>~!S`-btW-|@ydYc4$d&@Gp|>4*&%opbVr zi_Sh{?FDDOe%*yC1)MI`P~cVGHw4=?|ki)e_b+v z>_ZDru6Fb1`wrkti=nvO27S5kp_|t3y#JQJjjpM=NrK$<5SxUvUlx%+IAAR&%czqL z1p}3#*^PKKnV?F>sud)Dr*sKcfd)uOKUBXQjEDBL@^Cp$S=bWCGOn~W>=<{XixP+-YvhCX z^4=tc#zbw2_-9+x*ETVcK^;)&(0)rA3MyA&o#Ocr%1|O1#!!%F4Epbr+hywc0C}-R za7KWlOdJFv(q@d=c-UccbI;6OB+$#bg3qu6#OAYgfSZd!T>9LiUjsN&90Z-=EUG*Y z6T6hR#I>gkXZuF#iX@Pv{*Jvy#7u$kFG}nF7UpsYboEbbRkTT^;k}Y72Xf@#HFqT;+S-m7XzIa#C&wPrNH(ysLP8bCnVQYB>LD-*{Ii z5;a#(cB4K!t9JayHqWa2(3XqOxp3np=bXFo;`2`3c)@uGue|Wg$(t@cx5kklPGiz1 z=KFxOa`Csb+n4=x<&OJq{Zr5u`;HTPoptV7h}=XQZ#hZ4Jaz@xPaJ4U6QJQDSo*pe ztsOlYv-h2i!wx?LM;vh|jyn8c95eSI9COHlIOgE}am+#c;iv;=W5&dBFj~g3pf986~)V1TK`@YuRq z96D<{<+X1CRCX#u%JRs$2jhsMd=ICL4>)LljGH(CM!%{k22Ob>f{KapR`JZnantrw z>PUW0Q(0HhEtx;x^L&{?F;6Kb4cLob1mx;qzyyZ5pkt#8f*<;d`P>s`=&Kp2p|b?` z|F0<%Ma+pD6CJ+$-x*KimP$XbtA82+8ZUsv1v1Y!@iV8No2)6M74BmvZE9d>85~y8 zAGl*j46><$@*jq6{}Q9ZNzCi+%AX@Dwle$lboGf62LrY`FNG*Pc?7J|7d@W${Gyr=4%E;)Hai81q>J`3#@kCm^_7 z#C%YUTr4nehsb{b@XD{DWleuK$#b=+j@!jVfyW#u=`#imHew`XA82sfLmfz5{ zW68~r)tgm64kWx@48A}?eg|-s)8Uk{)A(2+`OZ3{IN&k#G?<#Nk`7b$wwZ7lMX)!C(S(&CmymtW>1+&@l#om zl+x`0jF3D;ea9Pd+8yge5j-lqapT8P`Hjce2?Q#^F%u?W4E?baH9j8W7$3**IHrvw z&iKASgkPXLE((t){RymR0t$2|U=-`E8dV3xG*V5O1Zrxkjx$DPGbv8!(S=m}0Sy4hV}K5bBGa9b*GiSq?*gJPu+Z2pUO zbHfkU|Mu#~wl7MyBAS{}xcYc!i{vq`@Hb!b#yRURIA{K}?6eC^P5dJ<=RR#j6|h|C zAfGU*@Sq~Edb;`3g$_FZT1_uP9<9p#b{J+d-Dw`57s zxa8I~+m_t)`<$Qu8U$aY5%4X-T@G%eLu3fh8zB8k784~V*u@MJC?pV^7#Oag_d9Su z9Lm+{)TvW2ipsIJrW)-~U4^;`5~!_8AnyASElWjM4va?WT3b7?4q#V(U|ftrqP7Od zQu(O@JYE$c72*l=j=)J&h9@0!I8LVVaWa)<0p>E^A2^Ko9pNO>Q#g_IPoQyg3~3*z ztM5q@;AjXq8q;V88aL!qd5r+OUn)z5^7fa)o-wFN#8F3C)m0~;va6;1YHO-?$+V^h zwUogG8Yu@JbN~+EE3=lf zycu#4rHZxxrH8+S%9~?tcq$g;&G6JTQcJr8l1al!{WWkhzCEp*fMdrExb+{>2Xgvel7qt&;l!;U|B(V6 zPQG+VIoL;>b>Bglzc$FaZ?FIDwU2FB_Kh^L`o$cPWgAz{FI{xjK^rbQ_l?uXyZ2ed zK5l%uN`zqKf4E9NA0qP^Kaenvb*Pf3H~dZtRmSL#B~SZ`;3Np%A|n3Fk2)MP zX72-2RR!mHfCBl05r7U6&kU%K^2_ltbI3DE+c_AB(O8%`aU#Z!8;htu@Y4E39BWS1 zB>aX0a3B-s6N=7h7GSbA#(up&Q-v@nr^;VJ+cGFZ!&I2_T=WcvqdJN^M>!8iRU>tj zByi-GDHFwb^JoZ1goQT990k8OD=Rjb1wX1+m@Cuulwz_OE=w- zOc9|w#+bFcdwSu*_{MjiIdkKM=bn+TuDc`-^D!~*8W^LB|56co4JWC6S+b768I$+D z*YS}fMxMus;2_THuQNv8>xub{IP-a~^R6_$cloU9i2#*AYQGn)z3A-MuD{^C1N69H zpv~E_^yZfOB{x32Bj5U6gzgKZ^KHUks47Z30*vlOjzUpxd~QAap3k5}6RKm683>R- zm4J^%?pEOBhHUl_*1QsOLS589fRI)7Y4I17e;#3vs!%aR5hbZnFE0$9ty zfT;{mLAIH~A)m_h&{wGyjTit!FXxUm*y{MvVq_mqB!0)7jxp^FK{ksp-{WG-kj^38 z0snvd;>ZKaDP;4p?GEmD&bdDC0yy1qNVg))P{+D{*$w4Y4=l_H$#^k{7t@LxXnovc zo&84Wf@|0PI{D`vORw*C!sx0(_HNn!p7TbnzvQeV#?_|&12%CPJX}rLU+H=BZmynB zWI1l-qsQk!oR@=Bqh%Cm5J1dXobW%)o!_Kyyrk#bE5=lhdiT1E&pA_fKAyPn%vzOA zzZ{Zs?{R+m0%?3toc%ks#Wse+e$yL*0%{ovnN!kPj-8g~7Uc5*S!8cw zBKf5L>1UXQ=vcbUNmLV{zL?0T%wZYU>J@)af=9z=>g0(y;;@4;e$qr(#vMBZ$X|iy zBLAQ-1n{CC@yuH#+F&`C=>JP-ZRH6aX|jfb;02)pQq_~Er&dD0S+*p~D&2@GG2|1D z$6=+k!TLd9q5KS%&Ty1>6h37z994mjKh0->k!#o_;KVcD>8x%Xp*Zpw>cZI|M8LCu z^}EP!Pa=_8F>gdWvXshfy_ z7fYzM^CAc9PlF)$`Sq(e{7ApS&pP@xCJKn6KhN86;aMl-tv%m3^GShx0Y*N|&i*Qh zOabJTp!Ctr#i<-|K&CQq3dH=U@#OO!6Jn3wai7 zIY@d0(%@KObI=ZIjXF(KHbrkm&~Oo`tfkqVG{44{8KVnJ@u|9DD!_k3*bc z?^obB1C((9!rc+Dtps&!ez^$SWuR@L=%_?ppFoYSojV(_cI`Se*3*_(s!E)`IA(XO$_3Cxx5JIDCiOlqPhJjDsAi){lFhV9h3wP ze$UNyV&nus>d?cbogiBM=lc4^J(zINWFKa3SgyPDkSZ5*+`Vtg&3N2fat zdhYLd1kfYmkYsAlM+=O%)Q0w3*)aUV#@}7Ltgrw4Mp@!aB5U7u_PC7~opX`|@rymr zTm_iVi81ehnEeGvP)76=``-q%y&i94#mGEkd9yD!t*P!n&DOJHel8IO?YX;X1ug<3trl^m9Pz~w(P);mNpI*$0igMqKl~U z)~(Z;3*f{Ql)u@fP)p_aq#ujNFmu{e?gC7pf#QLR7ZCDX0`Sr>n8u*G?)Ys@XR&U3 z176y^9WQO#Mxg9ehAPVqn<&?fSWWq^p`2H)T#YB6cp9r;T8$hRG5Rc2GF1L5+(4|$ zOy74>fEBFqK0>*BW})OIR%1aUpgesL;ebb|(R%>eF9tzpsEexX?eOvF#Gz@#02u10 zT1MZibq7GaeL38?LMzMY6m;A^3o;qlAn26SZPXKyLj>~fZ96v~g=8{%t}7Q`md$zD zC!7m^&8e;1iP=)=2dO65Fv|+G8`2v-7qZW9wl4ewXNNCNUc2E(TYs0_*4OIEt-N^t zg3;^GKleBjlM6-6=P8S;A!Y#tlS#)TjJSdXsG=~|895ok9TAalIM2Jb#&_@AT$6t7 zx{DX=uirjUnHJD{zqdU4lbt&sxaE$(*e_UTzv-NdemcmK!@i9qj+_%Xu|dN@K99Al z*5DtHJcgx9AHf659>bDHmSf33{)HuvJ%J_vd>Tt0e+KtI`5abm+=}R|m?Uf`V3f@% zIuTHIh%SazsZyRa0E7ybh5(T}m)}!y2SIgJ0<&gJ=P>{c0K;iPfqbI`Y=~o%=)v(u z@u4ezw>CE8k>_8+k|$PR$>UE`c25;#_>ada(|=+KW&6NGk7DVAkKkd-`o-s7K&quR zdJg(56i6Nr1WqJV+m?0X_RF|u=FZn@QM#VNGoH0(tiV*ELRZKJDRii)LbNMM#&X_Q z`B#!=_q0?RuF-UlFp^Vg3HWjEWHB`%CDnB4fM z>+fB@{02?yQ|&Ku3w!g0XCG4Kn}uEspZARUym;~&5sU>e(zhvuZk<4l#z`XbM$eaP zVdR@eypOr@c+-Z9&O73zg|8dqk_AH&y~E>wiw+RO z0fOSCVS>gqO;~ZHa5$lYkfSl(*4%>Dre^4S0nH3IQ#nP@+J@$~Hl%rEpq424MrR;7 zB~4K3^wdc)Okb;}QUf&1NaylWb9LcVQ;R3WYH=|8~@@=J`Nv9AkUW&w`XQ4z2V7b$u8#N{Epr4zDO=JBxK(vhR7H;aN8+EJ^DB?OQ3K{gH#)$&?PxGFMmsaJEDG zP)FF&bA;!~(+#ARG3doG>*Lhs+Ck$As)P*txX>Wbcmc>3)1ok(Qi$#v>I?;(2xZreGpI(| zl`12h%XN;ck)hwH&xaNrA>`G} z`eeV`_H )&V7Xv2G}k7nQ00KLM37G(W;~q)KooJPUwvusocE2(gmkqDx)_Vj;RV zq|;<7^brX)N~*{$A6V!vKt+fR5s~P5s!WH7emPkRS!>#E$`ePzLnna)rfwN8B1f=e z_qes?XsHIdEYu$eH{vi2Fc-Rb)jMaM{Uw_I!1hJSwv=c81cy6FvwekaZHRod_1~Vv z?4frY?RvKH5}f;?NY(fCH|Kq=RX>Znv#jxb000mGNklr9++? zT2olNy&h|}?jUT#nk|IQTd^jBE%XVSI>BbfqkQ6RQP{@w_?_6^)Pjue6q0Utbt;D( zBM>n(01P6%s=OD$p}@1^DLCG`q6N*+TNjyzd4}miP+6*$CmDK<)D;+u^1wK(^<1!J zYNr%Z6f%OId4wtcDUQV9Xs;5?6;kB&ycdyfoe-z z|4bN0=Y%$igZxIU{CNA4@3r=&ZU@M!cb+#TOxriY$5+_Ck3nQVCUf-)j9e9zfCwKE z>R`+n5c5SE17EF;xr^3UwH>qeU1yKGy)Qcg%a`Yy9=PRSCZ4|DS^HJ$jz`I1Gl7qi z_aS$ks?nLX1X10k{Gv}!v!kp|H)eH6=^QU*YI=7xN;ofW-WI)caPL2##J!I_fqNhQ zCt*4M_V8o4m*?pB@*I74_(viCk>$kw7w-KB%RTlamOk?W4S{-URPJPyD(K`ZKMEWx zaKgPof`;4C^hp;Z%0GCcE2i}B6^i%0glOfV?l^T#yQ*rG;cmrf<_e)=PT%hcx$DCD zuVOSSNl5v!G*Hy9B;D?5IcKcdG-3dBFQJO&aJ71ZKx%p->YRnX{crpJ@?Ur449D4i zo^L+kjQ7@A@8V7Xj{@T3y=ScruXoOEv0*-1{i`9+9g!hQ&vHU~RIIse$I_cy`cj9x z^wQXdOU^kU7Iz=?Jo8-nX`Jsz;6!M{E6o|Xa zQ8r9tQ6`Zt?_D}(QO1U-Uh9^1jO~uqn9Yl`*4sU2a49N_fChm2gQGNbr7eZ8vLCt{ z$|yUbxnVc-Hh{}Yj06WPfrYnwFy3+O_&q8uUHRKw4jcdjuBxn{#}Rgb_;Mw3!39&^ zlAOHe)?_wg+#Rgv#vs$$tmpq__`?un_jYbQVDH@V;E!}$xW_ssVrm&yWB`IWz2L>h@?LV<_VzFX<>gD^hz3|rX+%C{Xn3SRumqK(`-OyY({qk(_G0oZkY?sFtui2C_J#7LqLtL#1Ck*6xz%2KTiHO`C}<{gSq zkRLGsD)abyrlRNnGK|ofG|@e!mC~4q0*nc`7hY|51_aiB>WRv*EpO7?(GRH~KzqU>nXMensC5 zCcP2Y9|`aw5WS9l`E1`aUysB8Oso;7>W7zle^D@Lx8Hy3i&?mDI)^V?xMxXg@b3i( zsn9tT0*;=OqQapMLP zv#IU4E{X_1IVn>2{1ZpzBxN#-Wa&W-fP!o}-IQ>Y9>E!wqeJ^89z|8vQe7>WS4d3a znnHm0Am(#ziVTAlce(=*a@|{T!WAH>I}-}70<`)-!a>lIZmX{6)9eHK2+E)&P$M<^ zM!ufK_bBg>tADEldr-A?Dl8CQQ^lB%#bWOI88fFJ=GNuYZMpE%fc+b>2R{juNM9TW z{#H&_4>c~iwZ{(=xn$B@vhod6B=9cg{P81ka)`E~n>t34hg$;dP<)nC*tOmlGv0TQ zi(R_5Ds|B6OXgQOK+wb0`oJyQ<0=0q*2<@;Y#xJi12aNd3+pP>#IV+?iXXyA85lo? zcvTguYHLwdSBq-;1*k!F4WXJ)RgJxJxKHz-un=}rNZ5LsjNraQ<`S#l}6gAZpB zDQ_xqk7M1ZZwRW?g>l^#i1N9@hXV7|*F2Bm7;y|i(_l$Um*_p!OSY9KK)Gbw=o1~~ zS1Dfb1&ZGpJSzLDM1nG_CQxQ7J3>uu4QlFYDcd?EYU}9NBEfV|{|A7fLBMBW2`B=& z@L6~DrpIz#!>TITzG4!Sm{N54M9f(MEt_IO1-+0MKc@q_Ym`Bya+K9_5WZDh{^p=2 zSm5P@Y&OId>~xP1a)Tn?m%^-s?SBad_Yu7?*D%o8F+*NhzGQqD%7?}HU*Nnk79wQ7 zGv-Kqk4iwFh(y;Ro+nqvJab*l)xLJ!yUreadoM2uZd!grs$pvLUoG4x_`Ltd>8JwV z3y2tk0~MGQz@zdXKY23d9(g2=Klvn_a?(jS?S$iT`f>Ac+OfwHj>M@)AC8lcn2UX< zO@(lEOO=Yw;K~GDsAX3|6lVjd>e#*AZe=^uinJ>gw@2{95QZRJ#YYNV!vsw$fwb=! zgaGmM=XRd6G&n5dlpyP7sQY@!Jl!sa%R*7QHlUd1AkgWjD|!>gj>54AAAnPjJRGMU zbp%d3<|v#t?`WK+vONBHoO zjH`7n__#p+$w8spZe+1?^>v^ml48@J8(Y2ksSfF#B1`7aPqez=6LL;97&6tj3sF)5t;&9BKH4FMhyjjzyVHTDB?5UG6o5sPM$&)a9(gcj-DprK_ z95@tq0kxJo>~>L;ln{ksLxAJF>UO6QWfkdyieHtxDu1Cu2jeAB<-R+FkTM*_)wqf3 z()t|A>3134jrpz;C_^Tb%`WNH#1oh?ejMgZo`^Y9D6=V)-;^nsHI+bls$6GM-ZN+J zgM$w_1oKWj5pxba5MIoOJ`Sfh0Wa|==9-;5Q(e9f)zUJ`!iCL5bwnPlbCie9YpX=$ z1|#wT9$npOog3cYJ@=s%`dx>iTKw%^Jv)!XOO&xSyJwE1421+TO)bA^{^ zix>BJ9A&M0Q!XDQvMLkDk`>}%gv?M%z!~b?{dxPO5${VI(wk3Nzi?qSpC0F# zZt7jMC~R0Vb4A|TtEqB-POJeK0W4K?tP4(99i8X!@ma5*RYR98D|tc5nRkUG$N!1nAkf?pHf7xy#Q9Dl;=?)H7}p90a3Qw@}E#mlM8 zc{~B_I~6D1H9^kv_Ib@RdK-bEm%z$fF54akxu398Zf9-ucrUsz2w-^x;MnhrNfq}j zC!8R?YiEt~q!E$noH0HM$hY7m4$i`aA#fbo4(mMNUp*10Pz-XpN%UW%gP|prA$yE< zUuYy}?~_2C5%V9Ohp(HO^gC9bzd%3gBHgo@v`r7*yqeGZS{i;g6Hixc^!nktpkAeC z`!%%?<8flefWfi*DHOOVMxumb7%tLPs;>-{xn|K0=(0XN=LN^OZvPuaEP|F5r9&vx z19Z_OpqLuvIkaC&rn@>Vu{57vM<=AB&@mO=(qVo5$ zEnI}`$|{ALW^S`F&u;;w$AtpAzsPCy65(UM*vl!~kDRi2+5N}eu{K zK7%l~``jwgh4CUdlAuOF<=Jp1!>+x`h1*y5MEveEkF3roVn-8qmf{7JNn1M0IfE&h zFaj?Z33w1Wmhgq@nE%NQ7o9VmPf(}-?)Z20_usO?WbAd;x*rj#!}wslXGh|l5!9&G zRTaB_=d6Cmm3+j!21=zhti&U&XdzTB3YuI(Y4?d2(8%AgaTB&~+JqpV1DqukunYHg zZ0aUvF{-;6C7>)(0?UD_=}{bNI-vWD#996B`I@LumZMRHvZO%;Eyu5p;Z8(E9BP6f zKcVn}$d0-5rY{fkL9QOor8?&HDHalI3+aE&<#XqsbmGImIOQ+P>X}9<@J^RT=1Cf; z&q18xGG)&@H4JG04;Ld&AnB@@c|j{2F#uEw!vxRY{K=MlKL34)Y+#j9r*s@~fo^qk zurO^%T(tVn=m+3DihtJj;X4y<0N{90G=YLY}5dtQqbt` zFp{!YOF+28#0UA`o|x;lod2dndtugX|HrLcGin65@J9BTeoxTC3b^8nw5R? zBb~{Bs&-J&VbpNEq68&X9mQD-jR3`EsJ*_Bc{>{#u=J5fu=Js&XxzCIPG9U(L?OpT zaP+MhSe~P_gT@IwT!CXg=M5-m*qK7vC=9gMS6+81tW^;O5#Ldu`U>#ox$w zYkQ-5l`v(YHPfpJvu^U1S^7EPC7M(Ku-ldV000mGNklGW_8kn-wB!h@6m71U@L_cj}|Ut9OCvtE@MdCb-oT`TKd{`lj#=e{Law{{K3V6H%v z6v(*VfudqpC2u{0kVh5~@C-%cj%k_)8U_lM=^?=qPvazjQl0JWu>STiSS6u%=g2+_ z60yB3qouIQNM%(HnpOanYY}MN=({`XR!@#^AgSjFY$5M^(2;%Q zgAi69;_&bhipXJs zdIPM$57RYmaT+cgz7FnmvJrE7J$WeoFn5qt( zbx)S+VlONONBrTEz|+$=ueL$>LpZlC$mX5n%4A6D<|JT)Ji=^$chf4$4Xtszp{aK4 zrkf4<*+6Oy)m zR?}va%YB;K<37i0H(bu%Qc7f4gTnsKF-6_sSj<6{PngT0rM@29Hmt{{wQI3~uzvk| zY}mK~8#ZmkMxM!U+_D9Y%`MRFdX}P^!Y&|9O;h@XM2#shg?WYgxC6kj3j=IqJxi(h zpIZJHQcX?Z)&mg>^eh#BXbdcutCq^#6#?`k#qUuhW#AZgz7O>+!+{?|K;J2T(J*jA zdZeoybq89na-i}uY=rs|Q^i|*oCI_sN{?7tVi&ZfGuX0y8#Zpa5P=0Ld`t|Fu ze%(53q+Bnq%Ov+z))GEcITAZD-ZqwGpq`BL*I!$heQR$XE zU{*)0990O%4elg%TeA4(#@2w~**a+E-fM!=Dt@jt%btlIN? z{Cx1DMd9|uhBZ6_`Uo4UyJhscaITOhC7)3$0^VK02;dmd{_m)q5dpVbg8){6@vbR+OFk3MxYa2%@s3@0hOgj);($6c_+mKypyc~;ittUTaMFxn9tFQm?!CX->Zw;D|p25?~+en(Fh{zqd7$YWr?JoqCKNJvxu+8gt;O z&W3w>^{>otaiLkwfFpG2m?0Us(GYV~mk3OxjL_1Sh8@1a!dgdMr6s^;9TUM}G2>mn zu`2Vf9*uw{OM-@->E|r)QL3M<-SHxkb|Gat)nG#HqM+dts3J04Z5d}F1hfMS5g!EY zW4qPC>|JSP5#mSbC7(Pv8zP@!Pi8$}BNbZ}zcpNU6Lh7ot9MoMA(ePQC7+MQk)v|Y zsUJ@u8;?hjqpxXsrUwK|0P!R6xJkyH06&pHO-&8rK6efxX1cj4Bg!X12%WJ?#*?Ni zs`|TumTLzK4n(NTlwKrPwpqiabY@b{4*G1`!L?I0%pV(Oa{ELn*IctJhY2k$qjC;* z1t7bfjdDV563C~k;r-vMPPu>M8SEn%z!m1~^VYd%*`yv9CIcYd=OWtQ@_8DcWTMZ7 z28XEfTstlmZy!s15QC#QQo4Hy9Qf|9ojrcR`}RSy%NL*Av}d=yqTz949!dAN~pUSpP1v?6!nH)Bq^PclY$`e_nvu%+dduK(A|;=L#dGKbdr{YlM;1 zmxTn_*JIQShlwvA-CUD?N009WtXPz*$+tXUL;D#vu9eV(BjsXlq>M_@lCOC>*_Psw zueSndmfDx)5asAi%a%Y9OJViP<3iQOG)DtK6~E>77pVM&3cGgnXiT0m6;q~8$K+`< zFljnr+Vq02;RyC&T!DEr2uz!-K)lHcEI)b56ilOk(Cj%lV8%Wq@1dOM&f$nXwn1g0 z%3ghFq5^r{cus>ocI9>VNgvqo zaFCx~lGxofBA%5IVReOOipRwPlI5?x!3)YeAbC z6}lX^;&l6;BeX&k`%lI>!O`=I zc*o#`qmIT2M;?U}jyMu09CkS79eOAZnmH47)iqu6tU9Ftj``%73j$UAMhB5HUi8%< z(5QkYQO3mYLJo@10g7!^uS0rSgn6vFETKbi3~X?4hm>MOi2YxG=Bw;Q^aq=@CN$*`XP133fx4^e3rTQFh(6a`Un zFX@c$#|}%>)V;MTll#D!)83^Wjk51p)7HDc+UDoeKj+~5J)G6A1a?FiP|T53fH0RH zQ0WR5YT+Q;)Ur9<(i2VJ1-0VrA=phiyO#=iR@<7+KnKt6xg#n4kpPt`EN6Z7OVFS4 zgT>|Jjyu7T#&{oH|E}{+?}=XhBR^|)LGGInxsNR8JK~a3lu+_@hGSTju>uNV$1o3n z0s8F#%|moW3X`Eo36}dEv>5TVOaw$KcckltQ!F8%5g^>Q-*>dNRMRg)qKc;hF+^=554-VPOrxxz&lXfRk@BY@zyu12jnYgww!{&; z;54Z#S_O=N(w@Tl@HMG01#5gu8YMBbfP5vLgfBS?^%(EVx4Yt8j_7xoxfxWj{rK7?Nqea=!**%Oya!sR)IMKK#Z_QT#noSp?13Ashvu}wK@s@ zSzetfkBo#XCxJO@ZjBqyOsyI}X{<5we&4Hp=lB!PAJtV2tN-}LZMj_bht9ft;9QT& zva9l)(;NqTs6Q{{nPlg@;f!-WsOM1Kh!u-EP1qf|5EHKvBL@L2f!?olCWmY;4^>{h zV~=2TCjs4l+|kquh5F_;G_|Fo9Tt7rGT;u9Dh`G2%2y&?AXS`%j`L#fVR1wgN0XhvSIEI~eCj~=AL|@}p3{**jK7>d`aP*bnZa|Gi zrzCd)i$S53!m=pQGY0ymzh702!{#1|gAY6eW57nlpbsM|iN5HLfD*7pc9zdcwVr)-%qc81VJjym>Khnk-;5-b~ge z4w%p&3+lMa1v-bRbO%YSZ^c6=Zey;g`K5Anj=l2eNVrlGs2La52xLm4Zj6alRZlY_ zA2qS~*;CHEuy*%4#BFN!UxI|+Wk-L2u=_WAcQ4d!ilgGUdw%t={Otfle`?e1piKfM z2RGV5qR;=L_bXETt*I<5C$&DHkDzoT0rp9xvw5`9plZovX#iwV-AWC z7d5tYrJ|EoH>3uaEK(yzPV+tUu}$whw}(kNX&dHDe~fzU|D2%3m1-44%0}akvw8`@ za0ygNse)1;R9FyBeF~*8sIW*++t>j#jlgW)SrPB;P8cr(rLA=cmHnY}568?|v$*1~ z0f^IqCKc~+#X~Cp)|O@neKi8Oz@V@wDe?fl)Mr$K3Q?4|-T7lNwnN(jm01~Ro7L#C zLgPx)>BAIc<5)&P%SFCcQUD@jd?v^pR)}`IOEPI2y>J7m{I9X{^;1rKXf?yGBUb-o zQxBVVoWOf41bY0yPJlgfQN+;)fK<-I#6Z?K{Og{j&$pG=x5orf&crJ*?9%z^5UKWJ zo>WhmEaG|liIGp|)Bb`kjesS|K8bd5I* zsbpn)AU%I_^ZzZJ>x*#{;4q;-Eaf<%rPCuuK!0S`8P{;K_PNihJ1Lf1ks%GLfJZF3 zAVek?M210ATN>M&+Gq^4K#hT1K7itPrZvbo)r5>DjW^hsyX>KbCs#AvwY%k-Y_>Xf zJJt1{0qJ+4*l)iBu;0G> zW8c|xFn-*40HjJ4!+zVYCn*+oP4HqKetOF%000mGNklE6IqpP8j`*zIgtEeQ21xO^i8JAYC3k^pE1e zu>+2=kYi2dJa8)gDCv-Pp?NTgj&d9^0Qw=r{-ByfVg@@m;`KuU!c|%#9_zM*D*A#!5Fo{! z0yPG9Hn*aYy9DW64%Sv~`_jP~h)fb=-aa!i;Xl}Sq&vo1Pno*I`2Kfbuo7I`BDxe^ zl{9^JCenf`p;?C=f&Gs<7OMPbA8;_{?0+Ek<+=R6bN0i2RQ&tRnvH$;nThc{pN|wc zY3ax*fwqvmFtw8_)}i%8P&5E)$BxG=()Q!=Xr?XE*%N-2&uH70O=#Y}4f<0(J}^%I zYz^lKP7nac5Tyl5EovO2P@|zMUTbS=FmviO?8{w^{btXm?DoZeZ0EjeK<$43<$4fi z(Xg6z@LcSB&)D@?l^a*hwX$-3at&iSTu!brR_ z65y(KUs4hRym%F=#!rIrJdb1HC}Z#`xYUC2C!RlA^UGoDZ69xwZ2Ink5n%ttC#U1F z9HqywqvBTsphu+P$;^nuj-72T`kx2gRoND#5)d<$`5vKPPL)$DcLBoT8%X`)Z*ND| z&RG?UK{U_{vyR$9<*hpdEj)gyZ%&~>4FMVkwsMAm_JKLZmk+GHXu;7vvE=VR?Fljd z%?@DyVgu-)08Vub2nX3DDyT`b_CxL1@kmtHB2iV1M4|*$NF)gH1QG<#^Hm>0yHZD> ziXu&Qj&#+B3QPg4Pz=DZDmP0S(`L>_qPnIFIvBPzwY;;rJXijku;In$VKbTN9RQRm zemL-oZuIH+d^Hv_qhtFEd<)wdkHt|%StU51B~*416y>S1t*T+$Yf(LVEGBRVWYX;Y zP&H~aiL0Cl3~3!sg9S(cZjPVH>0HU&p>tlo?p2(8|ARHm;S)9V_n4!oksF$wwC>uJ z1LTDX{?2vibnQ_=bmHX|6&2%6V}m033MZqQiId?cY5);mAV)jreT-*?Zys~n2gae( zweHXV+Ys8!pI|L_0_@`)G+`%{Zldhk-0HJ?!S+8HY-L-w;mQ3wZqqWO+=Y3s3gV_P zO$fcY-SV?kK$&c1SEIXC@(NCFV~ zOZBIqNBhSA$m&bxkL?OAiED7s^jGKN<3|6MV{0jKI`%OEd@85W6DCt3MPm+*NCO5f zNSY)8C&hq9G)&N)1IsZkT=h?!qPDC+i|h%|XVbBkV3BZeC#}%^2 z)v^A(ueZ9i&sr+sP=V*bVHpGrtAfb$XiFi-t>P@V@=K86nSLgnhC-UYLMlbsx3*yW zwyjvR@_D@Y)Z^GhzpZ`;^yNQL*?@IHcK{;ak?9hE_BWy{O5v?H{`;CQo)1Hah<9@n zC*$~lPsaOi@Vh}7RPwfk3+s%DzttG?8WI{!*rQJ8s0^QJ$gwj_j5v;gCQgqJbX6Z^ z-&OKR+Mp$1xUKEbE?*Hr4Ob-bx-k%Az)8+$9Y@grZyVT4C!cche(3aH(zY!6%=WDK zf3P!EU=CU6$x3G0)ze%48Ah z1aoWnxxl~-5`hv1QTJ*d;fFQ zf}^^^(tjdTH+7bqI(zm*#xr*T(u}eygIpHrwpIk(sjxtF9zRgu73n%M1+qqRyBy=3 zU||he_Bo`*>$R>Ojg5G5?HW9{@&!D{E&69)coxq-zXH#4#s2KGPh-WiPvO}W3QywM zXP(50r%UhzR#3S=^Yr6TSn<@qu;R&o;#tD;gjG*JflV(yhlY*ok!x=1sQfuL^d-RP zXMoCmsZkm(f}^i6P&t*C3rRndYD0#G2^c16I;BoeT`4H8mf3U1u6%MjWm`&Bj6p*Z zFxjfqna;Sk@G;FGK_To>rv`u;bxw`3;o(Ge#u^(lPjywD=_+v~ZIBY6B4>x22H{^B zDW5BZy2;bwC#nG=0Pwh3cnBcx4P)L%CT^}d8VeTiTnz1(8UZ1X1Jnp`&h_{cK}Q3? z?j;5Q1oa%vy&3>9CqD58ZJDdm$?!P9a-wS&-bkQN5~zw(arFtadn8WcP(!ShhFD`; z8m&Bc4s_+&eUV;rcvL2Gs5SnF)_49@z%|#f%K+mVGVa*7AJ<%4SN$vYx0gsT02xsw zXSvGSzIHX5c5EYG0d&DNU?Aa=(~6yr-6Ck%GHk`b5h5i>q@L<(qEg(nb#w7Q>aD}Z z^=q+l-5SDbY+Adj9X6ByE$dce>-qw0V|d$!HQ2FXEq1WXPWttP28J6qtV7$jEy%0l zr|}~^3M{PrLqv+745?g%yg{MVpmLw-ec_*^dX%RcgsnV!s3%Y9=0=pBiLfrMUx7iU zM|W;NxoKiECr7ag-rjTJ*>lB{cNj5;k!*~x$DNK5-Qi(39Tr~rNZTm)NA&B7T~#<@ z0CXjlL8i^AJuC*1i5zH@eHk%M6p7JeQ9XV#jQ(SfC`*J$vp6W;0popQVrt5nW9MJe z;p|h71H8~JwxRn!XYF4|cejrP(KvvOw*PxQDTrzv;+vy^+YrR;j^66Yxt!0o*Y<`7 zphpzTSt*syBA*XA->}>Fh&_^7E`bDBu10%ddEx-W`W*CFpozNy3Rx;*H}Ki6irV39 zuXf@ax?^WldLK9IgkzuaJ+qh^r6E#s>k zn>S#~mQC2q{LNIFTefe7D&>IX^aZ+dU=oKLYo~l%5f}r1z!u?o4Z zUjXi0MwDUPr$YA`_vpu1&ZkWMd=5T+Pa(*| zm4k3F(mVm#17%bMdUP&o69bw{1Z{6ueCsc6w$<;1%1h<8W$Px&aAQH1l&Q*g8;y~z z>sDbScQe*=mqLvbOMXS4e+eRKI@ab`sRF?9Kc4U!%)2y(3SAp6dhG-%{&yOf(@3(8 zu*aRYHlw>^DvROa#&Ln!0Bi5zqt)tnt98Tx*i9sZPLO!j=n3r5wcz0DOwDkzjqw;j zUkDUw7r*eDB#?8&c^`{~xN!1m@7b^XNMOzHla0C7s(VB0{?9u5TWYzEKd*_xD-AL=0@AuOqlx_|&tV}G*`GeJ<-#*3N5zFBi-E&dEOakyZgE>$vu@h{`({Rs z9s37?JWmCe6DmAad?6KPlPde?pTWjwpTq_l1M6rEta)JtR=@Zx*1YsQ)~tFFYq;v( zLFE>(-)PS%hmdu#e%=etK>*nWj^Xk&RiNeNy9ztjqX0`|U4c6#LQo~{vk%8Ojum_= zbd5*pWnqnb#8-uH=nKa_+JQB){a_uSFO)mE#jcAn^4#7AW;gMV>nyLO%2p#0ts_94k|x z*X~4Wn0NH3YFCk813Y%=ycneVY%y{!n^WjF?Un7hK*(p6)gvkGB*Vi-o{xV`)@$wX z`QP%Y+ci*m;z)Qf5^(UV#!Ui*TltQ|3cFn#m+-3UVB%GP4n`C&RfK|5oiQH@ja)Wy zOWkP`Pkqm*VlKAc{qeTy^tgv;GJo4S`xED!ZhPu@<#-QagIo!9kNRwMMj#DMTN+Zm zF%q|wk?X_vxO*eSe4SU)w6HT&I3q>?1=2?+B8ZLw==ZTmpV0Ifq%t|^uLRm?41{6S zRr^%749R0(IysQUTW;skS}9#$1l0Ec#_<@Swk_-SJNl>>J>UB)C$xGh6R5&5R6dRh zHLqvU4Lgyp-+>GvMQCf>iPpw?v^F&m8j($>VL4lN2JKS{QN5Ip6Pg&{x{3*!?wDo? zV48xab*9ld&T$Jw3Y+qvQiznlDtLlNh?IIUU5KYp*v=<%1h(jsRArgoxg82A^(osN@tm&w$)`R8 zp%3MWKn}?HFU^9i*@SZO|Ju!3q#ybCJ#E`55^O zD?qQ0B$@^C;OT#Us-Zi4(_O|$`T!-6{G9lLnGkf@@pSN84kqKr5vv{zFGf3ogAcnd zo$wA4;6jM`1U&byN%P-(Kxuny<>Je->u|{9Vb1=LX8QLyfc`$eYTkBs1a8h3-T|I~0_ws2qzR#8rseqhS)%xX@R+g*_Y+r)%fhxpCs; z^^@i=9MpFGwoA^MYK3zr%GltiVHkYF*>JH7g9gVz*{Qlc6>YY#jX=`&#sGDL&UKVVkC^?+%u)HP z5fG@H`&IJa7dh_xFsdAeKmH{(#RI{>P540jz=5fv1dg-}^}>=!=y(UmqB2jkFj$zEtlyaQ+& zfuj!KptJ-hfQx*AW;rl{PSY$?I+O>{IUX4RDikVs<$xzJu$DRJ(Q%WxhZv9?tM6R@=xX^5oJ%8>lVOI3q>J zbb*0jvh(Ckj^Sd+$xc>v?}?8*vfB&e zOmBClJv0)ihym`^QwN)#KWDkcpy2_K`1dLzf<$x-&}Fx+m@M=~yVguD`o}_gCd$6rXWAli zI6QOa`Hw7!MTM@pChFsdEnL`c1WbO_Q7a6vj7q0bIN{Pqq>Lg36> zgmGQn5*=MZR0%sYMBoUj_`{-aIes-AP`L>#NM3=3x}v3Nst}+JR{#--UvQ*Bx+sBR zOB6J&evjY*s?4d>5dk+!yfWYpk7L~WFBs3Wd25?FY<=hcpyC-4pdy0$9pUdd<2HV{mr|3KW1-iIJ0avb@YD#%)9C6f^G>M$ z_EDh(s$$fu8en)RT}b87mdTf0` zGrrs{7!sGt>8Q7eR0{R|p{zX0%use32IVG9lPJxW$<`rK_*y0c5+yY$czQ2_ zEBYvk!ucXHEAHHRJU%2t=+pJYg=f|xk$5``yapnp`c!C`khEXv>VH^wA|0Ao?<2C^ zt?I3rlv!^mBl&%jfO9f;QrjdW@?XT)6+69-jt>Qv$_Q>($1hSi)nOkl+X)Jt2MZC`QkR zVZ5rE3vlv6X>^c*@~=CW!d1Vn@I@0SD_gUD+zZ+TS|>*baN%y{d)3W5s=Q;05vy~gRhqeqdB@)!=L*mz6WXq{br-16nU z&cbFmnEE%UL*{+zhS9NFv(O066Jb~ErqPzG(r!Bg3;Ky_#ApO~GzP?Q3$GhG0(i`t z!jX0si+##ieBSrnhjTUIdE$FhLeJdeZ1_c3{E$QKL4qn-dMq{6PS}2*lITM{zKdlY zOs`)I>;tJTQB>AxZaHW44O~uGT_TMnMiMZ_Am$s02!`XboD_9+)ZCUvu8WP&J6W)O|2^;uL^84;|VMwuR3rmrg-~JcO%%P<~LOis`~|N!hCpO;dpvePMY%1K!J> z)=-FRej(I;&x*y`>Fv>;1Mj`y4f}Dv`!9Cc0|D`|mt86DbOoUuHm)eyHYe`MSeXAu zUn(_yK^np7NdiuezWkOkA*#<7F&_m?b+_0Y6jle24v=n<1Rhr$vDz{4t4G23ae%!W z-CiOBj3v&=06q-k{ug4d_H1~ugEtFs_XFkz=KY4%KTd_%%rN^2??dD`<8uCu43u7L z$Ro&dg4jgFu6bg{V4YgwIuQG_(j07^FURsirW5*q0q75xD;NQJ=m&#xx;xf~ij60) zbwPTzTewh-V6gAI2*8cwYv68QxX?o4OR12!1?qxGEwl4S%85SHAyi=Pii}&?VX76m zwl+j|fkV5`Abcw3iB!rn4m<+W4>|(lX$-JFL;$^1atgc3b*57uCkre@d{Y2x3<3gb zM`6rHzv3>_>Z+nU7fbz+=HpA&}`y;u9h!j7SzhPsf2nG4FX;EDLBG4;1 zM^Aws9b3YKh4Dl+caF9 zQMhgsoZL025%*8e$4_T`9jSUqs>pnJt3zAm%C-`8q^C?!+F(^rrxKA0W@M`eyP% z4?}XXt{5keSYL>HUYOyOvw_UmzTgiOM^~6>TH|@{zzmeeE4`eE6kY_RKb&nX7y-FH z8v*QJlj0`!+O1VhRUP;gaqRC-m^jx?SW83nUrcF;6cYzsq^Q_24WXdG9Ki7?G|KZW zO-MKFK%lz;#I+p&a8%HSTks~HfZ^6TtLW&oQi68kj%6J>$5|^tT&SE0O51XhkFlzp1we>%w8C6qBm+IzE1?0fbpnPSxGO&G+X&d078RA&KBU~j>n`BIg^uMj^Re; z^{InkU{}mo7w=2ay1JGO7ZsZXt}BbbFC_YmqsIVg8UX=UG<`1gZ-yB6J$QyaW|-S; zsXS7gF!h~)UX3(I9dG39T)t`yJMr$!(hykk_iI7}`yiXKfs-P;JVQiQMFn;^_RnY) z3o0;$Fx7_C_ASUXH!|v=I;|_v@vCG=4RGzDD5^JYM_1*_(+Z`?wvJ_E00oZ*K79-6 zw(fEo!xav=>Tlk(1|fF?w!HrvOSmgLK+b1qSJ)2=qER5&(8O z$nWCm*dLhb2tB%Wb*%@Bm=9BgdRjms_J}_0nL5X$vRQVKUYk-W-W>b+W@qJ|yZ^Rq zb6<(>b%N_F<9i5C4*2l55=UQt%j|I}DpTM4l<~Z)*b%8{q5Zo@wj2izA5xDvyJfP6 z>ybd5MnGf;wC@J=T3tISV)}$}gt_GMR1Q)-8ep^?rP6_ff$O+B>!yZZFIo{;=WVB4 zI{t5iZtw?_tdny(n?r_R^;ryt*ekTGXAELA0z`(gd!WlppO60kfR!|K5>8*=OahF%u} zt1o%;Sl@adWFI&V5H57ES6!CYSt^}Hs0P#UamGF_&%ovXlH`->Yqh4Yi2v4j3vc(R z_(vc6(cAW~N{oITXUNN)_}>s?&PVjK6K=9|0?`$IPjYg)eHIOtp0K*k6K)Us+zp7= zjfY=78YUKpaNDqJ>>g5O*VO~opt2lXbx7z7k=+Rq4*&oV07*naR3tlVOu{Bk7y5q< zIu;p%SionXE6r>!51q(|po*6@N%oH7F~FW_hCY*)R2FIo=(`);bK%DD=}e8&~6L$sP@p8yq_&7_dpxE9T8UO=v;86l60IG2Mo zI)IipYCy0|lu=~BF~bp=E=umsFQ8K`iUMQwIFCSqT=iJCJDQbDR|S^Oq|v%%0~%j^ z1_4+9P-VvUM)IPsMnJ?U+pJETfG)1?(o3ig$P-p@2K`~t_n2gW+jquQoCIt=6~K#Ke5xc;>&2$bOtrBnn1=A0^=tjW^a3pQZ0f$zm((Pw{h*W0y=y4T^a+%)b|0@2*~&K z&GP}*^ztm2i1}du-eb&%oH_NSKz&A*%BD+3M1%_9HDkrrcA2k4{0IWl-g;2u_l{s{E8-@tln$bc7pyBx^c_gq2IV!(=HiLkDC7_WX83kbgk7d;e zV4vkQ;8+`hj^q&1?+I)H8)O90#il@X43oPa%Bu0I%B6d-2*_8rb(6UcWoh69Wsv8J zU*GmmH||8!+85FA+~WwEXghI^Qv*OKA8m8N2yhUUA%OyjT-27bo0NsS3_4iu8f;+R zFY9H^-|6@2rsk#`CLXSUfqv?@*D87?SYZS;T6G62q^v7Ux?6I51X&tkPq5C#6o~5< zv5O4tbzLO?n?dwJB)0Fqrv^d%omS#k88J6{p8s8AybHwh zW>S%Rx;+-8Q^++nA+vKk{YK!_ulOgL*RDj{mUU>`x`D6}xrUvQ0pO92r^W+)*1Ri~h=voU3ER}0G$ zcMCdzJAdx4*;fB2Sh6J84WU!Q`h{;8FHSxIkwaOp-zj^KN7)|a*k3a|VjM#lRx_P>VrRV)2Mk@{BYt?AN}!+!#{rO z{zo+4!mX*FVWUeX$x0r!e?)a;BoxwDpwUAm;A8Y z(aWq~g{G(ff%@eSpy9Fm(fH2?(e~og&?5sar#k@}Rs(=a2_)GoX!Sr*ZK|ihxTaf> zGy|RKxV7NZ`jcbE}mYvFfKLz+r^kSQC#uf@b^T1NLlIXpIvJ>tIrt0W4X|~GYM$-=~vw^ ze*=Ju9Xz9-o4h@K@<(s4p8LV?)*XHMEn`pk^p7XZ{rD|YkNWJ7XUzTRP5U3wH2bi8 zZTzIP8TW>&(0gZI5|@jI>wPh|8sGfR_q;_CGvA`Z|1UA}DiN7MU`MlJIRS+nfVv&1 z|4%%#V;h3j)=1%ZmUhS;fNXOkEIUKzJa+cok_MYV%a3(&pbnN$CCdxqG`U7inUJRZ zdM7MPmIOIxwm2uN+p&is5OU(z57A_3v0K;YiE9`*+p|@$-=mr*t)7U!m+`!VTgSe; zl@qW2kBL@tmjm3e7zSBxQL7OUbTyvHsBdrr`RRTOZ21j&fly=17Vr_%XdpVMd%z|* z2>XD7DmFud!(%;$bqWF8>Q@lm0;fWBMF3aQYA8hI*l!F03M8q{@zxVCyUYp03iOJu z+p;{SaOA~tf#JwQ0rGH~Rs;}7$?Qgh3654pR94%;`OM|B0Ou<&n}tvCNY{{#aK4LH z{`3vypo(8XC@YYLu&oN(=G{5h+It4F60+*&%c;J?Q^^DEO#5umUs_htod6D& z>-(|K8sC4HG2UskDrZya*K$5FG;5_4NodX|VJ5C<1*K zAmCPj7-zm}z91 z?%rre)Ky4DJ9>&cHBGH)sKLhiIylyQY^F8jaZ`un4v_%f3MOoh1}-^cKV#I9ZO0_E z8v(*GZ`25&67>|q5QZQGlz{0V9vqvgKB1rtL0S%$Lg@_({fu?92n+G9VMl$4Zp*t; zeaZ*xZ0DzFq-b2{ELB83)eq%Aq7gvY_kD(Aq+zJ+g#f03ac#3#l!YOVXq{ate`TF5 zD0h4&<P zT2qpvY*VHJEQT4cuU)> zU64IL2ofL3BHzB=aJ2Kn1A>YyrwVa_M->qO538a;6q_L1= zhhVsb;mX3Lw88m&{2ZK)R{P-SRJgRjP*h_~V8)=27bo5pC-NxKIkSS^@Hw^G)d(1Q zDR7s}<1yb)c>cJW+W4AN7eDm3lkZ%5Nfv<$(ha%KfeQeVK+te${H z6tw`3UOR9+Gu&NSr}d};w`@k_Q>^NfM`#)qH^^I;JVe!SXhk?dyYlxL7Xr$_ke;^N zkhYLs0UXrOX_pu26`QOff+K+PL@$@nP;?I%!Hrw*zOAhnWNf|g%$j)I{-+puEphiQ zeMN@Ug_M(i&f4mO(}dxH&^h;{6Z_i}?|pRVKÐ(DO2QQ;r?v9Hw5{pgM358g3j zwrd)0a65tzw#!MT^2SmMm#K;qLp_AOEKZ9zA*S(qEmjc-gfZN6ok-muXxe z24@;^@1#-iX=8Asf&7hOJx1UWf@|WqOp#8WKDAMSZeQ-IUK(0b$mRoBc9K#V2N`b? zX6Es=+jZBel-$8@Tr#KG!LFk6YHZJNph5$Oql^4Vxsk3=$wt7*+*k`Cs6td_=xLas zX&iVg%lxQJfsT$x%OKTqWbt(8D~=-`Se8T>(inm9Zp$#w(Fg&Rb5CH&pVHrr4#`Jy zqp}jx@FSoh5Gj6QGp^~X_)G09wO?4b@=E!UU00Y`9ocSog$SQ(drDUUN3(-GJVE|$ z+Is(uy&m_uOD~NDCVrBLxq|dO!d~atp6ERyoj-<|xow`{FX>eE1B0p845sja$|jR$ zZu0i{+z;MfcjRS1n~|@Hoi1+DM`K?6)|#5Czxr|iu9z45zVTz18{aH2#y?Puj2Dr( zK#YhCsMbEeM*z!^)Hgt@%kD&n3(MHuKG5f!2SGC;TSMvQ=h?0nzMb%@s$ zVm;sA78wRBT2H<6p|vy!?mOkKWjD|`_@B|E8s22`_BAmvZ{f(jf~&@xL}V%bbp#$A zxReNTq~7a01)+7QZ%$GFQDL!wIx3}@5$p$ytNLXgoS4X&&QGq}@{T-# zbC)V=!*TBwLFiK`&^!>wl2TXoGYi7G$RqeHqv5C=Wv+kw&oc#^w%|TT@Oa_3Hg}2}C=?i*CHBUbv*3$O&cy;CnrrO=-C*ptc zVzFyI-#b@~*&kwRAmWKYdXq!%`Hp>;zz(h}@gS2yj@$VeZtb^i*@X1g&B!%1LRb2Z z9lm#Z{m01hC?U+G3w$^Z7P|gZ>AHmDAl~b?|BI|T$T&`hlZw&4crK`M&76=2WzqJf zqV8}kC%kkfhqhD}8txA7-yvN@;2H0rM3o(@lQ9NxaR9r+7p=&hbnhcuPg=b6VHyQD zoqE?pm&Lbb&a4j8r^XE4>Kl_J-XFPZp#P&nSLj(*r5fJR-_2#YTi2-X15imtnIh~m zazKr56H&aIo3+6zah3)EwPR--)%SR}&qNb!vpWeXBnU8)j~Y59O#>JAdW=93Zpi=NG@R8R7Pwrc`rFv3iLKvYw2d* z?#d>DANS=ae{0q}K00vzM-Aiz@ENyPv=;?}z@oXe4f@Q6jV*Q_CvF9w$8S%%=i%oD zTdx@`fu74dK{Dwddg%>QpMSXJ&9U0rADCG6U%goTW)t(yH^%J8hwJxDqwl$t4dr5C z*`b464!O2AWE%@F@U>Clr>O9=^*a&0pvQsGcglmnWUtRQ)Whbv$YFR8ly)oXxEk2& zUH~j|$w_gn2*wwqee+sIwc5}<2sjF>Z$&DN6>{=RWwJ;Uv_Dmv{>zD;?|Ea8$DGZ} zmseGi@8gy)&ma5Oe{DK(@k4(*@y?}R*-$s*9dSSR>bQ01c)(}4qQ8TEN8f5zV?g!j zE=@y5TGCl=yXIi|tQh4KBKw6d=$S{G&=(f<=Vqj*y)n*hK0z2RDQ=CIz%bo$+I72? z2YI&eIcFFGBCrtRYZ(QxE{dyxqcVsTJ~e(M6NgUMt_02Rl-W6INo$z|_)*KfKk4|TK*1q1 z0Q5_Gb3gi{xkt3j`BY+T&7FQc@l#`B?-DVy$myVzzD~>vB}Jc4QPDRwBE54vQd>5o zZSw}C2pMke=b9Q2rc;Pk$~r1o`EWbS;|4WE96L?L>SkLU2eGq3#Yk3^kdx6|Kup5i zg>m%pn!jX8HWa8;+wTur^s$OQp#^+S`aVD=o8!DY=rPu(I`>8-PB0v<-eIY+*}9?R zPmd3dyJPu|6YgI2&`Eba^o?vfzAz{Glj6p`*%$d1mC@6zKU4lN>RVIM5<-(+b)ow{2f`)4#ewX;0Sw^5=!M z2N=&>3z43Uy7p4T8?cm_{!bBoDRp>jM#yLMci-R_$KA8MsS=l zG%q%1zyD3ds{as+#q>*hM*&hrTdptt1)VSLxVnX(=T>@FxA3`&PjNLLDf%rNk*1>0 zHgIL%+5-I@e)M4;cIwV__GDal9c(ts=cfZ`@SHdu=sE%HW$kQlnVIQinv3KeOwFO24wT z5Aa+wn1AO#wjO`Nvb#@A$39L4JfBAdZ=_=SI`g07;|O%8rh!I)PR1NmQ(#SX66kh5 z+j{qHDFbf{aa*MWM>-x$&>;h=_zJiV1)uq>ygke)=|y>}K((Jx*?|k`oHm$75Yv8Xc5A& zmR04ib!#|k2lwl>0>O|l189nKo`PIBTmp#)dZ@|%R2TZ>yCX;6FM{hVR z){?r`_p5*5dEN*35cegWcwZl+3bz0jp>E-~wjf=<1F5Z>xT4>P43&PC@qBADLU!~> z(d$59$7MZxy%QR6(EzIer;hD*I*=Iff6*duB*?0J>@%XMQJ1Sp7)U$$weau%T|B2b;{e&x-F}7Z-OC zj|u*k$>me6sjLo#8o03fnuQCcD_X@g2iPru=z9j7k{ALaAMF=WBCV%>F_A&hApIyy z!zGC39cIuk;J65dDLwjyOk!CJRlurWVU6m~UxZgzHyAxXYkr3S0iHUwJPAv{ntX-j2>O zs(?sdQCrdbMc#8P^;d5F-?n|p_j>(x&-VA6H!2sedXv$A^aE5*H}%eHpD-wzXhG22 z#^+?&vObln2$DX`tu!tdIm!P;09z5NBvKI}AA0!@rybq8-(`t-&5upY|8FiF_9t!K zzUh@dI|)>gg|u+y-s%wFJE)_XmL!hTB`W|D$#Y`>9NVGt;7I-)_)jfSk=g1-KXcSY*i1w7=;N zKucSi3oOg7H>`tx$lBE(!hDD`jSZ&ge_`uSxk}=a2dBpbXDwcwJ^4?|Hr0-5`i)l= zyp2li-7V?NqkKkQ4j9d4k=Ikb&bY1IijE9`ay-)SLa~)S>$0HgNOlAW2ep>dcob%w zeYQYW@p}R-r1%8GaqLk+D;O$vyJ0ngl}{nuz6mbX3fr_3`4^u=u;w|q40R}RRe>uA zjR3>l04b$0ju={h3K!T{_KG2T z+7NUhAM|#ypgc@X^^@&yn5jp4jCWt;>4gj9sk}YPz6$ zoi+N(USmB{+qQ6(zXj1Yej7VIjRD=NavU5w*gAGdQXf9Y=k9W1%uc_iw!Uh@q@ZT< zR3yfZgYi9R8+u~JX=#FW24N8#dv{M|`kEKXMhAXh3+w?r_JxUjcKtE{1aPBkY8oh~ z#SFSVz;=f!opZ?K^3j%`9bT)y10Q=ZQsZFuAJ;HW$Mqg$qfoW>kHZ(O$esARN4Zx# z?hht(7pF40Kj!ked~NOap68ta+r^>Bvs2P9RJ7aOL3i&opETGtiNL;52%umPuzzTh zLm{_Xz9F7R@CjbA zY^2O-2pEEX&CfMAAph)R$UnRoxrY`b|HOlEG$=Gr%SXVnT7PMNjoQS)TJYI`$Y~3} zcBB87bE}1L{V%XcRFbL7AM}nLShLtyg_Nu=* zXMVP^ZpIq+KZ>hz9P~I~daCA_4}WV?FzS@cyhQBl#>hEjY$EZw?aO-?j-3IP7F4A4 zd0wB|wi%fn+lnjvEFAM3J7v@%yC^?gNtCYsil)gq`6rC|d3^NPUsq3=wvEca&Pycx zAf1*Bk0FA#qBY(FW2D8s8l%ICSd`Gfh7!x}?o?Km6UXj3dsB*|0pMm};Xic1v1EY9VtMTE{fUkxX#Ja=a0wGc_WDwAI+NpEKCHEK>aqW#3Gm|yvh^Rj3s&jc2V?*o ze)*3MbyZ_OXMF#15i^%eRYUm4Kxb#!;R0^qXPX+3-o6c)9owN>{kF8qXMQwDIu{(? zxMg>5ptK*d&VF4y|BC7f6MtJfb)V^6?Z3hJvHinLHkPg5A^NKV%K_@F?U6%Af|jd( zbS)MP{$d5g-5vYOw8I!SfBKZBs;d4JJ#5j6eAZ^4wbuQ!KjnrJm%Jd8%|nj^tW((! zWo>&AZO+PYa(L+5F?$hL?X2je_|oWoRKJOg_aTPioS(m ze-xHA3XzdeFa{!pPkKtn(>#LWiPoiM2+E7D`h`5h>1`K8X}h9*4TTVMFG>A!=NtCh z%t8$E-i=$oaA9?g^G@P|AKKH0A)rrZ4g2dY@v6jM z4_v%5I}~-2em}@2ljevkZhe)PsJhm8=4~R-f6mb5L3p&<=NXo+mLsLFAH<;{uxq8? zk9vmymAz8u@kR%?%v$>u8`?{}SoNoBCQV&aJ7dP1W1~i0YGU4rVLlj7<0YPH*e-#- zc*ud+d7yN~p6e>Hi?lGGMnG#nv7oCwzjo7L5dI(w@1f5*mZtXgQHzr062EfA{hEQEPDeGAyU?= zkQoMj1y#cFVZYDy=FK}d% z*o#;jGFGSz$Iu8kTa5Xl@#DAEPWHaB?xJ(vzUIO+_tlrThOFWW6W;pd{%OwSDYmCq z1EA}wqk&f#)qM6+1WwdY#cDW5IL?0sEKV0B(p8vq5Il};A%IGoJVAY>p-`^0jdc-i zO&6_CRz?=A9Cj;#g)Hq{fCrm1*Fqw5_}vjd@MhO zF~3+jcKTNKS0?qjc)t*Jg6_QlSN=!MPM>FD{>O~q6f#uDLiBhqI!lF>qoT}E>2t-5 zAf1B#cHgn%6;bw_=Xf^gu$q1UHVb!|3*7tjg0Dzo)B|<1X3eOXJo$h8c;ZTU=4?*t z`-YiJZMLyqa!rj;1?>jZh7RKCvF%FVg?WVe4CU5>T+2>mnzzxfkK#7SL2*h%v^O~R zkWzfF_MJ?z@aFW&Vw39j~9RA8{FSUItY`(h8g!0lB`DaRt<(M;QQ| zNE8Z+ml;&Ps=$$ML%8w@*i4EzEXJ&8n0E4o_=a&)+3mKtxMV8cAr@CY-l$Z=Vurh@LAUwK=w5vr#LZ}c)q#buS(p!u{!nn^%tD=#uXR5VcOnn445oL@)+o) zV~(J!X7=l7i(RO&BPFgoom*ItfcLq)BiX-XHw z6{ZPsK_41tSmiT<|l;!ZInXeNQ`!JRNJP4}W8Da+uvRUMs8X_pH_&Kha-i|ZO0aon*$@BIi zoW0S8_A=|-Cp^#IJa+8H2iM}@b+HMvr$u`y_-`oUM zzK(+u1Grc>tQac&1ggi4MeU>ssF^Shi7}&KJWzxdo+sd>2@xPN06fmA8bSHxK)&F( zvtsjE9t*S~pK9W+zz*b^cOcZ?1hco4m)IM_d?sTAGHdi-){pIhzb>=%r7jbTJ>{G% zp)g#RNP93bpz+(5%0LYP=k_}GhFUVh3gYax6GY@72Xlro-usO2eR+(R`0mD<%%|30 zaL)Ya-#LFGC1Z%YS2!zHSO2u2duK-*SdJxZh{g-b({Yhj0K>UL2;f+iYzEl58FuBr zU}+5K_;oB)4w12-_(c%*9qFu~nZ`bkLS2aJ0>^t42bfMEQRPYbEP!J=fn_6_<$ift z2PMT@xzoh*ct64pD~Y|xwfT==#Uhn2qg^}JB2zO{_NC!?fxsLCV6W*Ls{GqBh4CB? zv-0Ny(H)dO`Qmk8P<*{{$>AuhA9*YV8e!-C*?E*t;2<}f_@!Y`6LT1L$qbHwb-+Y?o> z>qPwjX1_a`gK1J2IOVl!rMgV%aw2?M|9tY@Afek719?D$u%~j z)pzz5i0qXO4%lDx_rd?BMnLJ2iU_!sg~=jvxCq`T1|Rf1`O2vHsBdk&@a&JSx!~+m z*1qfPaW0uOr9ykccUE4av8MlTg3|*BRlk|gQLcsPTL&Q+g6RAgLC7Tt7ed?tu&bX& zxb9gvj(ye%>fjYFSpdj+tZdhU5_|T_2SK#upGxNt@_7s^ zH_qkxT<>6)_^$P`kDan?S$eqY?{+XA{=u7PnnacU%Z{b2gDrrI6*ZMZTq($~lXHuKJ@Ei05LX#-MuqcqHoT;3pCgV^A=bNM9!b zDvJo0Hz^tcUfe^hx)xr%3M_y=U5hmyk( ziG}$G1afugaFv7n8V;*jZI;l3bM1MeA&nALQ41Bff}zq-fR1qmDimqu)U^IZ*q0s$ zS{ioEFFJOKFC}1H$^cQgP*Hn*8m&065k;C>k3uopS1$zIU#(|<*N8bASZEhPMmoFI zm(1s}zno}{TqKamo%8oZ+)>uqTplfLndm=E4!iOPvK%je6wiFek7ph^?vCZD;go~v zs&<}lQ_LxcLKTSM-729$?1$~$ZYHg4gRriSp}Qfrx;UBaMX^;&r3p#SbOme`Sbn$wvGMItsOtRk#hbK%W`SO`(EfuMu6@H=%lh2vbZN$()p!^eR`IN zIZ2H9e`4f+JkR@b4Ugc~Uv&1n*Ijt_;hWAqw`RDQ+xpOL+qO?>UK-?aTWIrN2%Y=5 zweD+tX7>SZCpc_-<0V>=6Os5_nL7x_wkZSQQVu$&s3DN%M#GjhurL0L)HfC88scgh z;m(2KWF`bo7$oPSs@do1J4C)?u!GZt-k?K)vPkE0i0X*yLH{qx>`B1h?#F_su_W2! zu}U%t6GP1*l->Cvau_QfXtk)+MgEbY^4Bq&;V!o2bEy>VzR=-g&rlA(=A`&7k@Ta( zt^Aco9iZx$0jFv=@jrM_z0inEAcO4BHd18m3R63HS&88aQef=CZij>Wbr=Sp3LL&5 zZRQuNeu;l>Sd^^CqD7(dvd>4qUVYRRx1E`&8FQsE<}&uQSFzJg%aG1BqafH% zL|#oe-!tYD+?D$ZCb(-BjQ3z)zm4_w1jYXTC26 zS908b#tClbc%@=PE5*eq@8ym&P!y#v1ola&0vFCBB_lwn_=RW4>VskEfAQPC0d6IY zfDJDKnG}TiMt2WbE-KGCqC_vEsg)>w^&`-TLKLAG(E-rmQoOF9fTXia2?{9#xw|b+ z7Cni@qyzfD$EB)waeyMb11PuRpbAV^1i56~7Kj_1ocy|GwdH@%;CRnAscNBqm5Yh8s-#K=N{*|U?Bc2Run*y*0Hnj0kPptPfve=e&DeX7EE9%41MNQ@rG9f2x{NT15R zERdXwJGhw%ANviEUw8WAf9l?(aoLDSJ_dsa8!pmsK_SnWT zB62W0Iu(Mv+wgdfx>*#It1Y4rlG3wlA5p zt+(=9Ern>4sjgg}%6)MdDxt69#`P)Eu)%n=V3k-3XOL1*_l4$E z>SwC>x8D6#wL04wI^e_KN*w*MTjnQX=2POC4{<^{g%ive2#swjVr_@6{B;L_9e2Q- zvqCjCxK-$Gk5yIOTs3~e{>F-`4iv!Um%n|j35Pi?sP?6X(CFfAsGO)`CU=ll}@L4OU5m0~-UeO3p-{aiiHP^#5 zH^8Vt5aF}MEUVo+0){CIbi9begx%AbIP8v60G2ty?e%qaFO@I8x?)9t4w^OI(Gc&Q z6qvpTw8xsEoa=eN?$GJm{%QzN++DFfRB768C^Pph!25yOntf)t-uCaVLFEPj4d9wH z#dzmZD0O-+u5ZUj=l$%s?D*Z$7@BkkHO*dtv)|@U+2_QiZd|=6`RI;6>dXBdxjFJ< z-=ADlHReL`yiXb9y&jC{5jE$hEaV&-_`xCiNRAfB1=N_;G@tfERryz#|gV8uB@s` zT)Sab-A6aP``p*88IErZ@H~6V1GjA7dEc#%?KJlGF!aA+MLx%=;|o;9zu?$@mU7Q9 zPCdvJI$gzUk5mJo1cnNJ7lddJ(wV7+)slbvmAZ++TZ$`);XSd{{fNH*&ZHu^S%e1j=@wW2Q|vm+3c{7Nj^oc zVeu%9ysrhu-LkfJ+DpUnJOAE9ZAu7pKX}U&&v^eSkZDx@CfCx;t@0KyTtXQx-*SM} zTW5dI(RFRs`rlf0d-C2@i@w~n8w1YCk(b?gxRIKV7~@?I@#c%jScvYfg~+$I7PkCT zZG&z{^Z6F_j-YxE5MlE@P{Iw zj|IBT-xj@_lZNg9ST(qYqOz`OIykiPLEpiC@#R<|{)?0Uv~1Jc78TxC>$=GBr53b_ zbK+IWTa7U%x-g8Z^3S)b@(+iPlc*+_;{$t!&*xj>!v9@m-J%VPuH4A1-G+s3`5*Z| zx4uED;-BEE`F$cdl$|U=T!gtCk1m=CO_4%&oQO4j5D>8JDnWQdXxz<-u`_dCEcR|s z%u!5-(}(cm+o5fCH9;l~mY=&pb<9>7N9Wpa^KF6uB7 zo_F+MSU%-1%jyBSk$q$vpSQ(ce(7YBj#eINpQ<-Aew$5r-?V}+lAkY# zey76WF^+v*q%av!LqL_e@Oc*ioEs1+_$W@TQ1DSmkKzn>aIQma4@W`~caIqRn?^gc z%Q?B6KX>V+v4jgwFrF+F5qrbOCo#pro`G|&9rjCzw10V2> zu(&>zNi06*_e&Znh+$=-CrL*Jz}%1AFw^tRMPznVzO6-uU-|1$KockRzgXw4H!kzN zmlj>S9MRADc4vRi<+qHji;a4x@%>Ly3I9KKFkLC=Z|@LfGLhoXx3s|05a1Kvoj^ZQ z_@qL@YCg%EvXEPArtQ=0C)~N9Rm)NCIV%4klZ`%s42ChtOO2Jt0I(f(8`}s~`ko(y zABz)c3~*;a<1~O+E4vl%d$*J6&fr+gyEGQ@Ilx;k=9X}Ry~_c#xCTgM7>lt_Bh5ad zzctS0qQ&Ac*8YmBN{0cDkYqMQ&NL$L2Mmw>x%e$*(^Ukhk&~odCci44ZS5@2*vU2I*`* zdKYKd7${VfXFqt@!hSt;_M2-*&3N>TB}+1eti9*1N>gI7*joj1SU%O_=ehM?T73=& zo9ryyX0RLi(0|C^R(U-P&SNAa=x^ecHnE5a9{Er*YoW_ZuT5%l}X5qZQ zkw+J;aQZu3%@`bzH@w9DbaM>uHt&$x^_~|ymV^BgV=$gPN4pIHxBeZ^^#)f}p|lOy zZ@5xypCAg!9qu9qhQ|S3WB??fM+6$yG|lUPycb3Itj9XY+_8z)>4RbGv_CFw@gO(z zx#&czyEB6!H!NkzD<`5{v>M59RiZls!&31px)Q0PMQ|YD95(aAo-dy^G4t7~n(B{i zUcLM+YcD?cu$}tBp=2^z=n$u}PQ>BP59hYs`@>Z`C%*Pi;iL)Qz zVc1;Ac{o+vackwOUkw5BK5X^#c{>NU70&(~kS_(z=BAVGdU);I_L41sbh^yJAHI2- z@%{6|Y_=-b+zcD$JE06|GzaHiu+IGmLH--77Jcr)ZeJ|nAU^VAHy)1K*kxP^Uk*NC4SDCcm(>=GVf>Px4}a^86v#GP=Re_CzieV~$YT zmWo=p{#9vfe6XM$HRP^^wQ6_tPK^@`3@s7k`S6Ro0-hQLUJPP95)i`P60w(a+zFy*NaFrT6g7)ga#o2b}iIF^aC^URuNp` z1Xsm?Pi1`Xzc#K~e%6MI&N}Gnh4bs!Q51I&Rdp(=Mu5WY3vI*g|J%Id-XH#J{s&)s zt8uaGtZ`q2m2V1gyFi|Rb4||bHX*qHflj>$+R2s@0l}WXsLXQYi09YAAGSWU|Bl`` zdhx>x5;b1zG(i4?FyQxn(9g?qEM>UT*O&ZS+S16-2+*{Ck{K{MpB2S~l!Gi4>;5km z*e@P`;)8!aZRygMV%~sh4`o3UkK=3`*tyx}M$hJR)OkZ$-7eY=$WY-u&6Mvull$SS z-+bXkhP!sjqqi9K;?FIbQi(VsNhaWzt|TcM+8HquSWuY zJV93DFfIs9i1}a3>%W{nxR8 zD;D;(p|0}ZhrWnFWVDDJB}U#UVm`rPa25TJkEyA9&$0tv`LAd#k6^eGB4W%jExs;07ANf1$!(O-R!qAPdZCce|pMW2~L{ z00Pd5lYa>0Cp$)sSqmh&DC(X}GMO~-W^=f6=Kry+`mPUc^zQL1k;92Pda+Me`>Oc$ ztUnr4l_1_%8V-3rxfl67f64}5m#}T$I_9sByeLWZD6hVfA4)v(E3ePBG{wUVk5io+ z%DUQVvli|Ak8|StuK4c9tABCb*7nR!fjO7lQgwLC>@(oUJ}bt12Si2zwC{=R3nLbFTM7D_FH!jTG%3Xpqq()lGpt+KZP$}j-?mMNxHq_b5TZ4m zK^sBC`uz6>zFtW@a3FgSOn}GysPuZ{SU^v^EY37*6ADH{id0#FPUFe zv39EwP=af&aT{*`dS=JpzW2h8`7>@0#?)QsjQt$7>eu1$a|b-kdO7zwZo4wZh&s{R zUH}fVF0}ThAnrZU?api&pYL7u*fbC3Eh0EWAeED8SskUI<)BwXI>qtRlFFc!tNtt( zgTp+I^!Rb31OCKC+t)0@YmZyJ^sb}sezL8^=ics{Fqi*l(AuJBJi}wHIAq1zrx3dD zw>7r@YUR(8&D{t|^nVhJ8D|&7JpW4Z{5L`nFW@=^*(`D`jnPMnTxHJt3#5U1T5^kR zD7Qqr63L_)Gd@2Hp0`kpQL7fZqmpFX2{Bi+(l|Devxbs{5)yM+O>BQ79JPMBp5l(H|G7~na?@# zuHnReSu7m2aQ%g6ofv&%;L-|yeXwK*sGm&Q#@~ITY3JW>d2}ac{s4)pt1aXUoJ4-W zZv1B&1kVy$#KB^(xST4nUl}KVX}G8N|MIu#(sOILyYV{CJLf`V%1|{y6?`rqAjR{2 zUGXi1wA^nZd>wC@x$>T@ubJIzSAK9RDQWyApZIVfC*!%-- zqyHGrZFd;*&ZlP#&+=K_#OL?x;@AAT5RQ`rKK!jwMkbymvDj4*bGisb5uLLLGMVW2 z{krw9t8q=Q2spG@=ax7}<-h1^J)Xc3nFGf_Vy_V~=dlj%I)}(}w?vgS;}vsiR78f1 z<5Q>vRV7m?T9x3ZjD|p_0q*oEM_yQ4mOP-~;Y*gZBET&MSk4LbWpxyw4Q78sI+H~! zS1}px0CB~o$s;g?65!CF5sGOdat1^$6HmS<#=9o&$3CznKkZFxE;#4dl^32l`LRkG z1KJ)n1laMhBpK}Z>vuLa+<)WZs(j0rt#zMuF1(%!^fvBo-p^sXj%d2QNLIDrutNxk z`$NHPJ7TN!Q@=g(ar?rBp3BNHl;uJZb11ou=4$#CbCyEMafM$}{4H%Mq*d|T9$Bkc z{Yr>6>56{~pVR$(J~w#QCG(B;8zPL96(n`3IKMxPDwuQuWxEdo(oMFex8G@?GOpJ`JKg%v=MWv2pn?}GuEh3#IY*Q?qwKQ0 z5864GCZ&LM=wXMzYsjEl=Yys>oCL^o^bbi| z+A>Jd7zlVgz%DVIEd0CHB_fCuW*Q?49Ly&z!D?P@;m;Okh4)D8-MquozC;W4C{W$_*S;q(yyQs_9<+Gvwz6t z+J4dHSN)>eob30>8%BrTxU-Gnw!fIesQUQ~*sYx7%0CTN{*eM^JStLw8{4Z&<5?Ko zmdUukW6|3*F7X+&r;9P?ikK4xPQoBh!=qxqGHB=AS&L`~fPQ;o1p;hW1*njOK;L9t z%TS6icqcFpGRt}HwU|GjTeBF{#SY>|$K?-V-5q>R`lhlQ6u~`II3EPjPCy&C$26=4 z?;c|1-?CZ}8UqmhrO$Z=a;3n0)$`=D62>pulxTa+stewD@JsrQfgv&m8t%EFso{Z} zmhSLoeIpFKPjb?{);Zit_#1$ggcdk1Q5YC1$3EBS;BL;l^h0W#^j6RI_nbE>9{0}y z#+|WdD*fixG&0#dRn%||ZKvQ8+k^lB5CBO;K~!wCQWi9Z z+}(hDPeS|IpwWJbEB*&x?usA9%M^XA{>5jv+HCGil(6muY^0b~36`=4=R2#*^(8ix z+t&Z_`b}LEqw>G>hS9aQ`b^LBJ}Zzzg*U}@-1g6>Q^+>#gw19&sgl5^Vm$}e?Xhh7 zj?&J=+z)=YmeawhFrNObC}F9bL)KmCt$%Gu$Xx};4zJ;gfwqb>M`h@l8p`K!4u)sx zSHuY5vzA|1r&ue?6{C67f z`Ou!sBNUw@_b0Lt2IL$YrF~yl`+6j%{lBp#1zq)LdFHSA10vkNLXPMvSN(RwKNP*gAM9ROO%AaSXU6mbVS_75ZpPaS7evUgK z5v_%{dnPgJ5IFCxa5Bp|2UYw5&;BWw2&Gat){9DS|L@|>?FtSm}Ecr6@hBdjr(}r*ziBzyXu_dR=(rRnd=uWtmfE|LD$!r z!15bX`uX7<_uqJ9&d+}gMm|YCe&FE#N_gHu8d#(fi!}$hXT-Q~)MKA5;GRBuxQHwV zOt0IQyu1sL;{bSsemU*ay0FsSE?wQL;oHQOzAAp*1q&*@DC(L!PHo7+VJGGJ9C^Bz zrwc!_BA@ZnnJZ4XbLmYd-udVYXDsRcD5Puhdv|IF13+2T``BI7Y;nSNY8V|1*Bd=9nY!LAHA%lvq(pjO>jM_#?F(m=&11Z{EMz;+V0CqbJ~`c2SH+%Z-_CG{tCh!HOD))7?#FD)Ro2-Lty|mhg_G`F`q$%@EZ@P0$Yf%?Lfvi# zfVQ*#XUXPqFKzse3xh8^>y|lZn<)jWdHn<1CgScvXn(tXQL?qGvIl(lTZvpv)lr^! zR~X};D6&iW>xw&9KV-^3WKFbq@r##U+VCiOV-tb73vZA6vDk5*n70Bl%5e);SO2>G zk4j(8arK{tu2g{l41P_7RgtRZ}!5N3pKi3hvj&$ZZ!HFG{ z2Oc|X@ye_Z?r4f8R}uVr|<#9ys$~97A7W)?yC% zXX)>t-=7_@EXT_)!{+c0Joo2sahou#)Mn**mw-aN(Zx0VHAcgA$BW6w*+TW1c z0~}0g`h#*Jm_~T(^m*sj42n=$;bRv+u-zE>A(QSWylmeGAn%c5H;KM>*39kEHW~xE zWvYEA${e}v4H7VF3>afhHsXEC8S@k8neSNNzJFt8>S^mPUa>6(>g|r=H5O zylMFzsfGt`d~)aHmhWX+(;sk7F0;=@*oK zuT{0v?PEX*TDDh>AKeYvLEWV?cm_`HBaNTYQ2IPu{C;GE_qJu?pF3gk!*?8a&(d}O zPD-D0Xm=eRUVCaOkWAV&zq$4iFNG_p%)icu`wt3~OLB0FNL&f63qQwBxPrpIO?H^S z16|-IlcuR9LVLlq5nAx!q(r=W4kN@P?S6 zC3NoR+%{W5LSZ-PT_x|H<}g|Wr{+gZI(GNWfu|h*=ZBsNti6H#^)b%4L-PO!&fb7Z z>ZIC|%0SOabtN_Og5ZF}IMjtWr^1o-gm7l%90r>UW(r>&5dI zjMf+EP|0i2qOfK8FLvy_|Hi-VG^?(%X?s4b{S>FL-*OC40XqE$YdQ`%WZNrtoTE2U zVJDkv)~^SW-5UzUA}lO1_{TZ8ItRO+3&VAs7q(h!>+?a_lFj8aZJA7-eKe%9xAl!J zu94gO`ulz6gLILk}6d0a@kDcUQReaVc&e7WYyB5_wshyZ!*~&jes_^(HN+}r26s}$ll7mjupU& zU;=le7VwDRdf$uvD(-t0a%aBz z13V(QfaCpo&SUp+@au}W1(1N@HV6B?o%JpE_vQEg;3b?Gy&CzQCBV4e4zj6Z8gUq4Fzm=4%GkAyC-c;B*~)4+GQ5`kewzavfAGPEx6w!A-NL#u1GbMA3#-H)xaS9mQAKdE1w)Gejm=+3$1mV}YmDPsH&i^w=dVA*J; zoo#G@rDD{yA%ZOy@~bxImX=$*M{J!u2F5!Bg4eK<8)qHV2(bZAJ%)f0$1O6)?J-ze zaq1i(d?ekHwai}&Cpyr&Md~htWygzir@`dMTI2nSbSOvY%A&g>yVAQ2xiOA%Z_b%x zxziXUbvOqO=|n?707yuWfI(Z+Bt- zeQ@^291~B9!`(YGx$k1dqJB+s({H#VHT~yzuHENniyxl(<2!#d=Vy0*_rPD@d(F}F z&UpXo)eQ@+3(xTbIY+F#nf>>nb~<*$=^mpD@l{&CdG2o^@Y04&P!EzTXk#dk*gZ z$lKQ}+!u&@rC9q>CwM>MqA>5?%1wrIvtrKK;kLhJ?c!zcJ#q0vR~~=ovLBxK=VgC6 zY4IZ~baj9Dq7^v-9BGfZ9wgB3&bES`Wz`?9eQNculV1(D;q93qb(YNrZ^~w~Z?fs^ zIjdjVc*UwkpL=lS;%|4Y6q5RFeRHVq;XlQg!f*YlRVcu-jmS!%yO zNIrY__VSk!$&*)8eVjn_gBD{zexlVs&;B($s5-kS>`33{a&Xpmkz1K0hpuT05Q@0< z5NsYuO`OEU2wvq|yMO)PUwq!e{gK1$MQEc2LNF>rs*oAt%lk0DqPqal-|d=M;zz7u z5v$^Ag2HFumEct5dY0PQ+!nn-ozDkg|9&Mj?UmaGc0@pY5i{E}=6oaOMicXXQ&Zzz zXR2Gz+qmk{16E)1=CRxrh_k11xS~>*!{fI$?tJhk_iVra=F8CLpX1uH|BXj}*5x9t zzm<|vC&{GMvvexq=41c5bkp&7Eq(r!zbt$7gu9mAd*WToes|(s5C8bM#SeY|gvHCg zdfZ(Pec`ypORwPy{nMS`Gbi5pQ1bZ2ORqa=@v?8S>?#VZ;r9N<-(J5#4TAN*yY6ZIjzHN9 zb>*n-;X@mzO@ZgmrSe}O0#PF^3(SL2xcTF)(eDDVU-XFEugv4_ShB+g-uD5ygY9o2ae8>g zT>36RYdQ=4DV2UVK;w=N_!ZN@S8_uHF%dbC@Ln;oTOj5)z70RWu_pEUP478#A3Y+d z{L6#lb}YYP^N!^|9nd1+mHasV-P$%N1E9ac;?{qaZ{nvJ@!lh1Vp`q?Ar*fs@~u3U z(uAP`2mLAIFMWfDkWB7c9xuGzi;b!})flsYb7u4|f~7$cWVwOCgrQ)^26^s=@kn}z z=qu0NDgfOYaBd@yZ1klWMI8W0l@XjI@b+na;Fj&A^(R@PI?Dh65CBO;K~$cYJTbUk z00?x86!PDgw{SEne4Tjr{i_k;n*jdo;L`M8QBI#X&s@>SBLRi%$Zo*P>-mbX|D&4o z(BYoJe~Xw!a8-ZIn^YpR#PFVR{=YKzZH+%qJCSDk zUAw-eRsrtB@wKD=AJK(SQFp>$mafRV@LK};D}fK8qU84qV%ooS7oef375cNmfCjdv z?G?<8Fwr*&NOV<;;Al_G6=KY9a`1i^N8P73R=1q6`jYu$TynmjOkz0aZ;V{8JP8b2 z2Rh;d-y7>Z?+nA0HaoWHq!i>b$Tc-U4S}H&E%mvB!)oi?Z&!`mpkIC3Rn@|U9-Mm> zL|zYpuNk^J56KtPHClO~;P}t!$Rq3!U$@RKA*22N zCB&d=AI8FZ4A7cNV@Fdn+EN)<_B$PO!^px&Rh5tc2Lwb$8}YI;?hL3Qpy?y{noQ5^xxtuc3PI4tP!!pr<*(vMYDy;=-jB`9pA=}+@QZvA(oJW+`& z$YwCq1^^Ws9aY=z3{xVmEhqjqF<#T|+5Jlq=Z^A_)#Du5`s8hGPQv?WVLaYHD!XHg zxLPOX&Ern3J!SXY!KWkv+nTEWJC88FMnmW!Qrz`U2qUjFM}rEvd>FkXxU;DR`j3Vz z6Nj>&ztUv5m$gSYv-tv3JQ1m4V1^iTuJ3vO7pwArx&Q3i zvoLavNT3%947mYt%!g-9FrGOHMh;hALQXn)edFH_?anLbIy$?=z<*%f&p)MKmO|;8 zpZvRTd@~>7PUR5tG~I?_bR6O6YkVjmjDA@#w0ee(=7ioY_n|=6VblvbxUj8TtUhKq zpjKcG99M;j;MH)?4b41i<{3MlWpuDEE^w!hs|#K?SVG;E*WWCsvNiWQabKa(?kC>R zc1l*TH#ju}GPykJo7xC1$YgV{+Hv*<=0lF+Sx{jGnI>; zC|u5l@))(rV~m!RDT4!Y;vl1Goqf2{9|tPuhC2b7umSg4$d@>A-ow1X@=X#i4`(?* zviUsp`vE%}o1y<`NM9bL5_x$vV1&zZ3FvtKyG3}pZ}UGnY|)ZI8~EkKN5Zd62@I(L zFz?bI*1&T|^IZ5CNBM=B4Dzk5+-=nu6NbofUegNh;@Q}vD;8bTaUd*Q=o!y{wTPSm z0riWr@`mn$-(+~23(c6S@c&d9@i z#Xj=NH7uI6D@U#)rEIl1Kp^^cz1nE&Kivk$bMTH>Ll6@*T7%zZg1S`z7n0a@9Wm>y z1C7C{N~-3R-8wU8ofcQSl<=u7`8BVl=xYq{F`3dL-{)U(~XBF^m@ z0I$gJ1av0=_Jzn0(9a3Cq%u4jXoVUCSsoRrfuNnGyRswc!!H4S9-*_@Fbp5%^SRmy zzPQhR%_|Q4_Tqo5emneQSV&oXkEGEpR5vGU!18khg931WtYaidR z=zlUD9#=AHjF?wL{}}jpagGhO+!4qJA@pCkHZ-?FA(hD@;1ZK^A;yT?QxdQ|N~BTd zT2q3l}7;0|rsXQmkMWI$%3cqvad$iZ@QD<)Oc(+M;BuE21# zy~w%idI!J?u(P2d6MX_$yqFc?6DpP&xF;lw+2Xv(B^u3dnAs>I&p2RhDQytGu!2!W z@Bz#}!y5#hJ{3K1@#1XVnEIz+>9q;|b4@bR%l!5Rx zfS{n^6_AHR3qk_vBtYmS{Ypaf5C}qI-gF+_>36-)-fRA=`jP6cO48{*)v2mp)qB@D zXP1=VwqbrF0NElU#D+gRBRz8#WP6fO$oSFfO)0M}@s4Lgzcs`+ z!2sC-uw2M8i&?f@yQ1*rIRWtmboRtDUV)xioG=@4m4TH3t}3844D(W zkhyGTZSA1(Mg{!LYHm(%oATZrA>TX0_eBLbbS7UR5vndks#wu(i z$Iq{>wo5Op-^(fgNpj{|GUj=-Q%78Y$FS~Xlq$~($P_^o27o9mF$TJOW0|)NilHFW z2*|D>i-53`=rAZsrF@FUlO*gg%7^lgWww)W`GYOGCigBFF7b@H%1b04ec^?=Eiz4& zB~DkBz^Dlnq$54|egAYklX*Wz*3+#hKwRjfuHi@zG}L1aJzWuxLE#L2@_*)K4@~kZ zLKmR}Kbs8x`en+&=z^j6oftppECUsM2w^PkK$&@VOATTsO>buQz4@lG zCOj##9>5n9O=3f*O-tDm2F2CZ`kvu!Fv{K;OdI2hA$o5pT=C_ZwcE$V3n0~vM95XW zu%SKGL(f@fuSa_xVWwW$r?HO!1IR&RAeB*IVg!gn>%w$FFN_0GXx2L5W4TKE4xB*W z1B~Flr-jwL@OedURMe(0&jG2+W4+aW3 z8^nX~*;4z~<%Y-f2eGw%3FGjcDKozTV9}ZEWsYNN1Qls*1qzyqwO|6X2mYr`G8HFf z3k-W^7tAd&0D^)bQx@~PojH{VCP#K*1zd;W!57un_ncx*YIJ08Glp+Raq`AB#!^ET z0o;oj1tyA26k0ry%qX}nD7?;|-poUU;w?xd)8ymcz~~m2CJ)9eQ6;x3_g{7t28m<} z?N4OdE#8sNo+$Oe#UBNiL@GsM5Xgg;!lAFh;=|+3j_5AjI}3oQx@LLZ7I|S+-+uj8 z0>Kd|hyeiS^2u!7DK3>T-f?fas5CBO;K~zm$9t~@Vk6$QV)G}Ux#$4eu5M1_%(_|`ZDyi7`A-k zp`{)D9z*67^33$?BU_q(7e|4+m`vuUhuQl^yKW3sLIHoJEoEi8!HibUXph54%s>B` z`dt;1j(ePazSfX=0XN9>(&`m`b@h7VBE}sTEB-=2vf$fz82ux~2pICg24uFCz}O z=J76_I>EuB&ml}6xSG>+(npL5eHb0}6zc!T&FyTu&j9F83vway zW%Mu0Amtub7J3lQ@6Es-(`!A~JaGIuXLVq}ZibB32lkD6$uuKmG6sM-D8q0V%HI%g zKbSW5H8g0>ah2xdbk4lNmpP4H>c}Oaf&9s*YCB`81A0BX-#@dF2>6R%Ar`%k33|1f%!9a-;o*Nfd@jjHGPY-;2C47%+0I$PsxNWseJj z(Y6r;ANR&vhWV}#@wFAkTe9nfzj^JF+D+oA8=;61l%iRbz##|}!~n3?PQwUT;vtF+ zE*bY)E9~p%D(SecT&ZlrVKaveeE<>t_CO9MhmHYt97qUuiAu@Ck5CA~$~}xU=|~wv zh}-QT5qF@tZ7(n65 z{JALVXe%}rtM*nDD zl)M-UqU6OB;9J-4#^=$r76>EUd7 zX|ioh4$}Y>;M0}{r_}s|XU!QfIOM^=>>|f?-9#d8PR;svC;3w!^POGD#P_2D`*H0v zmKq8`fN|eu-11@|;9mA&B#2TL-dGAC4P^m~Ia99EbF#!BzDg*^s@QxXsZIa17 z<4>I`uWQY@PtD|t4>Oswh|DC)`Zx=l8}o8mNrA2&tI+?rSf6byY3#@&Udbxj&_ZUd5j zRALN<{hwI1D!OZB(~IFSEi#5~AVZBvPac&Z&0MYoaC=aXVOm4Xi;U$P;I({c&WiP~ zUr^nc^TyJ0g`n*!J^}?X09-om*!SHyGGD&!4S$h8sQu{(eh zupj$_3>AjVr8Zh24<4Ez1&>zNd?I`P(#9>l(T;l!yaAB&FuWo#emL*R!F~gA967k>Wm$+5kf&okz<@~wqN!o3oIG5pXFRw)4HV(hmwi z&-$SFkyKXg)y9-4fr1zSJ(H(ywASA0h;Jft_dz|ah9cSuMp4`ufn5BMnef?PF{$@J z-rtx{p~Fm}M63@92E@4N#4t1Jl!T%8nn!$}W4fM9>ZUnW4a?>(UB6GB7r}lF zN}y;66vP17_xm43cRX?JD>J6IJeZ2p4c78?xHoP={4G28B$oBKQ_vYw8J zb>qagqD(B15L|$B!TgU(n}U~zO>km^lQe5tb8Jpc!*eO(TMWBJ#3Y_EnGUhRm73YKUuYW<6aY?gZCdYX;1>iLZBc9z(C`g7cWllS{iBD z{>Mn|RzBw*o8;?!PF`c#UW<9*o1wRUMb6y=P4x(~dy1J?u;VrCTpiZyB|7GM=iFMv z=h^Yo$p5&5SHW5Sbu3NoD2owuLMUwh8xl`K91Sun+zlweSxpf?I>=r=5FR;G7mMt%^Y5Ij_|C%)ORes$6nM=~ow#{gH ztYul`kp6bh3!Me0^aAJVJJ`s6Iyan5;7d*G^kC9c|pMar& z<&Hl^R`003wsB{5WYdmi*KHF+g5X_%NZfz;9v+wtd*=O2JPkJ|*>sxH@dPD%d&y5E zNtE^QL&mZ#WpEl!UU(PABIjt2m2w@seC-h~?UuP#7-!2(#HLkxWd6IsCp$feb=0TQ zxpa;J(00O}lryFqBcx;yM7-55+q=Dc;dZ=~w~^6ZdkE6=5bTqkk-e6ni9D z=!no3nMxko9&E`-dzbP3rlB&}guDbs$}$BobWadlhD;bGgmPp}o926-i5j9r&b|N= zAopX=3(ur^$L7_*qiF)_%pY5|cGsLaUs&Q9dkqxJubJIyVs0U(oR?aSrVKqM5CV*I z6~#TZ8Os_d{ofeNSDSEhLDllc6`y-ygZ#u5y8|gpg(!h>B~X?Iz;V{Egwl`4+dKSN zdj}=Dx-s&H;O-4dpo*N^{QfttSnc@(DtAp=HRE z;pacw^j0j^au>0=hRFPmnd^vnA5oBRPlPlLBO(Ark4rVfzKxh)A*LrVU9-qD?x$0x zb}gz})z}~pcaBJyW>Nx0OrR_cfSr&2q!R`}eL9}p55+Txzi-75JI)vZ#B!harH=L+ zoi*7M-2ZtL@n~g^}BXgMH*hCROZ8on=fe5w*7 z^eThT@O?pS8zu~%avcC7+c^U(i3&5`hNKh3Ap#TVx@K%@#K5oKgKcg6a;M3;Ai zCB6!m=z}=d8`Tgf*y&?PPJ!`$Fn)~K$mvHRwRal}bd}rw?8LOanN}gd0D5$I-1rIQ!_P{qY^3Nu5RcyPVNKx-i4i zk=1rL-q$g#F(#CBQ;AL0u=LN$~)-ov#{v%djT*MW_SW%0gU?eGCYPZ z1)T;%VAMiJbs%HzABG3Y&psR)!J;Z#jiu+2j!k?Igo`5~_A39z81tclq@b55+Zsmc zc?6q~k-8P^;Wj8ojQq{HGYfu7Z zPoQiK06BBJx3|1y9Lrk=TV;EAbT9zM;ss#m$jZxqh6^s}HfNN-b2g_GbZqUgYns|V zf9B@lJ5NdPoa`BQ0Xn?O;roKxHblN9C!K7LNaI9Nao&A7nMacV%LX0#C&=2eG5`ip z$Y^x#s=DUT{^ZS`<9{b(7UEn!1EWjcBhW^~DddHY!?&P&7$*P#5CBO;K~#nT0=OLr z7COlb!?xo3Yy_uAjq$Fj@cnN`W0gOK(yu;mb;FKJYHJI3Z4T5%mr9_>2$Zz}K+TKO z?5CD9^Bd?Hb8m1YGL$&M5IEZN0-5B}X=0lz_Go1tO@4IvBz0!dr`ZRJT|o3#H0c?N zM20;4C)rGen`%7sS?EdhgOU<_L~rYiM>%B&U(z8Z{$0qK88mNR{s$2bd06S}nAO~z zK7VE7ma66T_f^DWmm7B9XXeFdK^@|D#7@M5d0HU5*n?QcF))#-uy>ef9gNQDv_tTfb^t#eHeh78i zfVdNR#26@Z&p^f!7De8Hdtx`@>)`MVI<`faj=J21{jc{XDt}z{Y}1pUTG6y!pW?@r zp+O1s6Tp4azgDJ;P1V&YYg4PxJn;g^=m4u(0b0XZM|?C!0EXdmj7v-3nkB2it0+h12!12!JTtyfvfIEMcH}u2SO=3 zHB;sU{E{hxxi#x|SJgBvn?0xg#})DDm)Ou($niDS*=k~HM%+cr2Mi1XAcDch&Ja?u zQA7ckHOW7;lF@xP>eU8CzZ2Db6?I=q9xWnrmme1nUAjMvOx zSP`}dP0*kOiiXw>2lkl9cf)afby^70MFH!0&o&fYR`Sxe0F=L!5Pyc5p z7I>XeF9!pF(U2iUF}il*w~R4Q?{2&;_jmT^%&UNN<1DoMQ$vm`zy=e?0arTg9O)ny zMyFhO*Sv9OgpcD%ITe_I2_`~LrU~XOuYaj(MZ;b3c+w4*|6e8iE)^1M7G;o>6=$Yi?C!v|z8?i` zcaC2+%uf@$+fjq>d*r^v$NB%@?N9#iInOpM6eH&o%hqnYbXl`1d;rs+1df)#1TX;l zkW34?jbt+J(2l;8q2KHXBkU3MapGUKHMjyl?ws-wUG?FW4^-1{!9_yvOss!W$X`1(wkA zl3McTys+WG+*RwFF(1C9s;2&mXuRQn`j#(*hwKY5;J$@(v;ZdM1BPh@PG~cc*^D&I zty3!z!9d_HoNM_{lTmDop%6ztG5Ur^Lz#WZBi94+vKSVf%p||P-|v`rK@JQL-hgsz zaD6T@>=weQ_PvmC|0|r1U9_`{FJ4~L@U^O%#%oa5|D0XZ_{y9=Z8$IsQy!43K?x{< zF%pEL|9v09cLD4$&Md;Fo?Hky1aKYPg9R2sz3CiEX;6U#= zP!Cx$86TB>**N+mZK{@0lq6@xh?gY$UXS@p@DP}+9R*m0$}rTM4uz%T&ygPryD%Fn z_{bc*PJqXwBBuhHke7fM1#p|U&syI2`kb1^r>bh|e>rjOe`wa~0+pzCOLlhxn{sZUb z`|z@T6AFHwCH_aU{w32KU*zpeetyT)_kDSGO~b!et!TV)?uv##%v#>G{=Da2X_?>H z7>~d%C;cb^B~TCoUO}W5kh_z2GeFfxsY0l-l9jItbD z{?<z_8=w8|F#N_R>ZKwCXHf&#JbNWT^Ob=1`Gf=!|WfBVc1r2~2^-NAU8S&+m zb|$9+nlNGlfXAk~+J0fxs_1z&ue5&pg$?h(NZ2s9reRgp%BIKX ztf;?lc1`{5P}*?A*IzSxdEJjO2miyWXB)4OhdNI4daYtT)E%(;`;af zdOe@<{;cQuKHt|9Ir&~E(fJNdQ$u=R>Kg2pfVMiqnHM!ZL-i5%k%^Hvc4T|KykJx_ zfU+p;I7m1>L;WUE{6HRqRG0qm@u}Gd*aZ)s?sIVUp`2!YsZKuEl!8jZXaC@IVy9P? z--XS#XaQ+f8SO?Bt1+s8Z^9@Gs5dQ=r`HJo=0N0x6lrM1%<~mTAOG5eda8Uvms>Um zRZ(7pO~XVtafi*Ne6f^c`Tx&4;(DOG-Y0eU3$K((N)mFs%Y_o;`~NP|<>h3RZ;Uh0Zf7LuLih_{KGBIl`9v@^c3ixixASS;!{ z8}R{k1VIQPvQDWf3$LCuP}G(o&G95%Q*=?c}1df&t6 zp ziuiuY{zGsM4;F&K3v&d19xrWC5&4;2Af)Ofgy(7~Q}s44h4XU*hC7_a12@38-+x@v zf?Ac}L;PMzu^*2lp!3PX9_Aku zgGzeH3Q{+(4t|W16wrM!7W=yi3MBYler{^+M;i_zYjh8f$z8c2%|(p90x>bnvy5w* ztG~-RdA%duyH^J%R3oQ_{S#1KcGI)Wk^T|U>Pa`}@7RXJ&|BI=)K8(Ms8;Z=ZIsYg zUr)WKcYQbh%jmHnXoe?x3hhG}M&5pcUKK;?CmUDJZ0@vu8uvkdUz3DR)Sdwj$n@%^Q>7dMtwE&s{pywqJ3|en)Ds z{qpj*qUTdleYS8UM0zVj4dXeQQcQ^(`4$&)QoE?R(tNv|p8i-!91>d#ZJQCw{ctE= z?W=bXKi~-TQAvJ;9_&x;^R#er^HqGFWG>ivj#q1RQ7zuMd-<0{G{0h0L$cF8}C+E($Oi8PmYHRJ{=AERO7RUH%hYb93 z=(bG#&_?2y@NYq>d7k&IJtta&S4NxXMcpPH8zp=?t(9fX|bJfaWQY+iRUU7I9!!z`+EU?;US%>vdla?@oTqVw2P@(VYE2@`}u^bE7rKS(}i6Xtf z`eDRX4L6(i75y@BnGDFBR4u1mG}fl|*@jmsS`XiFT5OKE=1?cF_656HxPavlR(;r} zb$Iam^sQ~dxlJxxZV~K|ZKA=aOZO)G-#7%TOZy>I9xa`vvx34EisPYxc~8Z4B1OOv zC@~vf;5HpBCd4xh<@=V#phDej-@IM3K5lcc-hq%sQ8%KIQyWKO-c)7`Ah-h&wj@W| zbV=Tj@s>EA2Oc`Krdu}e{DqMcDJQag7KDUgQwTaU1oVt2|*4$X@y!c>@S z&Z704riPBWZTR)mxG6`B^zWWI>oiJXou!RSAt-kwJJ>X4n7gHOVX+@QxPl zdNn%Y8K1UH7Tg^fK7VbvTr@i**G-U`~zW$K6T%-+c9R^_8>};*~yb#^_v|`&r4jA#x*+0K zdiuuQZ2d+1O_K@F6i1(VR|Y+H;ua9SP^?t9*D4P%fp-AI?&ZlpmcW~jYnAb7wXYGQ z6+322|Atf-X_@v5*T+2kW**2~>zviGPCwi5&- zyLZOV)%hD2hAlFi=`V4)?XU|5=Mb9uJAa-@kLtjS^k_N4d}~Ao-cK6!RZ@3d#H)e) zVROD*(RBap#Im4%@PH2a)JfP+U_NaOdVsbHr8t;3|z3EC{K zW~1V|m+h(y`Bx*>A?`0>IgvtuWH_W|dpC=~&ZUPp<%}Fwx^U0(PZI$*gg&5Eaz1aH zYtQepECqgPkOQQaxBe?RMrR!~UVsk_pJ9v{_dk1!utb)=HUPB<$Jf~GK{t-GmonWr zUh0v_(3LEYd!Py=%j=wQ+?5QLE)Q6`5*FFk_IpU%ID6VFCb`<~`C-N~DH%|i)c4FW z|6TQM(NfqEXj`=QO=94#IarAE5j?a_VES7DV-Y4D&2bngPB=fmx5vOtkHfLd)8qNf z<+$A(1V8LcW2>NTuTn=KyGa3#78t0j@2iWu)ozH;9EoY@cp(7kl}EPPa}3Y23d1rV zLGYO|5GFFH0bb!3{D1fYlLo)Zo`z?_h90aj{A*(p7>#28?&=l> z0y%>9g`xp3YZwEO(xf~8OA-(48ssF-gOX=<63-L&ddYBO8VuM$O{?_M-Q5%h|CJ*x zjS2fhsV0gc1`|yWyl-K376XZrz@CPpQwFT}8XBHON`&+QR*5Wqc<10Zfs5_XG+ zo_JmsQm+mqlIGFA5ipg%1FX)=Le5Y zNRZ~VVZyr-1|o12C$0(@5;+I{oUQ(76sC8ZcKv?!z0)seK9RPZeHun+*>e&#mEaD+DlWSSNFZ1yjJ z#EB~d39$6hz0E=zdW$}=LI;a$^%+@zhl976Np6B 0 { @@ -113,7 +136,7 @@ func main() { mux := http.NewServeMux() // API Routes (e.g. /api/status) - apiHandler := api.NewHandler(absPath) + apiHandler = api.NewHandler(absPath) apiHandler.SetServerOptions(portNum, effectivePublic, explicitPublic, launcherCfg.AllowedCIDRs) apiHandler.RegisterRoutes(mux) @@ -145,16 +168,10 @@ func main() { } fmt.Println() - // Auto-open browser - if !*noBrowser { - go func() { - time.Sleep(500 * time.Millisecond) - url := "http://localhost:" + effectivePort - if err := utils.OpenBrowser(url); err != nil { - log.Printf("Warning: Failed to auto-open browser: %v", err) - } - }() - } + // Set server address for systray + serverAddr = fmt.Sprintf("http://localhost:%s", effectivePort) + + // Auto-open browser will be handled by systray onReady // Auto-start gateway after backend starts listening. go func() { @@ -162,8 +179,15 @@ func main() { apiHandler.TryAutoStartGateway() }() - // Start the Server - if err := http.ListenAndServe(addr, handler); err != nil { - log.Fatalf("Server failed to start: %v", err) - } + // Start the Server in a goroutine + server = &http.Server{Addr: addr, Handler: handler} + go func() { + log.Printf("Server listening on %s", addr) + if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed { + log.Fatalf("Server failed to start: %v", err) + } + }() + + // Start system tray + systray.Run(onReady, onExit) } diff --git a/web/backend/systray.go b/web/backend/systray.go new file mode 100644 index 000000000..58ce4984f --- /dev/null +++ b/web/backend/systray.go @@ -0,0 +1,133 @@ +package main + +import ( + "context" + _ "embed" + "fmt" + "time" + + "fyne.io/systray" + + "github.com/sipeed/picoclaw/pkg/logger" + "github.com/sipeed/picoclaw/web/backend/utils" +) + +const ( + browserDelay = 500 * time.Millisecond + shutdownTimeout = 15 * time.Second +) + +// onReady is called when the system tray is ready +func onReady() { + // Set icon and tooltip + systray.SetIcon(getIcon()) + systray.SetTooltip(fmt.Sprintf(T(AppTooltip), appName)) + + // Create menu items + mOpen := systray.AddMenuItem(T(MenuOpen), T(MenuOpenTooltip)) + mAbout := systray.AddMenuItem(T(MenuAbout), T(MenuAboutTooltip)) + + // Add version info under About menu + mVersion := mAbout.AddSubMenuItem(fmt.Sprintf(T(MenuVersion), appVersion), T(MenuVersionTooltip)) + mVersion.Disable() + mRepo := mAbout.AddSubMenuItem(T(MenuGitHub), "") + mDocs := mAbout.AddSubMenuItem(T(MenuDocs), "") + + systray.AddSeparator() + + // Add restart option + mRestart := systray.AddMenuItem(T(MenuRestart), T(MenuRestartTooltip)) + + systray.AddSeparator() + + // Quit option + mQuit := systray.AddMenuItem(T(MenuQuit), T(MenuQuitTooltip)) + + // Handle menu clicks + go func() { + for { + select { + case <-mOpen.ClickedCh: + if err := openBrowser(); err != nil { + logger.Errorf("Failed to open browser: %v", err) + } + + case <-mVersion.ClickedCh: + // Version info - do nothing, just shows current version + + case <-mRepo.ClickedCh: + if err := utils.OpenBrowser("https://github.com/sipeed/picoclaw"); err != nil { + logger.Errorf("Failed to open GitHub: %v", err) + } + + case <-mDocs.ClickedCh: + if err := utils.OpenBrowser(T(DocUrl)); err != nil { + logger.Errorf("Failed to open docs: %v", err) + } + + case <-mRestart.ClickedCh: + fmt.Println("Restart request received...") + if apiHandler != nil { + if pid, err := apiHandler.RestartGateway(); err != nil { + logger.Errorf("Failed to restart gateway: %v", err) + } else { + logger.Infof("Gateway restarted (PID: %d)", pid) + } + } + + case <-mQuit.ClickedCh: + systray.Quit() + } + } + }() + + if !*noBrowser { + // Auto-open browser after systray is ready (if not disabled) + // Check no-browser flag via environment or pass as parameter if needed + if err := openBrowser(); err != nil { + logger.Errorf("Warning: Failed to auto-open browser: %v", err) + } + } +} + +// onExit is called when the system tray is exiting +func onExit() { + fmt.Println(T(Exiting)) + + // First, shutdown API handler to close all SSE connections + if apiHandler != nil { + apiHandler.Shutdown() + } + + if server != nil { + // Disable keep-alive to allow graceful shutdown + server.SetKeepAlivesEnabled(false) + + ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout) + defer cancel() + if err := server.Shutdown(ctx); err != nil { + // Context deadline exceeded is expected if there are active connections + // This is not necessarily an error, so log it at info level + if err == context.DeadlineExceeded { + logger.Infof("Server shutdown timeout after %v, forcing close", shutdownTimeout) + } else { + logger.Errorf("Server shutdown error: %v", err) + } + } else { + logger.Infof("Server shutdown completed successfully") + } + } +} + +// openBrowser opens the PicoClaw web console in the default browser +func openBrowser() error { + if serverAddr == "" { + return fmt.Errorf("server address not set") + } + return utils.OpenBrowser(serverAddr) +} + +// getIcon returns the system tray icon +func getIcon() []byte { + return iconData +} diff --git a/web/backend/systray_unix.go b/web/backend/systray_unix.go new file mode 100644 index 000000000..0f9d2bb51 --- /dev/null +++ b/web/backend/systray_unix.go @@ -0,0 +1,8 @@ +//go:build !windows + +package main + +import _ "embed" + +//go:embed icon.png +var iconData []byte diff --git a/web/backend/systray_windows.go b/web/backend/systray_windows.go new file mode 100644 index 000000000..cc1885155 --- /dev/null +++ b/web/backend/systray_windows.go @@ -0,0 +1,8 @@ +//go:build windows + +package main + +import _ "embed" + +//go:embed icon.ico +var iconData []byte From b402888bfacd559852d2c245d33b578d4d8e2e5a Mon Sep 17 00:00:00 2001 From: Desmond Foo <102380796+SHINE-six@users.noreply.github.com> Date: Tue, 17 Mar 2026 14:41:43 +0800 Subject: [PATCH 32/44] feat(tools): add SpawnStatusTool for reporting subagent statuses (#1540) * feat(tools): add SpawnStatusTool for reporting subagent statuses * feat(tools): enhance SpawnStatusTool to restrict task visibility by conversation context * feat(tests): add Unicode result truncation and channel filtering tests for SpawnStatusTool * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * feat(tools): enhance SpawnStatusTool with task ID validation and sorting by creation timestamp * feat(tools): update SpawnStatusTool description and parameter documentation for clarity * refactor(tests): improve comments for clarity in ChannelFiltering test case * fix(tools): update no subagents message for clarity and remove unnecessary locking in runTask * fix(tools): improve description clarity for SpawnStatusTool regarding task context * feat(tools): add spawn_status tool configuration and registration * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix(agent): improve subagent management for spawn and spawn_status tools * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix(tests): update ResultTruncation_Unicode test to use valid CJK character --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: lxowalle <83055338+lxowalle@users.noreply.github.com> --- pkg/agent/loop.go | 20 +- pkg/config/config.go | 3 + pkg/config/defaults.go | 3 + pkg/tools/spawn_status.go | 178 +++++++++++++++ pkg/tools/spawn_status_test.go | 406 +++++++++++++++++++++++++++++++++ pkg/tools/subagent.go | 28 ++- web/backend/api/tools.go | 14 +- 7 files changed, 641 insertions(+), 11 deletions(-) create mode 100644 pkg/tools/spawn_status.go create mode 100644 pkg/tools/spawn_status_test.go diff --git a/pkg/agent/loop.go b/pkg/agent/loop.go index 182bc0495..8328c691e 100644 --- a/pkg/agent/loop.go +++ b/pkg/agent/loop.go @@ -225,20 +225,26 @@ func registerSharedTools( } } - // Spawn tool with allowlist checker - if cfg.Tools.IsToolEnabled("spawn") { - if cfg.Tools.IsToolEnabled("subagent") { - subagentManager := tools.NewSubagentManager(provider, agent.Model, agent.Workspace) - subagentManager.SetLLMOptions(agent.MaxTokens, agent.Temperature) + // Spawn and spawn_status tools share a SubagentManager. + // Construct it when either tool is enabled (both require subagent). + spawnEnabled := cfg.Tools.IsToolEnabled("spawn") + spawnStatusEnabled := cfg.Tools.IsToolEnabled("spawn_status") + if (spawnEnabled || spawnStatusEnabled) && cfg.Tools.IsToolEnabled("subagent") { + subagentManager := tools.NewSubagentManager(provider, agent.Model, agent.Workspace) + subagentManager.SetLLMOptions(agent.MaxTokens, agent.Temperature) + if spawnEnabled { spawnTool := tools.NewSpawnTool(subagentManager) currentAgentID := agentID spawnTool.SetAllowlistChecker(func(targetAgentID string) bool { return registry.CanSpawnSubagent(currentAgentID, targetAgentID) }) agent.Tools.Register(spawnTool) - } else { - logger.WarnCF("agent", "spawn tool requires subagent to be enabled", nil) } + if spawnStatusEnabled { + agent.Tools.Register(tools.NewSpawnStatusTool(subagentManager)) + } + } else if (spawnEnabled || spawnStatusEnabled) && !cfg.Tools.IsToolEnabled("subagent") { + logger.WarnCF("agent", "spawn/spawn_status tools require subagent to be enabled", nil) } } } diff --git a/pkg/config/config.go b/pkg/config/config.go index ad5618907..35de48f23 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -751,6 +751,7 @@ type ToolsConfig struct { ReadFile ReadFileToolConfig `json:"read_file" envPrefix:"PICOCLAW_TOOLS_READ_FILE_"` SendFile ToolConfig `json:"send_file" envPrefix:"PICOCLAW_TOOLS_SEND_FILE_"` Spawn ToolConfig `json:"spawn" envPrefix:"PICOCLAW_TOOLS_SPAWN_"` + SpawnStatus ToolConfig `json:"spawn_status" envPrefix:"PICOCLAW_TOOLS_SPAWN_STATUS_"` SPI ToolConfig `json:"spi" envPrefix:"PICOCLAW_TOOLS_SPI_"` Subagent ToolConfig `json:"subagent" envPrefix:"PICOCLAW_TOOLS_SUBAGENT_"` WebFetch ToolConfig `json:"web_fetch" envPrefix:"PICOCLAW_TOOLS_WEB_FETCH_"` @@ -1112,6 +1113,8 @@ func (t *ToolsConfig) IsToolEnabled(name string) bool { return t.ReadFile.Enabled case "spawn": return t.Spawn.Enabled + case "spawn_status": + return t.SpawnStatus.Enabled case "spi": return t.SPI.Enabled case "subagent": diff --git a/pkg/config/defaults.go b/pkg/config/defaults.go index a029eeb59..2b177d5de 100644 --- a/pkg/config/defaults.go +++ b/pkg/config/defaults.go @@ -522,6 +522,9 @@ func DefaultConfig() *Config { Spawn: ToolConfig{ Enabled: true, }, + SpawnStatus: ToolConfig{ + Enabled: false, + }, SPI: ToolConfig{ Enabled: false, // Hardware tool - Linux only }, diff --git a/pkg/tools/spawn_status.go b/pkg/tools/spawn_status.go new file mode 100644 index 000000000..416fd2226 --- /dev/null +++ b/pkg/tools/spawn_status.go @@ -0,0 +1,178 @@ +package tools + +import ( + "context" + "fmt" + "sort" + "strings" + "time" +) + +// SpawnStatusTool reports the status of subagents that were spawned via the +// spawn tool. It can query a specific task by ID, or list every known task with +// a summary count broken-down by status. +type SpawnStatusTool struct { + manager *SubagentManager +} + +// NewSpawnStatusTool creates a SpawnStatusTool backed by the given manager. +func NewSpawnStatusTool(manager *SubagentManager) *SpawnStatusTool { + return &SpawnStatusTool{manager: manager} +} + +func (t *SpawnStatusTool) Name() string { + return "spawn_status" +} + +func (t *SpawnStatusTool) Description() string { + return "Get the status of spawned subagents. " + + "Returns a list of all subagents and their current state " + + "(running, completed, failed, or canceled), or retrieves details " + + "for a specific subagent task when task_id is provided. " + + "Results are scoped to the current conversation's channel and chat ID; " + + "all tasks are listed only when no channel/chat context is injected " + + "(e.g. direct programmatic calls via Execute)." +} + +func (t *SpawnStatusTool) Parameters() map[string]any { + return map[string]any{ + "type": "object", + "properties": map[string]any{ + "task_id": map[string]any{ + "type": "string", + "description": "Optional task ID (e.g. \"subagent-1\") to inspect a specific " + + "subagent. When omitted, all visible subagents are listed.", + }, + }, + "required": []string{}, + } +} + +func (t *SpawnStatusTool) Execute(ctx context.Context, args map[string]any) *ToolResult { + if t.manager == nil { + return ErrorResult("Subagent manager not configured") + } + + // Derive the calling conversation's identity so we can scope results to the + // current chat only — preventing cross-conversation task leakage in + // multi-user deployments. + callerChannel := ToolChannel(ctx) + callerChatID := ToolChatID(ctx) + + var taskID string + if rawTaskID, ok := args["task_id"]; ok && rawTaskID != nil { + taskIDStr, ok := rawTaskID.(string) + if !ok { + return ErrorResult("task_id must be a string") + } + taskID = strings.TrimSpace(taskIDStr) + } + + if taskID != "" { + // GetTaskCopy returns a consistent snapshot under the manager lock, + // eliminating any data race with the concurrent subagent goroutine. + taskCopy, ok := t.manager.GetTaskCopy(taskID) + if !ok { + return ErrorResult(fmt.Sprintf("No subagent found with task ID: %s", taskID)) + } + + // Restrict lookup to tasks that belong to this conversation. + if callerChannel != "" && taskCopy.OriginChannel != "" && taskCopy.OriginChannel != callerChannel { + return ErrorResult(fmt.Sprintf("No subagent found with task ID: %s", taskID)) + } + if callerChatID != "" && taskCopy.OriginChatID != "" && taskCopy.OriginChatID != callerChatID { + return ErrorResult(fmt.Sprintf("No subagent found with task ID: %s", taskID)) + } + + return NewToolResult(spawnStatusFormatTask(&taskCopy)) + } + + // ListTaskCopies returns consistent snapshots under the manager lock. + origTasks := t.manager.ListTaskCopies() + if len(origTasks) == 0 { + return NewToolResult("No subagents have been spawned yet.") + } + + tasks := make([]*SubagentTask, 0, len(origTasks)) + for i := range origTasks { + cpy := &origTasks[i] + + // Filter to tasks that originate from the current conversation only. + if callerChannel != "" && cpy.OriginChannel != "" && cpy.OriginChannel != callerChannel { + continue + } + if callerChatID != "" && cpy.OriginChatID != "" && cpy.OriginChatID != callerChatID { + continue + } + + tasks = append(tasks, cpy) + } + + if len(tasks) == 0 { + return NewToolResult("No subagents found for this conversation.") + } + + // Order by creation time (ascending) so spawning order is preserved. + // Fall back to ID string for tasks created in the same millisecond. + sort.Slice(tasks, func(i, j int) bool { + if tasks[i].Created != tasks[j].Created { + return tasks[i].Created < tasks[j].Created + } + return tasks[i].ID < tasks[j].ID + }) + + counts := map[string]int{} + for _, task := range tasks { + counts[task.Status]++ + } + + var sb strings.Builder + sb.WriteString(fmt.Sprintf("Subagent status report (%d total):\n", len(tasks))) + for _, status := range []string{"running", "completed", "failed", "canceled"} { + if n := counts[status]; n > 0 { + label := strings.ToUpper(status[:1]) + status[1:] + ":" + sb.WriteString(fmt.Sprintf(" %-10s %d\n", label, n)) + } + } + sb.WriteString("\n") + + for _, task := range tasks { + sb.WriteString(spawnStatusFormatTask(task)) + sb.WriteString("\n\n") + } + + return NewToolResult(strings.TrimRight(sb.String(), "\n")) +} + +// spawnStatusFormatTask renders a single SubagentTask as a human-readable block. +func spawnStatusFormatTask(task *SubagentTask) string { + var sb strings.Builder + + header := fmt.Sprintf("[%s] status=%s", task.ID, task.Status) + if task.Label != "" { + header += fmt.Sprintf(" label=%q", task.Label) + } + if task.AgentID != "" { + header += fmt.Sprintf(" agent=%s", task.AgentID) + } + if task.Created > 0 { + created := time.UnixMilli(task.Created).UTC().Format("2006-01-02 15:04:05 UTC") + header += fmt.Sprintf(" created=%s", created) + } + sb.WriteString(header) + + if task.Task != "" { + sb.WriteString(fmt.Sprintf("\n task: %s", task.Task)) + } + if task.Result != "" { + result := task.Result + const maxResultLen = 300 + runes := []rune(result) + if len(runes) > maxResultLen { + result = string(runes[:maxResultLen]) + "…" + } + sb.WriteString(fmt.Sprintf("\n result: %s", result)) + } + + return sb.String() +} diff --git a/pkg/tools/spawn_status_test.go b/pkg/tools/spawn_status_test.go new file mode 100644 index 000000000..9c772d61a --- /dev/null +++ b/pkg/tools/spawn_status_test.go @@ -0,0 +1,406 @@ +package tools + +import ( + "context" + "fmt" + "strings" + "testing" + "time" +) + +func TestSpawnStatusTool_Name(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + if tool.Name() != "spawn_status" { + t.Errorf("Expected name 'spawn_status', got '%s'", tool.Name()) + } +} + +func TestSpawnStatusTool_Description(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + desc := tool.Description() + if desc == "" { + t.Error("Description should not be empty") + } + if !strings.Contains(strings.ToLower(desc), "subagent") { + t.Errorf("Description should mention 'subagent', got: %s", desc) + } +} + +func TestSpawnStatusTool_Parameters(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + params := tool.Parameters() + if params["type"] != "object" { + t.Errorf("Expected type 'object', got: %v", params["type"]) + } + props, ok := params["properties"].(map[string]any) + if !ok { + t.Fatal("Expected 'properties' to be a map") + } + if _, hasTaskID := props["task_id"]; !hasTaskID { + t.Error("Expected 'task_id' parameter in properties") + } +} + +func TestSpawnStatusTool_NilManager(t *testing.T) { + tool := &SpawnStatusTool{manager: nil} + result := tool.Execute(context.Background(), map[string]any{}) + if !result.IsError { + t.Error("Expected error result when manager is nil") + } +} + +func TestSpawnStatusTool_Empty(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + result := tool.Execute(context.Background(), map[string]any{}) + if result.IsError { + t.Fatalf("Expected success, got error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "No subagents") { + t.Errorf("Expected 'No subagents' message, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ListAll(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + + now := time.Now().UnixMilli() + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", + Task: "Do task A", + Label: "task-a", + Status: "running", + Created: now, + } + manager.tasks["subagent-2"] = &SubagentTask{ + ID: "subagent-2", + Task: "Do task B", + Label: "task-b", + Status: "completed", + Result: "Done successfully", + Created: now, + } + manager.tasks["subagent-3"] = &SubagentTask{ + ID: "subagent-3", + Task: "Do task C", + Status: "failed", + Result: "Error: something went wrong", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{}) + + if result.IsError { + t.Fatalf("Expected success, got error: %s", result.ForLLM) + } + + // Summary header + if !strings.Contains(result.ForLLM, "3 total") { + t.Errorf("Expected total count in header, got: %s", result.ForLLM) + } + + // Individual task IDs + for _, id := range []string{"subagent-1", "subagent-2", "subagent-3"} { + if !strings.Contains(result.ForLLM, id) { + t.Errorf("Expected task %s in output, got:\n%s", id, result.ForLLM) + } + } + + // Status values + for _, status := range []string{"running", "completed", "failed"} { + if !strings.Contains(result.ForLLM, status) { + t.Errorf("Expected status '%s' in output, got:\n%s", status, result.ForLLM) + } + } + + // Result content + if !strings.Contains(result.ForLLM, "Done successfully") { + t.Errorf("Expected result text in output, got:\n%s", result.ForLLM) + } +} + +func TestSpawnStatusTool_GetByID(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-42"] = &SubagentTask{ + ID: "subagent-42", + Task: "Specific task", + Label: "my-task", + Status: "failed", + Result: "Something went wrong", + Created: time.Now().UnixMilli(), + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{"task_id": "subagent-42"}) + + if result.IsError { + t.Fatalf("Expected success, got error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "subagent-42") { + t.Errorf("Expected task ID in output, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "failed") { + t.Errorf("Expected status 'failed' in output, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "Something went wrong") { + t.Errorf("Expected result text in output, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "my-task") { + t.Errorf("Expected label in output, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_GetByID_NotFound(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + tool := NewSpawnStatusTool(manager) + + result := tool.Execute(context.Background(), map[string]any{"task_id": "nonexistent-999"}) + if !result.IsError { + t.Errorf("Expected error for nonexistent task, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "nonexistent-999") { + t.Errorf("Expected task ID in error message, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_TaskID_NonString(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + tool := NewSpawnStatusTool(manager) + + for _, badVal := range []any{42, 3.14, true, map[string]any{"x": 1}, []string{"a"}} { + result := tool.Execute(context.Background(), map[string]any{"task_id": badVal}) + if !result.IsError { + t.Errorf("Expected error for task_id=%T(%v), got success: %s", badVal, badVal, result.ForLLM) + } + if !strings.Contains(result.ForLLM, "task_id must be a string") { + t.Errorf("Expected type-error message, got: %s", result.ForLLM) + } + } +} + +func TestSpawnStatusTool_ResultTruncation(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + longResult := strings.Repeat("X", 500) + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", + Task: "Long task", + Status: "completed", + Result: longResult, + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{"task_id": "subagent-1"}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + // Output should be shorter than the raw result due to truncation + if len(result.ForLLM) >= len(longResult) { + t.Errorf("Expected result to be truncated, but ForLLM is %d chars", len(result.ForLLM)) + } + if !strings.Contains(result.ForLLM, "…") { + t.Errorf("Expected truncation indicator '…' in output, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ResultTruncation_Unicode(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + // Each CJK rune is 3 bytes; 400 runes = 1200 bytes — well over the 300-rune limit. + cjkChar := string(rune(0x5b57)) + longResult := strings.Repeat(cjkChar, 400) + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", + Task: "Unicode task", + Status: "completed", + Result: longResult, + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{"task_id": "subagent-1"}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "…") { + t.Errorf("Expected truncation indicator in output") + } + // The truncated result must be valid UTF-8 (no split rune boundaries). + if !strings.Contains(result.ForLLM, cjkChar) { + t.Errorf("Expected CJK runes to appear intact in output") + } +} + +func TestSpawnStatusTool_StatusCounts(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + for i, status := range []string{"running", "running", "completed", "failed", "canceled"} { + id := fmt.Sprintf("subagent-%d", i+1) + manager.tasks[id] = &SubagentTask{ID: id, Task: "t", Status: status} + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + // The summary line should mention all statuses that have counts + for _, want := range []string{"Running:", "Completed:", "Failed:", "Canceled:"} { + if !strings.Contains(result.ForLLM, want) { + t.Errorf("Expected %q in summary, got:\n%s", want, result.ForLLM) + } + } +} + +func TestSpawnStatusTool_SortByCreatedTimestamp(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + now := time.Now().UnixMilli() + manager.mu.Lock() + // Intentionally insert with out-of-order IDs and timestamps that reflect + // true spawn order: subagent-2 was spawned first, subagent-10 second. + manager.tasks["subagent-10"] = &SubagentTask{ + ID: "subagent-10", Task: "second", Status: "running", + Created: now + 1, + } + manager.tasks["subagent-2"] = &SubagentTask{ + ID: "subagent-2", Task: "first", Status: "running", + Created: now, + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + + pos2 := strings.Index(result.ForLLM, "subagent-2") + pos10 := strings.Index(result.ForLLM, "subagent-10") + if pos2 < 0 || pos10 < 0 { + t.Fatalf("Both task IDs should appear in output:\n%s", result.ForLLM) + } + if pos2 > pos10 { + t.Errorf("Expected subagent-2 (created first) to appear before subagent-10, but got:\n%s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ChannelFiltering_ListAll(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", Task: "mine", Status: "running", + OriginChannel: "telegram", OriginChatID: "chat-A", + } + manager.tasks["subagent-2"] = &SubagentTask{ + ID: "subagent-2", Task: "other user", Status: "running", + OriginChannel: "telegram", OriginChatID: "chat-B", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + + // Caller is chat-A — should only see subagent-1. + ctx := WithToolContext(context.Background(), "telegram", "chat-A") + result := tool.Execute(ctx, map[string]any{}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "subagent-1") { + t.Errorf("Expected own task in output, got:\n%s", result.ForLLM) + } + if strings.Contains(result.ForLLM, "subagent-2") { + t.Errorf("Should NOT see other chat's task, got:\n%s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ChannelFiltering_GetByID(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-99"] = &SubagentTask{ + ID: "subagent-99", Task: "secret", Status: "completed", Result: "private data", + OriginChannel: "slack", OriginChatID: "room-Z", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + + // Different chat trying to look up subagent-99 by ID. + ctx := WithToolContext(context.Background(), "slack", "room-OTHER") + result := tool.Execute(ctx, map[string]any{"task_id": "subagent-99"}) + + if !result.IsError { + t.Errorf("Expected error (cross-chat lookup blocked), got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ChannelFiltering_NoContext(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", Task: "t", Status: "completed", + OriginChannel: "telegram", OriginChatID: "chat-A", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + + // No ToolContext injected (e.g. a direct programmatic call that bypasses + // WithToolContext entirely) — callerChannel and callerChatID are both "". + // Note: the normal CLI path uses ProcessDirectWithChannel("cli", "direct"), + // which *does* inject a non-empty context; this test covers the case where + // no context injection happens at all. + // The filter conditions require a non-empty caller value, so all tasks pass through. + result := tool.Execute(context.Background(), map[string]any{}) + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "subagent-1") { + t.Errorf("Expected task visible from no-context caller, got:\n%s", result.ForLLM) + } +} diff --git a/pkg/tools/subagent.go b/pkg/tools/subagent.go index e51cbaafa..c37a5ee0f 100644 --- a/pkg/tools/subagent.go +++ b/pkg/tools/subagent.go @@ -109,9 +109,6 @@ func (sm *SubagentManager) Spawn( } func (sm *SubagentManager) runTask(ctx context.Context, task *SubagentTask, callback AsyncCallback) { - task.Status = "running" - task.Created = time.Now().UnixMilli() - // Build system prompt for subagent systemPrompt := `You are a subagent. Complete the given task independently and report the result. You have access to tools - use them as needed to complete your task. @@ -219,6 +216,18 @@ func (sm *SubagentManager) GetTask(taskID string) (*SubagentTask, bool) { return task, ok } +// GetTaskCopy returns a copy of the task with the given ID, taken under the +// read lock, so the caller receives a consistent snapshot with no data race. +func (sm *SubagentManager) GetTaskCopy(taskID string) (SubagentTask, bool) { + sm.mu.RLock() + defer sm.mu.RUnlock() + task, ok := sm.tasks[taskID] + if !ok { + return SubagentTask{}, false + } + return *task, true +} + func (sm *SubagentManager) ListTasks() []*SubagentTask { sm.mu.RLock() defer sm.mu.RUnlock() @@ -230,6 +239,19 @@ func (sm *SubagentManager) ListTasks() []*SubagentTask { return tasks } +// ListTaskCopies returns value copies of all tasks, taken under the read lock, +// so callers receive consistent snapshots with no data race. +func (sm *SubagentManager) ListTaskCopies() []SubagentTask { + sm.mu.RLock() + defer sm.mu.RUnlock() + + copies := make([]SubagentTask, 0, len(sm.tasks)) + for _, task := range sm.tasks { + copies = append(copies, *task) + } + return copies +} + // SubagentTool executes a subagent task synchronously and returns the result. // Unlike SpawnTool which runs tasks asynchronously, SubagentTool waits for completion // and returns the result directly in the ToolResult. diff --git a/web/backend/api/tools.go b/web/backend/api/tools.go index 373a3be12..9df4a7091 100644 --- a/web/backend/api/tools.go +++ b/web/backend/api/tools.go @@ -118,6 +118,12 @@ var toolCatalog = []toolCatalogEntry{ Category: "agents", ConfigKey: "spawn", }, + { + Name: "spawn_status", + Description: "Query the status of spawned subagents.", + Category: "agents", + ConfigKey: "spawn_status", + }, { Name: "i2c", Description: "Interact with I2C hardware devices exposed on the host.", @@ -205,7 +211,7 @@ func buildToolSupport(cfg *config.Config) []toolSupportItem { reasonCode = "requires_skills" } } - case "spawn": + case "spawn", "spawn_status": if cfg.Tools.IsToolEnabled(entry.ConfigKey) { if cfg.Tools.IsToolEnabled("subagent") { status = "enabled" @@ -300,6 +306,12 @@ func applyToolState(cfg *config.Config, toolName string, enabled bool) error { if enabled { cfg.Tools.Subagent.Enabled = true } + case "spawn_status": + cfg.Tools.SpawnStatus.Enabled = enabled + if enabled { + cfg.Tools.Spawn.Enabled = true + cfg.Tools.Subagent.Enabled = true + } case "i2c": cfg.Tools.I2C.Enabled = enabled case "spi": From 0499cdab72ea13f74100b9bcf57d9cf88a4ba1d4 Mon Sep 17 00:00:00 2001 From: wenjie Date: Tue, 17 Mar 2026 15:23:49 +0800 Subject: [PATCH 33/44] build: use WEB_GO for web targets and preserve backend dist directory (#1671) Separate web Go commands from the default Go toolchain so web builds, tests, and vet can enable CGO on Darwin without affecting the rest of the project. Also ensure frontend backend builds recreate backend/dist with a .gitkeep file so the embedded output directory remains tracked. --- Makefile | 8 +++++-- web/Makefile | 21 ++++++++++--------- web/frontend/package.json | 2 +- .../scripts/ensure-backend-gitkeep.cjs | 9 ++++++++ 4 files changed, 27 insertions(+), 13 deletions(-) create mode 100644 web/frontend/scripts/ensure-backend-gitkeep.cjs diff --git a/Makefile b/Makefile index 4f4a7a6cb..1c6b73591 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,7 @@ LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COM # Go variables GO?=CGO_ENABLED=0 go +WEB_GO?=$(GO) GOFLAGS?=-v -tags stdjson # Patch MIPS LE ELF e_flags (offset 36) for NaN2008-only kernels (e.g. Ingenic X2600). @@ -79,6 +80,7 @@ ifeq ($(UNAME_S),Linux) endif else ifeq ($(UNAME_S),Darwin) PLATFORM=darwin + WEB_GO=CGO_ENABLED=1 go ifeq ($(UNAME_M),x86_64) ARCH=amd64 else ifeq ($(UNAME_M),arm64) @@ -119,7 +121,7 @@ build-launcher: echo "Building frontend..."; \ cd web/frontend && pnpm install && pnpm build:backend; \ fi - @$(GO) build $(GOFLAGS) -o $(BUILD_DIR)/picoclaw-launcher-$(PLATFORM)-$(ARCH) ./web/backend + @$(WEB_GO) build $(GOFLAGS) -o $(BUILD_DIR)/picoclaw-launcher-$(PLATFORM)-$(ARCH) ./web/backend @ln -sf picoclaw-launcher-$(PLATFORM)-$(ARCH) $(BUILD_DIR)/picoclaw-launcher @echo "Build complete: $(BUILD_DIR)/picoclaw-launcher" @@ -219,7 +221,9 @@ clean: ## vet: Run go vet for static analysis vet: generate - @$(GO) vet ./... + @packages="$$(go list ./...)" && \ + $(GO) vet $$(printf '%s\n' "$$packages" | grep -v '^github.com/sipeed/picoclaw/web/') + @cd web/backend && $(WEB_GO) vet ./... ## test: Test Go code test: generate diff --git a/web/Makefile b/web/Makefile index 653dd77e1..5943924f2 100644 --- a/web/Makefile +++ b/web/Makefile @@ -1,17 +1,18 @@ .PHONY: dev dev-frontend dev-backend build test lint clean +# Go variables +GO?=CGO_ENABLED=0 go +WEB_GO?=$(GO) +GOFLAGS?=-v -tags stdjson + # Version VERSION?=$(shell git describe --tags --always --dirty 2>/dev/null || echo "dev") GIT_COMMIT=$(shell git rev-parse --short=8 HEAD 2>/dev/null || echo "dev") BUILD_TIME=$(shell date +%FT%T%z) -GO_VERSION=$(shell $(GO) version | awk '{print $$3}') +GO_VERSION=$(shell $(WEB_GO) version | awk '{print $$3}') CONFIG_PKG=github.com/sipeed/picoclaw/pkg/config LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w -# Go variables -GO?=CGO_ENABLED=0 go -GOFLAGS?=-v -tags stdjson - # OS detection UNAME_S:=$(shell uname -s) @@ -37,7 +38,7 @@ ifeq ($(UNAME_S),Linux) endif else ifeq ($(UNAME_S),Darwin) PLATFORM=darwin - GO=CGO_ENABLED=1 go + WEB_GO=CGO_ENABLED=1 go ifeq ($(UNAME_M),x86_64) ARCH=amd64 else ifeq ($(UNAME_M),arm64) @@ -69,21 +70,21 @@ dev-frontend: # Start backend dev server dev-backend: - cd backend && ${GO} run -ldflags "$(LDFLAGS)" . + cd backend && ${WEB_GO} run -ldflags "$(LDFLAGS)" . # Build frontend and embed into Go binary build: cd frontend && pnpm build:backend - cd backend && ${GO} build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o picoclaw-web . + cd backend && ${WEB_GO} build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o picoclaw-web . # Run all tests test: - cd backend && ${GO} test ./... + cd backend && ${WEB_GO} test ./... cd frontend && pnpm lint # Lint and format lint: - cd backend && ${GO} vet ./... + cd backend && ${WEB_GO} vet ./... cd frontend && pnpm check # Clean build artifacts diff --git a/web/frontend/package.json b/web/frontend/package.json index 973586519..2e0e37117 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -6,7 +6,7 @@ "scripts": { "dev": "vite", "build": "tsc -b && vite build", - "build:backend": "tsc -b && vite build --outDir ../backend/dist --emptyOutDir", + "build:backend": "tsc -b && vite build --outDir ../backend/dist --emptyOutDir && node ./scripts/ensure-backend-gitkeep.cjs", "lint": "eslint .", "preview": "vite preview", "format": "prettier --check .", diff --git a/web/frontend/scripts/ensure-backend-gitkeep.cjs b/web/frontend/scripts/ensure-backend-gitkeep.cjs new file mode 100644 index 000000000..db9782ab4 --- /dev/null +++ b/web/frontend/scripts/ensure-backend-gitkeep.cjs @@ -0,0 +1,9 @@ +const fs = require("node:fs") +const path = require("node:path") + +const gitkeepPath = path.resolve(__dirname, "../../backend/dist/.gitkeep") +const gitkeepContents = + "# Keep the embedded web backend dist directory in version control.\n" + +fs.mkdirSync(path.dirname(gitkeepPath), { recursive: true }) +fs.writeFileSync(gitkeepPath, gitkeepContents) From 11207186c8d99e4286ad8fb8a6e3c7dee0974c05 Mon Sep 17 00:00:00 2001 From: Liu Yuan Date: Tue, 17 Mar 2026 17:36:06 +0800 Subject: [PATCH 34/44] fix: proxy WebSocket through web server port (#1665) - Modify buildWsURL to use web server port (18800) instead of gateway port (18790) - Add WebSocket proxy handler to forward /pico/ws to gateway - Gateway port is read from config (cfg.Gateway.Port), defaults to 18790 - This allows WebSocket connections through the same port as the web UI, avoiding the need to expose extra ports for Tailscale/Docker --- web/backend/api/gateway_host.go | 8 ++++++- web/backend/api/gateway_host_test.go | 16 ++++++------- web/backend/api/pico.go | 35 ++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 9 deletions(-) diff --git a/web/backend/api/gateway_host.go b/web/backend/api/gateway_host.go index 5ef3ba2c5..8dde29b76 100644 --- a/web/backend/api/gateway_host.go +++ b/web/backend/api/gateway_host.go @@ -80,5 +80,11 @@ func (h *Handler) buildWsURL(r *http.Request, cfg *config.Config) string { if host == "" || host == "0.0.0.0" { host = requestHostName(r) } - return requestWSScheme(r) + "://" + net.JoinHostPort(host, strconv.Itoa(cfg.Gateway.Port)) + "/pico/ws" + // Use web server port instead of gateway port to avoid exposing extra ports + // The WebSocket connection will be proxied by the backend to the gateway + wsPort := h.serverPort + if wsPort == 0 { + wsPort = 18800 // default web server port + } + return requestWSScheme(r) + "://" + net.JoinHostPort(host, strconv.Itoa(wsPort)) + "/pico/ws" } diff --git a/web/backend/api/gateway_host_test.go b/web/backend/api/gateway_host_test.go index 43e84ff0e..3fffeb893 100644 --- a/web/backend/api/gateway_host_test.go +++ b/web/backend/api/gateway_host_test.go @@ -48,8 +48,8 @@ func TestBuildWsURLUsesRequestHostWhenLauncherPublicSaved(t *testing.T) { req := httptest.NewRequest("GET", "http://launcher.local/api/pico/token", nil) req.Host = "192.168.1.9:18800" - if got := h.buildWsURL(req, cfg); got != "ws://192.168.1.9:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "ws://192.168.1.9:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "ws://192.168.1.9:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "ws://192.168.1.9:18800/pico/ws") } } @@ -71,8 +71,8 @@ func TestBuildWsURLUsesWSSWhenForwardedProtoIsHTTPS(t *testing.T) { req.Host = "chat.example.com" req.Header.Set("X-Forwarded-Proto", "https") - if got := h.buildWsURL(req, cfg); got != "wss://chat.example.com:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "wss://chat.example.com:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "wss://chat.example.com:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://chat.example.com:18800/pico/ws") } } @@ -88,8 +88,8 @@ func TestBuildWsURLUsesWSSWhenRequestIsTLS(t *testing.T) { req.Host = "secure.example.com" req.TLS = &tls.ConnectionState{} - if got := h.buildWsURL(req, cfg); got != "wss://secure.example.com:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "wss://secure.example.com:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "wss://secure.example.com:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://secure.example.com:18800/pico/ws") } } @@ -106,7 +106,7 @@ func TestBuildWsURLPrefersForwardedHTTPOverTLS(t *testing.T) { req.TLS = &tls.ConnectionState{} req.Header.Set("X-Forwarded-Proto", "http") - if got := h.buildWsURL(req, cfg); got != "ws://chat.example.com:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "ws://chat.example.com:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "ws://chat.example.com:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "ws://chat.example.com:18800/pico/ws") } } diff --git a/web/backend/api/pico.go b/web/backend/api/pico.go index 2d2201e16..d11f7bc5e 100644 --- a/web/backend/api/pico.go +++ b/web/backend/api/pico.go @@ -6,6 +6,8 @@ import ( "encoding/json" "fmt" "net/http" + "net/http/httputil" + "net/url" "time" "github.com/sipeed/picoclaw/pkg/config" @@ -16,6 +18,39 @@ func (h *Handler) registerPicoRoutes(mux *http.ServeMux) { mux.HandleFunc("GET /api/pico/token", h.handleGetPicoToken) mux.HandleFunc("POST /api/pico/token", h.handleRegenPicoToken) mux.HandleFunc("POST /api/pico/setup", h.handlePicoSetup) + + // WebSocket proxy: forward /pico/ws to gateway + // This allows the frontend to connect via the same port as the web UI, + // avoiding the need to expose extra ports for WebSocket communication. + wsProxy := h.createWsProxy() + mux.HandleFunc("GET /pico/ws", h.handleWebSocketProxy(wsProxy)) +} + +// createWsProxy creates a reverse proxy to the gateway WebSocket endpoint. +// The gateway port is read from the configuration. +func (h *Handler) createWsProxy() *httputil.ReverseProxy { + cfg, err := config.LoadConfig(h.configPath) + gatewayPort := 18790 // default + if err == nil && cfg.Gateway.Port != 0 { + gatewayPort = cfg.Gateway.Port + } + gatewayURL, _ := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", gatewayPort)) + wsProxy := httputil.NewSingleHostReverseProxy(gatewayURL) + wsProxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) { + http.Error(w, "Gateway unavailable: "+err.Error(), http.StatusBadGateway) + } + return wsProxy +} + +// handleWebSocketProxy wraps a reverse proxy to handle WebSocket connections. +// It ensures the Connection and Upgrade headers are properly forwarded. +func (h *Handler) handleWebSocketProxy(proxy *httputil.ReverseProxy) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + // Set headers for WebSocket upgrade + r.Header.Set("Connection", "upgrade") + r.Header.Set("Upgrade", "websocket") + proxy.ServeHTTP(w, r) + } } // handleGetPicoToken returns the current WS token and URL for the frontend. From 8a44410e378b8a4e7789e2b3941001f4bddd5ad3 Mon Sep 17 00:00:00 2001 From: wenjie Date: Tue, 17 Mar 2026 18:46:00 +0800 Subject: [PATCH 35/44] feat: add web gateway hot reload and polling state sync (#1684) * feat(gateway): support hot reload and empty startup - extract gateway runtime into pkg/gateway - add gateway.hot_reload config with default and example values - allow starting the gateway without a default model via --allow-empty - stop treating missing enabled channels as a startup error - update related tests * feat: replace gateway SSE updates with polling-based state sync - remove gateway SSE broadcasting and event endpoint - add polling-based gateway status refresh with stopping state handling - detect when gateway restart is required after default model changes - resolve gateway health and websocket proxy targets from configured host - update gateway UI labels and add backend/frontend test coverage --- cmd/picoclaw/internal/gateway/command.go | 12 +- cmd/picoclaw/internal/gateway/command_test.go | 1 + config/config.example.json | 3 +- pkg/channels/manager.go | 1 - pkg/config/config.go | 5 +- pkg/config/config_test.go | 3 + pkg/config/defaults.go | 5 +- .../helpers.go => pkg/gateway/gateway.go | 262 ++++++++---------- web/backend/api/events.go | 80 ------ web/backend/api/gateway.go | 209 ++++---------- web/backend/api/gateway_host.go | 18 ++ web/backend/api/gateway_host_test.go | 76 +++++ web/backend/api/gateway_test.go | 129 +++++++++ web/backend/api/pico.go | 24 +- web/backend/api/pico_test.go | 77 +++++ web/backend/api/router.go | 5 +- web/backend/middleware/middleware.go | 5 +- web/backend/systray.go | 2 +- web/frontend/src/components/app-header.tsx | 34 ++- web/frontend/src/hooks/use-gateway-logs.ts | 4 +- web/frontend/src/hooks/use-gateway.ts | 138 ++------- web/frontend/src/i18n/locales/en.json | 3 +- web/frontend/src/i18n/locales/zh.json | 3 +- web/frontend/src/store/gateway.ts | 144 +++++++++- 24 files changed, 700 insertions(+), 543 deletions(-) rename cmd/picoclaw/internal/gateway/helpers.go => pkg/gateway/gateway.go (61%) delete mode 100644 web/backend/api/events.go diff --git a/cmd/picoclaw/internal/gateway/command.go b/cmd/picoclaw/internal/gateway/command.go index bfa69f072..4812f1bee 100644 --- a/cmd/picoclaw/internal/gateway/command.go +++ b/cmd/picoclaw/internal/gateway/command.go @@ -5,6 +5,8 @@ import ( "github.com/spf13/cobra" + "github.com/sipeed/picoclaw/cmd/picoclaw/internal" + "github.com/sipeed/picoclaw/pkg/gateway" "github.com/sipeed/picoclaw/pkg/logger" "github.com/sipeed/picoclaw/pkg/utils" ) @@ -12,6 +14,7 @@ import ( func NewGatewayCommand() *cobra.Command { var debug bool var noTruncate bool + var allowEmpty bool cmd := &cobra.Command{ Use: "gateway", @@ -31,12 +34,19 @@ func NewGatewayCommand() *cobra.Command { return nil }, RunE: func(_ *cobra.Command, _ []string) error { - return gatewayCmd(debug) + return gateway.Run(debug, internal.GetConfigPath(), allowEmpty) }, } cmd.Flags().BoolVarP(&debug, "debug", "d", false, "Enable debug logging") cmd.Flags().BoolVarP(&noTruncate, "no-truncate", "T", false, "Disable string truncation in debug logs") + cmd.Flags().BoolVarP( + &allowEmpty, + "allow-empty", + "E", + false, + "Continue starting even when no default model is configured", + ) return cmd } diff --git a/cmd/picoclaw/internal/gateway/command_test.go b/cmd/picoclaw/internal/gateway/command_test.go index 4d591ea67..839a7315a 100644 --- a/cmd/picoclaw/internal/gateway/command_test.go +++ b/cmd/picoclaw/internal/gateway/command_test.go @@ -28,4 +28,5 @@ func TestNewGatewayCommand(t *testing.T) { assert.True(t, cmd.HasFlags()) assert.NotNil(t, cmd.Flags().Lookup("debug")) + assert.NotNil(t, cmd.Flags().Lookup("allow-empty")) } diff --git a/config/config.example.json b/config/config.example.json index 1c11cd42a..14e209259 100644 --- a/config/config.example.json +++ b/config/config.example.json @@ -518,6 +518,7 @@ }, "gateway": { "host": "127.0.0.1", - "port": 18790 + "port": 18790, + "hot_reload": false } } diff --git a/pkg/channels/manager.go b/pkg/channels/manager.go index df430e4d3..8121525ab 100644 --- a/pkg/channels/manager.go +++ b/pkg/channels/manager.go @@ -357,7 +357,6 @@ func (m *Manager) StartAll(ctx context.Context) error { if len(m.channels) == 0 { logger.WarnC("channels", "No channels enabled") - return errors.New("no channels enabled") } logger.InfoC("channels", "Starting all channels") diff --git a/pkg/config/config.go b/pkg/config/config.go index 35de48f23..6694ef3a1 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -625,8 +625,9 @@ func (c *ModelConfig) Validate() error { } type GatewayConfig struct { - Host string `json:"host" env:"PICOCLAW_GATEWAY_HOST"` - Port int `json:"port" env:"PICOCLAW_GATEWAY_PORT"` + Host string `json:"host" env:"PICOCLAW_GATEWAY_HOST"` + Port int `json:"port" env:"PICOCLAW_GATEWAY_PORT"` + HotReload bool `json:"hot_reload" env:"PICOCLAW_GATEWAY_HOT_RELOAD"` } type ToolDiscoveryConfig struct { diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index fc835f78f..f4f8979e1 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -267,6 +267,9 @@ func TestDefaultConfig_Gateway(t *testing.T) { if cfg.Gateway.Port == 0 { t.Error("Gateway port should have default value") } + if cfg.Gateway.HotReload { + t.Error("Gateway hot reload should be disabled by default") + } } // TestDefaultConfig_Providers verifies provider structure diff --git a/pkg/config/defaults.go b/pkg/config/defaults.go index 2b177d5de..90a99408e 100644 --- a/pkg/config/defaults.go +++ b/pkg/config/defaults.go @@ -395,8 +395,9 @@ func DefaultConfig() *Config { }, }, Gateway: GatewayConfig{ - Host: "127.0.0.1", - Port: 18790, + Host: "127.0.0.1", + Port: 18790, + HotReload: false, }, Tools: ToolsConfig{ MediaCleanup: MediaCleanupConfig{ diff --git a/cmd/picoclaw/internal/gateway/helpers.go b/pkg/gateway/gateway.go similarity index 61% rename from cmd/picoclaw/internal/gateway/helpers.go rename to pkg/gateway/gateway.go index 85e93bcf9..6745d1748 100644 --- a/cmd/picoclaw/internal/gateway/helpers.go +++ b/pkg/gateway/gateway.go @@ -10,7 +10,6 @@ import ( "syscall" "time" - "github.com/sipeed/picoclaw/cmd/picoclaw/internal" "github.com/sipeed/picoclaw/pkg/agent" "github.com/sipeed/picoclaw/pkg/bus" "github.com/sipeed/picoclaw/pkg/channels" @@ -42,15 +41,13 @@ import ( "github.com/sipeed/picoclaw/pkg/voice" ) -// Timeout constants for service operations const ( serviceShutdownTimeout = 30 * time.Second providerReloadTimeout = 30 * time.Second gracefulShutdownTimeout = 15 * time.Second ) -// gatewayServices holds references to all running services -type gatewayServices struct { +type services struct { CronService *cron.CronService HeartbeatService *heartbeat.HeartbeatService MediaStore media.MediaStore @@ -59,24 +56,41 @@ type gatewayServices struct { HealthServer *health.Server } -func gatewayCmd(debug bool) error { +type startupBlockedProvider struct { + reason string +} + +func (p *startupBlockedProvider) Chat( + _ context.Context, + _ []providers.Message, + _ []providers.ToolDefinition, + _ string, + _ map[string]any, +) (*providers.LLMResponse, error) { + return nil, fmt.Errorf("%s", p.reason) +} + +func (p *startupBlockedProvider) GetDefaultModel() string { + return "" +} + +// Run starts the gateway runtime using the configuration loaded from configPath. +func Run(debug bool, configPath string, allowEmptyStartup bool) error { if debug { logger.SetLevel(logger.DEBUG) fmt.Println("🔍 Debug mode enabled") } - configPath := internal.GetConfigPath() - cfg, err := internal.LoadConfig() + cfg, err := config.LoadConfig(configPath) if err != nil { return fmt.Errorf("error loading config: %w", err) } - provider, modelID, err := providers.CreateProvider(cfg) + provider, modelID, err := createStartupProvider(cfg, allowEmptyStartup) if err != nil { return fmt.Errorf("error creating provider: %w", err) } - // Use the resolved model ID from provider creation if modelID != "" { cfg.Agents.Defaults.ModelName = modelID } @@ -84,17 +98,13 @@ func gatewayCmd(debug bool) error { msgBus := bus.NewMessageBus() agentLoop := agent.NewAgentLoop(cfg, msgBus, provider) - // Print agent startup info fmt.Println("\n📦 Agent Status:") startupInfo := agentLoop.GetStartupInfo() toolsInfo := startupInfo["tools"].(map[string]any) skillsInfo := startupInfo["skills"].(map[string]any) fmt.Printf(" • Tools: %d loaded\n", toolsInfo["count"]) - fmt.Printf(" • Skills: %d/%d available\n", - skillsInfo["available"], - skillsInfo["total"]) + fmt.Printf(" • Skills: %d/%d available\n", skillsInfo["available"], skillsInfo["total"]) - // Log to file as well logger.InfoCF("agent", "Agent initialized", map[string]any{ "tools_count": toolsInfo["count"], @@ -102,8 +112,7 @@ func gatewayCmd(debug bool) error { "skills_available": skillsInfo["available"], }) - // Setup and start all services - services, err := setupAndStartServices(cfg, agentLoop, msgBus) + runningServices, err := setupAndStartServices(cfg, agentLoop, msgBus) if err != nil { return err } @@ -116,23 +125,25 @@ func gatewayCmd(debug bool) error { go agentLoop.Run(ctx) - // Setup config file watcher for hot reload - configReloadChan, stopWatch := setupConfigWatcherPolling(configPath, debug) + var configReloadChan <-chan *config.Config + stopWatch := func() {} + if cfg.Gateway.HotReload { + configReloadChan, stopWatch = setupConfigWatcherPolling(configPath, debug) + logger.Info("Config hot reload enabled") + } defer stopWatch() sigChan := make(chan os.Signal, 1) signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM) - // Main event loop - wait for signals or config changes for { select { case <-sigChan: logger.Info("Shutting down...") - shutdownGateway(services, agentLoop, provider, true) + shutdownGateway(runningServices, agentLoop, provider, true) return nil - case newCfg := <-configReloadChan: - err := handleConfigReload(ctx, agentLoop, newCfg, &provider, services, msgBus) + err := handleConfigReload(ctx, agentLoop, newCfg, &provider, runningServices, msgBus, allowEmptyStartup) if err != nil { logger.Errorf("Config reload failed: %v", err) } @@ -140,18 +151,33 @@ func gatewayCmd(debug bool) error { } } -// setupAndStartServices initializes and starts all services +func createStartupProvider( + cfg *config.Config, + allowEmptyStartup bool, +) (providers.LLMProvider, string, error) { + modelName := cfg.Agents.Defaults.GetModelName() + if modelName == "" && allowEmptyStartup { + reason := "no default model configured; gateway started in limited mode" + fmt.Printf("⚠ Warning: %s\n", reason) + logger.WarnCF("gateway", "Gateway started without default model", map[string]any{ + "limited_mode": true, + }) + return &startupBlockedProvider{reason: reason}, "", nil + } + + return providers.CreateProvider(cfg) +} + func setupAndStartServices( cfg *config.Config, agentLoop *agent.AgentLoop, msgBus *bus.MessageBus, -) (*gatewayServices, error) { - services := &gatewayServices{} +) (*services, error) { + runningServices := &services{} - // Setup cron tool and service execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute var err error - services.CronService, err = setupCronTool( + runningServices.CronService, err = setupCronTool( agentLoop, msgBus, cfg.WorkspacePath(), @@ -162,120 +188,105 @@ func setupAndStartServices( if err != nil { return nil, fmt.Errorf("error setting up cron service: %w", err) } - if err = services.CronService.Start(); err != nil { + if err = runningServices.CronService.Start(); err != nil { return nil, fmt.Errorf("error starting cron service: %w", err) } fmt.Println("✓ Cron service started") - // Setup heartbeat service - services.HeartbeatService = heartbeat.NewHeartbeatService( + runningServices.HeartbeatService = heartbeat.NewHeartbeatService( cfg.WorkspacePath(), cfg.Heartbeat.Interval, cfg.Heartbeat.Enabled, ) - services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(createHeartbeatHandler(agentLoop)) - if err = services.HeartbeatService.Start(); err != nil { + runningServices.HeartbeatService.SetBus(msgBus) + runningServices.HeartbeatService.SetHandler(createHeartbeatHandler(agentLoop)) + if err = runningServices.HeartbeatService.Start(); err != nil { return nil, fmt.Errorf("error starting heartbeat service: %w", err) } fmt.Println("✓ Heartbeat service started") - // Create media store for file lifecycle management with TTL cleanup - services.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ + runningServices.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ Enabled: cfg.Tools.MediaCleanup.Enabled, MaxAge: time.Duration(cfg.Tools.MediaCleanup.MaxAge) * time.Minute, Interval: time.Duration(cfg.Tools.MediaCleanup.Interval) * time.Minute, }) - // Start the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Start() } - // Create channel manager - services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) + runningServices.ChannelManager, err = channels.NewManager(cfg, msgBus, runningServices.MediaStore) if err != nil { - // Stop the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Stop() } return nil, fmt.Errorf("error creating channel manager: %w", err) } - // Inject channel manager and media store into agent loop - agentLoop.SetChannelManager(services.ChannelManager) - agentLoop.SetMediaStore(services.MediaStore) + agentLoop.SetChannelManager(runningServices.ChannelManager) + agentLoop.SetMediaStore(runningServices.MediaStore) - // Wire up voice transcription if a supported provider is configured. if transcriber := voice.DetectTranscriber(cfg); transcriber != nil { agentLoop.SetTranscriber(transcriber) logger.InfoCF("voice", "Transcription enabled (agent-level)", map[string]any{"provider": transcriber.Name()}) } - enabledChannels := services.ChannelManager.GetEnabledChannels() + enabledChannels := runningServices.ChannelManager.GetEnabledChannels() if len(enabledChannels) > 0 { fmt.Printf("✓ Channels enabled: %s\n", enabledChannels) } else { fmt.Println("⚠ Warning: No channels enabled") } - // Setup shared HTTP server with health endpoints and webhook handlers addr := fmt.Sprintf("%s:%d", cfg.Gateway.Host, cfg.Gateway.Port) - services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) - services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) + runningServices.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) + runningServices.ChannelManager.SetupHTTPServer(addr, runningServices.HealthServer) - if err = services.ChannelManager.StartAll(context.Background()); err != nil { + if err = runningServices.ChannelManager.StartAll(context.Background()); err != nil { return nil, fmt.Errorf("error starting channels: %w", err) } fmt.Printf("✓ Health endpoints available at http://%s:%d/health and /ready\n", cfg.Gateway.Host, cfg.Gateway.Port) - // Setup state manager and device service stateManager := state.NewManager(cfg.WorkspacePath()) - services.DeviceService = devices.NewService(devices.Config{ + runningServices.DeviceService = devices.NewService(devices.Config{ Enabled: cfg.Devices.Enabled, MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) - services.DeviceService.SetBus(msgBus) - if err = services.DeviceService.Start(context.Background()); err != nil { + runningServices.DeviceService.SetBus(msgBus) + if err = runningServices.DeviceService.Start(context.Background()); err != nil { logger.ErrorCF("device", "Error starting device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println("✓ Device event service started") } - return services, nil + return runningServices, nil } -// stopAndCleanupServices stops all services and cleans up resources -func stopAndCleanupServices( - services *gatewayServices, - shutdownTimeout time.Duration, -) { +func stopAndCleanupServices(runningServices *services, shutdownTimeout time.Duration) { shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), shutdownTimeout) defer shutdownCancel() - if services.ChannelManager != nil { - services.ChannelManager.StopAll(shutdownCtx) + if runningServices.ChannelManager != nil { + runningServices.ChannelManager.StopAll(shutdownCtx) } - if services.DeviceService != nil { - services.DeviceService.Stop() + if runningServices.DeviceService != nil { + runningServices.DeviceService.Stop() } - if services.HeartbeatService != nil { - services.HeartbeatService.Stop() + if runningServices.HeartbeatService != nil { + runningServices.HeartbeatService.Stop() } - if services.CronService != nil { - services.CronService.Stop() + if runningServices.CronService != nil { + runningServices.CronService.Stop() } - if services.MediaStore != nil { - // Stop the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if runningServices.MediaStore != nil { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Stop() } } } -// shutdownGateway performs a complete gateway shutdown func shutdownGateway( - services *gatewayServices, + runningServices *services, agentLoop *agent.AgentLoop, provider providers.LLMProvider, fullShutdown bool, @@ -284,7 +295,7 @@ func shutdownGateway( cp.Close() } - stopAndCleanupServices(services, gracefulShutdownTimeout) + stopAndCleanupServices(runningServices, gracefulShutdownTimeout) agentLoop.Stop() agentLoop.Close() @@ -292,15 +303,14 @@ func shutdownGateway( logger.Info("✓ Gateway stopped") } -// handleConfigReload handles config file reload by stopping all services, -// reloading the provider and config, and restarting services with the new config. func handleConfigReload( ctx context.Context, al *agent.AgentLoop, newCfg *config.Config, providerRef *providers.LLMProvider, - services *gatewayServices, + runningServices *services, msgBus *bus.MessageBus, + allowEmptyStartup bool, ) error { logger.Info("🔄 Config file changed, reloading...") @@ -311,18 +321,14 @@ func handleConfigReload( logger.Infof(" New model is '%s', recreating provider...", newModel) - // Stop all services before reloading logger.Info(" Stopping all services...") - stopAndCleanupServices(services, serviceShutdownTimeout) + stopAndCleanupServices(runningServices, serviceShutdownTimeout) - // Create new provider from updated config first to ensure validity - // This will use the correct API key and settings from newCfg.ModelList - newProvider, newModelID, err := providers.CreateProvider(newCfg) + newProvider, newModelID, err := createStartupProvider(newCfg, allowEmptyStartup) if err != nil { logger.Errorf(" ⚠ Error creating new provider: %v", err) logger.Warn(" Attempting to restart services with old provider and config...") - // Try to restart services with old configuration - if restartErr := restartServices(al, services, msgBus); restartErr != nil { + if restartErr := restartServices(al, runningServices, msgBus); restartErr != nil { logger.Errorf(" ⚠ Failed to restart services: %v", restartErr) } return fmt.Errorf("error creating new provider: %w", err) @@ -332,31 +338,25 @@ func handleConfigReload( newCfg.Agents.Defaults.ModelName = newModelID } - // Use the atomic reload method on AgentLoop to safely swap provider and config. - // This handles locking internally to prevent races with in-flight LLM calls - // and concurrent reads of registry/config while the swap occurs. reloadCtx, reloadCancel := context.WithTimeout(context.Background(), providerReloadTimeout) defer reloadCancel() if err := al.ReloadProviderAndConfig(reloadCtx, newProvider, newCfg); err != nil { logger.Errorf(" ⚠ Error reloading agent loop: %v", err) - // Close the newly created provider since it wasn't adopted if cp, ok := newProvider.(providers.StatefulProvider); ok { cp.Close() } logger.Warn(" Attempting to restart services with old provider and config...") - if restartErr := restartServices(al, services, msgBus); restartErr != nil { + if restartErr := restartServices(al, runningServices, msgBus); restartErr != nil { logger.Errorf(" ⚠ Failed to restart services: %v", restartErr) } return fmt.Errorf("error reloading agent loop: %w", err) } - // Update local provider reference only after successful atomic reload *providerRef = newProvider - // Restart all services with new config logger.Info(" Restarting all services with new configuration...") - if err := restartServices(al, services, msgBus); err != nil { + if err := restartServices(al, runningServices, msgBus); err != nil { logger.Errorf(" ⚠ Error restarting services: %v", err) return fmt.Errorf("error restarting services: %w", err) } @@ -365,19 +365,16 @@ func handleConfigReload( return nil } -// restartServices restarts all services after a config reload func restartServices( al *agent.AgentLoop, - services *gatewayServices, + runningServices *services, msgBus *bus.MessageBus, ) error { - // Get current config from agent loop (which has been updated if this is a reload) cfg := al.GetConfig() - // Re-create and start cron service with new config execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute var err error - services.CronService, err = setupCronTool( + runningServices.CronService, err = setupCronTool( al, msgBus, cfg.WorkspacePath(), @@ -388,57 +385,51 @@ func restartServices( if err != nil { return fmt.Errorf("error restarting cron service: %w", err) } - if err = services.CronService.Start(); err != nil { + if err = runningServices.CronService.Start(); err != nil { return fmt.Errorf("error restarting cron service: %w", err) } fmt.Println(" ✓ Cron service restarted") - // Re-create and start heartbeat service with new config - services.HeartbeatService = heartbeat.NewHeartbeatService( + runningServices.HeartbeatService = heartbeat.NewHeartbeatService( cfg.WorkspacePath(), cfg.Heartbeat.Interval, cfg.Heartbeat.Enabled, ) - services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(createHeartbeatHandler(al)) - if err = services.HeartbeatService.Start(); err != nil { + runningServices.HeartbeatService.SetBus(msgBus) + runningServices.HeartbeatService.SetHandler(createHeartbeatHandler(al)) + if err = runningServices.HeartbeatService.Start(); err != nil { return fmt.Errorf("error restarting heartbeat service: %w", err) } fmt.Println(" ✓ Heartbeat service restarted") - // Re-create media store with new config - services.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ + runningServices.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ Enabled: cfg.Tools.MediaCleanup.Enabled, MaxAge: time.Duration(cfg.Tools.MediaCleanup.MaxAge) * time.Minute, Interval: time.Duration(cfg.Tools.MediaCleanup.Interval) * time.Minute, }) - // Start the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Start() } - al.SetMediaStore(services.MediaStore) + al.SetMediaStore(runningServices.MediaStore) - // Re-create channel manager with new config - services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) + runningServices.ChannelManager, err = channels.NewManager(cfg, msgBus, runningServices.MediaStore) if err != nil { return fmt.Errorf("error recreating channel manager: %w", err) } - al.SetChannelManager(services.ChannelManager) + al.SetChannelManager(runningServices.ChannelManager) - enabledChannels := services.ChannelManager.GetEnabledChannels() + enabledChannels := runningServices.ChannelManager.GetEnabledChannels() if len(enabledChannels) > 0 { fmt.Printf(" ✓ Channels enabled: %s\n", enabledChannels) } else { fmt.Println(" ⚠ Warning: No channels enabled") } - // Setup HTTP server with new config addr := fmt.Sprintf("%s:%d", cfg.Gateway.Host, cfg.Gateway.Port) - services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) - services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) + runningServices.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) + runningServices.ChannelManager.SetupHTTPServer(addr, runningServices.HealthServer) - // Use background context for lifecycle to ensure services persist after restartServices returns - if err = services.ChannelManager.StartAll(context.Background()); err != nil { + if err = runningServices.ChannelManager.StartAll(context.Background()); err != nil { return fmt.Errorf("error restarting channels: %w", err) } fmt.Printf( @@ -447,22 +438,20 @@ func restartServices( cfg.Gateway.Port, ) - // Re-create device service with new config stateManager := state.NewManager(cfg.WorkspacePath()) - services.DeviceService = devices.NewService(devices.Config{ + runningServices.DeviceService = devices.NewService(devices.Config{ Enabled: cfg.Devices.Enabled, MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) - services.DeviceService.SetBus(msgBus) - if err := services.DeviceService.Start(context.Background()); err != nil { + runningServices.DeviceService.SetBus(msgBus) + if err := runningServices.DeviceService.Start(context.Background()); err != nil { logger.WarnCF("device", "Failed to restart device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println(" ✓ Device event service restarted") } - // Wire up voice transcription with new config transcriber := voice.DetectTranscriber(cfg) - al.SetTranscriber(transcriber) // This will set it to nil if disabled + al.SetTranscriber(transcriber) if transcriber != nil { logger.InfoCF("voice", "Transcription re-enabled (agent-level)", map[string]any{"provider": transcriber.Name()}) } else { @@ -472,8 +461,6 @@ func restartServices( return nil } -// setupConfigWatcherPolling sets up a simple polling-based config file watcher -// Returns a channel for config updates and a stop function func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Config, func()) { configChan := make(chan *config.Config, 1) stop := make(chan struct{}) @@ -483,11 +470,10 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf go func() { defer wg.Done() - // Get initial file info lastModTime := getFileModTime(configPath) lastSize := getFileSize(configPath) - ticker := time.NewTicker(2 * time.Second) // Check every 2 seconds + ticker := time.NewTicker(2 * time.Second) defer ticker.Stop() for { @@ -496,20 +482,16 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf currentModTime := getFileModTime(configPath) currentSize := getFileSize(configPath) - // Check if file changed (modification time or size changed) if currentModTime.After(lastModTime) || currentSize != lastSize { if debug { logger.Debugf("🔍 Config file change detected") } - // Debounce - wait a bit to ensure file write is complete time.Sleep(500 * time.Millisecond) - // Update last known state to prevent repeated reload attempts on failure lastModTime = currentModTime lastSize = currentSize - // Validate and load new config newCfg, err := config.LoadConfig(configPath) if err != nil { logger.Errorf("⚠ Error loading new config: %v", err) @@ -517,7 +499,6 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf continue } - // Validate the new config if err := newCfg.ValidateModelList(); err != nil { logger.Errorf(" ⚠ New config validation failed: %v", err) logger.Warn(" Using previous valid config") @@ -526,15 +507,12 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf logger.Info("✓ Config file validated and loaded") - // Send new config to main loop (non-blocking) select { case configChan <- newCfg: default: - // Channel full, skip this update logger.Warn("⚠ Previous config reload still in progress, skipping") } } - case <-stop: return } @@ -549,7 +527,6 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf return configChan, stopFunc } -// getFileModTime returns the modification time of a file, or zero time if file doesn't exist func getFileModTime(path string) time.Time { info, err := os.Stat(path) if err != nil { @@ -558,7 +535,6 @@ func getFileModTime(path string) time.Time { return info.ModTime() } -// getFileSize returns the size of a file, or 0 if file doesn't exist func getFileSize(path string) int64 { info, err := os.Stat(path) if err != nil { @@ -577,10 +553,8 @@ func setupCronTool( ) (*cron.CronService, error) { cronStorePath := filepath.Join(workspace, "cron", "jobs.json") - // Create cron service cronService := cron.NewCronService(cronStorePath, nil) - // Create and register CronTool if enabled var cronTool *tools.CronTool if cfg.Tools.IsToolEnabled("cron") { var err error @@ -592,7 +566,6 @@ func setupCronTool( agentLoop.RegisterTool(cronTool) } - // Set onJob handler if cronTool != nil { cronService.SetOnJob(func(job *cron.CronJob) (string, error) { result := cronTool.ExecuteJob(context.Background(), job) @@ -605,22 +578,17 @@ func setupCronTool( func createHeartbeatHandler(agentLoop *agent.AgentLoop) func(prompt, channel, chatID string) *tools.ToolResult { return func(prompt, channel, chatID string) *tools.ToolResult { - // Use cli:direct as fallback if no valid channel if channel == "" || chatID == "" { channel, chatID = "cli", "direct" } - // Use ProcessHeartbeat - no session history, each heartbeat is independent - var response string - var err error - response, err = agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) + + response, err := agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) if err != nil { return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) } if response == "HEARTBEAT_OK" { return tools.SilentResult("Heartbeat OK") } - // For heartbeat, always return silent - the subagent result will be - // sent to user via processSystemMessage when the async task completes return tools.SilentResult(response) } } diff --git a/web/backend/api/events.go b/web/backend/api/events.go deleted file mode 100644 index 5c85b149a..000000000 --- a/web/backend/api/events.go +++ /dev/null @@ -1,80 +0,0 @@ -package api - -import ( - "encoding/json" - "sync" -) - -// GatewayEvent represents a state change event for the gateway process. -type GatewayEvent struct { - Status string `json:"gateway_status"` // "running", "starting", "restarting", "stopped", "error" - PID int `json:"pid,omitempty"` - BootDefaultModel string `json:"boot_default_model,omitempty"` - ConfigDefaultModel string `json:"config_default_model,omitempty"` - RestartRequired bool `json:"gateway_restart_required,omitempty"` -} - -// EventBroadcaster manages SSE client subscriptions and broadcasts events. -type EventBroadcaster struct { - mu sync.RWMutex - clients map[chan string]struct{} -} - -// NewEventBroadcaster creates a new broadcaster. -func NewEventBroadcaster() *EventBroadcaster { - return &EventBroadcaster{ - clients: make(map[chan string]struct{}), - } -} - -// Subscribe adds a new listener channel and returns it. -// The caller must call Unsubscribe when done. -func (b *EventBroadcaster) Subscribe() chan string { - ch := make(chan string, 8) - b.mu.Lock() - b.clients[ch] = struct{}{} - b.mu.Unlock() - return ch -} - -// Unsubscribe removes a listener channel and closes it. -func (b *EventBroadcaster) Unsubscribe(ch chan string) { - b.mu.Lock() - defer b.mu.Unlock() - - // Check if the channel is still registered before closing - if _, exists := b.clients[ch]; exists { - delete(b.clients, ch) - close(ch) - } -} - -// Broadcast sends a GatewayEvent to all connected SSE clients. -func (b *EventBroadcaster) Broadcast(event GatewayEvent) { - data, err := json.Marshal(event) - if err != nil { - return - } - - b.mu.RLock() - defer b.mu.RUnlock() - - for ch := range b.clients { - // Non-blocking send; drop event if client is slow - select { - case ch <- string(data): - default: - } - } -} - -// Shutdown closes all subscriber channels, notifying all SSE clients to disconnect. -// This should be called when the server is shutting down. -func (b *EventBroadcaster) Shutdown() { - // Close all channels to notify listeners - for ch := range b.clients { - b.Unsubscribe(ch) - } - // Clear the map - b.clients = make(map[chan string]struct{}) -} diff --git a/web/backend/api/gateway.go b/web/backend/api/gateway.go index 424b21e96..16b793427 100644 --- a/web/backend/api/gateway.go +++ b/web/backend/api/gateway.go @@ -7,6 +7,7 @@ import ( "fmt" "io" "log" + "net" "net/http" "os" "os/exec" @@ -30,11 +31,9 @@ var gateway = struct { runtimeStatus string startupDeadline time.Time logs *LogBuffer - events *EventBroadcaster }{ runtimeStatus: "stopped", logs: NewLogBuffer(200), - events: NewEventBroadcaster(), } var ( @@ -51,11 +50,19 @@ var gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, // getGatewayHealth checks the gateway health endpoint and returns the status response // Returns (*health.StatusResponse, statusCode, error). If error is not nil, the other values are not valid. -func getGatewayHealth(port int, timeout time.Duration) (*health.StatusResponse, int, error) { - if port == 0 { - port = 18790 +func (h *Handler) getGatewayHealth(cfg *config.Config, timeout time.Duration) (*health.StatusResponse, int, error) { + port := 18790 + if cfg != nil && cfg.Gateway.Port != 0 { + port = cfg.Gateway.Port } - url := fmt.Sprintf("http://127.0.0.1:%d/health", port) + + probeHost := gatewayProbeHost(h.effectiveGatewayBindHost(cfg)) + url := "http://" + net.JoinHostPort(probeHost, strconv.Itoa(port)) + "/health" + + return getGatewayHealthByURL(url, timeout) +} + +func getGatewayHealthByURL(url string, timeout time.Duration) (*health.StatusResponse, int, error) { resp, err := gatewayHealthGet(url, timeout) if err != nil { return nil, 0, err @@ -73,7 +80,6 @@ func getGatewayHealth(port int, timeout time.Duration) (*health.StatusResponse, // registerGatewayRoutes binds gateway lifecycle endpoints to the ServeMux. func (h *Handler) registerGatewayRoutes(mux *http.ServeMux) { mux.HandleFunc("GET /api/gateway/status", h.handleGatewayStatus) - mux.HandleFunc("GET /api/gateway/events", h.handleGatewayEvents) mux.HandleFunc("GET /api/gateway/logs", h.handleGatewayLogs) mux.HandleFunc("POST /api/gateway/logs/clear", h.handleGatewayClearLogs) mux.HandleFunc("POST /api/gateway/start", h.handleGatewayStart) @@ -87,7 +93,7 @@ func (h *Handler) TryAutoStartGateway() { // Check if gateway is already running via health endpoint cfg, cfgErr := config.LoadConfig(h.configPath) if cfgErr == nil && cfg != nil { - healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 2*time.Second) if err == nil && statusCode == http.StatusOK { // Gateway is already running, attach to the existing process pid := healthResp.Pid @@ -170,6 +176,16 @@ func lookupModelConfig(cfg *config.Config, modelName string) *config.ModelConfig return modelCfg } +func gatewayRestartRequired(configDefaultModel, bootDefaultModel, gatewayStatus string) bool { + if gatewayStatus != "running" { + return false + } + if strings.TrimSpace(configDefaultModel) == "" || strings.TrimSpace(bootDefaultModel) == "" { + return false + } + return configDefaultModel != bootDefaultModel +} + func isCmdProcessAliveLocked(cmd *exec.Cmd) bool { if cmd == nil || cmd.Process == nil { return false @@ -220,7 +236,7 @@ func attachToGatewayProcessLocked(pid int, cfg *config.Config) error { return nil } -func gatewayStatusOnHealthFailureLocked() string { +func gatewayStatusWithoutHealthLocked() string { if gateway.runtimeStatus == "starting" || gateway.runtimeStatus == "restarting" { if gateway.startupDeadline.IsZero() || time.Now().Before(gateway.startupDeadline) { return gateway.runtimeStatus @@ -233,23 +249,7 @@ func gatewayStatusOnHealthFailureLocked() string { if gateway.runtimeStatus == "error" { return "error" } - return "error" -} - -func currentGatewayStatusLocked(processAlive bool) string { - if !processAlive { - if gateway.runtimeStatus == "restarting" { - if gateway.startupDeadline.IsZero() || time.Now().Before(gateway.startupDeadline) { - return "restarting" - } - return "error" - } - if gateway.runtimeStatus == "error" { - return "error" - } - return "stopped" - } - return gatewayStatusOnHealthFailureLocked() + return "stopped" } func waitForGatewayProcessExit(cmd *exec.Cmd, timeout time.Duration) bool { @@ -319,15 +319,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int return 0, err } - // Broadcast the attached state - gateway.events.Broadcast(GatewayEvent{ - Status: initialStatus, - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) - return pid, nil } @@ -335,7 +326,7 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int // Locate the picoclaw executable execPath := utils.FindPicoclawBinary() - cmd = exec.Command(execPath, "gateway") + cmd = exec.Command(execPath, "gateway", "-E") cmd.Env = os.Environ() // Forward the launcher's config path via the environment variable that // GetConfigPath() already reads, so the gateway sub-process uses the same @@ -376,15 +367,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int pid = cmd.Process.Pid log.Printf("Started picoclaw gateway (PID: %d) from %s", pid, execPath) - // Broadcast the launch state immediately so clients can reflect it without polling. - gateway.events.Broadcast(GatewayEvent{ - Status: initialStatus, - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) - // Capture stdout/stderr in background go scanPipe(stdoutPipe, gateway.logs) go scanPipe(stderrPipe, gateway.logs) @@ -398,26 +380,17 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int } gateway.mu.Lock() - shouldBroadcastStopped := false if gateway.cmd == cmd { gateway.cmd = nil gateway.bootDefaultModel = "" if gateway.runtimeStatus != "restarting" { setGatewayRuntimeStatusLocked("stopped") - shouldBroadcastStopped = true } } gateway.mu.Unlock() - - if shouldBroadcastStopped { - gateway.events.Broadcast(GatewayEvent{ - Status: "stopped", - RestartRequired: false, - }) - } }() - // Start a goroutine to probe health and broadcast "running" once ready + // Start a goroutine to probe health and update the runtime state once ready. go func() { for i := 0; i < 30; i++ { // try for up to 15 seconds time.Sleep(500 * time.Millisecond) @@ -431,7 +404,7 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int if err != nil { continue } - healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 1*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 1*time.Second) if err == nil && statusCode == http.StatusOK && healthResp.Pid == pid { // Verify the health endpoint returns the expected pid gateway.mu.Lock() @@ -439,13 +412,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int setGatewayRuntimeStatusLocked("running") } gateway.mu.Unlock() - gateway.events.Broadcast(GatewayEvent{ - Status: "running", - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) return } } @@ -461,7 +427,7 @@ func (h *Handler) handleGatewayStart(w http.ResponseWriter, r *http.Request) { // Prevent duplicate starts by checking health endpoint cfg, cfgErr := config.LoadConfig(h.configPath) if cfgErr == nil && cfg != nil { - healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 2*time.Second) if err == nil && statusCode == http.StatusOK { // Gateway is already running, attach to the existing process pid := healthResp.Pid @@ -597,10 +563,6 @@ func (h *Handler) RestartGateway() (int, error) { gateway.mu.Lock() previousCmd := gateway.cmd setGatewayRuntimeStatusLocked("restarting") - gateway.events.Broadcast(GatewayEvent{ - Status: "restarting", - RestartRequired: false, - }) gateway.mu.Unlock() if err = stopGatewayProcessForRestart(previousCmd); err != nil { @@ -704,24 +666,20 @@ func (h *Handler) handleGatewayStatus(w http.ResponseWriter, r *http.Request) { func (h *Handler) gatewayStatusData() map[string]any { data := map[string]any{} + configDefaultModel := "" cfg, cfgErr := config.LoadConfig(h.configPath) if cfgErr == nil && cfg != nil { - configDefaultModel := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + configDefaultModel = strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) if configDefaultModel != "" { data["config_default_model"] = configDefaultModel } } // Probe health endpoint to get pid and status - port := 0 - if cfgErr == nil && cfg != nil { - port = cfg.Gateway.Port - } - - healthResp, statusCode, err := getGatewayHealth(port, 2*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 2*time.Second) if err != nil { gateway.mu.Lock() - data["gateway_status"] = currentGatewayStatusLocked(true) + data["gateway_status"] = gatewayStatusWithoutHealthLocked() gateway.mu.Unlock() log.Printf("Gateway health check failed: %v", err) } else { @@ -734,45 +692,43 @@ func (h *Handler) gatewayStatusData() map[string]any { data["status_code"] = statusCode } else { gateway.mu.Lock() - // Check if this pid matches our tracked process - if gateway.cmd != nil && gateway.cmd.Process != nil && gateway.cmd.Process.Pid == healthResp.Pid { - setGatewayRuntimeStatusLocked("running") - bootDefaultModel := gateway.bootDefaultModel - if bootDefaultModel != "" { - data["boot_default_model"] = bootDefaultModel - } - data["gateway_status"] = "running" - data["pid"] = healthResp.Pid - } else { - // Health endpoint responded with a different pid - // This could be a manual restart, try to attach to the new process + setGatewayRuntimeStatusLocked("running") + if gateway.cmd == nil || gateway.cmd.Process == nil || gateway.cmd.Process.Pid != healthResp.Pid { oldPid := "none" if gateway.cmd != nil && gateway.cmd.Process != nil { oldPid = fmt.Sprintf("%d", gateway.cmd.Process.Pid) } - log.Printf("Detected new gateway PID (old: %s, new: %d), attempting to attach", oldPid, healthResp.Pid) - + log.Printf( + "Detected gateway PID from health (old: %s, new: %d), attempting to attach", + oldPid, + healthResp.Pid, + ) if err := attachToGatewayProcessLocked(healthResp.Pid, cfg); err != nil { - // Failed to find the process, treat as error - setGatewayRuntimeStatusLocked("error") - data["gateway_status"] = "error" - data["pid"] = healthResp.Pid - log.Printf("Failed to attach to new gateway process (PID: %d): %v", healthResp.Pid, err) - } else { - // Successfully attached, update response data - bootDefaultModel := gateway.bootDefaultModel - if bootDefaultModel != "" { - data["boot_default_model"] = bootDefaultModel - } - data["gateway_status"] = "running" - data["pid"] = healthResp.Pid + log.Printf( + "Failed to attach to gateway process reported by health (PID: %d): %v", + healthResp.Pid, + err, + ) } } + + bootDefaultModel := gateway.bootDefaultModel + if bootDefaultModel != "" { + data["boot_default_model"] = bootDefaultModel + } + data["gateway_status"] = "running" + data["pid"] = healthResp.Pid gateway.mu.Unlock() } } - data["gateway_restart_required"] = false + bootDefaultModel, _ := data["boot_default_model"].(string) + gatewayStatus, _ := data["gateway_status"].(string) + data["gateway_restart_required"] = gatewayRestartRequired( + configDefaultModel, + bootDefaultModel, + gatewayStatus, + ) ready, reason, readyErr := h.gatewayStartReady() if readyErr != nil { @@ -842,51 +798,6 @@ func gatewayLogsData(r *http.Request) map[string]any { return data } -// handleGatewayEvents serves an SSE stream of gateway state change events. -// -// GET /api/gateway/events -func (h *Handler) handleGatewayEvents(w http.ResponseWriter, r *http.Request) { - flusher, ok := w.(http.Flusher) - if !ok { - http.Error(w, "SSE not supported", http.StatusInternalServerError) - return - } - - w.Header().Set("Content-Type", "text/event-stream") - w.Header().Set("Cache-Control", "no-cache") - w.Header().Set("Connection", "keep-alive") - w.Header().Set("Access-Control-Allow-Origin", "*") - - // Subscribe to gateway events - ch := gateway.events.Subscribe() - defer gateway.events.Unsubscribe(ch) - - // Send initial status so the client doesn't start blank - initial := h.currentGatewayStatus() - fmt.Fprintf(w, "data: %s\n\n", initial) - flusher.Flush() - - for { - select { - case <-r.Context().Done(): - return - case data, ok := <-ch: - if !ok { - return - } - fmt.Fprintf(w, "data: %s\n\n", data) - flusher.Flush() - } - } -} - -// currentGatewayStatus returns the current gateway status as a JSON string. -func (h *Handler) currentGatewayStatus() string { - data := h.gatewayStatusData() - encoded, _ := json.Marshal(data) - return string(encoded) -} - // scanPipe reads lines from r and appends them to buf. Returns when r reaches EOF. func scanPipe(r io.Reader, buf *LogBuffer) { scanner := bufio.NewScanner(r) diff --git a/web/backend/api/gateway_host.go b/web/backend/api/gateway_host.go index 8dde29b76..592571a28 100644 --- a/web/backend/api/gateway_host.go +++ b/web/backend/api/gateway_host.go @@ -3,6 +3,7 @@ package api import ( "net" "net/http" + "net/url" "strconv" "strings" @@ -46,6 +47,23 @@ func gatewayProbeHost(bindHost string) string { return bindHost } +func (h *Handler) gatewayProxyURL() *url.URL { + cfg, err := config.LoadConfig(h.configPath) + port := 18790 + bindHost := "" + if err == nil && cfg != nil { + if cfg.Gateway.Port != 0 { + port = cfg.Gateway.Port + } + bindHost = h.effectiveGatewayBindHost(cfg) + } + + return &url.URL{ + Scheme: "http", + Host: net.JoinHostPort(gatewayProbeHost(bindHost), strconv.Itoa(port)), + } +} + func requestHostName(r *http.Request) string { reqHost, _, err := net.SplitHostPort(r.Host) if err == nil { diff --git a/web/backend/api/gateway_host_test.go b/web/backend/api/gateway_host_test.go index 3fffeb893..ae3434862 100644 --- a/web/backend/api/gateway_host_test.go +++ b/web/backend/api/gateway_host_test.go @@ -2,9 +2,12 @@ package api import ( "crypto/tls" + "errors" + "net/http" "net/http/httptest" "path/filepath" "testing" + "time" "github.com/sipeed/picoclaw/pkg/config" "github.com/sipeed/picoclaw/web/backend/launcherconfig" @@ -59,6 +62,79 @@ func TestGatewayProbeHostUsesLoopbackForWildcardBind(t *testing.T) { } } +func TestGatewayProxyURLUsesConfiguredHost(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "192.168.1.10" + cfg.Gateway.Port = 18791 + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + if got := h.gatewayProxyURL().String(); got != "http://192.168.1.10:18791" { + t.Fatalf("gatewayProxyURL() = %q, want %q", got, "http://192.168.1.10:18791") + } +} + +func TestGetGatewayHealthUsesConfiguredHost(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "192.168.1.10" + cfg.Gateway.Port = 18791 + + originalHealthGet := gatewayHealthGet + t.Cleanup(func() { + gatewayHealthGet = originalHealthGet + }) + + var requestedURL string + gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, error) { + requestedURL = url + return nil, errors.New("probe failed") + } + + _, statusCode, err := h.getGatewayHealth(cfg, time.Second) + _ = statusCode + _ = err + + if requestedURL != "http://192.168.1.10:18791/health" { + t.Fatalf("health url = %q, want %q", requestedURL, "http://192.168.1.10:18791/health") + } +} + +func TestGetGatewayHealthUsesProbeHostForPublicLauncher(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + h.SetServerOptions(18800, true, true, nil) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "127.0.0.1" + cfg.Gateway.Port = 18791 + + originalHealthGet := gatewayHealthGet + t.Cleanup(func() { + gatewayHealthGet = originalHealthGet + }) + + var requestedURL string + gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, error) { + requestedURL = url + return nil, errors.New("probe failed") + } + + _, statusCode, err := h.getGatewayHealth(cfg, time.Second) + _ = statusCode + _ = err + + if requestedURL != "http://127.0.0.1:18791/health" { + t.Fatalf("health url = %q, want %q", requestedURL, "http://127.0.0.1:18791/health") + } +} + func TestBuildWsURLUsesWSSWhenForwardedProtoIsHTTPS(t *testing.T) { configPath := filepath.Join(t.TempDir(), "config.json") h := NewHandler(configPath) diff --git a/web/backend/api/gateway_test.go b/web/backend/api/gateway_test.go index fb4f7d943..5c94f0b89 100644 --- a/web/backend/api/gateway_test.go +++ b/web/backend/api/gateway_test.go @@ -3,6 +3,7 @@ package api import ( "encoding/json" "errors" + "io" "net/http" "net/http/httptest" "os" @@ -36,6 +37,15 @@ func startLongRunningProcess(t *testing.T) *exec.Cmd { return cmd } +func mockGatewayHealthResponse(statusCode, pid int) *http.Response { + return &http.Response{ + StatusCode: statusCode, + Body: io.NopCloser(strings.NewReader( + `{"status":"ok","uptime":"1s","pid":` + strconv.Itoa(pid) + `}`, + )), + } +} + func startIgnoringTermProcess(t *testing.T) *exec.Cmd { t.Helper() @@ -419,6 +429,125 @@ func TestGatewayStatusKeepsRunningWhenHealthProbeFailsAfterRunning(t *testing.T) } } +func TestGatewayStatusReportsRunningFromHealthProbe(t *testing.T) { + resetGatewayTestState(t) + + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + cmd := startLongRunningProcess(t) + t.Cleanup(func() { + if cmd.Process != nil { + _ = cmd.Process.Kill() + } + _ = cmd.Wait() + }) + + gateway.mu.Lock() + setGatewayRuntimeStatusLocked("stopped") + gateway.mu.Unlock() + + gatewayHealthGet = func(string, time.Duration) (*http.Response, error) { + return mockGatewayHealthResponse(http.StatusOK, cmd.Process.Pid), nil + } + + rec := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/gateway/status", nil) + mux.ServeHTTP(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + var body map[string]any + if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil { + t.Fatalf("unmarshal response: %v", err) + } + + if got := body["gateway_status"]; got != "running" { + t.Fatalf("gateway_status = %#v, want %q", got, "running") + } + if got := body["pid"]; got != float64(cmd.Process.Pid) { + t.Fatalf("pid = %#v, want %d", got, cmd.Process.Pid) + } + if got := body["gateway_restart_required"]; got != false { + t.Fatalf("gateway_restart_required = %#v, want false", got) + } +} + +func TestGatewayStatusRequiresRestartAfterDefaultModelChange(t *testing.T) { + resetGatewayTestState(t) + + configPath := filepath.Join(t.TempDir(), "config.json") + cfg := config.DefaultConfig() + cfg.Agents.Defaults.ModelName = cfg.ModelList[0].ModelName + cfg.ModelList[0].APIKey = "test-key" + cfg.ModelList = append(cfg.ModelList, config.ModelConfig{ + ModelName: "second-model", + Model: "openai/gpt-4.1", + APIKey: "second-key", + }) + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + process, err := os.FindProcess(os.Getpid()) + if err != nil { + t.Fatalf("FindProcess() error = %v", err) + } + + gateway.mu.Lock() + gateway.cmd = &exec.Cmd{Process: process} + gateway.bootDefaultModel = cfg.ModelList[0].ModelName + setGatewayRuntimeStatusLocked("running") + gateway.mu.Unlock() + + updatedCfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + updatedCfg.Agents.Defaults.ModelName = "second-model" + if err := config.SaveConfig(configPath, updatedCfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + gatewayHealthGet = func(string, time.Duration) (*http.Response, error) { + return mockGatewayHealthResponse(http.StatusOK, os.Getpid()), nil + } + + rec := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/gateway/status", nil) + mux.ServeHTTP(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + var body map[string]any + if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil { + t.Fatalf("unmarshal response: %v", err) + } + + if got := body["gateway_status"]; got != "running" { + t.Fatalf("gateway_status = %#v, want %q", got, "running") + } + if got := body["boot_default_model"]; got != cfg.ModelList[0].ModelName { + t.Fatalf("boot_default_model = %#v, want %q", got, cfg.ModelList[0].ModelName) + } + if got := body["config_default_model"]; got != "second-model" { + t.Fatalf("config_default_model = %#v, want %q", got, "second-model") + } + if got := body["gateway_restart_required"]; got != true { + t.Fatalf("gateway_restart_required = %#v, want true", got) + } +} + func TestGatewayStatusReturnsErrorAfterStartupWindowExpires(t *testing.T) { resetGatewayTestState(t) diff --git a/web/backend/api/pico.go b/web/backend/api/pico.go index d11f7bc5e..a880f2f0c 100644 --- a/web/backend/api/pico.go +++ b/web/backend/api/pico.go @@ -7,7 +7,6 @@ import ( "fmt" "net/http" "net/http/httputil" - "net/url" "time" "github.com/sipeed/picoclaw/pkg/config" @@ -22,20 +21,13 @@ func (h *Handler) registerPicoRoutes(mux *http.ServeMux) { // WebSocket proxy: forward /pico/ws to gateway // This allows the frontend to connect via the same port as the web UI, // avoiding the need to expose extra ports for WebSocket communication. - wsProxy := h.createWsProxy() - mux.HandleFunc("GET /pico/ws", h.handleWebSocketProxy(wsProxy)) + mux.HandleFunc("GET /pico/ws", h.handleWebSocketProxy()) } -// createWsProxy creates a reverse proxy to the gateway WebSocket endpoint. -// The gateway port is read from the configuration. +// createWsProxy creates a reverse proxy to the current gateway WebSocket endpoint. +// The gateway bind host and port are resolved from the latest configuration. func (h *Handler) createWsProxy() *httputil.ReverseProxy { - cfg, err := config.LoadConfig(h.configPath) - gatewayPort := 18790 // default - if err == nil && cfg.Gateway.Port != 0 { - gatewayPort = cfg.Gateway.Port - } - gatewayURL, _ := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", gatewayPort)) - wsProxy := httputil.NewSingleHostReverseProxy(gatewayURL) + wsProxy := httputil.NewSingleHostReverseProxy(h.gatewayProxyURL()) wsProxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) { http.Error(w, "Gateway unavailable: "+err.Error(), http.StatusBadGateway) } @@ -43,12 +35,10 @@ func (h *Handler) createWsProxy() *httputil.ReverseProxy { } // handleWebSocketProxy wraps a reverse proxy to handle WebSocket connections. -// It ensures the Connection and Upgrade headers are properly forwarded. -func (h *Handler) handleWebSocketProxy(proxy *httputil.ReverseProxy) http.HandlerFunc { +// The reverse proxy forwards the incoming upgrade handshake as-is. +func (h *Handler) handleWebSocketProxy() http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { - // Set headers for WebSocket upgrade - r.Header.Set("Connection", "upgrade") - r.Header.Set("Upgrade", "websocket") + proxy := h.createWsProxy() proxy.ServeHTTP(w, r) } } diff --git a/web/backend/api/pico_test.go b/web/backend/api/pico_test.go index 46149fa09..075da4ddc 100644 --- a/web/backend/api/pico_test.go +++ b/web/backend/api/pico_test.go @@ -2,9 +2,12 @@ package api import ( "encoding/json" + "io" "net/http" "net/http/httptest" + "net/url" "path/filepath" + "strconv" "testing" "github.com/sipeed/picoclaw/pkg/config" @@ -235,3 +238,77 @@ func TestHandlePicoSetup_Response(t *testing.T) { t.Error("response should have changed=true on first setup") } } + +func TestHandleWebSocketProxyReloadsGatewayTargetFromConfig(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + handler := h.handleWebSocketProxy() + + server1 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.URL.Path != "/pico/ws" { + t.Fatalf("server1 path = %q, want %q", r.URL.Path, "/pico/ws") + } + w.WriteHeader(http.StatusOK) + _, _ = io.WriteString(w, "server1") + })) + defer server1.Close() + + server2 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.URL.Path != "/pico/ws" { + t.Fatalf("server2 path = %q, want %q", r.URL.Path, "/pico/ws") + } + w.WriteHeader(http.StatusOK) + _, _ = io.WriteString(w, "server2") + })) + defer server2.Close() + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "127.0.0.1" + cfg.Gateway.Port = mustGatewayTestPort(t, server1.URL) + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + req1 := httptest.NewRequest(http.MethodGet, "/pico/ws", nil) + rec1 := httptest.NewRecorder() + handler(rec1, req1) + + if rec1.Code != http.StatusOK { + t.Fatalf("first status = %d, want %d", rec1.Code, http.StatusOK) + } + if body := rec1.Body.String(); body != "server1" { + t.Fatalf("first body = %q, want %q", body, "server1") + } + + cfg.Gateway.Port = mustGatewayTestPort(t, server2.URL) + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + req2 := httptest.NewRequest(http.MethodGet, "/pico/ws", nil) + rec2 := httptest.NewRecorder() + handler(rec2, req2) + + if rec2.Code != http.StatusOK { + t.Fatalf("second status = %d, want %d", rec2.Code, http.StatusOK) + } + if body := rec2.Body.String(); body != "server2" { + t.Fatalf("second body = %q, want %q", body, "server2") + } +} + +func mustGatewayTestPort(t *testing.T, rawURL string) int { + t.Helper() + + parsed, err := url.Parse(rawURL) + if err != nil { + t.Fatalf("url.Parse() error = %v", err) + } + + port, err := strconv.Atoi(parsed.Port()) + if err != nil { + t.Fatalf("Atoi(%q) error = %v", parsed.Port(), err) + } + + return port +} diff --git a/web/backend/api/router.go b/web/backend/api/router.go index b56438784..028a476f2 100644 --- a/web/backend/api/router.go +++ b/web/backend/api/router.go @@ -71,7 +71,4 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) { h.registerLauncherConfigRoutes(mux) } -// Shutdown gracefully shuts down the handler, closing all SSE connections. -func (h *Handler) Shutdown() { - gateway.events.Shutdown() -} +func (h *Handler) Shutdown() {} diff --git a/web/backend/middleware/middleware.go b/web/backend/middleware/middleware.go index de9e6d870..e15da577b 100644 --- a/web/backend/middleware/middleware.go +++ b/web/backend/middleware/middleware.go @@ -4,16 +4,14 @@ import ( "log" "net/http" "runtime/debug" - "strings" "time" ) // JSONContentType sets the Content-Type header to application/json for // API requests handled by the wrapped handler. -// SSE endpoints (text/event-stream) are excluded. func JSONContentType(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if strings.HasPrefix(r.URL.Path, "/api/") && !strings.HasSuffix(r.URL.Path, "/events") { + if len(r.URL.Path) >= 5 && r.URL.Path[:5] == "/api/" { w.Header().Set("Content-Type", "application/json") } next.ServeHTTP(w, r) @@ -32,7 +30,6 @@ func (rr *responseRecorder) WriteHeader(code int) { } // Flush delegates to the underlying ResponseWriter if it implements http.Flusher. -// This is required for SSE (Server-Sent Events) to work through the middleware. func (rr *responseRecorder) Flush() { if f, ok := rr.ResponseWriter.(http.Flusher); ok { f.Flush() diff --git a/web/backend/systray.go b/web/backend/systray.go index 58ce4984f..1ff98c71b 100644 --- a/web/backend/systray.go +++ b/web/backend/systray.go @@ -94,7 +94,7 @@ func onReady() { func onExit() { fmt.Println(T(Exiting)) - // First, shutdown API handler to close all SSE connections + // First, shutdown API handler if apiHandler != nil { apiHandler.Shutdown() } diff --git a/web/frontend/src/components/app-header.tsx b/web/frontend/src/components/app-header.tsx index fe0c84e69..4f0688008 100644 --- a/web/frontend/src/components/app-header.tsx +++ b/web/frontend/src/components/app-header.tsx @@ -56,14 +56,20 @@ export function AppHeader() { const isRunning = gwState === "running" const isStarting = gwState === "starting" const isRestarting = gwState === "restarting" + const isStopping = gwState === "stopping" const isStopped = gwState === "stopped" || gwState === "unknown" const showNotConnectedHint = - !isRestarting && canStart && (gwState === "stopped" || gwState === "error") + !isRestarting && + !isStopping && + canStart && + (gwState === "stopped" || gwState === "error") const [showStopDialog, setShowStopDialog] = React.useState(false) const handleGatewayToggle = () => { - if (gwLoading || isRestarting || (!isRunning && !canStart)) return + if (gwLoading || isRestarting || isStopping || (!isRunning && !canStart)) { + return + } if (isRunning) { setShowStopDialog(true) } else { @@ -137,7 +143,7 @@ export function AppHeader() { size="icon-sm" className="bg-amber-500/15 text-amber-700 hover:bg-amber-500/25 hover:text-amber-800 dark:text-amber-300 dark:hover:bg-amber-500/25" onClick={handleGatewayRestart} - disabled={gwLoading || isRestarting || !canStart} + disabled={gwLoading || isRestarting || isStopping || !canStart} aria-label={t("header.gateway.action.restart")} > @@ -168,25 +174,31 @@ export function AppHeader() { ) : ( )} diff --git a/web/frontend/src/hooks/use-gateway-logs.ts b/web/frontend/src/hooks/use-gateway-logs.ts index 15cbca4ae..1de361124 100644 --- a/web/frontend/src/hooks/use-gateway-logs.ts +++ b/web/frontend/src/hooks/use-gateway-logs.ts @@ -37,7 +37,9 @@ export function useGatewayLogs() { const fetchLogs = async () => { if ( !mounted || - !["running", "starting", "restarting"].includes(gateway.status) + !["running", "starting", "restarting", "stopping"].includes( + gateway.status, + ) ) { if (mounted) { timeout = setTimeout(fetchLogs, 1000) diff --git a/web/frontend/src/hooks/use-gateway.ts b/web/frontend/src/hooks/use-gateway.ts index 65ec2b776..b118b43da 100644 --- a/web/frontend/src/hooks/use-gateway.ts +++ b/web/frontend/src/hooks/use-gateway.ts @@ -1,83 +1,24 @@ import { useAtomValue } from "jotai" import { useCallback, useEffect, useState } from "react" +import { restartGateway, startGateway, stopGateway } from "@/api/gateway" import { - type GatewayStatusResponse, - getGatewayStatus, - restartGateway, - startGateway, - stopGateway, -} from "@/api/gateway" -import { - applyGatewayStatusToStore, + beginGatewayStoppingTransition, + cancelGatewayStoppingTransition, gatewayAtom, + refreshGatewayState, + subscribeGatewayPolling, updateGatewayStore, } from "@/store" -// Global variable to ensure we only have one SSE connection -let sseInitialized = false - export function useGateway() { const gateway = useAtomValue(gatewayAtom) const { status: state, canStart, restartRequired } = gateway const [loading, setLoading] = useState(false) - const applyGatewayStatus = useCallback((data: GatewayStatusResponse) => { - applyGatewayStatusToStore(data) - }, []) - - // Initialize global SSE connection once useEffect(() => { - if (sseInitialized) return - sseInitialized = true - - getGatewayStatus() - .then((data) => applyGatewayStatus(data)) - .catch(() => { - updateGatewayStore({ - status: "unknown", - canStart: true, - restartRequired: false, - }) - }) - - const statusPoll = window.setInterval(() => { - getGatewayStatus() - .then((data) => applyGatewayStatus(data)) - .catch(() => { - // ignore polling errors - }) - }, 5000) - - // Subscribe to SSE for real-time updates globally - const es = new EventSource("/api/gateway/events") - - es.onmessage = (event) => { - try { - const data = JSON.parse(event.data) - if ( - data.gateway_status || - typeof data.gateway_start_allowed === "boolean" - ) { - applyGatewayStatus(data) - } - } catch { - // ignore - } - } - - es.onerror = () => { - // EventSource will auto-reconnect. Preserve the last known gateway - // status so transient SSE disconnects do not suppress chat websocket - // reconnects while polling catches up. - } - - return () => { - window.clearInterval(statusPoll) - es.close() - sseInitialized = false - } - }, [applyGatewayStatus]) + return subscribeGatewayPolling() + }, []) const start = useCallback(async () => { if (!canStart) return @@ -85,33 +26,28 @@ export function useGateway() { setLoading(true) try { await startGateway() - // SSE will push the real state changes, but set optimistic state - updateGatewayStore({ status: "starting" }) - } catch (err) { - console.error("Failed to start gateway:", err) - try { - const status = await getGatewayStatus() - applyGatewayStatus(status) - } catch { - updateGatewayStore({ status: "unknown" }) - } - } finally { - setLoading(false) - } - }, [applyGatewayStatus, canStart]) - - const stop = useCallback(async () => { - setLoading(true) - try { - await stopGateway() updateGatewayStore({ - status: "stopped", - canStart: true, + status: "starting", restartRequired: false, }) } catch (err) { - console.error("Failed to stop gateway:", err) + console.error("Failed to start gateway:", err) } finally { + await refreshGatewayState({ force: true }) + setLoading(false) + } + }, [canStart]) + + const stop = useCallback(async () => { + setLoading(true) + beginGatewayStoppingTransition() + try { + await stopGateway() + } catch (err) { + console.error("Failed to stop gateway:", err) + cancelGatewayStoppingTransition() + } finally { + await refreshGatewayState({ force: true }) setLoading(false) } }, []) @@ -119,34 +55,20 @@ export function useGateway() { const restart = useCallback(async () => { if (state !== "running") return - const previousState = state - const previousCanStart = canStart - const previousRestartRequired = restartRequired - setLoading(true) - updateGatewayStore({ - status: "restarting", - restartRequired: false, - }) - try { await restartGateway() + updateGatewayStore({ + status: "restarting", + restartRequired: false, + }) } catch (err) { console.error("Failed to restart gateway:", err) - try { - const status = await getGatewayStatus() - applyGatewayStatus(status) - } catch { - updateGatewayStore({ - status: previousState, - canStart: previousCanStart, - restartRequired: previousRestartRequired, - }) - } } finally { + await refreshGatewayState({ force: true }) setLoading(false) } - }, [applyGatewayStatus, canStart, restartRequired, state]) + }, [state]) return { state, loading, canStart, restartRequired, start, stop, restart } } diff --git a/web/frontend/src/i18n/locales/en.json b/web/frontend/src/i18n/locales/en.json index 2fa32ebb5..327b4c646 100644 --- a/web/frontend/src/i18n/locales/en.json +++ b/web/frontend/src/i18n/locales/en.json @@ -63,7 +63,8 @@ }, "status": { "starting": "Starting Gateway...", - "restarting": "Restarting Gateway..." + "restarting": "Restarting Gateway...", + "stopping": "Stopping Gateway..." }, "restartRequired": "Model changes require a gateway restart to take effect." } diff --git a/web/frontend/src/i18n/locales/zh.json b/web/frontend/src/i18n/locales/zh.json index badf5bb3d..cd674ddc1 100644 --- a/web/frontend/src/i18n/locales/zh.json +++ b/web/frontend/src/i18n/locales/zh.json @@ -63,7 +63,8 @@ }, "status": { "starting": "服务启动中...", - "restarting": "服务重启中..." + "restarting": "服务重启中...", + "stopping": "服务停止中..." }, "restartRequired": "切换默认模型后需要重启服务才能生效。" } diff --git a/web/frontend/src/store/gateway.ts b/web/frontend/src/store/gateway.ts index c5eee8451..1bdec6220 100644 --- a/web/frontend/src/store/gateway.ts +++ b/web/frontend/src/store/gateway.ts @@ -6,6 +6,7 @@ export type GatewayState = | "running" | "starting" | "restarting" + | "stopping" | "stopped" | "error" | "unknown" @@ -24,9 +25,29 @@ const DEFAULT_GATEWAY_STATE: GatewayStoreState = { restartRequired: false, } +const GATEWAY_POLL_INTERVAL_MS = 2000 +const GATEWAY_TRANSIENT_POLL_INTERVAL_MS = 1000 +const GATEWAY_STOPPING_TIMEOUT_MS = 5000 + +interface RefreshGatewayStateOptions { + force?: boolean +} + // Global atom for gateway state export const gatewayAtom = atom(DEFAULT_GATEWAY_STATE) +let gatewayPollingSubscribers = 0 +let gatewayPollingTimer: ReturnType | null = null +let gatewayPollingRequest: Promise | null = null +let gatewayStoppingTimer: ReturnType | null = null + +function clearGatewayStoppingTimeout() { + if (gatewayStoppingTimer !== null) { + clearTimeout(gatewayStoppingTimer) + gatewayStoppingTimer = null + } +} + function normalizeGatewayStoreState( prev: GatewayStoreState, patch: GatewayStorePatch, @@ -49,10 +70,38 @@ export function updateGatewayStore( | GatewayStorePatch | ((prev: GatewayStoreState) => GatewayStorePatch | GatewayStoreState), ) { - getDefaultStore().set(gatewayAtom, (prev) => { + const store = getDefaultStore() + store.set(gatewayAtom, (prev) => { const nextPatch = typeof patch === "function" ? patch(prev) : patch return normalizeGatewayStoreState(prev, nextPatch) }) + const nextState = store.get(gatewayAtom) + if (nextState?.status !== "stopping") { + clearGatewayStoppingTimeout() + } +} + +export function beginGatewayStoppingTransition() { + clearGatewayStoppingTimeout() + updateGatewayStore({ + status: "stopping", + canStart: false, + restartRequired: false, + }) + gatewayStoppingTimer = setTimeout(() => { + gatewayStoppingTimer = null + updateGatewayStore((prev) => + prev.status === "stopping" ? { status: "running" } : prev, + ) + void refreshGatewayState({ force: true }) + }, GATEWAY_STOPPING_TIMEOUT_MS) +} + +export function cancelGatewayStoppingTransition() { + clearGatewayStoppingTimeout() + updateGatewayStore((prev) => + prev.status === "stopping" ? { status: "running" } : prev, + ) } export function applyGatewayStatusToStore( @@ -64,21 +113,92 @@ export function applyGatewayStatusToStore( >, ) { updateGatewayStore((prev) => ({ - status: data.gateway_status ?? prev.status, - canStart: data.gateway_start_allowed ?? prev.canStart, - restartRequired: - data.gateway_restart_required ?? - (data.gateway_status && data.gateway_status !== "running" + status: + prev.status === "stopping" && data.gateway_status === "running" + ? "stopping" + : (data.gateway_status ?? prev.status), + canStart: + prev.status === "stopping" && data.gateway_status === "running" ? false - : prev.restartRequired), + : (data.gateway_start_allowed ?? prev.canStart), + restartRequired: + prev.status === "stopping" && data.gateway_status === "running" + ? false + : (data.gateway_restart_required ?? prev.restartRequired), })) } -export async function refreshGatewayState() { +function nextGatewayPollInterval() { + const status = getDefaultStore().get(gatewayAtom).status + if ( + status === "starting" || + status === "restarting" || + status === "stopping" + ) { + return GATEWAY_TRANSIENT_POLL_INTERVAL_MS + } + return GATEWAY_POLL_INTERVAL_MS +} + +function scheduleGatewayPoll(delay = nextGatewayPollInterval()) { + if (gatewayPollingSubscribers === 0) { + return + } + + if (gatewayPollingTimer !== null) { + clearTimeout(gatewayPollingTimer) + } + + gatewayPollingTimer = setTimeout(() => { + gatewayPollingTimer = null + void refreshGatewayState() + }, delay) +} + +export async function refreshGatewayState( + options: RefreshGatewayStateOptions = {}, +) { + if (gatewayPollingRequest) { + await gatewayPollingRequest + if (options.force) { + return refreshGatewayState() + } + return + } + + gatewayPollingRequest = (async () => { + try { + const status = await getGatewayStatus() + applyGatewayStatusToStore(status) + } catch { + // Preserve the last known state when a poll fails. + } finally { + gatewayPollingRequest = null + scheduleGatewayPoll() + } + })() + try { - const status = await getGatewayStatus() - applyGatewayStatusToStore(status) - } catch { - updateGatewayStore(DEFAULT_GATEWAY_STATE) + await gatewayPollingRequest + } finally { + if (gatewayPollingSubscribers === 0 && gatewayPollingTimer !== null) { + clearTimeout(gatewayPollingTimer) + gatewayPollingTimer = null + } + } +} + +export function subscribeGatewayPolling() { + gatewayPollingSubscribers += 1 + if (gatewayPollingSubscribers === 1) { + void refreshGatewayState() + } + + return () => { + gatewayPollingSubscribers = Math.max(0, gatewayPollingSubscribers - 1) + if (gatewayPollingSubscribers === 0 && gatewayPollingTimer !== null) { + clearTimeout(gatewayPollingTimer) + gatewayPollingTimer = null + } } } From 7b9fdaec3229422fa9d81d3100eaea0ec8878acb Mon Sep 17 00:00:00 2001 From: wenjie Date: Tue, 17 Mar 2026 18:56:52 +0800 Subject: [PATCH 36/44] feat(config): add exec controls and gate cron commands on exec settings (#1685) - add a dedicated exec settings section in the config page - support timeout and custom allow/deny regex patterns for exec - validate custom exec regex patterns in the config API - block cron command scheduling and execution when exec is disabled - update tests and i18n strings for the new command settings --- pkg/tools/cron.go | 37 +++++-- pkg/tools/cron_test.go | 49 +++++++++ web/backend/api/config.go | 22 ++++ web/backend/api/config_test.go | 79 ++++++++++++++ .../src/components/config/config-page.tsx | 30 +++++- .../src/components/config/config-sections.tsx | 102 ++++++++++++++++-- .../src/components/config/form-model.ts | 42 ++++++++ web/frontend/src/i18n/locales/en.json | 24 +++-- web/frontend/src/i18n/locales/zh.json | 22 +++- 9 files changed, 379 insertions(+), 28 deletions(-) diff --git a/pkg/tools/cron.go b/pkg/tools/cron.go index aa22f9aa6..154ec75f0 100644 --- a/pkg/tools/cron.go +++ b/pkg/tools/cron.go @@ -25,6 +25,7 @@ type CronTool struct { msgBus *bus.MessageBus execTool *ExecTool allowCommand bool + execEnabled bool } // NewCronTool creates a new CronTool @@ -33,23 +34,32 @@ func NewCronTool( cronService *cron.CronService, executor JobExecutor, msgBus *bus.MessageBus, workspace string, restrict bool, execTimeout time.Duration, config *config.Config, ) (*CronTool, error) { - execTool, err := NewExecToolWithConfig(workspace, restrict, config) - if err != nil { - return nil, fmt.Errorf("unable to configure exec tool: %w", err) - } - allowCommand := true + execEnabled := true if config != nil { allowCommand = config.Tools.Cron.AllowCommand + execEnabled = config.Tools.Exec.Enabled } - execTool.SetTimeout(execTimeout) + var execTool *ExecTool + if execEnabled { + var err error + execTool, err = NewExecToolWithConfig(workspace, restrict, config) + if err != nil { + return nil, fmt.Errorf("unable to configure exec tool: %w", err) + } + } + + if execTool != nil { + execTool.SetTimeout(execTimeout) + } return &CronTool{ cronService: cronService, executor: executor, msgBus: msgBus, execTool: execTool, allowCommand: allowCommand, + execEnabled: execEnabled, }, nil } @@ -193,6 +203,9 @@ func (t *CronTool) addJob(ctx context.Context, args map[string]any) *ToolResult command, _ := args["command"].(string) commandConfirm, _ := args["command_confirm"].(bool) if command != "" { + if !t.execEnabled { + return ErrorResult("command execution is disabled") + } if !constants.IsInternalChannel(channel) { return ErrorResult("scheduling command execution is restricted to internal channels") } @@ -298,6 +311,18 @@ func (t *CronTool) ExecuteJob(ctx context.Context, job *cron.CronJob) string { // Execute command if present if job.Payload.Command != "" { + if !t.execEnabled || t.execTool == nil { + output := "Error executing scheduled command: command execution is disabled" + pubCtx, pubCancel := context.WithTimeout(context.Background(), 5*time.Second) + defer pubCancel() + t.msgBus.PublishOutbound(pubCtx, bus.OutboundMessage{ + Channel: channel, + ChatID: chatID, + Content: output, + }) + return "ok" + } + args := map[string]any{ "command": job.Payload.Command, "__channel": channel, diff --git a/pkg/tools/cron_test.go b/pkg/tools/cron_test.go index e46b13b13..09d29b6fa 100644 --- a/pkg/tools/cron_test.go +++ b/pkg/tools/cron_test.go @@ -5,6 +5,7 @@ import ( "path/filepath" "strings" "testing" + "time" "github.com/sipeed/picoclaw/pkg/bus" "github.com/sipeed/picoclaw/pkg/config" @@ -112,6 +113,28 @@ func TestCronTool_CommandAllowedWithConfirmWhenAllowCommandDisabled(t *testing.T } } +func TestCronTool_CommandBlockedWhenExecDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Exec.Enabled = false + + tool := newTestCronToolWithConfig(t, cfg) + ctx := WithToolContext(context.Background(), "cli", "direct") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "check disk", + "command": "df -h", + "command_confirm": true, + "at_seconds": float64(60), + }) + + if !result.IsError { + t.Fatal("expected command scheduling to be blocked when exec is disabled") + } + if !strings.Contains(result.ForLLM, "command execution is disabled") { + t.Errorf("expected exec disabled message, got: %s", result.ForLLM) + } +} + // TestCronTool_CommandAllowedFromInternalChannel verifies command scheduling works from internal channels func TestCronTool_CommandAllowedFromInternalChannel(t *testing.T) { tool := newTestCronTool(t) @@ -185,3 +208,29 @@ func TestCronTool_NonCommandJobDefaultsDeliverToFalse(t *testing.T) { t.Fatal("expected deliver=false by default for non-command jobs") } } + +func TestCronTool_ExecuteJobPublishesErrorWhenExecDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Exec.Enabled = false + + tool := newTestCronToolWithConfig(t, cfg) + job := &cron.CronJob{} + job.Payload.Channel = "cli" + job.Payload.To = "direct" + job.Payload.Command = "df -h" + + if got := tool.ExecuteJob(context.Background(), job); got != "ok" { + t.Fatalf("ExecuteJob() = %q, want ok", got) + } + + ctx, cancel := context.WithTimeout(context.Background(), time.Second) + defer cancel() + + msg, ok := tool.msgBus.SubscribeOutbound(ctx) + if !ok { + t.Fatal("expected outbound message") + } + if !strings.Contains(msg.Content, "command execution is disabled") { + t.Fatalf("expected exec disabled message, got: %s", msg.Content) + } +} diff --git a/web/backend/api/config.go b/web/backend/api/config.go index 091e3fbae..a7d5b3c5d 100644 --- a/web/backend/api/config.go +++ b/web/backend/api/config.go @@ -5,6 +5,7 @@ import ( "fmt" "io" "net/http" + "regexp" "github.com/sipeed/picoclaw/pkg/config" ) @@ -188,6 +189,27 @@ func validateConfig(cfg *config.Config) []string { errs = append(errs, "channels.discord.token is required when discord channel is enabled") } + if cfg.Tools.Exec.Enabled { + if cfg.Tools.Exec.EnableDenyPatterns { + errs = append( + errs, + validateRegexPatterns("tools.exec.custom_deny_patterns", cfg.Tools.Exec.CustomDenyPatterns)...) + } + errs = append( + errs, + validateRegexPatterns("tools.exec.custom_allow_patterns", cfg.Tools.Exec.CustomAllowPatterns)...) + } + + return errs +} + +func validateRegexPatterns(field string, patterns []string) []string { + var errs []string + for index, pattern := range patterns { + if _, err := regexp.Compile(pattern); err != nil { + errs = append(errs, fmt.Sprintf("%s[%d] is not a valid regular expression: %v", field, index, err)) + } + } return errs } diff --git a/web/backend/api/config_test.go b/web/backend/api/config_test.go index 29811e37e..54ec8e857 100644 --- a/web/backend/api/config_test.go +++ b/web/backend/api/config_test.go @@ -86,3 +86,82 @@ func TestHandleUpdateConfig_DoesNotInheritDefaultModelFields(t *testing.T) { t.Fatalf("model_list[0].api_base = %q, want empty string", got) } } + +func TestHandlePatchConfig_RejectsInvalidExecRegexPatterns(t *testing.T) { + configPath, cleanup := setupOAuthTestEnv(t) + defer cleanup() + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + req := httptest.NewRequest(http.MethodPatch, "/api/config", bytes.NewBufferString(`{ + "tools": { + "exec": { + "custom_deny_patterns": ["("] + } + } + }`)) + req.Header.Set("Content-Type", "application/json") + + rec := httptest.NewRecorder() + mux.ServeHTTP(rec, req) + if rec.Code != http.StatusBadRequest { + t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusBadRequest, rec.Body.String()) + } + if !bytes.Contains(rec.Body.Bytes(), []byte("custom_deny_patterns")) { + t.Fatalf("expected validation error mentioning custom_deny_patterns, body=%s", rec.Body.String()) + } +} + +func TestHandlePatchConfig_AllowsInvalidExecRegexPatternsWhenExecDisabled(t *testing.T) { + configPath, cleanup := setupOAuthTestEnv(t) + defer cleanup() + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + req := httptest.NewRequest(http.MethodPatch, "/api/config", bytes.NewBufferString(`{ + "tools": { + "exec": { + "enabled": false, + "custom_deny_patterns": ["("], + "custom_allow_patterns": ["("] + } + } + }`)) + req.Header.Set("Content-Type", "application/json") + + rec := httptest.NewRecorder() + mux.ServeHTTP(rec, req) + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusOK, rec.Body.String()) + } +} + +func TestHandlePatchConfig_AllowsInvalidDenyRegexPatternsWhenDenyPatternsDisabled(t *testing.T) { + configPath, cleanup := setupOAuthTestEnv(t) + defer cleanup() + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + req := httptest.NewRequest(http.MethodPatch, "/api/config", bytes.NewBufferString(`{ + "tools": { + "exec": { + "enabled": true, + "enable_deny_patterns": false, + "custom_deny_patterns": ["("] + } + } + }`)) + req.Header.Set("Content-Type", "application/json") + + rec := httptest.NewRecorder() + mux.ServeHTTP(rec, req) + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusOK, rec.Body.String()) + } +} diff --git a/web/frontend/src/components/config/config-page.tsx b/web/frontend/src/components/config/config-page.tsx index 130498ba4..e533b956f 100644 --- a/web/frontend/src/components/config/config-page.tsx +++ b/web/frontend/src/components/config/config-page.tsx @@ -16,6 +16,7 @@ import { AgentDefaultsSection, CronSection, DevicesSection, + ExecSection, LauncherSection, RuntimeSection, } from "@/components/config/config-sections" @@ -27,6 +28,7 @@ import { buildFormFromConfig, parseCIDRText, parseIntField, + parseMultilineList, } from "@/components/config/form-model" import { PageHeader } from "@/components/page-header" import { Button } from "@/components/ui/button" @@ -170,6 +172,28 @@ export function ConfigPage() { "Cron exec timeout", { min: 0 }, ) + const execConfigPatch: Record = { + enabled: form.execEnabled, + } + + if (form.execEnabled) { + execConfigPatch.allow_remote = form.allowRemote + execConfigPatch.enable_deny_patterns = form.enableDenyPatterns + execConfigPatch.custom_allow_patterns = parseMultilineList( + form.customAllowPatternsText, + ) + execConfigPatch.timeout_seconds = parseIntField( + form.execTimeoutSeconds, + "Exec timeout", + { min: 0 }, + ) + + if (form.enableDenyPatterns) { + execConfigPatch.custom_deny_patterns = parseMultilineList( + form.customDenyPatternsText, + ) + } + } await patchAppConfig({ agents: { @@ -190,9 +214,7 @@ export function ConfigPage() { allow_command: form.allowCommand, exec_timeout_minutes: cronExecTimeoutMinutes, }, - exec: { - allow_remote: form.allowRemote, - }, + exec: execConfigPatch, }, heartbeat: { enabled: form.heartbeatEnabled, @@ -289,6 +311,8 @@ export function ConfigPage() { + + - onFieldChange("allowRemote", checked)} - /> - + onFieldChange("execEnabled", checked)} + /> + + {form.execEnabled && ( + <> + onFieldChange("allowRemote", checked)} + /> + + + onFieldChange("enableDenyPatterns", checked) + } + /> + + {form.enableDenyPatterns && ( + +