From a01af36af4fb387a8bff6f528f5c5fb9cb89bb83 Mon Sep 17 00:00:00 2001 From: afjcjsbx Date: Thu, 12 Mar 2026 18:58:24 +0100 Subject: [PATCH 01/47] feat(logger): add custom console formatter for JSON and multiline strings --- pkg/logger/logger.go | 65 +++++++++++++++++++++++++++++++++++++++----- 1 file changed, 58 insertions(+), 7 deletions(-) diff --git a/pkg/logger/logger.go b/pkg/logger/logger.go index 80adcf86c..54dc61588 100644 --- a/pkg/logger/logger.go +++ b/pkg/logger/logger.go @@ -5,6 +5,7 @@ import ( "os" "path/filepath" "runtime" + "strconv" "strings" "sync" @@ -45,6 +46,9 @@ func init() { consoleWriter := zerolog.ConsoleWriter{ Out: os.Stdout, TimeFormat: "15:04:05", // TODO: make it configurable??? + + // Custom formatter to handle multiline strings and JSON objects + FormatFieldValue: formatFieldValue, } logger = zerolog.New(consoleWriter).With().Timestamp().Logger() @@ -52,6 +56,37 @@ func init() { }) } +func formatFieldValue(i any) string { + var s string + + switch val := i.(type) { + case string: + s = val + case []byte: + s = string(val) + default: + return fmt.Sprintf("%v", i) + } + + if unquoted, err := strconv.Unquote(s); err == nil { + s = unquoted + } + + if strings.Contains(s, "\n") { + return fmt.Sprintf("\n%s", s) + } + + if strings.Contains(s, " ") { + if (strings.HasPrefix(s, "{") && strings.HasSuffix(s, "}")) || + (strings.HasPrefix(s, "[") && strings.HasSuffix(s, "]")) { + return s + } + return fmt.Sprintf("%q", s) + } + + return s +} + func SetLevel(level LogLevel) { mu.Lock() defer mu.Unlock() @@ -162,10 +197,7 @@ func logMessage(level LogLevel, component string, message string, fields map[str event.Str("caller", fmt.Sprintf(" %s:%d (%s)", callerFile, callerLine, callerFunc)) } - for k, v := range fields { - event.Interface(k, v) - } - + appendFields(event, fields) event.Msg(message) // Also log to file if enabled @@ -175,9 +207,8 @@ func logMessage(level LogLevel, component string, message string, fields map[str if component != "" { fileEvent.Str("component", component) } - for k, v := range fields { - fileEvent.Interface(k, v) - } + + appendFields(event, fields) fileEvent.Msg(message) } @@ -186,6 +217,26 @@ func logMessage(level LogLevel, component string, message string, fields map[str } } +func appendFields(event *zerolog.Event, fields map[string]any) { + for k, v := range fields { + // Type switch to avoid double JSON serialization of strings + switch val := v.(type) { + case string: + event.Str(k, val) + case int: + event.Int(k, val) + case int64: + event.Int64(k, val) + case float64: + event.Float64(k, val) + case bool: + event.Bool(k, val) + default: + event.Interface(k, v) // Fallback for struct, slice and maps + } + } +} + func Debug(message string) { logMessage(DEBUG, "", message, nil) } From 78c9b86d7efb451a5055202810540b97f48350a3 Mon Sep 17 00:00:00 2001 From: afjcjsbx Date: Fri, 13 Mar 2026 14:02:28 +0100 Subject: [PATCH 02/47] added tests --- pkg/logger/logger_test.go | 111 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 111 insertions(+) diff --git a/pkg/logger/logger_test.go b/pkg/logger/logger_test.go index 6e6f8dfa8..87be4fe97 100644 --- a/pkg/logger/logger_test.go +++ b/pkg/logger/logger_test.go @@ -137,3 +137,114 @@ func TestLoggerHelperFunctions(t *testing.T) { DebugC("test", "Debug with component") WarnF("Warning with fields", map[string]any{"key": "value"}) } + +func TestFormatFieldValue(t *testing.T) { + tests := []struct { + name string + input any + expected string + }{ + // Basic types test (default case of the switch) + { + name: "Integer Type", + input: 42, + expected: "42", + }, + { + name: "Boolean Type", + input: true, + expected: "true", + }, + { + name: "Unsupported Struct Type", + input: struct{ A int }{A: 1}, + expected: "{1}", + }, + + // Simple strings and byte slices test + { + name: "Simple string without spaces", + input: "simple_value", + expected: "simple_value", + }, + { + name: "Simple byte slice", + input: []byte("byte_value"), + expected: "byte_value", + }, + + // Unquoting test (strconv.Unquote) + { + name: "Quoted string", + input: `"quoted_value"`, + expected: "quoted_value", + }, + + // Strings with newline (\n) test + { + name: "String with newline", + input: "line1\nline2", + expected: "\nline1\nline2", + }, + { + name: "Quoted string with newline (Unquote -> newline)", + input: `"line1\nline2"`, // Escaped \n that Unquote will resolve + expected: "\nline1\nline2", + }, + + // Strings with spaces test (which should be quoted) + { + name: "String with spaces", + input: "hello world", + expected: `"hello world"`, + }, + { + name: "Quoted string with spaces (Unquote -> has spaces -> Re-quote)", + input: `"hello world"`, + expected: `"hello world"`, + }, + + // JSON formats test (strings with spaces that start/end with brackets) + { + name: "Valid JSON object", + input: `{"key": "value"}`, + expected: `{"key": "value"}`, + }, + { + name: "Valid JSON array", + input: `[1, 2, "three"]`, + expected: `[1, 2, "three"]`, + }, + { + name: "Fake JSON (starts with { but doesn't end with })", + input: `{"key": "value"`, // Missing closing bracket, has spaces + expected: `"{\"key\": \"value\""`, + }, + { + name: "Empty JSON (object)", + input: `{ }`, + expected: `{ }`, + }, + + // 7. Edge Cases + { + name: "Empty string", + input: "", + expected: "", + }, + { + name: "Whitespace only string", + input: " ", + expected: `" "`, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + actual := formatFieldValue(tt.input) + if actual != tt.expected { + t.Errorf("formatFieldValue() = %q, expected %q", actual, tt.expected) + } + }) + } +} From b9aaad95cd1770deeb7a78d9d137fc807c12a365 Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 12:01:47 +0800 Subject: [PATCH 03/47] refactor(media): centralize temp media dir path --- pkg/channels/feishu/feishu_64.go | 2 +- pkg/channels/matrix/matrix.go | 4 +--- pkg/channels/matrix/matrix_test.go | 3 ++- pkg/media/tempdir.go | 13 +++++++++++++ pkg/utils/media.go | 3 ++- 5 files changed, 19 insertions(+), 6 deletions(-) create mode 100644 pkg/media/tempdir.go diff --git a/pkg/channels/feishu/feishu_64.go b/pkg/channels/feishu/feishu_64.go index 5dbbcf0af..9c462e41e 100644 --- a/pkg/channels/feishu/feishu_64.go +++ b/pkg/channels/feishu/feishu_64.go @@ -618,7 +618,7 @@ func (c *FeishuChannel) downloadResource( } // Write to the shared picoclaw_media directory using a unique name to avoid collisions. - mediaDir := filepath.Join(os.TempDir(), "picoclaw_media") + mediaDir := media.TempDir() if mkdirErr := os.MkdirAll(mediaDir, 0o700); mkdirErr != nil { logger.ErrorCF("feishu", "Failed to create media directory", map[string]any{ "error": mkdirErr.Error(), diff --git a/pkg/channels/matrix/matrix.go b/pkg/channels/matrix/matrix.go index bec5dfdac..4cbe95c5c 100644 --- a/pkg/channels/matrix/matrix.go +++ b/pkg/channels/matrix/matrix.go @@ -35,8 +35,6 @@ const ( roomKindCacheTTL = 5 * time.Minute roomKindCacheCleanupPeriod = 1 * time.Minute roomKindCacheMaxEntries = 2048 - - matrixMediaTempDirName = "picoclaw_media" ) var matrixMentionHrefRegexp = regexp.MustCompile(`(?i)]+href=["']([^"']+)["']`) @@ -1105,7 +1103,7 @@ func (c *MatrixChannel) stripSelfMention(text string) string { } func matrixMediaTempDir() (string, error) { - mediaDir := filepath.Join(os.TempDir(), matrixMediaTempDirName) + mediaDir := media.TempDir() if err := os.MkdirAll(mediaDir, 0o700); err != nil { return "", err } diff --git a/pkg/channels/matrix/matrix_test.go b/pkg/channels/matrix/matrix_test.go index 07a35c021..7484c8d87 100644 --- a/pkg/channels/matrix/matrix_test.go +++ b/pkg/channels/matrix/matrix_test.go @@ -15,6 +15,7 @@ import ( "maunium.net/go/mautrix/id" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/media" ) func TestMatrixLocalpartMentionRegexp(t *testing.T) { @@ -165,7 +166,7 @@ func TestMatrixMediaTempDir(t *testing.T) { if err != nil { t.Fatalf("matrixMediaTempDir failed: %v", err) } - if filepath.Base(dir) != matrixMediaTempDirName { + if filepath.Base(dir) != media.TempDirName { t.Fatalf("unexpected media dir base: %q", filepath.Base(dir)) } diff --git a/pkg/media/tempdir.go b/pkg/media/tempdir.go new file mode 100644 index 000000000..45942b34f --- /dev/null +++ b/pkg/media/tempdir.go @@ -0,0 +1,13 @@ +package media + +import ( + "os" + "path/filepath" +) + +const TempDirName = "picoclaw_media" + +// TempDir returns the shared temporary directory used for downloaded media. +func TempDir() string { + return filepath.Join(os.TempDir(), TempDirName) +} diff --git a/pkg/utils/media.go b/pkg/utils/media.go index 3e1c5d88e..82e9f5f45 100644 --- a/pkg/utils/media.go +++ b/pkg/utils/media.go @@ -12,6 +12,7 @@ import ( "github.com/google/uuid" "github.com/sipeed/picoclaw/pkg/logger" + "github.com/sipeed/picoclaw/pkg/media" ) // IsAudioFile checks if a file is an audio file based on its filename extension and content type. @@ -67,7 +68,7 @@ func DownloadFile(urlStr, filename string, opts DownloadOptions) string { opts.LoggerPrefix = "utils" } - mediaDir := filepath.Join(os.TempDir(), "picoclaw_media") + mediaDir := media.TempDir() if err := os.MkdirAll(mediaDir, 0o700); err != nil { logger.ErrorCF(opts.LoggerPrefix, "Failed to create media directory", map[string]any{ "error": err.Error(), From 1bc05e83927ad0f914e96d6546a016f6fb9fbc6f Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 12:02:06 +0800 Subject: [PATCH 04/47] fix(tools): allow sandbox access to temp media files --- pkg/agent/instance.go | 27 +++++++++++- pkg/agent/instance_test.go | 86 +++++++++++++++++++++++++++++++++++++ pkg/agent/loop.go | 3 ++ pkg/tools/filesystem.go | 48 ++++++++++++++++++--- pkg/tools/send_file.go | 17 +++++++- pkg/tools/send_file_test.go | 39 +++++++++++++++++ pkg/tools/shell.go | 44 +++++++++++++------ 7 files changed, 241 insertions(+), 23 deletions(-) diff --git a/pkg/agent/instance.go b/pkg/agent/instance.go index 0c7baa1ee..1c3635322 100644 --- a/pkg/agent/instance.go +++ b/pkg/agent/instance.go @@ -10,6 +10,7 @@ import ( "strings" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/media" "github.com/sipeed/picoclaw/pkg/memory" "github.com/sipeed/picoclaw/pkg/providers" "github.com/sipeed/picoclaw/pkg/routing" @@ -66,7 +67,7 @@ func NewAgentInstance( readRestrict := restrict && !defaults.AllowReadOutsideWorkspace // Compile path whitelist patterns from config. - allowReadPaths := compilePatterns(cfg.Tools.AllowReadPaths) + allowReadPaths := buildAllowReadPatterns(cfg) allowWritePaths := compilePatterns(cfg.Tools.AllowWritePaths) toolsRegistry := tools.NewToolRegistry() @@ -82,7 +83,7 @@ func NewAgentInstance( toolsRegistry.Register(tools.NewListDirTool(workspace, readRestrict, allowReadPaths)) } if cfg.Tools.IsToolEnabled("exec") { - execTool, err := tools.NewExecToolWithConfig(workspace, restrict, cfg) + execTool, err := tools.NewExecToolWithConfig(workspace, restrict, cfg, allowReadPaths) if err != nil { log.Fatalf("Critical error: unable to initialize exec tool: %v", err) } @@ -282,6 +283,28 @@ func compilePatterns(patterns []string) []*regexp.Regexp { return compiled } +func buildAllowReadPatterns(cfg *config.Config) []*regexp.Regexp { + var configured []string + if cfg != nil { + configured = cfg.Tools.AllowReadPaths + } + + compiled := compilePatterns(configured) + mediaDirPattern := regexp.MustCompile(mediaTempDirPattern()) + for _, pattern := range compiled { + if pattern.String() == mediaDirPattern.String() { + return compiled + } + } + + return append(compiled, mediaDirPattern) +} + +func mediaTempDirPattern() string { + sep := regexp.QuoteMeta(string(os.PathSeparator)) + return "^" + regexp.QuoteMeta(filepath.Clean(media.TempDir())) + "(?:" + sep + "|$)" +} + // Close releases resources held by the agent's session store. func (a *AgentInstance) Close() error { if a.Sessions != nil { diff --git a/pkg/agent/instance_test.go b/pkg/agent/instance_test.go index 4f41ecd1c..f8057bb2f 100644 --- a/pkg/agent/instance_test.go +++ b/pkg/agent/instance_test.go @@ -1,10 +1,14 @@ package agent import ( + "context" "os" + "path/filepath" + "strings" "testing" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/media" ) func TestNewAgentInstance_UsesDefaultsTemperatureAndMaxTokens(t *testing.T) { @@ -160,3 +164,85 @@ func TestNewAgentInstance_ResolveCandidatesFromModelListAlias(t *testing.T) { }) } } + +func TestNewAgentInstance_AllowsMediaTempDirForReadListAndExec(t *testing.T) { + workspace := t.TempDir() + mediaDir := media.TempDir() + if err := os.MkdirAll(mediaDir, 0o700); err != nil { + t.Fatalf("MkdirAll(mediaDir) error = %v", err) + } + + mediaFile, err := os.CreateTemp(mediaDir, "instance-tool-*.txt") + if err != nil { + t.Fatalf("CreateTemp(mediaDir) error = %v", err) + } + mediaPath := mediaFile.Name() + if _, err := mediaFile.WriteString("attachment content"); err != nil { + mediaFile.Close() + t.Fatalf("WriteString(mediaFile) error = %v", err) + } + if err := mediaFile.Close(); err != nil { + t.Fatalf("Close(mediaFile) error = %v", err) + } + t.Cleanup(func() { _ = os.Remove(mediaPath) }) + + cfg := &config.Config{ + Agents: config.AgentsConfig{ + Defaults: config.AgentDefaults{ + Workspace: workspace, + Model: "test-model", + RestrictToWorkspace: true, + }, + }, + Tools: config.ToolsConfig{ + ReadFile: config.ReadFileToolConfig{Enabled: true}, + ListDir: config.ToolConfig{Enabled: true}, + Exec: config.ExecConfig{ + ToolConfig: config.ToolConfig{Enabled: true}, + EnableDenyPatterns: true, + AllowRemote: true, + }, + }, + } + + agent := NewAgentInstance(nil, &cfg.Agents.Defaults, cfg, &mockProvider{}) + + readTool, ok := agent.Tools.Get("read_file") + if !ok { + t.Fatal("read_file tool not registered") + } + readResult := readTool.Execute(context.Background(), map[string]any{"path": mediaPath}) + if readResult.IsError { + t.Fatalf("read_file should allow media temp dir, got: %s", readResult.ForLLM) + } + if !strings.Contains(readResult.ForLLM, "attachment content") { + t.Fatalf("read_file output missing media content: %s", readResult.ForLLM) + } + + listTool, ok := agent.Tools.Get("list_dir") + if !ok { + t.Fatal("list_dir tool not registered") + } + listResult := listTool.Execute(context.Background(), map[string]any{"path": mediaDir}) + if listResult.IsError { + t.Fatalf("list_dir should allow media temp dir, got: %s", listResult.ForLLM) + } + if !strings.Contains(listResult.ForLLM, filepath.Base(mediaPath)) { + t.Fatalf("list_dir output missing media file: %s", listResult.ForLLM) + } + + execTool, ok := agent.Tools.Get("exec") + if !ok { + t.Fatal("exec tool not registered") + } + execResult := execTool.Execute(context.Background(), map[string]any{ + "command": "cat " + filepath.Base(mediaPath), + "working_dir": mediaDir, + }) + if execResult.IsError { + t.Fatalf("exec should allow media temp dir, got: %s", execResult.ForLLM) + } + if !strings.Contains(execResult.ForLLM, "attachment content") { + t.Fatalf("exec output missing media content: %s", execResult.ForLLM) + } +} diff --git a/pkg/agent/loop.go b/pkg/agent/loop.go index dfa339dee..8a0303b50 100644 --- a/pkg/agent/loop.go +++ b/pkg/agent/loop.go @@ -117,6 +117,8 @@ func registerSharedTools( registry *AgentRegistry, provider providers.LLMProvider, ) { + allowReadPaths := buildAllowReadPatterns(cfg) + for _, agentID := range registry.ListAgentIDs() { agent, ok := registry.GetAgent(agentID) if !ok { @@ -195,6 +197,7 @@ func registerSharedTools( cfg.Agents.Defaults.RestrictToWorkspace, cfg.Agents.Defaults.GetMaxMediaSize(), nil, + allowReadPaths, ) agent.Tools.Register(sendFileTool) } diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index 6b1cb1475..21385b01b 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -22,6 +22,10 @@ const MaxReadFileSize = 64 * 1024 // 64KB limit to avoid context overflow // validatePath ensures the given path is within the workspace if restrict is true. func validatePath(path, workspace string, restrict bool) (string, error) { + return validatePathWithAllowPaths(path, workspace, restrict, nil) +} + +func validatePathWithAllowPaths(path, workspace string, restrict bool, patterns []*regexp.Regexp) (string, error) { if workspace == "" { return path, fmt.Errorf("workspace is not defined") } @@ -42,6 +46,10 @@ func validatePath(path, workspace string, restrict bool) (string, error) { } if restrict { + if isAllowedPath(absPath, patterns) { + return absPath, nil + } + if !isWithinWorkspace(absPath, absWorkspace) { return "", fmt.Errorf("access denied: path is outside the workspace") } @@ -73,6 +81,39 @@ func validatePath(path, workspace string, restrict bool) (string, error) { return absPath, nil } +func isAllowedPath(path string, patterns []*regexp.Regexp) bool { + if len(patterns) == 0 { + return false + } + + cleaned := filepath.Clean(path) + if !matchesAllowedPath(cleaned, patterns) { + return false + } + + resolved, err := filepath.EvalSymlinks(cleaned) + if err == nil { + return matchesAllowedPath(resolved, patterns) + } + if os.IsNotExist(err) { + parentResolved, parentErr := resolveExistingAncestor(filepath.Dir(cleaned)) + if parentErr == nil { + return matchesAllowedPath(parentResolved, patterns) + } + } + + return false +} + +func matchesAllowedPath(path string, patterns []*regexp.Regexp) bool { + for _, pattern := range patterns { + if pattern.MatchString(path) { + return true + } + } + return false +} + func resolveExistingAncestor(path string) (string, error) { for current := filepath.Clean(path); ; current = filepath.Dir(current) { if resolved, err := filepath.EvalSymlinks(current); err == nil { @@ -625,12 +666,7 @@ type whitelistFs struct { } func (w *whitelistFs) matches(path string) bool { - for _, p := range w.patterns { - if p.MatchString(path) { - return true - } - } - return false + return matchesAllowedPath(path, w.patterns) } func (w *whitelistFs) ReadFile(path string) ([]byte, error) { diff --git a/pkg/tools/send_file.go b/pkg/tools/send_file.go index 1a03e58ed..a67bd4210 100644 --- a/pkg/tools/send_file.go +++ b/pkg/tools/send_file.go @@ -6,6 +6,7 @@ import ( "mime" "os" "path/filepath" + "regexp" "strings" "github.com/h2non/filetype" @@ -21,20 +22,32 @@ type SendFileTool struct { restrict bool maxFileSize int mediaStore media.MediaStore + allowPaths []*regexp.Regexp defaultChannel string defaultChatID string } -func NewSendFileTool(workspace string, restrict bool, maxFileSize int, store media.MediaStore) *SendFileTool { +func NewSendFileTool( + workspace string, + restrict bool, + maxFileSize int, + store media.MediaStore, + allowPaths ...[]*regexp.Regexp, +) *SendFileTool { if maxFileSize <= 0 { maxFileSize = config.DefaultMaxMediaSize } + var patterns []*regexp.Regexp + if len(allowPaths) > 0 { + patterns = allowPaths[0] + } return &SendFileTool{ workspace: workspace, restrict: restrict, maxFileSize: maxFileSize, mediaStore: store, + allowPaths: patterns, } } @@ -92,7 +105,7 @@ func (t *SendFileTool) Execute(ctx context.Context, args map[string]any) *ToolRe return ErrorResult("media store not configured") } - resolved, err := validatePath(path, t.workspace, t.restrict) + resolved, err := validatePathWithAllowPaths(path, t.workspace, t.restrict, t.allowPaths) if err != nil { return ErrorResult(fmt.Sprintf("invalid path: %v", err)) } diff --git a/pkg/tools/send_file_test.go b/pkg/tools/send_file_test.go index 08d129674..6daaab31c 100644 --- a/pkg/tools/send_file_test.go +++ b/pkg/tools/send_file_test.go @@ -4,6 +4,7 @@ import ( "context" "os" "path/filepath" + "regexp" "strings" "testing" @@ -128,6 +129,44 @@ func TestSendFileTool_CustomFilename(t *testing.T) { } } +func TestSendFileTool_AllowsWhitelistedMediaTempPath(t *testing.T) { + workspace := t.TempDir() + mediaDir := media.TempDir() + if err := os.MkdirAll(mediaDir, 0o700); err != nil { + t.Fatalf("MkdirAll(mediaDir) error = %v", err) + } + + testFile, err := os.CreateTemp(mediaDir, "send-file-*.txt") + if err != nil { + t.Fatalf("CreateTemp(mediaDir) error = %v", err) + } + testPath := testFile.Name() + if _, err := testFile.WriteString("forward me"); err != nil { + testFile.Close() + t.Fatalf("WriteString(testFile) error = %v", err) + } + if err := testFile.Close(); err != nil { + t.Fatalf("Close(testFile) error = %v", err) + } + t.Cleanup(func() { _ = os.Remove(testPath) }) + + pattern := regexp.MustCompile( + "^" + regexp.QuoteMeta(filepath.Clean(mediaDir)) + "(?:" + regexp.QuoteMeta(string(os.PathSeparator)) + "|$)", + ) + + store := media.NewFileMediaStore() + tool := NewSendFileTool(workspace, true, 0, store, []*regexp.Regexp{pattern}) + tool.SetContext("feishu", "chat123") + + result := tool.Execute(context.Background(), map[string]any{"path": testPath}) + if result.IsError { + t.Fatalf("expected whitelisted temp media file to be sendable, got: %s", result.ForLLM) + } + if len(result.Media) != 1 { + t.Fatalf("expected 1 media ref, got %d", len(result.Media)) + } +} + func TestDetectMediaType_MagicBytes(t *testing.T) { dir := t.TempDir() diff --git a/pkg/tools/shell.go b/pkg/tools/shell.go index 9ea05bb12..0dc85ae21 100644 --- a/pkg/tools/shell.go +++ b/pkg/tools/shell.go @@ -23,6 +23,7 @@ type ExecTool struct { denyPatterns []*regexp.Regexp allowPatterns []*regexp.Regexp customAllowPatterns []*regexp.Regexp + allowedPathPatterns []*regexp.Regexp restrictToWorkspace bool allowRemote bool } @@ -95,14 +96,23 @@ var ( } ) -func NewExecTool(workingDir string, restrict bool) (*ExecTool, error) { - return NewExecToolWithConfig(workingDir, restrict, nil) +func NewExecTool(workingDir string, restrict bool, allowPaths ...[]*regexp.Regexp) (*ExecTool, error) { + return NewExecToolWithConfig(workingDir, restrict, nil, allowPaths...) } -func NewExecToolWithConfig(workingDir string, restrict bool, config *config.Config) (*ExecTool, error) { +func NewExecToolWithConfig( + workingDir string, + restrict bool, + config *config.Config, + allowPaths ...[]*regexp.Regexp, +) (*ExecTool, error) { denyPatterns := make([]*regexp.Regexp, 0) customAllowPatterns := make([]*regexp.Regexp, 0) + var allowedPathPatterns []*regexp.Regexp allowRemote := true + if len(allowPaths) > 0 { + allowedPathPatterns = allowPaths[0] + } if config != nil { execConfig := config.Tools.Exec @@ -146,6 +156,7 @@ func NewExecToolWithConfig(workingDir string, restrict bool, config *config.Conf denyPatterns: denyPatterns, allowPatterns: nil, customAllowPatterns: customAllowPatterns, + allowedPathPatterns: allowedPathPatterns, restrictToWorkspace: restrict, allowRemote: allowRemote, }, nil @@ -198,7 +209,7 @@ func (t *ExecTool) Execute(ctx context.Context, args map[string]any) *ToolResult cwd := t.workingDir if wd, ok := args["working_dir"].(string); ok && wd != "" { if t.restrictToWorkspace && t.workingDir != "" { - resolvedWD, err := validatePath(wd, t.workingDir, true) + resolvedWD, err := validatePathWithAllowPaths(wd, t.workingDir, true, t.allowedPathPatterns) if err != nil { return ErrorResult("Command blocked by safety guard (" + err.Error() + ")") } @@ -226,16 +237,20 @@ func (t *ExecTool) Execute(ctx context.Context, args map[string]any) *ToolResult if err != nil { return ErrorResult(fmt.Sprintf("Command blocked by safety guard (path resolution failed: %v)", err)) } - absWorkspace, _ := filepath.Abs(t.workingDir) - wsResolved, _ := filepath.EvalSymlinks(absWorkspace) - if wsResolved == "" { - wsResolved = absWorkspace + if isAllowedPath(resolved, t.allowedPathPatterns) { + cwd = resolved + } else { + absWorkspace, _ := filepath.Abs(t.workingDir) + wsResolved, _ := filepath.EvalSymlinks(absWorkspace) + if wsResolved == "" { + wsResolved = absWorkspace + } + rel, err := filepath.Rel(wsResolved, resolved) + if err != nil || !filepath.IsLocal(rel) { + return ErrorResult("Command blocked by safety guard (working directory escaped workspace)") + } + cwd = resolved } - rel, err := filepath.Rel(wsResolved, resolved) - if err != nil || !filepath.IsLocal(rel) { - return ErrorResult("Command blocked by safety guard (working directory escaped workspace)") - } - cwd = resolved } // timeout == 0 means no timeout @@ -412,6 +427,9 @@ func (t *ExecTool) guardCommand(command, cwd string) string { if safePaths[p] { continue } + if isAllowedPath(p, t.allowedPathPatterns) { + continue + } rel, err := filepath.Rel(cwdPath, p) if err != nil { From 345452fba840d1839e82bab58f9e8894c4844abe Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 12:08:11 +0800 Subject: [PATCH 05/47] refactor(tools): remove unused validatePath wrapper --- pkg/tools/filesystem.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index 21385b01b..d25ec1254 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -20,11 +20,6 @@ import ( const MaxReadFileSize = 64 * 1024 // 64KB limit to avoid context overflow -// validatePath ensures the given path is within the workspace if restrict is true. -func validatePath(path, workspace string, restrict bool) (string, error) { - return validatePathWithAllowPaths(path, workspace, restrict, nil) -} - func validatePathWithAllowPaths(path, workspace string, restrict bool, patterns []*regexp.Regexp) (string, error) { if workspace == "" { return path, fmt.Errorf("workspace is not defined") From bb1a4145274c78e1b8267af89a1816cd7b0107f5 Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 19:58:23 +0800 Subject: [PATCH 06/47] fix(tools): harden whitelist path resolution --- pkg/tools/filesystem.go | 42 +++++++++++++++++++++++-------- pkg/tools/filesystem_test.go | 49 ++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 11 deletions(-) diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index d25ec1254..92946ef98 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -82,22 +82,19 @@ func isAllowedPath(path string, patterns []*regexp.Regexp) bool { } cleaned := filepath.Clean(path) + if !filepath.IsAbs(cleaned) { + return false + } if !matchesAllowedPath(cleaned, patterns) { return false } - resolved, err := filepath.EvalSymlinks(cleaned) - if err == nil { - return matchesAllowedPath(resolved, patterns) - } - if os.IsNotExist(err) { - parentResolved, parentErr := resolveExistingAncestor(filepath.Dir(cleaned)) - if parentErr == nil { - return matchesAllowedPath(parentResolved, patterns) - } + resolved, err := resolvePathAgainstExistingAncestor(cleaned) + if err != nil { + return false } - return false + return matchesAllowedPath(resolved, patterns) } func matchesAllowedPath(path string, patterns []*regexp.Regexp) bool { @@ -122,6 +119,29 @@ func resolveExistingAncestor(path string) (string, error) { } } +func resolvePathAgainstExistingAncestor(path string) (string, error) { + cleaned := filepath.Clean(path) + for current := cleaned; ; current = filepath.Dir(current) { + resolved, err := filepath.EvalSymlinks(current) + if err == nil { + suffix, relErr := filepath.Rel(current, cleaned) + if relErr != nil { + return "", relErr + } + if suffix == "." { + return filepath.Clean(resolved), nil + } + return filepath.Clean(filepath.Join(resolved, suffix)), nil + } + if !os.IsNotExist(err) { + return "", err + } + if filepath.Dir(current) == current { + return "", os.ErrNotExist + } + } +} + func isWithinWorkspace(candidate, workspace string) bool { rel, err := filepath.Rel(filepath.Clean(workspace), filepath.Clean(candidate)) return err == nil && filepath.IsLocal(rel) @@ -661,7 +681,7 @@ type whitelistFs struct { } func (w *whitelistFs) matches(path string) bool { - return matchesAllowedPath(path, w.patterns) + return isAllowedPath(path, w.patterns) } func (w *whitelistFs) ReadFile(path string) ([]byte, error) { diff --git a/pkg/tools/filesystem_test.go b/pkg/tools/filesystem_test.go index 0bbf6caf0..78d69273f 100644 --- a/pkg/tools/filesystem_test.go +++ b/pkg/tools/filesystem_test.go @@ -521,6 +521,55 @@ func TestWhitelistFs_AllowsMatchingPaths(t *testing.T) { } } +func TestWhitelistFs_BlocksSymlinkEscapeInAllowedDir(t *testing.T) { + workspace := t.TempDir() + allowedDir := t.TempDir() + secretDir := t.TempDir() + secretFile := filepath.Join(secretDir, "secret.txt") + if err := os.WriteFile(secretFile, []byte("top secret"), 0o644); err != nil { + t.Fatalf("WriteFile(secretFile) error = %v", err) + } + + linkPath := filepath.Join(allowedDir, "link_out") + if err := os.Symlink(secretDir, linkPath); err != nil { + t.Skipf("symlink not supported in this environment: %v", err) + } + + patterns := []*regexp.Regexp{regexp.MustCompile(`^` + regexp.QuoteMeta(allowedDir))} + tool := NewReadFileTool(workspace, true, MaxReadFileSize, patterns) + + result := tool.Execute(context.Background(), map[string]any{"path": filepath.Join(linkPath, "secret.txt")}) + if !result.IsError { + t.Fatalf("expected symlink escape from allowed dir to be blocked, got: %s", result.ForLLM) + } +} + +func TestWhitelistFs_WriteAllowsNewFileUnderAllowedDir(t *testing.T) { + workspace := t.TempDir() + rootDir := t.TempDir() + allowedDir := filepath.Join(rootDir, "allowed") + targetFile := filepath.Join(allowedDir, "nested", "file.txt") + + patterns := []*regexp.Regexp{regexp.MustCompile(`^` + regexp.QuoteMeta(allowedDir))} + tool := NewWriteFileTool(workspace, true, patterns) + + result := tool.Execute(context.Background(), map[string]any{ + "path": targetFile, + "content": "outside write", + }) + if result.IsError { + t.Fatalf("expected whitelisted write to succeed, got: %s", result.ForLLM) + } + + data, err := os.ReadFile(targetFile) + if err != nil { + t.Fatalf("ReadFile(targetFile) error = %v", err) + } + if string(data) != "outside write" { + t.Fatalf("target file content = %q, want %q", string(data), "outside write") + } +} + // TestReadFileTool_ChunkedReading verifies the pagination logic of the tool // by reading a file in multiple chunks using 'offset' and 'length'. func TestReadFileTool_ChunkedReading(t *testing.T) { From f71eaaf7f8d8189319453314c157d3ab969798a4 Mon Sep 17 00:00:00 2001 From: Hoshina Date: Sat, 14 Mar 2026 21:03:23 +0800 Subject: [PATCH 07/47] fix(cron): default scheduled jobs to agent execution --- pkg/tools/cron.go | 6 +++--- pkg/tools/cron_test.go | 22 ++++++++++++++++++++++ 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/pkg/tools/cron.go b/pkg/tools/cron.go index 648cc3c6c..25608a54c 100644 --- a/pkg/tools/cron.go +++ b/pkg/tools/cron.go @@ -96,7 +96,7 @@ func (t *CronTool) Parameters() map[string]any { }, "deliver": map[string]any{ "type": "boolean", - "description": "If true, send message directly to channel. If false, let agent process message (for complex tasks). Default: true", + "description": "If true, send message directly to channel. If false, let agent process message (for complex tasks). Default: false", }, }, "required": []string{"action"}, @@ -174,8 +174,8 @@ func (t *CronTool) addJob(ctx context.Context, args map[string]any) *ToolResult return ErrorResult("one of at_seconds, every_seconds, or cron_expr is required") } - // Read deliver parameter, default to true - deliver := true + // Read deliver parameter, default to false so scheduled tasks execute through the agent + deliver := false if d, ok := args["deliver"].(bool); ok { deliver = d } diff --git a/pkg/tools/cron_test.go b/pkg/tools/cron_test.go index 1776abc65..f1e857949 100644 --- a/pkg/tools/cron_test.go +++ b/pkg/tools/cron_test.go @@ -114,3 +114,25 @@ func TestCronTool_NonCommandJobAllowedFromRemoteChannel(t *testing.T) { t.Fatalf("expected non-command reminder to succeed from remote channel, got: %s", result.ForLLM) } } + +func TestCronTool_NonCommandJobDefaultsDeliverToFalse(t *testing.T) { + tool := newTestCronTool(t) + ctx := WithToolContext(context.Background(), "telegram", "chat-1") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "send me a poem", + "at_seconds": float64(600), + }) + + if result.IsError { + t.Fatalf("expected non-command reminder to succeed, got: %s", result.ForLLM) + } + + jobs := tool.cronService.ListJobs(false) + if len(jobs) != 1 { + t.Fatalf("expected 1 job, got %d", len(jobs)) + } + if jobs[0].Payload.Deliver { + t.Fatal("expected deliver=false by default for non-command jobs") + } +} From 5fb4b3bedf47735cdaaaab199ce3031ca6f8459f Mon Sep 17 00:00:00 2001 From: Kunal Karmakar <5303824+kunalk16@users.noreply.github.com> Date: Sat, 14 Mar 2026 20:22:34 +0530 Subject: [PATCH 08/47] feat(provider): add support for azure openai provider (#1422) * Add support for azure openai provider * Add checks for deployment model name * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Addressing @Copilot suggestion to remove the init() function which seemed redundant * Fix readme * Fix linting checks --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- README.fr.md | 1 + README.ja.md | 1 + README.md | 2 + README.pt-br.md | 1 + README.vi.md | 1 + README.zh.md | 1 + config/config.example.json | 6 + pkg/config/defaults.go | 9 + pkg/providers/azure/provider.go | 150 +++++ pkg/providers/azure/provider_test.go | 232 ++++++++ pkg/providers/common/common.go | 380 +++++++++++++ pkg/providers/common/common_test.go | 558 +++++++++++++++++++ pkg/providers/factory_provider.go | 19 + pkg/providers/factory_provider_test.go | 72 +++ pkg/providers/openai_compat/provider.go | 327 +---------- pkg/providers/openai_compat/provider_test.go | 9 +- 16 files changed, 1446 insertions(+), 323 deletions(-) create mode 100644 pkg/providers/azure/provider.go create mode 100644 pkg/providers/azure/provider_test.go create mode 100644 pkg/providers/common/common.go create mode 100644 pkg/providers/common/common_test.go diff --git a/README.fr.md b/README.fr.md index d5fe873bf..49a02fb77 100644 --- a/README.fr.md +++ b/README.fr.md @@ -991,6 +991,7 @@ Cette conception permet également le **support multi-agent** avec une sélectio | **BytePlus** | `byteplus/` | `https://ark.ap-southeast.bytepluses.com/api/v3` | OpenAI | [Obtenir Clé](https://www.byteplus.com/) | | **LongCat** | `longcat/` | `https://api.longcat.chat/openai` | OpenAI | [Obtenir une clé](https://longcat.chat/platform) | | **ModelScope (魔搭)**| `modelscope/` | `https://api-inference.modelscope.cn/v1` | OpenAI | [Obtenir un Token](https://modelscope.cn/my/tokens) | +| **Azure OpenAI** | `azure/` | `https://{resource}.openai.azure.com` | Azure | [Obtenir Clé](https://portal.azure.com) | | **Antigravity** | `antigravity/` | Google Cloud | Custom | OAuth uniquement | | **GitHub Copilot** | `github-copilot/` | `localhost:4321` | gRPC | - | diff --git a/README.ja.md b/README.ja.md index 7fff46d13..c0d27de4f 100644 --- a/README.ja.md +++ b/README.ja.md @@ -935,6 +935,7 @@ HEARTBEAT_OK 応答 ユーザーが直接結果を受け取る | **BytePlus** | `byteplus/` | `https://ark.ap-southeast.bytepluses.com/api/v3` | OpenAI | [キーを取得](https://www.byteplus.com) | | **LongCat** | `longcat/` | `https://api.longcat.chat/openai` | OpenAI | [キーを取得](https://longcat.chat/platform) | | **ModelScope (魔搭)**| `modelscope/` | `https://api-inference.modelscope.cn/v1` | OpenAI | [トークンを取得](https://modelscope.cn/my/tokens) | +| **Azure OpenAI** | `azure/` | `https://{resource}.openai.azure.com` | Azure | [キーを取得](https://portal.azure.com) | | **Antigravity** | `antigravity/` | Google Cloud | カスタム | OAuthのみ | | **GitHub Copilot** | `github-copilot/` | `localhost:4321` | gRPC | - | diff --git a/README.md b/README.md index e64daf0e4..159ac706f 100644 --- a/README.md +++ b/README.md @@ -1006,6 +1006,7 @@ The subagent has access to tools (message, web_search, etc.) and can communicate | `groq` | LLM + **Voice transcription** (Whisper) | [console.groq.com](https://console.groq.com) | | `cerebras` | LLM (Cerebras direct) | [cerebras.ai](https://cerebras.ai) | | `vivgrid` | LLM (Vivgrid direct) | [vivgrid.com](https://vivgrid.com) | +| `azure` | LLM (Azure OpenAI) | [portal.azure.com](https://portal.azure.com) | ### Model Configuration (model_list) @@ -1042,6 +1043,7 @@ This design also enables **multi-agent support** with flexible provider selectio | **Vivgrid** | `vivgrid/` | `https://api.vivgrid.com/v1` | OpenAI | [Get Key](https://vivgrid.com) | | **LongCat** | `longcat/` | `https://api.longcat.chat/openai` | OpenAI | [Get Key](https://longcat.chat/platform) | | **ModelScope (魔搭)**| `modelscope/` | `https://api-inference.modelscope.cn/v1` | OpenAI | [Get Token](https://modelscope.cn/my/tokens) | +| **Azure OpenAI** | `azure/` | `https://{resource}.openai.azure.com` | Azure | [Get Key](https://portal.azure.com) | | **Antigravity** | `antigravity/` | Google Cloud | Custom | OAuth only | | **GitHub Copilot** | `github-copilot/` | `localhost:4321` | gRPC | - | diff --git a/README.pt-br.md b/README.pt-br.md index 3fe24d7ea..56946139b 100644 --- a/README.pt-br.md +++ b/README.pt-br.md @@ -987,6 +987,7 @@ Este design também possibilita o **suporte multi-agent** com seleção flexíve | **BytePlus** | `byteplus/` | `https://ark.ap-southeast.bytepluses.com/api/v3` | OpenAI | [Obter Chave](https://www.byteplus.com) | | **LongCat** | `longcat/` | `https://api.longcat.chat/openai` | OpenAI | [Obter Chave](https://longcat.chat/platform) | | **ModelScope (魔搭)**| `modelscope/` | `https://api-inference.modelscope.cn/v1` | OpenAI | [Obter Token](https://modelscope.cn/my/tokens) | +| **Azure OpenAI** | `azure/` | `https://{resource}.openai.azure.com` | Azure | [Obter Chave](https://portal.azure.com) | | **Antigravity** | `antigravity/` | Google Cloud | Custom | Apenas OAuth | | **GitHub Copilot** | `github-copilot/` | `localhost:4321` | gRPC | - | diff --git a/README.vi.md b/README.vi.md index 3ee0209f6..a542d6507 100644 --- a/README.vi.md +++ b/README.vi.md @@ -956,6 +956,7 @@ Thiết kế này cũng cho phép **hỗ trợ đa tác nhân** với lựa ch | **BytePlus** | `byteplus/` | `https://ark.ap-southeast.bytepluses.com/api/v3` | OpenAI | [Lấy Khóa](https://www.byteplus.com) | | **LongCat** | `longcat/` | `https://api.longcat.chat/openai` | OpenAI | [Lấy Key](https://longcat.chat/platform) | | **ModelScope (魔搭)**| `modelscope/` | `https://api-inference.modelscope.cn/v1` | OpenAI | [Lấy Token](https://modelscope.cn/my/tokens) | +| **Azure OpenAI** | `azure/` | `https://{resource}.openai.azure.com` | Azure | [Lấy Khóa](https://portal.azure.com) | | **Antigravity** | `antigravity/` | Google Cloud | Tùy chỉnh | Chỉ OAuth | | **GitHub Copilot** | `github-copilot/` | `localhost:4321` | gRPC | - | diff --git a/README.zh.md b/README.zh.md index 66d7c5f7c..9877ef9f4 100644 --- a/README.zh.md +++ b/README.zh.md @@ -528,6 +528,7 @@ Agent 读取 HEARTBEAT.md | **BytePlus** | `byteplus/` | `https://ark.ap-southeast.bytepluses.com/api/v3` | OpenAI | [获取密钥](https://www.byteplus.com) | | **LongCat** | `longcat/` | `https://api.longcat.chat/openai` | OpenAI | [获取密钥](https://longcat.chat/platform) | | **ModelScope (魔搭)**| `modelscope/` | `https://api-inference.modelscope.cn/v1` | OpenAI | [获取 Token](https://modelscope.cn/my/tokens) | +| **Azure OpenAI** | `azure/` | `https://{resource}.openai.azure.com` | Azure | [获取密钥](https://portal.azure.com) | | **Antigravity** | `antigravity/` | Google Cloud | 自定义 | 仅 OAuth | | **GitHub Copilot** | `github-copilot/` | `localhost:4321` | gRPC | - | diff --git a/config/config.example.json b/config/config.example.json index 094aa46df..1c11cd42a 100644 --- a/config/config.example.json +++ b/config/config.example.json @@ -53,6 +53,12 @@ "api_key": "your-modelscope-access-token", "api_base": "https://api-inference.modelscope.cn/v1" }, + { + "model_name": "azure-gpt5", + "model": "azure/my-gpt5-deployment", + "api_key": "your-azure-api-key", + "api_base": "https://your-resource.openai.azure.com" + }, { "model_name": "loadbalanced-gpt-5.4", "model": "openai/gpt-5.4", diff --git a/pkg/config/defaults.go b/pkg/config/defaults.go index 189af0a84..dc534d852 100644 --- a/pkg/config/defaults.go +++ b/pkg/config/defaults.go @@ -384,6 +384,15 @@ func DefaultConfig() *Config { APIBase: "http://localhost:8000/v1", APIKey: "", }, + + // Azure OpenAI - https://portal.azure.com + // model_name is a user-friendly alias; the model field's path after "azure/" is your deployment name + { + ModelName: "azure-gpt5", + Model: "azure/my-gpt5-deployment", + APIBase: "https://your-resource.openai.azure.com", + APIKey: "", + }, }, Gateway: GatewayConfig{ Host: "127.0.0.1", diff --git a/pkg/providers/azure/provider.go b/pkg/providers/azure/provider.go new file mode 100644 index 000000000..6e1d07e78 --- /dev/null +++ b/pkg/providers/azure/provider.go @@ -0,0 +1,150 @@ +package azure + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "net/http" + "net/url" + "strings" + "time" + + "github.com/sipeed/picoclaw/pkg/providers/common" + "github.com/sipeed/picoclaw/pkg/providers/protocoltypes" +) + +type ( + LLMResponse = protocoltypes.LLMResponse + Message = protocoltypes.Message + ToolDefinition = protocoltypes.ToolDefinition +) + +const ( + // azureAPIVersion is the Azure OpenAI API version used for all requests. + azureAPIVersion = "2024-10-21" + defaultRequestTimeout = common.DefaultRequestTimeout +) + +// Provider implements the LLM provider interface for Azure OpenAI endpoints. +// It handles Azure-specific authentication (api-key header), URL construction +// (deployment-based), and request body formatting (max_completion_tokens, no model field). +type Provider struct { + apiKey string + apiBase string + httpClient *http.Client +} + +// Option configures the Azure Provider. +type Option func(*Provider) + +// WithRequestTimeout sets the HTTP request timeout. +func WithRequestTimeout(timeout time.Duration) Option { + return func(p *Provider) { + if timeout > 0 { + p.httpClient.Timeout = timeout + } + } +} + +// NewProvider creates a new Azure OpenAI provider. +func NewProvider(apiKey, apiBase, proxy string, opts ...Option) *Provider { + p := &Provider{ + apiKey: apiKey, + apiBase: strings.TrimRight(apiBase, "/"), + httpClient: common.NewHTTPClient(proxy), + } + + for _, opt := range opts { + if opt != nil { + opt(p) + } + } + + return p +} + +// NewProviderWithTimeout creates a new Azure OpenAI provider with a custom request timeout in seconds. +func NewProviderWithTimeout(apiKey, apiBase, proxy string, requestTimeoutSeconds int) *Provider { + return NewProvider( + apiKey, apiBase, proxy, + WithRequestTimeout(time.Duration(requestTimeoutSeconds)*time.Second), + ) +} + +// Chat sends a chat completion request to the Azure OpenAI endpoint. +// The model parameter is used as the Azure deployment name in the URL. +func (p *Provider) Chat( + ctx context.Context, + messages []Message, + tools []ToolDefinition, + model string, + options map[string]any, +) (*LLMResponse, error) { + if p.apiBase == "" { + return nil, fmt.Errorf("Azure API base not configured") + } + + // model is the deployment name for Azure OpenAI + deployment := model + + // Build Azure-specific URL safely using url.JoinPath and query encoding + // to prevent path traversal or query injection via deployment names. + base, err := url.JoinPath(p.apiBase, "openai/deployments", deployment, "chat/completions") + if err != nil { + return nil, fmt.Errorf("failed to build Azure request URL: %w", err) + } + requestURL := base + "?api-version=" + azureAPIVersion + + // Build request body — no "model" field (Azure infers from deployment URL) + requestBody := map[string]any{ + "messages": common.SerializeMessages(messages), + } + + if len(tools) > 0 { + requestBody["tools"] = tools + requestBody["tool_choice"] = "auto" + } + + // Azure OpenAI always uses max_completion_tokens + if maxTokens, ok := common.AsInt(options["max_tokens"]); ok { + requestBody["max_completion_tokens"] = maxTokens + } + + if temperature, ok := common.AsFloat(options["temperature"]); ok { + requestBody["temperature"] = temperature + } + + jsonData, err := json.Marshal(requestBody) + if err != nil { + return nil, fmt.Errorf("failed to marshal request: %w", err) + } + + req, err := http.NewRequestWithContext(ctx, "POST", requestURL, bytes.NewReader(jsonData)) + if err != nil { + return nil, fmt.Errorf("failed to create request: %w", err) + } + + // Azure uses api-key header instead of Authorization: Bearer + req.Header.Set("Content-Type", "application/json") + if p.apiKey != "" { + req.Header.Set("api-key", p.apiKey) + } + + resp, err := p.httpClient.Do(req) + if err != nil { + return nil, fmt.Errorf("failed to send request: %w", err) + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + return nil, common.HandleErrorResponse(resp, p.apiBase) + } + + return common.ReadAndParseResponse(resp, p.apiBase) +} + +// GetDefaultModel returns an empty string as Azure deployments are user-configured. +func (p *Provider) GetDefaultModel() string { + return "" +} diff --git a/pkg/providers/azure/provider_test.go b/pkg/providers/azure/provider_test.go new file mode 100644 index 000000000..8f44edff5 --- /dev/null +++ b/pkg/providers/azure/provider_test.go @@ -0,0 +1,232 @@ +package azure + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "testing" + "time" +) + +// writeValidResponse writes a minimal valid Azure OpenAI chat completion response. +func writeValidResponse(w http.ResponseWriter) { + resp := map[string]any{ + "choices": []map[string]any{ + { + "message": map[string]any{"content": "ok"}, + "finish_reason": "stop", + }, + }, + } + w.Header().Set("Content-Type", "application/json") + json.NewEncoder(w).Encode(resp) +} + +func TestProviderChat_AzureURLConstruction(t *testing.T) { + var capturedPath string + var capturedAPIVersion string + + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + capturedPath = r.URL.Path + capturedAPIVersion = r.URL.Query().Get("api-version") + writeValidResponse(w) + })) + defer server.Close() + + p := NewProvider("test-key", server.URL, "") + _, err := p.Chat(t.Context(), []Message{{Role: "user", Content: "hi"}}, nil, "my-gpt5-deployment", nil) + if err != nil { + t.Fatalf("Chat() error = %v", err) + } + + wantPath := "/openai/deployments/my-gpt5-deployment/chat/completions" + if capturedPath != wantPath { + t.Errorf("URL path = %q, want %q", capturedPath, wantPath) + } + if capturedAPIVersion != azureAPIVersion { + t.Errorf("api-version = %q, want %q", capturedAPIVersion, azureAPIVersion) + } +} + +func TestProviderChat_AzureAuthHeader(t *testing.T) { + var capturedAPIKey string + var capturedAuth string + + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + capturedAPIKey = r.Header.Get("api-key") + capturedAuth = r.Header.Get("Authorization") + writeValidResponse(w) + })) + defer server.Close() + + p := NewProvider("test-azure-key", server.URL, "") + _, err := p.Chat(t.Context(), []Message{{Role: "user", Content: "hi"}}, nil, "deployment", nil) + if err != nil { + t.Fatalf("Chat() error = %v", err) + } + + if capturedAPIKey != "test-azure-key" { + t.Errorf("api-key header = %q, want %q", capturedAPIKey, "test-azure-key") + } + if capturedAuth != "" { + t.Errorf("Authorization header should be empty, got %q", capturedAuth) + } +} + +func TestProviderChat_AzureOmitsModelFromBody(t *testing.T) { + var requestBody map[string]any + + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + json.NewDecoder(r.Body).Decode(&requestBody) + writeValidResponse(w) + })) + defer server.Close() + + p := NewProvider("test-key", server.URL, "") + _, err := p.Chat(t.Context(), []Message{{Role: "user", Content: "hi"}}, nil, "deployment", nil) + if err != nil { + t.Fatalf("Chat() error = %v", err) + } + + if _, exists := requestBody["model"]; exists { + t.Error("request body should not contain 'model' field for Azure OpenAI") + } +} + +func TestProviderChat_AzureUsesMaxCompletionTokens(t *testing.T) { + var requestBody map[string]any + + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + json.NewDecoder(r.Body).Decode(&requestBody) + writeValidResponse(w) + })) + defer server.Close() + + p := NewProvider("test-key", server.URL, "") + _, err := p.Chat( + t.Context(), + []Message{{Role: "user", Content: "hi"}}, + nil, + "deployment", + map[string]any{"max_tokens": 2048}, + ) + if err != nil { + t.Fatalf("Chat() error = %v", err) + } + + if _, exists := requestBody["max_completion_tokens"]; !exists { + t.Error("request body should contain 'max_completion_tokens'") + } + if _, exists := requestBody["max_tokens"]; exists { + t.Error("request body should not contain 'max_tokens'") + } +} + +func TestProviderChat_AzureHTTPError(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + http.Error(w, `{"error":"unauthorized"}`, http.StatusUnauthorized) + })) + defer server.Close() + + p := NewProvider("bad-key", server.URL, "") + _, err := p.Chat(t.Context(), []Message{{Role: "user", Content: "hi"}}, nil, "deployment", nil) + if err == nil { + t.Fatal("expected error, got nil") + } +} + +func TestProviderChat_AzureParseToolCalls(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + resp := map[string]any{ + "choices": []map[string]any{ + { + "message": map[string]any{ + "content": "", + "tool_calls": []map[string]any{ + { + "id": "call_1", + "type": "function", + "function": map[string]any{ + "name": "get_weather", + "arguments": `{"city":"Seattle"}`, + }, + }, + }, + }, + "finish_reason": "tool_calls", + }, + }, + } + w.Header().Set("Content-Type", "application/json") + json.NewEncoder(w).Encode(resp) + })) + defer server.Close() + + p := NewProvider("test-key", server.URL, "") + out, err := p.Chat(t.Context(), []Message{{Role: "user", Content: "weather?"}}, nil, "deployment", nil) + if err != nil { + t.Fatalf("Chat() error = %v", err) + } + + if len(out.ToolCalls) != 1 { + t.Fatalf("len(ToolCalls) = %d, want 1", len(out.ToolCalls)) + } + if out.ToolCalls[0].Name != "get_weather" { + t.Errorf("ToolCalls[0].Name = %q, want %q", out.ToolCalls[0].Name, "get_weather") + } +} + +func TestProvider_AzureEmptyAPIBase(t *testing.T) { + p := NewProvider("test-key", "", "") + _, err := p.Chat(t.Context(), []Message{{Role: "user", Content: "hi"}}, nil, "deployment", nil) + if err == nil { + t.Fatal("expected error for empty API base") + } +} + +func TestProvider_AzureRequestTimeoutDefault(t *testing.T) { + p := NewProvider("test-key", "https://example.com", "") + if p.httpClient.Timeout != defaultRequestTimeout { + t.Errorf("timeout = %v, want %v", p.httpClient.Timeout, defaultRequestTimeout) + } +} + +func TestProvider_AzureRequestTimeoutOverride(t *testing.T) { + p := NewProvider("test-key", "https://example.com", "", WithRequestTimeout(300*time.Second)) + if p.httpClient.Timeout != 300*time.Second { + t.Errorf("timeout = %v, want %v", p.httpClient.Timeout, 300*time.Second) + } +} + +func TestProvider_AzureNewProviderWithTimeout(t *testing.T) { + p := NewProviderWithTimeout("test-key", "https://example.com", "", 180) + if p.httpClient.Timeout != 180*time.Second { + t.Errorf("timeout = %v, want %v", p.httpClient.Timeout, 180*time.Second) + } +} + +func TestProviderChat_AzureDeploymentNameEscaped(t *testing.T) { + var capturedPath string + + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + capturedPath = r.URL.RawPath // use RawPath to see percent-encoding + if capturedPath == "" { + capturedPath = r.URL.Path + } + writeValidResponse(w) + })) + defer server.Close() + + p := NewProvider("test-key", server.URL, "") + + // Deployment name with characters that could cause path injection + _, err := p.Chat(t.Context(), []Message{{Role: "user", Content: "hi"}}, nil, "my deploy/../../admin", nil) + if err != nil { + t.Fatalf("Chat() error = %v", err) + } + + // The slash and special chars in the deployment name must be escaped, not treated as path separators + if capturedPath == "/openai/deployments/my deploy/../../admin/chat/completions" { + t.Fatal("deployment name was interpolated without escaping — path injection possible") + } +} diff --git a/pkg/providers/common/common.go b/pkg/providers/common/common.go new file mode 100644 index 000000000..23680a1bf --- /dev/null +++ b/pkg/providers/common/common.go @@ -0,0 +1,380 @@ +// PicoClaw - Ultra-lightweight personal AI agent +// License: MIT +// +// Copyright (c) 2026 PicoClaw contributors + +// Package common provides shared utilities used by multiple LLM provider +// implementations (openai_compat, azure, etc.). +package common + +import ( + "bufio" + "bytes" + "encoding/json" + "fmt" + "io" + "log" + "net/http" + "net/url" + "strings" + "time" + + "github.com/sipeed/picoclaw/pkg/providers/protocoltypes" +) + +// Re-export protocol types used across providers. +type ( + ToolCall = protocoltypes.ToolCall + FunctionCall = protocoltypes.FunctionCall + LLMResponse = protocoltypes.LLMResponse + UsageInfo = protocoltypes.UsageInfo + Message = protocoltypes.Message + ToolDefinition = protocoltypes.ToolDefinition + ToolFunctionDefinition = protocoltypes.ToolFunctionDefinition + ExtraContent = protocoltypes.ExtraContent + GoogleExtra = protocoltypes.GoogleExtra + ReasoningDetail = protocoltypes.ReasoningDetail +) + +const DefaultRequestTimeout = 120 * time.Second + +// NewHTTPClient creates an *http.Client with an optional proxy and the default timeout. +func NewHTTPClient(proxy string) *http.Client { + client := &http.Client{ + Timeout: DefaultRequestTimeout, + } + if proxy != "" { + parsed, err := url.Parse(proxy) + if err == nil { + // Preserve http.DefaultTransport settings (TLS, HTTP/2, timeouts, etc.) + if base, ok := http.DefaultTransport.(*http.Transport); ok { + tr := base.Clone() + tr.Proxy = http.ProxyURL(parsed) + client.Transport = tr + } else { + // Fallback: minimal transport if DefaultTransport is not *http.Transport. + client.Transport = &http.Transport{ + Proxy: http.ProxyURL(parsed), + } + } + } else { + log.Printf("common: invalid proxy URL %q: %v", proxy, err) + } + } + return client +} + +// --- Message serialization --- + +// openaiMessage is the wire-format message for OpenAI-compatible APIs. +// It mirrors protocoltypes.Message but omits SystemParts, which is an +// internal field that would be unknown to third-party endpoints. +type openaiMessage struct { + Role string `json:"role"` + Content string `json:"content"` + ReasoningContent string `json:"reasoning_content,omitempty"` + ToolCalls []ToolCall `json:"tool_calls,omitempty"` + ToolCallID string `json:"tool_call_id,omitempty"` +} + +// SerializeMessages converts internal Message structs to the OpenAI wire format. +// - Strips SystemParts (unknown to third-party endpoints) +// - Converts messages with Media to multipart content format (text + image_url parts) +// - Preserves ToolCallID, ToolCalls, and ReasoningContent for all messages +func SerializeMessages(messages []Message) []any { + out := make([]any, 0, len(messages)) + for _, m := range messages { + if len(m.Media) == 0 { + out = append(out, openaiMessage{ + Role: m.Role, + Content: m.Content, + ReasoningContent: m.ReasoningContent, + ToolCalls: m.ToolCalls, + ToolCallID: m.ToolCallID, + }) + continue + } + + // Multipart content format for messages with media + parts := make([]map[string]any, 0, 1+len(m.Media)) + if m.Content != "" { + parts = append(parts, map[string]any{ + "type": "text", + "text": m.Content, + }) + } + for _, mediaURL := range m.Media { + if strings.HasPrefix(mediaURL, "data:image/") { + parts = append(parts, map[string]any{ + "type": "image_url", + "image_url": map[string]any{ + "url": mediaURL, + }, + }) + } + } + + msg := map[string]any{ + "role": m.Role, + "content": parts, + } + if m.ToolCallID != "" { + msg["tool_call_id"] = m.ToolCallID + } + if len(m.ToolCalls) > 0 { + msg["tool_calls"] = m.ToolCalls + } + if m.ReasoningContent != "" { + msg["reasoning_content"] = m.ReasoningContent + } + out = append(out, msg) + } + return out +} + +// --- Response parsing --- + +// ParseResponse parses a JSON chat completion response body into an LLMResponse. +func ParseResponse(body io.Reader) (*LLMResponse, error) { + var apiResponse struct { + Choices []struct { + Message struct { + Content string `json:"content"` + ReasoningContent string `json:"reasoning_content"` + Reasoning string `json:"reasoning"` + ReasoningDetails []ReasoningDetail `json:"reasoning_details"` + ToolCalls []struct { + ID string `json:"id"` + Type string `json:"type"` + Function *struct { + Name string `json:"name"` + Arguments json.RawMessage `json:"arguments"` + } `json:"function"` + ExtraContent *struct { + Google *struct { + ThoughtSignature string `json:"thought_signature"` + } `json:"google"` + } `json:"extra_content"` + } `json:"tool_calls"` + } `json:"message"` + FinishReason string `json:"finish_reason"` + } `json:"choices"` + Usage *UsageInfo `json:"usage"` + } + + if err := json.NewDecoder(body).Decode(&apiResponse); err != nil { + return nil, fmt.Errorf("failed to decode response: %w", err) + } + + if len(apiResponse.Choices) == 0 { + return &LLMResponse{ + Content: "", + FinishReason: "stop", + }, nil + } + + choice := apiResponse.Choices[0] + toolCalls := make([]ToolCall, 0, len(choice.Message.ToolCalls)) + for _, tc := range choice.Message.ToolCalls { + arguments := make(map[string]any) + name := "" + + // Extract thought_signature from Gemini/Google-specific extra content + thoughtSignature := "" + if tc.ExtraContent != nil && tc.ExtraContent.Google != nil { + thoughtSignature = tc.ExtraContent.Google.ThoughtSignature + } + + if tc.Function != nil { + name = tc.Function.Name + arguments = DecodeToolCallArguments(tc.Function.Arguments, name) + } + + toolCall := ToolCall{ + ID: tc.ID, + Name: name, + Arguments: arguments, + ThoughtSignature: thoughtSignature, + } + + if thoughtSignature != "" { + toolCall.ExtraContent = &ExtraContent{ + Google: &GoogleExtra{ + ThoughtSignature: thoughtSignature, + }, + } + } + + toolCalls = append(toolCalls, toolCall) + } + + return &LLMResponse{ + Content: choice.Message.Content, + ReasoningContent: choice.Message.ReasoningContent, + Reasoning: choice.Message.Reasoning, + ReasoningDetails: choice.Message.ReasoningDetails, + ToolCalls: toolCalls, + FinishReason: choice.FinishReason, + Usage: apiResponse.Usage, + }, nil +} + +// DecodeToolCallArguments decodes a tool call's arguments from raw JSON. +func DecodeToolCallArguments(raw json.RawMessage, name string) map[string]any { + arguments := make(map[string]any) + raw = bytes.TrimSpace(raw) + if len(raw) == 0 || bytes.Equal(raw, []byte("null")) { + return arguments + } + + var decoded any + if err := json.Unmarshal(raw, &decoded); err != nil { + log.Printf("common: failed to decode tool call arguments payload for %q: %v", name, err) + arguments["raw"] = string(raw) + return arguments + } + + switch v := decoded.(type) { + case string: + if strings.TrimSpace(v) == "" { + return arguments + } + if err := json.Unmarshal([]byte(v), &arguments); err != nil { + log.Printf("common: failed to decode tool call arguments for %q: %v", name, err) + arguments["raw"] = v + } + return arguments + case map[string]any: + return v + default: + log.Printf("common: unsupported tool call arguments type for %q: %T", name, decoded) + arguments["raw"] = string(raw) + return arguments + } +} + +// --- HTTP response helpers --- + +// HandleErrorResponse reads a non-200 response body and returns an appropriate error. +func HandleErrorResponse(resp *http.Response, apiBase string) error { + contentType := resp.Header.Get("Content-Type") + body, readErr := io.ReadAll(io.LimitReader(resp.Body, 256)) + if readErr != nil { + return fmt.Errorf("failed to read response: %w", readErr) + } + if LooksLikeHTML(body, contentType) { + return WrapHTMLResponseError(resp.StatusCode, body, contentType, apiBase) + } + return fmt.Errorf( + "API request failed:\n Status: %d\n Body: %s", + resp.StatusCode, + ResponsePreview(body, 128), + ) +} + +// ReadAndParseResponse peeks at the response body to detect HTML errors, +// then parses the JSON response into an LLMResponse. +func ReadAndParseResponse(resp *http.Response, apiBase string) (*LLMResponse, error) { + contentType := resp.Header.Get("Content-Type") + reader := bufio.NewReader(resp.Body) + prefix, err := reader.Peek(256) + if err != nil && err != io.EOF && err != bufio.ErrBufferFull { + return nil, fmt.Errorf("failed to inspect response: %w", err) + } + if LooksLikeHTML(prefix, contentType) { + return nil, WrapHTMLResponseError(resp.StatusCode, prefix, contentType, apiBase) + } + out, err := ParseResponse(reader) + if err != nil { + return nil, fmt.Errorf("failed to parse JSON response: %w", err) + } + return out, nil +} + +// LooksLikeHTML checks if the response body appears to be HTML. +func LooksLikeHTML(body []byte, contentType string) bool { + contentType = strings.ToLower(strings.TrimSpace(contentType)) + if strings.Contains(contentType, "text/html") || strings.Contains(contentType, "application/xhtml+xml") { + return true + } + prefix := bytes.ToLower(leadingTrimmedPrefix(body, 128)) + return bytes.HasPrefix(prefix, []byte("" + } + if len(trimmed) <= maxLen { + return string(trimmed) + } + return string(trimmed[:maxLen]) + "..." +} + +func leadingTrimmedPrefix(body []byte, maxLen int) []byte { + i := 0 + for i < len(body) { + switch body[i] { + case ' ', '\t', '\n', '\r', '\f', '\v': + i++ + default: + end := i + maxLen + if end > len(body) { + end = len(body) + } + return body[i:end] + } + } + return nil +} + +// --- Numeric helpers --- + +// AsInt converts various numeric types to int. +func AsInt(v any) (int, bool) { + switch val := v.(type) { + case int: + return val, true + case int64: + return int(val), true + case float64: + return int(val), true + case float32: + return int(val), true + default: + return 0, false + } +} + +// AsFloat converts various numeric types to float64. +func AsFloat(v any) (float64, bool) { + switch val := v.(type) { + case float64: + return val, true + case float32: + return float64(val), true + case int: + return float64(val), true + case int64: + return float64(val), true + default: + return 0, false + } +} diff --git a/pkg/providers/common/common_test.go b/pkg/providers/common/common_test.go new file mode 100644 index 000000000..bb7e7434d --- /dev/null +++ b/pkg/providers/common/common_test.go @@ -0,0 +1,558 @@ +package common + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "net/url" + "strings" + "testing" + + "github.com/sipeed/picoclaw/pkg/providers/protocoltypes" +) + +// --- NewHTTPClient tests --- + +func TestNewHTTPClient_DefaultTimeout(t *testing.T) { + client := NewHTTPClient("") + if client.Timeout != DefaultRequestTimeout { + t.Errorf("timeout = %v, want %v", client.Timeout, DefaultRequestTimeout) + } +} + +func TestNewHTTPClient_WithProxy(t *testing.T) { + client := NewHTTPClient("http://127.0.0.1:8080") + transport, ok := client.Transport.(*http.Transport) + if !ok || transport == nil { + t.Fatalf("expected http.Transport with proxy, got %T", client.Transport) + } + req := &http.Request{URL: &url.URL{Scheme: "https", Host: "api.example.com"}} + gotProxy, err := transport.Proxy(req) + if err != nil { + t.Fatalf("proxy function error: %v", err) + } + if gotProxy == nil || gotProxy.String() != "http://127.0.0.1:8080" { + t.Errorf("proxy = %v, want http://127.0.0.1:8080", gotProxy) + } +} + +func TestNewHTTPClient_NoProxy(t *testing.T) { + client := NewHTTPClient("") + if client.Transport != nil { + t.Errorf("expected nil transport without proxy, got %T", client.Transport) + } +} + +func TestNewHTTPClient_InvalidProxy(t *testing.T) { + // Should not panic, just log and return client without proxy + client := NewHTTPClient("://bad-url") + if client == nil { + t.Fatal("expected non-nil client even with invalid proxy") + } +} + +// --- SerializeMessages tests --- + +func TestSerializeMessages_PlainText(t *testing.T) { + messages := []Message{ + {Role: "user", Content: "hello"}, + {Role: "assistant", Content: "hi", ReasoningContent: "thinking..."}, + } + result := SerializeMessages(messages) + + data, _ := json.Marshal(result) + var msgs []map[string]any + json.Unmarshal(data, &msgs) + + if msgs[0]["content"] != "hello" { + t.Errorf("expected plain string content, got %v", msgs[0]["content"]) + } + if msgs[1]["reasoning_content"] != "thinking..." { + t.Errorf("reasoning_content not preserved, got %v", msgs[1]["reasoning_content"]) + } +} + +func TestSerializeMessages_WithMedia(t *testing.T) { + messages := []Message{ + {Role: "user", Content: "describe this", Media: []string{"data:image/png;base64,abc123"}}, + } + result := SerializeMessages(messages) + + data, _ := json.Marshal(result) + var msgs []map[string]any + json.Unmarshal(data, &msgs) + + content, ok := msgs[0]["content"].([]any) + if !ok { + t.Fatalf("expected array content for media message, got %T", msgs[0]["content"]) + } + if len(content) != 2 { + t.Fatalf("expected 2 content parts, got %d", len(content)) + } +} + +func TestSerializeMessages_MediaWithToolCallID(t *testing.T) { + messages := []Message{ + {Role: "tool", Content: "result", Media: []string{"data:image/png;base64,xyz"}, ToolCallID: "call_1"}, + } + result := SerializeMessages(messages) + + data, _ := json.Marshal(result) + var msgs []map[string]any + json.Unmarshal(data, &msgs) + + if msgs[0]["tool_call_id"] != "call_1" { + t.Errorf("tool_call_id not preserved, got %v", msgs[0]["tool_call_id"]) + } +} + +func TestSerializeMessages_StripsSystemParts(t *testing.T) { + messages := []Message{ + { + Role: "system", + Content: "you are helpful", + SystemParts: []protocoltypes.ContentBlock{ + {Type: "text", Text: "you are helpful"}, + }, + }, + } + result := SerializeMessages(messages) + + data, _ := json.Marshal(result) + if strings.Contains(string(data), "system_parts") { + t.Error("system_parts should not appear in serialized output") + } +} + +// --- ParseResponse tests --- + +func TestParseResponse_BasicContent(t *testing.T) { + body := `{"choices":[{"message":{"content":"hello world"},"finish_reason":"stop"}]}` + out, err := ParseResponse(strings.NewReader(body)) + if err != nil { + t.Fatalf("ParseResponse() error = %v", err) + } + if out.Content != "hello world" { + t.Errorf("Content = %q, want %q", out.Content, "hello world") + } + if out.FinishReason != "stop" { + t.Errorf("FinishReason = %q, want %q", out.FinishReason, "stop") + } +} + +func TestParseResponse_EmptyChoices(t *testing.T) { + body := `{"choices":[]}` + out, err := ParseResponse(strings.NewReader(body)) + if err != nil { + t.Fatalf("ParseResponse() error = %v", err) + } + if out.Content != "" { + t.Errorf("Content = %q, want empty", out.Content) + } + if out.FinishReason != "stop" { + t.Errorf("FinishReason = %q, want %q", out.FinishReason, "stop") + } +} + +func TestParseResponse_WithToolCalls(t *testing.T) { + body := `{"choices":[{"message":{"content":"","tool_calls":[{"id":"call_1","type":"function","function":{"name":"get_weather","arguments":"{\"city\":\"SF\"}"}}]},"finish_reason":"tool_calls"}]}` + out, err := ParseResponse(strings.NewReader(body)) + if err != nil { + t.Fatalf("ParseResponse() error = %v", err) + } + if len(out.ToolCalls) != 1 { + t.Fatalf("len(ToolCalls) = %d, want 1", len(out.ToolCalls)) + } + if out.ToolCalls[0].Name != "get_weather" { + t.Errorf("ToolCalls[0].Name = %q, want %q", out.ToolCalls[0].Name, "get_weather") + } + if out.ToolCalls[0].Arguments["city"] != "SF" { + t.Errorf("ToolCalls[0].Arguments[city] = %v, want SF", out.ToolCalls[0].Arguments["city"]) + } +} + +func TestParseResponse_WithUsage(t *testing.T) { + body := `{"choices":[{"message":{"content":"ok"},"finish_reason":"stop"}],"usage":{"prompt_tokens":10,"completion_tokens":5,"total_tokens":15}}` + out, err := ParseResponse(strings.NewReader(body)) + if err != nil { + t.Fatalf("ParseResponse() error = %v", err) + } + if out.Usage == nil { + t.Fatal("Usage is nil") + } + if out.Usage.PromptTokens != 10 { + t.Errorf("PromptTokens = %d, want 10", out.Usage.PromptTokens) + } +} + +func TestParseResponse_WithReasoningContent(t *testing.T) { + body := `{"choices":[{"message":{"content":"2","reasoning_content":"Let me think... 1+1=2"},"finish_reason":"stop"}]}` + out, err := ParseResponse(strings.NewReader(body)) + if err != nil { + t.Fatalf("ParseResponse() error = %v", err) + } + if out.ReasoningContent != "Let me think... 1+1=2" { + t.Errorf("ReasoningContent = %q, want %q", out.ReasoningContent, "Let me think... 1+1=2") + } +} + +func TestParseResponse_InvalidJSON(t *testing.T) { + _, err := ParseResponse(strings.NewReader("not json")) + if err == nil { + t.Fatal("expected error for invalid JSON") + } +} + +// --- DecodeToolCallArguments tests --- + +func TestDecodeToolCallArguments_ObjectJSON(t *testing.T) { + raw := json.RawMessage(`{"city":"Seattle","units":"metric"}`) + args := DecodeToolCallArguments(raw, "test") + if args["city"] != "Seattle" { + t.Errorf("city = %v, want Seattle", args["city"]) + } + if args["units"] != "metric" { + t.Errorf("units = %v, want metric", args["units"]) + } +} + +func TestDecodeToolCallArguments_StringJSON(t *testing.T) { + raw := json.RawMessage(`"{\"city\":\"SF\"}"`) + args := DecodeToolCallArguments(raw, "test") + if args["city"] != "SF" { + t.Errorf("city = %v, want SF", args["city"]) + } +} + +func TestDecodeToolCallArguments_EmptyInput(t *testing.T) { + args := DecodeToolCallArguments(nil, "test") + if len(args) != 0 { + t.Errorf("expected empty map, got %v", args) + } +} + +func TestDecodeToolCallArguments_NullInput(t *testing.T) { + args := DecodeToolCallArguments(json.RawMessage(`null`), "test") + if len(args) != 0 { + t.Errorf("expected empty map, got %v", args) + } +} + +func TestDecodeToolCallArguments_InvalidJSON(t *testing.T) { + args := DecodeToolCallArguments(json.RawMessage(`not-json`), "test") + if _, ok := args["raw"]; !ok { + t.Error("expected 'raw' fallback key for invalid JSON") + } +} + +func TestDecodeToolCallArguments_EmptyStringJSON(t *testing.T) { + args := DecodeToolCallArguments(json.RawMessage(`" "`), "test") + if len(args) != 0 { + t.Errorf("expected empty map for whitespace string, got %v", args) + } +} + +// --- HandleErrorResponse tests --- + +func TestHandleErrorResponse_JSONError(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusBadRequest) + w.Write([]byte(`{"error":"bad request"}`)) + })) + defer server.Close() + + resp, err := http.Get(server.URL) + if err != nil { + t.Fatalf("http.Get() error = %v", err) + } + defer resp.Body.Close() + err = HandleErrorResponse(resp, server.URL) + if err == nil { + t.Fatal("expected error") + } + if !strings.Contains(err.Error(), "400") { + t.Errorf("error should contain status code, got %v", err) + } + if strings.Contains(err.Error(), "HTML") { + t.Errorf("should not mention HTML for JSON error, got %v", err) + } +} + +func TestHandleErrorResponse_HTMLError(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "text/html") + w.WriteHeader(http.StatusBadGateway) + w.Write([]byte("bad gateway")) + })) + defer server.Close() + + resp, err := http.Get(server.URL) + if err != nil { + t.Fatalf("http.Get() error = %v", err) + } + defer resp.Body.Close() + err = HandleErrorResponse(resp, server.URL) + if err == nil { + t.Fatal("expected error") + } + if !strings.Contains(err.Error(), "HTML instead of JSON") { + t.Errorf("expected HTML error message, got %v", err) + } +} + +// --- ReadAndParseResponse tests --- + +func TestReadAndParseResponse_ValidJSON(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + w.Write([]byte(`{"choices":[{"message":{"content":"ok"},"finish_reason":"stop"}]}`)) + })) + defer server.Close() + + resp, err := http.Get(server.URL) + if err != nil { + t.Fatalf("http.Get() error = %v", err) + } + defer resp.Body.Close() + out, err := ReadAndParseResponse(resp, server.URL) + if err != nil { + t.Fatalf("ReadAndParseResponse() error = %v", err) + } + if out.Content != "ok" { + t.Errorf("Content = %q, want %q", out.Content, "ok") + } +} + +func TestReadAndParseResponse_HTMLResponse(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "text/html") + w.Write([]byte("login page")) + })) + defer server.Close() + + resp, err := http.Get(server.URL) + if err != nil { + t.Fatalf("http.Get() error = %v", err) + } + defer resp.Body.Close() + _, err = ReadAndParseResponse(resp, server.URL) + if err == nil { + t.Fatal("expected error for HTML response") + } + if !strings.Contains(err.Error(), "HTML instead of JSON") { + t.Errorf("expected HTML error, got %v", err) + } +} + +// --- LooksLikeHTML tests --- + +func TestLooksLikeHTML_ContentTypeHTML(t *testing.T) { + if !LooksLikeHTML(nil, "text/html; charset=utf-8") { + t.Error("expected true for text/html content type") + } +} + +func TestLooksLikeHTML_ContentTypeXHTML(t *testing.T) { + if !LooksLikeHTML(nil, "application/xhtml+xml") { + t.Error("expected true for xhtml content type") + } +} + +func TestLooksLikeHTML_BodyPrefix(t *testing.T) { + tests := []struct { + name string + body string + }{ + {"doctype", ""}, + {"html tag", ""}, + {"head tag", ""}, + {"body tag", "<body>content"}, + {"whitespace before", " \n\t<!DOCTYPE html>"}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if !LooksLikeHTML([]byte(tt.body), "application/json") { + t.Errorf("expected true for body %q", tt.body) + } + }) + } +} + +func TestLooksLikeHTML_NotHTML(t *testing.T) { + if LooksLikeHTML([]byte(`{"error":"bad"}`), "application/json") { + t.Error("expected false for JSON body") + } +} + +// --- ResponsePreview tests --- + +func TestResponsePreview_Short(t *testing.T) { + got := ResponsePreview([]byte("hello"), 128) + if got != "hello" { + t.Errorf("got %q, want %q", got, "hello") + } +} + +func TestResponsePreview_Truncated(t *testing.T) { + body := strings.Repeat("a", 200) + got := ResponsePreview([]byte(body), 128) + if len(got) != 131 { // 128 + "..." + t.Errorf("len = %d, want 131", len(got)) + } + if !strings.HasSuffix(got, "...") { + t.Error("expected ... suffix") + } +} + +func TestResponsePreview_Empty(t *testing.T) { + got := ResponsePreview([]byte(""), 128) + if got != "<empty>" { + t.Errorf("got %q, want %q", got, "<empty>") + } +} + +func TestResponsePreview_Whitespace(t *testing.T) { + got := ResponsePreview([]byte(" \n\t "), 128) + if got != "<empty>" { + t.Errorf("got %q, want %q for whitespace-only body", got, "<empty>") + } +} + +// --- AsInt tests --- + +func TestAsInt(t *testing.T) { + tests := []struct { + name string + val any + want int + ok bool + }{ + {"int", 42, 42, true}, + {"int64", int64(99), 99, true}, + {"float64", float64(512), 512, true}, + {"float32", float32(256), 256, true}, + {"string", "nope", 0, false}, + {"nil", nil, 0, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, ok := AsInt(tt.val) + if ok != tt.ok || got != tt.want { + t.Errorf("AsInt(%v) = (%d, %v), want (%d, %v)", tt.val, got, ok, tt.want, tt.ok) + } + }) + } +} + +// --- AsFloat tests --- + +func TestAsFloat(t *testing.T) { + tests := []struct { + name string + val any + want float64 + ok bool + }{ + {"float64", float64(0.7), 0.7, true}, + {"float32", float32(0.5), float64(float32(0.5)), true}, + {"int", 1, 1.0, true}, + {"int64", int64(100), 100.0, true}, + {"string", "nope", 0, false}, + {"nil", nil, 0, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + got, ok := AsFloat(tt.val) + if ok != tt.ok || got != tt.want { + t.Errorf("AsFloat(%v) = (%f, %v), want (%f, %v)", tt.val, got, ok, tt.want, tt.ok) + } + }) + } +} + +// --- WrapHTMLResponseError tests --- + +func TestWrapHTMLResponseError(t *testing.T) { + err := WrapHTMLResponseError(502, []byte("<html>bad</html>"), "text/html", "https://api.example.com") + if err == nil { + t.Fatal("expected error") + } + msg := err.Error() + if !strings.Contains(msg, "502") { + t.Errorf("expected status code in error, got %v", msg) + } + if !strings.Contains(msg, "https://api.example.com") { + t.Errorf("expected api base in error, got %v", msg) + } + if !strings.Contains(msg, "HTML instead of JSON") { + t.Errorf("expected HTML mention in error, got %v", msg) + } +} + +// --- HandleErrorResponse with read failure --- + +func TestHandleErrorResponse_EmptyBody(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusInternalServerError) + // empty body + })) + defer server.Close() + + resp, err := http.Get(server.URL) + if err != nil { + t.Fatalf("http.Get() error = %v", err) + } + defer resp.Body.Close() + err = HandleErrorResponse(resp, server.URL) + if err == nil { + t.Fatal("expected error") + } + if !strings.Contains(err.Error(), "500") { + t.Errorf("expected status code, got %v", err) + } +} + +// --- ReadAndParseResponse with invalid JSON --- + +func TestReadAndParseResponse_InvalidJSON(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.Header().Set("Content-Type", "application/json") + w.Write([]byte("not valid json")) + })) + defer server.Close() + + resp, err := http.Get(server.URL) + if err != nil { + t.Fatalf("http.Get() error = %v", err) + } + defer resp.Body.Close() + _, err = ReadAndParseResponse(resp, server.URL) + if err == nil { + t.Fatal("expected error for invalid JSON") + } +} + +// --- ParseResponse with thought_signature (Google/Gemini) --- + +func TestParseResponse_WithThoughtSignature(t *testing.T) { + body := `{"choices":[{"message":{"content":"","tool_calls":[{"id":"call_1","type":"function","function":{"name":"test_tool","arguments":"{}"},"extra_content":{"google":{"thought_signature":"sig123"}}}]},"finish_reason":"tool_calls"}]}` + out, err := ParseResponse(strings.NewReader(body)) + if err != nil { + t.Fatalf("ParseResponse() error = %v", err) + } + if len(out.ToolCalls) != 1 { + t.Fatalf("len(ToolCalls) = %d, want 1", len(out.ToolCalls)) + } + if out.ToolCalls[0].ThoughtSignature != "sig123" { + t.Errorf("ThoughtSignature = %q, want %q", out.ToolCalls[0].ThoughtSignature, "sig123") + } + if out.ToolCalls[0].ExtraContent == nil || out.ToolCalls[0].ExtraContent.Google == nil { + t.Fatal("ExtraContent.Google is nil") + } + if out.ToolCalls[0].ExtraContent.Google.ThoughtSignature != "sig123" { + t.Errorf("ExtraContent.Google.ThoughtSignature = %q, want %q", + out.ToolCalls[0].ExtraContent.Google.ThoughtSignature, "sig123") + } +} diff --git a/pkg/providers/factory_provider.go b/pkg/providers/factory_provider.go index e99e07bc2..b7567f9fc 100644 --- a/pkg/providers/factory_provider.go +++ b/pkg/providers/factory_provider.go @@ -11,6 +11,7 @@ import ( "github.com/sipeed/picoclaw/pkg/config" anthropicmessages "github.com/sipeed/picoclaw/pkg/providers/anthropic_messages" + "github.com/sipeed/picoclaw/pkg/providers/azure" ) // createClaudeAuthProvider creates a Claude provider using OAuth credentials from auth store. @@ -94,6 +95,24 @@ func CreateProviderFromConfig(cfg *config.ModelConfig) (LLMProvider, string, err cfg.RequestTimeout, ), modelID, nil + case "azure", "azure-openai": + // Azure OpenAI uses deployment-based URLs, api-key header auth, + // and always sends max_completion_tokens. + if cfg.APIKey == "" { + return nil, "", fmt.Errorf("api_key is required for azure protocol") + } + if cfg.APIBase == "" { + return nil, "", fmt.Errorf( + "api_base is required for azure protocol (e.g., https://your-resource.openai.azure.com)", + ) + } + return azure.NewProviderWithTimeout( + cfg.APIKey, + cfg.APIBase, + cfg.Proxy, + cfg.RequestTimeout, + ), modelID, nil + case "litellm", "openrouter", "groq", "zhipu", "gemini", "nvidia", "ollama", "moonshot", "shengsuanyun", "deepseek", "cerebras", "vivgrid", "volcengine", "vllm", "qwen", "mistral", "avian", diff --git a/pkg/providers/factory_provider_test.go b/pkg/providers/factory_provider_test.go index 00676ebf9..b678a7eb6 100644 --- a/pkg/providers/factory_provider_test.go +++ b/pkg/providers/factory_provider_test.go @@ -64,6 +64,12 @@ func TestExtractProtocol(t *testing.T) { wantProtocol: "nvidia", wantModelID: "meta/llama-3.1-8b", }, + { + name: "azure with prefix", + model: "azure/my-gpt5-deployment", + wantProtocol: "azure", + wantModelID: "my-gpt5-deployment", + }, } for _, tt := range tests { @@ -371,3 +377,69 @@ func TestCreateProviderFromConfig_RequestTimeoutPropagation(t *testing.T) { t.Fatalf("Chat() error = %q, want timeout-related error", errMsg) } } + +func TestCreateProviderFromConfig_Azure(t *testing.T) { + cfg := &config.ModelConfig{ + ModelName: "azure-gpt5", + Model: "azure/my-gpt5-deployment", + APIKey: "test-azure-key", + APIBase: "https://my-resource.openai.azure.com", + } + + provider, modelID, err := CreateProviderFromConfig(cfg) + if err != nil { + t.Fatalf("CreateProviderFromConfig() error = %v", err) + } + if provider == nil { + t.Fatal("CreateProviderFromConfig() returned nil provider") + } + if modelID != "my-gpt5-deployment" { + t.Errorf("modelID = %q, want %q", modelID, "my-gpt5-deployment") + } +} + +func TestCreateProviderFromConfig_AzureOpenAIAlias(t *testing.T) { + cfg := &config.ModelConfig{ + ModelName: "azure-gpt4", + Model: "azure-openai/my-deployment", + APIKey: "test-azure-key", + APIBase: "https://my-resource.openai.azure.com", + } + + provider, modelID, err := CreateProviderFromConfig(cfg) + if err != nil { + t.Fatalf("CreateProviderFromConfig() error = %v", err) + } + if provider == nil { + t.Fatal("CreateProviderFromConfig() returned nil provider") + } + if modelID != "my-deployment" { + t.Errorf("modelID = %q, want %q", modelID, "my-deployment") + } +} + +func TestCreateProviderFromConfig_AzureMissingAPIKey(t *testing.T) { + cfg := &config.ModelConfig{ + ModelName: "azure-gpt5", + Model: "azure/my-gpt5-deployment", + APIBase: "https://my-resource.openai.azure.com", + } + + _, _, err := CreateProviderFromConfig(cfg) + if err == nil { + t.Fatal("CreateProviderFromConfig() expected error for missing API key") + } +} + +func TestCreateProviderFromConfig_AzureMissingAPIBase(t *testing.T) { + cfg := &config.ModelConfig{ + ModelName: "azure-gpt5", + Model: "azure/my-gpt5-deployment", + APIKey: "test-azure-key", + } + + _, _, err := CreateProviderFromConfig(cfg) + if err == nil { + t.Fatal("CreateProviderFromConfig() expected error for missing API base") + } +} diff --git a/pkg/providers/openai_compat/provider.go b/pkg/providers/openai_compat/provider.go index f97bf3acd..fb2abaa5c 100644 --- a/pkg/providers/openai_compat/provider.go +++ b/pkg/providers/openai_compat/provider.go @@ -1,18 +1,16 @@ package openai_compat import ( - "bufio" "bytes" "context" "encoding/json" "fmt" - "io" - "log" "net/http" "net/url" "strings" "time" + "github.com/sipeed/picoclaw/pkg/providers/common" "github.com/sipeed/picoclaw/pkg/providers/protocoltypes" ) @@ -38,7 +36,7 @@ type Provider struct { type Option func(*Provider) -const defaultRequestTimeout = 120 * time.Second +const defaultRequestTimeout = common.DefaultRequestTimeout func WithMaxTokensField(maxTokensField string) Option { return func(p *Provider) { @@ -55,25 +53,10 @@ func WithRequestTimeout(timeout time.Duration) Option { } func NewProvider(apiKey, apiBase, proxy string, opts ...Option) *Provider { - client := &http.Client{ - Timeout: defaultRequestTimeout, - } - - if proxy != "" { - parsed, err := url.Parse(proxy) - if err == nil { - client.Transport = &http.Transport{ - Proxy: http.ProxyURL(parsed), - } - } else { - log.Printf("openai_compat: invalid proxy URL %q: %v", proxy, err) - } - } - p := &Provider{ apiKey: apiKey, apiBase: strings.TrimRight(apiBase, "/"), - httpClient: client, + httpClient: common.NewHTTPClient(proxy), } for _, opt := range opts { @@ -117,7 +100,7 @@ func (p *Provider) Chat( requestBody := map[string]any{ "model": model, - "messages": serializeMessages(messages), + "messages": common.SerializeMessages(messages), } if len(tools) > 0 { @@ -125,7 +108,7 @@ func (p *Provider) Chat( requestBody["tool_choice"] = "auto" } - if maxTokens, ok := asInt(options["max_tokens"]); ok { + if maxTokens, ok := common.AsInt(options["max_tokens"]); ok { // Use configured maxTokensField if specified, otherwise fallback to model-based detection fieldName := p.maxTokensField if fieldName == "" { @@ -141,7 +124,7 @@ func (p *Provider) Chat( requestBody[fieldName] = maxTokens } - if temperature, ok := asFloat(options["temperature"]); ok { + if temperature, ok := common.AsFloat(options["temperature"]); ok { lowerModel := strings.ToLower(model) // Kimi k2 models only support temperature=1. if strings.Contains(lowerModel, "kimi") && strings.Contains(lowerModel, "k2") { @@ -185,275 +168,11 @@ func (p *Provider) Chat( } defer resp.Body.Close() - contentType := resp.Header.Get("Content-Type") - - // Non-200: read a prefix to tell HTML error page apart from JSON error body. if resp.StatusCode != http.StatusOK { - body, readErr := io.ReadAll(io.LimitReader(resp.Body, 256)) - if readErr != nil { - return nil, fmt.Errorf("failed to read response: %w", readErr) - } - if looksLikeHTML(body, contentType) { - return nil, wrapHTMLResponseError(resp.StatusCode, body, contentType, p.apiBase) - } - return nil, fmt.Errorf( - "API request failed:\n Status: %d\n Body: %s", - resp.StatusCode, - responsePreview(body, 128), - ) + return nil, common.HandleErrorResponse(resp, p.apiBase) } - // Peek without consuming so the full stream reaches the JSON decoder. - reader := bufio.NewReader(resp.Body) - prefix, err := reader.Peek(256) // io.EOF/ErrBufferFull are normal; only real errors abort - if err != nil && err != io.EOF && err != bufio.ErrBufferFull { - return nil, fmt.Errorf("failed to inspect response: %w", err) - } - if looksLikeHTML(prefix, contentType) { - return nil, wrapHTMLResponseError(resp.StatusCode, prefix, contentType, p.apiBase) - } - - out, err := parseResponse(reader) - if err != nil { - return nil, fmt.Errorf("failed to parse JSON response: %w", err) - } - - return out, nil -} - -func wrapHTMLResponseError(statusCode int, body []byte, contentType, apiBase string) error { - respPreview := responsePreview(body, 128) - return fmt.Errorf( - "API request failed: %s returned HTML instead of JSON (content-type: %s); check api_base or proxy configuration.\n Status: %d\n Body: %s", - apiBase, - contentType, - statusCode, - respPreview, - ) -} - -func looksLikeHTML(body []byte, contentType string) bool { - contentType = strings.ToLower(strings.TrimSpace(contentType)) - if strings.Contains(contentType, "text/html") || strings.Contains(contentType, "application/xhtml+xml") { - return true - } - prefix := bytes.ToLower(leadingTrimmedPrefix(body, 128)) - return bytes.HasPrefix(prefix, []byte("<!doctype html")) || - bytes.HasPrefix(prefix, []byte("<html")) || - bytes.HasPrefix(prefix, []byte("<head")) || - bytes.HasPrefix(prefix, []byte("<body")) -} - -func leadingTrimmedPrefix(body []byte, maxLen int) []byte { - i := 0 - for i < len(body) { - switch body[i] { - case ' ', '\t', '\n', '\r', '\f', '\v': - i++ - default: - end := i + maxLen - if end > len(body) { - end = len(body) - } - return body[i:end] - } - } - return nil -} - -func responsePreview(body []byte, maxLen int) string { - trimmed := bytes.TrimSpace(body) - if len(trimmed) == 0 { - return "<empty>" - } - if len(trimmed) <= maxLen { - return string(trimmed) - } - return string(trimmed[:maxLen]) + "..." -} - -func parseResponse(body io.Reader) (*LLMResponse, error) { - var apiResponse struct { - Choices []struct { - Message struct { - Content string `json:"content"` - ReasoningContent string `json:"reasoning_content"` - Reasoning string `json:"reasoning"` - ReasoningDetails []ReasoningDetail `json:"reasoning_details"` - ToolCalls []struct { - ID string `json:"id"` - Type string `json:"type"` - Function *struct { - Name string `json:"name"` - Arguments json.RawMessage `json:"arguments"` - } `json:"function"` - ExtraContent *struct { - Google *struct { - ThoughtSignature string `json:"thought_signature"` - } `json:"google"` - } `json:"extra_content"` - } `json:"tool_calls"` - } `json:"message"` - FinishReason string `json:"finish_reason"` - } `json:"choices"` - Usage *UsageInfo `json:"usage"` - } - - if err := json.NewDecoder(body).Decode(&apiResponse); err != nil { - return nil, fmt.Errorf("failed to decode response: %w", err) - } - - if len(apiResponse.Choices) == 0 { - return &LLMResponse{ - Content: "", - FinishReason: "stop", - }, nil - } - - choice := apiResponse.Choices[0] - toolCalls := make([]ToolCall, 0, len(choice.Message.ToolCalls)) - for _, tc := range choice.Message.ToolCalls { - arguments := make(map[string]any) - name := "" - - // Extract thought_signature from Gemini/Google-specific extra content - thoughtSignature := "" - if tc.ExtraContent != nil && tc.ExtraContent.Google != nil { - thoughtSignature = tc.ExtraContent.Google.ThoughtSignature - } - - if tc.Function != nil { - name = tc.Function.Name - arguments = decodeToolCallArguments(tc.Function.Arguments, name) - } - - // Build ToolCall with ExtraContent for Gemini 3 thought_signature persistence - toolCall := ToolCall{ - ID: tc.ID, - Name: name, - Arguments: arguments, - ThoughtSignature: thoughtSignature, - } - - if thoughtSignature != "" { - toolCall.ExtraContent = &ExtraContent{ - Google: &GoogleExtra{ - ThoughtSignature: thoughtSignature, - }, - } - } - - toolCalls = append(toolCalls, toolCall) - } - - return &LLMResponse{ - Content: choice.Message.Content, - ReasoningContent: choice.Message.ReasoningContent, - Reasoning: choice.Message.Reasoning, - ReasoningDetails: choice.Message.ReasoningDetails, - ToolCalls: toolCalls, - FinishReason: choice.FinishReason, - Usage: apiResponse.Usage, - }, nil -} - -func decodeToolCallArguments(raw json.RawMessage, name string) map[string]any { - arguments := make(map[string]any) - raw = bytes.TrimSpace(raw) - if len(raw) == 0 || bytes.Equal(raw, []byte("null")) { - return arguments - } - - var decoded any - if err := json.Unmarshal(raw, &decoded); err != nil { - log.Printf("openai_compat: failed to decode tool call arguments payload for %q: %v", name, err) - arguments["raw"] = string(raw) - return arguments - } - - switch v := decoded.(type) { - case string: - if strings.TrimSpace(v) == "" { - return arguments - } - if err := json.Unmarshal([]byte(v), &arguments); err != nil { - log.Printf("openai_compat: failed to decode tool call arguments for %q: %v", name, err) - arguments["raw"] = v - } - return arguments - case map[string]any: - return v - default: - log.Printf("openai_compat: unsupported tool call arguments type for %q: %T", name, decoded) - arguments["raw"] = string(raw) - return arguments - } -} - -// openaiMessage is the wire-format message for OpenAI-compatible APIs. -// It mirrors protocoltypes.Message but omits SystemParts, which is an -// internal field that would be unknown to third-party endpoints. -type openaiMessage struct { - Role string `json:"role"` - Content string `json:"content"` - ReasoningContent string `json:"reasoning_content,omitempty"` - ToolCalls []ToolCall `json:"tool_calls,omitempty"` - ToolCallID string `json:"tool_call_id,omitempty"` -} - -// serializeMessages converts internal Message structs to the OpenAI wire format. -// - Strips SystemParts (unknown to third-party endpoints) -// - Converts messages with Media to multipart content format (text + image_url parts) -// - Preserves ToolCallID, ToolCalls, and ReasoningContent for all messages -func serializeMessages(messages []Message) []any { - out := make([]any, 0, len(messages)) - for _, m := range messages { - if len(m.Media) == 0 { - out = append(out, openaiMessage{ - Role: m.Role, - Content: m.Content, - ReasoningContent: m.ReasoningContent, - ToolCalls: m.ToolCalls, - ToolCallID: m.ToolCallID, - }) - continue - } - - // Multipart content format for messages with media - parts := make([]map[string]any, 0, 1+len(m.Media)) - if m.Content != "" { - parts = append(parts, map[string]any{ - "type": "text", - "text": m.Content, - }) - } - for _, mediaURL := range m.Media { - if strings.HasPrefix(mediaURL, "data:image/") { - parts = append(parts, map[string]any{ - "type": "image_url", - "image_url": map[string]any{ - "url": mediaURL, - }, - }) - } - } - - msg := map[string]any{ - "role": m.Role, - "content": parts, - } - if m.ToolCallID != "" { - msg["tool_call_id"] = m.ToolCallID - } - if len(m.ToolCalls) > 0 { - msg["tool_calls"] = m.ToolCalls - } - if m.ReasoningContent != "" { - msg["reasoning_content"] = m.ReasoningContent - } - out = append(out, msg) - } - return out + return common.ReadAndParseResponse(resp, p.apiBase) } func normalizeModel(model, apiBase string) string { @@ -476,36 +195,6 @@ func normalizeModel(model, apiBase string) string { } } -func asInt(v any) (int, bool) { - switch val := v.(type) { - case int: - return val, true - case int64: - return int(val), true - case float64: - return int(val), true - case float32: - return int(val), true - default: - return 0, false - } -} - -func asFloat(v any) (float64, bool) { - switch val := v.(type) { - case float64: - return val, true - case float32: - return float64(val), true - case int: - return float64(val), true - case int64: - return float64(val), true - default: - return 0, false - } -} - // supportsPromptCacheKey reports whether the given API base is known to // support the prompt_cache_key request field. Currently only OpenAI's own // API and Azure OpenAI support this. All other OpenAI-compatible providers diff --git a/pkg/providers/openai_compat/provider_test.go b/pkg/providers/openai_compat/provider_test.go index 41f278a1b..ed9747f9d 100644 --- a/pkg/providers/openai_compat/provider_test.go +++ b/pkg/providers/openai_compat/provider_test.go @@ -12,6 +12,7 @@ import ( "testing" "time" + "github.com/sipeed/picoclaw/pkg/providers/common" "github.com/sipeed/picoclaw/pkg/providers/protocoltypes" ) @@ -648,7 +649,7 @@ func TestSerializeMessages_PlainText(t *testing.T) { {Role: "user", Content: "hello"}, {Role: "assistant", Content: "hi", ReasoningContent: "thinking..."}, } - result := serializeMessages(messages) + result := common.SerializeMessages(messages) data, err := json.Marshal(result) if err != nil { @@ -670,7 +671,7 @@ func TestSerializeMessages_WithMedia(t *testing.T) { messages := []protocoltypes.Message{ {Role: "user", Content: "describe this", Media: []string{"data:image/png;base64,abc123"}}, } - result := serializeMessages(messages) + result := common.SerializeMessages(messages) data, _ := json.Marshal(result) var msgs []map[string]any @@ -703,7 +704,7 @@ func TestSerializeMessages_MediaWithToolCallID(t *testing.T) { messages := []protocoltypes.Message{ {Role: "tool", Content: "image result", Media: []string{"data:image/png;base64,xyz"}, ToolCallID: "call_1"}, } - result := serializeMessages(messages) + result := common.SerializeMessages(messages) data, _ := json.Marshal(result) var msgs []map[string]any @@ -833,7 +834,7 @@ func TestSerializeMessages_StripsSystemParts(t *testing.T) { }, }, } - result := serializeMessages(messages) + result := common.SerializeMessages(messages) data, _ := json.Marshal(result) raw := string(data) From f7dd040ae4a6d07dca87617fc08e63fda82bde40 Mon Sep 17 00:00:00 2001 From: Hoshina <hoshina@evaz.org> Date: Sun, 15 Mar 2026 12:45:11 +0800 Subject: [PATCH 09/47] fix(provider/azure): lint err --- pkg/providers/azure/provider.go | 2 +- pkg/providers/azure/provider_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/providers/azure/provider.go b/pkg/providers/azure/provider.go index 6e1d07e78..e0ddbbde4 100644 --- a/pkg/providers/azure/provider.go +++ b/pkg/providers/azure/provider.go @@ -128,7 +128,7 @@ func (p *Provider) Chat( // Azure uses api-key header instead of Authorization: Bearer req.Header.Set("Content-Type", "application/json") if p.apiKey != "" { - req.Header.Set("api-key", p.apiKey) + req.Header.Set("Api-Key", p.apiKey) } resp, err := p.httpClient.Do(req) diff --git a/pkg/providers/azure/provider_test.go b/pkg/providers/azure/provider_test.go index 8f44edff5..531b81296 100644 --- a/pkg/providers/azure/provider_test.go +++ b/pkg/providers/azure/provider_test.go @@ -53,7 +53,7 @@ func TestProviderChat_AzureAuthHeader(t *testing.T) { var capturedAuth string server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - capturedAPIKey = r.Header.Get("api-key") + capturedAPIKey = r.Header.Get("Api-Key") capturedAuth = r.Header.Get("Authorization") writeValidResponse(w) })) From 54f870c2559d2d7b29fb9487744138632c0c874b Mon Sep 17 00:00:00 2001 From: sky5454 <sky5454@users.noreply.github.com> Date: Sun, 15 Mar 2026 18:02:26 +0800 Subject: [PATCH 10/47] feat/sec add github's dependabot to scan the lib sec. --- .github/dependabot.yml | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 000000000..559a2249e --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,27 @@ +version: 2 + +updates: + + # Go dependencies (entire repo) + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + labels: + - "dependencies" + - "go" + + # Frontend dependencies + - package-ecosystem: "npm" + directory: "/web/frontend" + schedule: + interval: "weekly" + labels: + - "dependencies" + - "frontend" + + # GitHub Actions + - package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "weekly" \ No newline at end of file From 71e2b636d66c9d30250f027085d142d93d4246be Mon Sep 17 00:00:00 2001 From: BitToby <218712309+bittoby@users.noreply.github.com> Date: Mon, 16 Mar 2026 03:58:37 +0200 Subject: [PATCH 11/47] fix: Use secure defaults for Pico channel setup and stop leaking the token in the URL (#1563) * fix: Use secure defaults for Pico channel setup and stop leaking the token in the URL * fix: Derive default allow_origins from the setup request's Origin header instead of hardcoding localhost ports --- pkg/channels/pico/pico.go | 31 ++- web/backend/api/gateway.go | 2 +- web/backend/api/pico.go | 24 +- web/backend/api/pico_test.go | 237 +++++++++++++++++++ web/frontend/src/lib/pico-chat-controller.ts | 5 +- 5 files changed, 281 insertions(+), 18 deletions(-) create mode 100644 web/backend/api/pico_test.go diff --git a/pkg/channels/pico/pico.go b/pkg/channels/pico/pico.go index 8d8b62a67..206e71f92 100644 --- a/pkg/channels/pico/pico.go +++ b/pkg/channels/pico/pico.go @@ -251,7 +251,13 @@ func (c *PicoChannel) handleWebSocket(w http.ResponseWriter, r *http.Request) { return } - conn, err := c.upgrader.Upgrade(w, r, nil) + // Echo the matched subprotocol back so the browser accepts the upgrade. + var responseHeader http.Header + if proto := c.matchedSubprotocol(r); proto != "" { + responseHeader = http.Header{"Sec-WebSocket-Protocol": {proto}} + } + + conn, err := c.upgrader.Upgrade(w, r, responseHeader) if err != nil { logger.ErrorCF("pico", "WebSocket upgrade failed", map[string]any{ "error": err.Error(), @@ -282,8 +288,10 @@ func (c *PicoChannel) handleWebSocket(w http.ResponseWriter, r *http.Request) { go c.readLoop(pc) } -// authenticate checks the Bearer token from the Authorization header. -// Query parameter authentication is only allowed when AllowTokenQuery is explicitly enabled. +// authenticate checks the request for a valid token: +// 1. Authorization: Bearer <token> header +// 2. Sec-WebSocket-Protocol "token.<value>" (for browsers that can't set headers) +// 3. Query parameter "token" (only when AllowTokenQuery is on) func (c *PicoChannel) authenticate(r *http.Request) bool { token := c.config.Token if token == "" { @@ -298,6 +306,11 @@ func (c *PicoChannel) authenticate(r *http.Request) bool { } } + // Check Sec-WebSocket-Protocol subprotocol ("token.<value>") + if c.matchedSubprotocol(r) != "" { + return true + } + // Check query parameter only when explicitly allowed if c.config.AllowTokenQuery { if r.URL.Query().Get("token") == token { @@ -308,6 +321,18 @@ func (c *PicoChannel) authenticate(r *http.Request) bool { return false } +// matchedSubprotocol returns the "token.<value>" subprotocol that matches +// the configured token, or "" if none do. +func (c *PicoChannel) matchedSubprotocol(r *http.Request) string { + token := c.config.Token + for _, proto := range websocket.Subprotocols(r) { + if after, ok := strings.CutPrefix(proto, "token."); ok && after == token { + return proto + } + } + return "" +} + // readLoop reads messages from a WebSocket connection. func (c *PicoChannel) readLoop(pc *picoConn) { defer func() { diff --git a/web/backend/api/gateway.go b/web/backend/api/gateway.go index 1813cac92..f50f7609a 100644 --- a/web/backend/api/gateway.go +++ b/web/backend/api/gateway.go @@ -281,7 +281,7 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { gateway.logs.Reset() // Ensure Pico Channel is configured before starting gateway - if _, err := h.ensurePicoChannel(); err != nil { + if _, err := h.ensurePicoChannel(""); err != nil { log.Printf("Warning: failed to ensure pico channel: %v", err) // Non-fatal: gateway can still start without pico channel } diff --git a/web/backend/api/pico.go b/web/backend/api/pico.go index a4590dcde..2d2201e16 100644 --- a/web/backend/api/pico.go +++ b/web/backend/api/pico.go @@ -65,9 +65,14 @@ func (h *Handler) handleRegenPicoToken(w http.ResponseWriter, r *http.Request) { }) } -// ensurePicoChannel checks if the Pico Channel is properly configured and -// enables it with sensible defaults if not. Returns true if config was changed. -func (h *Handler) ensurePicoChannel() (bool, error) { +// ensurePicoChannel enables the Pico channel with sane defaults if it isn't +// already configured. Returns true when the config was modified. +// +// callerOrigin is the Origin header from the setup request. If non-empty and +// no origins are configured yet, it's written as the allowed origin so the +// WebSocket handshake works for whatever host the caller is on (LAN, custom +// port, etc.). Pass "" when there's no request context. +func (h *Handler) ensurePicoChannel(callerOrigin string) (bool, error) { cfg, err := config.LoadConfig(h.configPath) if err != nil { return false, fmt.Errorf("failed to load config: %w", err) @@ -85,14 +90,9 @@ func (h *Handler) ensurePicoChannel() (bool, error) { changed = true } - if !cfg.Channels.Pico.AllowTokenQuery { - cfg.Channels.Pico.AllowTokenQuery = true - changed = true - } - - // Make sure origins are allowed (frontend might be running on a different port like 5173 during dev) - if len(cfg.Channels.Pico.AllowOrigins) == 0 { - cfg.Channels.Pico.AllowOrigins = []string{"*"} + // Seed origins from the request instead of hardcoding ports. + if len(cfg.Channels.Pico.AllowOrigins) == 0 && callerOrigin != "" { + cfg.Channels.Pico.AllowOrigins = []string{callerOrigin} changed = true } @@ -109,7 +109,7 @@ func (h *Handler) ensurePicoChannel() (bool, error) { // // POST /api/pico/setup func (h *Handler) handlePicoSetup(w http.ResponseWriter, r *http.Request) { - changed, err := h.ensurePicoChannel() + changed, err := h.ensurePicoChannel(r.Header.Get("Origin")) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError) return diff --git a/web/backend/api/pico_test.go b/web/backend/api/pico_test.go new file mode 100644 index 000000000..46149fa09 --- /dev/null +++ b/web/backend/api/pico_test.go @@ -0,0 +1,237 @@ +package api + +import ( + "encoding/json" + "net/http" + "net/http/httptest" + "path/filepath" + "testing" + + "github.com/sipeed/picoclaw/pkg/config" +) + +func TestEnsurePicoChannel_FreshConfig(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + changed, err := h.ensurePicoChannel("") + if err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + if !changed { + t.Fatal("ensurePicoChannel() should report changed on a fresh config") + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if !cfg.Channels.Pico.Enabled { + t.Error("expected Pico to be enabled after setup") + } + if cfg.Channels.Pico.Token == "" { + t.Error("expected a non-empty token after setup") + } +} + +func TestEnsurePicoChannel_DoesNotEnableTokenQuery(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + if _, err := h.ensurePicoChannel(""); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if cfg.Channels.Pico.AllowTokenQuery { + t.Error("setup must not enable allow_token_query by default") + } +} + +func TestEnsurePicoChannel_DoesNotSetWildcardOrigins(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + if _, err := h.ensurePicoChannel("http://localhost:18800"); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + for _, origin := range cfg.Channels.Pico.AllowOrigins { + if origin == "*" { + t.Error("setup must not set wildcard origin '*'") + } + } +} + +func TestEnsurePicoChannel_NoOriginWithoutCaller(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + if _, err := h.ensurePicoChannel(""); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + // Without a caller origin, allow_origins stays empty (CheckOrigin + // allows all when the list is empty, so the channel still works). + if len(cfg.Channels.Pico.AllowOrigins) != 0 { + t.Errorf("allow_origins = %v, want empty when no caller origin", cfg.Channels.Pico.AllowOrigins) + } +} + +func TestEnsurePicoChannel_SetsCallerOrigin(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + lanOrigin := "http://192.168.1.9:18800" + if _, err := h.ensurePicoChannel(lanOrigin); err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if len(cfg.Channels.Pico.AllowOrigins) != 1 || cfg.Channels.Pico.AllowOrigins[0] != lanOrigin { + t.Errorf("allow_origins = %v, want [%s]", cfg.Channels.Pico.AllowOrigins, lanOrigin) + } +} + +func TestEnsurePicoChannel_PreservesUserSettings(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + + // Pre-configure with custom user settings + cfg := config.DefaultConfig() + cfg.Channels.Pico.Enabled = true + cfg.Channels.Pico.Token = "user-custom-token" + cfg.Channels.Pico.AllowTokenQuery = true + cfg.Channels.Pico.AllowOrigins = []string{"https://myapp.example.com"} + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + h := NewHandler(configPath) + + changed, err := h.ensurePicoChannel("") + if err != nil { + t.Fatalf("ensurePicoChannel() error = %v", err) + } + if changed { + t.Error("ensurePicoChannel() should not change a fully configured config") + } + + cfg, err = config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if cfg.Channels.Pico.Token != "user-custom-token" { + t.Errorf("token = %q, want %q", cfg.Channels.Pico.Token, "user-custom-token") + } + if !cfg.Channels.Pico.AllowTokenQuery { + t.Error("user's allow_token_query=true must be preserved") + } + if len(cfg.Channels.Pico.AllowOrigins) != 1 || cfg.Channels.Pico.AllowOrigins[0] != "https://myapp.example.com" { + t.Errorf("allow_origins = %v, want [https://myapp.example.com]", cfg.Channels.Pico.AllowOrigins) + } +} + +func TestEnsurePicoChannel_Idempotent(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + origin := "http://localhost:18800" + + // First call sets things up + if _, err := h.ensurePicoChannel(origin); err != nil { + t.Fatalf("first ensurePicoChannel() error = %v", err) + } + + cfg1, _ := config.LoadConfig(configPath) + token1 := cfg1.Channels.Pico.Token + + // Second call should be a no-op + changed, err := h.ensurePicoChannel(origin) + if err != nil { + t.Fatalf("second ensurePicoChannel() error = %v", err) + } + if changed { + t.Error("second ensurePicoChannel() should not report changed") + } + + cfg2, _ := config.LoadConfig(configPath) + if cfg2.Channels.Pico.Token != token1 { + t.Error("token should not change on subsequent calls") + } +} + +func TestHandlePicoSetup_IncludesRequestOrigin(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + req := httptest.NewRequest("POST", "/api/pico/setup", nil) + req.Header.Set("Origin", "http://10.0.0.5:3000") + rec := httptest.NewRecorder() + + h.handlePicoSetup(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + cfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + + if len(cfg.Channels.Pico.AllowOrigins) != 1 || cfg.Channels.Pico.AllowOrigins[0] != "http://10.0.0.5:3000" { + t.Errorf("allow_origins = %v, want [http://10.0.0.5:3000]", cfg.Channels.Pico.AllowOrigins) + } +} + +func TestHandlePicoSetup_Response(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + req := httptest.NewRequest("POST", "/api/pico/setup", nil) + rec := httptest.NewRecorder() + + h.handlePicoSetup(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + var resp map[string]any + if err := json.NewDecoder(rec.Body).Decode(&resp); err != nil { + t.Fatalf("failed to decode response: %v", err) + } + + if resp["token"] == nil || resp["token"] == "" { + t.Error("response should contain a non-empty token") + } + if resp["ws_url"] == nil || resp["ws_url"] == "" { + t.Error("response should contain ws_url") + } + if resp["enabled"] != true { + t.Error("response should have enabled=true") + } + if resp["changed"] != true { + t.Error("response should have changed=true on first setup") + } +} diff --git a/web/frontend/src/lib/pico-chat-controller.ts b/web/frontend/src/lib/pico-chat-controller.ts index be3397bae..0e77d1ad0 100644 --- a/web/frontend/src/lib/pico-chat-controller.ts +++ b/web/frontend/src/lib/pico-chat-controller.ts @@ -165,8 +165,9 @@ export async function connectChat() { console.warn("Could not parse ws_url:", error) } - const url = `${finalWsUrl}?token=${encodeURIComponent(token)}&session_id=${encodeURIComponent(activeSessionIdRef)}` - const socket = new WebSocket(url) + const url = `${finalWsUrl}?session_id=${encodeURIComponent(activeSessionIdRef)}` + // Send token as a subprotocol so it doesn't end up in the URL. + const socket = new WebSocket(url, [`token.${token}`]) if (generation !== connectionGeneration) { socket.close() From 45c01f4d91bd2f1ec7d0945fbca09372571850b9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:42:04 +0800 Subject: [PATCH 12/47] chore(deps): bump golang.org/x/oauth2 from 0.35.0 to 0.36.0 (#1596) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.35.0 to 0.36.0. - [Commits](https://github.com/golang/oauth2/compare/v0.35.0...v0.36.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index f29ef7207..a2ce5c511 100644 --- a/go.mod +++ b/go.mod @@ -27,7 +27,7 @@ require ( github.com/stretchr/testify v1.11.1 github.com/tencent-connect/botgo v0.2.1 go.mau.fi/whatsmeow v0.0.0-20260219150138-7ae702b1eed4 - golang.org/x/oauth2 v0.35.0 + golang.org/x/oauth2 v0.36.0 golang.org/x/time v0.14.0 google.golang.org/protobuf v1.36.11 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index addbab56c..c8ee84e87 100644 --- a/go.sum +++ b/go.sum @@ -270,8 +270,8 @@ golang.org/x/net v0.19.0/go.mod h1:CfAk/cbD4CthTvqiEl8NpboMuiuOYsAr/7NOjZJtv1U= golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo= golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y= golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI= -golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ= -golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA= +golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= +golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= From dd936302d1223613693c7942364eb4d4d8597b4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:46:54 +0800 Subject: [PATCH 13/47] chore(deps): bump github.com/mymmrac/telego from 1.6.0 to 1.7.0 (#1598) Bumps [github.com/mymmrac/telego](https://github.com/mymmrac/telego) from 1.6.0 to 1.7.0. - [Release notes](https://github.com/mymmrac/telego/releases) - [Commits](https://github.com/mymmrac/telego/compare/v1.6.0...v1.7.0) --- updated-dependencies: - dependency-name: github.com/mymmrac/telego dependency-version: 1.7.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 4 ++-- go.sum | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/go.mod b/go.mod index a2ce5c511..c0e2fa60c 100644 --- a/go.mod +++ b/go.mod @@ -17,7 +17,7 @@ require ( github.com/larksuite/oapi-sdk-go/v3 v3.5.3 github.com/mdp/qrterminal/v3 v3.2.1 github.com/modelcontextprotocol/go-sdk v1.3.1 - github.com/mymmrac/telego v1.6.0 + github.com/mymmrac/telego v1.7.0 github.com/open-dingtalk/dingtalk-stream-sdk-go v0.9.1 github.com/openai/openai-go/v3 v3.22.0 github.com/rivo/tview v0.42.0 @@ -87,7 +87,7 @@ require ( github.com/twitchyliquid64/golang-asm v0.15.1 // indirect github.com/valyala/bytebufferpool v1.0.0 // indirect github.com/valyala/fasthttp v1.69.0 // indirect - github.com/valyala/fastjson v1.6.7 // indirect + github.com/valyala/fastjson v1.6.10 // indirect github.com/yosida95/uritemplate/v3 v3.0.2 // indirect golang.org/x/arch v0.24.0 // indirect golang.org/x/crypto v0.48.0 // indirect diff --git a/go.sum b/go.sum index c8ee84e87..11be48d87 100644 --- a/go.sum +++ b/go.sum @@ -136,8 +136,8 @@ github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFe github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU= github.com/modelcontextprotocol/go-sdk v1.3.1 h1:TfqtNKOIWN4Z1oqmPAiWDC2Jq7K9OdJaooe0teoXASI= github.com/modelcontextprotocol/go-sdk v1.3.1/go.mod h1:DgVX498dMD8UJlseK1S5i1T4tFz2fkBk4xogC3D15nw= -github.com/mymmrac/telego v1.6.0 h1:Zc8rgyHozvd/7ZgyrigyHdAF9koHYMfilYfyB6wlFC0= -github.com/mymmrac/telego v1.6.0/go.mod h1:xt6ZWA8zi8KmuzryE1ImEdl9JSwjHNpM4yhC7D8hU4Y= +github.com/mymmrac/telego v1.7.0 h1:yRO/l00tFGG4nY66ufUKb4ARqv7qx9+LsjQv/b0NEyo= +github.com/mymmrac/telego v1.7.0/go.mod h1:pdLV346EgVuq7Xrh3kMggeBiazeHhsdEoK0RTEOPXRM= github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w= github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A= @@ -216,8 +216,8 @@ github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6Kllzaw github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc= github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZyVI= github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw= -github.com/valyala/fastjson v1.6.7 h1:ZE4tRy0CIkh+qDc5McjatheGX2czdn8slQjomexVpBM= -github.com/valyala/fastjson v1.6.7/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY= +github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4= +github.com/valyala/fastjson v1.6.10/go.mod h1:e6FubmQouUNP73jtMLmcbxS6ydWIpOfhz34TSfO3JaE= github.com/vektah/gqlparser/v2 v2.5.27 h1:RHPD3JOplpk5mP5JGX8RKZkt2/Vwj/PZv0HxTdwFp0s= github.com/vektah/gqlparser/v2 v2.5.27/go.mod h1:D1/VCZtV3LPnQrcPBeR/q5jkSQIPti0uYCP/RI0gIeo= github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU= From e9d240d760bab164ceabf13f58f33d2909a45f37 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:47:46 +0800 Subject: [PATCH 14/47] chore(deps): bump github.com/caarlos0/env/v11 from 11.3.1 to 11.4.0 (#1599) Bumps [github.com/caarlos0/env/v11](https://github.com/caarlos0/env) from 11.3.1 to 11.4.0. - [Release notes](https://github.com/caarlos0/env/releases) - [Commits](https://github.com/caarlos0/env/compare/v11.3.1...v11.4.0) --- updated-dependencies: - dependency-name: github.com/caarlos0/env/v11 dependency-version: 11.4.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index c0e2fa60c..e48b3006f 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/adhocore/gronx v1.19.6 github.com/anthropics/anthropic-sdk-go v1.22.1 github.com/bwmarrin/discordgo v0.29.0 - github.com/caarlos0/env/v11 v11.3.1 + github.com/caarlos0/env/v11 v11.4.0 github.com/ergochat/irc-go v0.5.0 github.com/ergochat/readline v0.1.3 github.com/gdamore/tcell/v2 v2.13.8 diff --git a/go.sum b/go.sum index 11be48d87..810bdac62 100644 --- a/go.sum +++ b/go.sum @@ -23,8 +23,8 @@ github.com/bytedance/sonic v1.15.0 h1:/PXeWFaR5ElNcVE84U0dOHjiMHQOwNIx3K4ymzh/uS github.com/bytedance/sonic v1.15.0/go.mod h1:tFkWrPz0/CUCLEF4ri4UkHekCIcdnkqXw9VduqpJh0k= github.com/bytedance/sonic/loader v0.5.0 h1:gXH3KVnatgY7loH5/TkeVyXPfESoqSBSBEiDd5VjlgE= github.com/bytedance/sonic/loader v0.5.0/go.mod h1:AR4NYCk5DdzZizZ5djGqQ92eEhCCcdf5x77udYiSJRo= -github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA= -github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U= +github.com/caarlos0/env/v11 v11.4.0 h1:Kcb6t5kIIr4XkoQC9AF2j+8E1Jsrl3Wz/hhm1LtoGAc= +github.com/caarlos0/env/v11 v11.4.0/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U= github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs= github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M= From 2f40a8c165810a88442630b231d25fbd17937ea3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:51:55 +0800 Subject: [PATCH 15/47] chore(deps): bump github.com/anthropics/anthropic-sdk-go (#1601) Bumps [github.com/anthropics/anthropic-sdk-go](https://github.com/anthropics/anthropic-sdk-go) from 1.22.1 to 1.26.0. - [Release notes](https://github.com/anthropics/anthropic-sdk-go/releases) - [Changelog](https://github.com/anthropics/anthropic-sdk-go/blob/main/CHANGELOG.md) - [Commits](https://github.com/anthropics/anthropic-sdk-go/compare/v1.22.1...v1.26.0) --- updated-dependencies: - dependency-name: github.com/anthropics/anthropic-sdk-go dependency-version: 1.26.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index e48b3006f..6f5de1605 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.25.7 require ( github.com/adhocore/gronx v1.19.6 - github.com/anthropics/anthropic-sdk-go v1.22.1 + github.com/anthropics/anthropic-sdk-go v1.26.0 github.com/bwmarrin/discordgo v0.29.0 github.com/caarlos0/env/v11 v11.4.0 github.com/ergochat/irc-go v0.5.0 diff --git a/go.sum b/go.sum index 810bdac62..0fb4be1b8 100644 --- a/go.sum +++ b/go.sum @@ -11,8 +11,8 @@ github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNg github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ= github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY= -github.com/anthropics/anthropic-sdk-go v1.22.1 h1:xbsc3vJKCX/ELDZSpTNfz9wCgrFsamwFewPb1iI0Xh0= -github.com/anthropics/anthropic-sdk-go v1.22.1/go.mod h1:WTz31rIUHUHqai2UslPpw5CwXrQP3geYBioRV4WOLvE= +github.com/anthropics/anthropic-sdk-go v1.26.0 h1:oUTzFaUpAevfuELAP1sjL6CQJ9HHAfT7CoSYSac11PY= +github.com/anthropics/anthropic-sdk-go v1.26.0/go.mod h1:qUKmaW+uuPB64iy1l+4kOSvaLqPXnHTTBKH6RVZ7q5Q= github.com/beeper/argo-go v1.1.2 h1:UQI2G8F+NLfGTOmTUI0254pGKx/HUU/etbUGTJv91Fs= github.com/beeper/argo-go v1.1.2/go.mod h1:M+LJAnyowKVQ6Rdj6XYGEn+qcVFkb3R/MUpqkGR0hM4= github.com/bwmarrin/discordgo v0.29.0 h1:FmWeXFaKUwrcL3Cx65c20bTRW+vOb6k8AnaP+EgjDno= @@ -38,6 +38,8 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc= +github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= +github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/elliotchance/orderedmap/v3 v3.1.0 h1:j4DJ5ObEmMBt/lcwIecKcoRxIQUEnw0L804lXYDt/pg= @@ -354,6 +356,7 @@ gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWD gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= +gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= From 43eb6fe20c5670fa15ce261174e0c1a2ac1f3c80 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:58:18 +0800 Subject: [PATCH 16/47] chore(deps): bump github.com/github/copilot-sdk/go from 0.1.23 to 0.1.32 (#1603) Bumps [github.com/github/copilot-sdk/go](https://github.com/github/copilot-sdk) from 0.1.23 to 0.1.32. - [Release notes](https://github.com/github/copilot-sdk/releases) - [Changelog](https://github.com/github/copilot-sdk/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/copilot-sdk/compare/v0.1.23...v0.1.32) --- updated-dependencies: - dependency-name: github.com/github/copilot-sdk/go dependency-version: 0.1.32 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 6f5de1605..130db73ff 100644 --- a/go.mod +++ b/go.mod @@ -73,7 +73,7 @@ require ( github.com/bytedance/sonic v1.15.0 // indirect github.com/bytedance/sonic/loader v0.5.0 // indirect github.com/cloudwego/base64x v0.1.6 // indirect - github.com/github/copilot-sdk/go v0.1.23 + github.com/github/copilot-sdk/go v0.1.32 github.com/go-resty/resty/v2 v2.17.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/google/jsonschema-go v0.4.2 // indirect diff --git a/go.sum b/go.sum index 0fb4be1b8..a4d8ed3d0 100644 --- a/go.sum +++ b/go.sum @@ -54,8 +54,8 @@ github.com/gdamore/encoding v1.0.1 h1:YzKZckdBL6jVt2Gc+5p82qhrGiqMdG/eNs6Wy0u3Uh github.com/gdamore/encoding v1.0.1/go.mod h1:0Z0cMFinngz9kS1QfMjCP8TY7em3bZYeeklsSDPivEo= github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3RlfU= github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo= -github.com/github/copilot-sdk/go v0.1.23 h1:uExtO/inZQndCZMiSAA1hvXINiz9tqo/MZgQzFzurxw= -github.com/github/copilot-sdk/go v0.1.23/go.mod h1:GdwwBfMbm9AABLEM3x5IZKw4ZfwCYxZ1BgyytmZenQ0= +github.com/github/copilot-sdk/go v0.1.32 h1:wc9SFWwxXhJts6vyzzboPLJqcEJGnHE8rMCAY1RrUgo= +github.com/github/copilot-sdk/go v0.1.32/go.mod h1:qc2iEF7hdO8kzSvbyGvrcGhuk2fzdW4xTtT0+1EH2ts= github.com/go-redis/redis/v8 v8.11.4/go.mod h1:2Z2wHZXdQpCDXEGzqMockDpNyYvi2l4Pxt6RJr792+w= github.com/go-resty/resty/v2 v2.6.0/go.mod h1:PwvJS6hvaPkjtjNg9ph+VrSD92bi5Zq73w/BIH7cC3Q= github.com/go-resty/resty/v2 v2.17.1 h1:x3aMpHK1YM9e4va/TMDRlusDDoZiQ+ViDu/WpA6xTM4= From b8dfd0befc44233c2193f599797aa0c0a781c687 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 10:58:48 +0800 Subject: [PATCH 17/47] chore(deps): bump jotai from 2.18.0 to 2.18.1 in /web/frontend (#1605) Bumps [jotai](https://github.com/pmndrs/jotai) from 2.18.0 to 2.18.1. - [Release notes](https://github.com/pmndrs/jotai/releases) - [Commits](https://github.com/pmndrs/jotai/compare/v2.18.0...v2.18.1) --- updated-dependencies: - dependency-name: jotai dependency-version: 2.18.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 373b4d468..8d5b77fb9 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -24,7 +24,7 @@ "dayjs": "^1.11.19", "i18next": "^25.8.14", "i18next-browser-languagedetector": "^8.2.1", - "jotai": "^2.18.0", + "jotai": "^2.18.1", "radix-ui": "^1.4.3", "react": "^19.2.0", "react-dom": "^19.2.0", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 75acacfa5..a1ea2a512 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -42,8 +42,8 @@ importers: specifier: ^8.2.1 version: 8.2.1 jotai: - specifier: ^2.18.0 - version: 2.18.0(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4) + specifier: ^2.18.1 + version: 2.18.1(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4) radix-ui: specifier: ^1.4.3 version: 1.4.3(@types/react-dom@19.2.3(@types/react@19.2.14))(@types/react@19.2.14)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) @@ -2669,8 +2669,8 @@ packages: jose@6.1.3: resolution: {integrity: sha512-0TpaTfihd4QMNwrz/ob2Bp7X04yuxJkjRGi4aKmOqwhov54i6u79oCv7T+C7lo70MKH6BesI3vscD1yb/yzKXQ==} - jotai@2.18.0: - resolution: {integrity: sha512-XI38kGWAvtxAZ+cwHcTgJsd+kJOJGf3OfL4XYaXWZMZ7IIY8e53abpIHvtVn1eAgJ5dlgwlGFnP4psrZ/vZbtA==} + jotai@2.18.1: + resolution: {integrity: sha512-e0NOzK+yRFwHo7DOp0DS0Ycq74KMEAObDWFGmfEL28PD9nLqBTt3/Ug7jf9ca72x0gC9LQZG9zH+0ISICmy3iA==} engines: {node: '>=12.20.0'} peerDependencies: '@babel/core': '>=7.0.0' @@ -6501,7 +6501,7 @@ snapshots: jose@6.1.3: {} - jotai@2.18.0(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4): + jotai@2.18.1(@babel/core@7.29.0)(@babel/template@7.28.6)(@types/react@19.2.14)(react@19.2.4): optionalDependencies: '@babel/core': 7.29.0 '@babel/template': 7.28.6 From a93bd0132933b6a6251395ca4fa8c6fcf67ab3aa Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:04:50 +0800 Subject: [PATCH 18/47] chore(deps-dev): bump @vitejs/plugin-react in /web/frontend (#1606) Bumps [@vitejs/plugin-react](https://github.com/vitejs/vite-plugin-react/tree/HEAD/packages/plugin-react) from 5.1.4 to 5.2.0. - [Release notes](https://github.com/vitejs/vite-plugin-react/releases) - [Changelog](https://github.com/vitejs/vite-plugin-react/blob/plugin-react@5.2.0/packages/plugin-react/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite-plugin-react/commits/plugin-react@5.2.0/packages/plugin-react) --- updated-dependencies: - dependency-name: "@vitejs/plugin-react" dependency-version: 5.2.0 dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 8d5b77fb9..189b93fc0 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -48,7 +48,7 @@ "@types/react": "^19.2.7", "@types/react-dom": "^19.2.3", "@typescript-eslint/eslint-plugin": "^8.56.1", - "@vitejs/plugin-react": "^5.1.1", + "@vitejs/plugin-react": "^5.2.0", "eslint": "^9.39.1", "eslint-config-prettier": "^10.1.8", "eslint-plugin-react-hooks": "^7.0.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index a1ea2a512..2510d06ee 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -109,8 +109,8 @@ importers: specifier: ^8.56.1 version: 8.56.1(@typescript-eslint/parser@8.56.1(eslint@9.39.3(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.3(jiti@2.6.1))(typescript@5.9.3) '@vitejs/plugin-react': - specifier: ^5.1.1 - version: 5.1.4(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) + specifier: ^5.2.0 + version: 5.2.0(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) eslint: specifier: ^9.39.1 version: 9.39.3(jiti@2.6.1) @@ -1790,11 +1790,11 @@ packages: '@ungap/structured-clone@1.3.0': resolution: {integrity: sha512-WmoN8qaIAo7WTYWbAZuG8PYEhn5fkz7dZrqTBZ7dtt//lL2Gwms1IcnQ5yHqjDfX8Ft5j4YzDM23f87zBfDe9g==} - '@vitejs/plugin-react@5.1.4': - resolution: {integrity: sha512-VIcFLdRi/VYRU8OL/puL7QXMYafHmqOnwTZY50U1JPlCNj30PxCMx65c494b1K9be9hX83KVt0+gTEwTWLqToA==} + '@vitejs/plugin-react@5.2.0': + resolution: {integrity: sha512-YmKkfhOAi3wsB1PhJq5Scj3GXMn3WvtQ/JC0xoopuHoXSdmtdStOpFrYaT1kie2YgFBcIe64ROzMYRjCrYOdYw==} engines: {node: ^20.19.0 || >=22.12.0} peerDependencies: - vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 + vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0 || ^8.0.0 accepts@2.0.0: resolution: {integrity: sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==} @@ -5641,7 +5641,7 @@ snapshots: '@ungap/structured-clone@1.3.0': {} - '@vitejs/plugin-react@5.1.4(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': + '@vitejs/plugin-react@5.2.0(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': dependencies: '@babel/core': 7.29.0 '@babel/plugin-transform-react-jsx-self': 7.27.1(@babel/core@7.29.0) From 3bf8a27570112488d1a0f0bdec892e80dee23fb3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:05:03 +0800 Subject: [PATCH 19/47] chore(deps): bump react-i18next from 16.5.4 to 16.5.8 in /web/frontend (#1607) Bumps [react-i18next](https://github.com/i18next/react-i18next) from 16.5.4 to 16.5.8. - [Changelog](https://github.com/i18next/react-i18next/blob/master/CHANGELOG.md) - [Commits](https://github.com/i18next/react-i18next/compare/v16.5.4...v16.5.8) --- updated-dependencies: - dependency-name: react-i18next dependency-version: 16.5.8 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 189b93fc0..d6d13a8fd 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -28,7 +28,7 @@ "radix-ui": "^1.4.3", "react": "^19.2.0", "react-dom": "^19.2.0", - "react-i18next": "^16.5.4", + "react-i18next": "^16.5.8", "react-markdown": "^10.1.0", "react-textarea-autosize": "^8.5.9", "remark-gfm": "^4.0.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 2510d06ee..38820d871 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -54,8 +54,8 @@ importers: specifier: ^19.2.0 version: 19.2.4(react@19.2.4) react-i18next: - specifier: ^16.5.4 - version: 16.5.4(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3) + specifier: ^16.5.8 + version: 16.5.8(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3) react-markdown: specifier: ^10.1.0 version: 10.1.0(@types/react@19.2.14)(react@19.2.4) @@ -3323,8 +3323,8 @@ packages: peerDependencies: react: ^19.2.4 - react-i18next@16.5.4: - resolution: {integrity: sha512-6yj+dcfMncEC21QPhOTsW8mOSO+pzFmT6uvU7XXdvM/Cp38zJkmTeMeKmTrmCMD5ToT79FmiE/mRWiYWcJYW4g==} + react-i18next@16.5.8: + resolution: {integrity: sha512-2ABeHHlakxVY+LSirD+OiERxFL6+zip0PaHo979bgwzeHg27Sqc82xxXWIrSFmfWX0ZkrvXMHwhsi/NGUf5VQg==} peerDependencies: i18next: '>= 25.6.2' react: '>= 16.8.0' @@ -7310,7 +7310,7 @@ snapshots: react: 19.2.4 scheduler: 0.27.0 - react-i18next@16.5.4(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3): + react-i18next@16.5.8(i18next@25.8.14(typescript@5.9.3))(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(typescript@5.9.3): dependencies: '@babel/runtime': 7.28.6 html-parse-stringify: 3.0.1 From 99304d1f8e779294439660a443d5d45e5832cd9a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:05:17 +0800 Subject: [PATCH 20/47] chore(deps): bump dayjs from 1.11.19 to 1.11.20 in /web/frontend (#1608) Bumps [dayjs](https://github.com/iamkun/dayjs) from 1.11.19 to 1.11.20. - [Release notes](https://github.com/iamkun/dayjs/releases) - [Changelog](https://github.com/iamkun/dayjs/blob/dev/CHANGELOG.md) - [Commits](https://github.com/iamkun/dayjs/compare/v1.11.19...v1.11.20) --- updated-dependencies: - dependency-name: dayjs dependency-version: 1.11.20 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index d6d13a8fd..6a4719adb 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -21,7 +21,7 @@ "@tanstack/react-router-devtools": "^1.163.3", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", - "dayjs": "^1.11.19", + "dayjs": "^1.11.20", "i18next": "^25.8.14", "i18next-browser-languagedetector": "^8.2.1", "jotai": "^2.18.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 38820d871..3c6c4c7cf 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -33,8 +33,8 @@ importers: specifier: ^2.1.1 version: 2.1.1 dayjs: - specifier: ^1.11.19 - version: 1.11.19 + specifier: ^1.11.20 + version: 1.11.20 i18next: specifier: ^25.8.14 version: 25.8.14(typescript@5.9.3) @@ -2060,8 +2060,8 @@ packages: resolution: {integrity: sha512-0R9ikRb668HB7QDxT1vkpuUBtqc53YyAwMwGeUFKRojY/NWKvdZ+9UYtRfGmhqNbRkTSVpMbmyhXipFFv2cb/A==} engines: {node: '>= 12'} - dayjs@1.11.19: - resolution: {integrity: sha512-t5EcLVS6QPBNqM2z8fakk/NKel+Xzshgt8FFKAn+qwlD1pzZWxh0nVCrvFK7ZDb6XucZeF9z8C7CBWTRIVApAw==} + dayjs@1.11.20: + resolution: {integrity: sha512-YbwwqR/uYpeoP4pu043q+LTDLFBLApUP6VxRihdfNTqu4ubqMlGDLd6ErXhEgsyvY0K6nCs7nggYumAN+9uEuQ==} debug@4.4.3: resolution: {integrity: sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==} @@ -5894,7 +5894,7 @@ snapshots: data-uri-to-buffer@4.0.1: {} - dayjs@1.11.19: {} + dayjs@1.11.20: {} debug@4.4.3: dependencies: From 4178b2cec5028ab0b86cc0bdd5c0ff0c2ffbca9f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 11:05:31 +0800 Subject: [PATCH 21/47] chore(deps): bump @tanstack/react-router in /web/frontend (#1609) Bumps [@tanstack/react-router](https://github.com/TanStack/router/tree/HEAD/packages/react-router) from 1.163.3 to 1.167.0. - [Release notes](https://github.com/TanStack/router/releases) - [Changelog](https://github.com/TanStack/router/blob/main/packages/react-router/CHANGELOG.md) - [Commits](https://github.com/TanStack/router/commits/@tanstack/react-router@1.167.0/packages/react-router) --- updated-dependencies: - dependency-name: "@tanstack/react-router" dependency-version: 1.167.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- web/frontend/package.json | 2 +- web/frontend/pnpm-lock.yaml | 85 ++++++++++++++++++++++++++----------- 2 files changed, 61 insertions(+), 26 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index 6a4719adb..f3bae6d6a 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -17,7 +17,7 @@ "@tabler/icons-react": "^3.38.0", "@tailwindcss/vite": "^4.2.1", "@tanstack/react-query": "^5.90.21", - "@tanstack/react-router": "^1.163.3", + "@tanstack/react-router": "^1.167.0", "@tanstack/react-router-devtools": "^1.163.3", "class-variance-authority": "^0.7.1", "clsx": "^2.1.1", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index 3c6c4c7cf..ac2168798 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -21,11 +21,11 @@ importers: specifier: ^5.90.21 version: 5.90.21(react@19.2.4) '@tanstack/react-router': - specifier: ^1.163.3 - version: 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + specifier: ^1.167.0 + version: 1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4) '@tanstack/react-router-devtools': specifier: ^1.163.3 - version: 1.163.3(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.163.3)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + version: 1.163.3(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.167.0)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4) class-variance-authority: specifier: ^0.7.1 version: 0.7.1 @@ -92,7 +92,7 @@ importers: version: 0.5.19(tailwindcss@4.2.1) '@tanstack/router-plugin': specifier: ^1.164.0 - version: 1.164.0(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) + version: 1.164.0(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) '@trivago/prettier-plugin-sort-imports': specifier: ^6.0.2 version: 6.0.2(prettier@3.8.1) @@ -1587,15 +1587,15 @@ packages: '@tanstack/router-core': optional: true - '@tanstack/react-router@1.163.3': - resolution: {integrity: sha512-hheBbFVb+PbxtrWp8iy6+TTRTbhx3Pn6hKo8Tv/sWlG89ZMcD1xpQWzx8ukHN9K8YWbh5rdzt4kv6u8X4kB28Q==} + '@tanstack/react-router@1.167.0': + resolution: {integrity: sha512-U7CamtXjuC8ixg1c32Rj/4A2OFBnjtMLdbgbyOGHrFHE7ULWS/yhnZLVXff0QSyn6qF92Oecek9mDMHCaTnB2Q==} engines: {node: '>=20.19'} peerDependencies: react: '>=18.0.0 || >=19.0.0' react-dom: '>=18.0.0 || >=19.0.0' - '@tanstack/react-store@0.9.1': - resolution: {integrity: sha512-YzJLnRvy5lIEFTLWBAZmcOjK3+2AepnBv/sr6NZmiqJvq7zTQggyK99Gw8fqYdMdHPQWXjz0epFKJXC+9V2xDA==} + '@tanstack/react-store@0.9.2': + resolution: {integrity: sha512-Vt5usJE5sHG/cMechQfmwvwne6ktGCELe89Lmvoxe3LKRoFrhPa8OCKWs0NliG8HTJElEIj7PLtaBQIcux5pAQ==} peerDependencies: react: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 react-dom: ^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0 @@ -1604,6 +1604,10 @@ packages: resolution: {integrity: sha512-jPptiGq/w3nuPzcMC7RNa79aU+b6OjaDzWJnBcV2UAwL4ThJamRS4h42TdhJE+oF5yH9IEnCOGQdfnbw45LbfA==} engines: {node: '>=20.19'} + '@tanstack/router-core@1.167.0': + resolution: {integrity: sha512-pnaaUP+vMQEyL2XjZGe2PXmtzulxvXfGyvEMUs+AEBaNEk77xWA88bl3ujiBRbUxzpK0rxfJf+eSKPdZmBMFdQ==} + engines: {node: '>=20.19'} + '@tanstack/router-devtools-core@1.163.3': resolution: {integrity: sha512-FPi64IP0PT1IkoeyGmsD6JoOVOYAb85VCH0mUbSdD90yV0+1UB6oT+D7K27GXkp7SXMJN3mBEjU5rKnNnmSCIw==} engines: {node: '>=20.19'} @@ -1646,6 +1650,9 @@ packages: '@tanstack/store@0.9.1': resolution: {integrity: sha512-+qcNkOy0N1qSGsP7omVCW0SDrXtaDcycPqBDE726yryiA5eTDFpjBReaYjghVJwNf1pcPMyzIwTGlYjCSQR0Fg==} + '@tanstack/store@0.9.2': + resolution: {integrity: sha512-K013lUJEFJK2ofFQ/hZKJUmCnpcV00ebLyOyFOWQvyQHUOZp/iYO84BM6aOGiV81JzwbX0APTVmW8YI7yiG5oA==} + '@tanstack/virtual-file-routes@1.161.4': resolution: {integrity: sha512-42WoRePf8v690qG8yGRe/YOh+oHni9vUaUUfoqlS91U2scd3a5rkLtVsc6b7z60w3RogH0I00vdrC5AaeiZ18w==} engines: {node: '>=20.19'} @@ -2648,8 +2655,8 @@ packages: resolution: {integrity: sha512-e6rvdUCiQCAuumZslxRJWR/Doq4VpPR82kqclvcS0efgt430SlGIk05vdCN58+VrzgtIcfNODjozVielycD4Sw==} engines: {node: '>=16'} - isbot@5.1.35: - resolution: {integrity: sha512-waFfC72ZNfwLLuJ2iLaoVaqcNo+CAaLR7xCpAn0Y5WfGzkNHv7ZN39Vbi1y+kb+Zs46XHOX3tZNExroFUPX+Kg==} + isbot@5.1.36: + resolution: {integrity: sha512-C/ZtXyJqDPZ7G7JPr06ApWyYoHjYexQbS6hPYD4WYCzpv2Qes6Z+CCEfTX4Owzf+1EJ933PoI2p+B9v7wpGZBQ==} engines: {node: '>=18'} isexe@2.0.0: @@ -3476,10 +3483,20 @@ packages: peerDependencies: seroval: ^1.0 + seroval-plugins@1.5.1: + resolution: {integrity: sha512-4FbuZ/TMl02sqv0RTFexu0SP6V+ywaIe5bAWCCEik0fk17BhALgwvUDVF7e3Uvf9pxmwCEJsRPmlkUE6HdzLAw==} + engines: {node: '>=10'} + peerDependencies: + seroval: ^1.0 + seroval@1.5.0: resolution: {integrity: sha512-OE4cvmJ1uSPrKorFIH9/w/Qwuvi/IMcGbv5RKgcJ/zjA/IohDLU6SVaxFN9FwajbP7nsX0dQqMDes1whk3y+yw==} engines: {node: '>=10'} + seroval@1.5.1: + resolution: {integrity: sha512-OwrZRZAfhHww0WEnKHDY8OM0U/Qs8OTfIDWhUD4BLpNJUfXK4cGmjiagGze086m+mhI+V2nD0gfbHEnJjb9STA==} + engines: {node: '>=10'} + serve-static@2.2.1: resolution: {integrity: sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==} engines: {node: '>= 18'} @@ -5365,31 +5382,31 @@ snapshots: '@tanstack/query-core': 5.90.20 react: 19.2.4 - '@tanstack/react-router-devtools@1.163.3(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.163.3)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': + '@tanstack/react-router-devtools@1.163.3(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(@tanstack/router-core@1.167.0)(csstype@3.2.3)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: - '@tanstack/react-router': 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4) - '@tanstack/router-devtools-core': 1.163.3(@tanstack/router-core@1.163.3)(csstype@3.2.3) + '@tanstack/react-router': 1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + '@tanstack/router-devtools-core': 1.163.3(@tanstack/router-core@1.167.0)(csstype@3.2.3) react: 19.2.4 react-dom: 19.2.4(react@19.2.4) optionalDependencies: - '@tanstack/router-core': 1.163.3 + '@tanstack/router-core': 1.167.0 transitivePeerDependencies: - csstype - '@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': + '@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: '@tanstack/history': 1.161.4 - '@tanstack/react-store': 0.9.1(react-dom@19.2.4(react@19.2.4))(react@19.2.4) - '@tanstack/router-core': 1.163.3 - isbot: 5.1.35 + '@tanstack/react-store': 0.9.2(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + '@tanstack/router-core': 1.167.0 + isbot: 5.1.36 react: 19.2.4 react-dom: 19.2.4(react@19.2.4) tiny-invariant: 1.3.3 tiny-warning: 1.0.3 - '@tanstack/react-store@0.9.1(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': + '@tanstack/react-store@0.9.2(react-dom@19.2.4(react@19.2.4))(react@19.2.4)': dependencies: - '@tanstack/store': 0.9.1 + '@tanstack/store': 0.9.2 react: 19.2.4 react-dom: 19.2.4(react@19.2.4) use-sync-external-store: 1.6.0(react@19.2.4) @@ -5404,9 +5421,19 @@ snapshots: tiny-invariant: 1.3.3 tiny-warning: 1.0.3 - '@tanstack/router-devtools-core@1.163.3(@tanstack/router-core@1.163.3)(csstype@3.2.3)': + '@tanstack/router-core@1.167.0': dependencies: - '@tanstack/router-core': 1.163.3 + '@tanstack/history': 1.161.4 + '@tanstack/store': 0.9.2 + cookie-es: 2.0.0 + seroval: 1.5.1 + seroval-plugins: 1.5.1(seroval@1.5.1) + tiny-invariant: 1.3.3 + tiny-warning: 1.0.3 + + '@tanstack/router-devtools-core@1.163.3(@tanstack/router-core@1.167.0)(csstype@3.2.3)': + dependencies: + '@tanstack/router-core': 1.167.0 clsx: 2.1.1 goober: 2.1.18(csstype@3.2.3) tiny-invariant: 1.3.3 @@ -5426,7 +5453,7 @@ snapshots: transitivePeerDependencies: - supports-color - '@tanstack/router-plugin@1.164.0(@tanstack/react-router@1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': + '@tanstack/router-plugin@1.164.0(@tanstack/react-router@1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4))(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0))': dependencies: '@babel/core': 7.29.0 '@babel/plugin-syntax-jsx': 7.28.6(@babel/core@7.29.0) @@ -5442,7 +5469,7 @@ snapshots: unplugin: 2.3.11 zod: 3.25.76 optionalDependencies: - '@tanstack/react-router': 1.163.3(react-dom@19.2.4(react@19.2.4))(react@19.2.4) + '@tanstack/react-router': 1.167.0(react-dom@19.2.4(react@19.2.4))(react@19.2.4) vite: 7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0) transitivePeerDependencies: - supports-color @@ -5463,6 +5490,8 @@ snapshots: '@tanstack/store@0.9.1': {} + '@tanstack/store@0.9.2': {} + '@tanstack/virtual-file-routes@1.161.4': {} '@trivago/prettier-plugin-sort-imports@6.0.2(prettier@3.8.1)': @@ -6489,7 +6518,7 @@ snapshots: dependencies: is-inside-container: 1.0.0 - isbot@5.1.35: {} + isbot@5.1.36: {} isexe@2.0.0: {} @@ -7517,8 +7546,14 @@ snapshots: dependencies: seroval: 1.5.0 + seroval-plugins@1.5.1(seroval@1.5.1): + dependencies: + seroval: 1.5.1 + seroval@1.5.0: {} + seroval@1.5.1: {} + serve-static@2.2.1: dependencies: encodeurl: 2.0.0 From c8065989b0f04336d94ed8aa815a5280778c7462 Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Mon, 16 Mar 2026 11:58:06 +0800 Subject: [PATCH 22/47] chore(web): upgrade eslint deps to resolve flatted vulnerability (#1629) --- web/frontend/package.json | 4 ++-- web/frontend/pnpm-lock.yaml | 28 ++++++++++++++-------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/web/frontend/package.json b/web/frontend/package.json index f3bae6d6a..973586519 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -40,7 +40,7 @@ "wrap-ansi": "^10.0.0" }, "devDependencies": { - "@eslint/js": "^9.39.1", + "@eslint/js": "^9.39.3", "@tailwindcss/typography": "^0.5.19", "@tanstack/router-plugin": "^1.164.0", "@trivago/prettier-plugin-sort-imports": "^6.0.2", @@ -49,7 +49,7 @@ "@types/react-dom": "^19.2.3", "@typescript-eslint/eslint-plugin": "^8.56.1", "@vitejs/plugin-react": "^5.2.0", - "eslint": "^9.39.1", + "eslint": "^9.39.3", "eslint-config-prettier": "^10.1.8", "eslint-plugin-react-hooks": "^7.0.1", "eslint-plugin-react-refresh": "^0.4.24", diff --git a/web/frontend/pnpm-lock.yaml b/web/frontend/pnpm-lock.yaml index ac2168798..20f0a7342 100644 --- a/web/frontend/pnpm-lock.yaml +++ b/web/frontend/pnpm-lock.yaml @@ -85,7 +85,7 @@ importers: version: 10.0.0 devDependencies: '@eslint/js': - specifier: ^9.39.1 + specifier: ^9.39.3 version: 9.39.3 '@tailwindcss/typography': specifier: ^0.5.19 @@ -112,7 +112,7 @@ importers: specifier: ^5.2.0 version: 5.2.0(vite@7.3.1(@types/node@24.11.0)(jiti@2.6.1)(lightningcss@1.31.1)(tsx@4.21.0)) eslint: - specifier: ^9.39.1 + specifier: ^9.39.3 version: 9.39.3(jiti@2.6.1) eslint-config-prettier: specifier: ^10.1.8 @@ -469,8 +469,8 @@ packages: resolution: {integrity: sha512-EriSTlt5OC9/7SXkRSCAhfSxxoSUgBm33OH+IkwbdpgoqsSsUg7y3uh+IICI/Qg4BBWr3U2i39RpmycbxMq4ew==} engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0} - '@eslint/config-array@0.21.1': - resolution: {integrity: sha512-aw1gNayWpdI/jSYVgzN5pL0cfzU02GT3NBpeT/DXbx1/1x7ZKxFPd9bwrzygx/qiwIQiJ1sw/zD8qY/kRvlGHA==} + '@eslint/config-array@0.21.2': + resolution: {integrity: sha512-nJl2KGTlrf9GjLimgIru+V/mzgSK0ABCDQRvxw5BjURL7WfH5uoWmizbH7QB6MmnMBd8cIC9uceWnezL1VZWWw==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} '@eslint/config-helpers@0.4.2': @@ -481,8 +481,8 @@ packages: resolution: {integrity: sha512-yL/sLrpmtDaFEiUj1osRP4TI2MDz1AddJL+jZ7KSqvBuliN4xqYY54IfdN8qD8Toa6g1iloph1fxQNkjOxrrpQ==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} - '@eslint/eslintrc@3.3.4': - resolution: {integrity: sha512-4h4MVF8pmBsncB60r0wSJiIeUKTSD4m7FmTFThG8RHlsg9ajqckLm9OraguFGZE4vVdpiI1Q4+hFnisopmG6gQ==} + '@eslint/eslintrc@3.3.5': + resolution: {integrity: sha512-4IlJx0X0qftVsN5E+/vGujTRIFtwuLbNsVUe7TO6zYPDR1O6nFwvwhIKEKSrl6dZchmYBITazxKoUYOjdtjlRg==} engines: {node: ^18.18.0 || ^20.9.0 || >=21.1.0} '@eslint/js@9.39.3': @@ -2362,8 +2362,8 @@ packages: resolution: {integrity: sha512-f7ccFPK3SXFHpx15UIGyRJ/FJQctuKZ0zVuN3frBo4HnK3cay9VEW0R6yPYFHC0AgqhukPzKjq22t5DmAyqGyw==} engines: {node: '>=16'} - flatted@3.3.3: - resolution: {integrity: sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==} + flatted@3.4.1: + resolution: {integrity: sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==} formdata-polyfill@4.0.10: resolution: {integrity: sha512-buewHzMvYL29jdeQTVILecSaZKnt/RJWjoZCF5OW60Z67/GmSLBkOFM7qh1PI3zFNtJbaZL5eQu1vLfazOwj4g==} @@ -4285,7 +4285,7 @@ snapshots: '@eslint-community/regexpp@4.12.2': {} - '@eslint/config-array@0.21.1': + '@eslint/config-array@0.21.2': dependencies: '@eslint/object-schema': 2.1.7 debug: 4.4.3 @@ -4301,7 +4301,7 @@ snapshots: dependencies: '@types/json-schema': 7.0.15 - '@eslint/eslintrc@3.3.4': + '@eslint/eslintrc@3.3.5': dependencies: ajv: 6.14.0 debug: 4.4.3 @@ -6077,10 +6077,10 @@ snapshots: dependencies: '@eslint-community/eslint-utils': 4.9.1(eslint@9.39.3(jiti@2.6.1)) '@eslint-community/regexpp': 4.12.2 - '@eslint/config-array': 0.21.1 + '@eslint/config-array': 0.21.2 '@eslint/config-helpers': 0.4.2 '@eslint/core': 0.17.0 - '@eslint/eslintrc': 3.3.4 + '@eslint/eslintrc': 3.3.5 '@eslint/js': 9.39.3 '@eslint/plugin-kit': 0.4.1 '@humanfs/node': 0.16.7 @@ -6270,10 +6270,10 @@ snapshots: flat-cache@4.0.1: dependencies: - flatted: 3.3.3 + flatted: 3.4.1 keyv: 4.5.4 - flatted@3.3.3: {} + flatted@3.4.1: {} formdata-polyfill@4.0.10: dependencies: From 2f10b47f59f01a34ef989fd919d84c6212b5f0ad Mon Sep 17 00:00:00 2001 From: sky5454 <sky5454@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:06:32 +0800 Subject: [PATCH 23/47] =?UTF-8?q?feat(credential):=20part1=20add=20AES-GCM?= =?UTF-8?q?=20encryption,=20SecureStore,=20and=20onboard=20ke=E2=80=A6=20(?= =?UTF-8?q?#1521)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * feat(credential): add AES-GCM encryption, SecureStore, and onboard keygen - pkg/credential: new package with AES-256-GCM enc:// credential format, HKDF-SHA256 key derivation (passphrase + optional SSH key binding), ErrPassphraseRequired / ErrDecryptionFailed sentinel errors, and PassphraseProvider hook for runtime passphrase injection - pkg/credential/store: lock-free SecureStore via atomic.Pointer[string]; passphrase never written to disk or os.Environ - pkg/credential/keygen: ed25519 SSH key generation helper used by onboard - pkg/config: replace os.Getenv(PassphraseEnvVar) with credential.PassphraseProvider() at all three call sites so that LoadConfig and SaveConfig use whatever passphrase source is active - cmd/picoclaw/onboard: prompt for passphrase with echo-off, generate picoclaw-specific SSH key, re-encrypt existing config on re-onboard - docs/credential_encryption.md: design doc for the enc:// format * fix(credential): address Copilot review comments on PR #1521 - credential.go: decouple ErrPassphraseRequired from env var name; message is now 'enc:// passphrase required' since PassphraseProvider may come from any source, not just os.Environ - credential.go: Resolver resolves symlinks via EvalSymlinks before the isWithinDir containment check, preventing symlink-based path traversal for file:// credential references - store.go: tighten comment to describe only what SecureStore guarantees (in-memory only); remove claims about how callers transport the value - store_test.go: replace the meaningless GetReturnsCopy test (Go strings are immutable, equality across two calls proves nothing) with TestSecureStore_ConcurrentSetGet that exercises atomic.Pointer under 10-goroutine concurrent Set/Get load - config_test.go: update error-message assertion to match new sentinel text - docs/credential_encryption.md: remove reference to non-existent 'picoclaw encrypt' subcommand; describe the onboard flow instead * fix(config): encryptPlaintextAPIKeys: struct-based encryption, fail-fast, remove raw []byte * fix(credential): require SSH private key for encryption/decryption, remove passphrase-only mode * lint: fix credential keygen lint, fix test keygen * onboard: make encryption opt-in via --enc flag Encryption (passphrase prompt + SSH key generation) is now only triggered when the user passes --enc to 'picoclaw onboard'. Without the flag, onboard skips the credential-encryption setup and writes a plain config + workspace templates directly. - Add --enc BoolFlag in NewOnboardCommand() - Pass encrypt bool into onboard() - Guard passphrase prompt, SSH key generation, and related env-var setup behind the encrypt branch - Adjust 'Next steps' output so the passphrase reminder only appears when --enc was used --- cmd/picoclaw/internal/onboard/command.go | 7 +- cmd/picoclaw/internal/onboard/command_test.go | 5 +- cmd/picoclaw/internal/onboard/helpers.go | 133 ++++++- docs/credential_encryption.md | 168 ++++++++ pkg/config/config.go | 72 +++- pkg/config/config_test.go | 365 +++++++++++++++++- pkg/credential/credential.go | 335 ++++++++++++++++ pkg/credential/credential_test.go | 283 ++++++++++++++ pkg/credential/keygen.go | 62 +++ pkg/credential/keygen_test.go | 115 ++++++ pkg/credential/store.go | 44 +++ pkg/credential/store_test.go | 81 ++++ 12 files changed, 1649 insertions(+), 21 deletions(-) create mode 100644 docs/credential_encryption.md create mode 100644 pkg/credential/credential.go create mode 100644 pkg/credential/credential_test.go create mode 100644 pkg/credential/keygen.go create mode 100644 pkg/credential/keygen_test.go create mode 100644 pkg/credential/store.go create mode 100644 pkg/credential/store_test.go diff --git a/cmd/picoclaw/internal/onboard/command.go b/cmd/picoclaw/internal/onboard/command.go index ec1012959..9f8b288c6 100644 --- a/cmd/picoclaw/internal/onboard/command.go +++ b/cmd/picoclaw/internal/onboard/command.go @@ -11,14 +11,19 @@ import ( var embeddedFiles embed.FS func NewOnboardCommand() *cobra.Command { + var encrypt bool + cmd := &cobra.Command{ Use: "onboard", Aliases: []string{"o"}, Short: "Initialize picoclaw configuration and workspace", Run: func(cmd *cobra.Command, args []string) { - onboard() + onboard(encrypt) }, } + cmd.Flags().BoolVar(&encrypt, "enc", false, + "Enable credential encryption (generates SSH key and prompts for passphrase)") + return cmd } diff --git a/cmd/picoclaw/internal/onboard/command_test.go b/cmd/picoclaw/internal/onboard/command_test.go index bc799a079..56936190b 100644 --- a/cmd/picoclaw/internal/onboard/command_test.go +++ b/cmd/picoclaw/internal/onboard/command_test.go @@ -24,6 +24,9 @@ func TestNewOnboardCommand(t *testing.T) { assert.Nil(t, cmd.PersistentPreRun) assert.Nil(t, cmd.PersistentPostRun) - assert.False(t, cmd.HasFlags()) + assert.True(t, cmd.HasFlags()) + encFlag := cmd.Flags().Lookup("enc") + require.NotNil(t, encFlag, "expected --enc flag to be registered") + assert.Equal(t, "false", encFlag.DefValue, "--enc should default to false") assert.False(t, cmd.HasSubCommands()) } diff --git a/cmd/picoclaw/internal/onboard/helpers.go b/cmd/picoclaw/internal/onboard/helpers.go index 4db8bdc8b..6f1d4bdd7 100644 --- a/cmd/picoclaw/internal/onboard/helpers.go +++ b/cmd/picoclaw/internal/onboard/helpers.go @@ -6,25 +6,71 @@ import ( "os" "path/filepath" + "golang.org/x/term" + "github.com/sipeed/picoclaw/cmd/picoclaw/internal" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/credential" ) -func onboard() { +func onboard(encrypt bool) { configPath := internal.GetConfigPath() + configExists := false if _, err := os.Stat(configPath); err == nil { - fmt.Printf("Config already exists at %s\n", configPath) - fmt.Print("Overwrite? (y/n): ") - var response string - fmt.Scanln(&response) - if response != "y" { - fmt.Println("Aborted.") - return + configExists = true + if encrypt { + // Only ask for confirmation when *both* config and SSH key already exist, + // indicating a full re-onboard that would reset the config to defaults. + sshKeyPath, _ := credential.DefaultSSHKeyPath() + if _, err := os.Stat(sshKeyPath); err == nil { + // Both exist — confirm a full reset. + fmt.Printf("Config already exists at %s\n", configPath) + fmt.Print("Overwrite config with defaults? (y/n): ") + var response string + fmt.Scanln(&response) + if response != "y" { + fmt.Println("Aborted.") + return + } + configExists = false // user agreed to reset; treat as fresh + } + // Config exists but SSH key is missing — keep existing config, only add SSH key. } } - cfg := config.DefaultConfig() + var err error + if encrypt { + fmt.Println("\nSet up credential encryption") + fmt.Println("-----------------------------") + passphrase, pErr := promptPassphrase() + if pErr != nil { + fmt.Printf("Error: %v\n", pErr) + os.Exit(1) + } + // Expose the passphrase to credential.PassphraseProvider (which calls + // os.Getenv by default) so that SaveConfig can encrypt api_keys. + // This process is a one-shot CLI tool; the env var is never exposed outside + // the current process and disappears when it exits. + os.Setenv(credential.PassphraseEnvVar, passphrase) + + if err = setupSSHKey(); err != nil { + fmt.Printf("Error generating SSH key: %v\n", err) + os.Exit(1) + } + } + + var cfg *config.Config + if configExists { + // Preserve the existing config; SaveConfig will re-encrypt api_keys with the new passphrase. + cfg, err = config.LoadConfig(configPath) + if err != nil { + fmt.Printf("Error loading existing config: %v\n", err) + os.Exit(1) + } + } else { + cfg = config.DefaultConfig() + } if err := config.SaveConfig(configPath, cfg); err != nil { fmt.Printf("Error saving config: %v\n", err) os.Exit(1) @@ -33,9 +79,17 @@ func onboard() { workspace := cfg.WorkspacePath() createWorkspaceTemplates(workspace) - fmt.Printf("%s picoclaw is ready!\n", internal.Logo) + fmt.Printf("\n%s picoclaw is ready!\n", internal.Logo) fmt.Println("\nNext steps:") - fmt.Println(" 1. Add your API key to", configPath) + if encrypt { + fmt.Println(" 1. Set your encryption passphrase before starting picoclaw:") + fmt.Println(" export PICOCLAW_KEY_PASSPHRASE=<your-passphrase> # Linux/macOS") + fmt.Println(" set PICOCLAW_KEY_PASSPHRASE=<your-passphrase> # Windows cmd") + fmt.Println("") + fmt.Println(" 2. Add your API key to", configPath) + } else { + fmt.Println(" 1. Add your API key to", configPath) + } fmt.Println("") fmt.Println(" Recommended:") fmt.Println(" - OpenRouter: https://openrouter.ai/keys (access 100+ models)") @@ -43,7 +97,62 @@ func onboard() { fmt.Println("") fmt.Println(" See README.md for 17+ supported providers.") fmt.Println("") - fmt.Println(" 2. Chat: picoclaw agent -m \"Hello!\"") + fmt.Println(" 3. Chat: picoclaw agent -m \"Hello!\"") +} + +// promptPassphrase reads the encryption passphrase twice from the terminal +// (with echo disabled) and returns it. Returns an error if the passphrase is +// empty or if the two inputs do not match. +func promptPassphrase() (string, error) { + fmt.Print("Enter passphrase for credential encryption: ") + p1, err := term.ReadPassword(int(os.Stdin.Fd())) + fmt.Println() + if err != nil { + return "", fmt.Errorf("reading passphrase: %w", err) + } + if len(p1) == 0 { + return "", fmt.Errorf("passphrase must not be empty") + } + + fmt.Print("Confirm passphrase: ") + p2, err := term.ReadPassword(int(os.Stdin.Fd())) + fmt.Println() + if err != nil { + return "", fmt.Errorf("reading passphrase confirmation: %w", err) + } + + if string(p1) != string(p2) { + return "", fmt.Errorf("passphrases do not match") + } + return string(p1), nil +} + +// setupSSHKey generates the picoclaw-specific SSH key at ~/.ssh/picoclaw_ed25519.key. +// If the key already exists the user is warned and asked to confirm overwrite. +// Answering anything other than "y" keeps the existing key (not an error). +func setupSSHKey() error { + keyPath, err := credential.DefaultSSHKeyPath() + if err != nil { + return fmt.Errorf("cannot determine SSH key path: %w", err) + } + + if _, err := os.Stat(keyPath); err == nil { + fmt.Printf("\n⚠️ WARNING: %s already exists.\n", keyPath) + fmt.Println(" Overwriting will invalidate any credentials previously encrypted with this key.") + fmt.Print(" Overwrite? (y/n): ") + var response string + fmt.Scanln(&response) + if response != "y" { + fmt.Println("Keeping existing SSH key.") + return nil + } + } + + if err := credential.GenerateSSHKey(keyPath); err != nil { + return err + } + fmt.Printf("SSH key generated: %s\n", keyPath) + return nil } func createWorkspaceTemplates(workspace string) { diff --git a/docs/credential_encryption.md b/docs/credential_encryption.md new file mode 100644 index 000000000..448eaaa10 --- /dev/null +++ b/docs/credential_encryption.md @@ -0,0 +1,168 @@ +# Credential Encryption + +PicoClaw supports encrypting `api_key` values in `model_list` configuration entries. +Encrypted keys are stored as `enc://<base64>` strings and decrypted automatically at startup. + +--- + +## Quick Start + +**1. Set your passphrase** + +```bash +export PICOCLAW_KEY_PASSPHRASE="your-passphrase" +``` + +**2. Encrypt an API key** + +Run `picoclaw onboard` — it prompts for your passphrase and generates the SSH key, +then automatically re-encrypts any plaintext `api_key` entries in your config on +the next `SaveConfig` call. The resulting `enc://` value will look like: + +``` +enc://AAAA...base64... +``` + +**3. Paste the output into your config** + +```json +{ + "model_list": [ + { + "model_name": "gpt-4o", + "api_key": "enc://AAAA...base64...", + "base_url": "https://api.openai.com/v1" + } + ] +} +``` + +--- + +## Supported `api_key` Formats + +| Format | Example | Behaviour | +|--------|---------|-----------| +| Plaintext | `sk-abc123` | Used as-is | +| File reference | `file://openai.key` | Content read from the same directory as the config file | +| Encrypted | `enc://<base64>` | Decrypted at startup using `PICOCLAW_KEY_PASSPHRASE` | +| Empty | `""` | Passed through unchanged (used with `auth_method: oauth`) | + +--- + +## Cryptographic Design + +### Key Derivation + +Encryption uses **HKDF-SHA256** with an optional SSH private key as a second factor. + +``` +Without SSH key (passphrase only): + + ikm = SHA256(passphrase) + aes_key = HKDF-SHA256(ikm, salt, info="picoclaw-credential-v1", 32 bytes) + + +With SSH key (recommended): + + sshHash = SHA256(ssh_private_key_file_bytes) + ikm = HMAC-SHA256(key=sshHash, message=passphrase) + aes_key = HKDF-SHA256(ikm, salt, info="picoclaw-credential-v1", 32 bytes) +``` + +### Encryption + +``` +AES-256-GCM(key=aes_key, nonce=random[12], plaintext=api_key) +``` + +### Wire Format + +``` +enc://<base64( salt[16] + nonce[12] + ciphertext )> +``` + +| Field | Size | Description | +|-------|------|-------------| +| `salt` | 16 bytes | Random per encryption; fed into HKDF | +| `nonce` | 12 bytes | Random per encryption; AES-GCM IV | +| `ciphertext` | variable | AES-256-GCM ciphertext + 16-byte authentication tag | + +The GCM authentication tag is appended to the ciphertext automatically. Any tampering causes decryption to fail with an error rather than returning corrupt plaintext. + +### Performance + +| Operation | Time (ARM Cortex-A) | +|-----------|---------------------| +| Key derivation (HKDF) | < 1 ms | +| AES-256-GCM decrypt | < 1 ms | +| **Total startup overhead** | **< 2 ms per key** | + +--- + +## Two-Factor Security with SSH Key + +When a SSH private key is provided, breaking the encryption requires **both**: + +1. The **passphrase** (`PICOCLAW_KEY_PASSPHRASE`) +2. The **SSH private key file** + +This means a leaked config file alone is not sufficient to recover the API key, even if the passphrase is weak. The SSH key contributes 256 bits of entropy (Ed25519) regardless of passphrase strength. + +### Threat Model + +| Attacker Has | Can Decrypt? | +|---|---| +| Config file only | No — needs passphrase + SSH key | +| SSH key only | No — needs passphrase | +| Passphrase only | No — needs SSH key | +| Config file + SSH key + passphrase | Yes — full compromise | + +--- + +## Environment Variables + +| Variable | Required | Description | +|----------|----------|-------------| +| `PICOCLAW_KEY_PASSPHRASE` | Yes (for `enc://`) | Passphrase used for key derivation | +| `PICOCLAW_SSH_KEY_PATH` | No | Path to SSH private key. Set to `""` to disable auto-detection and use passphrase-only mode | + +### SSH Key Auto-Detection + +If `PICOCLAW_SSH_KEY_PATH` is not set, PicoClaw looks for the picoclaw-specific key: + +``` +~/.ssh/picoclaw_ed25519.key +``` + +This dedicated file avoids conflicts with the user's existing SSH keys. +Run `picoclaw onboard` to generate it automatically. + +`os.UserHomeDir()` is used for cross-platform home directory resolution (reads `USERPROFILE` on Windows, `HOME` on Unix/macOS). + +To explicitly disable SSH key usage and use passphrase-only mode: + +```bash +export PICOCLAW_SSH_KEY_PATH="" +``` + +--- + +## Migration + +Because the only secret material is `PICOCLAW_KEY_PASSPHRASE` and the SSH private key file, migration is straightforward: + +1. Copy the config file to the new machine. +2. Set `PICOCLAW_KEY_PASSPHRASE` to the same value. +3. Copy the SSH private key file to the same path (or set `PICOCLAW_SSH_KEY_PATH` to its new location). + +No re-encryption is needed. + +--- + +## Security Considerations + +- **Passphrase strength matters in passphrase-only mode.** Without an SSH key, a weak passphrase can be brute-forced offline. Use `PICOCLAW_SSH_KEY_PATH=""` only in environments where no SSH key is available and the passphrase is sufficiently strong (≥ 32 random characters). +- **The SSH key is read-only at runtime.** PicoClaw never writes to or modifies the SSH key file. +- **Plaintext keys remain supported.** Existing configs without `enc://` are unaffected. +- **The `enc://` format is versioned** via the HKDF `info` field (`picoclaw-credential-v1`), allowing future algorithm upgrades without breaking existing encrypted values. diff --git a/pkg/config/config.go b/pkg/config/config.go index 190341224..2937c36e4 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -4,11 +4,13 @@ import ( "encoding/json" "fmt" "os" + "path/filepath" "strings" "sync/atomic" "github.com/caarlos0/env/v11" + "github.com/sipeed/picoclaw/pkg/credential" "github.com/sipeed/picoclaw/pkg/fileutil" ) @@ -837,10 +839,24 @@ func LoadConfig(path string) (*Config, error) { return nil, err } + if passphrase := credential.PassphraseProvider(); passphrase != "" { + for _, m := range cfg.ModelList { + if m.APIKey != "" && !strings.HasPrefix(m.APIKey, "enc://") && !strings.HasPrefix(m.APIKey, "file://") { + fmt.Fprintf(os.Stderr, + "picoclaw: warning: model %q has a plaintext api_key; call SaveConfig to encrypt it\n", + m.ModelName) + } + } + } + if err := env.Parse(cfg); err != nil { return nil, err } + if err := resolveAPIKeys(cfg.ModelList, filepath.Dir(path)); err != nil { + return nil, err + } + // Migrate legacy channel config fields to new unified structures cfg.migrateChannelConfigs() @@ -857,6 +873,48 @@ func LoadConfig(path string) (*Config, error) { return cfg, nil } +// encryptPlaintextAPIKeys returns a copy of models with plaintext api_key values +// encrypted. Returns (nil, nil) when nothing changed (all keys already sealed or +// empty). Returns (nil, error) if any key fails to encrypt — callers must treat +// this as a hard failure to prevent a mixed plaintext/ciphertext state on disk. +// Symmetric counterpart of resolveAPIKeys: both operate purely on []ModelConfig +// and leave JSON marshaling to the caller. +func encryptPlaintextAPIKeys(models []ModelConfig, passphrase string) ([]ModelConfig, error) { + sealed := make([]ModelConfig, len(models)) + copy(sealed, models) + changed := false + for i := range sealed { + m := &sealed[i] + if m.APIKey == "" || strings.HasPrefix(m.APIKey, "enc://") || strings.HasPrefix(m.APIKey, "file://") { + continue + } + encrypted, err := credential.Encrypt(passphrase, "", m.APIKey) + if err != nil { + return nil, fmt.Errorf("cannot seal api_key for model %q: %w", m.ModelName, err) + } + m.APIKey = encrypted + changed = true + } + if !changed { + return nil, nil + } + return sealed, nil +} + +// resolveAPIKeys decrypts or dereferences each api_key in models in-place. +// Supports plaintext (no-op), file:// (read from configDir), and enc:// (AES-GCM decrypt). +func resolveAPIKeys(models []ModelConfig, configDir string) error { + cr := credential.NewResolver(configDir) + for i := range models { + resolved, err := cr.Resolve(models[i].APIKey) + if err != nil { + return fmt.Errorf("model_list[%d] (%s): %w", i, models[i].ModelName, err) + } + models[i].APIKey = resolved + } + return nil +} + func (c *Config) migrateChannelConfigs() { // Discord: mention_only -> group_trigger.mention_only if c.Channels.Discord.MentionOnly && !c.Channels.Discord.GroupTrigger.MentionOnly { @@ -871,12 +929,22 @@ func (c *Config) migrateChannelConfigs() { } func SaveConfig(path string, cfg *Config) error { + if passphrase := credential.PassphraseProvider(); passphrase != "" { + sealed, err := encryptPlaintextAPIKeys(cfg.ModelList, passphrase) + if err != nil { + return err + } + if sealed != nil { + tmp := *cfg + tmp.ModelList = sealed + cfg = &tmp + } + } + data, err := json.MarshalIndent(cfg, "", " ") if err != nil { return err } - - // Use unified atomic write utility with explicit sync for flash storage reliability. return fileutil.WriteFileAtomic(path, data, 0o600) } diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index c5bdbf3c3..4c4dd9421 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -7,8 +7,22 @@ import ( "runtime" "strings" "testing" + + "github.com/sipeed/picoclaw/pkg/credential" ) +// mustSetupSSHKey generates a temporary Ed25519 SSH key in t.TempDir() and sets +// PICOCLAW_SSH_KEY_PATH to its path for the duration of the test. This is required +// whenever a test exercises encryption/decryption via credential.Encrypt or SaveConfig. +func mustSetupSSHKey(t *testing.T) { + t.Helper() + keyPath := filepath.Join(t.TempDir(), "picoclaw_ed25519.key") + if err := credential.GenerateSSHKey(keyPath); err != nil { + t.Fatalf("mustSetupSSHKey: %v", err) + } + t.Setenv("PICOCLAW_SSH_KEY_PATH", keyPath) +} + func TestAgentModelConfig_UnmarshalString(t *testing.T) { var m AgentModelConfig if err := json.Unmarshal([]byte(`"gpt-4"`), &m); err != nil { @@ -482,13 +496,19 @@ func TestDefaultConfig_DMScope(t *testing.T) { } func TestDefaultConfig_WorkspacePath_Default(t *testing.T) { - // Unset to ensure we test the default t.Setenv("PICOCLAW_HOME", "") - // Set a known home for consistent test results - t.Setenv("HOME", "/tmp/home") + + var fakeHome string + if runtime.GOOS == "windows" { + fakeHome = `C:\tmp\home` + t.Setenv("USERPROFILE", fakeHome) + } else { + fakeHome = "/tmp/home" + t.Setenv("HOME", fakeHome) + } cfg := DefaultConfig() - want := filepath.Join("/tmp/home", ".picoclaw", "workspace") + want := filepath.Join(fakeHome, ".picoclaw", "workspace") if cfg.Agents.Defaults.Workspace != want { t.Errorf("Default workspace path = %q, want %q", cfg.Agents.Defaults.Workspace, want) @@ -499,7 +519,7 @@ func TestDefaultConfig_WorkspacePath_WithPicoclawHome(t *testing.T) { t.Setenv("PICOCLAW_HOME", "/custom/picoclaw/home") cfg := DefaultConfig() - want := "/custom/picoclaw/home/workspace" + want := filepath.Join("/custom/picoclaw/home", "workspace") if cfg.Agents.Defaults.Workspace != want { t.Errorf("Workspace path with PICOCLAW_HOME = %q, want %q", cfg.Agents.Defaults.Workspace, want) @@ -621,3 +641,338 @@ func TestFlexibleStringSlice_UnmarshalText_EmptySliceConsistency(t *testing.T) { } }) } + +// TestLoadConfig_WarnsForPlaintextAPIKey verifies that LoadConfig resolves a plaintext +// api_key into memory but does NOT rewrite the config file. File writes are the sole +// responsibility of SaveConfig. +func TestLoadConfig_WarnsForPlaintextAPIKey(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + const original = `{"model_list":[{"model_name":"test","model":"openai/gpt-4","api_key":"sk-plaintext"}]}` + if err := os.WriteFile(cfgPath, []byte(original), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + cfg, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig: %v", err) + } + // In-memory value must be the resolved plaintext. + if cfg.ModelList[0].APIKey != "sk-plaintext" { + t.Errorf("in-memory api_key = %q, want %q", cfg.ModelList[0].APIKey, "sk-plaintext") + } + // The file on disk must remain unchanged — LoadConfig must not write anything. + raw, _ := os.ReadFile(cfgPath) + if string(raw) != original { + t.Errorf("LoadConfig must not modify the config file; got:\n%s", string(raw)) + } +} + +// TestSaveConfig_EncryptsPlaintextAPIKey verifies that SaveConfig writes enc:// ciphertext +// to disk and that a subsequent LoadConfig decrypts it back to the original plaintext. +func TestSaveConfig_EncryptsPlaintextAPIKey(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + mustSetupSSHKey(t) + + cfg := DefaultConfig() + cfg.ModelList = []ModelConfig{ + {ModelName: "test", Model: "openai/gpt-4", APIKey: "sk-plaintext"}, + } + if err := SaveConfig(cfgPath, cfg); err != nil { + t.Fatalf("SaveConfig: %v", err) + } + + // Disk must contain enc://, not the raw key. + raw, _ := os.ReadFile(cfgPath) + if !strings.Contains(string(raw), "enc://") { + t.Errorf("saved file should contain enc://, got:\n%s", string(raw)) + } + if strings.Contains(string(raw), "sk-plaintext") { + t.Errorf("saved file must not contain the plaintext key") + } + + // A fresh load must decrypt back to the original plaintext. + cfg2, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig after SaveConfig: %v", err) + } + if cfg2.ModelList[0].APIKey != "sk-plaintext" { + t.Errorf("loaded api_key = %q, want %q", cfg2.ModelList[0].APIKey, "sk-plaintext") + } +} + +// TestLoadConfig_NoSealWithoutPassphrase verifies that api_key values are left +// unchanged when PICOCLAW_KEY_PASSPHRASE is not set. +func TestLoadConfig_NoSealWithoutPassphrase(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + data := `{"model_list":[{"model_name":"test","model":"openai/gpt-4","api_key":"sk-plaintext"}]}` + if err := os.WriteFile(cfgPath, []byte(data), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + if _, err := LoadConfig(cfgPath); err != nil { + t.Fatalf("LoadConfig: %v", err) + } + + raw, _ := os.ReadFile(cfgPath) + if strings.Contains(string(raw), "enc://") { + t.Error("config file must not be modified when no passphrase is set") + } +} + +// TestLoadConfig_FileRefNotSealed verifies that file:// api_key references are not +// converted to enc:// values (they are resolved at runtime by the Resolver). +func TestLoadConfig_FileRefNotSealed(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + keyFile := filepath.Join(dir, "openai.key") + if err := os.WriteFile(keyFile, []byte("sk-from-file"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + data := `{"model_list":[{"model_name":"test","model":"openai/gpt-4","api_key":"file://openai.key"}]}` + if err := os.WriteFile(cfgPath, []byte(data), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + if _, err := LoadConfig(cfgPath); err != nil { + t.Fatalf("LoadConfig: %v", err) + } + + raw, _ := os.ReadFile(cfgPath) + if !strings.Contains(string(raw), "file://openai.key") { + t.Error("file:// reference should be preserved unchanged in the config file") + } + if strings.Contains(string(raw), "enc://") { + t.Error("file:// reference must not be converted to enc://") + } +} + +// TestSaveConfig_MixedKeys verifies that SaveConfig encrypts only plaintext api_keys +// and leaves already-encrypted (enc://) and file:// entries unchanged. +func TestSaveConfig_MixedKeys(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + mustSetupSSHKey(t) + + // Pre-encrypt one key so we have a genuine enc:// value to put in the config. + if err := SaveConfig(cfgPath, &Config{ + ModelList: []ModelConfig{ + {ModelName: "pre", Model: "openai/gpt-4", APIKey: "sk-already-plain"}, + }, + }); err != nil { + t.Fatalf("setup SaveConfig: %v", err) + } + raw, _ := os.ReadFile(cfgPath) + // Extract the enc:// value from the saved file. + var tmp struct { + ModelList []struct { + APIKey string `json:"api_key"` + } `json:"model_list"` + } + if err := json.Unmarshal(raw, &tmp); err != nil || len(tmp.ModelList) == 0 { + t.Fatalf("setup: could not parse saved config: %v", err) + } + alreadyEncrypted := tmp.ModelList[0].APIKey + if !strings.HasPrefix(alreadyEncrypted, "enc://") { + t.Fatalf("setup: expected enc:// key, got %q", alreadyEncrypted) + } + + // Build a config with three models: + // 1. plaintext → must be encrypted by SaveConfig + // 2. enc:// → must be left unchanged (already encrypted) + // 3. file:// → must be left unchanged (file reference) + keyFile := filepath.Join(dir, "api.key") + if err := os.WriteFile(keyFile, []byte("sk-from-file"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + cfg := &Config{ + ModelList: []ModelConfig{ + {ModelName: "plain", Model: "openai/gpt-4", APIKey: "sk-new-plaintext"}, + {ModelName: "enc", Model: "openai/gpt-4", APIKey: alreadyEncrypted}, + {ModelName: "file", Model: "openai/gpt-4", APIKey: "file://api.key"}, + }, + } + if err := SaveConfig(cfgPath, cfg); err != nil { + t.Fatalf("SaveConfig: %v", err) + } + + raw, _ = os.ReadFile(cfgPath) + s := string(raw) + + // 1. Plaintext must be encrypted. + if strings.Contains(s, "sk-new-plaintext") { + t.Error("plaintext key must not appear in saved file") + } + // 2. The pre-existing enc:// value must still be present (byte-for-byte unchanged). + if !strings.Contains(s, alreadyEncrypted) { + t.Error("pre-existing enc:// entry must be preserved unchanged") + } + // 3. file:// must be preserved. + if !strings.Contains(s, "file://api.key") { + t.Error("file:// reference must be preserved unchanged") + } + + // Now load and verify all three decrypt/resolve correctly. + cfg2, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig after SaveConfig: %v", err) + } + byName := make(map[string]string) + for _, m := range cfg2.ModelList { + byName[m.ModelName] = m.APIKey + } + if byName["plain"] != "sk-new-plaintext" { + t.Errorf("plain model api_key = %q, want %q", byName["plain"], "sk-new-plaintext") + } + if byName["enc"] != "sk-already-plain" { + t.Errorf("enc model api_key = %q, want %q", byName["enc"], "sk-already-plain") + } + if byName["file"] != "sk-from-file" { + t.Errorf("file model api_key = %q, want %q", byName["file"], "sk-from-file") + } +} + +// TestLoadConfig_MixedKeys_NoPassphrase verifies that when PICOCLAW_KEY_PASSPHRASE +// is not set, enc:// entries cause LoadConfig to return an error, while plaintext +// and file:// entries in the same config are not affected. +func TestLoadConfig_MixedKeys_NoPassphrase(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + // First encrypt a key so we have a real enc:// value. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "test-passphrase") + mustSetupSSHKey(t) + if err := SaveConfig(cfgPath, &Config{ + ModelList: []ModelConfig{ + {ModelName: "m", Model: "openai/gpt-4", APIKey: "sk-secret"}, + }, + }); err != nil { + t.Fatalf("setup SaveConfig: %v", err) + } + raw, _ := os.ReadFile(cfgPath) + var tmp struct { + ModelList []struct { + APIKey string `json:"api_key"` + } `json:"model_list"` + } + if err := json.Unmarshal(raw, &tmp); err != nil { + t.Fatalf("setup parse: %v", err) + } + encValue := tmp.ModelList[0].APIKey + + // Write a mixed config: enc:// + plaintext + file:// + keyFile := filepath.Join(dir, "api.key") + if err := os.WriteFile(keyFile, []byte("sk-from-file"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + mixed, _ := json.Marshal(map[string]any{ + "model_list": []map[string]any{ + {"model_name": "enc", "model": "openai/gpt-4", "api_key": encValue}, + {"model_name": "plain", "model": "openai/gpt-4", "api_key": "sk-plain"}, + {"model_name": "file", "model": "openai/gpt-4", "api_key": "file://api.key"}, + }, + }) + if err := os.WriteFile(cfgPath, mixed, 0o600); err != nil { + t.Fatalf("setup write: %v", err) + } + + // Now clear the passphrase — LoadConfig must fail because enc:// cannot be decrypted. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + + _, err := LoadConfig(cfgPath) + if err == nil { + t.Fatal("LoadConfig should fail when enc:// key is present and no passphrase is set") + } + if !strings.Contains(err.Error(), "passphrase required") { + t.Errorf("error should mention passphrase required, got: %v", err) + } +} + +// TestSaveConfig_UsesPassphraseProvider verifies that SaveConfig encrypts plaintext +// api_keys using credential.PassphraseProvider() rather than os.Getenv directly. +// This matters for the launcher, which clears the environment variable and redirects +// PassphraseProvider to an in-memory SecureStore. +func TestSaveConfig_UsesPassphraseProvider(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + // Ensure the env var is empty — passphrase must come from PassphraseProvider only. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + mustSetupSSHKey(t) + + // Replace PassphraseProvider with an in-memory function (simulating SecureStore). + const testPassphrase = "provider-passphrase" + orig := credential.PassphraseProvider + credential.PassphraseProvider = func() string { return testPassphrase } + t.Cleanup(func() { credential.PassphraseProvider = orig }) + + cfg := DefaultConfig() + cfg.ModelList = []ModelConfig{ + {ModelName: "test", Model: "openai/gpt-4", APIKey: "sk-plaintext"}, + } + if err := SaveConfig(cfgPath, cfg); err != nil { + t.Fatalf("SaveConfig: %v", err) + } + + raw, _ := os.ReadFile(cfgPath) + if !strings.Contains(string(raw), "enc://") { + t.Errorf("SaveConfig should have encrypted plaintext key via PassphraseProvider; got:\n%s", raw) + } +} + +// TestLoadConfig_UsesPassphraseProvider verifies that LoadConfig decrypts enc:// keys +// using credential.PassphraseProvider() rather than os.Getenv directly. +func TestLoadConfig_UsesPassphraseProvider(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + + // Ensure the env var is empty throughout. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + mustSetupSSHKey(t) + + const testPassphrase = "provider-passphrase" + const plainKey = "sk-secret" + + // First, encrypt the key using the same passphrase. + encrypted, err := credential.Encrypt(testPassphrase, "", plainKey) + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + raw, _ := json.Marshal(map[string]any{ + "model_list": []map[string]any{ + {"model_name": "test", "model": "openai/gpt-4", "api_key": encrypted}, + }, + }) + if err = os.WriteFile(cfgPath, raw, 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + // Redirect PassphraseProvider — env var is empty, so without this the load would fail. + orig := credential.PassphraseProvider + credential.PassphraseProvider = func() string { return testPassphrase } + t.Cleanup(func() { credential.PassphraseProvider = orig }) + + cfg, err := LoadConfig(cfgPath) + if err != nil { + t.Fatalf("LoadConfig: %v", err) + } + if cfg.ModelList[0].APIKey != plainKey { + t.Errorf("api_key = %q, want %q", cfg.ModelList[0].APIKey, plainKey) + } +} diff --git a/pkg/credential/credential.go b/pkg/credential/credential.go new file mode 100644 index 000000000..83af3fc9f --- /dev/null +++ b/pkg/credential/credential.go @@ -0,0 +1,335 @@ +// Package credential resolves API credential values for model_list entries. +// +// An API key is a form of authorization credential. This package centralizes +// how raw credential strings—plaintext or file references—are resolved into +// their actual values, keeping that logic out of the config loader. +// +// Supported formats for the api_key field: +// +// - Plaintext: "sk-abc123" → returned as-is +// - File ref: "file://filename.key" → content read from configDir/filename.key +// - Encrypted: "enc://<base64>" → AES-256-GCM decrypt via PICOCLAW_KEY_PASSPHRASE +// - Empty: "" → returned as-is (auth_method=oauth etc.) +// +// Encryption uses AES-256-GCM with HKDF-SHA256 key derivation (< 1ms, safe for embedded Linux). +// An SSH private key is required for both encryption and decryption. +// Key derivation: +// +// HKDF-SHA256(ikm=HMAC-SHA256(SHA256(sshKeyBytes), passphrase), salt, info) +// +// SSH key path resolution priority: +// +// 1. sshKeyPath argument to Encrypt (explicit) +// 2. PICOCLAW_SSH_KEY_PATH env var +// 3. ~/.ssh/picoclaw_ed25519.key (os.UserHomeDir is cross-platform) +package credential + +import ( + "crypto/aes" + "crypto/cipher" + "crypto/hkdf" + "crypto/hmac" + "crypto/rand" + "crypto/sha256" + "encoding/base64" + "errors" + "fmt" + "io" + "os" + "path/filepath" + "strings" +) + +// PassphraseEnvVar is the environment variable that holds the encryption passphrase. +// Other packages (e.g. config) reference this constant to avoid duplicating the string. +const PassphraseEnvVar = "PICOCLAW_KEY_PASSPHRASE" + +// PassphraseProvider is the function used to retrieve the passphrase for enc:// +// credential decryption. It defaults to reading PICOCLAW_KEY_PASSPHRASE from the +// process environment. Replace it at startup to use a different source, such as +// an in-memory SecureStore, so that all LoadConfig() calls everywhere share the +// same passphrase source without needing os.Environ. +// +// Example (launcher main.go): +// +// credential.PassphraseProvider = apiHandler.passphraseStore.Get +var PassphraseProvider func() string = func() string { + return os.Getenv(PassphraseEnvVar) +} + +// ErrPassphraseRequired is returned when an enc:// credential is encountered but +// no passphrase is available from PassphraseProvider. Callers can detect this +// with errors.Is to distinguish a missing-passphrase condition from other errors. +var ErrPassphraseRequired = errors.New("credential: enc:// passphrase required") + +// ErrDecryptionFailed is returned when an enc:// credential cannot be decrypted, +// indicating a wrong passphrase or SSH key. Callers can detect this with errors.Is. +var ErrDecryptionFailed = errors.New("credential: enc:// decryption failed (wrong passphrase or SSH key?)") + +const ( + fileScheme = "file://" + encScheme = "enc://" + hkdfInfo = "picoclaw-credential-v1" + saltLen = 16 + nonceLen = 12 + keyLen = 32 + sshKeyEnv = "PICOCLAW_SSH_KEY_PATH" +) + +// Resolver resolves raw credential strings for model_list api_key fields. +// File references are resolved relative to the directory of the config file. +type Resolver struct { + configDir string + resolvedConfigDir string // symlink-resolved form of configDir +} + +// NewResolver returns a Resolver that resolves file:// references relative to +// configDir (typically filepath.Dir of the config file path). +func NewResolver(configDir string) *Resolver { + resolved := configDir + if configDir != "" { + if linkedPath, err := filepath.EvalSymlinks(configDir); err == nil { + resolved = linkedPath + } + } + return &Resolver{configDir: configDir, resolvedConfigDir: resolved} +} + +// Resolve returns the actual credential value for raw: +// +// - "" → "" (no error; auth_method=oauth needs no key) +// - "file://name.key" → trimmed content of configDir/name.key +// - anything else → raw unchanged (plaintext credential) +func (r *Resolver) Resolve(raw string) (string, error) { + if raw == "" { + return "", nil + } + + if strings.HasPrefix(raw, fileScheme) { + fileName := strings.TrimSpace(strings.TrimPrefix(raw, fileScheme)) + if fileName == "" { + return "", fmt.Errorf("credential: file:// reference has no filename") + } + + baseDir := r.resolvedConfigDir + if baseDir == "" { + baseDir = r.configDir + } + keyPath := filepath.Join(baseDir, fileName) + // Resolve symlinks before enforcing containment to prevent escaping via symlinks. + realKeyPath, err := filepath.EvalSymlinks(keyPath) + if err != nil { + return "", fmt.Errorf("credential: failed to resolve credential file path %q: %w", keyPath, err) + } + if !isWithinDir(realKeyPath, baseDir) { + return "", fmt.Errorf("credential: file:// path escapes config directory") + } + data, err := os.ReadFile(realKeyPath) + if err != nil { + return "", fmt.Errorf("credential: failed to read credential file %q: %w", realKeyPath, err) + } + + value := strings.TrimSpace(string(data)) + if value == "" { + return "", fmt.Errorf("credential: credential file %q is empty", realKeyPath) + } + + return value, nil + } + + if strings.HasPrefix(raw, encScheme) { + return resolveEncrypted(raw) + } + + // Plaintext credential — return unchanged. + return raw, nil +} + +// resolveEncrypted decrypts an enc:// credential using PassphraseProvider. +func resolveEncrypted(raw string) (string, error) { + passphrase := PassphraseProvider() + if passphrase == "" { + return "", ErrPassphraseRequired + } + + sshKeyPath := pickSSHKeyPath("") // override="": consult env then auto-detect + + b64 := strings.TrimPrefix(raw, encScheme) + blob, err := base64.StdEncoding.DecodeString(b64) + if err != nil { + return "", fmt.Errorf("credential: enc:// invalid base64: %w", err) + } + if len(blob) < saltLen+nonceLen+1 { + return "", fmt.Errorf("credential: enc:// payload too short") + } + + salt := blob[:saltLen] + nonce := blob[saltLen : saltLen+nonceLen] + ciphertext := blob[saltLen+nonceLen:] + + key, err := deriveKey(passphrase, sshKeyPath, salt) + if err != nil { + return "", err + } + block, err := aes.NewCipher(key) + if err != nil { + return "", fmt.Errorf("credential: enc:// cipher init: %w", err) + } + gcm, err := cipher.NewGCM(block) + if err != nil { + return "", fmt.Errorf("credential: enc:// gcm init: %w", err) + } + + plaintext, err := gcm.Open(nil, nonce, ciphertext, nil) + if err != nil { + return "", fmt.Errorf("%w: %w", ErrDecryptionFailed, err) + } + return string(plaintext), nil +} + +// Encrypt encrypts plaintext and returns an enc:// credential string. +// +// passphrase is required (PICOCLAW_KEY_PASSPHRASE value). +// sshKeyPath is the SSH private key file to use; pass "" to auto-detect via +// PICOCLAW_SSH_KEY_PATH env var or ~/.ssh/picoclaw_ed25519.key. +// An SSH private key must be resolvable or Encrypt returns an error. +func Encrypt(passphrase, sshKeyPath, plaintext string) (string, error) { + if passphrase == "" { + return "", fmt.Errorf("credential: passphrase must not be empty") + } + sshKeyPath = pickSSHKeyPath(sshKeyPath) + + salt := make([]byte, saltLen) + if _, err := io.ReadFull(rand.Reader, salt); err != nil { + return "", fmt.Errorf("credential: failed to generate salt: %w", err) + } + + key, err := deriveKey(passphrase, sshKeyPath, salt) + if err != nil { + return "", err + } + block, err := aes.NewCipher(key) + if err != nil { + return "", fmt.Errorf("credential: cipher init: %w", err) + } + gcm, err := cipher.NewGCM(block) + if err != nil { + return "", fmt.Errorf("credential: gcm init: %w", err) + } + + nonce := make([]byte, nonceLen) + if _, err := io.ReadFull(rand.Reader, nonce); err != nil { + return "", fmt.Errorf("credential: failed to generate nonce: %w", err) + } + + ciphertext := gcm.Seal(nil, nonce, []byte(plaintext), nil) + blob := make([]byte, 0, saltLen+nonceLen+len(ciphertext)) + blob = append(blob, salt...) + blob = append(blob, nonce...) + blob = append(blob, ciphertext...) + return encScheme + base64.StdEncoding.EncodeToString(blob), nil +} + +// isWithinDir reports whether path is contained within (or equal to) dir. +// Uses filepath.IsLocal on the relative path for robust cross-platform traversal detection. +func isWithinDir(path, dir string) bool { + rel, err := filepath.Rel(filepath.Clean(dir), filepath.Clean(path)) + return err == nil && filepath.IsLocal(rel) +} + +// allowedSSHKeyPath reports whether path is in a permitted location for SSH key files: +// - exact match with PICOCLAW_SSH_KEY_PATH env var +// - within the PICOCLAW_HOME env var directory +// - within ~/.ssh/ +func allowedSSHKeyPath(path string) bool { + if path == "" { + return true // passphrase-only mode; no file will be read + } + clean := filepath.Clean(path) + + // Exact match with PICOCLAW_SSH_KEY_PATH. + if envPath, ok := os.LookupEnv(sshKeyEnv); ok && envPath != "" { + if clean == filepath.Clean(envPath) { + return true + } + } + + // Within PICOCLAW_HOME. + if picoHome := os.Getenv("PICOCLAW_HOME"); picoHome != "" { + if isWithinDir(clean, picoHome) { + return true + } + } + + // Within ~/.ssh/. + if userHome, err := os.UserHomeDir(); err == nil { + if isWithinDir(clean, filepath.Join(userHome, ".ssh")) { + return true + } + } + + return false +} + +// deriveKey derives a 32-byte AES-256 key from passphrase and SSH private key. +// +// ikm = HMAC-SHA256(key=SHA256(sshKeyBytes), msg=passphrase) +// Final key: HKDF-SHA256(ikm, salt, info="picoclaw-credential-v1", 32 bytes) +// sshKeyPath must be non-empty; returns an error otherwise. +func deriveKey(passphrase, sshKeyPath string, salt []byte) ([]byte, error) { + if sshKeyPath == "" { + return nil, fmt.Errorf( + "credential: SSH private key is required but not found" + + " (set PICOCLAW_SSH_KEY_PATH or place key at ~/.ssh/picoclaw_ed25519.key)") + } + if !allowedSSHKeyPath(sshKeyPath) { + return nil, fmt.Errorf( + "credential: SSH key path %q is not in an allowed location (PICOCLAW_SSH_KEY_PATH, PICOCLAW_HOME, or ~/.ssh/)", + sshKeyPath, + ) + } + sshBytes, err := os.ReadFile(sshKeyPath) + if err != nil { + return nil, fmt.Errorf("credential: cannot read SSH key %q: %w", sshKeyPath, err) + } + sshHash := sha256.Sum256(sshBytes) + mac := hmac.New(sha256.New, sshHash[:]) + mac.Write([]byte(passphrase)) + ikm := mac.Sum(nil) + + key, err := hkdf.Key(sha256.New, ikm, salt, hkdfInfo, keyLen) + if err != nil { + return nil, fmt.Errorf("credential: HKDF expand failed: %w", err) + } + return key, nil +} + +// pickSSHKeyPath returns the SSH private key path to use for encryption/decryption. +// +// Priority: +// 1. override (non-empty explicit argument) +// 2. PICOCLAW_SSH_KEY_PATH env var +// 3. ~/.ssh/picoclaw_ed25519.key (auto-detection) +// +// Returns "" when no key is found; deriveKey will return an error in that case. +func pickSSHKeyPath(override string) string { + if override != "" { + return override + } + if p, ok := os.LookupEnv(sshKeyEnv); ok { + return p // respect explicit setting, even if "" + } + return findDefaultSSHKey() +} + +// findDefaultSSHKey returns the picoclaw-specific SSH key path if it exists. +func findDefaultSSHKey() string { + p, err := DefaultSSHKeyPath() + if err != nil { + return "" + } + if _, err := os.Stat(p); err == nil { + return p + } + return "" +} diff --git a/pkg/credential/credential_test.go b/pkg/credential/credential_test.go new file mode 100644 index 000000000..138af3134 --- /dev/null +++ b/pkg/credential/credential_test.go @@ -0,0 +1,283 @@ +package credential_test + +import ( + "os" + "path/filepath" + "testing" + + "github.com/sipeed/picoclaw/pkg/credential" +) + +func TestResolve_PlainKey(t *testing.T) { + r := credential.NewResolver(t.TempDir()) + got, err := r.Resolve("sk-plaintext-key") + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got != "sk-plaintext-key" { + t.Fatalf("got %q, want %q", got, "sk-plaintext-key") + } +} + +func TestResolve_FileKey_Success(t *testing.T) { + dir := t.TempDir() + keyFile := "openai_plain.key" + if err := os.WriteFile(filepath.Join(dir, keyFile), []byte("sk-from-file\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + r := credential.NewResolver(dir) + got, err := r.Resolve("file://" + keyFile) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got != "sk-from-file" { + t.Fatalf("got %q, want %q", got, "sk-from-file") + } +} + +func TestResolve_FileKey_NotFound(t *testing.T) { + r := credential.NewResolver(t.TempDir()) + _, err := r.Resolve("file://missing.key") + if err == nil { + t.Fatal("expected error for missing file, got nil") + } +} + +func TestResolve_FileKey_Empty(t *testing.T) { + dir := t.TempDir() + keyFile := "empty.key" + if err := os.WriteFile(filepath.Join(dir, keyFile), []byte(" \n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + r := credential.NewResolver(dir) + _, err := r.Resolve("file://" + keyFile) + if err == nil { + t.Fatal("expected error for empty credential file, got nil") + } +} + +// TestResolve_EncKey_RoundTrip tests basic encryption/decryption round-trip with an SSH key. +func TestResolve_EncKey_RoundTrip(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-key-material\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + const passphrase = "test-passphrase-32bytes-long-ok!" + const plaintext = "sk-encrypted-secret" + + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt(passphrase, "", plaintext) + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", passphrase) + + r := credential.NewResolver(t.TempDir()) + got, err := r.Resolve(enc) + if err != nil { + t.Fatalf("Resolve: %v", err) + } + if got != plaintext { + t.Fatalf("got %q, want %q", got, plaintext) + } +} + +// TestResolve_EncKey_WithSSHKey tests that the SSH key file is incorporated into key derivation. +func TestResolve_EncKey_WithSSHKey(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-private-key-material\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + const passphrase = "test-passphrase" + const plaintext = "sk-ssh-protected-secret" + + // Set PICOCLAW_SSH_KEY_PATH before Encrypt so the path passes allowedSSHKeyPath validation. + t.Setenv("PICOCLAW_KEY_PASSPHRASE", passphrase) + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt(passphrase, sshKeyPath, plaintext) + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + r := credential.NewResolver(t.TempDir()) + got, err := r.Resolve(enc) + if err != nil { + t.Fatalf("Resolve: %v", err) + } + if got != plaintext { + t.Fatalf("got %q, want %q", got, plaintext) + } +} + +func TestResolve_EncKey_NoPassphrase(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt("some-passphrase", "", "sk-secret") + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "") + + r := credential.NewResolver(t.TempDir()) + _, err = r.Resolve(enc) + if err == nil { + t.Fatal("expected error when PICOCLAW_KEY_PASSPHRASE is unset, got nil") + } +} + +func TestResolve_EncKey_BadCiphertext(t *testing.T) { + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "some-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + r := credential.NewResolver(t.TempDir()) + _, err := r.Resolve("enc://!!not-valid-base64!!") + if err == nil { + t.Fatal("expected error for invalid enc:// payload, got nil") + } +} + +func TestResolve_EncKey_PayloadTooShort(t *testing.T) { + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "some-passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + + // Valid base64 but fewer bytes than salt(16)+nonce(12)+1 minimum. + import64 := "dG9vc2hvcnQ=" // "tooshort" = 8 bytes + r := credential.NewResolver(t.TempDir()) + _, err := r.Resolve("enc://" + import64) + if err == nil { + t.Fatal("expected error for too-short enc:// payload, got nil") + } +} + +func TestResolve_EncKey_WrongPassphrase(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-ssh-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt("correct-passphrase", "", "sk-secret") + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "wrong-passphrase") + + r := credential.NewResolver(t.TempDir()) + _, err = r.Resolve(enc) + if err == nil { + t.Fatal("expected decryption error for wrong passphrase, got nil") + } +} + +func TestEncrypt_EmptyPassphrase(t *testing.T) { + _, err := credential.Encrypt("", "", "sk-secret") + if err == nil { + t.Fatal("expected error for empty passphrase, got nil") + } +} + +func TestDeriveKey_SSHKeyNotFound(t *testing.T) { + // Encrypt with a real SSH key path, then try to decrypt with a missing path. + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + // Register the real key path so allowedSSHKeyPath validation passes for Encrypt. + t.Setenv("PICOCLAW_SSH_KEY_PATH", sshKeyPath) + + enc, err := credential.Encrypt("passphrase", sshKeyPath, "sk-secret") + if err != nil { + t.Fatalf("Encrypt: %v", err) + } + + // Point to a non-existent SSH key so deriveKey's ReadFile fails. + // The path is still under the same dir, so allowedSSHKeyPath passes (exact env match). + t.Setenv("PICOCLAW_KEY_PASSPHRASE", "passphrase") + t.Setenv("PICOCLAW_SSH_KEY_PATH", filepath.Join(dir, "nonexistent_key")) + + r := credential.NewResolver(t.TempDir()) + _, err = r.Resolve(enc) + if err == nil { + t.Fatal("expected error when SSH key file is missing, got nil") + } +} + +// TestResolve_FileRef_PathTraversal verifies that file:// references cannot escape configDir +// via relative traversal ("../../etc/passwd") or absolute paths ("/abs/path"). +func TestResolve_FileRef_PathTraversal(t *testing.T) { + dir := t.TempDir() + cfgPath := filepath.Join(dir, "config.json") + // Create a file outside configDir that the traversal would point to. + outsideFile := filepath.Join(t.TempDir(), "secret.key") + if err := os.WriteFile(outsideFile, []byte("stolen"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + r := credential.NewResolver(filepath.Dir(cfgPath)) + + cases := []string{ + "file://../../secret.key", + "file://../secret.key", + "file://" + outsideFile, // absolute path + } + for _, raw := range cases { + _, err := r.Resolve(raw) + if err == nil { + t.Errorf("Resolve(%q): expected path traversal error, got nil", raw) + } + } +} + +// TestResolve_FileRef_withinConfigDir verifies that a legitimate relative file:// ref works. +func TestResolve_FileRef_withinConfigDir(t *testing.T) { + dir := t.TempDir() + if err := os.WriteFile(filepath.Join(dir, "my.key"), []byte("sk-valid\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + r := credential.NewResolver(dir) + got, err := r.Resolve("file://my.key") + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if got != "sk-valid" { + t.Fatalf("got %q, want %q", got, "sk-valid") + } +} + +// TestEncrypt_SSHKeyOutsideAllowedDirs verifies that Encrypt rejects SSH key paths +// that are not under PICOCLAW_SSH_KEY_PATH, PICOCLAW_HOME, or ~/.ssh/. +func TestEncrypt_SSHKeyOutsideAllowedDirs(t *testing.T) { + dir := t.TempDir() + sshKeyPath := filepath.Join(dir, "picoclaw_ed25519.key") + if err := os.WriteFile(sshKeyPath, []byte("fake-key\n"), 0o600); err != nil { + t.Fatalf("setup: %v", err) + } + + // Make sure none of the allowed env vars point here. + t.Setenv("PICOCLAW_SSH_KEY_PATH", "") + t.Setenv("PICOCLAW_HOME", "") + + _, err := credential.Encrypt("passphrase", sshKeyPath, "sk-secret") + if err == nil { + t.Fatal("expected error for SSH key outside allowed directories, got nil") + } +} diff --git a/pkg/credential/keygen.go b/pkg/credential/keygen.go new file mode 100644 index 000000000..c57564a76 --- /dev/null +++ b/pkg/credential/keygen.go @@ -0,0 +1,62 @@ +package credential + +import ( + "crypto/ed25519" + "crypto/rand" + "encoding/pem" + "fmt" + "os" + "path/filepath" + + "golang.org/x/crypto/ssh" +) + +// DefaultSSHKeyPath returns the canonical path for the picoclaw-specific SSH key. +// The path is always ~/.ssh/picoclaw_ed25519.key (os.UserHomeDir is cross-platform). +func DefaultSSHKeyPath() (string, error) { + home, err := os.UserHomeDir() + if err != nil { + return "", fmt.Errorf("credential: cannot determine home directory: %w", err) + } + return filepath.Join(home, ".ssh", "picoclaw_ed25519.key"), nil +} + +// GenerateSSHKey generates an Ed25519 SSH key pair and writes the private key +// to path (permissions 0600) and the public key to path+".pub" (permissions 0644). +// The ~/.ssh/ directory is created with 0700 if it does not exist. +// If the files already exist they are overwritten. +func GenerateSSHKey(path string) error { + if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil { + return fmt.Errorf("credential: keygen: cannot create directory %q: %w", filepath.Dir(path), err) + } + + pubRaw, privRaw, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + return fmt.Errorf("credential: keygen: ed25519 key generation failed: %w", err) + } + + // Marshal private key as OpenSSH PEM. + block, err := ssh.MarshalPrivateKey(privRaw, "") + if err != nil { + return fmt.Errorf("credential: keygen: marshal private key: %w", err) + } + privPEM := pem.EncodeToMemory(block) + + if err = os.WriteFile(path, privPEM, 0o600); err != nil { + return fmt.Errorf("credential: keygen: write private key %q: %w", path, err) + } + + // Marshal public key as authorized_keys line. + sshPub, err := ssh.NewPublicKey(pubRaw) + if err != nil { + return fmt.Errorf("credential: keygen: marshal public key: %w", err) + } + pubLine := ssh.MarshalAuthorizedKey(sshPub) + + pubPath := path + ".pub" + if err := os.WriteFile(pubPath, pubLine, 0o644); err != nil { + return fmt.Errorf("credential: keygen: write public key %q: %w", pubPath, err) + } + + return nil +} diff --git a/pkg/credential/keygen_test.go b/pkg/credential/keygen_test.go new file mode 100644 index 000000000..1e21ea0b9 --- /dev/null +++ b/pkg/credential/keygen_test.go @@ -0,0 +1,115 @@ +package credential + +import ( + "crypto/ed25519" + "os" + "path/filepath" + "runtime" + "testing" + + "golang.org/x/crypto/ssh" +) + +func TestGenerateSSHKey_CreatesFiles(t *testing.T) { + dir := t.TempDir() + keyPath := filepath.Join(dir, "test_ed25519.key") + + if err := GenerateSSHKey(keyPath); err != nil { + t.Fatalf("GenerateSSHKey() error = %v", err) + } + + // Private key must exist. + privInfo, err := os.Stat(keyPath) + if err != nil { + t.Fatalf("private key file missing: %v", err) + } + + // Check permissions on non-Windows (Windows does not support Unix permission bits). + if runtime.GOOS != "windows" { + if got := privInfo.Mode().Perm(); got != 0o600 { + t.Errorf("private key permissions = %04o, want 0600", got) + } + } + + // Public key must exist. + pubPath := keyPath + ".pub" + pubInfo, err := os.Stat(pubPath) + if err != nil { + t.Fatalf("public key file missing: %v", err) + } + if runtime.GOOS != "windows" { + if got := pubInfo.Mode().Perm(); got != 0o644 { + t.Errorf("public key permissions = %04o, want 0644", got) + } + } + + // Private key must be parseable as an OpenSSH ed25519 key. + privPEM, err := os.ReadFile(keyPath) + if err != nil { + t.Fatalf("read private key: %v", err) + } + privKey, err := ssh.ParseRawPrivateKey(privPEM) + if err != nil { + t.Fatalf("parse private key: %v", err) + } + if _, ok := privKey.(*ed25519.PrivateKey); !ok { + t.Errorf("private key type = %T, want *ed25519.PrivateKey", privKey) + } + + // Public key must be parseable as authorized_keys line. + pubBytes, err := os.ReadFile(pubPath) + if err != nil { + t.Fatalf("read public key: %v", err) + } + pubKey, _, _, rest, err := ssh.ParseAuthorizedKey(pubBytes) + if err != nil { + t.Fatalf("parse public key: %v", err) + } + if pubKey == nil { + t.Fatal("expected non-nil public key") + } + if len(rest) > 0 { + t.Errorf("unexpected trailing bytes after public key: %d bytes", len(rest)) + } +} + +func TestGenerateSSHKey_OverwritesExisting(t *testing.T) { + dir := t.TempDir() + keyPath := filepath.Join(dir, "test_ed25519.key") + + // Generate twice; second call must not error and must produce a different key. + if err := GenerateSSHKey(keyPath); err != nil { + t.Fatalf("first GenerateSSHKey() error = %v", err) + } + first, err := os.ReadFile(keyPath) + if err != nil { + t.Fatalf("read first key: %v", err) + } + + if err = GenerateSSHKey(keyPath); err != nil { + t.Fatalf("second GenerateSSHKey() error = %v", err) + } + second, err := os.ReadFile(keyPath) + if err != nil { + t.Fatalf("read second key: %v", err) + } + + // Two independently generated Ed25519 keys must differ. + if string(first) == string(second) { + t.Error("expected overwritten key to differ from original") + } +} + +func TestGenerateSSHKey_CreatesDirectory(t *testing.T) { + dir := t.TempDir() + // Nested directory that does not yet exist. + keyPath := filepath.Join(dir, "subdir", ".ssh", "picoclaw_ed25519.key") + + if err := GenerateSSHKey(keyPath); err != nil { + t.Fatalf("GenerateSSHKey() error = %v", err) + } + + if _, err := os.Stat(keyPath); err != nil { + t.Fatalf("private key not created: %v", err) + } +} diff --git a/pkg/credential/store.go b/pkg/credential/store.go new file mode 100644 index 000000000..9c72974b0 --- /dev/null +++ b/pkg/credential/store.go @@ -0,0 +1,44 @@ +package credential + +import "sync/atomic" + +// SecureStore holds a passphrase in memory. +// +// Uses atomic.Pointer so reads and writes are lock-free. +// The passphrase is never written to disk; callers decide how to +// transport it outside this store (e.g., via cmd.Env or os.Environ). +type SecureStore struct { + val atomic.Pointer[string] +} + +// NewSecureStore creates an empty SecureStore. +func NewSecureStore() *SecureStore { + return &SecureStore{} +} + +// SetString stores the passphrase. An empty string clears the store. +func (s *SecureStore) SetString(passphrase string) { + if passphrase == "" { + s.val.Store(nil) + return + } + s.val.Store(&passphrase) +} + +// Get returns the stored passphrase, or "" if not set. +func (s *SecureStore) Get() string { + if p := s.val.Load(); p != nil { + return *p + } + return "" +} + +// IsSet reports whether a passphrase is currently stored. +func (s *SecureStore) IsSet() bool { + return s.val.Load() != nil +} + +// Clear removes the stored passphrase. +func (s *SecureStore) Clear() { + s.val.Store(nil) +} diff --git a/pkg/credential/store_test.go b/pkg/credential/store_test.go new file mode 100644 index 000000000..63299743a --- /dev/null +++ b/pkg/credential/store_test.go @@ -0,0 +1,81 @@ +package credential + +import ( + "sync" + "testing" +) + +func TestSecureStore_SetGet(t *testing.T) { + s := NewSecureStore() + if s.IsSet() { + t.Error("expected empty store") + } + + s.SetString("hunter2") + if !s.IsSet() { + t.Error("expected store to be set") + } + if got := s.Get(); got != "hunter2" { + t.Errorf("Get() = %q, want %q", got, "hunter2") + } +} + +func TestSecureStore_Clear(t *testing.T) { + s := NewSecureStore() + s.SetString("secret") + s.Clear() + + if s.IsSet() { + t.Error("expected store to be empty after Clear()") + } + if got := s.Get(); got != "" { + t.Errorf("Get() after Clear() = %q, want empty", got) + } +} + +func TestSecureStore_SetOverwrites(t *testing.T) { + s := NewSecureStore() + s.SetString("first") + s.SetString("second") + + if got := s.Get(); got != "second" { + t.Errorf("Get() = %q, want %q", got, "second") + } +} + +func TestSecureStore_EmptyPassphrase(t *testing.T) { + s := NewSecureStore() + s.SetString("") // empty → should not mark as set + + if s.IsSet() { + t.Error("empty passphrase should not mark store as set") + } +} + +func TestSecureStore_ConcurrentSetGet(t *testing.T) { + s := NewSecureStore() + const goroutines = 10 + const iterations = 1000 + + var wg sync.WaitGroup + wg.Add(goroutines) + for i := 0; i < goroutines; i++ { + go func(id int) { + defer wg.Done() + for j := 0; j < iterations; j++ { + if id%2 == 0 { + s.SetString("even") + } else { + s.SetString("odd") + } + _ = s.Get() + } + }(i) + } + wg.Wait() + + final := s.Get() + if final != "" && final != "even" && final != "odd" { + t.Errorf("Get() returned unexpected value %q after concurrent Set/Get", final) + } +} From 4d4243b919accb4969f2cfe71011e4a9989b80d5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:08:29 +0800 Subject: [PATCH 24/47] chore(deps): bump docker/setup-buildx-action from 3 to 4 (#1595) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-build.yml | 2 +- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index dadbed212..c03c6346f 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -31,7 +31,7 @@ jobs: # ── Docker Buildx ───────────────────────── - name: 🔧 Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 # ── Login to GHCR ───────────────────────── - name: 🔑 Login to GitHub Container Registry diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 0103fcff1..375e2e211 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -59,7 +59,7 @@ jobs: uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry uses: docker/login-action@v3 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4a584773d..56d2f2b23 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -77,7 +77,7 @@ jobs: uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry uses: docker/login-action@v3 From 44ac304e5b122bac7fbc9c9b6699ff335f0da0e2 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:09:01 +0800 Subject: [PATCH 25/47] chore(deps): bump actions/setup-node from 4 to 6 (#1597) Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/nightly.yml | 2 +- .github/workflows/release.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index 375e2e211..b29881d6c 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -48,7 +48,7 @@ jobs: go-version-file: go.mod - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 22 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 56d2f2b23..84aade578 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -66,7 +66,7 @@ jobs: go-version-file: go.mod - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 22 From f247c3bc00cb8bba874712535ce07de8c6b1b613 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:09:36 +0800 Subject: [PATCH 26/47] chore(deps): bump actions/setup-go from 5 to 6 (#1600) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5 to 6. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/pr.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml index 1e9a7919a..902d4d4eb 100644 --- a/.github/workflows/pr.yml +++ b/.github/workflows/pr.yml @@ -34,7 +34,7 @@ jobs: persist-credentials: false - name: Setup Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: go-version-file: go.mod From b7b8d1eeca7a750f3c42820727135dca8f080ced Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:10:19 +0800 Subject: [PATCH 27/47] chore(deps): bump docker/build-push-action from 6 to 7 (#1602) Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/v6...v7) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index c03c6346f..8b4c033c2 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -62,7 +62,7 @@ jobs: # ── Build & Push ────────────────────────── - name: 🚀 Build and push Docker image - uses: docker/build-push-action@v6 + uses: docker/build-push-action@v7 with: context: . push: true From 0c94e6f7b3d2a19d4e0f85bb1b5647dda14355e0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 16 Mar 2026 14:11:22 +0800 Subject: [PATCH 28/47] chore(deps): bump docker/login-action from 3 to 4 (#1604) Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/v3...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker-build.yml | 4 ++-- .github/workflows/nightly.yml | 4 ++-- .github/workflows/release.yml | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 8b4c033c2..784c404a6 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -35,7 +35,7 @@ jobs: # ── Login to GHCR ───────────────────────── - name: 🔑 Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.GHCR_REGISTRY }} username: ${{ github.actor }} @@ -43,7 +43,7 @@ jobs: # ── Login to Docker Hub ──────────────────── - name: 🔑 Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ${{ env.DOCKERHUB_REGISTRY }} username: ${{ secrets.DOCKERHUB_USERNAME }} diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml index b29881d6c..e001dc3e9 100644 --- a/.github/workflows/nightly.yml +++ b/.github/workflows/nightly.yml @@ -62,14 +62,14 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 84aade578..19c8e5404 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -80,14 +80,14 @@ jobs: uses: docker/setup-buildx-action@v4 - name: Login to GitHub Container Registry - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v4 with: registry: docker.io username: ${{ secrets.DOCKERHUB_USERNAME }} From c513ad22d73a579bb3fb30efc5b012b07c71a32c Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Mon, 16 Mar 2026 16:25:16 +0800 Subject: [PATCH 29/47] fix(web): refactor pico chat flow and fix proxied websocket URLs (#1639) - move chat controller, state, protocol, history, and websocket logic into a dedicated chat feature module - improve chat reconnection, session hydration, and send gating based on actual websocket state - preserve gateway status during transient SSE disconnects and update stop state immediately - generate wss websocket URLs behind HTTPS proxies and add backend tests for forwarded proto handling --- web/backend/api/gateway_host.go | 20 +- web/backend/api/gateway_host_test.go | 53 +++ .../src/components/chat/chat-composer.tsx | 4 +- .../src/components/chat/chat-empty-state.tsx | 2 +- .../src/components/chat/chat-page.tsx | 23 +- .../chat/controller.ts} | 337 ++++++++++-------- web/frontend/src/features/chat/history.ts | 68 ++++ web/frontend/src/features/chat/protocol.ts | 81 +++++ .../chat/state.ts} | 0 web/frontend/src/features/chat/websocket.ts | 57 +++ web/frontend/src/hooks/use-gateway.ts | 12 +- web/frontend/src/hooks/use-pico-chat.ts | 4 +- web/frontend/src/hooks/use-websocket.ts | 47 --- web/frontend/src/routes/__root.tsx | 2 +- web/frontend/src/store/chat.ts | 2 +- web/frontend/src/store/gateway.ts | 12 +- 16 files changed, 509 insertions(+), 215 deletions(-) rename web/frontend/src/{lib/pico-chat-controller.ts => features/chat/controller.ts} (53%) create mode 100644 web/frontend/src/features/chat/history.ts create mode 100644 web/frontend/src/features/chat/protocol.ts rename web/frontend/src/{lib/pico-chat-state.ts => features/chat/state.ts} (100%) create mode 100644 web/frontend/src/features/chat/websocket.ts delete mode 100644 web/frontend/src/hooks/use-websocket.ts diff --git a/web/backend/api/gateway_host.go b/web/backend/api/gateway_host.go index a499c1ea2..5ef3ba2c5 100644 --- a/web/backend/api/gateway_host.go +++ b/web/backend/api/gateway_host.go @@ -57,10 +57,28 @@ func requestHostName(r *http.Request) string { return "127.0.0.1" } +func requestWSScheme(r *http.Request) string { + if forwarded := strings.TrimSpace(r.Header.Get("X-Forwarded-Proto")); forwarded != "" { + proto := strings.ToLower(strings.TrimSpace(strings.Split(forwarded, ",")[0])) + if proto == "https" || proto == "wss" { + return "wss" + } + if proto == "http" || proto == "ws" { + return "ws" + } + } + + if r.TLS != nil { + return "wss" + } + + return "ws" +} + func (h *Handler) buildWsURL(r *http.Request, cfg *config.Config) string { host := h.effectiveGatewayBindHost(cfg) if host == "" || host == "0.0.0.0" { host = requestHostName(r) } - return "ws://" + net.JoinHostPort(host, strconv.Itoa(cfg.Gateway.Port)) + "/pico/ws" + return requestWSScheme(r) + "://" + net.JoinHostPort(host, strconv.Itoa(cfg.Gateway.Port)) + "/pico/ws" } diff --git a/web/backend/api/gateway_host_test.go b/web/backend/api/gateway_host_test.go index afd600359..43e84ff0e 100644 --- a/web/backend/api/gateway_host_test.go +++ b/web/backend/api/gateway_host_test.go @@ -1,6 +1,7 @@ package api import ( + "crypto/tls" "net/http/httptest" "path/filepath" "testing" @@ -57,3 +58,55 @@ func TestGatewayProbeHostUsesLoopbackForWildcardBind(t *testing.T) { t.Fatalf("gatewayProbeHost() = %q, want %q", got, "127.0.0.1") } } + +func TestBuildWsURLUsesWSSWhenForwardedProtoIsHTTPS(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "0.0.0.0" + cfg.Gateway.Port = 18790 + + req := httptest.NewRequest("GET", "http://launcher.local/api/pico/token", nil) + req.Host = "chat.example.com" + req.Header.Set("X-Forwarded-Proto", "https") + + if got := h.buildWsURL(req, cfg); got != "wss://chat.example.com:18790/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://chat.example.com:18790/pico/ws") + } +} + +func TestBuildWsURLUsesWSSWhenRequestIsTLS(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "0.0.0.0" + cfg.Gateway.Port = 18790 + + req := httptest.NewRequest("GET", "https://launcher.local/api/pico/token", nil) + req.Host = "secure.example.com" + req.TLS = &tls.ConnectionState{} + + if got := h.buildWsURL(req, cfg); got != "wss://secure.example.com:18790/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://secure.example.com:18790/pico/ws") + } +} + +func TestBuildWsURLPrefersForwardedHTTPOverTLS(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "0.0.0.0" + cfg.Gateway.Port = 18790 + + req := httptest.NewRequest("GET", "https://launcher.local/api/pico/token", nil) + req.Host = "chat.example.com" + req.TLS = &tls.ConnectionState{} + req.Header.Set("X-Forwarded-Proto", "http") + + if got := h.buildWsURL(req, cfg); got != "ws://chat.example.com:18790/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "ws://chat.example.com:18790/pico/ws") + } +} diff --git a/web/frontend/src/components/chat/chat-composer.tsx b/web/frontend/src/components/chat/chat-composer.tsx index e8bae89b8..7d696b898 100644 --- a/web/frontend/src/components/chat/chat-composer.tsx +++ b/web/frontend/src/components/chat/chat-composer.tsx @@ -42,7 +42,7 @@ export function ChatComposer({ placeholder={t("chat.placeholder")} disabled={!canInput} className={cn( - "max-h-[200px] min-h-[60px] resize-none border-0 bg-transparent px-2 py-1 text-[15px] shadow-none transition-colors focus-visible:ring-0 focus-visible:outline-none dark:bg-transparent", + "placeholder:text-muted-foreground max-h-[200px] min-h-[60px] resize-none border-0 bg-transparent px-2 py-1 text-[15px] shadow-none transition-colors focus-visible:ring-0 focus-visible:outline-none dark:bg-transparent", !canInput && "cursor-not-allowed", )} minRows={1} @@ -56,7 +56,7 @@ export function ChatComposer({ size="icon" className="size-8 rounded-full bg-violet-500 text-white transition-transform hover:bg-violet-600 active:scale-95" onClick={onSend} - disabled={!input.trim() || !isConnected} + disabled={!input.trim() || !canInput} > <IconArrowUp className="size-4" /> </Button> diff --git a/web/frontend/src/components/chat/chat-empty-state.tsx b/web/frontend/src/components/chat/chat-empty-state.tsx index 624ff9c59..0574c44d1 100644 --- a/web/frontend/src/components/chat/chat-empty-state.tsx +++ b/web/frontend/src/components/chat/chat-empty-state.tsx @@ -34,7 +34,7 @@ export function ChatEmptyState({ <p className="text-muted-foreground mb-4 text-center text-sm"> {t("chat.empty.noConfiguredModelDescription")} </p> - <Button asChild variant="secondary" size="sm" className="px-4"> + <Button asChild variant="outline" size="sm" className="px-4"> <Link to="/models">{t("chat.empty.goToModels")}</Link> </Button> </div> diff --git a/web/frontend/src/components/chat/chat-page.tsx b/web/frontend/src/components/chat/chat-page.tsx index 1906a0367..ebcde8981 100644 --- a/web/frontend/src/components/chat/chat-page.tsx +++ b/web/frontend/src/components/chat/chat-page.tsx @@ -15,7 +15,6 @@ import { useChatModels } from "@/hooks/use-chat-models" import { useGateway } from "@/hooks/use-gateway" import { usePicoChat } from "@/hooks/use-pico-chat" import { useSessionHistory } from "@/hooks/use-session-history" -import { hydrateActiveSession } from "@/lib/pico-chat-controller" export function ChatPage() { const { t } = useTranslation() @@ -26,6 +25,7 @@ export function ChatPage() { const { messages, + connectionState, isTyping, activeSessionId, sendMessage, @@ -34,7 +34,8 @@ export function ChatPage() { } = usePicoChat() const { state: gwState } = useGateway() - const isConnected = gwState === "running" + const isGatewayRunning = gwState === "running" + const isChatConnected = connectionState === "connected" const { defaultModelName, @@ -43,7 +44,8 @@ export function ChatPage() { oauthModels, localModels, handleSetDefault, - } = useChatModels({ isConnected }) + } = useChatModels({ isConnected: isGatewayRunning }) + const canSend = isChatConnected && Boolean(defaultModelName) const { sessions, @@ -68,10 +70,6 @@ export function ChatPage() { syncScrollState(e.currentTarget) } - useEffect(() => { - void hydrateActiveSession() - }, []) - useEffect(() => { if (scrollRef.current) { if (isAtBottom) { @@ -82,9 +80,10 @@ export function ChatPage() { }, [messages, isTyping, isAtBottom]) const handleSend = () => { - if (!input.trim() || !isConnected) return - sendMessage(input.trim()) - setInput("") + if (!input.trim() || !canSend) return + if (sendMessage(input.trim())) { + setInput("") + } } return ( @@ -143,7 +142,7 @@ export function ChatPage() { <ChatEmptyState hasConfiguredModels={hasConfiguredModels} defaultModelName={defaultModelName} - isConnected={isConnected} + isConnected={isGatewayRunning} /> )} @@ -168,7 +167,7 @@ export function ChatPage() { input={input} onInputChange={setInput} onSend={handleSend} - isConnected={isConnected} + isConnected={isChatConnected} hasDefaultModel={Boolean(defaultModelName)} /> </div> diff --git a/web/frontend/src/lib/pico-chat-controller.ts b/web/frontend/src/features/chat/controller.ts similarity index 53% rename from web/frontend/src/lib/pico-chat-controller.ts rename to web/frontend/src/features/chat/controller.ts index 0e77d1ad0..5e6eb2229 100644 --- a/web/frontend/src/lib/pico-chat-controller.ts +++ b/web/frontend/src/features/chat/controller.ts @@ -2,24 +2,24 @@ import { getDefaultStore } from "jotai" import { toast } from "sonner" import { getPicoToken } from "@/api/pico" -import { getSessionHistory } from "@/api/sessions" -import i18n from "@/i18n" +import { + loadSessionMessages, + mergeHistoryMessages, +} from "@/features/chat/history" +import { type PicoMessage, handlePicoMessage } from "@/features/chat/protocol" import { clearStoredSessionId, generateSessionId, - normalizeUnixTimestamp, readStoredSessionId, -} from "@/lib/pico-chat-state" -import { type ChatMessage, getChatState, updateChatStore } from "@/store/chat" -import { gatewayAtom } from "@/store/gateway" - -interface PicoMessage { - type: string - id?: string - session_id?: string - timestamp?: number | string - payload?: Record<string, unknown> -} +} from "@/features/chat/state" +import { + invalidateSocket, + isCurrentSocket, + normalizeWsUrlForBrowser, +} from "@/features/chat/websocket" +import i18n from "@/i18n" +import { getChatState, updateChatStore } from "@/store/chat" +import { type GatewayState, gatewayAtom } from "@/store/gateway" const store = getDefaultStore() @@ -31,81 +31,51 @@ let initialized = false let unsubscribeGateway: (() => void) | null = null let hydratePromise: Promise<void> | null = null let connectionGeneration = 0 +let reconnectTimer: number | null = null +let reconnectAttempts = 0 +let shouldMaintainConnection = false -async function loadSessionMessages(sessionId: string): Promise<ChatMessage[]> { - const detail = await getSessionHistory(sessionId) - const fallbackTime = detail.updated - - return detail.messages.map((message, index) => ({ - id: `hist-${index}-${Date.now()}`, - role: message.role, - content: message.content, - timestamp: fallbackTime, - })) +function clearReconnectTimer() { + if (reconnectTimer !== null) { + window.clearTimeout(reconnectTimer) + reconnectTimer = null + } } -function handlePicoMessage(message: PicoMessage) { - const payload = message.payload || {} +function shouldReconnectFor(generation: number, sessionId: string): boolean { + return ( + shouldMaintainConnection && + generation === connectionGeneration && + sessionId === activeSessionIdRef && + store.get(gatewayAtom).status === "running" + ) +} - switch (message.type) { - case "message.create": { - const content = (payload.content as string) || "" - const messageId = (payload.message_id as string) || `pico-${Date.now()}` - const timestamp = - message.timestamp !== undefined && - Number.isFinite(Number(message.timestamp)) - ? normalizeUnixTimestamp(Number(message.timestamp)) - : Date.now() - - updateChatStore((prev) => ({ - messages: [ - ...prev.messages, - { - id: messageId, - role: "assistant", - content, - timestamp, - }, - ], - isTyping: false, - })) - break - } - - case "message.update": { - const content = (payload.content as string) || "" - const messageId = payload.message_id as string - if (!messageId) { - break - } - - updateChatStore((prev) => ({ - messages: prev.messages.map((msg) => - msg.id === messageId ? { ...msg, content } : msg, - ), - })) - break - } - - case "typing.start": - updateChatStore({ isTyping: true }) - break - - case "typing.stop": - updateChatStore({ isTyping: false }) - break - - case "error": - console.error("Pico error:", payload) - updateChatStore({ isTyping: false }) - break - - case "pong": - break - - default: - console.log("Unknown pico message type:", message.type) +function scheduleReconnect(generation: number, sessionId: string) { + if (!shouldReconnectFor(generation, sessionId) || reconnectTimer !== null) { + return } + + const delay = Math.min(1000 * 2 ** reconnectAttempts, 5000) + reconnectAttempts += 1 + reconnectTimer = window.setTimeout(() => { + reconnectTimer = null + if (!shouldReconnectFor(generation, sessionId)) { + return + } + void connectChat() + }, delay) +} + +function needsActiveSessionHydration(): boolean { + const state = getChatState() + const storedSessionId = readStoredSessionId() + + return Boolean( + storedSessionId && + storedSessionId === state.activeSessionId && + !state.hasHydratedActiveSession, + ) } function setActiveSessionId(sessionId: string) { @@ -113,8 +83,35 @@ function setActiveSessionId(sessionId: string) { updateChatStore({ activeSessionId: sessionId }) } +function disconnectChatInternal({ + clearDesiredConnection, +}: { + clearDesiredConnection: boolean +}) { + connectionGeneration += 1 + clearReconnectTimer() + + if (clearDesiredConnection) { + shouldMaintainConnection = false + } + + const socket = wsRef + wsRef = null + isConnecting = false + + invalidateSocket(socket) + + updateChatStore({ + connectionState: "disconnected", + isTyping: false, + }) +} + export async function connectChat() { - if (store.get(gatewayAtom).status !== "running") { + if ( + store.get(gatewayAtom).status !== "running" || + needsActiveSessionHydration() + ) { return } @@ -130,12 +127,15 @@ export async function connectChat() { const generation = connectionGeneration + 1 connectionGeneration = generation isConnecting = true + clearReconnectTimer() updateChatStore({ connectionState: "connecting" }) try { const { token, ws_url } = await getPicoToken() + const sessionId = activeSessionIdRef if (generation !== connectionGeneration) { + isConnecting = false return } @@ -143,56 +143,71 @@ export async function connectChat() { console.error("No pico token available") updateChatStore({ connectionState: "error" }) isConnecting = false + scheduleReconnect(generation, sessionId) return } - let finalWsUrl = ws_url - try { - const parsedUrl = new URL(ws_url) - const isLocalHost = - parsedUrl.hostname === "localhost" || - parsedUrl.hostname === "127.0.0.1" || - parsedUrl.hostname === "0.0.0.0" - const isBrowserLocal = - window.location.hostname === "localhost" || - window.location.hostname === "127.0.0.1" - - if (isLocalHost && !isBrowserLocal) { - parsedUrl.hostname = window.location.hostname - finalWsUrl = parsedUrl.toString() - } - } catch (error) { - console.warn("Could not parse ws_url:", error) - } - - const url = `${finalWsUrl}?session_id=${encodeURIComponent(activeSessionIdRef)}` - // Send token as a subprotocol so it doesn't end up in the URL. + const finalWsUrl = normalizeWsUrlForBrowser(ws_url) + const url = `${finalWsUrl}?session_id=${encodeURIComponent(sessionId)}` const socket = new WebSocket(url, [`token.${token}`]) if (generation !== connectionGeneration) { - socket.close() + isConnecting = false + invalidateSocket(socket) return } socket.onopen = () => { - if (wsRef !== socket) { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { return } updateChatStore({ connectionState: "connected" }) isConnecting = false + reconnectAttempts = 0 } socket.onmessage = (event) => { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { + return + } + try { - const message: PicoMessage = JSON.parse(event.data) - handlePicoMessage(message) + const message = JSON.parse(event.data) as PicoMessage + handlePicoMessage(message, sessionId) } catch { console.warn("Non-JSON message from pico:", event.data) } } socket.onclose = () => { - if (wsRef !== socket) { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { return } wsRef = null @@ -201,42 +216,42 @@ export async function connectChat() { connectionState: "disconnected", isTyping: false, }) + scheduleReconnect(generation, sessionId) } socket.onerror = () => { - if (wsRef !== socket) { + if ( + !isCurrentSocket({ + socket, + currentSocket: wsRef, + generation, + currentGeneration: connectionGeneration, + sessionId, + currentSessionId: activeSessionIdRef, + }) + ) { return } isConnecting = false updateChatStore({ connectionState: "error" }) + scheduleReconnect(generation, sessionId) } wsRef = socket } catch (error) { if (generation !== connectionGeneration) { + isConnecting = false return } console.error("Failed to connect to pico:", error) updateChatStore({ connectionState: "error" }) isConnecting = false + scheduleReconnect(generation, activeSessionIdRef) } } export function disconnectChat() { - connectionGeneration += 1 - - const socket = wsRef - wsRef = null - isConnecting = false - - if (socket) { - socket.close() - } - - updateChatStore({ - connectionState: "disconnected", - isTyping: false, - }) + disconnectChatInternal({ clearDesiredConnection: true }) } export async function hydrateActiveSession() { @@ -250,7 +265,6 @@ export async function hydrateActiveSession() { if ( !storedSessionId || state.hasHydratedActiveSession || - state.messages.length > 0 || storedSessionId !== state.activeSessionId ) { if (!state.hasHydratedActiveSession) { @@ -267,7 +281,13 @@ export async function hydrateActiveSession() { } if (currentState.messages.length > 0) { - updateChatStore({ hasHydratedActiveSession: true }) + updateChatStore({ + messages: mergeHistoryMessages( + historyMessages, + currentState.messages, + ), + hasHydratedActiveSession: true, + }) return } @@ -307,9 +327,10 @@ export async function hydrateActiveSession() { export function sendChatMessage(content: string) { if (!wsRef || wsRef.readyState !== WebSocket.OPEN) { console.warn("WebSocket not connected") - return + return false } + const socket = wsRef const id = `msg-${++msgIdCounter}-${Date.now()}` updateChatStore((prev) => ({ @@ -320,13 +341,23 @@ export function sendChatMessage(content: string) { isTyping: true, })) - wsRef.send( - JSON.stringify({ - type: "message.send", - id, - payload: { content }, - }), - ) + try { + socket.send( + JSON.stringify({ + type: "message.send", + id, + payload: { content }, + }), + ) + return true + } catch (error) { + console.error("Failed to send pico message:", error) + updateChatStore((prev) => ({ + messages: prev.messages.filter((message) => message.id !== id), + isTyping: false, + })) + return false + } } export async function switchChatSession(sessionId: string) { @@ -337,7 +368,7 @@ export async function switchChatSession(sessionId: string) { try { const historyMessages = await loadSessionMessages(sessionId) - disconnectChat() + disconnectChatInternal({ clearDesiredConnection: false }) setActiveSessionId(sessionId) updateChatStore({ messages: historyMessages, @@ -346,6 +377,7 @@ export async function switchChatSession(sessionId: string) { }) if (store.get(gatewayAtom).status === "running") { + shouldMaintainConnection = true await connectChat() } } catch (error) { @@ -359,7 +391,7 @@ export async function newChatSession() { return } - disconnectChat() + disconnectChatInternal({ clearDesiredConnection: false }) setActiveSessionId(generateSessionId()) updateChatStore({ messages: [], @@ -368,6 +400,7 @@ export async function newChatSession() { }) if (store.get(gatewayAtom).status === "running") { + shouldMaintainConnection = true await connectChat() } } @@ -379,23 +412,43 @@ export function initializeChatStore() { initialized = true activeSessionIdRef = getChatState().activeSessionId + let lastGatewayStatus: GatewayState | null = null - const syncConnectionWithGateway = () => { - if (store.get(gatewayAtom).status === "running") { + const syncConnectionWithGateway = (force: boolean = false) => { + const gatewayStatus = store.get(gatewayAtom).status + if (!force && gatewayStatus === lastGatewayStatus) { + return + } + lastGatewayStatus = gatewayStatus + + if (gatewayStatus === "running") { + shouldMaintainConnection = true + if (needsActiveSessionHydration()) { + return + } void connectChat() return } - disconnectChat() + if (gatewayStatus === "stopped" || gatewayStatus === "error") { + disconnectChatInternal({ clearDesiredConnection: true }) + } } unsubscribeGateway = store.sub(gatewayAtom, syncConnectionWithGateway) if (!readStoredSessionId()) { updateChatStore({ hasHydratedActiveSession: true }) + syncConnectionWithGateway(true) + return } - syncConnectionWithGateway() + void hydrateActiveSession().finally(() => { + if (!initialized) { + return + } + syncConnectionWithGateway(true) + }) } export function teardownChatStore() { diff --git a/web/frontend/src/features/chat/history.ts b/web/frontend/src/features/chat/history.ts new file mode 100644 index 000000000..886148184 --- /dev/null +++ b/web/frontend/src/features/chat/history.ts @@ -0,0 +1,68 @@ +import { getSessionHistory } from "@/api/sessions" +import { normalizeUnixTimestamp } from "@/features/chat/state" +import type { ChatMessage } from "@/store/chat" + +export async function loadSessionMessages( + sessionId: string, +): Promise<ChatMessage[]> { + const detail = await getSessionHistory(sessionId) + const fallbackTime = detail.updated + + return detail.messages.map((message, index) => ({ + id: `hist-${index}-${Date.now()}`, + role: message.role, + content: message.content, + timestamp: fallbackTime, + })) +} + +function normalizeMessageTimestamp(timestamp: number | string): string { + if (typeof timestamp === "number") { + return String(normalizeUnixTimestamp(timestamp)) + } + + const trimmed = timestamp.trim() + if (/^-?\d+(\.\d+)?$/.test(trimmed)) { + return String(normalizeUnixTimestamp(Number(trimmed))) + } + + const parsed = Date.parse(trimmed) + return Number.isNaN(parsed) ? trimmed : String(parsed) +} + +function messageSignature(message: ChatMessage): string { + return `${message.role}\u0000${message.content}\u0000${normalizeMessageTimestamp( + message.timestamp, + )}` +} + +function comparableTimestamp(timestamp: number | string): number { + const normalized = normalizeMessageTimestamp(timestamp) + const numeric = Number(normalized) + return Number.isFinite(numeric) ? numeric : 0 +} + +export function mergeHistoryMessages( + historyMessages: ChatMessage[], + currentMessages: ChatMessage[], +): ChatMessage[] { + const currentIds = new Set(currentMessages.map((message) => message.id)) + const currentSignatures = new Set( + currentMessages.map((message) => messageSignature(message)), + ) + + const merged = [ + ...historyMessages.filter( + (message) => + !currentIds.has(message.id) && + !currentSignatures.has(messageSignature(message)), + ), + ...currentMessages, + ] + + return merged.sort( + (left, right) => + comparableTimestamp(left.timestamp) - + comparableTimestamp(right.timestamp), + ) +} diff --git a/web/frontend/src/features/chat/protocol.ts b/web/frontend/src/features/chat/protocol.ts new file mode 100644 index 000000000..5e5220c77 --- /dev/null +++ b/web/frontend/src/features/chat/protocol.ts @@ -0,0 +1,81 @@ +import { normalizeUnixTimestamp } from "@/features/chat/state" +import { updateChatStore } from "@/store/chat" + +export interface PicoMessage { + type: string + id?: string + session_id?: string + timestamp?: number | string + payload?: Record<string, unknown> +} + +export function handlePicoMessage( + message: PicoMessage, + expectedSessionId: string, +) { + if (message.session_id && message.session_id !== expectedSessionId) { + return + } + + const payload = message.payload || {} + + switch (message.type) { + case "message.create": { + const content = (payload.content as string) || "" + const messageId = (payload.message_id as string) || `pico-${Date.now()}` + const timestamp = + message.timestamp !== undefined && + Number.isFinite(Number(message.timestamp)) + ? normalizeUnixTimestamp(Number(message.timestamp)) + : Date.now() + + updateChatStore((prev) => ({ + messages: [ + ...prev.messages, + { + id: messageId, + role: "assistant", + content, + timestamp, + }, + ], + isTyping: false, + })) + break + } + + case "message.update": { + const content = (payload.content as string) || "" + const messageId = payload.message_id as string + if (!messageId) { + break + } + + updateChatStore((prev) => ({ + messages: prev.messages.map((msg) => + msg.id === messageId ? { ...msg, content } : msg, + ), + })) + break + } + + case "typing.start": + updateChatStore({ isTyping: true }) + break + + case "typing.stop": + updateChatStore({ isTyping: false }) + break + + case "error": + console.error("Pico error:", payload) + updateChatStore({ isTyping: false }) + break + + case "pong": + break + + default: + console.log("Unknown pico message type:", message.type) + } +} diff --git a/web/frontend/src/lib/pico-chat-state.ts b/web/frontend/src/features/chat/state.ts similarity index 100% rename from web/frontend/src/lib/pico-chat-state.ts rename to web/frontend/src/features/chat/state.ts diff --git a/web/frontend/src/features/chat/websocket.ts b/web/frontend/src/features/chat/websocket.ts new file mode 100644 index 000000000..6b132e9a6 --- /dev/null +++ b/web/frontend/src/features/chat/websocket.ts @@ -0,0 +1,57 @@ +export function normalizeWsUrlForBrowser(wsUrl: string): string { + let finalWsUrl = wsUrl + + try { + const parsedUrl = new URL(wsUrl) + const isLocalHost = + parsedUrl.hostname === "localhost" || + parsedUrl.hostname === "127.0.0.1" || + parsedUrl.hostname === "0.0.0.0" + const isBrowserLocal = + window.location.hostname === "localhost" || + window.location.hostname === "127.0.0.1" + + if (isLocalHost && !isBrowserLocal) { + parsedUrl.hostname = window.location.hostname + finalWsUrl = parsedUrl.toString() + } + } catch (error) { + console.warn("Could not parse ws_url:", error) + } + + return finalWsUrl +} + +export function invalidateSocket(socket: WebSocket | null) { + if (!socket) { + return + } + + socket.onopen = null + socket.onmessage = null + socket.onclose = null + socket.onerror = null + socket.close() +} + +export function isCurrentSocket({ + socket, + currentSocket, + generation, + currentGeneration, + sessionId, + currentSessionId, +}: { + socket: WebSocket + currentSocket: WebSocket | null + generation: number + currentGeneration: number + sessionId: string + currentSessionId: string +}): boolean { + return ( + currentSocket === socket && + generation === currentGeneration && + sessionId === currentSessionId + ) +} diff --git a/web/frontend/src/hooks/use-gateway.ts b/web/frontend/src/hooks/use-gateway.ts index 848f4d59c..65ec2b776 100644 --- a/web/frontend/src/hooks/use-gateway.ts +++ b/web/frontend/src/hooks/use-gateway.ts @@ -67,10 +67,9 @@ export function useGateway() { } es.onerror = () => { - // EventSource will auto-reconnect - updateGatewayStore((prev) => - prev.status === "restarting" ? {} : { status: "unknown" }, - ) + // EventSource will auto-reconnect. Preserve the last known gateway + // status so transient SSE disconnects do not suppress chat websocket + // reconnects while polling catches up. } return () => { @@ -105,6 +104,11 @@ export function useGateway() { setLoading(true) try { await stopGateway() + updateGatewayStore({ + status: "stopped", + canStart: true, + restartRequired: false, + }) } catch (err) { console.error("Failed to stop gateway:", err) } finally { diff --git a/web/frontend/src/hooks/use-pico-chat.ts b/web/frontend/src/hooks/use-pico-chat.ts index 1b97a2a9c..3ac2e1613 100644 --- a/web/frontend/src/hooks/use-pico-chat.ts +++ b/web/frontend/src/hooks/use-pico-chat.ts @@ -5,7 +5,7 @@ import { newChatSession, sendChatMessage, switchChatSession, -} from "@/lib/pico-chat-controller" +} from "@/features/chat/controller" import { chatAtom } from "@/store/chat" const UNIX_MS_THRESHOLD = 1e12 @@ -33,7 +33,6 @@ function parseTimestamp(dateRaw: number | string | Date) { return dayjs(dateRaw) } -// Helper to format message timestamps export function formatMessageTime(dateRaw: number | string | Date): string { const date = parseTimestamp(dateRaw) if (!date.isValid()) { @@ -48,7 +47,6 @@ export function formatMessageTime(dateRaw: number | string | Date): string { return date.format("LT") } - // Cross-day formatting if (isThisYear) { return date.format("MMM D LT") } diff --git a/web/frontend/src/hooks/use-websocket.ts b/web/frontend/src/hooks/use-websocket.ts deleted file mode 100644 index c41b5ed34..000000000 --- a/web/frontend/src/hooks/use-websocket.ts +++ /dev/null @@ -1,47 +0,0 @@ -import { useCallback, useEffect, useRef, useState } from "react" - -export function useWebSocket(path: string) { - const [message, setMessage] = useState<string>("No messages yet") - const [connected, setConnected] = useState(false) - const wsRef = useRef<WebSocket | null>(null) - - const connect = useCallback(() => { - if (wsRef.current) { - wsRef.current.close() - } - - const protocol = window.location.protocol === "https:" ? "wss:" : "ws:" - const url = `${protocol}//${window.location.host}${path}` - const socket = new WebSocket(url) - - socket.onopen = () => { - setConnected(true) - setMessage("Connected to WebSocket server.") - } - - socket.onmessage = (event) => { - setMessage(event.data) - } - - socket.onclose = () => { - setConnected(false) - setMessage("WebSocket connection closed.") - } - - socket.onerror = (error) => { - setConnected(false) - setMessage("WebSocket error occurred.") - console.error("WebSocket Error:", error) - } - - wsRef.current = socket - }, [path]) - - useEffect(() => { - return () => { - wsRef.current?.close() - } - }, []) - - return { message, connected, connect } -} diff --git a/web/frontend/src/routes/__root.tsx b/web/frontend/src/routes/__root.tsx index 6431d9490..31fdb7804 100644 --- a/web/frontend/src/routes/__root.tsx +++ b/web/frontend/src/routes/__root.tsx @@ -3,7 +3,7 @@ import { TanStackRouterDevtools } from "@tanstack/react-router-devtools" import { useEffect } from "react" import { AppLayout } from "@/components/app-layout" -import { initializeChatStore } from "@/lib/pico-chat-controller" +import { initializeChatStore } from "@/features/chat/controller" const RootLayout = () => { useEffect(() => { diff --git a/web/frontend/src/store/chat.ts b/web/frontend/src/store/chat.ts index d79a1a93b..da5fa6670 100644 --- a/web/frontend/src/store/chat.ts +++ b/web/frontend/src/store/chat.ts @@ -3,7 +3,7 @@ import { atom, getDefaultStore } from "jotai" import { getInitialActiveSessionId, writeStoredSessionId, -} from "@/lib/pico-chat-state" +} from "@/features/chat/state" export interface ChatMessage { id: string diff --git a/web/frontend/src/store/gateway.ts b/web/frontend/src/store/gateway.ts index b7655839c..c5eee8451 100644 --- a/web/frontend/src/store/gateway.ts +++ b/web/frontend/src/store/gateway.ts @@ -31,7 +31,17 @@ function normalizeGatewayStoreState( prev: GatewayStoreState, patch: GatewayStorePatch, ) { - return { ...prev, ...patch } + const next = { ...prev, ...patch } + + if ( + next.status === prev.status && + next.canStart === prev.canStart && + next.restartRequired === prev.restartRequired + ) { + return prev + } + + return next } export function updateGatewayStore( From 8fc36a4f9bdd4ea1c9784d2570102a5a1d16dd57 Mon Sep 17 00:00:00 2001 From: Dmitrii Balabanov <dimonb@gmail.com> Date: Fri, 13 Mar 2026 12:06:48 +0200 Subject: [PATCH 30/47] fix(logger): mask bot tokens in 3rd-party logger output --- pkg/logger/logger_3rd_party.go | 36 ++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/pkg/logger/logger_3rd_party.go b/pkg/logger/logger_3rd_party.go index da50d686a..3c311520c 100644 --- a/pkg/logger/logger_3rd_party.go +++ b/pkg/logger/logger_3rd_party.go @@ -2,7 +2,19 @@ package logger -import "fmt" +import ( + "fmt" + "regexp" +) + +// botTokenRe matches the secret part of a Telegram bot token embedded in a URL +// or log message: /bot<id>:<secret>/ → /bot<id>:****/ +var botTokenRe = regexp.MustCompile(`(bot\d+:)[A-Za-z0-9_-]{20,}`) + +// maskSecrets replaces any embedded bot tokens in s with a redacted placeholder. +func maskSecrets(s string) string { + return botTokenRe.ReplaceAllString(s, "${1}****") +} // Logger implements common Logger interface type Logger struct { @@ -12,52 +24,52 @@ type Logger struct { // Debug logs debug messages func (b *Logger) Debug(v ...any) { - logMessage(DEBUG, b.component, fmt.Sprint(v...), nil) + logMessage(DEBUG, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Info logs info messages func (b *Logger) Info(v ...any) { - logMessage(INFO, b.component, fmt.Sprint(v...), nil) + logMessage(INFO, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Warn logs warning messages func (b *Logger) Warn(v ...any) { - logMessage(WARN, b.component, fmt.Sprint(v...), nil) + logMessage(WARN, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Error logs error messages func (b *Logger) Error(v ...any) { - logMessage(ERROR, b.component, fmt.Sprint(v...), nil) + logMessage(ERROR, b.component, maskSecrets(fmt.Sprint(v...)), nil) } // Debugf logs formatted debug messages func (b *Logger) Debugf(format string, v ...any) { - logMessage(DEBUG, b.component, fmt.Sprintf(format, v...), nil) + logMessage(DEBUG, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Infof logs formatted info messages func (b *Logger) Infof(format string, v ...any) { - logMessage(INFO, b.component, fmt.Sprintf(format, v...), nil) + logMessage(INFO, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Warnf logs formatted warning messages func (b *Logger) Warnf(format string, v ...any) { - logMessage(WARN, b.component, fmt.Sprintf(format, v...), nil) + logMessage(WARN, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Warningf logs formatted warning messages func (b *Logger) Warningf(format string, v ...any) { - logMessage(WARN, b.component, fmt.Sprintf(format, v...), nil) + logMessage(WARN, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Errorf logs formatted error messages func (b *Logger) Errorf(format string, v ...any) { - logMessage(ERROR, b.component, fmt.Sprintf(format, v...), nil) + logMessage(ERROR, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Fatalf logs formatted fatal messages and exits func (b *Logger) Fatalf(format string, v ...any) { - logMessage(FATAL, b.component, fmt.Sprintf(format, v...), nil) + logMessage(FATAL, b.component, maskSecrets(fmt.Sprintf(format, v...)), nil) } // Log logs a message at a given level with caller information @@ -75,7 +87,7 @@ func (b *Logger) Log(msgL, caller int, format string, a ...any) { level = lvl } } - logMessage(level, b.component, fmt.Sprintf(format, a...), nil) + logMessage(level, b.component, maskSecrets(fmt.Sprintf(format, a...)), nil) } // Sync flushes log buffer (no-op for this implementation) From 64ceb5ab760703b0b27e933f1a022f7b64de64aa Mon Sep 17 00:00:00 2001 From: Dmitrii Balabanov <dimonb@gmail.com> Date: Fri, 13 Mar 2026 12:09:03 +0200 Subject: [PATCH 31/47] fix(logger): show first/last 4 chars of bot token for identification --- pkg/logger/logger_3rd_party.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/pkg/logger/logger_3rd_party.go b/pkg/logger/logger_3rd_party.go index 3c311520c..d0cb178c5 100644 --- a/pkg/logger/logger_3rd_party.go +++ b/pkg/logger/logger_3rd_party.go @@ -7,13 +7,14 @@ import ( "regexp" ) -// botTokenRe matches the secret part of a Telegram bot token embedded in a URL -// or log message: /bot<id>:<secret>/ → /bot<id>:****/ -var botTokenRe = regexp.MustCompile(`(bot\d+:)[A-Za-z0-9_-]{20,}`) +// botTokenRe matches the bot ID prefix and the secret part of a Telegram bot token. +// Groups: 1 = "bot<id>:", 2 = first 4 chars of secret, 3 = middle, 4 = last 4 chars. +var botTokenRe = regexp.MustCompile(`(bot\d+:)([A-Za-z0-9_-]{4})[A-Za-z0-9_-]{12,}([A-Za-z0-9_-]{4})`) -// maskSecrets replaces any embedded bot tokens in s with a redacted placeholder. +// maskSecrets replaces any embedded bot tokens in s with a redacted placeholder +// that keeps the first and last 4 characters of the secret for identification. func maskSecrets(s string) string { - return botTokenRe.ReplaceAllString(s, "${1}****") + return botTokenRe.ReplaceAllString(s, "${1}${2}****${3}") } // Logger implements common Logger interface From be4a33cc150c6ea0f41b3bd939b15dc526f84603 Mon Sep 17 00:00:00 2001 From: Cytown <cytown@gmail.com> Date: Tue, 17 Mar 2026 09:35:52 +0800 Subject: [PATCH 32/47] refactor gateway/helpers and add server.pid to health (#1646) --- cmd/picoclaw/internal/gateway/helpers.go | 121 ++++++++++------------- pkg/health/server.go | 3 + 2 files changed, 55 insertions(+), 69 deletions(-) diff --git a/cmd/picoclaw/internal/gateway/helpers.go b/cmd/picoclaw/internal/gateway/helpers.go index 3562f03ef..85e93bcf9 100644 --- a/cmd/picoclaw/internal/gateway/helpers.go +++ b/cmd/picoclaw/internal/gateway/helpers.go @@ -7,6 +7,7 @@ import ( "os/signal" "path/filepath" "sync" + "syscall" "time" "github.com/sipeed/picoclaw/cmd/picoclaw/internal" @@ -43,7 +44,6 @@ import ( // Timeout constants for service operations const ( - serviceRestartTimeout = 30 * time.Second serviceShutdownTimeout = 30 * time.Second providerReloadTimeout = 30 * time.Second gracefulShutdownTimeout = 15 * time.Second @@ -121,7 +121,7 @@ func gatewayCmd(debug bool) error { defer stopWatch() sigChan := make(chan os.Signal, 1) - signal.Notify(sigChan, os.Interrupt) + signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM) // Main event loop - wait for signals or config changes for { @@ -150,7 +150,8 @@ func setupAndStartServices( // Setup cron tool and service execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute - services.CronService = setupCronTool( + var err error + services.CronService, err = setupCronTool( agentLoop, msgBus, cfg.WorkspacePath(), @@ -158,7 +159,10 @@ func setupAndStartServices( execTimeout, cfg, ) - if err := services.CronService.Start(); err != nil { + if err != nil { + return nil, fmt.Errorf("error setting up cron service: %w", err) + } + if err = services.CronService.Start(); err != nil { return nil, fmt.Errorf("error starting cron service: %w", err) } fmt.Println("✓ Cron service started") @@ -170,26 +174,8 @@ func setupAndStartServices( cfg.Heartbeat.Enabled, ) services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(func(prompt, channel, chatID string) *tools.ToolResult { - // Use cli:direct as fallback if no valid channel - if channel == "" || chatID == "" { - channel, chatID = "cli", "direct" - } - // Use ProcessHeartbeat - no session history, each heartbeat is independent - var response string - var err error - response, err = agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) - if err != nil { - return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) - } - if response == "HEARTBEAT_OK" { - return tools.SilentResult("Heartbeat OK") - } - // For heartbeat, always return silent - the subagent result will be - // sent to user via processSystemMessage when the async task completes - return tools.SilentResult(response) - }) - if err := services.HeartbeatService.Start(); err != nil { + services.HeartbeatService.SetHandler(createHeartbeatHandler(agentLoop)) + if err = services.HeartbeatService.Start(); err != nil { return nil, fmt.Errorf("error starting heartbeat service: %w", err) } fmt.Println("✓ Heartbeat service started") @@ -206,7 +192,6 @@ func setupAndStartServices( } // Create channel manager - var err error services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) if err != nil { // Stop the media store if it's a FileMediaStore with cleanup @@ -238,7 +223,7 @@ func setupAndStartServices( services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) - if err := services.ChannelManager.StartAll(context.Background()); err != nil { + if err = services.ChannelManager.StartAll(context.Background()); err != nil { return nil, fmt.Errorf("error starting channels: %w", err) } @@ -251,7 +236,7 @@ func setupAndStartServices( MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) services.DeviceService.SetBus(msgBus) - if err := services.DeviceService.Start(context.Background()); err != nil { + if err = services.DeviceService.Start(context.Background()); err != nil { logger.ErrorCF("device", "Error starting device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println("✓ Device event service started") @@ -386,17 +371,13 @@ func restartServices( services *gatewayServices, msgBus *bus.MessageBus, ) error { - // Create an independent context with timeout for service restart - // This prevents cancellation from the main loop context during reload - ctx, cancel := context.WithTimeout(context.Background(), serviceRestartTimeout) - defer cancel() - // Get current config from agent loop (which has been updated if this is a reload) cfg := al.GetConfig() // Re-create and start cron service with new config execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute - services.CronService = setupCronTool( + var err error + services.CronService, err = setupCronTool( al, msgBus, cfg.WorkspacePath(), @@ -404,7 +385,10 @@ func restartServices( execTimeout, cfg, ) - if err := services.CronService.Start(); err != nil { + if err != nil { + return fmt.Errorf("error restarting cron service: %w", err) + } + if err = services.CronService.Start(); err != nil { return fmt.Errorf("error restarting cron service: %w", err) } fmt.Println(" ✓ Cron service restarted") @@ -416,31 +400,12 @@ func restartServices( cfg.Heartbeat.Enabled, ) services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(func(prompt, channel, chatID string) *tools.ToolResult { - if channel == "" || chatID == "" { - channel, chatID = "cli", "direct" - } - var response string - var err error - response, err = al.ProcessHeartbeat(context.Background(), prompt, channel, chatID) - if err != nil { - return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) - } - if response == "HEARTBEAT_OK" { - return tools.SilentResult("Heartbeat OK") - } - return tools.SilentResult(response) - }) - if err := services.HeartbeatService.Start(); err != nil { + services.HeartbeatService.SetHandler(createHeartbeatHandler(al)) + if err = services.HeartbeatService.Start(); err != nil { return fmt.Errorf("error restarting heartbeat service: %w", err) } fmt.Println(" ✓ Heartbeat service restarted") - // Stop the old media store before creating a new one - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { - fms.Stop() - } - // Re-create media store with new config services.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ Enabled: cfg.Tools.MediaCleanup.Enabled, @@ -454,13 +419,8 @@ func restartServices( al.SetMediaStore(services.MediaStore) // Re-create channel manager with new config - var err error services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) if err != nil { - // Stop the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { - fms.Stop() - } return fmt.Errorf("error recreating channel manager: %w", err) } al.SetChannelManager(services.ChannelManager) @@ -477,7 +437,8 @@ func restartServices( services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) - if err := services.ChannelManager.StartAll(ctx); err != nil { + // Use background context for lifecycle to ensure services persist after restartServices returns + if err = services.ChannelManager.StartAll(context.Background()); err != nil { return fmt.Errorf("error restarting channels: %w", err) } fmt.Printf( @@ -493,7 +454,7 @@ func restartServices( MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) services.DeviceService.SetBus(msgBus) - if err := services.DeviceService.Start(ctx); err != nil { + if err := services.DeviceService.Start(context.Background()); err != nil { logger.WarnCF("device", "Failed to restart device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println(" ✓ Device event service restarted") @@ -544,6 +505,10 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf // Debounce - wait a bit to ensure file write is complete time.Sleep(500 * time.Millisecond) + // Update last known state to prevent repeated reload attempts on failure + lastModTime = currentModTime + lastSize = currentSize + // Validate and load new config newCfg, err := config.LoadConfig(configPath) if err != nil { @@ -561,10 +526,6 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf logger.Info("✓ Config file validated and loaded") - // Update last known state - lastModTime = currentModTime - lastSize = currentSize - // Send new config to main loop (non-blocking) select { case configChan <- newCfg: @@ -613,7 +574,7 @@ func setupCronTool( restrict bool, execTimeout time.Duration, cfg *config.Config, -) *cron.CronService { +) (*cron.CronService, error) { cronStorePath := filepath.Join(workspace, "cron", "jobs.json") // Create cron service @@ -625,7 +586,7 @@ func setupCronTool( var err error cronTool, err = tools.NewCronTool(cronService, agentLoop, msgBus, workspace, restrict, execTimeout, cfg) if err != nil { - logger.Fatalf("Critical error during CronTool initialization: %v", err) + return nil, fmt.Errorf("critical error during CronTool initialization: %w", err) } agentLoop.RegisterTool(cronTool) @@ -639,5 +600,27 @@ func setupCronTool( }) } - return cronService + return cronService, nil +} + +func createHeartbeatHandler(agentLoop *agent.AgentLoop) func(prompt, channel, chatID string) *tools.ToolResult { + return func(prompt, channel, chatID string) *tools.ToolResult { + // Use cli:direct as fallback if no valid channel + if channel == "" || chatID == "" { + channel, chatID = "cli", "direct" + } + // Use ProcessHeartbeat - no session history, each heartbeat is independent + var response string + var err error + response, err = agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) + if err != nil { + return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) + } + if response == "HEARTBEAT_OK" { + return tools.SilentResult("Heartbeat OK") + } + // For heartbeat, always return silent - the subagent result will be + // sent to user via processSystemMessage when the async task completes + return tools.SilentResult(response) + } } diff --git a/pkg/health/server.go b/pkg/health/server.go index 5609ebdf6..b9ee9f496 100644 --- a/pkg/health/server.go +++ b/pkg/health/server.go @@ -6,6 +6,7 @@ import ( "fmt" "maps" "net/http" + "os" "sync" "time" ) @@ -29,6 +30,7 @@ type StatusResponse struct { Status string `json:"status"` Uptime string `json:"uptime"` Checks map[string]Check `json:"checks,omitempty"` + Pid int `json:"pid"` } func NewServer(host string, port int) *Server { @@ -112,6 +114,7 @@ func (s *Server) healthHandler(w http.ResponseWriter, r *http.Request) { resp := StatusResponse{ Status: "ok", Uptime: uptime.String(), + Pid: os.Getpid(), } json.NewEncoder(w).Encode(resp) From fcb69860c4807bbe1da4ef9144fc38fbcaf49fd9 Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 09:44:32 +0800 Subject: [PATCH 33/47] feat(web): add configurable cron command execution settings (#1647) - add tools.cron.allow_command config with a default value of true - require command_confirm only when cron command execution is disabled - expose cron command permission and timeout settings in the config UI - add backend tests and update i18n strings --- pkg/config/config.go | 5 +- pkg/config/config_test.go | 23 +++++++ pkg/config/defaults.go | 1 + pkg/tools/cron.go | 34 +++++++---- pkg/tools/cron_test.go | 61 +++++++++++++++++-- .../src/components/config/config-page.tsx | 12 ++++ .../src/components/config/config-sections.tsx | 36 +++++++++++ .../src/components/config/form-model.ts | 13 ++++ web/frontend/src/i18n/locales/en.json | 5 ++ web/frontend/src/i18n/locales/zh.json | 5 ++ 10 files changed, 174 insertions(+), 21 deletions(-) diff --git a/pkg/config/config.go b/pkg/config/config.go index 2937c36e4..ad5618907 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -699,8 +699,9 @@ type WebToolsConfig struct { } type CronToolsConfig struct { - ToolConfig ` envPrefix:"PICOCLAW_TOOLS_CRON_"` - ExecTimeoutMinutes int ` env:"PICOCLAW_TOOLS_CRON_EXEC_TIMEOUT_MINUTES" json:"exec_timeout_minutes"` // 0 means no timeout + ToolConfig ` envPrefix:"PICOCLAW_TOOLS_CRON_"` + ExecTimeoutMinutes int ` env:"PICOCLAW_TOOLS_CRON_EXEC_TIMEOUT_MINUTES" json:"exec_timeout_minutes"` // 0 means no timeout + AllowCommand bool ` env:"PICOCLAW_TOOLS_CRON_ALLOW_COMMAND" json:"allow_command"` } type ExecConfig struct { diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index 4c4dd9421..fc835f78f 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -405,6 +405,13 @@ func TestDefaultConfig_ExecAllowRemoteEnabled(t *testing.T) { } } +func TestDefaultConfig_CronAllowCommandEnabled(t *testing.T) { + cfg := DefaultConfig() + if !cfg.Tools.Cron.AllowCommand { + t.Fatal("DefaultConfig().Tools.Cron.AllowCommand should be true") + } +} + func TestLoadConfig_OpenAIWebSearchDefaultsTrueWhenUnset(t *testing.T) { dir := t.TempDir() configPath := filepath.Join(dir, "config.json") @@ -437,6 +444,22 @@ func TestLoadConfig_ExecAllowRemoteDefaultsTrueWhenUnset(t *testing.T) { } } +func TestLoadConfig_CronAllowCommandDefaultsTrueWhenUnset(t *testing.T) { + dir := t.TempDir() + configPath := filepath.Join(dir, "config.json") + if err := os.WriteFile(configPath, []byte(`{"tools":{"cron":{"exec_timeout_minutes":5}}}`), 0o600); err != nil { + t.Fatalf("WriteFile() error: %v", err) + } + + cfg, err := LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error: %v", err) + } + if !cfg.Tools.Cron.AllowCommand { + t.Fatal("tools.cron.allow_command should remain true when unset in config file") + } +} + func TestLoadConfig_OpenAIWebSearchCanBeDisabled(t *testing.T) { dir := t.TempDir() configPath := filepath.Join(dir, "config.json") diff --git a/pkg/config/defaults.go b/pkg/config/defaults.go index dc534d852..a029eeb59 100644 --- a/pkg/config/defaults.go +++ b/pkg/config/defaults.go @@ -452,6 +452,7 @@ func DefaultConfig() *Config { Enabled: true, }, ExecTimeoutMinutes: 5, + AllowCommand: true, }, Exec: ExecConfig{ ToolConfig: ToolConfig{ diff --git a/pkg/tools/cron.go b/pkg/tools/cron.go index 25608a54c..aa22f9aa6 100644 --- a/pkg/tools/cron.go +++ b/pkg/tools/cron.go @@ -20,10 +20,11 @@ type JobExecutor interface { // CronTool provides scheduling capabilities for the agent type CronTool struct { - cronService *cron.CronService - executor JobExecutor - msgBus *bus.MessageBus - execTool *ExecTool + cronService *cron.CronService + executor JobExecutor + msgBus *bus.MessageBus + execTool *ExecTool + allowCommand bool } // NewCronTool creates a new CronTool @@ -37,12 +38,18 @@ func NewCronTool( return nil, fmt.Errorf("unable to configure exec tool: %w", err) } + allowCommand := true + if config != nil { + allowCommand = config.Tools.Cron.AllowCommand + } + execTool.SetTimeout(execTimeout) return &CronTool{ - cronService: cronService, - executor: executor, - msgBus: msgBus, - execTool: execTool, + cronService: cronService, + executor: executor, + msgBus: msgBus, + execTool: execTool, + allowCommand: allowCommand, }, nil } @@ -76,7 +83,7 @@ func (t *CronTool) Parameters() map[string]any { }, "command_confirm": map[string]any{ "type": "boolean", - "description": "Required when using command=true. Must be true to explicitly confirm scheduling a shell command.", + "description": "Optional explicit confirmation flag for scheduling a shell command. Command execution must also be enabled via tools.cron.allow_command.", }, "at_seconds": map[string]any{ "type": "integer", @@ -180,16 +187,17 @@ func (t *CronTool) addJob(ctx context.Context, args map[string]any) *ToolResult deliver = d } - // GHSA-pv8c-p6jf-3fpp: command scheduling requires internal channel + explicit confirm. - // Non-command reminders (plain messages) remain open to all channels. + // GHSA-pv8c-p6jf-3fpp: command scheduling requires internal channel. When + // allow_command is disabled, explicit confirmation is required as an override. + // Non-command reminders remain open to all channels. command, _ := args["command"].(string) commandConfirm, _ := args["command_confirm"].(bool) if command != "" { if !constants.IsInternalChannel(channel) { return ErrorResult("scheduling command execution is restricted to internal channels") } - if !commandConfirm { - return ErrorResult("command_confirm=true is required to schedule command execution") + if !t.allowCommand && !commandConfirm { + return ErrorResult("command_confirm=true is required when allow_command is disabled") } deliver = false } diff --git a/pkg/tools/cron_test.go b/pkg/tools/cron_test.go index f1e857949..e46b13b13 100644 --- a/pkg/tools/cron_test.go +++ b/pkg/tools/cron_test.go @@ -11,12 +11,11 @@ import ( "github.com/sipeed/picoclaw/pkg/cron" ) -func newTestCronTool(t *testing.T) *CronTool { +func newTestCronToolWithConfig(t *testing.T, cfg *config.Config) *CronTool { t.Helper() storePath := filepath.Join(t.TempDir(), "cron.json") cronService := cron.NewCronService(storePath, nil) msgBus := bus.NewMessageBus() - cfg := config.DefaultConfig() tool, err := NewCronTool(cronService, nil, msgBus, t.TempDir(), true, 0, cfg) if err != nil { t.Fatalf("NewCronTool() error: %v", err) @@ -24,6 +23,11 @@ func newTestCronTool(t *testing.T) *CronTool { return tool } +func newTestCronTool(t *testing.T) *CronTool { + t.Helper() + return newTestCronToolWithConfig(t, config.DefaultConfig()) +} + // TestCronTool_CommandBlockedFromRemoteChannel verifies command scheduling is restricted to internal channels func TestCronTool_CommandBlockedFromRemoteChannel(t *testing.T) { tool := newTestCronTool(t) @@ -44,8 +48,7 @@ func TestCronTool_CommandBlockedFromRemoteChannel(t *testing.T) { } } -// TestCronTool_CommandRequiresConfirm verifies command_confirm=true is required -func TestCronTool_CommandRequiresConfirm(t *testing.T) { +func TestCronTool_CommandDoesNotRequireConfirmByDefault(t *testing.T) { tool := newTestCronTool(t) ctx := WithToolContext(context.Background(), "cli", "direct") result := tool.Execute(ctx, map[string]any{ @@ -55,11 +58,57 @@ func TestCronTool_CommandRequiresConfirm(t *testing.T) { "at_seconds": float64(60), }) + if result.IsError { + t.Fatalf("expected command scheduling without confirm to succeed by default, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "Cron job added") { + t.Errorf("expected 'Cron job added', got: %s", result.ForLLM) + } +} + +func TestCronTool_CommandRequiresConfirmWhenAllowCommandDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Cron.AllowCommand = false + + tool := newTestCronToolWithConfig(t, cfg) + ctx := WithToolContext(context.Background(), "cli", "direct") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "check disk", + "command": "df -h", + "at_seconds": float64(60), + }) + if !result.IsError { - t.Fatal("expected error when command_confirm is missing") + t.Fatal("expected command scheduling to require confirm when allow_command is disabled") } if !strings.Contains(result.ForLLM, "command_confirm=true") { - t.Errorf("expected 'command_confirm=true' message, got: %s", result.ForLLM) + t.Errorf("expected command_confirm requirement message, got: %s", result.ForLLM) + } +} + +func TestCronTool_CommandAllowedWithConfirmWhenAllowCommandDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Cron.AllowCommand = false + + tool := newTestCronToolWithConfig(t, cfg) + ctx := WithToolContext(context.Background(), "cli", "direct") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "check disk", + "command": "df -h", + "command_confirm": true, + "at_seconds": float64(60), + }) + + if result.IsError { + t.Fatalf( + "expected command scheduling with confirm to succeed when allow_command is disabled, got: %s", + result.ForLLM, + ) + } + if !strings.Contains(result.ForLLM, "Cron job added") { + t.Errorf("expected 'Cron job added', got: %s", result.ForLLM) } } diff --git a/web/frontend/src/components/config/config-page.tsx b/web/frontend/src/components/config/config-page.tsx index cbce7d27e..130498ba4 100644 --- a/web/frontend/src/components/config/config-page.tsx +++ b/web/frontend/src/components/config/config-page.tsx @@ -14,6 +14,7 @@ import { } from "@/api/system" import { AgentDefaultsSection, + CronSection, DevicesSection, LauncherSection, RuntimeSection, @@ -164,6 +165,11 @@ export function ConfigPage() { "Heartbeat interval", { min: 1 }, ) + const cronExecTimeoutMinutes = parseIntField( + form.cronExecTimeoutMinutes, + "Cron exec timeout", + { min: 0 }, + ) await patchAppConfig({ agents: { @@ -180,6 +186,10 @@ export function ConfigPage() { dm_scope: dmScope, }, tools: { + cron: { + allow_command: form.allowCommand, + exec_timeout_minutes: cronExecTimeoutMinutes, + }, exec: { allow_remote: form.allowRemote, }, @@ -279,6 +289,8 @@ export function ConfigPage() { <RuntimeSection form={form} onFieldChange={updateField} /> + <CronSection form={form} onFieldChange={updateField} /> + <LauncherSection launcherForm={launcherForm} onFieldChange={updateLauncherField} diff --git a/web/frontend/src/components/config/config-sections.tsx b/web/frontend/src/components/config/config-sections.tsx index dfbe22fc3..04b9e528b 100644 --- a/web/frontend/src/components/config/config-sections.tsx +++ b/web/frontend/src/components/config/config-sections.tsx @@ -236,6 +236,42 @@ export function RuntimeSection({ form, onFieldChange }: RuntimeSectionProps) { ) } +interface CronSectionProps { + form: CoreConfigForm + onFieldChange: UpdateCoreField +} + +export function CronSection({ form, onFieldChange }: CronSectionProps) { + const { t } = useTranslation() + + return ( + <ConfigSectionCard title={t("pages.config.sections.cron")}> + <SwitchCardField + label={t("pages.config.allow_shell_execution")} + hint={t("pages.config.allow_shell_execution_hint")} + layout="setting-row" + checked={form.allowCommand} + onCheckedChange={(checked) => onFieldChange("allowCommand", checked)} + /> + + <Field + label={t("pages.config.cron_exec_timeout")} + hint={t("pages.config.cron_exec_timeout_hint")} + layout="setting-row" + > + <Input + type="number" + min={0} + value={form.cronExecTimeoutMinutes} + onChange={(e) => + onFieldChange("cronExecTimeoutMinutes", e.target.value) + } + /> + </Field> + </ConfigSectionCard> + ) +} + interface LauncherSectionProps { launcherForm: LauncherForm onFieldChange: UpdateLauncherField diff --git a/web/frontend/src/components/config/form-model.ts b/web/frontend/src/components/config/form-model.ts index d868c4bb4..8c850b2c4 100644 --- a/web/frontend/src/components/config/form-model.ts +++ b/web/frontend/src/components/config/form-model.ts @@ -4,6 +4,8 @@ export interface CoreConfigForm { workspace: string restrictToWorkspace: boolean allowRemote: boolean + allowCommand: boolean + cronExecTimeoutMinutes: string maxTokens: string maxToolIterations: string summarizeMessageThreshold: string @@ -56,6 +58,8 @@ export const EMPTY_FORM: CoreConfigForm = { workspace: "", restrictToWorkspace: true, allowRemote: true, + allowCommand: true, + cronExecTimeoutMinutes: "5", maxTokens: "32768", maxToolIterations: "50", summarizeMessageThreshold: "20", @@ -106,6 +110,7 @@ export function buildFormFromConfig(config: unknown): CoreConfigForm { const heartbeat = asRecord(root.heartbeat) const devices = asRecord(root.devices) const tools = asRecord(root.tools) + const cron = asRecord(tools.cron) const exec = asRecord(tools.exec) return { @@ -118,6 +123,14 @@ export function buildFormFromConfig(config: unknown): CoreConfigForm { exec.allow_remote === undefined ? EMPTY_FORM.allowRemote : asBool(exec.allow_remote), + allowCommand: + cron.allow_command === undefined + ? EMPTY_FORM.allowCommand + : asBool(cron.allow_command), + cronExecTimeoutMinutes: asNumberString( + cron.exec_timeout_minutes, + EMPTY_FORM.cronExecTimeoutMinutes, + ), maxTokens: asNumberString(defaults.max_tokens, EMPTY_FORM.maxTokens), maxToolIterations: asNumberString( defaults.max_tool_iterations, diff --git a/web/frontend/src/i18n/locales/en.json b/web/frontend/src/i18n/locales/en.json index b099dec13..2fa32ebb5 100644 --- a/web/frontend/src/i18n/locales/en.json +++ b/web/frontend/src/i18n/locales/en.json @@ -394,6 +394,10 @@ "restrict_workspace_hint": "Only allow file operations inside workspace.", "allow_remote": "Allow Remote Shell Execution", "allow_remote_hint": "When enabled, shell commands can also run for remote sessions or non-local contexts. When disabled, shell execution stays limited to local safe contexts.", + "allow_shell_execution": "Allow Shell Execution", + "allow_shell_execution_hint": "Enable scheduled shell commands for cron jobs by default. When disabled, users must pass command_confirm=true to schedule a cron command.", + "cron_exec_timeout": "Cron Command Timeout (minutes)", + "cron_exec_timeout_hint": "Maximum runtime for scheduled shell commands. Set to 0 to disable the timeout.", "max_tokens": "Max Tokens", "max_tokens_hint": "Upper token limit per model response.", "max_tool_iterations": "Max Tool Iterations", @@ -434,6 +438,7 @@ "sections": { "agent": "Agent", "runtime": "Runtime", + "cron": "Cron Tasks", "launcher": "Service", "devices": "Devices" }, diff --git a/web/frontend/src/i18n/locales/zh.json b/web/frontend/src/i18n/locales/zh.json index 78093e5c7..badf5bb3d 100644 --- a/web/frontend/src/i18n/locales/zh.json +++ b/web/frontend/src/i18n/locales/zh.json @@ -394,6 +394,10 @@ "restrict_workspace_hint": "仅允许在工作目录内执行文件操作。", "allow_remote": "允许远程执行 Shell 命令", "allow_remote_hint": "开启后,来自远程会话或非本地上下文的请求也可以执行 shell 命令;关闭后,仅允许本地安全上下文执行。", + "allow_shell_execution": "允许 Shell 执行", + "allow_shell_execution_hint": "开启后,cron 定时任务默认允许执行 shell 命令。关闭后,必须显式传入 command_confirm=true 才能创建 cron 命令任务。", + "cron_exec_timeout": "定时命令超时(分钟)", + "cron_exec_timeout_hint": "定时 shell 命令的最长执行时间。设置为 0 表示不限制超时。", "max_tokens": "最大 Token 数", "max_tokens_hint": "单次模型响应允许的最大 Token 数。", "max_tool_iterations": "最大工具迭代次数", @@ -434,6 +438,7 @@ "sections": { "agent": "智能体", "runtime": "运行时", + "cron": "定时任务", "launcher": "服务参数", "devices": "设备" }, From 8d97896a0dfc485b6a8400d80b2859f852421aa3 Mon Sep 17 00:00:00 2001 From: Zane Tung <zanetung13@gmail.com> Date: Tue, 17 Mar 2026 11:52:58 +0800 Subject: [PATCH 34/47] fix(providers): handle nil input in GLM series tool_use blocks - add defensive nil check for tool call Arguments field - replace nil input with empty object to comply with Anthropic spec - prevent API errors when GLM models return null input in tool_use blocks Zhipu AI's GLM series models may return tool_use blocks with null input field, which causes their API to reject subsequent requests with error: "ClaudeContentBlockToolResult object has no attribute id" This fix ensures compatibility by converting nil inputs to empty objects {}, matching the Anthropic Messages API specification while maintaining backward compatibility with other providers. --- pkg/providers/anthropic_messages/provider.go | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/pkg/providers/anthropic_messages/provider.go b/pkg/providers/anthropic_messages/provider.go index 8a83a7058..c201dfe00 100644 --- a/pkg/providers/anthropic_messages/provider.go +++ b/pkg/providers/anthropic_messages/provider.go @@ -221,11 +221,17 @@ func buildRequestBody( // Add tool_use blocks for _, tc := range msg.ToolCalls { + // Handle nil Arguments (GLM-4 may return null input) + input := tc.Arguments + if input == nil { + input = map[string]any{} + } + toolUse := map[string]any{ "type": "tool_use", "id": tc.ID, "name": tc.Name, - "input": tc.Arguments, + "input": input, } content = append(content, toolUse) } From cef0f28881169fa52d9eadd8414e0cc3f2f18607 Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 14:10:11 +0800 Subject: [PATCH 35/47] fix(tools): normalize whitelist path checks for symlinked allowed roots (#1660) - keep regex whitelist matching for existing configs - add normalized directory-prefix checks for literal allow-path patterns - support allowed roots that resolve through symlinks - add regression coverage for symlink-backed whitelist paths --- pkg/tools/filesystem.go | 105 ++++++++++++++++++++++++++++++++++- pkg/tools/filesystem_test.go | 35 ++++++++++++ 2 files changed, 138 insertions(+), 2 deletions(-) diff --git a/pkg/tools/filesystem.go b/pkg/tools/filesystem.go index 92946ef98..ae356f248 100644 --- a/pkg/tools/filesystem.go +++ b/pkg/tools/filesystem.go @@ -98,14 +98,115 @@ func isAllowedPath(path string, patterns []*regexp.Regexp) bool { } func matchesAllowedPath(path string, patterns []*regexp.Regexp) bool { + cleaned := filepath.Clean(path) for _, pattern := range patterns { - if pattern.MatchString(path) { + if pattern.MatchString(cleaned) { + return true + } + if root, ok := extractAllowedPathRoot(pattern); ok && isWithinAllowedRoot(cleaned, root) { return true } } return false } +func extractAllowedPathRoot(pattern *regexp.Regexp) (string, bool) { + raw := pattern.String() + if !strings.HasPrefix(raw, "^") { + return "", false + } + + literal := strings.TrimPrefix(raw, "^") + + // Recognize the common "directory prefix" form: ^<literal>(?:/|$) + literal = strings.TrimSuffix(literal, "(?:/|$)") + literal = strings.TrimSuffix(literal, `(?:\\|$)`) + + // Reject patterns that still contain regex operators after removing the + // optional anchored-directory suffix. That keeps arbitrary regex behavior + // unchanged and only enables normalized prefix matching for literal paths. + if containsUnescapedRegexMeta(literal) { + return "", false + } + + unescaped, ok := unescapeRegexLiteral(literal) + if !ok || unescaped == "" { + return "", false + } + + return filepath.Clean(unescaped), filepath.IsAbs(unescaped) +} + +func appendUniquePath(paths []string, path string) []string { + for _, existing := range paths { + if existing == path { + return paths + } + } + return append(paths, path) +} + +func containsUnescapedRegexMeta(s string) bool { + escaped := false + for _, r := range s { + if escaped { + escaped = false + continue + } + if r == '\\' { + escaped = true + continue + } + switch r { + case '.', '+', '*', '?', '(', ')', '[', ']', '{', '}', '|': + return true + } + } + return escaped +} + +func unescapeRegexLiteral(s string) (string, bool) { + var b strings.Builder + b.Grow(len(s)) + + escaped := false + for _, r := range s { + if escaped { + b.WriteRune(r) + escaped = false + continue + } + if r == '\\' { + escaped = true + continue + } + b.WriteRune(r) + } + + if escaped { + return "", false + } + + return b.String(), true +} + +func isWithinAllowedRoot(path, root string) bool { + candidate := filepath.Clean(path) + allowedVariants := []string{filepath.Clean(root)} + + if resolvedRoot, err := resolvePathAgainstExistingAncestor(root); err == nil { + allowedVariants = appendUniquePath(allowedVariants, filepath.Clean(resolvedRoot)) + } + + for _, allowedRoot := range allowedVariants { + if isWithinWorkspace(candidate, allowedRoot) { + return true + } + } + + return false +} + func resolveExistingAncestor(path string) (string, error) { for current := filepath.Clean(path); ; current = filepath.Dir(current) { if resolved, err := filepath.EvalSymlinks(current); err == nil { @@ -144,7 +245,7 @@ func resolvePathAgainstExistingAncestor(path string) (string, error) { func isWithinWorkspace(candidate, workspace string) bool { rel, err := filepath.Rel(filepath.Clean(workspace), filepath.Clean(candidate)) - return err == nil && filepath.IsLocal(rel) + return err == nil && (rel == "." || filepath.IsLocal(rel)) } type ReadFileTool struct { diff --git a/pkg/tools/filesystem_test.go b/pkg/tools/filesystem_test.go index 78d69273f..5ebf38df2 100644 --- a/pkg/tools/filesystem_test.go +++ b/pkg/tools/filesystem_test.go @@ -570,6 +570,41 @@ func TestWhitelistFs_WriteAllowsNewFileUnderAllowedDir(t *testing.T) { } } +func TestWhitelistFs_AllowsResolvedAllowedRootAlias(t *testing.T) { + workspace := t.TempDir() + realDir := t.TempDir() + linkParent := t.TempDir() + allowedAlias := filepath.Join(linkParent, "allowed-link") + + if err := os.Symlink(realDir, allowedAlias); err != nil { + t.Skipf("symlink not supported in this environment: %v", err) + } + + targetFile := filepath.Join(allowedAlias, "nested", "alias.txt") + if err := os.MkdirAll(filepath.Dir(targetFile), 0o755); err != nil { + t.Fatalf("MkdirAll(targetFile dir) error = %v", err) + } + if err := os.WriteFile(targetFile, []byte("through alias"), 0o644); err != nil { + t.Fatalf("WriteFile(targetFile) error = %v", err) + } + + patterns := []*regexp.Regexp{ + regexp.MustCompile( + "^" + regexp.QuoteMeta(filepath.Clean(allowedAlias)) + + "(?:" + regexp.QuoteMeta(string(os.PathSeparator)) + "|$)", + ), + } + tool := NewReadFileTool(workspace, true, MaxReadFileSize, patterns) + + result := tool.Execute(context.Background(), map[string]any{"path": targetFile}) + if result.IsError { + t.Fatalf("expected symlink-backed allowed root to be readable, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "through alias") { + t.Fatalf("expected file content, got: %s", result.ForLLM) + } +} + // TestReadFileTool_ChunkedReading verifies the pagination logic of the tool // by reading a file in multiple chunks using 'offset' and 'length'. func TestReadFileTool_ChunkedReading(t *testing.T) { From e41423483e46aa8fb506bbe1c9b4bf735ff39c4d Mon Sep 17 00:00:00 2001 From: Cytown <cytown@gmail.com> Date: Tue, 17 Mar 2026 14:12:32 +0800 Subject: [PATCH 36/47] add systray ui for all platform (#1649) * add systray ui for all platform * update from getlantern/systray to fyne.io/systray for fix test --- Makefile | 53 ++--- go.mod | 6 +- go.sum | 4 + pkg/agent/instance_test.go | 2 +- web/Makefile | 62 +++++- web/backend/api/events.go | 21 +- web/backend/api/gateway.go | 373 +++++++++++++++++++++----------- web/backend/api/gateway_test.go | 54 ----- web/backend/api/router.go | 5 + web/backend/i18n.go | 120 ++++++++++ web/backend/icon.png | Bin 0 -> 104580 bytes web/backend/main.go | 56 +++-- web/backend/systray.go | 133 ++++++++++++ web/backend/systray_unix.go | 8 + web/backend/systray_windows.go | 8 + 15 files changed, 674 insertions(+), 231 deletions(-) create mode 100644 web/backend/i18n.go create mode 100644 web/backend/icon.png create mode 100644 web/backend/systray.go create mode 100644 web/backend/systray_unix.go create mode 100644 web/backend/systray_windows.go diff --git a/Makefile b/Makefile index 2f673d3b9..4f4a7a6cb 100644 --- a/Makefile +++ b/Makefile @@ -12,7 +12,7 @@ GIT_COMMIT=$(shell git rev-parse --short=8 HEAD 2>/dev/null || echo "dev") BUILD_TIME=$(shell date +%FT%T%z) GO_VERSION=$(shell $(GO) version | awk '{print $$3}') CONFIG_PKG=github.com/sipeed/picoclaw/pkg/config -LDFLAGS=-ldflags "-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w" +LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w # Go variables GO?=CGO_ENABLED=0 go @@ -107,7 +107,7 @@ generate: build: generate @echo "Building $(BINARY_NAME) for $(PLATFORM)/$(ARCH)..." @mkdir -p $(BUILD_DIR) - @$(GO) build $(GOFLAGS) $(LDFLAGS) -o $(BINARY_PATH) ./$(CMD_DIR) + @$(GO) build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o $(BINARY_PATH) ./$(CMD_DIR) @echo "Build complete: $(BINARY_PATH)" @ln -sf $(BINARY_NAME)-$(PLATFORM)-$(ARCH) $(BUILD_DIR)/$(BINARY_NAME) @@ -128,16 +128,16 @@ build-whatsapp-native: generate ## @echo "Building $(BINARY_NAME) with WhatsApp native for $(PLATFORM)/$(ARCH)..." @echo "Building for multiple platforms..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=amd64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) - GOOS=linux GOARCH=arm64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) - GOOS=linux GOARCH=loong64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) - GOOS=linux GOARCH=riscv64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) - GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) + GOOS=linux GOARCH=amd64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) + GOOS=linux GOARCH=arm64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=loong64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) + GOOS=linux GOARCH=riscv64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) + GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) $(call PATCH_MIPS_FLAGS,$(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle) - GOOS=darwin GOARCH=arm64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) - GOOS=windows GOARCH=amd64 $(GO) build -tags whatsapp_native $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) -## @$(GO) build $(GOFLAGS) -tags whatsapp_native $(LDFLAGS) -o $(BINARY_PATH) ./$(CMD_DIR) + GOOS=darwin GOARCH=arm64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) + GOOS=windows GOARCH=amd64 $(GO) build -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) +## @$(GO) build $(GOFLAGS) -tags whatsapp_native -ldflags "$(LDFLAGS)" -o $(BINARY_PATH) ./$(CMD_DIR) @echo "Build complete" ## @ln -sf $(BINARY_NAME)-$(PLATFORM)-$(ARCH) $(BUILD_DIR)/$(BINARY_NAME) @@ -145,21 +145,21 @@ build-whatsapp-native: generate build-linux-arm: generate @echo "Building for linux/arm (GOARM=7)..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) @echo "Build complete: $(BUILD_DIR)/$(BINARY_NAME)-linux-arm" ## build-linux-arm64: Build for Linux ARM64 (e.g. Raspberry Pi Zero 2 W 64-bit) build-linux-arm64: generate @echo "Building for linux/arm64..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) @echo "Build complete: $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64" ## build-linux-mipsle: Build for Linux MIPS32 LE build-linux-mipsle: generate @echo "Building for linux/mipsle (softfloat)..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) + GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) $(call PATCH_MIPS_FLAGS,$(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle) @echo "Build complete: $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle" @@ -171,18 +171,18 @@ build-pi-zero: build-linux-arm build-linux-arm64 build-all: generate @echo "Building for multiple platforms..." @mkdir -p $(BUILD_DIR) - GOOS=linux GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) - GOOS=linux GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) - GOOS=linux GOARCH=loong64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) - GOOS=linux GOARCH=riscv64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) - GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) + GOOS=linux GOARCH=amd64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-amd64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm ./$(CMD_DIR) + GOOS=linux GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=loong64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-loong64 ./$(CMD_DIR) + GOOS=linux GOARCH=riscv64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-riscv64 ./$(CMD_DIR) + GOOS=linux GOARCH=mipsle GOMIPS=softfloat $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle ./$(CMD_DIR) $(call PATCH_MIPS_FLAGS,$(BUILD_DIR)/$(BINARY_NAME)-linux-mipsle) - GOOS=linux GOARCH=arm GOARM=7 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-linux-armv7 ./$(CMD_DIR) - GOOS=darwin GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) - GOOS=windows GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) - GOOS=netbsd GOARCH=amd64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-amd64 ./$(CMD_DIR) - GOOS=netbsd GOARCH=arm64 $(GO) build $(LDFLAGS) -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-arm64 ./$(CMD_DIR) + GOOS=linux GOARCH=arm GOARM=7 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-linux-armv7 ./$(CMD_DIR) + GOOS=darwin GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-darwin-arm64 ./$(CMD_DIR) + GOOS=windows GOARCH=amd64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-windows-amd64.exe ./$(CMD_DIR) + GOOS=netbsd GOARCH=amd64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-amd64 ./$(CMD_DIR) + GOOS=netbsd GOARCH=arm64 $(GO) build -ldflags "$(LDFLAGS)" -o $(BUILD_DIR)/$(BINARY_NAME)-netbsd-arm64 ./$(CMD_DIR) @echo "All builds complete" ## install: Install picoclaw to system and copy builtin skills @@ -223,7 +223,8 @@ vet: generate ## test: Test Go code test: generate - @$(GO) test ./... + @$(GO) test $$(go list ./... | grep -v github.com/sipeed/picoclaw/web/) + @cd web && make test ## fmt: Format Go code fmt: diff --git a/go.mod b/go.mod index 130db73ff..4442b28fe 100644 --- a/go.mod +++ b/go.mod @@ -3,6 +3,7 @@ module github.com/sipeed/picoclaw go 1.25.7 require ( + fyne.io/systray v1.12.0 github.com/adhocore/gronx v1.19.6 github.com/anthropics/anthropic-sdk-go v1.26.0 github.com/bwmarrin/discordgo v0.29.0 @@ -28,6 +29,7 @@ require ( github.com/tencent-connect/botgo v0.2.1 go.mau.fi/whatsmeow v0.0.0-20260219150138-7ae702b1eed4 golang.org/x/oauth2 v0.36.0 + golang.org/x/term v0.40.0 golang.org/x/time v0.14.0 google.golang.org/protobuf v1.36.11 gopkg.in/yaml.v3 v3.0.1 @@ -43,6 +45,7 @@ require ( github.com/dustin/go-humanize v1.0.1 // indirect github.com/elliotchance/orderedmap/v3 v3.1.0 // indirect github.com/gdamore/encoding v1.0.1 // indirect + github.com/godbus/dbus/v5 v5.1.0 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/lucasb-eyer/go-colorful v1.3.0 // indirect github.com/mattn/go-colorable v0.1.14 // indirect @@ -59,7 +62,6 @@ require ( go.mau.fi/libsignal v0.2.1 // indirect go.mau.fi/util v0.9.6 // indirect golang.org/x/exp v0.0.0-20260212183809-81e46e3db34a // indirect - golang.org/x/term v0.40.0 // indirect golang.org/x/text v0.34.0 // indirect modernc.org/libc v1.67.6 // indirect modernc.org/mathutil v1.7.1 // indirect @@ -90,7 +92,7 @@ require ( github.com/valyala/fastjson v1.6.10 // indirect github.com/yosida95/uritemplate/v3 v3.0.2 // indirect golang.org/x/arch v0.24.0 // indirect - golang.org/x/crypto v0.48.0 // indirect + golang.org/x/crypto v0.48.0 golang.org/x/net v0.51.0 // indirect golang.org/x/sync v0.19.0 // indirect golang.org/x/sys v0.41.0 // indirect diff --git a/go.sum b/go.sum index a4d8ed3d0..f0e3fc132 100644 --- a/go.sum +++ b/go.sum @@ -1,6 +1,8 @@ cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k= filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw= filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4= +fyne.io/systray v1.12.0 h1:CA1Kk0e2zwFlxtc02L3QFSiIbxJ/P0n582YrZHT7aTM= +fyne.io/systray v1.12.0/go.mod h1:RVwqP9nYMo7h5zViCBHri2FgjXF7H2cub7MAq4NSoLs= github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU= github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/adhocore/gronx v1.19.6 h1:5KNVcoR9ACgL9HhEqCm5QXsab/gI4QDIybTAWcXDKDc= @@ -64,6 +66,8 @@ github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg78 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U= github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/godbus/dbus/v5 v5.1.0 h1:4KLkAxT3aOY8Li4FRJe/KvhoNFFxo0m6fNuFUO8QJUk= +github.com/godbus/dbus/v5 v5.1.0/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8= diff --git a/pkg/agent/instance_test.go b/pkg/agent/instance_test.go index f8057bb2f..5a13c8f1b 100644 --- a/pkg/agent/instance_test.go +++ b/pkg/agent/instance_test.go @@ -190,7 +190,7 @@ func TestNewAgentInstance_AllowsMediaTempDirForReadListAndExec(t *testing.T) { Agents: config.AgentsConfig{ Defaults: config.AgentDefaults{ Workspace: workspace, - Model: "test-model", + ModelName: "test-model", RestrictToWorkspace: true, }, }, diff --git a/web/Makefile b/web/Makefile index 559005956..653dd77e1 100644 --- a/web/Makefile +++ b/web/Makefile @@ -1,5 +1,59 @@ .PHONY: dev dev-frontend dev-backend build test lint clean +# Version +VERSION?=$(shell git describe --tags --always --dirty 2>/dev/null || echo "dev") +GIT_COMMIT=$(shell git rev-parse --short=8 HEAD 2>/dev/null || echo "dev") +BUILD_TIME=$(shell date +%FT%T%z) +GO_VERSION=$(shell $(GO) version | awk '{print $$3}') +CONFIG_PKG=github.com/sipeed/picoclaw/pkg/config +LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w + +# Go variables +GO?=CGO_ENABLED=0 go +GOFLAGS?=-v -tags stdjson + + +# OS detection +UNAME_S:=$(shell uname -s) +UNAME_M:=$(shell uname -m) + +# Platform-specific settings +ifeq ($(UNAME_S),Linux) + PLATFORM=linux + ifeq ($(UNAME_M),x86_64) + ARCH=amd64 + else ifeq ($(UNAME_M),aarch64) + ARCH=arm64 + else ifeq ($(UNAME_M),armv81) + ARCH=arm64 + else ifeq ($(UNAME_M),loongarch64) + ARCH=loong64 + else ifeq ($(UNAME_M),riscv64) + ARCH=riscv64 + else ifeq ($(UNAME_M),mipsel) + ARCH=mipsle + else + ARCH=$(UNAME_M) + endif +else ifeq ($(UNAME_S),Darwin) + PLATFORM=darwin + GO=CGO_ENABLED=1 go + ifeq ($(UNAME_M),x86_64) + ARCH=amd64 + else ifeq ($(UNAME_M),arm64) + ARCH=arm64 + else + ARCH=$(UNAME_M) + endif +else ifeq ($(UNAME_S),Windows) + PLATFORM=windows + ARCH=$(UNAME_M) + LDFLAGS=-H=windowsgui $(LDFLAGS) +else + PLATFORM=$(UNAME_S) + ARCH=$(UNAME_M) +endif + # Run both frontend and backend dev servers dev: @if [ ! -f backend/picoclaw-web ] || [ ! -d backend/dist ]; then \ @@ -15,21 +69,21 @@ dev-frontend: # Start backend dev server dev-backend: - cd backend && go run . + cd backend && ${GO} run -ldflags "$(LDFLAGS)" . # Build frontend and embed into Go binary build: cd frontend && pnpm build:backend - cd backend && go build -o picoclaw-web . + cd backend && ${GO} build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o picoclaw-web . # Run all tests test: - cd backend && go test ./... + cd backend && ${GO} test ./... cd frontend && pnpm lint # Lint and format lint: - cd backend && go vet ./... + cd backend && ${GO} vet ./... cd frontend && pnpm check # Clean build artifacts diff --git a/web/backend/api/events.go b/web/backend/api/events.go index af44d1824..5c85b149a 100644 --- a/web/backend/api/events.go +++ b/web/backend/api/events.go @@ -40,9 +40,13 @@ func (b *EventBroadcaster) Subscribe() chan string { // Unsubscribe removes a listener channel and closes it. func (b *EventBroadcaster) Unsubscribe(ch chan string) { b.mu.Lock() - delete(b.clients, ch) - b.mu.Unlock() - close(ch) + defer b.mu.Unlock() + + // Check if the channel is still registered before closing + if _, exists := b.clients[ch]; exists { + delete(b.clients, ch) + close(ch) + } } // Broadcast sends a GatewayEvent to all connected SSE clients. @@ -63,3 +67,14 @@ func (b *EventBroadcaster) Broadcast(event GatewayEvent) { } } } + +// Shutdown closes all subscriber channels, notifying all SSE clients to disconnect. +// This should be called when the server is shutting down. +func (b *EventBroadcaster) Shutdown() { + // Close all channels to notify listeners + for ch := range b.clients { + b.Unsubscribe(ch) + } + // Clear the map + b.clients = make(map[chan string]struct{}) +} diff --git a/web/backend/api/gateway.go b/web/backend/api/gateway.go index f50f7609a..424b21e96 100644 --- a/web/backend/api/gateway.go +++ b/web/backend/api/gateway.go @@ -3,10 +3,10 @@ package api import ( "bufio" "encoding/json" + "errors" "fmt" "io" "log" - "net" "net/http" "os" "os/exec" @@ -18,6 +18,7 @@ import ( "time" "github.com/sipeed/picoclaw/pkg/config" + "github.com/sipeed/picoclaw/pkg/health" "github.com/sipeed/picoclaw/web/backend/utils" ) @@ -48,6 +49,27 @@ var gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, return client.Get(url) } +// getGatewayHealth checks the gateway health endpoint and returns the status response +// Returns (*health.StatusResponse, statusCode, error). If error is not nil, the other values are not valid. +func getGatewayHealth(port int, timeout time.Duration) (*health.StatusResponse, int, error) { + if port == 0 { + port = 18790 + } + url := fmt.Sprintf("http://127.0.0.1:%d/health", port) + resp, err := gatewayHealthGet(url, timeout) + if err != nil { + return nil, 0, err + } + defer resp.Body.Close() + + var healthResponse health.StatusResponse + if decErr := json.NewDecoder(resp.Body).Decode(&healthResponse); decErr != nil { + return nil, resp.StatusCode, decErr + } + + return &healthResponse, resp.StatusCode, nil +} + // registerGatewayRoutes binds gateway lifecycle endpoints to the ServeMux. func (h *Handler) registerGatewayRoutes(mux *http.ServeMux) { mux.HandleFunc("GET /api/gateway/status", h.handleGatewayStatus) @@ -62,12 +84,35 @@ func (h *Handler) registerGatewayRoutes(mux *http.ServeMux) { // TryAutoStartGateway checks whether gateway start preconditions are met and // starts it when possible. Intended to be called by the backend at startup. func (h *Handler) TryAutoStartGateway() { + // Check if gateway is already running via health endpoint + cfg, cfgErr := config.LoadConfig(h.configPath) + if cfgErr == nil && cfg != nil { + healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + if err == nil && statusCode == http.StatusOK { + // Gateway is already running, attach to the existing process + pid := healthResp.Pid + gateway.mu.Lock() + defer gateway.mu.Unlock() + ready, reason, err := h.gatewayStartReady() + if err != nil { + log.Printf("Skip auto-starting gateway: %v", err) + return + } + if !ready { + log.Printf("Skip auto-starting gateway: %s", reason) + return + } + _, err = h.startGatewayLocked("starting", pid) + if err != nil { + log.Printf("Failed to attach to running gateway (PID: %d): %v", pid, err) + } + return + } + } + gateway.mu.Lock() defer gateway.mu.Unlock() - if isGatewayProcessAliveLocked() { - return - } if gateway.cmd != nil && gateway.cmd.Process != nil { gateway.cmd = nil } @@ -82,7 +127,7 @@ func (h *Handler) TryAutoStartGateway() { return } - pid, err := h.startGatewayLocked("starting") + pid, err := h.startGatewayLocked("starting", 0) if err != nil { log.Printf("Failed to auto-start gateway: %v", err) return @@ -125,10 +170,6 @@ func lookupModelConfig(cfg *config.Config, modelName string) *config.ModelConfig return modelCfg } -func isGatewayProcessAliveLocked() bool { - return isCmdProcessAliveLocked(gateway.cmd) -} - func isCmdProcessAliveLocked(cmd *exec.Cmd) bool { if cmd == nil || cmd.Process == nil { return false @@ -157,6 +198,28 @@ func setGatewayRuntimeStatusLocked(status string) { gateway.startupDeadline = time.Time{} } +// attachToGatewayProcess attaches to an existing gateway process by PID +// and updates the gateway state accordingly. +// Assumes gateway.mu is held by the caller. +func attachToGatewayProcessLocked(pid int, cfg *config.Config) error { + process, err := os.FindProcess(pid) + if err != nil { + return fmt.Errorf("failed to find process for PID %d: %w", pid, err) + } + + gateway.cmd = &exec.Cmd{Process: process} + setGatewayRuntimeStatusLocked("running") + + // Update bootDefaultModel from config + if cfg != nil { + defaultModelName := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + gateway.bootDefaultModel = defaultModelName + } + + log.Printf("Attached to gateway process (PID: %d)", pid) + return nil +} + func gatewayStatusOnHealthFailureLocked() string { if gateway.runtimeStatus == "starting" || gateway.runtimeStatus == "restarting" { if gateway.startupDeadline.IsZero() || time.Now().Before(gateway.startupDeadline) { @@ -238,24 +301,41 @@ func stopGatewayProcessForRestart(cmd *exec.Cmd) error { return fmt.Errorf("existing gateway did not exit before restart") } -func gatewayRestartRequired(status, bootDefaultModel, configDefaultModel string) bool { - return status == "running" && - bootDefaultModel != "" && - configDefaultModel != "" && - bootDefaultModel != configDefaultModel -} - -func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { +func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int, error) { cfg, err := config.LoadConfig(h.configPath) if err != nil { return 0, fmt.Errorf("failed to load config: %w", err) } defaultModelName := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + var cmd *exec.Cmd + var pid int + + if existingPid > 0 { + // Attach to existing process + pid = existingPid + gateway.cmd = nil // Clear first to ensure clean state + if err = attachToGatewayProcessLocked(pid, cfg); err != nil { + return 0, err + } + + // Broadcast the attached state + gateway.events.Broadcast(GatewayEvent{ + Status: initialStatus, + PID: pid, + BootDefaultModel: defaultModelName, + ConfigDefaultModel: defaultModelName, + RestartRequired: false, + }) + + return pid, nil + } + + // Start new process // Locate the picoclaw executable execPath := utils.FindPicoclawBinary() - cmd := exec.Command(execPath, "gateway") + cmd = exec.Command(execPath, "gateway") cmd.Env = os.Environ() // Forward the launcher's config path via the environment variable that // GetConfigPath() already reads, so the gateway sub-process uses the same @@ -293,7 +373,7 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { gateway.cmd = cmd gateway.bootDefaultModel = defaultModelName setGatewayRuntimeStatusLocked(initialStatus) - pid := cmd.Process.Pid + pid = cmd.Process.Pid log.Printf("Started picoclaw gateway (PID: %d) from %s", pid, execPath) // Broadcast the launch state immediately so clients can reflect it without polling. @@ -351,30 +431,22 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { if err != nil { continue } - healthHost := gatewayProbeHost(h.effectiveGatewayBindHost(cfg)) - healthPort := cfg.Gateway.Port - if healthPort == 0 { - healthPort = 18790 - } - healthURL := fmt.Sprintf("http://%s/health", net.JoinHostPort(healthHost, strconv.Itoa(healthPort))) - resp, err := gatewayHealthGet(healthURL, 1*time.Second) - if err == nil { - resp.Body.Close() - if resp.StatusCode == http.StatusOK { - gateway.mu.Lock() - if gateway.cmd == cmd { - setGatewayRuntimeStatusLocked("running") - } - gateway.mu.Unlock() - gateway.events.Broadcast(GatewayEvent{ - Status: "running", - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) - return + healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 1*time.Second) + if err == nil && statusCode == http.StatusOK && healthResp.Pid == pid { + // Verify the health endpoint returns the expected pid + gateway.mu.Lock() + if gateway.cmd == cmd { + setGatewayRuntimeStatusLocked("running") } + gateway.mu.Unlock() + gateway.events.Broadcast(GatewayEvent{ + Status: "running", + PID: pid, + BootDefaultModel: defaultModelName, + ConfigDefaultModel: defaultModelName, + RestartRequired: false, + }) + return } } }() @@ -386,19 +458,54 @@ func (h *Handler) startGatewayLocked(initialStatus string) (int, error) { // // POST /api/gateway/start func (h *Handler) handleGatewayStart(w http.ResponseWriter, r *http.Request) { + // Prevent duplicate starts by checking health endpoint + cfg, cfgErr := config.LoadConfig(h.configPath) + if cfgErr == nil && cfg != nil { + healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + if err == nil && statusCode == http.StatusOK { + // Gateway is already running, attach to the existing process + pid := healthResp.Pid + gateway.mu.Lock() + ready, reason, err := h.gatewayStartReady() + if err != nil { + gateway.mu.Unlock() + http.Error( + w, + fmt.Sprintf("Failed to validate gateway start conditions: %v", err), + http.StatusInternalServerError, + ) + return + } + if !ready { + gateway.mu.Unlock() + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusBadRequest) + json.NewEncoder(w).Encode(map[string]any{ + "status": "precondition_failed", + "message": reason, + }) + return + } + _, err = h.startGatewayLocked("starting", pid) + gateway.mu.Unlock() + if err != nil { + log.Printf("Failed to attach to running gateway (PID: %d): %v", pid, err) + http.Error(w, fmt.Sprintf("Failed to attach to gateway: %v", err), http.StatusInternalServerError) + return + } + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusOK) + json.NewEncoder(w).Encode(map[string]any{ + "status": "ok", + "pid": pid, + }) + return + } + } + gateway.mu.Lock() defer gateway.mu.Unlock() - // Prevent duplicate starts - if isGatewayProcessAliveLocked() { - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusConflict) - json.NewEncoder(w).Encode(map[string]any{ - "status": "already_running", - "pid": gateway.cmd.Process.Pid, - }) - return - } if gateway.cmd != nil && gateway.cmd.Process != nil { gateway.cmd = nil setGatewayRuntimeStatusLocked("stopped") @@ -423,7 +530,7 @@ func (h *Handler) handleGatewayStart(w http.ResponseWriter, r *http.Request) { return } - pid, err := h.startGatewayLocked("starting") + pid, err := h.startGatewayLocked("starting", 0) if err != nil { http.Error(w, fmt.Sprintf("Failed to start gateway: %v", err), http.StatusInternalServerError) return @@ -475,27 +582,16 @@ func (h *Handler) handleGatewayStop(w http.ResponseWriter, r *http.Request) { }) } -// handleGatewayRestart stops the gateway (if running) and starts a new instance. -// -// POST /api/gateway/restart -func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { +// RestartGateway restarts the gateway process. This is a non-blocking operation +// that stops the current gateway (if running) and starts a new one. +// Returns the PID of the new gateway process or an error. +func (h *Handler) RestartGateway() (int, error) { ready, reason, err := h.gatewayStartReady() if err != nil { - http.Error( - w, - fmt.Sprintf("Failed to validate gateway start conditions: %v", err), - http.StatusInternalServerError, - ) - return + return 0, fmt.Errorf("failed to validate gateway start conditions: %w", err) } if !ready { - w.Header().Set("Content-Type", "application/json") - w.WriteHeader(http.StatusBadRequest) - json.NewEncoder(w).Encode(map[string]any{ - "status": "precondition_failed", - "message": reason, - }) - return + return 0, &preconditionFailedError{reason: reason} } gateway.mu.Lock() @@ -519,8 +615,7 @@ func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { } } gateway.mu.Unlock() - http.Error(w, fmt.Sprintf("Failed to restart gateway: %v", err), http.StatusInternalServerError) - return + return 0, fmt.Errorf("failed to stop gateway: %w", err) } gateway.mu.Lock() @@ -528,7 +623,7 @@ func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { gateway.cmd = nil gateway.bootDefaultModel = "" } - pid, err := h.startGatewayLocked("restarting") + pid, err := h.startGatewayLocked("restarting", 0) if err != nil { gateway.cmd = nil gateway.bootDefaultModel = "" @@ -536,6 +631,43 @@ func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { } gateway.mu.Unlock() if err != nil { + return 0, fmt.Errorf("failed to start gateway: %w", err) + } + + return pid, nil +} + +// preconditionFailedError is returned when gateway restart preconditions are not met +type preconditionFailedError struct { + reason string +} + +func (e *preconditionFailedError) Error() string { + return e.reason +} + +// IsBadRequest returns true if the error should result in a 400 Bad Request status +func (e *preconditionFailedError) IsBadRequest() bool { + return true +} + +// handleGatewayRestart stops the gateway (if running) and starts a new instance. +// +// POST /api/gateway/restart +func (h *Handler) handleGatewayRestart(w http.ResponseWriter, r *http.Request) { + pid, err := h.RestartGateway() + if err != nil { + // Check if it's a precondition failed error + var precondErr *preconditionFailedError + if errors.As(err, &precondErr) { + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(http.StatusBadRequest) + json.NewEncoder(w).Encode(map[string]any{ + "status": "precondition_failed", + "message": precondErr.reason, + }) + return + } http.Error(w, fmt.Sprintf("Failed to restart gateway: %v", err), http.StatusInternalServerError) return } @@ -573,83 +705,74 @@ func (h *Handler) handleGatewayStatus(w http.ResponseWriter, r *http.Request) { func (h *Handler) gatewayStatusData() map[string]any { data := map[string]any{} cfg, cfgErr := config.LoadConfig(h.configPath) - configDefaultModel := "" if cfgErr == nil && cfg != nil { - configDefaultModel = strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + configDefaultModel := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) if configDefaultModel != "" { data["config_default_model"] = configDefaultModel } } - // Check process state - gateway.mu.Lock() - processAlive := isGatewayProcessAliveLocked() - bootDefaultModel := "" - if processAlive { - data["pid"] = gateway.cmd.Process.Pid - if gateway.bootDefaultModel != "" { - data["boot_default_model"] = gateway.bootDefaultModel - bootDefaultModel = gateway.bootDefaultModel - } + // Probe health endpoint to get pid and status + port := 0 + if cfgErr == nil && cfg != nil { + port = cfg.Gateway.Port } - gateway.mu.Unlock() - if !processAlive { + healthResp, statusCode, err := getGatewayHealth(port, 2*time.Second) + if err != nil { gateway.mu.Lock() - data["gateway_status"] = currentGatewayStatusLocked(false) + data["gateway_status"] = currentGatewayStatusLocked(true) gateway.mu.Unlock() + log.Printf("Gateway health check failed: %v", err) } else { - // Process is alive — probe its health endpoint - host := "127.0.0.1" - port := 18790 - if cfgErr == nil && cfg != nil { - host = gatewayProbeHost(h.effectiveGatewayBindHost(cfg)) - if cfg.Gateway.Port != 0 { - port = cfg.Gateway.Port - } - } - - url := fmt.Sprintf("http://%s/health", net.JoinHostPort(host, strconv.Itoa(port))) - resp, err := gatewayHealthGet(url, 2*time.Second) - - if err != nil { + log.Printf("Gateway health status: %d", statusCode) + if statusCode != http.StatusOK { gateway.mu.Lock() - data["gateway_status"] = currentGatewayStatusLocked(true) + setGatewayRuntimeStatusLocked("error") gateway.mu.Unlock() + data["gateway_status"] = "error" + data["status_code"] = statusCode } else { - defer resp.Body.Close() - if resp.StatusCode != http.StatusOK { - gateway.mu.Lock() - setGatewayRuntimeStatusLocked("error") - gateway.mu.Unlock() - data["gateway_status"] = "error" - data["status_code"] = resp.StatusCode + gateway.mu.Lock() + // Check if this pid matches our tracked process + if gateway.cmd != nil && gateway.cmd.Process != nil && gateway.cmd.Process.Pid == healthResp.Pid { + setGatewayRuntimeStatusLocked("running") + bootDefaultModel := gateway.bootDefaultModel + if bootDefaultModel != "" { + data["boot_default_model"] = bootDefaultModel + } + data["gateway_status"] = "running" + data["pid"] = healthResp.Pid } else { - var healthData map[string]any - if decErr := json.NewDecoder(resp.Body).Decode(&healthData); decErr != nil { - gateway.mu.Lock() + // Health endpoint responded with a different pid + // This could be a manual restart, try to attach to the new process + oldPid := "none" + if gateway.cmd != nil && gateway.cmd.Process != nil { + oldPid = fmt.Sprintf("%d", gateway.cmd.Process.Pid) + } + log.Printf("Detected new gateway PID (old: %s, new: %d), attempting to attach", oldPid, healthResp.Pid) + + if err := attachToGatewayProcessLocked(healthResp.Pid, cfg); err != nil { + // Failed to find the process, treat as error setGatewayRuntimeStatusLocked("error") - gateway.mu.Unlock() data["gateway_status"] = "error" + data["pid"] = healthResp.Pid + log.Printf("Failed to attach to new gateway process (PID: %d): %v", healthResp.Pid, err) } else { - gateway.mu.Lock() - setGatewayRuntimeStatusLocked("running") - gateway.mu.Unlock() - for k, v := range healthData { - data[k] = v + // Successfully attached, update response data + bootDefaultModel := gateway.bootDefaultModel + if bootDefaultModel != "" { + data["boot_default_model"] = bootDefaultModel } data["gateway_status"] = "running" + data["pid"] = healthResp.Pid } } + gateway.mu.Unlock() } } - status, _ := data["gateway_status"].(string) - data["gateway_restart_required"] = gatewayRestartRequired( - status, - bootDefaultModel, - configDefaultModel, - ) + data["gateway_restart_required"] = false ready, reason, readyErr := h.gatewayStartReady() if readyErr != nil { diff --git a/web/backend/api/gateway_test.go b/web/backend/api/gateway_test.go index 06803722d..fb4f7d943 100644 --- a/web/backend/api/gateway_test.go +++ b/web/backend/api/gateway_test.go @@ -494,60 +494,6 @@ func TestGatewayStatusReturnsRestartingDuringRestartGap(t *testing.T) { } } -func TestGatewayStatusIncludesRestartRequiredWhenModelsDiffer(t *testing.T) { - resetGatewayTestState(t) - - configPath := filepath.Join(t.TempDir(), "config.json") - cfg := config.DefaultConfig() - cfg.Agents.Defaults.ModelName = cfg.ModelList[0].ModelName - cfg.ModelList[0].APIKey = "test-key" - if err := config.SaveConfig(configPath, cfg); err != nil { - t.Fatalf("SaveConfig() error = %v", err) - } - - h := NewHandler(configPath) - mux := http.NewServeMux() - h.RegisterRoutes(mux) - - cmd := startLongRunningProcess(t) - t.Cleanup(func() { - if cmd.Process != nil { - _ = cmd.Process.Kill() - } - _ = cmd.Wait() - }) - - gateway.mu.Lock() - gateway.cmd = cmd - gateway.bootDefaultModel = "previous-model" - setGatewayRuntimeStatusLocked("running") - gateway.mu.Unlock() - - gatewayHealthGet = func(string, time.Duration) (*http.Response, error) { - rec := httptest.NewRecorder() - rec.WriteHeader(http.StatusOK) - _, _ = rec.WriteString(`{"ok":true}`) - return rec.Result(), nil - } - - rec := httptest.NewRecorder() - req := httptest.NewRequest(http.MethodGet, "/api/gateway/status", nil) - mux.ServeHTTP(rec, req) - - if rec.Code != http.StatusOK { - t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) - } - - var body map[string]any - if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil { - t.Fatalf("unmarshal response: %v", err) - } - - if got := body["gateway_restart_required"]; got != true { - t.Fatalf("gateway_restart_required = %#v, want true", got) - } -} - func TestGatewayRestartKeepsRunningProcessWhenPreconditionsFail(t *testing.T) { configPath := filepath.Join(t.TempDir(), "config.json") cfg := config.DefaultConfig() diff --git a/web/backend/api/router.go b/web/backend/api/router.go index 5f081dee9..b56438784 100644 --- a/web/backend/api/router.go +++ b/web/backend/api/router.go @@ -70,3 +70,8 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) { // Launcher service parameters (port/public) h.registerLauncherConfigRoutes(mux) } + +// Shutdown gracefully shuts down the handler, closing all SSE connections. +func (h *Handler) Shutdown() { + gateway.events.Shutdown() +} diff --git a/web/backend/i18n.go b/web/backend/i18n.go new file mode 100644 index 000000000..9cda9e5d5 --- /dev/null +++ b/web/backend/i18n.go @@ -0,0 +1,120 @@ +package main + +import ( + "fmt" + "os" + "strings" +) + +// Language represents the supported languages +type Language string + +const ( + LanguageEnglish Language = "en" + LanguageChinese Language = "zh" +) + +// current language (default: English) +var currentLang Language = LanguageEnglish + +// TranslationKey represents a translation key used for i18n +type TranslationKey string + +const ( + AppTooltip TranslationKey = "AppTooltip" + MenuOpen TranslationKey = "MenuOpen" + MenuOpenTooltip TranslationKey = "MenuOpenTooltip" + MenuAbout TranslationKey = "MenuAbout" + MenuAboutTooltip TranslationKey = "MenuAboutTooltip" + MenuVersion TranslationKey = "MenuVersion" + MenuVersionTooltip TranslationKey = "MenuVersionTooltip" + MenuGitHub TranslationKey = "MenuGitHub" + MenuDocs TranslationKey = "MenuDocs" + MenuRestart TranslationKey = "MenuRestart" + MenuRestartTooltip TranslationKey = "MenuRestartTooltip" + MenuQuit TranslationKey = "MenuQuit" + MenuQuitTooltip TranslationKey = "MenuQuitTooltip" + Exiting TranslationKey = "Exiting" + DocUrl TranslationKey = "DocUrl" +) + +// Translation tables +// Chinese translations intentionally contain Han script +// +//nolint:gosmopolitan +var translations = map[Language]map[TranslationKey]string{ + LanguageEnglish: { + AppTooltip: "%s - Web Console", + MenuOpen: "Open Console", + MenuOpenTooltip: "Open PicoClaw console in browser", + MenuAbout: "About", + MenuAboutTooltip: "About PicoClaw", + MenuVersion: "Version: %s", + MenuVersionTooltip: "Current version number", + MenuGitHub: "GitHub", + MenuDocs: "Documentation", + MenuRestart: "Restart Service", + MenuRestartTooltip: "Restart Gateway service", + MenuQuit: "Quit", + MenuQuitTooltip: "Exit PicoClaw", + Exiting: "Exiting PicoClaw...", + DocUrl: "https://docs.picoclaw.io/docs/", + }, + LanguageChinese: { + AppTooltip: "%s - Web Console", + MenuOpen: "打开控制台", + MenuOpenTooltip: "在浏览器中打开 PicoClaw 控制台", + MenuAbout: "关于", + MenuAboutTooltip: "关于 PicoClaw", + MenuVersion: "版本: %s", + MenuVersionTooltip: "当前版本号", + MenuGitHub: "GitHub", + MenuDocs: "文档", + MenuRestart: "重启服务", + MenuRestartTooltip: "重启核心服务", + MenuQuit: "退出", + MenuQuitTooltip: "退出 PicoClaw", + Exiting: "正在退出 PicoClaw...", + DocUrl: "https://docs.picoclaw.io/zh-Hans/docs/", + }, +} + +// SetLanguage sets the current language +func SetLanguage(lang string) { + lang = strings.ToLower(strings.TrimSpace(lang)) + + // Extract language code before first underscore or dot + // e.g., "en_US.UTF-8" -> "en", "zh_CN" -> "zh" + if idx := strings.IndexAny(lang, "_."); idx > 0 { + lang = lang[:idx] + } + + if lang == "zh" || lang == "zh-cn" || lang == "chinese" { + currentLang = LanguageChinese + } else { + currentLang = LanguageEnglish + } +} + +// GetLanguage returns the current language +func GetLanguage() Language { + return currentLang +} + +// T translates a key to the current language +func T(key TranslationKey, args ...any) string { + if trans, ok := translations[currentLang][key]; ok { + if len(args) > 0 { + return fmt.Sprintf(trans, args...) + } + return trans + } + return string(key) +} + +// Initialize i18n from environment variable +func init() { + if lang := os.Getenv("LANG"); lang != "" { + SetLanguage(lang) + } +} diff --git a/web/backend/icon.png b/web/backend/icon.png new file mode 100644 index 0000000000000000000000000000000000000000..e0b4aab9c42f1b84b3ff7ffb145a965bcd67e925 GIT binary patch literal 104580 zcmYgXb9`L=(vOn{jm?IQZQD*`JB`)Yjcwa)jK*qgHfU@&cC!2KKJRmH??2gm&d#3S z%$)CdPNa&GGzuaCA_N2kimZ%;8UzFs=wB!Z1US>>?ls1Oys{tc0kBC*+wQyfM+> z9pJ(8;m-oqc-KQPN?C>>ak~v<u-HXp5X8H#bm+O{0Pm0)u}Rc&?m1_uAT+X2Lp!rx zu0KE8YtE*C*{SB=&nojuk~zP7ad)V1bUuCY*vRJYpoi_yfnk8cfs786>?LQ}L#u=9 zP2k`E(f{uiV|0irNaI?lf4(+GuR}l<g{gvMfl+QhZvg$^pDXq-3K!Lo#wvB@pzpQ8 zcMJLu7RU(^w*0PTz4_lOg>fQgz-q{uh>*8`FF{84CW!SCK!~5XtxoCwKNGzw(gkh6 zMF?xDpF{uU08b1-8`>Bl*KYOGzii;0AlO~>a6<erGkN&Sy!k)O^Zxo#{2y@^(5+Vj zY$2K?`v2(tM@r)eGGmm$4=zRa+>HM(w{Zo<Ogs3{*l@vy|7RD>n+TY<9gbC{|KZIZ zECLR?kKJEM1HqE^%Kk8D`YY)RKo7b=keX}o9|eI`!Y=@|2(i4aTz_8hAGNu|{Csvq z31rc*%lh|{Hp~|%kap`r@{Lyo|BCwcVUqx2yLDOPzYpPT2CR{Ap{^gUe?=Wx0EucY zHdOXkRCp<n4E&d)%?6EsnL7Y6N5;;@HT;)31~79b%GKu?f0^Su0V$YIZ1~{6_%Mc- z1mEr`vU&YqH3fm5>hN0&oXGIwvi@K068_;%p!$dUU+#{oKpH+m{*dkXU)2$#LE1u` z1=9TbGWstoVSG@zU}1C3%;o<95*U`o;o{(9*JzuG|L0gOu<mLK%*X%I!T&?I{H}Su z{;#x4|Ilrl%l{Q49E>{th2y5&|Dn@*0pE|@V*D>1{6BOvqfG|?L$~w~otcIFzo-E7 zCknpbL}e54|Im4W&;3(iG5(hh{vW!L$fouGm<dRI5C70@Tgd-?YT;ny@ekNE<^B(y z2l(7S<d)-q>EQpN>y>RX_#e85f9T9CZU5?Jh5`h5(Evny_<wB$4ESU)L}@Bk`2L#N z9{8~(<crXE|3!iKA_!Es$lQA4|3ym(0qC(IpUhi@w)|DIGWgg$a;ww7>O=eISl{ca zqyIsH7ubMY&+HWcixy;EutTv{&c$B)i-N9W5cs@9@~UnBix$x+kfFgHM>d-Ns{ydD z@BoAF;<B;%UsDFTu#e~<7giu(uW21EQbS%~AvT!$lsw&Ta~3o2n9IF;%m0w=en1?q zC`|8vJJIOC|K&i(gNXlhVim_37?Ei;fSTt#RoyWy^paMoJ{6sAVzM^*%MgXUZD5PX z!MU^7nD6xVF#`WEz<)0%*?~xCcfvE0mpfv3vXwccLRoVG8R3>|MIWJS-{cg`r#N0v zsK%N)-Hw@Mp5LJm`*izTQ>XSyxdCyPD3Lo-O2Bs<zi8++s7t(OO$0MVwN^=iLmcG} z?haaD`|+;RRZQa!%?!)3y_jSt5jJ)eT!)2(2vVvqiOodJyu-TRbEXGFmcP{N8NQjb zj!AAnbN1ZQOI$a4<zB3z$r&7E&3H795vy6IKF8a{s*n=&IU0c_yJfzUfpfBILOoS> zy%{+O8^kxAzYTR@o{55<tc=uo&L{LdbOcFAJt$hCe)r%f=t25H!>1`b12xbYpz2hh z;aN7)n@}Gf!nch7koG;A4;@BV(5E8A!r+B$4{0N7O-$r_oZPbi(KoiNVK5V?fC`$+ zSEwCbV87t`skjX_$LX}7D7Gs{+onjQNVM;b-X_=NtINRzzsHWIPf_Fmb9)}+I4`#@ zR=fpQ`w@7Jf3aom$|RltmMV6@j{jxc3&xw7>|%a{y`BghY6?So*P=YptxkLvykHMM zI@efDJ7SkIoB1-3@vHizh;Bi>N*)r9XFGpHEs}N(P>#s?`S|&q;{BCl@X@$sF1oPg zvkkYhex0#1jJR|0s=vVcqxw|0t0PUMD|xq1EQYrV6ox4?DQ2I4VBY%?Ck$-fB9_BG zw5C2rxPpvjf}BIdJr<ID8o70m7)LE9hmZFsIMX~YH6fF8L3fB~xx@k)gpTkRMdx`S zqe?)5!C^2Y%Jg1jY)nQ6YFu}aL^UeKs#lsHK$v1FX%1mRR;;R!^(xHCLb)f`-Vzs) zYiUlAxE49<6_b+;CM@raecaU<Ux4(2okcR(?2*NCpkj)CcQ5+Ym?70aW-MP;;6#eW zU3=8z&D1(`_*;4Z<^5y>3RB(_*ZUl|A(Z~A4<hC+Eau{rhT<#6W?uh9CN?O2E2i&N z_^uVu={4qb{(({Wm}GqlJ=5(DDOlJVAFvmo{usTd@<4FfZ^{UGU0@gDU%{jDTYQ9I z=gLd7DKEXhObMu&-p7V*OY<Zh23Qe$phw^ZlMHo<7dqu?w({=m<qGaHHe*f)Y(Vsz zWM4qTXpmkuF@Q`qh!_r%QGL4Ai*0?16t~pjfbWJ^18aU+a97Q8K{&`>O>lO3hD|zf zFfMJHPsZ;z9@YGGT>S4s61*zUpP4SdQPh)EFC_L`^~bfOuCfoQr0Oo-SS)S1pqa2o z(06vJKVH!7Z_n@^uJNpSLq8vSUv#FPr5uGv)A9%FGJ(93h%iO3`ysy7Mtw4UqB32n zqw(oW@$9eo8pk3XE=4(~^0>w)-9Ow3NtF2u)o6H7f#W(SM5<!(f$h-ULXJ{)8#TLe z@wf?@s)jLeRv9W+&964ITK7)5or8g_t$PxX6Iop+KoT2tlT~sn`q*qiW=&T6w!Fa5 zd-q9zFs|SH4urmj-#q&GFOcUOA%`N`Yl9QWC#ntHA{SBI?iN2`Q5p4NP?>xb90D%R zC@1>&?@|f)6D3G{y~4x?6mkN3A4yBJAgdhM-uwRX;FKt+ZwYMFI6A$FdX)sbJY=4b zKXf7bbXJS2#k1e~v2sqA%cCV0>=0seYu?Ffi;Bx5-`na~@E*I*jh6t?ceP|3T?4Rf z=xHTQF#`Be(Sy#0Z(O_PT>4_JG6we}KU^bA9d02@MA|i1HVlqjgQMLSG#H+ne4(jT zY&j!kST{N!&ft(9mMOGg9e?QN(HDkWhFzM9j2=-%e|Cf6bn--f{mfn}ydTGET{iRO zgczT2%Wa(!@6~XhZ1npYJgkiZlwTfc0|Tt9wd%Tb%aXCx`4Dmn5nI$ml$?p$=!?t_ zC!LHk+0ABKCNMAX7*-eN9SMjNkKPd_IO6nO4Rqz;p-sK_F}`HYOKl!Fv0!|jZi32# z*n<}Ue5-xqZ@$<Z@_McAj&Jn@;QCefRQtUlj0=vAF@Ip`6me8=dheA%YaLWE%HZAx zflEW|xDg|nj!GB9erNZw{KlJbY`w(~9P)HO6f{rxQV8lv7{D_QJJ&JWq;B4ed_|P$ zQ7%>74{`L-H8`g^sWrU+*xme^_;|7DF90}bpfXynGm-7ITxsda)xO_r!Tg@)+vUH{ zyrY*6d~_wPdUSprw1^)HXs}E3omJ-a)h+LuM%bgr+O^V90h+iH;uF?Fd9cGnPGU2< zLIAyaT&Tvl&iG$~nXwzg5?pu@x^T<}BXg-$mZFTAA#!Ooe`{7)wzU-A<rg@kJ~*Nq zF;yEH-DFxsY6-tg6<?7u1l&#m_3oE*d-U%w&wC87v|p_*1pE)7$4R?(>6aUxvfRX& z=DGujodHZ&r8GkU;Q}Wk(cx=IC_@M$yfBA0S_W0&v1=;?kcA?5&ZhUvprq1ATUQAu zNHo5;$#n;_`Ba~RJep?)*L~&#-G?sOmuDTiSjWfT9iN}*e9Z=nTe|8@N7Lzocy9PB z*170O9u&JQgu73LF9f__*0Y1g=ej+xt*Raxk8X6$a^d(mU?hyiB1LkGQ`-mS7f3k| za|p*p<KbLflW7kJr8_Wq^+b)7wmph6-qWgY4G?p_dPRF?P^C<lxj#3oC%ayh`~*(& z#}8^%z3gh))|<;p^Vpbut=7jd>Ugc^&)2=L03;ns3cX|Wn9X=3mZ&w~y+yd>HcKEc z-A6_TlBc9i8q_`hkr^uDq9_L?7$QpfB=k9w1wgb6mmO>ixn1%IzIO?6DFInyJANnv zfBHK}vbp^N2F>#Q;N^F1%q=jxo@PCNjSXKsuU==mH12L=ps!Kr_6%^f)J0AV!Nx)y zWOJVO!?aTEODg4cGVl`cTEoPYJMU0-HKwFRfBf#%SX6w)BU#!L<$6g2!f~W|uwmL` z@rBTR+d~?|lczLdzLOi)4xl4`v(sUv_)6N1?THrU4I4#ZnBagn2$@G6Q51c8)JB*0 z(BT`v>G}N~4jg~}_=oHUceg%^M&faBem7zQGr=&$i1$T+3>U!-pNC4~F>Rrjusf}m zX6`x^JAUJ?C{r~IcT()LK%W2U)#LaDrD2D-4`5I~#Q$qU7py38n>rRC42F&dXV4ej z-EY7{Is5AU(0)=9f!{r6s27KlM5VHt?@b_;J;a}8q_Z$76qFj^=c}GvrQP=ZcwXfU z3v8Up<$wcse!RSKlI~sj$|jG}`zzP#`Y;7Pwv(vTBX)x;<y`b!?zBTHang~&up9|c zuFUJDTcv^%<S!}0wN#x=UsQXDAe6+&zT^0k0JRrzxzEJS3=Bf`C*npV|1O7+$<^K* zvLCc(yX2&^^_i|*IC-%VlxG>CvlzEWw1<ryR~=7P<*-13BQ@>pAW~|@ILv3hK!shF zj_}ExRG<(_8&zTjU}}tX__!$krD~o#2)EBiKg>qvlcBip1)Mo=<RS5P_6UNi3)5DB z+Z;akoD(v$rFvti$d@Pc_REIVsC`RNTD!*p)yUjhGcpVK<#tA3kz#|A<q+VNxe+vt z%LCiva|$?}6t{lcET@vW3@QIlFF-yCWS=*qZcw=OR~L~({4tnYJDhBG3q@uhTrzq7 zWH#2FW<VOgPpH1zwX}WIQmxSmoch`_{pvpR%v!w{=RrD{KiQv*-=1-2{-c>U@!M-a z6Gyia?}j-vu>fwtQC~u15#2>W8@BU{H(4J6gD47)Xmt)aQs$G98T$2+2j!577>40g zz}MxB9o=}T-IS-3b}#x)(1_0hWVul58TDeP%Toi0^?a4Y=M~?d(2+F1bAz67=;H~} zKN+4YR|1ks)kP#c3o7t38`5=mCnYfzKoD=geF*JXRe%0IP8!#Pc)MMdj}i(?0C_i# zS-T-`*Mm4hSb`<S&B#%AUo^bc)Q)gK4xitGfbD}uZK-DtDtZZ3$EV3zB0$Dy+KCm{ zjT2n-eqiJ1<xv+3MY-$sQVU-H$uZg0M&RvFzXu>I>QIfYa&zuoU8dKNw#fn?j8vd8 zlsdC$Ucg*a)Tw;yW=~<!&q&JGWHOhMh?FpHrnC24kHMsrbFEf`{T`j9hBf(WZMO}+ z*d#ZFJ>|`YN=Wo>qmmHPFwz}}G*jM4`)`!F_GRgyYN{X|;`a&2BSwn|)Rc$_!HqD9 zP-`_QeLfdvP<!ZjAblzFf+B7E!RW&QXul|}2}~QdM#wmX5{rePXb~xkE@n!yK05;W zH}=V1#o4NPEUOKP_8VOFuvz@f=o<44zq4U+#cAzJr$A^F#+9aHX^uLQ1NVlkxvx9p z{;9L_x2mKYh1z%?I#Xd)<OzP3ix4A1WogBd#w=uH$r}zI-6f2eM8Y0gLotP((ox@v zE#h%9-~lc_j4p%#PwwCNfR^XusD&oxD4*0cjB_f+9OM>4mF6~4uUf?d>~h}t<GNMI zEZ2phH)KAO$_wzIqC8IYpimzuq6#Mh4XmFyVGgiGn>L#wDhvv8cFSW1WA2~0sFu)< z@}q^9yzTev5s=+s=;$=CX8R>uEs?&)L+dU*{{|{0elvo+1roS<D9`Hkw0F06dr#sP zI+MN~k+PLRVh%|nsiUHoPUW>T2qwQAWT<Y2+9W>BOYBLwZ9Q9^0&i3OkJhCfSU1lO zO&mh8<sB++Dc|f(Ur^=J$U<SxBeqnQQYF=K?rX!TBr=HUDw+8({dXTE<<rW+2|7E1 z0&Na%A=@(yr}>fk5z!tm{#`(I^0mHF^@~UFR+iDGx|UYc!8pM)WIM!Su)pnB2aLji z-Qu_}QyD7gq&T{i(UFJ%d=8l*Xg=r-@2>kdpCpu0<`2aac$eqv(n2pdzWMT4p1D6S zueTjL$jr7+DRNntiw)8gM`%HHaDsYyKcX4>5j;%HDt{0y2gG|EGGAo0jHOo+O|!7t zezMiYHCN?aB`)98u`lnIO4tQj&^#eyc7&;zcSw;!WJ&K_$0D!TBBob_#YhD>hH&=v zcX$Ae-_!IzZAzP($J%q0=9NtJ6yI;6O{FX&-lOA6bG=0$T$*w<6C&Iy&R%BsIR0+X z2dCylBE~~E+2nDa!_HC!<CJmMuaY#FwTv(K<?OBA?7t>r-EIP42_}TGq5Pwz%*wiq ze-b6GpxxCUUwm6%#T`+KqU$Y0!)F#bIwK9<=g{=OS%m)szhYDG*w)!inRn|eAXdDe zZ$~TnnUrG;hNrGzgdMns@MT;PtcC2uK{*TbBX*b~$$kp*6K!-EZHk<gr|zGaDE-&m zVfzo%_PT?2rJ!p1JOY%x141*cHtwrIf4r|28XYoYLstSm``#6|)GB#xEcua6s~o6E zN<t77In_M^Xp^T}`#fQ^Ilhag9GQ*QCoC{IQCA-`0aGtV2(`1Sfu%DwnN>7Z3O)Dl z$$CoAMRsA&xzLLcS5V?^&|gTQSNrDAzjl8EmCfB^i`UHvd*o1V?lh(-W;`MnNvZ;| z``t=Ft4YC@B`b#ckeE>`KZmNQA)(T30f-SRvXkUBVAA(>qba<2M+N?y#V(Pjgl5HC zAKP3lqDSG9B0qez-(1!`HYuv_Nb!GpNjp(9jqEHw`UWwOjpJ1sph3nmyghWn>8vub zr(>ouT+PY8PQe3YRS17d{F>=UI56}-zMNRn)t1a&bOigK&4M2&Ixuh~L2b2tzx+3R zQE100V<7^Z$u}&`)iRC%mO|)+SD5gK3#PN)MA$|`fdWHRXqk|GPjWfZ<vrCGSx!?{ z!|crbL5(L_ba(J{_xYgAJd_nX$SE7XG(O*LC|13H?3RO(IZ9_wC`{3uz!tb4ZD_J~ zB4}SMe@B<+G?b5@&+-<tD#W&1rH3;m$Sf3g_jO^n&V^+0MjsG|yg}BCWbW|X*{J4% zw(Q>l#Z?%MaBINo8vGpBu@COD?qNach4*3i{UOT9W$ELw-7R^qyd-I=^R{Eul}!Z4 z<60R(Bl5WP&G{TbrMKi*Zf{3G_^qGTYO@_Rz7b>bmCrE!es9=rm)YDJ5KUJ6<-^b` zG&zPKSN51(|7NJ~&9b9Z^=gS$FxNYPWQd*LY0eqRq|kQzPG-H<^k_JsRP97H=*D`i zpSe8W`Lt4mxjO_c{^dBuo1j;o0O1ab#gPH!JM4TeFm|^ag%{lQb~*d1?aTn>7bzmj zhyro+l=&NtF}rzdlGCv`Bmj_9`Q_kNrlj}R4z9IK#kR?3!~!xlg}~673t!vk<12AR zZ!YW7hu`o*uQVK&q}OHxn?FR&gGGqBe);*4G&I#SH*&gB#^grS%qO&{9lw67d$lW3 ztY~H1q@U2MXl@smnD8P+s;Hl7=y1tlo)EwuE+``3<vmt_+l8GG%7aUfWlM==aePl? zHI4kl)rJZ4%%*oo<vP9!&i-g&N_2x9JTjAH=}<b$DgMAQ#D@Fd2Y&G|7KpfHjm zxRv31Vj^XcigY7<!3<?q;5}bF^Mq=(G|*YUjOhhJW4n}T5mG=gI1Lyz8DFgz$`P)w zjwsDmh`_<p>kTN^8gSNro8D-0GJUd8Ig!}0N&B=Wb%ip-A;&@eA(+2>$Z{GKC<$)b zp9te$I9BsYS#J<I<_eo(4=7}O?uTX&_H8kJVnwEvylb<Yk-^O$fHWD?Q)L)bd!DqF zgB~;P0)a=(lz!O@@3>`=RP;k9&J!lSj|NT*-yUY^-0xqXrVPyJ9Ees-Mwu)fUVo+A z&du~-FitnfwKhNvMX15s*XRxIBc`2vifBZ_Q^Ls{TAA$r^10G?vH>aDLU^yd*wV%f zjyHU?mt$pR_Rp{4^rgK<g?KTBpog}BD@O!2UtAHnrlB0#soO}w&&D!ZC#zF8P)Dn9 z3?86%Cz&)_g{NW)CN0iUkphOQSy%pI{fyQD+pl9aZ-GDD8oaf~B@dtIfTSuq8Pn@o zU)&C!F+zWKOU^D^h@e_kRA<^+%`b9)xR&N>FLKwMPwWj%d#cft{;)C571@G=mE4%{ z8$OnA=@VSYy_b%hEI&)wl=sXz`jp!IX`!%Y0@HFp-_D@mwRZ+QUTV4F9D!qKbKmJC zdZKL2X%<yP9XXeMAb5ZR0qL0CjBv{hg~UC9NviY#+n7UrRcPTkV{H1{OHUi)4NIOz zyzi{m^LTf-vh(j3NxIl2&ffI{HAXYWg&e63cA8Jd?_E7dHVt8Jl<ftC@3cgK$#y?e zYmZn78h}kL^Yc1oTB0Kr&~WV`omJ+%_3dL#_W{$cdCte7A5mS2+l=R*okIofInH-J z<yEy<TjPZk6BFjOUg>@}@V3`z-t9D_xplv&f}B}G&;x+tlxTtXB0<o_V1;{54Ea<0 zMrDmvVhojcYW>-$GL5Ey?=XBlN1kli74&BSVbfv{1f@QHh!DilyZQ>DT-y;H{Ms;V zMSa>C`N}FWVN-FP3Ee0CpcizA;5-NU0~^K)cxyN^bIiS$%iM&VDylBd$^y-o6Xx!F z(!~Uo{y5^2K$i@<A!LTL75L1wfWS%JT}8ya<Jd40xrJLB+v^zVuY-0YurLiS;`?IK zRmk8}`VgTtu0JwM_1m^Z<vU;QT9xoaOU6%xEm!cuaRJLJp*_!eK$NMGfPSgBI-HN{ z8sbV>Nm*7Y@OPiID{IQT+@>XIryueQKL_MBi&<7_tQHMpRzR2M6JHG8z&k6ha5v`8 z_^X<{SHDC=zt~rU=1*iD*aciBaei;6d5BzOo;{kyA4{V@Cl>HFRb&wNA07o&s3<^2 z@&|{oVAXq%oNr1>BMFYls~=__-hpN|J~8%4I6*n0fr!J!a0s7dq-3gnY1UO%ZK-TM z-GiERaAX$vm{nIc#;>>8T?!Gg6{PFAv&Yo5YnDXqD}6T~t{9s9g<~?USy2Zk-34wB z?l={Zj5${k2DAN`9{ljxx0}cEXxCZ##ODm#5A!riYW^^yTu4i>4QxRsZzJSDhjU}y zY2%z%?4O<b;Kv{jN=g0vHE-OKBPy~VL#c@dvaAAS^pE~NIZ996Ui%Em9l4m!pR!^s z@6m2U1392hF!`QHxd67+l|o_!=&>2!*9CFN`5Q8=AbB3&<fA(W4t~>HL*B7d`xK$- z)D>8v4kt46QylcQs&v{!U|WasqI35Qq@2rp)89K7{8k2j64$h}lQuj2txcK6+S3^G z{Omqs3MfqUiY_s*$?JEy5&#Vx#i<1fh1I-JZ>8CPpnzvs1?bxCXx$gGobaY*Fkho6 zdRwhA9IP!jsXjXw>-iq_sGWud1j<w-H0Lz}n$Pec%INj3Ptu|nnOy=fX&F-LR}5Mv zNK&sl-kGH8mPLBjUbY4;Fd=Mx9O<6GQ^Zi)45gCq3=UrQ4)W(UqbM4d<+DHzBpGcm z75A@>sG<fkmV6OKk}F(*8QA@1P^O5726GmPhqi2Aj1vSYLgwG0)ZxGhzf+B`r<Gx- z6=6N}Dm143v~~Ut{f@+{0^g!|%`Dk$%%>#h=fH+1F#WRtBXF_z)Z_`RRl`~xD@Ap# zP?Asnc5Wm4)-EI97V{Y*Z?Qpy)}!1xde?Hako`;7m@*exH7A=l1P7(^shbeC+cXQ; zG^Dj7qw{KDf+88L?kVf;A{jH~Ds{71LBM;EaSQXTYBE6a1_oNo7QH91Ov9l=g+I<j zXBLc+E65*)W1R|^N^w`LFs4>5{%FvpGvV+>rj-(^_!X$=znuqvG>g_eopQ4ysHS`2 zk5}sPLEBQMF7{rOMGZ!J|5H%_NgSq|r=esULDx!?Z8tC4XNVcJs08;+^-#8DMjEuE zOVg2e@2b(j*1CxH5i%*KuuF-8%&p)M*}m%HJFnlHv95M_)5VN9N-^cn2GKV0rMcPY z^N{8Oy*2LqdV}Pk*eB~bec5svtC0&H-VE&i*Wu33fl}{v9h)q9;J){#M0ZUJpWEbS zuNNEJNSo<W*Q5;Mg`;o)#A;&|?sUs+mo^8+veD<XAfgWIJ`#xXKG+{Y1Odj>SQT^I z|I-V2`;}l19^&G8!W?ZVzYs8gPP|9$Ru!0%x`8>VgKB9)du#ioq4GjwlYcb#K5Koi zhW)uT1Y>;?5v$2N<d>mj>zqqv(@@86gFq68ynNrR#!U~IV<#N8JbPb;Pr59G10OmS znAJzQ3t5x`4cMKFu3894jzS^bJ<HT`OUl(!JHyzRb`dByA3)FRUDR8eJxZW|$Zsxl zFh`n;Q;N<B0jhyn?@M^+mOhhvKdNTDf3%z+;I=bFCTE99>bpcMPT642ZFQ~KPD*sf zWveLIq`J|nC=g%2we$Lla~A2jb`I6?MRLRM_2$%XggH}H_A~C$y;Fq?sxyaD#-E9k z<bZ5`3cgyj8V_W`>E8S<EU!!)xg-m3qRvj4=KD#uIO>u@JJXuLFhlD+MP#(29#YUS zlXUS1RdjDJMcv-6KSyH0&l{uhk1@tsnt*y&YAQMQv{4tS5+)rw6?jp!Z|0m$_Z)_~ zKP)oh865Wq3AyQS&<TwVKH7@1V&AUO(zB9t^xR0$^@kZbh1utEBXG09^e;=nYM9UF zxH=GR@Q&A{XVf2E<H7iRRJCG@3;RXcEfnhen-s?r;%Af_XSFDOB`oD_p)`c5@~i0( z*B%6D5I+)>Y%E!aa7zKjx2~ctZgFG#wWG6=Vk=^+DJAZlZ}-}9aAtTlcrcm*oj7*_ zzxC<X!P8b(OP+w4*{g{B6fW>d<$VeRZtrVIQQbWSj73iNrDeFq7b^QF3NQNQ9vbUm zJ5#R{UBD02M#<Z@QH{M3S*tacD!(re>NptzwgN7D`gs@8ketkz@Q{miq|;R^Y}^YX zqZ+mL&zDC8@g%Wu1XzXBwlmCVCj7AWrz^YX2)BoMoDk2L_N!@<WbkO(Kc+8J@^1si zMfrS(<nb%fEY)>#vo~73=s*QQ#)6fJ?OUsfMxC@c<-G9bRr3fvN~!iBTV{$??Vh~X zG3xRr_lSVoft)~?C~wC@XJTt@(gyQ#yp=V=SD+b*$%VwdS`kx}+(tck7G&xpcA}c0 z;%os}Y)5?vJ~WW(-{JX@y)A%v$Cjt?%Y-V;SD*=av~xd~#wb+#9V_(Uv)GFqc@ZA@ zxvSln2zV7FNM!wo4LY6-%#QOWv)jgY)#VZahR{|t4-{{Zu$6+dVg9lfYPn*?qi*+o zT{(i1iBI7l8?n@~#+@bGp}XILikjOWQore4M0bjR$~az$P}|`o?eb*WIj73ko9q@U zXnx`=_&Sw9Yw%T@NTgjs060NgK5PZg<ZJ21t1=W>J~+HTC>LL@>e?KU16L8#=s<VI zX*2C(KISm8@W8|!>vhxgC}T_Z+HQJ?Uvi2Zt~&}iuLY?a*KsvVl8gpTn-})Lr1piE zUcZ|2lOBI1k5*_()X@#`u(0cwjaS(&RsZv4_P*Bg8`Dqxw0*oO#x!FXWq7^^)#yh4 zA)fk;y7^x}$#-w`4sC{$&2wX17qZwtOWdAdb6totl!m>s@|zm+BO6VjWgL>-W2mM} zVhI(GhZD2k#5{7a7h4_DQU|QUvyOAlPxpB3#9Z-koNTExxP)Nv2C=60OldHS>X3Z* zkT=vPh%eXqu_T(Z8-1X2%1JX`Pz&y(8&TLj>A|?52YIf=Q=13{-tY{v*ZQ-5Cgh-r z|J)heK5{dcpTRn`S}OalnQ{5ttoW54^Sh-D=^?^xy?KHSgPcvDBXw1nPW}?Zl9uR8 zFsJS~|29fQ|LwMn3EVD8c&hv^ifRdIVR>ICc3ol&+nuZ^OKj#Loob6(zF{UVqoCjK z%obufGvgNC@*%59p1ZVT_33ttd+>C9z2sCeTUnaz8h^1v@tqJw!urT29%hVK$P?R^ z+QC|*gSWll?nd~MA$$8~A@a9}i7=9Iz@K_S*|*qM`)Tq73IuScLxF0}1L=~SgKYv( z;V(%ovWM}}U6Mi5d%><f9d~XrhQwhgVp+HGv(VfLrrhlc+NX@5)LPCBs|{%RbW5u* za)$UJC2FSycP=Q8=Sb-A1rqub_W4U)DcmGaui+|FsLN9qD?Qa)&v0yZ<Rey#e`1)a z{Wj3=ct5TseYtIR%Kc8X*(OEg9u0lxMfF$&6|=LM?;aH>V)^F>s@<xY5wN%!Sh~+% z7rc?0Ak<R3q%-yt<p$=Gf&tgT6JdfKYI_{I%3K^s-g{aaK-g3bUhilN>GhEpdZ|GL zo}%FmrkfZq{;XC=$)TQU@s<;6`&`6lJmz)9>Po+pxp=<n?(!ivY}9I<gKL^mNI&J7 zBM^z~GoBbW_Th-G7W>7OMdT7-xWSJEks@*u3Mj~hb%MUV@FOD1mCK?i$*j`ws|QK< zouaJICPgicEO8h9%yLwOYDKYE9qO?eT3dn}>*xTDcpbM5N94Yn)ph26KG53J$S}`) z_hLm2kb-n7EmrUBs;Kflc`j~(6DP{CBT1a85Xf(b5(pSx`(X{PddD{OUkK@b_*6u+ z0&=$td!?v|u`AXkw{@q8E?m^Lb0VI@C;6C#tQL>2&^ZvUvq*4C-UqIj_XQ6ouHgDs zdQRC~(UQj8pt|@yV5*#ap_^xy&|qD)W3nA<A+tA>_R-}{^r<tCR3%`%ezttrKbE}H z&Eec50WkU``dTaGH(bWyjo)$|dHDM-^+fD0MZ7VOK8UlOxd==4idc+i+_mFbYe2f| zo?7{l8fkOQzv=v_Ur*7(oYlpz4ZVW;I+|LPn3}sE#`1@&S`Xax(Q{h)2^y`V2BjOe z(=>DHK8Uv$lNRZDqF}4RM~zG{xqpC<3pr}*R*iiAmOnI^7jk2bM#R0I>oEdaky-ax z#J}n)&-K57)H{sfU6WtTKjD3rqq?RlU2rFFfd7SS6%nTOF^_iak`DXV(uV&L4gpo6 zMMFMb{0o|037aAIkUq33dd#nVS#QRla&G*J%mHUL0raRwR2Zm@>n$UNK`D14D_%-> zx{!HaFNU=QzPwB~^4>V&v~n1v)D|LnRmqrqkcAG)%dM*_%;iGsns!Tq6T?|81GQ&a zL=fycf#bgnt6zmlpQW+34d{xIr(sxHXb~vmJ6!SeM}ziU$)DlJ`qp<^H}9~!$5&n+ zV8#T@da2;rkjZ@@kDTlY60lGbTPo|iyL{8037@@gntu=Y`=TvYiSXZQr|_xblcsI< zbG+T}UU7daM!$5gzT&?3Gtj!ckn`EwPyR9I<P{0`3-uGZ-+9CE1$oWSy&9(@!%PW2 zgNf6iLv1nohFQ2EE&MDS%ok$Fjh45KGW!{Db43(J6F}bWj<iRQ2K3S0!;TtRvDU&0 z<tp~WO4ttck~6%R`YI^fp>m~QPJj*7&bFxXblL(5e6eth@#|!^tVk*CCo}vhkkS$r zHHJ$6QTIC4r7Ud!jyhJVcjz7aWx?XcWMFsvd5?&$be?`K?jM)h@xGLFtmy0(WPo(> z&Tuykw?y)FTT7bny+PT7j!M1tyV!K(`~)0Ef;+@xMnCG_0t*3_V2}MWBD_(%@8Hb0 zhoTNNwET2@y4xdO>Wq6#Tm6PYG&AqVfRHUFXfO;6x$vXtdVYH`^gbpp?tN}uxj!3> z)KFXXmyyKYuoCUo{Ot0Q)upTh^89U-mud#3zHw_c<eA*CJbFt*6s9pj1Z7m5!G|2a zf4DK%UkVBX2~eu$XD+O(^RJq_^DSz=Rn>GjJejo!TWmaUIp@Remyg?=I7dp%18kSD zy3pIXVC&&T_^sin`v@SQLptn#ktZ}F;O%$3&aMVbeR!P@T$3)nrVFG?Qss$hz#Uno zurKj>qgC@=u{#8$%9EBHe(<q(3s<+<&hmb2fDFEzzJp?=%2*)ITW9PzSh{KlP2+)W z3|GGmXep=fg6Jg#2rQm)e-E=4y#>shdWYT;)ce2+gbmGWJon68_MDc#ea9e~(#`XI zE3=3nNC)?qUhF3gBv8r^NaN}hMT+I<+!;QDCPG{6D&dO|cpvxdJ3#FVY2zn~D~sjM z<M*ThP7My>(xgHkAr_bkk*SgmH?oXDg27uj?4kJ16#b_u3J-t-*&4`kT+InSl&mN> zA}5%n(XrC$Hdcw&>n)yzyn)KV2XJ5zK<x=Q-0lzxpUf7XO%RjRm8M(%jW5*6o+y*E zP0LGFNJysuxR(C&cos#v`Lqfejv6JO)4Z-&(tN0~j)_?y-!Fu1t_e35pV#^*9=$vO z0Iz<&MYq^blCxBx{j<M7PttY6{7cQ1mlI%hr0I{Wn@w}ObkiCq@zBU}qSnHb32U&t zT(sSzDA_*n;9R=Vbex6_#N{56)OvEOtS7;lb1FrgIqg4D@BN7Kl~ucQ8D;#UpTmA? z@Eg_D<b}|eai3eX&hDMr4nv(Edq}mlo{w=4n*nFhdI~}_`>sKDj+k_GW-6bXtS6}g z(f$zp+S%<7;<^^2B-|<qvfThdBD~9fg`CA2P5a?e%eK-DfG6J#z&9$LS`406d)#y( zc+FY_gloiD4oz@=uC(%oB9A1K+L9|5OGRP0VM;xmcQXqJcNbbosA{(xG`kY!rejK* zO57@c)g5d5pg_c=&U2<W8^hQ?{_{HAB@2^Kb?DRtne`*6q1|ao=jT~itNnxC4)Yln zv@LmyH1PvHx;HMU_f$TOGF|xfNh@6#1E?fkbglo$BO9$R6Y53N1^r-q{ucETu-FZt zU#b8W_`P8cZQeC|R5SBb3q{5==Z8LCOJ6(>f1@(u9uk{^+(on=>GjQJ4zc6=mKrma zz-yjtut_-VDwqcG^$7bJmg7h7!(@4`&On$Y3>@2gUR7w?ID2rX7mon}4;C<Gc7@FW z=ihTS`^cRp>^*FiCg^>5d?65pnO03bIUqYu(y^<5u-^1K%OB9Rv;7!76q<X=wAJ+e zRDz8V0t!1QDlT{(v<tJX9A+%`eZU_6cX`9gN2LJ*h*cK+N8-HXAl#pF;05tB7KE93 z(gzcOmvYV(*;(3WnML(X`$>lOxQGz+%$smiC4Jfv^Lt++TFN6h#%J*qM??eNca<y> zNpL^1KO1MaRR6Q_8MG!=fKl&l#E*{xfzsN2fjZ4t39p&8LbHG!WqlJ=l318zy+YpI z*>SeI$u%AJ6{kM(Ek5uBNNpbt@@Am^s|Wfr3o6P?yRNOuQcJozgcj|)fVnQes}G4u zAL%lbTB(sFLftb&YUVFD-;EQF*+8#9%p`Nph^^fJvt8N?LB1tkVkmL))4YJq)tV?J zY#-$phxF^pfGuJH6*9ExkHrTy$FKV<O+nyA<o|~s$n#6W>|n`F^iV7o!a;E6^kYy_ z5=Qj?40YC$IENwY$HfTI5);<m9@cD#L0Lt^dn5)e*S_-BVSsn@ctb_jJYKg#B=HT^ z7vc~mgn7njE8*obn$1{5oAO}&bvpjj3mDb$cg{d2@UF%HDl$Z71GUgJ2g*>;K;<MJ z*_M4H*q#3&-;(EJB)~_8D1}kW=$Lz`H8;fKw@o~T`g(#1DRe2>HP@rI?{C{iW^(jy z9JcSDW+k|Fg*KyGipBu_RfbGOm*Upe1J86-tR3h#y@?&@1s&L)=Tj}7l^66d$7i|( z)Z0zMlm^wXk@Lo(;H_krcaX3a0C^KO4eDxa81#csS^;X*+`6Pc0aOj_T~viYh={R( z;za=A1$JkP^HITEYTkhqek!4<Htj#l$|8Trw&+U=L&BHDzGCpfqh<1QJH!MgycQ;7 zMH-{tf5AZ^Pj}Y#RQBzR@%bYgYVo@%2<)k#qkHVv|3B<X&@w^^7h6M7(m3uo4q@>7 z4uQ71hMQ_1=FoNlj!Q;N$(|BUnHOWg-xlw$zUm)$gGM;}3fjEj@dBvFSn3!5^D8st z3}-=eoJ4dOstszO7MCwqb%_DQy8tS+x}cgQt?+$N?(=0_7CgF4E+0g+0D&Hv63T{k z`l$~Ove4A&q&7(vdHsr=M62fd9`|U4k_MTwj2U`wlX=}W(H&U4pT_?p{s1+V>uO8| z-l}tX4|&3n>ngS%Bci?;6$7&%6!;Z*Ln;~^m$amo)Km-n;K6MRvG=E~KIxx*>mbk? zjHsz&JJ17%OjtvN@jKad{)46@_tyi|?E(Fhc92NNcG@~%k=8^-$TC9{Kb(?+t7ajh z=7ePhnoyHH+oL6cS!NR(fk`&5y^m0I()$gj|9@{tagjdfWzR=(e~mZYgqrU^6Eqy+ z^qL6kbwnnO##;SmSb%a*!ehg$b$Wy_E~hgD5N+;4RUBZ*F_CS3EDUCs67jK-r~q!` zmT+76%GCLl5>u9vlf-^JL@;HK7DW6-3UjDP3P2hs>FUa|umf!&i76YuAGehRzqIfL z83qf7$&IyzJc{;kAC|*R6&VS~b&;5R7sGv`*L^|R>%a)mzKt={hw?an5{}9XZTu~o zH&7_BHHIuS6mHg&HAxc)*$Us$EJ3z(KN*{5%ckQ6Rs`|8ARg>zNL;LR63@OS6Zjkt zl_$u<d_LbEBqsc{tS<&$I<wXNL%a8ZQgLlv0$JUKzCEe=B>r1%R_PZ3eTn<<IsCP^ zz3gFyMdZF*8`3<y<cJucRHh2H5n;>O&&L`c0%^C#<+T`M<sHJXlr6*3Z{U*N#+o~5 zB|46xz(rq(9=sCFf`?x4lZo%>HL?F*@FCD7!1DrgUw3ng_6|2i(?eues@e$~K7V|< zSsv!3C@@7|qUWVl<pi<%mwS%Q29vIz;Zyx|YAs#6%Q7S`1KsB7Yh<h;)a~(sZR<>g zh4oiM2ODD&6iC4PL>5~H%Lq+UbgE)DH(uDj9)bOy2rAMCwiNuIqisv>8zF5pDXAmi z=#Yb;uv|;t<C}kTm{v_E#D21k<GgS#w?{yCuRK={WTlG;C2ydAD6bDUYZK0S>CdXj zc`9xb)*-veXd#t|QxCqWaI4uecK_bm`duKa)9o?n@B-Q!8v^0k7!wv(goKvi@wc>} zwp7|277jy1FGJ)+s{ow%YPwXzf&}-<OhK`!a9Z=1u*JeKbSogK(>*Zf%ld=%RG4TW z#6_hjSt<4`*s|?ma2TUdR)J@^wxve`&U@6Qx9%ESxCnbr-;Od7gmCHK_foidVW#cj zQ5_iET&-=Q%1x0OlzwPQ6E~7Y?FSSe<{OL%sHdrF20!jdkI;rdirg_*nE7)B$K>d# zYP3Jll+E=!lcfs^X?6p>aMKPad+e5vShZ5)tGXPPkA8n2H#=5FUA^d1P9t^d8<r;W z-1xcEHJ!<6Cn`ycMkBO>R%}M1zJ|{ZdxAh9RoEDS@~C^;<0~!LbKTc^71!%fjXpA1 z?BC|;QopN74USKQ2m_y109Fc2--+IwVIRC<+oI?ISlh@XBIvR*E6C_U3Rtm{G0er` z+Xotn?X9nYu7_~!2USg2xUv*<Nu$tYBrn?Y(PaZ4FB;yM*8G<Jar6G9VjJzY0_>sI z<l1#4YH&w5OTJ5NBi`T9q3bis)xbL?-|uTKeQNoj>*n_axX9J>@AZ1YVdn9Z$j66{ z#+4?*77X&s3s)E?5B>%9_8>u$rYc1U_YUfF!idcv_=P7I<RE7x99-m8pM6NVLxXQ* zOJaLi2$m`nD!8okjrdrZu~=Ky5$$UIZ8dg#t&&tP2HNkPBJ(l@-#ah5p}`sppvLIJ zqg-*!U_y&bxT5dB<okS$!Zs)y;Lc0RUJ0j<SY3&UH}B*pJAmfj^;9U0b3sRjXGt4Y zm+cVSQwicTpl#D9<Bm+rrl{|nPB{l|T=l=_@xe$~ho>&rj9-pCCt?%{Tj}xC$MID1 zy<5xj*;%=cF&_Ty(#U;4J*GHXr2+O+Q{={2I(`gZQ2K2Ih=<W5Q&?Q_3)4Z2;zO=v z{GTGbr?CADkMnSqPz+hmDk<exD5_0o5YADp+DUvh+{52k+E2qTe5OoPjhL1avN@fo zB$UYG+t5-Fjnkw(mz&9;zTit%@k1w=N$jz~w#jbk>wFQpsxQ8O8n6y*J6h*5o84y} zj?7a~Iv537<8jY=qr@hZ|0pxI0-8YVJ7tZTtW;Tp*?doKY?)aTJ`d}Xioq)f!LDwx z;BKOWiasoA$PpaeX)W?pk5E(tJ!Ll=!blzL$NK_|!R#BfIJUVF+5ZJCl)=(KNq&h` zdAo*u*9NntWjSJ-tiO%C`GCnUTXiXB#LMkm_KF|Gry?=YAOF6g{vB2zThNAlflwib zgHp$aWdDO;z(t;EU>T!eksbF~r;M9ZT(+8?1c6NiApE}bkeeZL>BmTY2P4|ZF9X-@ zy>E7!OkiBMpe4+8P3L`cyCss|Q;RrLy1JIhg_C|Khj`6m|0;9VG495|XDp<|YwDQe zH38r`d<=1#a)#foGD97xls=E%McsggzhEWgS0oO<P7>o$N)M;q=88l-7Te#QOR7%o zxR-$ZHu5ZRO*^$lD~q&%<MxA5fVtK!|EG9!a<{I8fqWi(vYZ4|Xl#`u`49qqu(7hW zuP%MtkIshs);VZq{Ke!SmO1#$&H}@D-s~guD7$@wX}<`r(<=@;`+XG~Owc~e?DN~A z-Hk?l21WK;NGJ_}IuW-^O<2H(mFa>X?>-?;AO%Oju)iE*N^Q?{9d1vUq4t)R69?H& z@xSNx-6?LpN+un=!_5mkW#S=OGVm05h)11sG<|l*%?VV_cgA88xI!a<=`c&j$5d6z zfNwzd^th!Uw_Ja9)5?hscdT4N(HJ03b<C!b+lN#OMkaj8y&t@ofx!D=?0j7JHAiB1 zA18<pvlnmi)NM$4WqWRmH81h!D_#`RwaUOUQMOyMvLWbA3#@Sz+&*WhwGy}f%>D;{ zE8p<c-&Tk(o@ib~g_3fsR@qpxi9j{a4cA)c$fXP{c@u;^hb&O)@UW&m3d%)8M79kN zW1Wc}>=51ZA{0#5wwDu0qfPJkSb4S+1TQP&N#h7BFKc;$o;jl{08yVmUv+ZU<4IJ* z)TTh7+e602#Wt4kdRI1Myc}&9oE*Ofua)D&;LvtNsqeKo%X41wR(GhR4qYmPKQpR1 zz=r*MHlIQMk>CArSJW#hzZ|wS^U?OGsrFZy!jlEkG`%>7dlrHN1#zzn$H&L)4?J=v z+Rl)ciUc8Vhts{Y@MlrUsH>Re#9gFQJO>atKdgmwTpkU1?hDqPX8ts?q%X&Qq?h_S zPIcrNEm}vPdfQC!2ewZ-g^#I+(PPYODNa*2m$8V()#k&3)2wbS%&Ra*iLIvHcWVzg zY$)Q5fsk)Bn%W?67bv5#G_F`{D4{1dRw__8B*yH9WtJ-8aUx6q>0lQcTmdv6l7`R6 z^F!QNDoLoagwVjV9esAH+@p>o4l={}6Lfk+)ta^uqW*r9kewz@ieu-?P?-!Fsd~{A zLE<J$^Y_|OukQ3|_lt&@2~IV+@_u9p+ReiW3|ZRZS4XIU*Zv%p{dW$Qn!>5_<VX)W zA?!Hk@#D(E7~Hce?QcoR&ZmPkyJdqkKRsm~p7$dAuIzCGkhxuf>>OcJynjT9L}RR! zNeDd=Bt}>Sc%U*x#JAL19|s~rrU(cPt0Yf;ww{(D#Zyc}Lw=eew_2@%I~lz}6<R?0 z=hX$huyvbo5hfb*&O}!oYx-<ZGBcx$z@SZ}>NVOAbNwztA&6`@!-Ql9v<VM2Rp!zj z76mlR=~FJa{*n{Jhi0%Y0W)}uM%4MRCPHiIeX`ACyp(Bh2`7^&l6&AY^{)6{hZDnK z**6pleYDPjDGQHsUdGXG{PSAy;FGTDu<MX7(hYUgS2K&45?Qk_c&Rxm?C|Y-d7&^{ zn>7uF->5!w&@47<GAXWMMiSF9{)SjX{A!xIU*DO9o3*s5U(NR47g_D$tto|UU9-m_ z3qXUk4|1c$q9qV9SfTO)!Y+BNN1i#X3V9iMl|ioB#*`vP2p(cT388=w^)MT#qm8m5 zFp#b$$QY{C8DQreK*7S0l~dfzfMd*+Dk_Cyw)pK~-2zTXa?p1}HXMe@pBpKv$38%k zQk$z{E9U7LDGrr{n#fQWru3u9>d(pHVCSkY-nylz4$q&BU6riQJU`A5>=$MRPIvx( zSlVj_Xti*pU?koGif$Qa$^?Jl{p_teyx{a85c0YfTbn42WpAZq^ZD($cQ{BkCrYY& ziGe;)gszaugGfVK?{T^I)$7Mj!MatyG5S#GCoHmlSQmWL%H0s)&xrfgqsCg=m|ouS z{V$fFSH3Vx2)cpvshYs;-vMkTfr`JwL>w+Ii$?4rtKC3?_V$vYwKhuT4lh1XTIdgR zjR6y2U7ctRmZRVQCbpoGWY}owbH<vmd;EP9KO9NA0$m)I>ShX4@uYHHALh$h-dGA@ zRFZ(m9s*gQj%L?8*V<AYj*YEUzo0lj))QpY7)rSN#RLW=wfG@hnHwPOJSB}9<h59c zbozMy*recOZ5~T#K!OLgWaJ5@B;=;7uvL#?qf_N&1nJGu=<t!5&aijjM`+11GoMJ4 z27(*yO@DB0q0vnD^SqvG9amMLBB21nWiXz=PhDB?maD&bpf{NdLMrT1u!VM+<|O|s zIMU<`?6aJ;yf6%yCMrla<}s0H@HoH-`7M$Y1&sW`Q|cElsaCRe(CnCT`RcNFxznX( zeulc^OhqshJgPzc4&|oS;g|~5Q-1VYk{UM-FRltHx`XKFY*MoV4W}ReZ#2ri!3Jd% z%*_3J?TTGBBvQxd%U+9=`rZesJiuajv$+hHuaV?v@Vb^CifS1Rot`h#UduHGr02JR zHf4%rp(k+F^`briOhXbw8cm_`l^IB=HpK{&|Mmj%u)UL94Xo+&!4}zqfJN*EK%g7H zDNIzw&saI#xGCFy#l$u3o0^}&PVXs$lPwq2SXwkYAF9@F^A=3&YDv5Opy^xp{`-=> zl*K1T!3l$TM)F|QetGB7O6e_7c;o7(%YY=nVbmg*mQL;9=dnel=dz$G((PoMN<r$s z&Xh`T0VFt^Wz<Jxt!>KN=*s{KcPqVq0-K5-`pR1k9Z9S;<Tw}4x0bfdM-F{gt9Ucs z-bcafkO#9;gl{jH-4D|!JtIu?XJG6#0Zi&6MB-uwOleHE#g_K6m;to7R!#>25b<Uu zbs`txfRO9Ao?2fPLwwENG885lz8(yCt$?Z~utDOWjoj?ZR9i43T=y?WB3LTmg*LW^ zbv@Lu^Z8Lteyn>AGcVXO@^**yze~rx3K<4QO#1<?TAxnicd6%yH+3*d1RwHS5@bq# zW}zrzqT_Kt4w4EJA$`e0Y!o8Vtz&g&K7WMAt)3#>@LYagQs&x==GhM{GIh*da!Wy* zwavP>7&xl$H=x3uC1z=$t^Q<A5+mTeO`@%^B9)ddCZW6EBET}%T_Y59mrZx|=i8m9 z+0*CF_A}_tdb>}?ME1YcP|O6HtLDFKI+6D6CxGH5|0N7E{iyk{^-aMpwpXRjZeXjJ z&I*a#v3x;kE912NFaf<MNdVE+`o4l$`jf3VJi?xT8Yq4PiFDpELcK-x9z9v%x)gBN zHpCkDi+#o&i@H{I-V<65Xvxf_)i2@MHEOBHQ0{qz>wcQKa2iY}`H8am%-Ri1?%B~& z2I9(BUIOp)TS6WKE_?&S%-eVGUcbzdsZ{Y#W<cEVt*1Cs@KrFw&YUE?$^bs>D#s~j zs9rrK&ePQ}=Yl&8I70?Yk=Wv=i3Gnzm#M9dujw$#7zCKp!dl8j;?NwZtEpyJ1O2|_ z#mOrPWAu;9LE-Bia9<D(8X2g^?_bmo<^!(Sx`DgGJ3kzSgXnu6(U@M&pj(5l()}Oh z8T<gBG=42`YMrt$G1Cu4hF`?)g1pgot^8a}(8Sb3a=DU_*QvGYR5R90XB*mv<B_h> zOT4%2%a&1iFKUAVsO8pxX*md5d*p;VCift%ft|ME_bU0)r-~TPkP#ApCdlk*P;C%| z^A07FaznoxQP_89x^<f{es_CQFdEyIi!Ae6HwCJwCd8mjxwjfOHzJ;-8`ren`ul4Q z5gxJcUQox*mf%4_6N|7qwrX&fM$?uh{PkeTea&s>Pxe7(!Oy<D_Y!Ic;%11lXbm<- zG+W<)O(f|SDD?U6E8||Z8sN!N`3~wxo4p=wtJpOeKvI|dA5mw)6j$4HYb>}YKyVAe z-5r9vyE_E8;0%&rL4vzGL4)hy1a}DT?hZ3B^UZUr-a3C_*RH<1SFgTS)Ie1;>CK(E zXaZ>u<YO%akgy9@f`o~SLP;RtDX{NZH_i>DL*?)EPs`KqvkZ((<~38{eU=kZTsfY* zeHr|5$*;ed5E$@sm{lS4)F65IFD6jKfqBEcn^f@cRJHXUw(qGb=#u6fp9~PqIdbTj zi)9Mf@uEf+*Pq|dw&#OfW^<H)R!xf|1sV~UYZbTnEJF7D%Go>-$+A^(m<O@rP%~J8 zg9co;KJQGYTRue8<QTU;k^MxC{nK$>^5dUpIx+d}#LPm=zWu_`Nc=xo_mdD>+#kuW z_zP!iO~>&{xpZH)ZK^fJgVLM)>8R&h&%3{J(p2`q7lcZMs(m3A{c{gKkyHWl&7P0{ zTDJF6td`rgBwN4e<B>=@bjcDy)34qL#C*2ut|tInlHMkWoU5kmB6jY_dBQu%1d*0c zewlvGbqzt&?jPbJH2#}8EP5u|MD5n{B&_4}Z)=yc@)Dg#YkZ=9_^m=Wg(?k)Z@<@h z_lS~op?=?@4sR9L_4seLp+(49))U#8XnXZ(SXtiC6FC~D#Ih4{aXDzq)%HH1PJHd> zPWk4dQyUP*fMy~>h{v*j4miqupSaxj9$KkQ!mj=Tcxn*eO@Iaxpi$W2GZVUV`mFkr z1@{J?5{+tCE1l4U`89s-3ry}62~4j{%2(}IqYHOxIgW}lcuz^YkcpduLVOWCNE_zB zz7zYAx5_Jt;YmFT(@`%L&8lq^FnohT!%lKJDjz^$>USm@xDyHNt!u~p)7%l?yc!u@ zJnjy2-J6%6ykGf1=WJFo@Zk=MguUvC{g}Zm*pwrYqwQ=Gy42+SMNxf?-hN-?(AW3d z#(-H37NceI7rc*T(O=!797_Ka0y^U0>>e=)x5y1}ft}{9%oGf34`Y<EYktNDU9ZO- zG8$WN+B`p84^IBp70<qw)3`ufQ%GOn3HIzNK74kY@#$Y>o=VuEB7u89jEOUjJr}q& za+b3qcK;i=cV)cw<V$94{mjTVF_4$Tn9aUr!!TE4y{sW%3C!hmICo>3ysqj=kH}Yb zZ&4vwE{dw(L#>e6Z80IA%`@Dldi>cHR&*tc{&UKUMgy;uipG9(V)G{QJoIKzp3!q5 zXa1ujU%SU5a$s~L#LnRp?<a2Y>oyE5Rx7g1l|ZYD%eNTR2v5e{h2qCjy)Qp>Re5>f zc8;PR<AWt%eD`Z82YlhboUIM^{gikn;PeGs(Y2ytY9KXfYr}qvQf2^z7l(jE53)Xn zHjn?~QchE+LG2{!j+}t;Rp(P0H04Y>&yD;EqxLLsM_`IVaX}t$M_Wg!s0v@mm>8*T zs{Biq>N0?3U}EV5m)dVA$Q9aWX68%YGyCmx1LD|E*{l@r0Gk!b=2(MsjBlB|#D_rK zLm8T#1BUc6yaK`ZIP5cGsX7ud(dJnm>&2FI2f_rgAAfdP6z>qG_D2tz$A+Scl8ns4 zxtWxUzAsx?rgxi865j*50x4M#IT)=z@^)bkL=xCdTq(-JI_SfE<~T|XLc{f(t0vAb z|Ju{u*_S<bz}9TWtk#uT}#xS&1=s-umXeVFfjf+vcDNwdqSpGB?w!c?9tJGAviz z^QuB`#C3)DPxGVp%>&Whtx_;v++bd`v=z{kCXt=_AcuNvMJgrbXHpbu2|;IBxU~vF zs`0bFE7N)V9Z$xC|B`FftPoct)D8;fgS@UYS2){yHMFwLLgb|jw7*3bi7<6<94hxk zVW-$_zbn8CaVFKtJK1m9;}f2cg)_3E#tUU2axsOs96I<*$%*}PV5Kf*`N8t#rNU93 z`r>7fy8^Y*foY}O%pVZ|IAPUZTF5TJR`|ZshqFh4j2HSMv=`brIq{b|SH9&Tpd`bs zPWN)F=1iQ{DO`-U(`Ta~a^M^6h-?7$c-R1va!2uZ?dAPb{Hjgh!{%uJUzwBLF3Prs zf0TEY@6;;w@8wh%x|Q3fLKQ1#X?CL|zAqR|zj~2SZ1k;e)z%v>ahknl^V*Q5DoBp+ z>w-!7^>)naSO$bCs~uA}XC=cLr*Zh5PAcSE@1&80r!ztl$v?tnjcv{F9U>r<Dxhv; zNF~VH6P}@dmyLZtE>|-)@?r*JtOZ}XUY8$j^$(A&ZtKVwzs5;kj{|$6yt6wW$;rcy z(#Eo`Wu-J#NU2Bvj{h{D&MlYf=gK^!cYt%cdyQJ^Z44H=*}jczNL=Cb!U*lt`bPp6 zeq?N*5Xppa)0Wi_ySmnUb(?ObUoh4bG8R3?90zBU#z98oq=7OvfELZEKs+59gcC;P z!$JWoq!2A22SxFil7%gFRvx)kh`GDRlGoIvg(>6ZwqB{QtQH;`bl0uAvBR24ER$Zc zW4@bq!unLMN)~rJM}wQ3HoEr6OOW^2?aX~Y`~Y=c*%9{Y`fk^xT2qn@Rf8J9nuI6e zoTnH1>+LJk-l_+qn@jN7_1LY>J@zLfy}xevB;!5Zw*$^xwhV;(%S%gE8z9!c;5848 z<)QP+J={1XN{C}N7JK(wvoe+|ZQ)CGRh8d#2V_mMS&HsI`jSv?3%4*T0@st)O;Nkv zCbw%p+H$Voh02kzj1a8W)oo9!@;qYE@9GM~XAKeC6*6!d>2_SuO)%T%fNi$<f~|=a zf8G{qx5e$ud)DWmy9`xf5es~$U#8Q1zB0PnGlK@vYy16JG;DQe4!+%Q<e;2E8|QbR zOYxRA;N%iTDQLz~Ard9!9a7kNvy{d4vb7I;t<UG-Jz4wBzr(C167DJXgmf9WouJ=Z zdWJL4Zq!Tx2!ildQ`L4L!t=S-^tq-(NR=SZ(-#{K)VOs-u?*~z8j_|z7cM$iMKEUn ziVqzt$u9!y&qrP9Thi+TOkiiDsg1}m0FIIF5;;+*uknTd&C|#<bRvlU-2WonESgXS zz*UqhE{lG9_02L-P1@2gXGaMQ2^-FH3w^ITf@h;Q(-vAreK+|QSX-0*#=!-1N;g_C zFSiVsIbi&@nv1nGY7XY^xqGIpkAF}xl(V*lm<3$(KQC@UHg=SS@ZB{`HBs+=S$qyA zIrNK^ovan?To!wSi;JwOvL~GHu&Z~x<sP1`Qqg%{j=_>YN~JdB!7S>x+hZktv@dwQ z%!KYj@<o57@*rdCvffQX%2;)tSMu{lmMLFEH%+?n#Nx1%H<P5lkHcxC5bQTAZ??ET zBO|@i?D&eCHtZ|utZ`jTVgC$iFY@^}wGwZD<Us__3OnGg^F12BT=Rsa;sn|*uR4h9 z(8&NiZ!K{I;{z(AR{1rIM0HcNJ~A@IpuPunu!}7Za{EHV%f`{~@VvR1YfiI-oNB7j zmO8`HH=a4S(0n1y1Z^PZgzW=<y?$=)IlhOuFwn1v{z)?cnfTk8lJ8M>vlH`1*}|g~ zU6>`UCr|i9sO?e?r<N4I&Yc62Z%^3tr{oP~v3Z`j@G?u$7)<s7J(;2?!gOlDv%NHW z40Y9>MO#em+els@wqEcF^?K_*yYG*2y5HjKQ9hd{;rVYje#TFWayN^VZ-kUC>*#lC zX>-*7h(pQgIHuh*-o8n@H6H;hwMK>Y7O%dVzRX{Y{rk>F#nBey6?lME+oSKmiqIY> zVf_1q2mn}M%ZKc6cAA2(k1%AV0egh9fXhJ|AEpt(h#2##s1$@Gxvi$`s^5eMvbd}) zwwg=yulB9P7Yl6e0bh6sLp``~h@-7Z4nxH@5(ye|O*%#I4tmR>cZ6&`cVg==-TB*< zfS!KdyJla&Br+RLSDdTnXl~HJQ~f?Wdr?adywO+EUyod8jF!>%Ea)Sgs>$CbdFh%e z)et2Dc;M!+yFM$HlRfjmg`DRi<~h0vqBJD!l;HJ=eaZoHlAYo!bX|iK18+jNwyU#y zB9m*Mg;cvAjoNOqp^@Sq(FIAeVbfvokIo(63A5$P_`G72BwFcTK?nM`Hy1caO%;wl zJ|ak5Ta&`3X3hyL2ygNKQHs2#2)6S7j1xTN3Iaieoj;XgAlrur8%GR720iEH1;ZF6 z(jg2#*1n0Cot>FeXnI=t;f`47x*&~ZYTy<JR)ljM`lMOhr`;fRjjvn`0R0HlgLbHM zJRbNFZG3jfpLT_zPj+2B7*_!G|M>zuuudy6!@rRLaHTUde(q#3a<gpQ&#)je+&X{i z%^^f%ULWT{o2tn+i_$+qZS(tqYqN@Omwh;~8OY?jamW-{@4~(0R6VHcZ<18WWAknT z<rn(h-L~yBB*cK2<KGW=dd24E#b)-pEWNMGZv$|rmaFE>WysmRx~4Gt7Ogp?aeWH* zB9xod2D`a?jV++uSq%Z*ts0<5ZBr+T3v6Wja-J=E$}u5A1<ruuIGLgj`~_rf^mn+D zP^Vm;6y>sQV%8+dEPbA^kKITJqv}PDqhg|X%~)to>xOZQq%GzTAXa^~QoEG=BX`c8 zXcflgMsoj8Lioa&1rypiDmtrj<T@^99cr4sqP>CA47!H#@)l@=?!rzZ#*}?dz_^3t ze4?R$JEiK>vfnF{3wE>>>J$V#P4x84j9}L2$fLCda=iZ_by0SUkCi~YUyL^>w}-~x zp4jf{I-v8kWtTVVpVEMX-X?pi(2A%D>P(+o!J+WXDW3}JH!t+c4nu|!cr27h8TlZ} z6s4hgNi7|1icxLbD>ruwim@1sUk=DI6i%`u4tMW0eO~RECNLXKwARZTG)e#Fya>Y2 z=<l@mg}Bn-9?Zcp$P9`QZC@LEX;u8$?cdfBPkbbZ+p)!DvXX9|=4Jddt3t%*HcbMD zRA^^$z4!;YcU#y_cQ;2uV*J&yM^oVGHo#}=;S`09RCiA#%S`{i?S0%vNeY=%_n+jb zSmY8o)D*Ge+8^4^yc6K({dXs!G{=U_7fOPOsPBJ#pn!E<(xP^UJM9wi8`D;DDTUPx z;#!H-W!X4yAM2z(mobtsXaD{>BQY&wPmC9ZFCqW&Sw*_Qw<nIMcaph4--I%cyp$t& zf#aOhmFcYcDxuHv1?*^%rjPrlVK{(CkPE66_DhJ*;hJ{lf!XQ$Y4H&zTsb05D8riP zr%Ms&Dy2!a^}XoqYZo|`v|W;{IV$|vShL{%-CS|Ncr}>x378r24msrBaG#Ca&9XuL zV0OY>WnSx0%;bL3fz@h6BZJSK=W_!2ELXeQqY2Yx(BZUnFiTb<fM9uq-=#*9hWHX5 z7w@rED^gh&5|mnKk0dZF;x+QjZ6>nr1Hp_X*P&q2mEwv{Hw6&co)kF4`|JCzywuG* zH6lwGxplaUeEj)n|BED+yqU`g$v-Lt#<s|7Ju7{hSbeBMVPp912`ta)0+Wq&Ymglw zRr%coLj=Ai1*+%Y*T*?8&S81WyE85o3U9_8aGJn=lnNyCrNSQ<VdRp3Z7IZzl-MP> zQVrD3d7MSQ<q5(kVjJI4S9j*}ghvd&3MS+I^w`WQd>mUOt*`v^S^FfDsfY~KZt5+( z-l5@lNnz04kN%5kVJ~fN5_b!TW5ElGv@Outz|-Y-)!FqrV9OzU(Tl~<p{u?uSgEaa zL3>PAnBqSc<jqv&g$5xmhuYPZ*GYG>Py1=8mSUvZ+aIP0pqva%D?_4|JO&b%MhHzI z`sf!=6&9YPMICwmg@GL><Mza|`*T@YYNSD4kAyK19lZo;EW5GAW?Vy_U)PTl;eJ=u zuehn&pLgg&5(ktTo~F3XA@9w~xVly7Ap!?cLFQu0B^A8`&zX=+HGJ29n&fHZCDEL4 zWF)vrg#(h65a^B<*<s_vFzRu&w;bA`DtY95{3ebTeJncb<}djjU|rpJzfPJaxO%#a zD(LQmAIyyer+zdV-uRs)$I_^h6(J}@V(9%;?D!RBJFFB_Qe=uer0GlE2h^Tz78)NZ zYn;O2Wuhlqww(X^L(%1x71M?en=NCcC2^$c);MBjeqH%-n1Pg*mI@31pnGTY726IV zFSz`R>X<Z|sc*)QKK<Hq^5vOmsa|av3OtcDm17UtA=Vw9czr5k_TR}9E@TiV)Gb+d zz<|vuoG4cjVc5^vuIOE_kKlhz%|ccIyKU+vvG0%>2Ff)K??@yfA}O<nxW-`TZtem{ z-^1Nz@;q@1=?etw1o>E6bQgEi)w-jknUaH-r{#F~;BIQ$$+9xneE&c5(LXXI&Ee-2 zTkcaP%43#zDdbPl>tFs2{rjKsdx4sQr*2HacSr!iH8+JI5>2nS@-smUAF_-U;C%sa zafUZXqZ+Nwbf##kzbHZA#jr{R?V{^SjI<6x5^uBoBJa%FuaJ=ki~KRk#=Q51b7>Q- zKp2of|8dhW0|#P_?+TNf$O5h}1?-<z+)~H1tL0AiWK(wM<`a6qH_&cZxNRbbFQ?b^ z3t!dAh}r=Qu^JM_ys6u5;nb}HDv`W|?zn!QB=|jA0AIM>PaNd7kHf!7Ik*=pxX2wA zP6E1LvGaob3_3-Udk+JnUY)GM9XH`P6w>@ddd+L_gHf=SHuc+C5lp1bU0$P)r_#j* zf*_0HLN#qX&|3M0w?D->%qd9;=+-#cF;;NV2)OqHwkf(rUoi+gL_e57`zEx7Tvr$F zD%(iyo|^3|s=sG$klL8Z4Q<soqeq{TFoFGVT{IsZaAa4)iver3mG+ps*5BNm3c=77 zXjdHXS!+{G$HhNy@^cYKd{v_+%EuKO|E1Uvyi%FA*VtmWUJ6g#xVE)b$IfJ1XdY<! z%olJ`7JCMbi7{)}nCW#i3X({e^t*9@d+s4(l8b%I<Mv~j5{5_^drxr+1VUdvn%d@Q zUi{2<{Tz6`BP;UQX%~)z+{_Md--oVt{lS!kXwzJuF1uxbs^D8j-oJQ#Bq1p(3cbeK zo`AurWs!Og!|b-tNms!Jf>SDrm5nJ$;nLRVRPVH3!h$#FqLDwHz+VgAIr6~ur@9qf z#|eukZhJ_wp0=v*xUQ2i1U2SYRDGtLx)cOI;VV2F>(21t_NN5t6Uhj2n8M)^q>(c$ z0HI)&t}jpih%b?ZmPPK<SFn9b;H?#9Utz$-_gDSzm7*AmNb|#SgUv_eKNBcA=wp7~ zQsW25V2Zi2n8h7Ip7>g39&#&XieIs8#waW9Gxx^ak14ntwx;Ge0&YJ(1|Zq0lEjG~ zsSYVn8if3w5<_k^4a8@A{#VGM#9BJ^uCR!NjL)UAUk&;!V(NRbF*9EWZy4rVH21Kq z{{&!&HBlz(8tT8g?OUT{ZkH(_N9aQg%7^q#Y*dx!m=@gb;T>#BzCALc#%mQFM*roA z`tG>?Z5{NP+Q4L#*q<EbD;BpfZ_K|YYh({#Y5$R75XS(H?Nchp*<<CZVaXXOiOEaO z+t=E~><&?CymxmFh81q_FkBAL0s+C71R3S$ae>O{SfyS{lx;_<ZQor^xnVUdc?2_Z z9)7Du`8&-A&s=Clkk2qyz5qNuc?18L;2MF2>{`Fd2o{#YtN)48e*$kJ4WY_t4b8mV zUF;7J?f^VPo#S%E@JYGHjL`A+LH9j+wZV(@Kuj1hE9{xBeEV>Seg~Zi+6a>c|8CyF zmZPZB$5?+qW%;S!;iy4z#KGej95}8KDct3k8!5gC7AJ_0cR*@5tRJ6Xa?X!N5oxdh z?D#Ns0(cr4M4Mc0N;t{frA2n+uW`yU2d|B=C-Vt?XA5p`FTjE6wk8w-M;b45g!ct$ z`GhpKzx+?#S{H#W&^^MeRb|JK1jY6f&Z*6boXjomL_DM1$ML44y({+aXdv(!88)1v zG5=w$Y2%;_xD+8L%JZ<_{!=Ru=sJ-jAasrTw?(tYhbA8JPGN1J@;EjdjNZ|az1%Lt zwfMzc<n3*U|9Y9o^ynN|%R5gfC;Q^Fe_*fCWacxHnr{BI^1dFNqtJH_p#`6lwLRmM z!Z&TXG;-L1d}BZA#zw6*)EF9={1g`lqf>w$=JiwED`n}aJOC<E=gtzxm?0bfQN8B1 zwpby3fsfVa7kCBPfO6(biq3Hz95SsBtlg$$Pu~uN@(-1vpQ2U`!k{gY@p3bd#^6sw z3@-U&JO*0iUEn$g)QpG;DL>g+(jQyq#vmS~x#7}$<u6)0TJxEfL9%1++lNFN;?@)t zOU{+U><|zQ<Y9~}gZ@$&|1(KkZy?pNZ$~}*0ZC8hB<WD_qdUrW2BOapHOApKY{Sqy zajz!&mD1SOwm0X-OkoIc=#FB!oLfdEOF`ajQ6K2}!u0w)dUSnRg_Q}l3q{pVK~|;5 z5w?VDdDl2Rdtip0j&3Slkkad}jeCci>x>*8m;L)XyA(RyEgpbg2ka!V$jWs%^bWCu zJJRU#QX5et{kBvwNx6V(-7|pV-CBJug&i7$Zue*-o+AYGAFG^|hs4E`wksHWCl)W@ zA!JU#^T;NJ_Q`13@h7Rh%X2XVx>i*0lRyX;T=WyXEWuL$#7veQ(l{d|01U4j$`j@G zlggR868hg}^7Sg*@}CF9Z-D$;Qb`m)XTnsXX~O!$L?*I?*nGdfttU`~DXEFaxLnAz zf!3|ud6%E!`hl=Qd!yiwp(<uc$x?7s&{Xn^#w&0&b{G7MdqXbx4Koj5BX}zGY~1iZ zy1x*fDt`Wxfr~WVJ5HAEbAYm+djb*{j#%xpIXT7KBzN1Doze}kb*mgtT4yVQR7)hU z>nVtGYyCDMK+Hbb8K*O@ce@sLPudp*iRilbx*It(4T7$3d?xn^mJB{8jC2WRdb^Vz z4W{`jfP~01$Ild4+&drrDM{sOYk5A^3|KmwyQOY`#XZk|20h#n-=8TXBkB_`)yUl8 zR)l6kyT}=G^)~%+Dpg}c4lmoadtfy#gUjN>w_NUb;B%q(;G}Q){8-#D%+|F9-LZX8 zXQrBGm&=~6$m{R&n>9N~B&!!dYn0cnIi~#{kzO}sSdB&LcUP!b2EX5jLuHC+n18HQ zno|vwZ2&dP3wXB`bdKYjf!up`Rf|TkglSRo&Yyb&VQVYw50FFrz4pW(3kIr!h%fZc zl(0FsY>*O$Z;GN9uRDLQL7#D9h9j3tS9B;<k}(hfG+VR%{Pl13R<_T1oJZXeNlzj2 zu<bCVNRysk!r@9cY@@+n3;m^ciwvqJwmH$XAQ{S3NUK`)e?7^s+m+MqJ*1U{-TnQF zmUErkGU|rMdAoIZ-J*m>duKCqGxijq?SXtOU)0Gz@=EpvL!yPy!4tVrXvK<*q;>0T zO|G$Zyk~q?CqUBy9KbD6Aoxan`v?$(M#(X098S$LLC_*2MWNF1jF$)Y50WR&UQj_o z4!8-X{DdNGt_um3G4D?`8{c{v13!}K?y<xl%D8$-oBWm*V=J;n{e%v=FaK^^zj$Bn zKdOCQ8zf~zK+@tOQ*eK>%kTKiI0fl8f7^7W&&pQ}Bb4a8H<nkAfA0&gO@DS^yYv<b z=!&I;+}CN#*I6mqV0BM)sCAkfZ?Xg1@t+|3b-wpL(B4SW*8Z#Q3zP#{yiw+`c?C0& z_A%x}bN+A^&hn0U9otCuxZZ#-PnF}Th1jkYW)&#n(^q?Y=WP%~m|1*qp1mhDS`h8_ ze_8<4Djx`bro5Sy%fpPVBQgUJdEfKcd<|PZvCT^ynePc~Jv>3-vu3bMj{NxF;eaK5 zVEs3r{#3R7E02e8jEK$w7#L|bTVM?+$>`0Mo<=YAX)gb5*Brh0esaV|)7#s=qN=EW zi$opK4s<vmd=i12(HxlJr-!_QNhzLdp7<Cc8Nu|HcP?!ewNE4|h}Xhea$VnCh7Eum zIkthL#rNz0Aie8m32r4U_KiDj#H0Tdy0>{~pAQ9?7IK9H-JbwfNgc3{g=U+f(x;(l z2=eVWNImfCJYUQa-PFhd5?n=Ig+C4jPbUGl`|_b!IB&bIvFW>!JYGG^CD*{m;;r56 zgjX@QCvoU0I$OZP4arzYWkh@1QbXp*d=f-=(evpC0G~t3J9`}uAzYk&<T9cUr{Y5L z8y-h3WTQ67ycN%7;9YI8i{@Cj0@+JNRBY+4&quq~KFsylKYWT?6Z?pz(+^-|CNPLK zHRndJKhSV_4|5`Aw6`dTOU`CX$^Dwo%Il|78FzzBKip*u(ipcdbFaJ5hmyQEKwjg& zfMYZc^z-TIp4df4e(Kyuq3Y#S<#2$GH+dfPYE3%|P+Sy<4+M`u)kiZMM#l%GDy}!W z`U`Nzcx9E#k`R+!(g2zd5Bi<%7^d4SkR!G3@8IB`4_k$Qpr8S@UB?pFUp<o#Z?K<^ z@pXS1iY|5r?gO#@eRYNo_rO41Vdli-v`+!*Th+mbg{`EX=XEj#|A`+wyXF8-4EW4` zUdYSxdZ(vBoG0I4w}!OK9?!ir9<MCbo9Bim9_f$EQcd|qez!8SNrPZIl2pi&Y^kd; zn9L#oA)jwd-1=>cfd>nFOVnZ&#rr$=vAm>4fpqD6+Fn{h=4Gcre190lj*AUM4~69S zHal;sJ&6F7TCfUnY#)Z--XK|6&tQzYJvrbjY0u-#)pgKRyqQVE=e@|_ENWalfreLe z;(;A}I1gtl`gttx`w#BKQQ*nl(&$9@BhtO$Kz~2xxEw<^#1fG^IDls*w&kP&P`32( zLA*`qftCLNur~E7-1|GyK=?~Dgjn7Osl<sAcDHr6*wd~jCeqzRLZE259FrtmdCx3e zsey1m{_yofeZDGfsytHu8rIT7IQ^3m!y6&uH?>e0k&S79uMsey%*~4NiuKzmarazM zQyqaj`*H%6!<odj7rOZZ_XNGYdcH*j_W1~e2i-4EZ$C}H60y%I)t`4a>vvi(x9Bbv z!PXzmpY9$yu(FvfD9*WE2}B-V9rbS`kHTzzux~suGePNZS^>c5uW7tTf18q{r9Y`d zX8ScWY%s4s3btgf0MiTLf9-TaML)E{&$v3yiW45Qrw+e@`MR#RS1E4)EW)xTKsFK^ zeVk1j;|K`<t!`Idw4T(wKC6g*Ch1Gn=JJWbhkXK0vQ9b-6|cYj3?C*>l17Mwws-5Q z4wV6p5{C{Do;di)73WChjzou5Zs`4w`Sr)<*jxSuF*^yZ9QhA;OxpZ)sJm?@Nu|`8 z{cA86hZ^)2f#CV-x;-E`6#BGX*FN=zvi>v=+@&T#J=}PZ1Ar5@b$U>OA3yX!0f7Ex zN)W3UbinLaF!4t`_U;!`Ih^+9B$?w!pIdZXMy4Mz!*C~e<0u<jJae)y*^v?f0kyn# zuM(^_zD82ev1Q2e=-XX(e)jFifA^k}y=0_+VteEJreN_3!+vC4-4(w5oX`S#9elyR zqdsB>ZI?$W6)-^dhaELD9~Sk&oD0%-`4yFD#;@Mltp$aDxSrQ*{Sts`*4r#**>oYl z`pg^?@<P`Q5MU`Ik+KpgF}#}Um^SODbG!$qjrofYXe?&U6l&eipD6-v1p|*p0R8C{ z&%BqQzG?RnoZtxd^(Upk+`KRpz=Kci6);vWy$+qi?XJ_p7cHHctoB9j=NN9_wVbxn zji;@6#vA{_9OTabb26Wz*|KM;eH>v|K_TEv4#bS<V57t4%SMn9<mMXuNcnn?xmu{r z%zqVM=!G2NWY#><v)!|6@_F$hE#cKOHD<lg_(?Hz;zutY-u*$@q|;XQ#qwftVTVx0 zNp`}0M&wK2oh0c-dd<ATcr$>!EqIOJ+IpS`7o;1O=c#8aSWu5NOgckK=NKEtGaYWQ z#)pHR)$E!-X4)EA;%VX6{V{y-<7e5I-}0DA#bfz)lz9f=a(Mek3pQ`5wSdfB7p%${ zZ56H?-QhE|NyVB6X52R)iQr+-Rxtsdt9m7AD;e+0<|#n*o-d8%q)-RG(;F|8yflLs z?pq4C;9n5u(-=5HW}HS&c&vTJebJfb6fS;;GjWO5Lbp?9ayNj&q)q|J?2udSCVK_4 zR5iRJma3t<b{3NP0{3gGU_TB%geqYm2t@>$OUWILN>d%F*lFYS3&UNOxmjK(wh*)J z66K^^QyUA_UMcR$z*z;NK}XU-xt2WrNyCvKAsudfe~tXUiD?yZhYZRIgY4#Ph^uxU zTbPaG$eh*vtlP`0t5xJ{({qaH0hdlri#~%p$|+xPZ`!s}AHj9X#xSrf48oSkh_UDQ z{;`t_05h|`D^3vUbldM&BWNy}y_;qu^LgD3LnAO7=bwg$g->9eA|P}=5F>QmgJN54 zobXWPLR_FxF%#a#?FuPEcr<i0zpncY<QGX~Z_3-^^Q$YdY{A~zuZKZF38ruy;utkv zKY!%&sRc(SEE{^Fg$)0Ni(0G^yI$`*Fbrt&)vw>A@I@p;*&dY^cPb0wo=<QSq=BjA zs91P~oHIBoPi<%_rTJxNX7i}q=b|Bs(jSu%ta=B1Ri(sQEB}DFvzP1M?hjdc^EYqL zV}7@Y1Z>r0=LKyWWkX)Jr(0n58$gv=haGJio63`ZhLd*e$l?d4CkKM%bk)kJgiH^^ zz_I=0%T<Tlk<0a<TZOOrqbDzs%Kt<l*Io*{8QLuFU%12{X1!?qxxD^ZlKNql``Y-? z_cM#kF7i^=;5}6+6zBZVsvi%1uh!!^T}k<Kni9tSTxyD0qmL676SEvdTP8q}MQD3Y zj1%+99*NhIybv&H5G7_oonWhFo9QKk|HfryW;R+=DVa?Gd_i&*O$~latC3$^lng*T zqH|7Rmgx*<`0kzO;h4YIfz6NGUxjI%Wq=>$p+Kd}MV1(*$wPv`R<Zc&VbYjG8)j%L zz0p9LFXNOT>v**&n>BFd=)??S3TD^9AZLL#9ZhPvDg$xIXR~iWNuSb0Gf^#(V#EgC z&F866mY@nSQwHtx{;*;a6Zh~KGSMp6S#KX7)LVr2FJVzUE1D0yFg`EOCEeb=qq$Xa zU%=TO>yEDoD16v3oD;{T6EB#1q1XnbTkl>;R$ehKzx8-v^x$Yr5cvx&1R4GgAYXo| zt;?zF%zOXjy?-jdAP8hI3{<S4ms1ve@dPV_{^j14<-M+q?x}%Z-AGX0aZp5x9lyqp zB^_DHU1VM8)zaWHU(2Cd^KYKd_WYV<(4Q9hw>%RPF~+puygq0Epqs-&v&XIrnzi-u z&Fb62^*X#+-**%hzziw4qS1ck?ATUH)DuGJn}h2{l-2mTH$!+lq%O5-Yg@OD8taZ% z*pR5lhu`oA&&|>gx0K@}pXWvC*>8uyxwdht`Y6>ovu0hIMHp#VsxnxyjEmd=k3B2! z_Gno3ML+Pd#Nx8&g^q4S&I^>><>mTBwdEsCf#*)4tr%qVNq@{};#r#MA-ur4CrY`r z)hZ{wnzYZc1M~h-14JWntKb*m8?-NX`}1e6elXgd5_~LS-zN>OaBx6$g;e2!gW<l% zuo=x3Wv@HMEH(vUY0n8`Q1S0B3|~JoZq?~EyVuJ6e48#j*>5vz@)QPG!uZ_HwBEyy zHtJMVnz-bQ*xwFR*j7^XJ+--F#BIb@wG5&SVR9=EFkQKj)+SqpxT9YwKpQUiBTZQ> zg#^2d9tcl2BAhpNE`fy3M3GL#ib_)-J#siiV^cQz=iZkOaR{YUMQ}Sdz51A$Jjo+m zWz{<}Lm~1OoR)M0iTq9<!iWJpI5haU$fJj)B<7poWpd(gBsz-LZ^%v`qn4ir+m`6H z2gm94*15b94p|vyZZ&G|33>#!wAm=;ih?T!+mq3u#(3Uv(kcigND|T{YLRXLqk_4} zbSJ7sS0%@GDGIlu7q`2gRC85d$1Tm{VWt%%d2Q)2d2ad0=!zk?1)`L_O-h0%$&n}E zp<_GE)=2bT_wrMgmq%dM4Q@s$I#sQCt23%TM~kF|4+t^z-OsCULnHd36Jxpo9R@d^ z!)8ElM~*!;ZQX&Z$nuwfIg|@JhXm`qH`2T;*)Z%hcp)~svBOVj)Af73aR&pwh_?}O zCASol24DuJTaU8T{)5%-0q+3*0tBYeFPfaGL1?i_3A4U`*(u{*EsFh&DL&$n?NieT zt{lXF=Q`pt(HpwE^wyr(uPJtJBYtab0jiv+iQJ?)q~?)r+aCo|fuLm46h!V<cy!C^ zJCq9B<uUS!sAOI?dqF4V$=VQaj?IKe9i-i17y?FIep(0bz@k8zW+=t|b2|m?Shp^W z`(iv2gc%R!T~;tlp`fND4$$;}JWk#%{;VCyN_ms_5%D5`GegTi9%O#moEp@ND=#D? zV>r&EQPs8l#U4xiVzzlpf=HYI8WAV2yT}p8eQwHqC5$YVPJf(qTn|6VyBoqGj}=1L z{eI^c3;LM11MYsGND~o*FL!Y{vv{4;2h5>1N@j9Z8*$9xaB~U{ZI=&Sx&pPN6mwx` z=BtbH%h_j1$^NE|<O;Ral<I!Ymlevox5t~5?)~X8BRcD14d`FRN79u(;e$iZ1e6LE z(xr2fr8%&|5Q;WwMGH?(t_8t3V!i}4O#*DjQ?KEk6T@F(?ir%1Kbl)l5wS_4?jt>( zu*nG~$Zq@#;yf^>4PMmHGVQCrq2CY)94;ESa*~&qV*B_j!noWy5(PU{-t^7Q{a%#} zB{xq=a!BpTmnrdk=FM_#`EDH_qEmU}?>zp@(yT1<C&5O3cR7}3Vi834UMhd=f@16+ z`|fVCpV1j%N{q-<Sa>r)^+Ndc`yui(B}4A&sz$r%{%EYsR?Po<7QT3-x4*dTo}<!; zZ^uH*-DrGJKWv<E<z&?pJ$(+F^cqs469Csm9yXJGYI(-faHGk28$ma(4J9-%*dnla zk2_?a5w)sE=G|OOgY%^wM?iIRakL8$B|-S|F}l$K7xrjh$cK=#!j`eZtHhHxkdh%{ zYQssq%{WoK#UrXL)sp|#M9pVQv>Gyc;&GvQ*CfA$c;I?hMCFE5vzJdkOlZOt2(vn3 z?0-hcT6U~z!553`nWFnpBeUrm^}O-`H@Fw02sD2kU5-;Da1mUH6Uz4~K5ZRy?}6oQ zNQWw#3C|4#a5b4}gKQtKO5Yc*?7BVXk9Y$PmZ8T2|I-4#A3j;obShkh6nvloGaYPF z)!qSIO!qfI^0#551B+~j#He>HNH(~0*yON4I;s54p39uHx7t@jNbER}z)C51i^WSA zq)toak3R0hY+ti8>+SL(coOsgTa*-0Oui8VI#oT)7fNawytkD8BvgK5aq6d%>@{wT zCV7q)%5&MMoLNv-D7Eo^Sn8@$#qcSGfq!N5gH(2omvcsEGd#ZzGIp2^zKI`HsA;~a zSO?^8HJUh-s}MVbCRc#@WA*!zKc(Cs>x%rGzheI_bR#WGA){98sZIrn%l+=G($W`r zD|wdR<J=i_?01mZKbx0@#g3I<U-nK2wz0H<Zgv(s&by-W0smkoJq}rkNODt-^XrV? z)+|(3GmCNI(SGUT8d^WIn$OgMeoA`-K_)f%RtG#4sQ=1qqe@R!W^9QIejar8&!?S; zBL%X*;|4E>_AUST)@+L5OL{#g+T959b<HA%wxx40*A?Dt`Tfdw(C~2-h?G)af2ZKD z_x+7`Y-^eWtQU_#Z}^wbL#b{KH;O4SQ~lJEz@0*^b1Dey#YmiQr_E@X*B{Bt1x*<# zfD{H<G(w6re~XEs&oSYT&E8SCoswVZX4S;a%#Qsm+@1EdXq2lrA5+7`(2n~OVl9RE zb;(s?BO=aN?R=vx<9+!UgQt`Ue#9X{Hymtvs_AaTV28_L=Bd2o6sm?;JN_lQ`h$j1 zhjEXIB&!zT@ZIp6uqZdacWvz8!ZiF#QPlb8FjR#Zob3FvqnJhjxqmLkV03TvFcr-k zmC92#F6srG4%;r-S=*GTYA__hF;LKF7tJTu<ll2_h&jrN5P6f&ui#Y|Ym89(Jhx3U zvpYP-323}P;vF1uG@Hx2hJG#vUKyl04T1}>JbiM-o)gga!oTF~MDe_$zhJBwrGWGn z#K@iT*`PS!LBB5o{!1@IkCzEAmTm_mZlrwN<2W_%S(FnF2?Hkj=LU{w14=q*NXEf* zWZsbscJWaaZ2b8@!d53B;q=f+-nG0!hIe-h;vl{1$1pEOnV)b!zF)(+ue%Cy9uYB* zEx!8?6CLW?W#)d7)F#T%B;{3v^46jQ+bn)(&i}jh^0KPd(Qw=<GiuQ#eA_u7dnTW0 zpShqxo`3dw2)xso-^j17lGUR~JBu>AJn+6syL;oYOH}CJJ~Gv-mM%nnHioJ$IbUox z|89q8##gAz#(^7N9DKiPMX#3GCNS*|pmr0(NL<l2#s>Lui*f`#g{=UdADG5M-;Zvr z00gXuaV5m0FX(DPwjX`~v!Ans$^$jJK6SlrE9ivFX)~Wl&~QL^uM$Xh7Pg4pX<I!) zGU<M~m<i`>q<rmrt`D}K0%>_agmwb+xB<Bo-*KLQcvmyBek41=ew^I?muo=1Q4y-d z>zpQDO;mt3l@r%=M6J<`xBalLLQN{*2Pyb`>h%KO>p)<}lIxWes4SB!SGYe;!=;9V zjqG-3|C({en~YjS=Ej%HD10<8czM8>C`wl0N<h#qp84AF%&9NnYeudun9xSx){FP= zWH-PkZMXj_dM^;+R|7&*j|<PDkkDEas#j)x@b4r;{tj@f6Iu$OgF5u`ctp3$<D5zz zq`iL9!Ssn~xzJ+#>!&LIFY~y^@fB<7@Euy?X&0_YO;^+!R#UER;7%()>zcZHY^8E9 zLq8amt}D8H-A~=Hyoa{d3KBXMN~1|-?`igJ-CWmmvbi?A8H$974a?S$ut&0<n4XR0 zvt;~MBp;H{>ki<t`R=(jn7k|8h?)E>92G_){l`!PhWKLbG<JvXH0=IsO-+(PU?hMv z5lUqo{EbRta>(5T*+0HBV?(h1fW*n;+>^<=xIq2<OHBt0CEl&oLhD8n?;RpFL10HA z@@UnA{XY<OYQL>-v_Dg@Kd=3@S1au*3t|b31XFjp)O-MjB|i}ZVj}YFOkd6<lMU-N zU;dy)`FOqmn^9bsv8!|PJEbB(o`6P^4WSi9#kM;}?ka8itjTH^LERh^q=Lb(M>Wt~ zfqu{-p6h#SqKEant;dVQTLtU0MNRcvWbc1C(N5Ec-b@#sTb<H{U>fY@UaE^vxKn2` z8DbqKy5ryF-TmN|uu!C9la%T4`=o-svn$DxZR3orI9$ur#5VFPS6Q_|j+L+cG%7Z@ z6OSirGVB{95v|1L0poTYRyn`_I5Gi>pS8SGMMOnA;#Eoy6uTyH;MnwyId*&R5*91> zTVJ(Lze?DCL9ohtqCgIuAC^COpftY9RhUPlZR1W0%HE>(!ISKX%BnT?_H1DDw_ZnU zojCmQ>-|xw)M#d<Jl}uGT=g*Q{JYWJx4IAf{-o^Z?YP`C#}h<N@`qiYr)s|`>D$K= zv%Kf!typU#uFNt#mK6KFsC{XBt)}ZNfw=KHyy3bep(6B0VCKbG@jCe)L4Acs@@uiN zM92~B=$7B0G1DqoF8OJqUlR=O(oU1n<{5;W;o9x>w8dgq-at*PyX_D{xQ>Kh9i3<Z zdh$#(pLn7b%%?>YfoB{VBy~fM)cAX!%=Sc~^waKs6oRW*VX769RK)}hlz15}&p%5~ zlDgK`<@dShEMYQaN%3JN=m(L8c4;^Ec&RZkq!BU)nl!Tb+jUqjc<MbUtalf?KKx68 z{%d;+5I&lTdyRisIqL~9og#4*w0J#-Rc{(Hm3RuoKg{`Lkpj$we`+$B?TF`}4S4s` zaGECa`CKnieD~K~LbwO8Ki~#mg9|ZCByE)O!t(N+r*jq#rA7;O_@n4EkF79EidAOj z;Li1d!$n=`%N_03({$C7<8<8N3r?-4*`B5<yGd{+$)tzS$R&$s(>XFLf~WXHZ${E? zgPBgeCxzX|J;8qhCMU6v-MdIhFXX8;291UF-{uc@MpsE@ZI`Ay%ZqQ@vqpM6MDt_v z&%mQqD%VNgGhToqO3<EX!~q?tIr6&kklpd$A&dMN78|k0fj0iPB^pOKgHD(|nO_`^ z!3LbqDTv3|Vb}!9k-)YK7KGbO=x0braF?gsE@$v3x`cPeg!5PSA{sl?WH<V2DP4Co z4IO+E8*#t2p50V2bcPIo@`H9ZV9dAQFjnJoQK0ITAtF_|ni>?1|7qSwErw7CiWBe2 zB`u3yGQJ$~=-uOT-730H#N^F|H(%-1KvBZxMB6&T`)2)6W<GpGcUA~ixN#jw4li@( zC#4NRoNlr1oQI-5pYYU$vtCzB_y@5ynU;w-*|PHx4sTeX7`uh+9d5x_DEYEqB1yvE zeNPDpJtLyPg1g9E))ppGn}_3Au4|94loqbz*rsbiD=5^cX@>g5zvC|pguYrYKpz*d zAQ;T)gUhvsw-5djQOL-PO9zs{>JMY+Yph6zfWw}ZS^YkK=}N1UuVllCWk$<CG~>@? zZv}-<>Q@jp$!*Bf{`M(vUUMMo{)vdmAKUr}zpCUpVdsi0VVd7KDZ5u(mqvnIpcP)N z;E4^p!#NZQku@M31aPx%rricju@GN&1Jd?RJEiZV_k|<&lRWsIVKUSxp!i=WQ%M;; zvxym^mYf|5u$FJ*%|rIWv0DZVdg{sVF$9A&dD?JlH0rv#4sV`^OO^J>FgvFC^uBsI z7EBWq){q%UNx*_lpvDAofhuI)-z5|U)_z@j5Ycf)pUR^=ASn{#NKzwDmbL3<et)rJ zvt7F4UFgUBW{6Y2YXi1@+@}-R`N*Sx$q>e8_TFe`mQ)&R=`7wMM9c0iK7viF;h&D; z&ezaYJ*v_!B2Solq`efk-*`q5OYP(~!=pGGr*cQ~*yd%snf2F#R-&;p+t)Psw<uI7 zSJ7;*s)K$LS_vHn1H0YF%{}gXyuNyzBAm&qXQ$i1Xu`Z#Rp3LpI~p?$#USYr8f<~s zj;;8sGfk>ogZ7cVT`9SD_!nYNkh&eu2v=JMn0|Nmd%OJo3|SM%Ea{psj@lAgJ)fJg zgQg#2Wr2mZz>mBHA$&$@0oE4bPO(vcZNm4ay8>eHSYyBA#{qGk4ixZ$XOes)=R{po zI@)VRIvyr@)5>-nFGIC2bRUB-CPWjfS3in8XH~3*q_m5_UaE!hu5rmW?>Mf`tK8mO zBy^5t6&=^~TtO8ap|&^>mH782w-EL{*J}OSQbnpupHz)94<QOYQdNOM--DGAwV<o> zVjSaO&@4)i|3p8hnzpvrq0HpqpOF(-Y5=EKc$+26X2+IYety}}z|Ke)`K4q4<yq*g zl5pSgB7->Ceijx=<88h=Lp=Un_xwou0_^p)jDna;oFP(s^%Yxt1yAbFz_8nnxkDOE zUOI%AcGhHhU_|IpO92%BJ?!ZvE;=YifCUWInLx6ZBg^`}*4lZ#k%Z4OtZZi$9`%20 zm31$V)2v%r|5BOFZ;0t^omDv5MZ`zzFt(^eV`7F?SBUIDA~7t$@fzDFp;Xksyz#oo zLxu_bkiMLiu8k?K^3plV#5}a(5?A+T7dY!fQ{(z2=mHko_*_?`?}11l?(bFHkksYZ z2R}4EE#Pu^+NdgEx!68p`UkW@1k7Q1x{4NPTlQXemAK~@(E~VoOlB!T+U@h(fkr&V zTf+*e1p6$>lHn5XQlaZN&7Bn@M~#Zs)Tw|vJ5mIbl9cR3H3BAb`>p-XcJ!2d)pv-- ze{3;O+6^-#--{AQNmHqQP;G*9kwl~UF@Vd;<XY12(e^^;M&lQ9f4MZzqZ}rgA&Y*# z<b!%ma;+JsB)O9F(u&)r&SM*6{&8Li$iRSuaFB<c*Tt{+&r$c(TSt4z=ofm55P{Ew z?9>83)e4W5+L9CcZR{W3%covc4)l#*8mGp(w@DBCYZ8jRYV-<>NQ#-u+3klsYqC^` zI!4o8G@b3DAA`$qhTG&dE~R;Gs`v0Q4(y$#n;N?VDK8q5K?D*2tpJaoN4_{fU^X=W z2>>2qmFQaIhWJbyWjyuyjZ6kYbF9QVK<j%h3=fe(wBl7gSbBiOygWyRBeVrMnSETm z=E&j&iX3V3awI(__Z}YnVs^iqzi)?KZRV0lL0#U#eGd(AX+coxdJYPot-{*`*_<}b zKk9>l+bG?uU0x*7r&&oIairXA@Fh&-2U5PAKj(iBg9`reH3nk`GGYr=g2v3Zxx+PE zvx>O%Tv*hfXLs?U2yx^}>_5`Hvnj!6dfSy{VmNeXyc@%_=|RVYKhf1%!*I06p0Pzf znD<@Db9wsnBcvTWmWbgRna;8D>D8%Wb4sqj92FKqoUIWfYd``E;0jaItfa3LAWa47 zmN+1lRL)F#Cr*_th@J|wc@mpO%v3Kl7R(4=N&2GEM!MD>S)0tD%+p(8W<Y$6<2jDL zkPgsx`KxJ7qP<CgK^AHOt!1KDD3o1K5YNLMvBAAyz06Z|0oNR_x$DIvHX-u|!4Xpm zsT=+e*Uoa4ZBZTCKS2T`^ARAC|7iiM1Jc$$QOZBe1sL;RCw&>>J-!?DAeX^=d?yTC z^;tZ6#cOCh#>>D(`2ey%;~ozBRA;j$g+!?N;#x)4ncOy2Q?!tXFe=5~>O~U`Q-pc6 zb%^}Dc@M*|5029b(Na)*l}Otg-#NZvEpmjHk2I@t&lkp;d{C!~$KbDv8tWpP-My7) z&$i-E!=c9yx9nj+i7N@yZ^sju?J6)WsmD}hkA<5I70wVPUUB&ArQv2&je%;v>tH)D z%yA#SQZY+lQt@wD#&?R8z(!QW9}vhS=Xu_$aeBBaQNU5D3o<Nox-Fjw<?Ib6PWZ_= zrge}0={Ns8w_bQbKFj>S);#{|=344Ef>mgkYAG~ds{~pPvb)joJ;~G7Ys-27=^T;q z1x~h)kiAOwHRuthm-HY<2TG=N;M3T}RM5(IMw^Sg5Zth|#r{}eW1v%Ki5g}dwr6s{ zdtax!+P!mJ{3y7OBR9ovZMYOZCL}k`afGY?F`+ZNihf#Mb<^8z-~QwvOWYT+jD)1( z`NX5T@}OE!=L?Pn9`1CYr~?y#FV^^9Q^ZIgx6Kl-pw+FwKYQ$I6MPk<FLak4e3YzA zN7X<~mtee9e=&k!B$_#1zA+1O5(Hy>b=49j?|$^mzB$Yk3OiL3e$#$|l_pyx%re`@ zoT{4dob?@n&OF@p?%!~?gTBUkBs^8!e9ZtaenhBTt-02G;5brfRDL3Pk7Edw0#S=x z-8uL|?I^B|Ud+1+dGjCTw0Cd64)qu5*pauML4G{s?{k1;qCC@SPdzj&ZC_A4;5f#z zt*EsFursw{@u=p$p8t(BXOqq^OYyYIH1b^n#;-dTB~o*zUmkfW{k?2#<wYiguYGZ? z&gIG^nzc*W%b_Yl_oq#6-%0X@O-6=8nV#fLM;cf1)EmZh+=R|!6{AfqLEcZY5t|FV z;lnL`xwV?y#pWm-y_!_o3ogN&MaJU^`|1601pU#{)N_q%e;2qn;Ti)&C~i6afKBmj zL+<VWdKJ>P$jc&maSSLg>dj-BC=BpP`U>vbvbb`Cu;59KhvzL~H@t#iR%auHY`+b? zffC0<$BmWtIUTb4iTO9P$NA{19)8OQ?%!#Hq~g5`l5%;5Z8Ii-O-?J_T+i288<`*c zy+cQWB*t`#xqV+zqW^xPIC3|W-@vZMkz>qgQ?aoqGGG&sE)c8P_-ivw>9<WGOJVJx zWw2|t0!x*<X<PNPoD|R-A5vtztCLdlr!6Zp;xRBHop_ypc;FaOd98T%Hqay><ROog zM!fp+(5~x({Pe*NVms^<8;UErMi=d|b4bu%y~fW3L16HQ_w{UHUb{eI3O<nS>nmB) zY1P^8J<2xFG~pG2d0LcOg-zr_J|g3QZ&o?bhjHA_l?%OcyIC_uktTvjjjwpN=kMn} zIkvcQX`&@4@!A@&58|39nO2HIsprz^E};A2W`W-XFGtTW`R97td?l?XiAR+4cuTKS zKCBz1BpD%{($J0hYS<w#Y=5MR4Iob`F5vP=Vj%seKxOyy4DeYz3-q@Ue33rgWQqbK z=92W2*}!6!YjQ;t1*cYa1&ouEcDfT6j+DhUqz=psRDKJ?Z)&iv2qMJF59P!nM?@XB zq#AM^&j;1)5WgGEl;UX1&g7aGa?~0Oea|XU@~iPJOjDqNg$YtN9F6gP`1=g5y&`(_ zCzY;b?f(PfKpnqFbhm_LGszfZ9+v^qoW1&74`z}LT|~erlyssFsk*IPXRhTWG2O+Q zw%C9oz<bzS>t3Q3Y2MprX~2;2hME6Opy?HWMnY@-ocQ`%sg!(Y#E3D^to%iMYe#aw zT2T>w|J+5>$0Wv{t|QJZfLzbv>s%4+Cy)^U6e+90Q3@i`5l@pjRv^cVqpxsEaoj%_ z?NicGg|6hOt`xFm1|I@*E_<ll_0`ErsS8D9Y;StdsQhb?sH%dOOlES64tFF{8rF`g ztkJv?{jj{gPUFo_nd@PmCN=|u_PQ{*i$HN!?$X_F9@H~&Z(RN8WaBvk?|x+7`~>s< zN#LL2n3vIIX%t!GU|0jcEBz$XAsq;&Pp?p#MpKG2e~(6h!Ei`pGDtgb&Re5bfD@G3 ztw`2x;XPly*-NK>#hc-4$)xx2nqS@e_DlC%l<^@yT~XnzKL4W=OY-VYcEq95m+PqN z&k|9)0%F$n1%0$RN<pMc?8}tMLQ!%V#QEsc#~wJWHzKLtRJL_<6M-3*f2$-G!{N$N zi<KzzP)d&l^@7*@s;T^|;iY)*aL{baOa%Osk*-pq7o!s^(k$SyRKFSlW>82s)N*E5 ziLMUrq8yl6zgtiS^B%uhqZd)^vXBNW7y(}QeSJ4AsYfWqicAKTF>pM(Mh*GC$D%fb zA)vXOWxPU0@tb8Kqde%L3M*>U1``4tpXe3PG=x_s>#HA1HdK8rmDEqJ`E`6FyFn)! zf7=8m%3G%&KVns3?Gd~#u5^^TPDIWi&6CErrKC-jtRE^RV0&HSOL+?b*_%GqPsOx< zVsDH9GqAvJI}QR17T;Y^6fNFI9CfiMwF`SDq#gyM@Do+lRQ{Y%rZ{uvm6wr`V6@g^ zmKoZ$7p-3DvuaXnkV!@kS<Nsr;4~Fs+PHP;{@2DG*ij22P%UTuT=Q3sd2<JSzH!ju z<ems+ZYhtTj#R#^RPet;-E|)XuLB6x@TTuZsd@E0Z`Kn)m|6s0gua>e^V%@(Vq++2 zyJXS=ph3Uu(Kvp^*ZS^+pZxB+`jQu^{OdCH>Vt}k{59t++N~&p3kA*%O34MHWH&$x z(T|%l;}5ADP3E!q9xQ)x)Jvbx)8znb01&|)B~bZC5{2$uIPNES5g#BxkI%1B{teYs z{?$|>^a6B-kpLsLuSZ~E+-X~OC8kjEYxCc0xPH(!H~YuI08h8Bar^t`VJ;5(9kn9L z;jBNOGk&i1=a;~V#2~^RbyO*fdD_g>JCu>ah|CbBr)>E9gUgVPJVbluey#Oe;g$pa z1XTQ~`YIR&XAFWYiaTgo8JxXjec%x?GyiP9;%Cga!9;`hBz7P;@i*hl^Sm#<<3!X0 zRZH((jtu{;kGGqwJnN{jZeiVVy#KF;!sS%L2a$a#ssC<%HfDl|fbDm4+>xk2b_LX8 z(dwvYE4u$+pn~0Y3<TnFRaY9F;<{0;S;;XX=F59M>zYyiX6B!)u7&nOCz)Z4OGT+s zBTDMpKb^WX?m<a|0DW!%c&Q}PRD5X~0Dc!{cH%_faJFy0+UGJ>{WR-u29Sdle9lNU zHF|Sec&sP*N==(Pw<5CXxgV_Y9a$pKk8#jjm7zS(T?)nsND~j!MtHd$Kh<Ds-2G`@ z6Rl_cM6U<kH?`W*b~e1q(GhJg*?zC1dd+$5Yi&<yF4IxmSh}VBjVXivH^E*%1<_wm zJN}aOf4O%(cz}@Y-SZaatv>&lU0o+~p%!%=L_Wsx(tNN-0U;IoDT$Ldun*m8O#?Ae z*iDpL9IcUqo?5ujMK?BU0CWSa94;z5Z5=zB^VXA~<TPH)=7E(SiR-0OFv>qsQ$q#P zW#tbIF|VqOjr#ea&jDx;<|%gL1?Z7nombNEQi(?8Pxr3&(;Zh4f#OWxJm43}FU9t? ze)R9gsfaODjFRf8Vd7iD!C}h!;ls=_i{8BS-qqTZpNN)UvtA7;G-!GP(lh{q884SY zhSEB>HrUbwWR`+bwUubbKzC|vg+du5>fpEehi4=hvRlT@d70vtW!vs&s?##PZJn0K zEz4!vZ(rW@$xx;mxt^}IuIH)#vp~KQsgC?^>(U3eQs&Suy?fq?Wv*ZR5e4T8CF)av zEFk4!fHx6=qu2w+==LTBtg?>}EH27V?81%<kGm99mrB_}IgP-A>+dd!s=UJ>>Kr99 zx~IZ!Q~q@OYmb*xHyH7XW7B$qa%D_NH7$-`&vf%&wHReN@a{LtKN#Qx<=?U4B8s<v zG#`<IQbh8L5xmo%Ws$nd&i9fCj1~5wqdLUbrIj^7tK@{Ha(ZKfyF!cpiH3fGX&FzL z_I;!qs$t%lPMas)d!Yc?PR<7^gutufC2EkW-5QXWpf}4bwe&)I4y-L|^Nh4O>XTj5 zgrPoRZkQV8hRi+}lNzJJ^{X}4_vMf5#g_{t{q&lb?%{F!F7Wn}Rc9`m5Y_3El)^PE zaSClW^L7-g@~9~cWTYsV^jw-^h#U;a`7a!~SMwNw&NgcRbcRrl=g+wOcd?Y0zd#&0 zSCq3;PsR1P&Yx&n^EV2kCww$ylIu9*!t46=bXjNL0N|Y+D1XlIf+zhuQEtQtPOOm1 zzbuH&ak#wwlNzi;cWs%4LxUc#eKl#DWG~&5N_h?cCGJ0A+6GeQK%CN4{^tK4r0ELx zIWx{&cyQ)uo_o_TkIFt(w-x3CG3f>>etJQ&*CU<=7;3|jNxBmXs<BL_xLtiVp$)N4 z%e*evZ&T0k2<nn&>%f9d38uZK-9ZrPdiLiJzUO^$L*bg|S1x@p^mD#XnAiKxJ!Yng zxaWw-)gm|;B89ouLC&Bk*7kGJ1Nla1k>j*-PWfLK|95~j0D6FO&Qz&*!YOpu&!FLW z8Wq_=ymWeWKD|Ks*U<G(x4)lpBH5L0bB3xXfHz#*!s12iG}M;1>AgCpQuFB6HnTi0 zS;r}i-yu8U`o5c2OyzG}{#-EONYG)0KF;(xBQ>v|Y2C5MqFD?PHQEtrg>U6Ek8SmR zd4^E@od9$)erwK*lfjHQW&Q_3vYy_DjxlR)JC|ea`@!;$M`fR)A(*V$%%vb+%YowW z1d=XxtdR@vu(suyqz!>T=6dRYH1jmeg%b17MGEE9)w-Y=PEj?9yDfTS5*iP6W0dQ^ z310Jm_5Ji0H*cx^H=cabd@G}!%$jTB`{gI*L7a;<<YE?>3rL1_at!FElt4s!BZH|t zQAC|ykNo}PK&Sek(*nJb#@6jy1a=yq7^NL$zVH80UN^Cxv_|WhGo@N2Dyy=f45W-V z*`x`WSK3yVv`%qE)*E@#>b7}3IwqrS%0E@#sqPae0ynP&Zb31WYaUmS9yOcIN`A5d zIvxIPh46NC8Pms(+%PhqadXhF6I~&`|0E!r(1lIY@JQEJAz8f%DS89ER03x9+=Z$+ zQ$+Lpo7eX|8Zl}1!FV<T#m}V<^V|b3h^)z~15WL)7o$Wqn9iH8d0z+n3R*RhFb>j$ zD>x+Xn<{O|@M)}T%CJsYebx=inaXU|M9tKk-Z>9;hJ3(^8r%#YMvbA>L1R)5{!;D~ zPyaJM^yfEis{b!uUlRIo@v9XT(GSMw?XKW|hPw4Ec6$Oua<-GgYel5j;<*r+qa5dg zV~*U*JlNRb8MFpKhw$WX=G;$xw<zLx3mqk=i^!;+NUAw=N}6x`S60I8_k>5AIu0-2 zscs6B+N49=RIP^Yl7ebmx81RxtjY%f01yC4L_t*6!Hmxg`W`(1;BmV$EfRzZKT=Qv zH@^sqhCqv~0oyfr2TK-I#@!Gi&lf$)L(&)m+p29?`n_5x^<Tp9uWgB4*zvgxkm77P zRkH=gRqo}wA;1nA<Hg8nurpo^W5gtDH^Us8ye@P*D@8Ofbbvn$I*1jOK9x5Wx8H`g z83T%iNm^L06>%62(hUzo0$&tb@(FmDIxGhhx1k`7c|p0B?YH1#^1wVD)CGb%;6}0d z+Y}lPbkkAJMH)UWseeQJcWvHS^I}KJzpSuk4=3VY#Xg_RzK&#H8av0GurSbRisvO8 z0+L4&1P5vrJ>}Jkxn{PLv1`2YGUnNgTt$Gce>bmSXXU7mL&?0Ji0K>UUss3vEmZ#9 zeBdurdyUtxOw$oDUmxUkxV>a_OS(pjUe61&mt%{Dmrl@)y(KULK&7y~m9~2VGuw}t zcl+~<@^_Idn^C?#`=NEWT=0%)J;L|38O&OCMMop4_c`nRD-%Q4L7AQ*5Kk_jq>MM9 zc1z$oHwso8!=yuOGqB5YvZf4179*3H?WgFuNYQ9XR&PYAt`Y{vj<12<2^4m*>fp*2 zm{<#A)l5xF+i8jw<6z$jl(|vBz9<?BZAsua@!6*IgL(>n5O1%qgZk2rhabqm@}^Bg zK|LNf#hPi_w9!N`G1!qH?j1(`SX*-pd0T7$3meDOJeNuNn}6a{T2#Bc($3WaIfh+q zWia=nyxnR_cn(FRTXn(;^O_Y68N<_iYJE*<hx)-90AUE`c-mZSpbOa97b1rVq}%6E zYt0#71L`+#h3?t|Xx%_WCTlG-r!0)eT2@+-e!f<Gtmj}Ix>nb+Z03DUrJqEqW(#BL zIju7nWsY(q!Fs=I-tSiqQ*t9{D*be#7TQmDTObiNEUNu>9-r0a^;@-;{}Pe+y3Ldo zj7(mlj>|!tV2pt@6|GUYM#1X-GzPRLE<P1|isv{H%<PS#Pt|NjqH2BPxu@Gdkco2l zWgwRA*lTG_3Sto&0VFEdZHjx_zERqSwku&%#wg<E*zC6?lOB-MRFBte<1u+O@oibY z?S4?Usa)fJ6Q3p{pfOER=4PVoV26T!H1@0UmucJy>pznREKr_xzV^Sesc7x*u_WB> zZ@%Y0COLYZ`084S97QVWn!p2JN<=6w<q%RY16jBb%+io^JNiISx0OdP<+9bYfIu?p zDN#BmkXU!wX%4XIL=ttIw{Vc{z5?n(d!+(36J;2KmfO;$Y0A8XLr%v}tGBGvX5UYx z5V-xhb`JKVO?In8p{w8J%wNR{ARI_rWe)Ix_R<K}|LKM4fhc9ZDDy3V)>W4*@kFZ+ zm}p)JWYohzTs<zUBxz(NILkJ1y1oX1F_22a$gXL?G~%y&*ho_~wq<x}8W=t?@wfzG z+A*&zrs}pLS+x<#>J2>STZ8t^vPo0TevYJdd%|OqHbjMMX622_l?vBsB#CnTjYgnd z7mazUF{Uy$irY7Jo5<|9EaQ<USkLf4#Dz9I75N%seUoqM1nrZD&pANL`aa8>I>NdV z$iTWx^G$v7)|_b?qJn^-=Ci2TE#&5=xm9!QxPNo1_VG*){Kex?@5ZWUXy3V7i8>4- z#ktv?aH$OZA_57|?sh7bdnuV66{*qYlfj|&Stc~yCgv~#(d6a^y27d;lI)h49B|El z^Q+%N<)2J-t7=yZ^ZMn;hdG`jv)k6ua4I?2tZtj$m1CnIlC@L>iFy_%7yf1n;<%jo zm%zO4r&R9D{EfVt=fJGD>mJPh8|$M)Lk~0iZ7BtJgND4Ik)8j!V3fUir7l^siL>tw zRK^=&&Vexq(wv1Gg>5_pemd1?7*LVxfP5Hb-AEqyn}|x@l=ag|n7SSf4X>dNW-UL( z8Gf>A0}_?%+0G^|MO4#3O|Y)twwrx^O#EP|v7zn5u?}{Hc_d!wMv-gAexOvT;2i}g z62b71!!Tv)1WcPg5o5-VM6AF#?3$G@%Qcs$;trI#!#t+>%7IYv7nKxY+=S7XI&C5* zP8x^OVWn_l5%}aEln=_159|BQ`-}s5$ivNxVfd(W$}m3Q(JX_h-(23v9h9g197hlk zT5b{?Y{wxu9H<|TbLz=NQvM&FTSC`gxEL3%IBsmrbv{j)7C}&kZfv<yR75DcWJMgF zJH?B2oYu~H&+ZrgnP8QbmMoKgMd0-f@Rg_Q;rkhHhIRr`@p$Pp8Y-(exOTl-J3d`V z;59sx7WmF{E8@|X#dSK(H3wPQGOa87M)?Ob|3nRo^Rnh|reJ3KX67F#f5*vGY{1e3 zrOGvTqa1r81hFktf>PEMQmaroc4HNL{Dx?~xm89M4vb<q3fn9VnDzH06}3^;2`cR* z4TNOv7S7Zw17&W?Y^UlVEqFbTWs+3%3C`?;x?9%;hJ`t|>4q9Ae0msk|112K@U*_V zT0q>it4$nGqY+>fs!^mquQkOP_r%F#aq{sCan9+BaL#E*<Ft<*f%)@iHW~p<O4`&3 zh?**hO*-p?$41%jx6gc>dh+2gJkC1xC>-{Yy)bs%C>Z`w9MefbJ(h2d&5YkrBrl37 zlgHtNMF-*R(~rT~l%e9J!?5f8S%}gw2xM)luX!<nq`|%fATTz43---V<AFB214rf^ z+1Hau-%|D5edaadP;uT_v`-0@*(U_*WQYvMAlyWRq6@%)ENvoE1f>sgN@ce&mc%S9 z*{0<*0!!m*-pG}_P|PPUyCkZ|wf;nP4U#prT`J$3LK-qc1H06v(E6i59yV*}m9#~e z-L)2c%H60;synS9qTuEi!_Bb={?N3U*}qw5H%0)^WeA#TH%B^;DzXp@7gE<Zr!~b~ z27vO{Yr)%1DSZ}cDr(aY-?;4)bu=oCqTfm*U<<FY&8^5Nc;nJf*H?2*zZO1c{^k`v z!=vXo^uBB6478=~TxHwtwlcyrlIC?5kZMxKRK&vl!r~$vfAoQv$(etCULInx7{-nn zfklV!kMW$*J9Nh*Q1lLrvgSPuaK_%8rlL{ozS|t^v*$dF9yJ_!tY2DEj6HUpjRkw` zgwnDSG?z88sc-lMJjh2J7b973;Xw;9XVzpC<mbW2F@EeQ9D2x}m`bliP|tBVgHQpP zen8mOpkIs`c>VCVIhf4Gv($`3b57sKnnMLP`dU6)_4fzgVS7ddMy<o|7R`v&MPn!O zzBm_<(dhP;I~5eqg9IleJ2DY4#i3@jD4Z7de*&xlkR6=+pNp0{_^9ei!$ygw>gt2p ze^<))wu}Idi0rIghigyUhZ9d@D-_-p(Op`92xgs}^_$rvI@?6xaJ}EnD~94gh+N!! zAL-!XKMqwrluv7kh(^H_OmV|lDD785%WGkIHf=is92mDB1bf2Ymc&C7wk0+0XkKSp zai&c2MFmO}RQ_hYeZqt>7&m4lYnif)nnGbg9(I~F1<|~GfQlL{ACN;E&QVM=<e-GE z|4B3yii--HYBoj@*TsZ!ql4uHqrlP3!_+st3=fh+17rAzVVFG8JbojMmH8_oFf#12 z^9;b;8>|x;4`SqJUl?na0ToYUj5eF_*bpOz_SiA84+5`sT8sM8O`|J+nTdTIQ002~ zUUez&s#MyWMA;-$*};%5B4Eg_sKyJRaa2?#C%0wHE3a*mJsu1QXh&5-u)Z@{jSZbn zB+#&RE6sS`9-URlQa&%@nQU#(5hq+<)XZ{C-fIbX{#we^x!hEi9@qPmH5t8r&1{2M zxiLfvN})Jd1_?R#!#-2_*TKwuc_Ml&od7Nse5@9=ZWxoggj3~f|1GU)9)=aLY2bC) z0tF(<8>vOYwq4CEQ&#h0)+}RUn0=B@GD;Lm0g8%TxhN{kXEqh8<{557#l`f*^4e^y zW6B#+O?4e;D)aop0z|3AjQ~7<Xi3pX1kqR?G~3eK+H6su>0-*z^WZ4es;=Q9qEJ#) z2ysojjpUnhOxKDsoBoghVKB#l*+r|3c}>UcUK<>nGO`z?D8<XXivJ&sXDb8WV~*Kt zR2t5WzSgr+p6BQuNR@&0fFw7bg6%kGNeHDOqg2%Ys7C9v$}0$V8;l4vG}KV3Z0b;S z-uaCW{cYv?s@GxB>}RTCjw=faqXoNc<INk{SI#=#qszCYh3uI1ai6Z`WG%Z#S93^_ zR!PEHO|)<r#EmdL>o*U1W+AX2=IM6Rw_b4*-oOfx6beHPfby7EC*r&(K;J&-fx)?P z0Bj*RQEG8yc1^x!vLS#fsBuJwHnEam#%~mGGl7b?dEXZ*UKkbBp1`_k$AL%kjp7Z+ zp+Z+M&kqFY#z4r#gEDzdJdCjrP*dB6pWzYkH+(?@q@5gqF<MMHBQIFa$mEl!Hv6W3 zB+YhoQ@^$0!(&D*f=Mvcm}JT{?q&6tBNsOLT7P-tKki?XiSw&-=SEXHav7laV}<-= zIt}gjkwlq<$a1=f!gh4C$DBNi98o8{eB}IsmRwcK1G_(X5b#}Po~Z9|Cf)eZpILWJ z4nW7uP$Ii%tq#Vb%VW&~NUC8IhsQT~!)CZsnd_y3HDv8|!D!(P6DcTzibNsYZ*C`- zVj60k{nz(;_TStmBIJ08h8h4XN7kl1=#4BxmrrvI8yf^#UvL}}O=2_g&|I-#4F2dq z847|}F(w&BYm}vl4S{ZVC`BdiAnmwFn|(IIYa4CJ7X_oBO*xNc1BFioZsH)_?6bbl z_S@DCjsciA0MaaH%A0z=F(yc6KS*PJZRBRzpiWy^n4Y4iLbHxGvYVLveAY4j(d;8A zr{RGn3>ssqSjvS~+x7%D(<-Oe2O9OfexKary!+csyx68xPb@hY8fO9$Jn^4Qd!W&P z?rphMIyeO)*%wOSLS%M2Qp{!9?d+`qupNs*wU=`BRuTD-H;Nx7xLNm4*4Dv%>NhOE zf6`<Ol-hqn!I;_2?KyBa@uq!)LrSQ2Z<O13EE3ICI*i@CBAB&*;Xu}5!2!+G2xkBE z0`$2U^s+=9T?xoK*eyUn^VblgrXWo*BkpQL;ExD&OX6s36uu#!*OyNP+ei-JkW3n5 zqkPkJt^1;=fDlTWd`%srv{Njbq7l#>r@8MlO&flc!>6$AiLx<Y(@S8=Ct1gk;bV?H z9&1BJMve&W>r*bnoAR1Ejb+&f8UjAkjBye4jmJ9ZH`}AkMs7o3T`g#{ZBL-cZSs12 z=xNdKyD9k^mM%?a;_}}U7nb@^*ZGjKEE5Qlq5<G>>5#{RHxTna5?(kFDN6hL*p~dQ z0nieSL9}1AHQk`KZ<MKdH?EcBn&yAHp@HlE)C1gamD!&M0uG7TOT;@43*)Y7dS&Fb zYTmTVz*(v}Zb`nEMyjq7UZQJnDkwLKVBMbsUrRo@wr`$g&}n*MvUDy8Ynpl><Aanw z=>8Yoqwg)`8g|*0N65|)BNMoSpl-qd01yC4L_t)mg+C<CNC&avjGoGmic~j|nPCS? zlGmAujUq?WzEQquD$pR!l-Inn!-xtrC}YZ+SvXIiPaa002k9n_d79<SWzvoUc{yCO zjA`4DscYoXL7GwKBy-1s(*oUI4wyU|8XntDv5sc@hL36A?0Zb}*#}=a#K7QSh*(Hl zGQu<yfuqdkh)tTPSHyl-!N+6kp1tqYju_Q7Brjlldr`7&-bJJQ4Vm$;qq;5ga&6zB z*;g`&NFMng`oAOR7dE%SE2??d#<_&R+=?fnlg{|UuyKpy1z~c%bk9X;5w)2YI~U4Z zl;9oYC6cJ$S_Pd8*09KE%DHet85&(roS{0}TT6*wCv6Lwvty$u({){Xu>lZ4q-Yp& z_KANqZl+)6`}HPnOzHKnPg6b>U0<JZc9hnBLTlaO@=&j(7$gj+B$_1U(ATsVL_9PK z-|Povcs-e8&DpQtqy&vZ^r$3#qZp|;!PzmmZ^)#jnU^-lRH(cVVd@!vVWfpaEfp&a znL5p}*>9qt3@BI#1I_dxzh%9)`^Jc%>>L6@IM5(4sVrk;@S0@TO>LV#nSIk|pZzp_ zX*Pf$Gz7%RMPe{)C{7S%_eauH=<mX>yRRd@FCM<YJnerGM3=NIXZoE=`+*0hW%^*+ z7ZHd^Uy1CJ`P2qCZ>Q!4cvUv<+BlaGa3|F6Q!;AwX=MfDW@V5|d#ThG-qx*VdcnGX zbv0+vU2~yl;GNB6b2;znxX#B%oN!&SVNA`no;T|YByEnh=1rSQ1n-cuKPIVDa`Q`| zB6;8ija=O{JD5(?L8o~xxSu6CQv|JkUEM~)7|zl4q6r1Hflab#c$uM`syV)Db5(-s zhOtqs0Vzc#?!c!~^r-LyWyshlMo`&mDosNsKh6C#%fTpr6Z06t`b0d;{mx`)aR5^; zDBogValeU7xlHvz`C#fRmZy?Nz{hRDlf$_vX!a|NhtG7hs28}A$j>L~7Q9UVJRWab z7NAk2n@O55;{~LJKW&0;bKIRnt^F<ZT|B<=A3y#uQ@uE#lF_^?p!Ilwoki=-ECXm> z_^nej9SzC!eE5-%H20iWO!Kada|MC<*L<Z=9CfVYI2EoNnV3l~ae^g)_nY(0j6YT1 zfMh>>?5DZSuEkOYk;C&Ng~zeHh*P;qYyW?MU$1$y>U1hl{<@2w#|>Qn#sE+p2+1&K z1N&w^exuE3oIN3FO`rzL_Q|*e5Ot990UC$s&3K$Wi3f<&_Rh;T2^y7_ITo0G4emE7 zH=hdDr-JmU{2CP^uP<|r83jp2Z(Qzy``nGdD9>%m-;@!D{EYGiG+S#=Y=?ZoHekvJ z`_23r2gj^0lq*AhEgY^*-AqIoz%uRICPNd1GMKvT4@`TEO+QlXn@`fs#tzd>{|ycX z6U{oBa%<K%gytBOl`IWwa34*ZX}@W=JCQMHSNI9%$E=i*#j(fkKiBv5DWW8w<=Tam z=fNxkw96PI2_n)0$vzNTBMK#l5MVLfc}1DXQZ6Cj>k<2lQU@qU%~#?~YWqpuW?2&r zvYDgJd(<=3qZ%o?{u`>QIRf$YHW$i)*j&>hvXdz1^ob|M=dD`u^#(uDu+mF5yp^ii zjE1TW@RCNabxqjdsecYqT`N6sr93nHr)PsFBzr<=UCVR66^K*EhqJABk%IQC=pxOn z3n5(G{!0ypJT}MJ0He)NOXY8roJS>R$S6Id{J>-I8Z%1Yr^5G0sV4Fw5i}})&b}3i z<pPB&RNxxm{n(y_jZ%pko<UjFtn?Y1{eW1XGKJQs*r2SSfdZ$gj)~h6+sIg-yb-j+ z`hm=por=G?Z)x_=^w$uY@(msy+cX$y!&@k$=}SOHsFuV&wmj_4zSf%s>KB`zpOEpj zKLC>U{7VS&DE3hyWHSbU&rFsH$!(o96pwiN9MS%~XAV5D%=AALM3Z4@U=Wy4@wI%{ zagI?+=8ICLP%_;cJ#j>sG_kx$r7!XUIFsgb0Fre5`^jWj(OgK2a?ChTIqH(pM_x0s zu3^*aMAe3;Q*~8Zn+N2m)w&|26Dx#@()cH{u9P3BGTQf%s;{IX$f&1#B$|k9QI6i& zQDry1#bd)Ypap;-x@}hg+m%v~CY-er6K#^IP>o^>$f05*!D&>Eno8cu&%^N1BQS5? zOdPQ9t~l&~J#fVSyW`0HcEb@oK4PC;aKv8oaKwV0aM&KRFmH0^uh5PzE5gCMOvmAS z%qGpj;jDASg2wo86El6E*^@D>D4)``4@G%V>@s;Q4&R;i7Z}>9i3j67$cMCW*BO{I zVO0CdOc4>37Z*}a*4=Xs<(`Wp_SqRn?lT`p?#I6EzZ>@2eJ;jL8V9$q06H20=n*i6 zfH8<X;$jRWP0Td4h$cU63<{DKHn1(UI@p%l$&ROiRSkafXB`=~|5&vDG!JqzTZm@j z=XpLndI5O-XDX7@>4X&se$XcyZ6lsR42u+{=9vbR`LUEc2$W44b|9ek(vTvaEczAo z?1DVE-6tH4#4i`EsMp$G<9q&wG+qDZbH64%7fJgbyoTD+MCFEK{Q4~yrZ%PObt?Hh zpsA?3D6uF+3Q8d=_b*#7Q460-8_4pewchA?D&rcdX)czS;AwH|q4{SLECB*;jmjUw z1CnkcpVyO_-8L$J2PzuH*zu!r<VW_!smC9RV?VMt7Vfz-4%lrD4%l@z4%lTT4%~SL z4xBf=iKgLzIa4rm%!okm@V;#qk0>g{zB4A^pq-}Rpt(~6I&ki^AU<d(9y5LSDPvJe zqa&<-ek6j~<3=>rH|4kSU|qA%`uoqCgqdT9H}+HW&T2sd!7v&Z2U5<1*lx4zrY{G~ zpN#`|+X+YPw;N79=3rDDyAX3`Pe-JHh5$VT0WJn3M<Kw9xS@%(u(^=HrbAN0lUTNj zIe)Kq-(SHvQxMVmLV=XCfRHkV#s>k(HDd{rF?7inL`9t44FbyiSjr6q=6>qCMT)b3 z2<Gw%SG>nenC)wS2IBGd=PDjI)64bA+PZfW)iuzZb>>D-wo73Yf11kB{0F#X^=9Rz z>L+N?=j0XPEO9{Z1-ks*dh^b|a-$F-I@_DbxjmmV5PCK^0-Mv5Rq?1BWUc6w!7U@> zyt1^fv`%ou^fDIOfirYS--5K@vN1*giPw-(W`?#Yf8`)brMJ^g({aq9`(gf^=@>q& zH28-)Q5pr&NCfT4MbvF1M^QntA@j&bTM`jOn#x7p#`00ObxhA6012LAZ(Cn8-7)gD zsS|Zu^Dt%F)@?pEyrXW5@@@KK{`pWzQ4yw29D}15?u~=?+Z`q59}uw)9L`0QYI;3T zpoRPF6AZx|qs0~g4c#K8lil_3{a<E!@1K0+sblsU?L$7!eYz$(<`ygim`-<GY{=#+ zh{H2v4S-y`0-R|6zC1a5i=ebwHW3*IN6nnFb#h5_TFbb8!@Bi}%E~vqq<J{JWzGQa zQ&o9f|4!C!MXGu;*ZAvbprol3wF{ByP;wDRlT$gPeT~HXx?_2TgI}be1j0e6<B|iL z%f7%%)WG-pU@1nUp4h$br-IigGj?=Y(OT^(&*LfR6xWPQ25Cm?4s)1eKN@GLjr%YW zNsCchBy&AAk(-x?88aqh|Gjp>m{H}3L|vHj#*s3V$f2??E-Jw8JI};kd(4CRFNa_n zh?6mx3<dZp0!bVVM#!+WJ|AI)#CWRS<XG@hSguK1Qc<Du5Iv5(Ch(Yz^0$Lv-URSF znGAJMeTUB?jt*(giwhP+)DGX<LDIn~=f(3>L>(<6a|E*Oyl6-sw9GA4-qg^ptgqXU zP9)!?W~FuwEz$3ZzWJa}eKnHRo8U3_y%fdM+vE^{R=iAy$SK_4_DagO0wFu*wLdWr zCWYkXQj+#PG|v9F_cv?u3D!b;%QruttnHBJieVg|-4yX1QXYWTi1W&72@(%AsPGL5 z4@d-wdPf0NY;YWm9Xk@c&7FY}!%88-8Ln=;Y-vbgD3b9A%qJdGrc6MD#u1d$h?NkV zCgrcuh$&1gXt8ZS&`dSNs9n&|n^^LxjsLhm<5FP$iWM>6*JtodaolLfqFsXV00h>r zIce>3Z2}QcJRg(tN7NS+Qy$td;0P3zPufE%cQ1jIwiJfr6mK`oQ{v8Hx{z9hW&5B; zD_N<vzoAve032xEa9*+@c%?5@w-tUm!GY5cm4qGP^h%F{$RyzwTBs>eoCw^!A{Nc< z%hmKhc<qk{P?PA{j5t>6Wuk;jCQCY1?BWeAA1DX37FhG@YCZ~f1wp>q4@lrs=?AWV z;Wfqmg2Dn!o;Vic#*BpGadY*d9v9^2VHYlml#~{u884s8-xon(Kr!Zx$^Ay8w86J= zm%rw~5O*2OIcO#x(z=2f9M+1jm-1MX+6B#}&+?Hm^T67kEWnf1u1LEC8Vg8s8IHqI zyS&DPA^$51Qr6&=j8;P)iW~r7VLa}-u5%=SSrE|7MypL6HA#z_H*N9VC9N{dK|Icp zo-Sc6Zx{t+k_Lh_XTIr%nn3w`T=UmP33hr1n$ZI^1UitIMFQoY!?S;O(?GBNbW*1q zs=4ozz@N6n<hFq(QU|@?o~3mI+j+I#({F80w0oKm7-G~EwksUoO9=9UBq}T>XkJge zmk^Lq^no%{C>>UYabrgz%5`z#9GsQ5vClhgN2a#@HOC-;<3^1@`S4+I&6@!RGpY}R zpHD17GMECym;2zR1H8GjEwoE8Y@tQd{jcAWg4D8YMceGW_SzFJn>?0c6t&6f@G$N9 z!OhoUp`o4W`VmaA20#v61Y0V{&4#G`1Q;GBj@FV7CA*XqM`wlQN1@l!oc=Ec=(R6D zouu2l5^3`t|5O9A`7ol;?HCvULUb@Nn>KTAnAwU>a<>LrZy>#+wf_?7uYmV6?WG^{ zQ;8q=p7&My*FFpJ?_k-Rw~@vzl-{I$4x+xw-h594KjOglQ}X(Q*4n%g!KEC0$bIuv zbb@*GWCpEsSKa~Sg_<!no6*@;zs0~7fyNGfe-o4zNDxsfp=}8~4DtzbW6T`0PvvE1 zu$qb=)GPrx4vI^PFs!tMrvmM$wjqhv-un=L{`VXB(@U@8PcOcPKfUlO{`9X`w$t-3 z<4@hCfBvugb(-7wC)+di+tTwL@oXWlk^cqu<3;x8r8n@*Ys;~<wjLgh9A0s)Fo;s| zmzS5(3&+*SCd@QrEs9<Nfi}1rJc+;AC(=ygFV6vgn}RuLNlezVS$Iva`{ToPJPHk| z4WkOUoPPo{h1BKH(Q^P@X0ihp<S7$RtEoHm05K@eUp%hh#ts#&XYu}tAY?Nqi+MXk zsa;X=L^}^bZDs8yAO35+Lo%+Tg|N*+l18J;zY^*C8W=+$7&)@QIbgw#yRkxu;|7QQ z@x#H-=!+DU@K){XWsINF+Iv)typ&7;01yC4L_t*h-dBC!zh3+4OMTzFP^Z%ui}Ehx zG~*f#|2AssJJU(;E56`cK9b*8u5))p>-!ST1pi)9{@tP@-!o+#<$o0-pW_I6oA|h1 zYx%S`A35>UpM>a(eXXx1@6WT$y;|^F4gIr}$n#jzx%+>{<T0Y*yCOTT0bouNwr#xf zx9xL>he198*cO|8Dk-D*b+FH&kFifh2G>Q5uI{|NsIl@|QHt7U&E`t{?d7-e;#({6 z(wpy+R*;tCr8h{gFT+c(z0))5Rb96EI;m~jufBtSzxH-3+9sbVZ^+1P=uP(HEki5u z-0LgwzZI(yC{9A?w;&BcNpTUJXcU?TIUHhVuw-oT)7%HK+!hP-%`uE|Kt?<t{B0A2 zY-OV-`d`e@q;^49R5*$J)Eo_tjqP$fPB8uOXv}n6Dpzwu;mE46Y(XidC-6*Vm9J&i zO$6qyA2~`y9ZVVxgx)DIn=)?$h}wPrm`d~SFHO=mTDN~uJqNWFyit}jk>{4beI2w$ zI#GvI-Bx(U<?m<z8AK5WeLeeUH#{0G)!Nr9wD0{zYwvEY{hNK?`;_+6m-v4AI;H*3 zdA|Q`U;Kv>RW&~yxpMXI-*aF4+sgloKmXoOZ~M>tOX9Du{(1cEb$|ToyPKEZyK3Xp zk9@fPFZZrn`}6}FYFf~Sr4O#%`1Cy=nlfvbKDctj()*Te`un|atbgYI|808uz85w= zGv)6a>tcV*OV<3tQ~slX`+bh1UsfJ&NvGw(%38ImE2p(#>ssaeDyp?sT`51<%Cx?~ zWxM!hm!!cT0;f%mi49TF`y|~&U<@iVZOCyThJ-U(R^m0mOQO*ekftknYfU}YZrY04 zy81?{twU{19qMXo(LhR&%;&carD|%>NVUNyxlLMk$?$7S?RnHR@~^E$$`EBpHBqvf zX|1RRDaw^3H88!N<!TMFUeKrddQ|av?dB?^eU2h+Ffe#TB2mC~;5)>q89NaeOq)qF zJs_rYJfat%`8){s&B@qKY$By0tJ8V%*7nradrLQLi16k-gr_sVbx!9;=Dhhd-gpnR zDV*bnx_{(jGv?%sRsGYPZ6y-|k^F-FMPw(4<Yg)oq-*5SOR&3&MRpC2TmHo3G}!&s z(Ef|&W^I|(7yFtwR?4jR8<&5QE`QDDv)zygR5TyrMv&!=V}h>Z&k7C@f7E{ZJD&D$ z;IQ`@cI!r+PJT6=uDjpaq<{YY&+yj|ej0yq<xk^puKrnk)v6`&%~bNWFTHe6s%a*! zvnU&R#eI<Xs^^x}Z(aJ}R%0w|ppjq<gssos_nyh?N_(l|JjEe5AD~9Vj=XUUYwljt zu2DSTeq&4&gha(;l$0hMK}@9&?i*$0bKiX7E;!~HF!xU@;-&4SJ@}pn@B-luV-JeQ zu9t?JPPHN@okk-yrJFJ>$@k!PLJ{V-rEPV#@gko<1`iI?S`lS(T9A>^$mFI{h_Gyg zG8);1^<gOJmk*EWyf4tI{~E!um@6v4$`}9+;81n&xDi7Y7y@QLz}=J;0Z8UpbC(CL zjR1`rCcjfva#STUZ)QyV2rII&%!R^oe0CzuewqG+<>zXeh5@|qr6cy{ypHNNuzfGu z&}m`D<=={lat>#Y$CJ!CVU!^-mzTzzblTf%^x4-Gwk_3=$X}<m{EP16MBBV<9%~Lx z>4s{g>#N|W*i>IAe+n$3IQuVvFh(yo;^y<ds?@&!GU+kWT^z`-;~;UH^7J=qYyC&w z-{}4RgP+~@!Uw<j?DEw=|H7t~OXCed-0x-615!Ow-QX*&Hu75dFZ;elYp|>Q9S~`< z+bH|f#E>^c)1FZ<CS6nEm?RT79~-6Q(*S508|Ag_^R|H^Q`lCA41&7bVh!^LDifG% zo!7sjSHPv>behN*1HyEpP=na)v%K^L@icbGmok}rPzG=xRQQI3%H7DP7&}Ze@*6T~ zL0Qu`@}>iT{Y3~7Z{p}v>6_02o7i9o9-G*w2gMKa)plc`l_5YtL1T<;f<3_&UX-ul ziHgvB%sl;{AE_Tnk>;E7J)x8_+{mD1-CW-{;+pHPALJAT8Ls-FA=^X-1Y(iGIih4& zffQ#b(kj_YrAm`kHG4)Hip*;<t@1YRQD3V?zez8_JFPOZcwlBhDX#UW&Aa{SBu9z9 zx>N<qi9kin1OPqScq3_OU9GkMKkey<e9wz>RJ)P!7t=}q-a@5+z3Qj8{cGhf;wv{l z8Lz_9c)CXo<zS^%6Ofdc{6}frOe5eXUKih`n13g&B`BWe#{C^5NK-djDSsv^g=VGS zteCV>_Ec1wWE7U?xbR8l7_850hL=p^W!=0VC`8RRjDn;>S53-aQHd&}V2z?R#B?yf z6*bifn8GkId>A(~?`cdn+k)W{2uVF^+HY>t>>IgE9LVOu7y<#&2-s!_G?yU{b6GS} zYYa>i8U|Abns}v2p6kN=(;&@d0T543@|%f9fx+B(TpEdW4Ze&(K3WI{4FK1bH()l+ z6ce|g*Is+V)eb$Q&?8zTcWXDz^W(8!-KsQn3Jb@AGHU<~+zA&Y&Y^%z;ypp18amv3 z-o)wp29>I>o9~Kqz>Gzg$68g0$9*NTN(0ZdO3%^(6(@q3KWG1bI@LHrWQliMHX;Hi zRsh9;1l`;?fTc<ALVG{=wEsoQeVh3D%WhTe1MjJq|M0=j<FBsyb$sLNOX9R(I1qJ{ z|DY(oWQk{<L0JFy`~KuaQxAI*{TjiHYu~?>*nEe5c$&0{`@CGZH%P*EVFOLFU217O z*1VCl*;mvsGysee3dk{vi?<jRmr-Cw>8D*6KGR{YF_zUrgTd4%SKXF0Q%FK(ssi$0 z;&#eDP`)h7`n*Ac-|at*GO`K4$k-b~XB%apyn*3Cc|p01?Azq!u}L$1FcjnkX;cYh z&Dz0@(JH3+nm9Ep`!umk6F-Bc=6-X!IX1ZZ#MO6*Y16qd_?mue!w2GN$figv?|s~H z2UFN+o3LTSsHhfaPe6LS2AE3w@J#>Fyybq(dy<!q?jJz~h1LM*AE?{4GUw9olq<(Q zQ0Rtfm)R~sBb`hl)zCn_=8w@@4rnMCKD%wPhRVwIyn3F2)*Y>@wXN3avF0qnqvAI+ ze{Gb1Fg$cxt;Yp~gNG9>=uUm!F}jL3&p)-VzpMX0d*1;d$5E{PRnP41CFLwx!P%Cx z<s3jJ7~}*zevupr&phB^%rhB>1%r8*_{bP1Fwr6#EMshtgDl%v;3y|qIfu))ai;tK zYIgUuce;FgC)wOw*L13`uCD3ss_vehb2jM$TxY}d57*b@&b7b0>e*HIe7UK3Zr>le zFLPXRTkpQDt#Qc@*6dhv<9$^@>(9c#e8a)%ta~*d<BiU_f3lI>DT!WwXYgg@guT7U zt^<{RQK>pAbE^<3C@OyTClFjQ9(t<$eUubelqV(<fODkT38E^Z3=88dH&t8_$rk(w zp?D)tQK-lZ%6!ML@>cMbUxO%4#j47+9mq?R-oaP=A}D@Di<QxbQJ+(}hNH^MZe&%+ zyI2?Tt>J<p;K;j$8UPAlzLp{?rw?YiP5{<H8LFZO<)^X>X+$Yl`Wn}C&39D%Rzdkx z&~}hVZ8wxhL6-iOF?ACflek8!-3|QOKovg?fZekCoS^RjSQ-HA<9#l(rx7W3C=3T5 zeAYGWHN#QWNFALe5KmMc&Eb3y)2j$QI;*SyOcr5Q7p?jkT^wuRozZz0VC&sqNpTj_ z4+8zGM}qyxbX5L9rj=*@EpXiS#87unP7o#*hw019f7E20t+w+l@ovsvUqcvvA;<<_ zUnlmL>wbUray`qh^wz#h!aTijVSL-dg>~!S`-btW-|@ydYc4$d&@Gp|>4*&%opbVr zi_Sh{?FDDOe%*y<zhP4uth;!@nHw%#@S3$3FF19>C1)MI`P~cVGHw4=?|ki)e_b+v z>_ZDru6Fb1`wrkti=nvO27S5kp_|t3y#JQJjjpM=NrK$<5SxUvUlx%+IAAR&%czqL z1p}3#*^PKKnV?F>s<KfKCKyg}R7RkZQn2h-Hs(Xa!ZZaM;t=Ao{Tx2%0GdXb0Gus_ zU<m4Kyvz0o>ud)Dr*sKcfd)uOKUBXQjEDBL@^Cp$S=bWCGOn~W>=<{XixP+-YvhCX z^4=tc#zbw2_-9+x*ETVcK^;)&(0)rA3MyA&o#Ocr%1|O1#!!%F4Epbr+hywc0C}-R za7KWlOdJFv(q@d=c-UccbI;6OB+$#bg3qu6#OAYgfSZd!T>9LiUjsN&90Z-=EUG*Y z6T6hR#I>gkXZuF#iX@Pv{*Jvy#7u$kFG}nF7UpsYboEbbR<T4dLkwP(t{SVK2iBw_ zi1V%8D8StuJcFLd9alR+rY%zbb~uzjTOn+i(bYd2$!K@Za;3l7!Ty0fUQfg1x-e+_ z?%E^W;!S`0+&UDt_q!|Gr}WzwF7!5?dv1*?Xe#nU*I#(<tEu4s--b2kymwq}`XfPY z=F?snyE>kTT^;k}Y72Xf@#HFqT;+S-m7XzIa#C&wPrNH(ysLP8bCnVQYB>LD-*{Ii z5;a#(cB4K!t9JayHqWa2(3XqOxp3np=bXFo;`2`3c)@uGue|Wg$(t@cx5kklPGiz1 z=KFxOa`Csb+n4=x<&OJq{Zr5u`;HTPoptV7h}=XQZ#hZ4Jaz@xPaJ4U6QJQDSo*pe ztsOlYv-h2i!wx?LM;vh|jyn8c95eSI9COHlIOgE}am+#c;iv;=W5&dBFj~g3<z?VB z%p`T9H-#v%EJM@4TrD2~r&Ysa2V-D84?zSzeFBY+fC@4KhVvz0T3(?PFZY=qc(Fox zhP8|yVU&EOuk~2g$vy_K-gY2A%4wutC1SLAV=A2*Gb+7eB8>pf986~)V1TK`@YuRq z96D<{<+X1CRCX#u%JRs$2jhsMd=ICL4>)LljGH(CM!%{k22Ob>f{KapR`JZnantrw z>PUW0Q(0HhEtx;x^L&{?F;6Kb4cLob1mx;qzyyZ5pkt#8f*<;d`P>s`=&Kp2p|b?` z|F0<%Ma+pD6CJ+$-x*KimP$XbtA82+8ZUsv1v1Y!@iV8No2)6M74BmvZE9d>85~y8 zAGl*j46><$@*jq6{}Q9ZNzCi+<v+((Ik(l?@D69~^)__ZrNsVV{co>%AX@Dwle$<b zk?NQK*roGg>lboGf62LrY`FNG*Pc?7J|7d@W${Gyr=4%E;)Hai81q>J`3#@kCm^_7 z#C%YUTr4nehsb{b@<y&~=8KWj38!`dF{d%_)gnee`TS-Fc^hCZ5Rpq^@L?m~6)^HC zE9SETxl#mI!N*lqUgFa>XD{DWleuK$#b=+j@!jVfyW#u=`#imHew`XA82sfLmfz5{ zW68~r)tgm64kWx@48A}?eg|-s)8<tG01yC4L_t)4C;6=o2<Y#1j(in(5_$wjp|yiC z7&C4x4x>Uk{)A(2+`OZ3{IN&k#G?<#Nk`7b$wwZ7lMX)!C(S(&CmymtW>1+&@l#om zl+x`0jF3D;ea9Pd+8yge5j-lqapT8P`Hjce2?Q#^F%u?W4E?baH9j8W7$3**IHrvw z&iKASgkPXLE((t){RymR0t$2|U=-`E8dV3x<B`z;w!a)Axj;C8v?V3(%i2<GS1CpP za+olx7Dw+ti}E@ECmlw)(U6K{NLikA^kF#Rm?Lo9yd!bkaYy60<B!47j8C0572?wn zqI|S|&<C`BX@l`MH;k*2?JFi}0y<s3vEIH^hKWw;{f_3N7XjIu`(1L+6kwYpBW##z z_suX>G*V5O1Zrxkjx$DPGbv8!(S=m}0Sy4hV}K5bBGa9b*GiSq?*g<BqUAT-kk8w2 zrFE9O02px34|8b*sb<(vHxhIz=urF6L^wehKMwJ@g}AGRNbPe}G+Bh)>JPu+Z2pUO zbHfkU|Mu#~wl7MyBAS{}xcYc!i{vq`@Hb!b#yRURIA{K}?6eC^P5dJ<=RR#j6|h|C zAfGU*<RR}Q+1H8SXc3tMU?Lzj4u}CToYRDU|3Fv@EDQJo(TQ#hM5c=1Ao?dj@CL&9 z<mE#m-p85#S^8Isqk$0fKQXSR?t>@Sq~Edb;`3g$_FZT1_uP9<9p#b{J+d-Dw`57s zxa8I~+m_t)`<$Qu8U$aY5%4X-T@G%eLu3fh8zB8k784~V*u@MJC?pV^7#Oag_d9Su z9Lm+{)TvW2ipsIJrW)-~U4^;`5~!_8AnyASElWjM4va?WT3b7?4q#V(U|ftrqP7Od zQu(O@JYE$c72*l=j=)J&h9@0!I8LVVaWa)<0p>E^A2^Ko9pNO>Q#g_IPoQyg3~3*z ztM5q@;AjXq8q;V88aL!qd5r+OUn)z5^7fa)o-wFN#8F3C)m0~;va6;1YHO-?$+V^h zwUogG8Yu@JbN~+EE<r8juF5|GuqWvw6G{1gY<p|nI+_1!CU$bM(fJthbsTic>3=lf zycu#4rHZxxrH8+S%9~?tcq$g;&G6JTQcJr8l1al!{WWkhzCEp*fMdrExb+{>2<QSO z#_@c#2Xh{G0Vb5^$Lg^|ocx8Iesg(xU&CQO3;mb2Hpp_s>Xgvel7qt&;l!;U|B(V6 zPQG+VIoL;>b>Bglzc$FaZ?FIDwU2FB_Kh^L`o$cPWgAz{FI{xjK^rbQ_l?uXyZ2ed zK5l%uN`zqKf4E9NA0qP^Kaenvb*Pf3H~dZtRmSL#B~SZ`;3Np%A|n3<kxv;hR~z6e zFJ?YjYsY<P)7o<uZn)&!lXQnb-zi{m7Ug{auI1jJ?A&qR&3|_RzHP;Pkp|c|;qYfZ zkoAPz07wo|5p5!Yj?b4YvKofti3FxjpNbkPq*D4o{Afbff+VY+0)wFZ5naN{*l(RN zh*ekP02&<!MX)apIbdHLy8j%)Y#h3u!YulPeJcR_k%q$lq)V8~x{ju?qbu>Fk2)MP zX72-2RR!mHfCBl05r7U6&kU%K^2_ltbI3DE+c_AB(O8%`aU#Z!8;htu@Y4E39BWS1 zB>aX0a3B-s6N=7h7GSbA#(up&Q-v@nr^;VJ+cGFZ!&I2_T=WcvqdJN^M>!8iRU>tj zByi-GDHFwb^JoZ<Dy4Pjhxt5$Ob(9QSY6==WRd`{kH!60gJ;AgoHa|58RIg~u+#sQ zY5m#-usrJz(#_Ph8O{WxKmx<&IFWj>1goQT990k8OD=Rjb1wX1+m@Cuulwz_OE=w- zOc9|w#+bFcdwSu*_{MjiIdkKM=bn+TuDc`-^D!~*8W^LB|56co4JWC6S+b768I$+D z*YS}fMxMus;2_THuQNv8>xub{IP-a~^R6_$cloU9i2#*AYQGn)z3A-MuD{^C1N69H zpv~E_^yZfOB{x32Bj5U6gzgKZ^KHUks47Z30*vlOjzUpxd~QAap3k5}6RKm683>R- z<XAlN*-wf-J>m4J^%?pEOBhHUl_*1QsOLS589fRI)7Y4I<YCxn);`de^VB#2d20vd zSwRbx0~^Uj!=U6<-WHF~AjV^n@+#n9speDhnyQu#>17e;#3vs!%aR5hbZnFE0$9ty zfT;{mLAIH~A)m_h&{wGyjTit!FXxUm*y{MvVq_mqB!0)7jxp^FK{ksp-{WG-kj^38 z0snvd;>ZKaDP;4p?GEmD&bdDC0yy1qNVg))P{+D{*$w4Y4=l_H$#^k{7t@LxXnovc zo&84Wf@|0PI{D`vORw*C!sx0(_HNn!p7TbnzvQeV#?_|&12%CPJX}rLU+H=BZmynB zWI1l-qsQk!oR@=Bqh%Cm5J1dXobW%)o!_Kyyrk#bE5=lhdiT1E&pA_fKAyPn%vzOA zzZ<n|QJTiUV>{Zs?{R+m0%?3toc%ks#Wse+e$yL*0%{ovnN!kPj-8g~7Uc5*S!8cw zBKf5L>1UXQ=vcbUNmLV{zL?0T%wZYU>J@)af=9z=>g0(y;;@4;e$qr(#vMBZ$X|iy zBLAQ-1n{CC@yuH#+F&`C=>JP-ZRH6aX|jfb;02)pQq_~Er&dD0S+*p~D&2@GG2|1D z$6=+k!TLd9q5KS%&Ty1>6h37z994mjKh0->k!#o_;KVcD>8x%Xp*Zpw>cZI|M8LCu z^}EP!Pa=_8F><PPc-ySAKc#e|Jg$_}VNU+#oL$U5)u#zM)R+D;Eu1j>gdWvXshfy_ z7fYzM^CAc9PlF)$`Sq(e{7ApS&pP@xCJKn6KhN86;aMl-tv%m3^GShx0Y*N|&i*Qh zOabJTp!Ctr#i<-|K&CQq3dH=U@#OO!<hq1-S4{BY7jC@h?D_ih#TOSWNT9#h@*7e+ zAGqmJv%Te8fYlv=Ti9V9;{(!fPtfZx!NKBdl?1w7+T9_a&0+QGwb-&{D>6Jn3wai7 zIY@d0(%@KObI=ZIjXF(KHbrkm&~Oo`tf<vY!2n>kqVG{44{8KVnJ@u|9DD!_k3*bc z?^obB1C((9!rc+Dtps&!ez^$SWuR@L=%_?ppFoYSojV(_cI`Se*3*_(s!E)`IA<xZ zbk*dk*}7S?qExLr0v-<_Nv@2mA!>(XO$_3Cxx5JIDCiOlqPhJjDsAi){lFhV9h3wP ze$UNyV&nus>d?cbogiBM=lc4^J(<p7^A;X>zINWFKa3SgyPDkSZ5*+`Vtg&3N2fat zdhYLd1kfYmkYsAlM+=O%)Q0w3*)aUV#@}7Ltgrw4Mp@!aB5U7u_PC7~opX`|@rymr zTm_iVi81ehnEeGvP)76=``-q%y&i94#mGEk<b5LMOCHbk6N%VIswR8?Z_|Zm9rye@ z&z-10GwhF4wy#*!y8Zqi-=E0@Utxd!61ByzIce*XF4G@6gTr-T+lnL{eaAR~-HH5Q z!`k(D>d9yD!t*P!n&DOJHel8IO?YX;X1ug<3trl^m9Pz~w(P);mNpI*$0igMqKl~U z)~(Z;3*f{Ql)u@fP)p_aq#ujNFmu{e?gC7pf#QLR7ZCDX0`Sr>n8u*G?)Ys@XR&U3 z176y^9WQO#Mxg9ehAPVqn<&?fSWWq^p`2H)T#YB6cp9r;T8$hRG5Rc2GF1L5+(4|$ zOy74>fEBFqK0>*BW})OIR%1aUpgesL;ebb|(R%>eF9tzpsEexX?eOvF#Gz@#02u10 zT1MZibq7GaeL38?LMzMY6m;A^3o;qlAn26SZPXKyLj>~fZ96v~g=8{%t}7Q`md$zD zC!7m^&8e;1iP=)=2dO65Fv|+G8`2v-7qZW9wl4ewXNNCNUc2E(TYs0_*4OIEt-N^t zg3;^GKleBjlM6-6=P8S;A!Y#tlS#)TjJSdXsG=~|895ok9TAalIM2Jb#&_@AT$6t7 zx{DX=uirjUnHJD{zqdU4lbt&sxaE$(*e_UTzv-NdemcmK!@i9qj+_%Xu|dN@K99Al z*5DtHJcgx9AHf659>bDHmSf33{)HuvJ%J_vd>Tt0e+KtI`5abm+=}R|m?Uf`V3f@% zIuTHIh%SazsZyRa0E7ybh5(T}m)}!y2SIgJ0<&gJ=P>{c0K;iPfqbI`Y=~o%=)v(u z@u4ezw>CE8k>_8+k|$PR$>UE`c25;#_>ada(|=+KW&6NGk7DVAkKkd-`o-s7K&quR zdJg(56i6Nr1WqJV+m?0X_RF|u=FZn@QM#VNGoH0(tiV*ELRZKJDRii)LbNMM#&X_Q z`B#!=_q0?RuF-UlFp^Vg3HWjEWHB<DgP=I%x~?JQ#1(S&uZBR^7+t1Ti^$0$=KZsu z@$@H#5z?0JiH1<@FW9l3<OtWN9;LV6m=WsMf3^*3skf&OLx9Y1ivz12>`%CDnB4fM z>+fB@{02?yQ|&Ku3w!g0XCG4Kn}uEspZARUym;~&5sU>e(zhvuZk<4l#z`XbM$eaP zVdR@eypOr@c+-Z9&O73zg|8dqk_AH&y<fI*$*pU4PHnx(IY~OmPn^Ru>~E>wiw+RO z0fOSCVS>gqO;~ZHa5$lYkfSl(*4%>Dre^4S0nH3IQ#nP@+J@$~Hl%rEpq424MrR;7 zB~4K3^wdc)Okb;}QUf&1Nayl<GHyH{6UL1LJP+0wl=xI$AppoTN*8&juH3Et%72bW zlC7yUnz>Wb9LcVQ;R3WYH=|8~@@=J`Nv9AkUW&w`XQ4z2V7b$u8#N{Epr4z<qEhXV zpJ<&;j$Dn1jYSC+x&_<?Pz75dazjGKQeIAFG$hnJ5_L4qDCiv{lVnG^3|(yD?VcEO zGAF0rxBt1_rbfU3m>DO=JBxK(vhR7H;aN8+EJ^DB?OQ3K{gH#)$&?PxGFMmsaJEDG zP)FF&bA;!~(+#<p{c6)gKYppNb*f@o_m1<X$0vGcIwPO;#JkRjyq@L9z`2n=O+oa} zi4Vx32J(I}_=fRpGG3E-`}&t2J$A!IZ<*lAeqn;1u0@M-`hGwrpZ%(H_AA_D{2QN# z?&b_#=W>ARG3doG>*Lhs+Ck$As)P*txX>Wbcmc>3)1ok(Qi$#v>I?;(2xZreGpI(| zl`12h%XN;ck)hwH&xaNrA><B3_n_z4?f7hi(y&w(o#}UugFNa{06Y`zQfRy#P>`G} z`eeV`_H )&V7Xv2G}k7nQ00KLM37G(W;~q)KooJPUwvusocE2(gmkqDx)_Vj;RV zq|;<7^brX)N~*{$A6V!vKt+fR5s~P5s!WH7emPkRS!>#E$`ePzLnna)rfwN8B1f=e z_qes?XsHIdEYu$eH{vi2Fc-Rb)jMaM{Uw_I!1hJSwv=c81cy6FvwekaZHRod_1~Vv z?4frY?RvKH5}f;?NY(fCH|Kq=RX>Znv#jxb000mGNkl<ZY2{-_`&IV8VxD|cjJ%yQ z%Vg3V+3N4B5WB-;2L)t`IC-;Yys!DjTyIS7!VOhz{d!NJ^`YCg?MyxStGspBaF+Qg z0DU(=&zBe+3dg4pg<Z6z6eR=fXHkamZipwUq%@sjb(*iyZh_@?bE4Ebrxwz>r9++? zT2olNy&h|}?jUT#nk|IQTd^jBE%XVSI>BbfqkQ6RQP{@w_?_6^)Pjue6q0Utbt;D( zBM>n(01P6%s=OD$p}@1^DLCG`q6N*+TNjyzd4}miP+6*$CmDK<)D;+u^1wK(^<1!J zYNr<fQMg8pYB4nEN4Y|@Vt3sE2x+WTjNlLuQvOs-LqNJKk`%GqGGYL9C7K~fi+goP zK+FV=fF2c<e)iYqRX+}p31JN)vsu>%Z6f%OId4wtcDUQV9Xs;5?6;kB&ycdyfoe-z z|4bN0=Y%$igZxIU{CNA4@3r=&ZU@M!cb+#TOxriY$5+_Ck3nQVCUf-)j9e9zfCwKE z>R`+n5c5SE17EF;xr^3UwH>qeU1yKGy)Qcg%a`Yy9=PRSCZ4|DS^HJ$jz`I1Gl7qi z_aS$ks?nLX1X10k{Gv}!v!kp|H)eH6=^QU*YI=7xN;ofW-WI)caPL2##J!I_fqNhQ zCt*4M_V8o4m*?pB@*I74_(viCk>$kw7w-KB%RTlamOk?W4S{-URPJPyD(K`ZKMEWx zaKgPof`;4C^hp;Z%0GCcE2i}B6^i%0glOfV?l^T#yQ*rG;cmrf<_e)=PT%hcx$DCD zuVOSSNl5v!G*Hy9B;D?5IcKcdG-3dBFQJO&aJ71ZKx%p->YRnX{crpJ@?Ur449D4i zo^L+kjQ7@A@8V7Xj{@T3y=ScruXoOEv0*-1{i`9+9g!hQ&vHU~RIIse$I_cy`cj9x z^wQXdOU^kU7Iz=?Jo8-<GoR(E2_tUECBQx_IMsM^t?|6C`o4MR={1={wk=#(mrTO+ zQoY-D?=QAi1+71GHoTh8ox4zOJC#iL8mkwAea&{N=oGo#=YkYP1*qu^qa8F4u*w*j z)UDWZU@}oz7KnoMx^WKW<+=(79NYR%LN1*~E|o%#=jD;F;kGv92|*d;Q*FpG9)X4x zk7d$K+q7*vR&lo=!v#ZEbrsUcbEKao;@Pszg(%}C*+e<Sqi>nX`Jsz;6!M{E6o|Xa zQ8r9tQ6`Zt?_D}(QO1U-Uh9^1jO~uqn9Yl`*4sU2a49N_fChm2gQGNbr7eZ8vLCt{ z$|yUbxnVc-Hh{}Yj06WPfrYnwFy3+O_&q8uUHRKw4jcdjuBxn{#}Rgb_;Mw3!39&^ zlAOHe)?_wg+#Rgv#vs$$tmpq__`?un_jYbQVDH@V;E!}$xW_s<p~#jC&#YaS-gF|j z8NcQk`7|e>sVrm&yWB`<XeA&bpz%tfze+s$atQao+3NIp7q5BatQSAr`?mx(=tqPe zoO8b*OmdF95pe4O3}Ty$rOTWH+0%IBNu;D*6ps=BvhToj`j+5?EuoJxa73l<r{Y5g z&@_iWUPN?|4&~Y24)JJg)A$Ar0R^FN@_BfK7$MFr{a8MS62uvf2Zek?UrJ?pRHzGu z9LwZ_utOc?bvm-HK(>IWz2L>h@?LV<_VzFX<>gD^hz3|rX+%C{Xn3SRumqK<qYuq5 zf}`&sd>(`-OyY({qk(_G0oZkY?sFtui2C_J#7LqLtL#1Ck*6xz%2KTiHO`C}<{gSq zkRLGsD)abyrlRNnG<y%^Na*(Gf7$_}?SBsDo~iXKmm^eWi^yjZp7+7&Z~DSM+gEMM zTG{@8`E>K|ofG|@e!mC~4q0*nc`7hY|51_aiB>WRv*EpO7?(GRH~KzqU>nXMensC5 zCcP2Y9|`aw5WS9l`E1`aUysB8Oso;7>W7zle^D@Lx8Hy3i&?mDI)^V?xMxXg@b3i( zsn9tT0*;=OqQapMLP<G=R8Y=%0R0H0pv0hYung&Rc8&?;m-p_SD1rh9xQ^rQF`2_v zC}(<rid?ABJu3K;ve&RGc{K<O(+i-=p9TSOW0A2CK<Fb3NP|G7=2$N&ckS2!x(K7> zv#IU4E{X_1IVn>2{1ZpzBxN#-Wa&W-fP!o}-IQ>Y9>E!wqeJ^89z|8vQe7>WS4d3a znnHm0Am(#ziVTAlce(=*a@|{T!WAH>I}-}70<`)-!a>lIZmX{6)9eHK2+E)&P$M<^ zM!ufK_bBg>tADEldr-A?Dl8CQQ^lB%#bWOI88fFJ=GNuYZMpE%fc+b>2R{juNM9TW z{#H&_4>c~iwZ{(=xn$B@vhod6B=9cg{P81ka)`E~n>t34hg$;dP<)nC*tOmlGv0TQ zi(R_5Ds|B6OXgQOK+wb0`oJyQ<0=0q*2<@;Y#xJi12aNd3+pP>#IV+?iXXyA85lo? zcvTguYHLwdSBq-;1*k!F4WXJ)RgJ<o>xJxKHz-un=}rNZ5LsjNraQ<`S#l}6gAZpB zDQ_xqk7M1ZZwRW?g>l^#i1N9@hXV7|*F2Bm7;y|i(_l$Um*_p!OSY9KK)Gbw=o1~~ zS1Dfb1&ZGpJSzLDM1nG_CQxQ7J3>uu4QlFYDcd?EYU}9NBEfV|{|A7fLBMBW2`B=& z@L6~DrpIz#!>TITzG4!Sm{N54M9f(MEt_IO1-+0<Y&vaP1*ukslo}=+50xR-D-{)i z+ZuXaOOFbvS2`mIeUd=R87e+(0Q4W+bX_FmR$j>MKc@q_Ym`Bya+K9_5WZDh{^p=2 zSm5P@Y&OId>~xP1a)Tn?m%^-s?SBad_Yu7?*D%o8F+*NhzGQqD%7?}HU*Nnk79wQ7 zGv-Kqk4iwFh(y;Ro+nqvJab*l)xLJ!yUreadoM2uZd!grs$pvLUoG4x_`Ltd>8JwV z3y2tk0~MGQz@zdXKY23d9(g2=Klvn_a?(jS?S$iT`f>Ac+OfwHj>M@)AC8lcn2UX< zO@(lEOO=Yw;K~GDsAX3|6lVjd>e#*AZe=^uinJ>gw@2{95QZRJ#YYNV!vsw$fwb=! zgaGmM=XRd6G&n5dlpyP7sQY@!Jl!sa%R*7QHlUd1AkgWjD|!>gj>54AAAnPjJRGMU zbp%d3<|v#t?`WK+vONBHoO<F3IGHj&;p9_rIAuF^=FG_O0%htVkm%Wvwnvt$S~fkC zz+7N{r+)`LD$`<JDEhK!k*i90&a#=!HgxM)cVqMnDnYh_G{V4A_O5~ydm<%#3|K#Z z$&!(O2Go<7DwVhL+wa*P<bq%F@iu@%7hPOICd=_1bdgiJBxl1|KHYK@x8-h1RQcB> zjH`7n__#p+$w8spZe+1?^>v^ml48@J8(Y2ksSfF#B1`7aPqez=<hFF?f2?&ifCzfJ zM)LNo1Vn_7s8+<B2YCPI#pFXL)wIsh7dLxkY|)}z{gl>6LL;97<ag|NZRqz^P%3~# zPCW&uH?BS>&6tj3sF)5t;&9BKH4FMhyjjzyVHTDB?5UG6o5sPM$&)a9(gcj-DprK_ z95@tq0kxJo>~>L;ln{ksLxAJF>UO6QWfkdyieHtxDu1Cu2jeAB<-R+FkTM*_)wqf3 z()t|A>3134jrpz;C_^Tb%`WNH#1oh?ejMgZo`^Y9D6=V)-;^nsHI+bls$6GM-ZN+J zgM$w_1oKWj5pxba5MIoOJ`Sfh0Wa|==9-;5Q(e9f)zUJ`!iCL5bwnPlbCie9YpX=$ z1|#wT9$npOog3cYJ@=s%`dx>iTKw%^Jv)!XOO&xSyJwE1421+TO)bA<Z+rpH?xy9L zjv$+3zvqA+iprHHM}p1M$jC<j|6vRu?}Nx4Vq$OS6!IO;TTc^ZH{MX8i=%mib>^{^ zix>BJ<S?c>9A&M0Q!XDQvMLkDk`>}%gv?M%z!~b?{dxPO5${VI(wk3Nzi?qSpC0F# zZt7jMC~R0Vb4A|TtEqB-POJeK0W4K?tP4(99i8X<m~+4Z7&l=8yE)hA%+#*bU(gjX zSXQebS@k+Xk)SGWAu^Q<ib-Ais=z%eeu;qNopZ4w3JYm@RqRH?C17n)oW9~IM7Ye? zu+AODphmj|Elxp1UUxTbW?$*`SSKr}88sTyxC=05{CGt5M#AGwxCiJ^9b|*rsp}F< z&>!@ma5*RYR98D|tc5nRkUG$N!1nAkf?pHf7xy#Q9Dl;=?)H7}p90a3Qw@}E#mlM8 zc{~B_I~6D1H9^kv_Ib@RdK-bEm%z$fF54akxu398Zf9-ucrUsz2w-^x;MnhrNfq}j zC!8R?YiEt~q!E$noH0HM$hY7m4$i`aA#fbo4(mMNUp*10Pz-XpN%UW%gP|prA$yE< zUuYy}?~_2C5%V9Ohp(HO^gC9bzd%3gBHgo@v`r7*yqeGZS{i;g6Hixc^!nktpkAeC z`!%%?<8flefWfi*DHOOVMxumb7%tLPs;>-{xn|K0=(0XN=LN^OZvPuaEP|F5r9&vx z19Z_OpqLuvIkaC&rn@>Vu{57vM<=AB&@mO=(qVo5$<sO$d<M03b-QX{l^oFG#8v0> zEnI}`$|{ALW^S`F&u;;w$AtpAzsPCy65(UM*vl!~kDRi2+5N}eu{<ToB&F{-2e}t1 zYS%r9;ms)+0NnU+!^0A*vDUihw3Q<UfJ$MQAlJC#m)6?l&e;x~JIr!r&a=NEV?&>K zK7%l~``jwgh4CUdlAuOF<=Jp1!>+x`h1*y5MEveEkF3roVn-8qmf{7JNn1M0IfE&h zFaj?Z33w1Wmhgq@nE%NQ7o9VmPf(}-?)Z20_usO?WbAd;x*rj#!}wslXGh|l5!9&G zRTaB_=d6Cmm3+j!21=zhti&U&XdzTB3YuI(Y4?d2(8%AgaTB&~+JqpV1DqukunYHg zZ0aUvF{-;6C7>)(0?UD_=}{bNI-vWD#996B`I@LumZMRHvZO%;Eyu5p;Z8(E9BP6f zKcVn}$d0-5rY{fkL9QOor8?&HDHalI3+aE&<#XqsbmGImIOQ+P>X}9<@J^RT=1Cf; z&q18xGG)&@H4JG04;Ld&AnB@@c|j{2F#uEw!vxRY{K=MlKL34)Y+#j9r*s@~fo^qk zurO^%T(tVn=m+<rDu<+wo`~{@VLP0Ce#g>3DihtJj;X4y<0N{90G=YLY}5dtQqbt` zFp{!YOF+28#0UA`o|x;lod2dndtugX|HrLcGin65@J9BTeoxTC3b^8nw5R?<njPD> zBb~{Bs&-J&VbpNEq68&X9mQD-jR3`EsJ*_Bc{>{#u=J5fu=Js&XxzCIPG9U(L?OpT zaP+MhSe~P_gT@IwT!CXg=M5-m*qK7vC=9gMS6+81tW^;O5#Ldu`<vpH$_>U>#ox$w zYkQ-5l`v(YHPfpJvu^U1S^7EPC7M(Ku-ldV000mGNkl<Zng*Xs0=_jl2h(2zAf!Z= zc+OrVqum!zzxT0Kl8nSspk2Hl@{@b(owHBFVN)?_k9$F2DIzyqd{}mbEt{U(zC$ZC zdK-b^lfa4xf_uUsxRZ~&QES!7pz!uTpNl3`8aUcqkmKrqV86Di1Umw36wm1IzS-=q zDKbO+j2XxI?$mOOkVhA->GW_8kn-wB!h@6m71U@L_cj}|Ut9OCvtE@<CVQH5TpNu5 zKdAaVC+J(*b$b~U4njmuXpxJ8<Tpy=%KW7j&tT2U7tz+%2Hg#?*1|Hq1R=u;8g~pk zR!GObMsjW!M0A;<blI0#12Z*|X$54m$?}>MdCb-oT`TKd{`lj#=e{Law{{K3V6H%v z6v(*VfudqpC2u{0kVh5~@C-%cj%k_)8U_lM=^?=qPvazjQl0JWu>STiSS6u%=g2+_ z60yB3qouIQNM%(HnpOanYY}MN=({`XR<FiO&#pkal{P<#sO(rlff?s&oeie3s@+@? zw1Hx_#lUUeEwifxJ~Td)ofOj-auQy0(#a41?UY5!x}EHZ>!@#^AgSjFY$5M^(2;%Q zgAi69;_&bhipX<kty~%Hvh_3=hlibiw_29JKX03}-*VQfLJY#ZzWf&snG_ti8iQ;b zqKRtAYUz<MIl!iz%|$PrbceZk!Gd^BFvmd-D97R40o?@%I7rIV0gOanHWH93Kwe|w z=1cEc_2{{`_xv+KxAmc^J8ae@c~<;e#|wSB9I+gCc6UKGmBNbU%kkh}@5Y1o-G>Js zdI<MF@-XiI$D_FKvE{h`pZ~&rk3WI?pL!ZEZr+T5%1f*301;KkdzsUycFcBQp7!!$ zJe$knr59en-~V<mUU=?VC?BQq7ZnB7kZ|fPL8Q#NS3<=OpT2^I6*NzMf+ciN{z6<s zT3S8p?!b3hyi_;QI=HB$GE|nT(XQxhYih=$&%cQKo_GrPtISk(l<och_y=YB2p(9r zj5{0;;h_ia#{+-;3!ZrRAvAIahMH~HGob|#83N*JsPLw3|Mfr2lKaXkF9zGZ+5m96 zOIl3n#v`L*<Z&bR-QvQp&tLq=MoI3z>PM$57RYmaT+cgz7FnmvJrE7J$WeoFn5qt( zbx)S+VlONONBrTEz|+$=ueL$>LpZlC$mX5n%4A6D<|JT)Ji=^$chf4$4Xtszp{aK4 zrk<!y$nC7-BIkJG#0VW6Ckr&EMs@)@2<2rK5kZ`1ug81FTy=7F+uQ#>f4<*+6Oy)m zR?}va%YB;K<37i0H(bu%Qc7f4gTnsKF-6_sSj<6{PngT0rM@29Hmt{{wQI3~uzvk| zY}mK~8#ZmkMxM!U+_D9Y%`MRFdX}P^!Y&|9O;h@XM2#shg?WYgxC6kj3j=IqJxi(h zpIZJHQcX?Z)&mg>^eh#BXbdcutCq^#6#?`k#qUuhW#AZgz7O>+!+{?|K;J2T(J*jA zdZeoybq89na-i}uY=rs|Q^i|*oCI_sN{?7tVi&ZfGuX0y8#Zp<MA>a5P=0Ld`t|Fu ze%(53q+B<zS&c1g*PwCRHso~Ij>nq%Ov+z))GEcITAZD-ZqwGpq`BL*I!$heQR$XE zU{*<?`u6k=0p|iSayyR;-aQfH?mlVpBP~7RmldA&i#zJA*r)mIdYqHWiVRsW<lG-p zPF;2JA*s~4yz}s{5^YlojQGPSfn?HV{qT2T5dJyHWa=F|z);lgXy%5wG#o9=p`hOv znw%GRaFMbKi@%-g2|t$b>)0990O%4elg%TeA4(#@2w~**a+E-fM!=Dt@jt%btlIN? z{Cx1DMd9|uhBZ6_`Uo4UyJhscaITOhC7)3$0^VK02;dmd{_m)q5dpVbg8){6<IXAs zOp8|kfGWTaKuU1DvELQwGTfD8p-gi#9$)$(8mIsR8Xk^iqM}sLRty3v|A2}+uRtXp zP`QT@#1K-shYZ^ygpAu5(+PP(j-dEz5P&!lkPb*w*<tm&^UlgO-LU}-Dp~=^S0Mm$ zra1(r@eX?3&>@vbR+OFk3MxYa2%@s3@0hOgj);($6c_+mKy<MZx;V2YrM7Jur)f!i zPQ6`Fjl3~#h01SNVtL4=#K@O}(EoTU>pyc~;ittUTaMFxn9tFQm?!CX-><qaUeO$V zSHh}{DoV9mVh)1Vn8VX049>Zw;D|p25?~+en(Fh{zqd7$YWr?JoqCKNJvxu+8gt;O z&W3w>^{>otaiLkwfFpG2m?0Us(GYV~mk3OxjL_1Sh8@1a!dgdMr6s^;9TUM}G2>mn zu`2Vf9*uw{OM-@->E|r)QL3M<-SHxkb|Gat)nG#HqM+dts3J04Z5d}F1hfMS5g!EY zW4qPC>|JSP5#mSbC7(Pv8zP@!Pi8$}BNbZ}zcpNU6Lh7ot9MoMA(ePQC7+MQk)v|Y zsUJ@u8;?hjqpxXsrUwK|0P!R6xJkyH06&pHO-&8rK6efxX1cj4Bg!X12%WJ?#*?Ni zs`|TumTLzK4n(NTlwKrPwpqiabY@b{4*G1`!L?I0%pV(Oa{ELn*IctJhY2k$qjC;* z1t7bfjdDV563C~k;r-vMPPu>M8SEn%z!m1~^VYd%*`yv9CIcYd=OWtQ@_8DcWTMZ7 z28XEfTstlmZy!s15QC#QQo4Hy9Qf|9ojrcR`}RSy%NL*Av}d=y<nqC{*%6-M2;ivd zo>qTz949!dAN~pUSpP1v?6!nH)Bq^PclY$`e_nvu%+dduK(A|;=L#dGKbdr{YlM;1 zmxTn_*JIQShlwvA-CUD?N009WtXPz*$+tXUL;D#vu9eV(BjsXlq>M_@lCOC>*_Psw zueSndmfDx)5asAi%a%Y9OJViP<3iQOG)DtK6~E>77pVM&3cGgnXiT0m6;q~8$K+`< zFljnr+Vq02;RyC&T!DEr2uz!-K)lHcEI)b56ilOk(Cj%lV8%Wq@1dOM&f$nXwn1g0 z%3ghFq5^r{<s6e;m$X<M3gx&&W@8;6B_fF8;H7jUKp`EwE{aDZln%xqXFI&_qZtbG zmn;cW8QDOj&hG&<J0~Brp1JLq#SiR|WbfzwO0O$ewW+NIkc~7>cus>ocI9>VNgvqo zaFC<?o}9B}N&A9x!~hsV!N*3Aetp7>x~lGxofBA%5IVReOOipRwPlI5?x!3)YeAbC z6}lX^;&l6;BeX&k`%lI><l$s%;N^RKqc@Sr);P}`LK*b<9RkurYbwK?Ts36-&(BDS zy-ETxa&s6&E<35Z?HmW}Ha<|i^xp|1pZ_&2<R3Zb`eD(Ms?sQ<To%-vA_z5!0=iXx zMMQc<nhZsbS_&lqscV=DUzL9tDSr=jqsL(G+{19vyc2Q!G4lw=;)J7%!1xK>!O`=I zc*o#`qmIT2M;?U}jyMu09CkS79eOAZnmH47)iqu6tU9Ftj``%73j$UAMhB5HUi8%< z(5QkYQO3mYLJo@10g7!^uS0rSgn6vFETKbi3~X?4hm>MOi<!}hHj49+ViMqx@r}DW zpN;+cv_C)Cs5tF;0|*>2YxG=Bw<khm>;Q^aq=@CN$*`XP133fx4^e3rTQFh(6a`Un zFX@c$#|}%>)V;MTll#D!)83^Wjk51p)7HDc+UDoeKj+~5J)G6A1a?FiP|T53fH0RH zQ0WR5YT+Q;)Ur9<(i2VJ1-0VrA=phiyO#=iR@<7+KnKt6xg#n4kpPt`EN6Z7OVFS4 zgT>|Jjyu7T#&{oH|E}{+?}=XhBR^|)LGGInxsNR8JK~a3lu+_@hGSTju>uNV$1o3n z0s8F#%|moW3X`Eo36}dEv>5TVOaw$KcckltQ!F8%5g^>Q-*><Lsql}({<HVR*s)_# zT~iDFN@2gCss>dNRMRg)qKc;hF+^=554-VPOrxxz&lXfRk@BY@zyu12jnYgww!{&; z;54Z#S_O=<wzI8>N(w@Tl@HMG01#5gu8YMBbfP5vLgfBS?^%(EVx4Yt8j<k?e*ws_ z)7K~DR>_7xoxfxWj{rK7?Nqea=!**%Oya!sR)IMKK#Z_QT#noSp?13Ashvu}wK@s@ zSzetfkBo#XCxJO@ZjBqyOsyI}X{<5we&4Hp=lB!PAJtV2tN-}LZMj_bht9ft;9QT& zva9l)(;NqTs6Q{{nPlg@;f!-WsOM1Kh!u-EP1qf|5EHKvBL@L2f!?olCWmY;4^>{h zV~=2TCjs4l+|kquh5F_;G_|Fo9Tt7rGT;u9Dh`G2%2y&?AXS`%j`L#f<LfRw`|zG< zHZ0wLgBA065x188O7#>VR1wgN0XhvSIEI~eCj~=AL|@}p3{**jK7>d`aP*bnZa|Gi zrzCd)i$S53!m=pQGY0ymzh702!{#1|gAY6eW5<nypGdG?;Z6gF6?CsG2m%P_1dqB@ zRKqJM?<HTu1a0ST?Pt2CX&!`)rYs|0!wPJ#BZO?f?s~N6LD*gvCXUKhfiW;S0@9=L zCo|-w?fWD@7p0>7nlpbsM|iN5HLfD*7pc9zdcwVr)-%qc81VJjym>Khnk-;5-b~ge z4w%p&3+lMa1v-bRbO%YSZ^c6=Zey;g`K5Anj=l2eNVrlGs2La52xLm4Zj6alRZlY_ zA2qS~*;CHEuy*%4#BFN!UxI|+Wk-L2u=_WAcQ4d!ilgGUdw%t={Otfle`?e1piKfM z2RGV5qR;=L_bXETt*I<5C$&DHkDzoT0rp9xvw5`9plZovX#iwV-<paHf^Cg0k>AWC z7d5tYrJ|EoH>3uaEK(yzPV+tUu}$whw}(kNX&dHDe~fzU|D2%3m1-44%0}akvw8`@ za0ygNse)1;R9FyBeF~*8sIW*++t>j#jlgW)SrPB;P8cr(rLA=cmHnY}568?|v$*1~ z0f^IqCKc~+#X~Cp)|O@neKi8Oz@V@wDe?fl)Mr$K3Q?4|-T7lNwnN(jm01~Ro7L#C zLgPx)>BAIc<5)&P%SFCcQUD@jd?v^pR)}`IOEPI2y>J7m{I9X{^;1rKXf?yGBUb-o zQxBVVoWOf41bY0yPJlgfQN+;)fK<-I#6Z?K{Og{j&$pG=x5orf&crJ*?9%z^5UKWJ zo>WhmEaG|liIGp|)Bb`kjesS|K<e<%FmJ!ZCBnm$Nsp^$=6CJbvuqf^2JP>8bd5I* zsbpn)AU%I_^ZzZJ>x*#{;4q;-Eaf<%rPCuuK!0S`8P{;K_PNihJ1Lf1ks%GLfJZF3 zAVek?M210ATN>M&+Gq^4K#hT1K7itPrZvbo)r5>DjW^hsyX>KbCs#AvwY%k-Y_>Xf zJJt1{0qJ<gMJgazf+}OMeK9Wg#!sJ#eGWPVa}GHS`yYHL_CN4o?0>+4*l)iBu;0G> zW8c|xFn-*40HjJ4!+zVYCn*+oP4HqKetOF%000mGNkl<ZH4sP}hywKJYh0+ySeMor zdLHH+a1f@?n1xs@(N3qF=5U3T_e?g6ZJRg3<D4LTzM%DlP7JUW(2Gsy)I&wjKqnN` z^5|mbjD4`*oc*CPi)6=kMzTEUQ0#ZeT+BK2FwCSsna3T~qsJin)dS_DieEwNKqNcX zf#@11B1b(lcacP~PPcRJSe~Xlf9qg>E6IqpP8j`*zIgtEeQ21xO^i8JAYC3k^pE1e zu>+2=kYi2dJa8)gDCv-Pp?NTgj&d9^0Qw=r{-ByfVg@@m<twNeKM}Ebm4PvHjhIj6 z)3G;Bn*YJFf0I?9yyn(qCO@j?erv-YaF8x%=g=LzLS`TDjsx80vv9WGMf+GopV2}G zZ1?i{UjFsw<hW<u6cJSQiE<IiQ8;Z}wdQFEXt<a>;`KuU!c|%#9_zM*D*A#!5Fo{! z0yPG9Hn*aYy9DW64%Sv~`_jP~h)fb=-aa!i;Xl}Sq&vo1Pno*I`2Kfbuo7I`BDxe^ zl{9^JCenf`p;?C=f&Gs<7OMPbA8;_{?0+Ek<+=R6bN0i2RQ&tRnvH$;nThc{pN|wc zY3ax*fwqvmFtw8_)}i%8P&5E)$BxG=()Q!=Xr?XE*%N-2&uH70O=#Y}4f<0(J}^%I zYz^lKP7nac5Tyl5EovO2P@|zMUTbS=FmviO?8{w^{btXm?DoZeZ0EjeK<$43<$4fi z(Xg6z@LcSB<T03Y<gpk#Wg4Jzp{!UdA|pVwD!nOSG@tun_uleAt)_McVz|@){9r@z zANq98?pJ*ECG)EizV{}9oJAPdufi2Z*7+)%&%>&)D@?l^a*hwX$-3at&iSTu!brR_ z65y(KUs4hRym%F=#!rIrJdb1HC}Z#`xYUC2C!RlA^UGoDZ69xwZ2Ink5n%ttC#U1F z9HqywqvBTsphu+P$;^nuj-72T`kx2gRoND#5)d<$`5vKPPL)$DcLBoT8%X`)Z*ND| z&RG?UK{U_{vyR$9<*hpdEj)gyZ%&~>4FMVkwsMAm_JKLZmk+GHXu;7vvE=VR?Fljd z%?@DyVgu-)08Vub2nX3DDyT`b_CxL1@kmtHB2iV1M4|*$NF)gH1QG<#^Hm>0yHZD> ziXu&Qj&#+B3QPg4Pz=DZDmP0S(`L>_qPnIFIvBPzwY;;rJXijku;In$VKbTN9RQRm zemL-oZuIH+d^Hv_qhtFEd<)wdkHt|%StU51B~*416y>S1t*T+$Yf(LVEGBRVWYX;Y zP&H~aiL0Cl3~3!sg9S(cZjPVH>0HU&p>tlo?p2(8|ARHm;S)9V_n4!oksF$wwC>uJ z1LTDX{?2vibnQ_=bmHX|6&2%6V}m033MZqQiId?cY5);mAV)jreT-*?Zys~n2gae( zweHXV+Ys8!pI|L_0_@`)G+`%{Zldhk-0HJ?!S+8HY-L-w;mQ3wZqqWO+=Y3s3gV_P zO$fcY-SV?kK$&c1SEIXC@(NC<iun-!^|guYiwLRkvz)-x_);T4cLp?Wb!O`;p>FV~ zOZBIqNBhSA$m&bxkL?OAiED7s^jGKN<3|6MV{0jKI`%OEd@85W6DCt3MPm+*NCO5f zNSY)8C&hq9G)&N)1IsZkT=h?!qPDC+i|h%|XVb<r|Mf4ufOXG3gH&S!B;@qLg#j!% z(r3iy2lW|^d~Hh++LIZNvIpR^2z<(-Zrpg(j2?qs-K$J?h%UqXq`-y8(Wfooc0-8L z2YFk6!5a<`4{sNdc_PsMHAsqsD;{wBKj1S_qk3?Z`dHezHfn~Y2QDuB1EBI!raUqd zuABrYSbeFjy+iv|HK?W$z^zNIL}%S&jmSrRFZa&LuYKPXCbr`;jE%qh($1_G`y&VF z54e*4CkJMr={<qt0JmWtP6vBWh{KS_4%gsdw*yJtMeVjmFBirIGO1gHUNTha=y%HV z98|+LpnBoy<&^Dt1~Fe3-stxgvcF}x(ro6AKtoFkt?3MOV(T}dP6Y(0;rMw&+}6G; znFNC!5lWwqJ?ivVZ}sB-tq!u07#;eVP$3)7gX4_Pv4cSYiL(y0D>BkV3BZeC#}%^2 z)v^A(ueZ9i&sr+sP=V*bVHpGrtAfb$XiFi-t>P@V@=K86nSLgnhC-UYLMlbsx3*yW zwyjvR@_D@Y)Z^GhzpZ`;^yNQL*?@IHcK{;ak?9hE_BWy{O5v?H{`;CQo)1Hah<9@n zC*$~lPsaOi@Vh}7RPwfk3+s%DzttG?8WI{!*rQJ8s0^QJ$gwj_j5v;gCQgqJbX6Z^ z-&OKR+Mp$1xUKEbE?*Hr4Ob-bx-k%Az)8+$9Y@grZyVT4C!cche(3aH(zY!6%=WDK zf3P<AE^+mv7(Koi=&1O^{GNaLkG$%nQg1@g0MJ+u;KyT>!EU=CU6$x3G0)ze%48Ah z<kk(&NOIQ_5D`?xV-Vp}=o+QhRF%8F6VTL_L1Swg>1aoWnxxl~-5`hv1QTJ*d;fFQ zf}^^^(tjdTH+7bqI(zm*#xr*T(u}eygIpHrwpIk(sjxtF9zRgu73n%M1+qqRyBy=3 zU||he_Bo`*>$R>Ojg5G5?HW9{@&!D{E&69)coxq-zXH#4#s2KGPh-WiPvO}W3QywM zXP(50r%UhzR#3S=^Yr6TSn<@qu;R&o;#tD;gjG*JflV(yhlY*ok!x=1sQfuL^d-RP zXMoCmsZkm(f}^i6P&t*C3rRndYD0#G2^c16I;BoeT`4H8mf3U1u6%MjWm`&Bj6p*Z zFxjfqna;Sk@G;FGK_To>rv`u;bxw`3;o(Ge#u^(lPjywD=_+v~ZIBY6B4>x22H{^B zDW5BZy2;bwC#nG=0Pwh3cnBcx4P)L%CT^}d8VeTiTnz1(8UZ1X1Jnp`&h_{cK}Q3? z?j;5Q1oa%vy&3>9CqD58ZJDdm$?!P9a-wS&-bkQN5~zw(arFtadn8WcP(!ShhFD`; z8m&Bc4s_+&eUV;rcvL2Gs5SnF)_49@z%|#f%K+mVGVa*7AJ<%4SN$vYx0gsT02xsw zXSvGSzIHX5c5EYG0d&DNU?Aa=(~6yr-6Ck%GHk`b5h5i>q@L<(qEg(nb#w7Q>aD}Z z^=q+l-5SDbY+Adj9X6ByE$dce>-qw0V|d$!HQ2FXEq1WXPWttP28J6qtV7$jEy%0l zr|}~^3M{PrLqv+745?g%yg{MVpmLw-ec_*^dX%RcgsnV!s3%Y9=0=pBiLfrMUx7iU zM|W;NxoKiECr7ag-rjTJ*>lB{cNj5;k!*~x$DNK5-Qi(39Tr~rNZTm)NA&B7T~#<@ z0CXjlL8i^AJuC*1i5zH@eHk%M6p7JeQ9XV#jQ(SfC`*J$vp6W;0popQVrt5nW9MJe z;p|h71H8~JwxRn!XYF4|cejrP(KvvOw*PxQDTrzv;+vy^+YrR;j^66Yxt!0o*Y<`7 zphpzTSt*syBA*XA->}>Fh&_^7E`bDBu10%ddEx-W`W*CFpozNy3Rx;*H}Ki6irV39 zuXf@ax?^WldLK9IgkzuaJ+qh^r6E#s><dCeu!Tx?<BBJ-@wun5Wz9?2x^W%0Y+8>k zn>S#~mQC2q{LNIFTefe7D&>IX^aZ+dU=oKLYo~l%5f}r<cRQ5Q9S3rG*>1z!u?o4Z zUjXi0<uVAf1#t9*+x$j>MwDUPr$YA`_vpu1&ZkWMd=5T+Pa(*|<B@@((%+@{smdt> zm4k3F(mVm#17%bMdUP&o69bw{1Z{6ueCsc6w$<;1%1h<8W$Px&aAQH1l&Q*g8;y~z z>sDbScQe*=mqLvbOMXS4e+eRKI@ab`sRF?9Kc4U!%)2y(3SAp6dhG-%{&yOf(@3(8 zu*aRYHlw>^DvROa#&Ln!0Bi5zqt)tnt98Tx*i9sZPLO!j=n3r5wcz0DOwDkzjqw;j zUkDUw7r*eDB#?8&c^`{~xN!1m@7b^XNMOzHla0C7s(VB0{?9u5TWYzEKd<BJ-*F;f zdgm&KJ<gsMI&t+b$Tjs=xfSC%K}~OXeaX*r5=?QT3@s<Wz7!b2i6r28CVCG*P?<~T zw>*_xD-AL=0@AuOqlx_|&tV}G*`GeJ<-#*3N5zFBi-E&dEOakyZgE>$vu@h{`({Rs z9s37?JWmCe6DmAad?6KPlPde?pTWjwpTq_l1M6rEta)JtR=@Zx*1YsQ)~tFFYq;v( zLFE>(-)PS%hmdu#e%=etK>*nWj^Xk&RiNeNy9ztjqX0`|U4c6#LQo~{vk%8Ojum_= zbd5*pWnqnb#8-uH=nKa_+JQB){a_uSFO)mE#jcAn^4#7AW;g<v?05?aq_EpDMhlNq zHqd}tvwCGDv(+n~rwpHi%5oj$yMf0Rk+Jp66WILRQ)u9>MV>nyLO%2p#0ts_94k|x z*X~4Wn0NH3YFCk813Y%=ycneVY%y{!n^WjF?Un7hK*(p6)gvkGB*Vi-o{xV`)@$wX z`QP%Y+ci*m;z)Qf5^(UV#!Ui*TltQ|3cFn#m+-3UVB%GP4n`C&RfK|5oiQH@ja)Wy zOWkP`Pkqm*VlKAc{qeTy^tgv;GJo4S`xED!ZhPu@<#-QagIo!9kNRwMMj#DMTN+Zm zF%q|wk?X_vxO*eSe4SU)w6HT&I3q>?1=2?+B8ZLw==ZTmpV0Ifq%t|^uLRm?41{6S zRr^%749R0(IysQUTW;skS}9#$1l0Ec#_<@Swk_-SJNl>>J>UB)C$xGh6R5&5R6dRh zHLqvU4Lgyp-+>GvMQCf>iPpw?v^F&m8j($>VL4lN2JKS{QN5Ip6Pg&{x{3*!?wDo? zV48xab*9ld&T$Jw3Y+qvQiznlDtLlNh?IIUU5KYp*v=<D+k~!wyu-3~^%bz|Vro(E zl5gd;6Ih|tm=@vj)|p?8=V_FrTAC><%1h<eP>(jsRArgoxg82A^(osN@tm&w$)`R8 zp%3MWKn}<lE1{z(5ith%B4&ER1oN3WXg4D>?HFU^9i*@SZO|Ju!3q#ybCJ#E`55^O zD?qQ0B$@^C;OT#Us-Zi4(_O|$`T!-6{G9lLnGkf@@pSN84kqKr5vv{zFGf3ogAcnd zo$wA4;6jM`1U&byN%P-(Kxuny<>Je->u|{9Vb1=LX8QLyfc`<qI!+XpM*zFX?9ouG zKpL^~M129JXGUVo7D9!b<s_&t1m<aJtE?+T_7zX2D(17xR=%04JTly-RwJM#oq_HQ z^rse1oI=KGMdW?+sv2fQaV2ogHLkP^u(c)a#_hLHuDWLQokV^?oXx4yQRSn+Sr?!Z zlA?0;ipn)gXBZqij#jw?sne-f0;h4Uk4$LLsV@Q$TsxrsitrtyJ%Cdr@}oQ{c&uN+ zFpaze<OPb;?srFw^+b%S-xW~Zw(}@Z&K&Ed000mGNkl<ZL&cc_@1W9m1ZxZwv^`*! z%0R1*$d*;>$eYTkBs1a8h3-T|I~0_ws2qzR#8rseqhS)%xX@R+g*_Y+r)%fhxpCs; z^^@i=9MpFGwoA^MYK3zr<aoBHx}E+W4mi$BX)a83JPZdbe3X{5-X;j|?y0^J1E44A z3^dPRKNjUP;JuS`91vCq3Om0SuZB+}K#c)N2Xqm^cnDq(k;`G-<r8bdGpC;ZZtg5V zu;^{!hCe1>%GltiVHkYF*>JH7g9gVz*{Qlc6>YY#jX=`&#sGDL&UKVVkC^?+%u)HP z5fG@H`&IJa7dh_xFsdAeKm<DP=YkOW0io7Z2Ks#ZS&b2cqv8^O3of1Km&%rQ0k$P3 z+t#{C_V6PPeZd&>H{(#RI{>P540jz=5fv1dg-}^}>=!=y(UmqB2jkFj$zEtlyaQ+& zfuj!KptJ-hfQx*AW;rl{PSY$?I+O>{IUX4RDikVs<<n3(7={Z9(m@AA0a%z(-g|JY zxRe_Oc_VM2z`*Cp-9(fC9;bUl@VGW1Xu2wY^%dW-9b|<qK$ko_$_O-8#0Jqj2Oedo zG8D=Z3@Zq6gz}8iHOzKKY4nwF)J6u#Wr^#OU*!ZxB0s9f4?vZWyYgRLupp6h@)l#v z8<{_zu-CY}?nDuyXFm*F(U8jk?%A;3J=Ifn><v9-kL2}N0t=s+D@NpC(Gk@}VXK`$ zN15h{z)RFbI|0VuZ6^Q%!~}A%i*^I>$xzJu$DRJ(Q%WxhZv9<yTduX`Px&DG6&qx3 z<rsU0xV^8sF|-#uUo*!z4S?S3@jSyhRVsdVp)aCkcpMN?0rbwr2nL@+;XMEuI$7kY z7+QD~&_W|X&qDiIQ_L9eqRp*SrgM|6oy$clR=EAft+LzJH(8u;V%Co(?quIv1?vJs z1!SnOR2doe1652Q55h5MsIWYOFdxKo96UNKLo!tks=S?!M2=Myf#VPs0(RU8P)ujN zh-f&VoJQv`vsnx8tWy=DVL@S(6L#d73ADEmyfo4cM0FcLeO2xesDfvjr~dBXm~IK7 zf?<ACCgP%7{#8Dptb{VtmA^+hsth#_rb!gH&~$}@>?tM6R@=xX^5oJ%8>lVOI3q>J zbb*0jvh(Ck<?lYBA6L}`?__~_7pctzNRPL@!Kv(0oQte>j^Sd+$xc>v?}?8*vfB&e zOmBClJv0)ihy<RQw7r^^_Oa~D(iOpwlTT#b7c)f+ysBCn0i)2B5kNHIHJbjZgv&g^ zr@2<UWWwq1J$~HlE*-P=?ysgc#b0<Nn`-_BNAEW|!0zF^Qcqlt1K#(DlNJbC`cgHg z9i1OjJ>m`^QwN)#KWDkcpy2_K`1dLzf<$x-&}Fx+m@M=~yVguD`o}_gCd$6rXWAli zI6QOa`Hw7!MTM@pChFsdEnL`c1WbO_Q7a6vj7q0bIN{Pqq>Lg36><k41gOXi<Ep3> zgmGQn5*=MZR0%sYMBoUj_`{-aIes-AP`L>#NM3=3x}v3Nst}+JR{#--UvQ*Bx+sBR zOB6J&evjY*s?4d>5dk+!yfWYpk7L~WF<AOR5v<~BIi)S8TmB=Ssmx1qGexBj%Fz_T zqZ|zlEkitsz!j7}+o{h1Y^!KPo!&~YD<Uv;#Cgr=?W6nsGT_E{oH<i`c@IT(Bml0a zc;8E0z#Wo8U*FZ%A!aQg{dMAUf1|v6tdu>Bs3Wd25?FY<=hcpyC-4pdy0$<qx2L1Q zM1+zPF$E)_W;DE56@>9pUdd<2HV{mr|3<O+xH0Ziem;Nk<X6Avq*3+NW9z51Zt|*g zzYy3j@rmEYa?fzwReWVly1hDa$Q#qQRlSG{xMR>KW1-iIJ0avb@YD#%)9C6f^G>M$ z_EDh(s$$fu8en)RT}b87mdT<i+6l;`AI~Q4j9d_#V8=TSgowv$u5tJra9Gg@h>f0` zGrrs<aBHbdY)KInw%9ESaSN!jA|IYAEGjVNf#U{Ug4U$~3WvTUs1aZ}P94LDfZQ;f zW3Fo&%r2+RC_sGhiqaz*Oo)5~7>{7!sGt>8Q7eR0<o$&Jxj;t0fMo(I{(#RnU^q`u z8jgNsEEv`&1VgDQKV*omV>{R|p{zX0%use32IVG9lPJxW$<`rK_*y0c5+yY$czQ2_ zEBYvk!ucXHEAHHRJU%2t=+pJYg=f|xk$5``yapnp`c!C`khEXv>VH^wA|0Ao?<2C^ zt?I3rlv!^mBl&%jfO9f;QrjdW@?XT)6+69-jt>Qv$_Q>($1h<B2cVy*g<mrUCSDC; zyp-3;_aHLeK{!avXPlGI#`CfFP1ru_jBIOsVyrd39QpiLxRm)Chx4DQTsLy;*-kWu zKHA5Fh-@Hv^4aZMssIMXt6JV^ZojG085E&^gTnEc2e12nS5XP*u8bOI&21Uzae$7E zzEnU3aeNH^@y{$=7~?o_S|)i7T=H|DYc~SoqpS31Pfv<NtBy5s7Q&^su1pn#3JVd0 z+#OJ`kwIXYMl_TIC=Wkgg+xs)gvvMqDoj=U3giJ1AX0CI6*Rdjr_njg0vwWx&z{e6 zj&&%l=q#QqbND_~IXfzCU9pF;I6_t4arNT}7!P6z1o6H>Si)nOkl+X)Jt2MZC`QkR zVZ5rE3vlv6X>^c*@~=CW!d1Vn@I@0SD<P<1Rg$U3BUw8KDT2x$+FA$ocq=(gD1=oK zg-~>_gUD+zZ+TS|>*baN%y{d)3W5s=Q;05vy~gRhqeqdB@)!=L*mz6WXq{br-16nU z&cbFmnEE%UL*{+zhS9NFv(O066Jb~ErqPzG(r!Bg3;Ky_#ApO~GzP?Q3$GhG0(i`t z!jX0si+##ieBSrnhjTUIdE$FhLeJdeZ1_c3{E$QKL4qn-dMq{6PS}2*lITM{zKdlY zOs`)I>;tJTQB>AxZaHW44O~uGT_TMnMiMZ_Am$s02!`XboD_9+)ZCUvu8W<qE_o1C zTO)6;t<Bd&`P@Q^{A;dpR0h#615RFea+Bv|2^==l2ypZ{Ox!MDKag@IM#ZKdtkIvk zITGstVo+T-8k6?f7vrYRz}P7>P&<ASC?s^aMD?30boF}&5Ffl*F^G;6D0@j%p?cC( zjG8egg1UWX)1QsH8MEon!RYDg&&FuRN6(mr(bEa)?*=8DUH%y2jxE8onHW1&q0pYO zQ>J6W)O|2^;uL^84;|VMwuR3rmrg-~JcO%%P<~LOis`~|N!hCpO;dpvePMY%1K!J> z)=-FRej(I;&x*y`>Fv>;1Mj`y4f}Dv`!9Cc0|D`|mt86DbOoUuHm)eyHYe`MSeXAu zUn(_yK^np7NdiuezWkOkA*#<7F&_m?b+_0Y6jle24v=n<1Rhr$vDz{4t4G23ae%!W z-CiOBj3v&=06q-k{ug4d_H1~ugEtFs_XFkz=KY4%KTd_%%rN^2??dD`<8uCu43u7L z$Ro&dg4jgFu6bg{V4YgwIuQG_(j07^FURsirW5*q0q75xD;NQJ=m&#xx;xf~ij60) zbwPTzTewh-V6gAI2*8cwYv68QxX?o4OR12!1?qxGEwl4S%85SHAyi=Pii}&?VX76m zwl+j|fkV5`Abcw3iB!rn4m<+W4>|(lX$-JFL;$^1atgc3b*57uCkre@d{Y2x3<3gb zM`6r<hhXyI^DyPGV=;BE!ZDbBDB+N!F`Y2ukfYE64rY8eI1)1s?h1~;jDrp@z=4Nh z#sLb4Vg~D+Hs>Hzv3>_>Z+nU7fbz+=HpA&}`y;u9h!j7SzhPsf2nG4FX;EDLBG4;1 zM^Aws9b3<P2bbaev^;O!4V#wVk?N4sMP%ps3r0K7zl4VCsesgAFT3>YKh4Dl+caF9 zQMhgsoZL0<p5;2v_ge3W0nn?6dO%1f&EX%pakBNyo5abLB4&;Vq`MMPN8q3VA5(WY zrF2#Nv6|6{>25%*8e$4_T`9jSUqs>pnJt3zAm%C-`8q^C?!+F(^rrxKA0W@M`eyP% z4?}XXt{5keSYL>HUYOyOvw_UmzTgiOM^~6>TH|@{zzmeeE4`eE6kY_RKb&nX7y-FH z8v*QJlj0`!+O1VhRUP;gaqRC-m^jx?SW83nUrcF;6cYzsq^Q_24WXdG9Ki7?G|KZW zO-MKFK%lz;#I+p&a8%HSTks~HfZ^6TtLW&oQi68kj%6J>$5|^tT&SE0O51X<TF<B5 z5{IF|Q38))FOfhy#2Fp}5YHo@AneYse$PMGL^0-bfUagKGZO(@LSHD)NXAtBpxlJX z=x}L*LLo6~dLh_;XRf{rv<BAQ*!bYhPqt@t6HwzX<;&|mG4CSEp#GT{%U9fSenpDP ze>hkFlzp1we>%w8C6qBm+IzE1?<gY}T}VLYByXuYs%g%lek^{G@ys<4bBG9}3*7c3 z{r$gojP`_H0;=@=syf7K$HL>0fbpnPSxGO&G+X&d078RA&KBU~j>n`BIg^uMj^Re; z^{InkU{}mo7w=2ay1JGO7ZsZXt}BbbFC_YmqsIVg8UX=UG<`1gZ-yB6J$QyaW|-S; zsXS7gF!h~)UX3(I9dG39T)t`yJMr$!(hykk_iI7}`yiXKfs-P;JVQiQMFn;^_RnY) z3o0;$Fx7_C_ASUXH!|v=I;|_v@vCG=4RGzDD5^JYM_1*_(+Z`?wvJ_E00oZ*K79-6 zw(fEo!xav=>Tlk(1|fF<M8^%~WeA){Ae3XI>?w!HrvOSmgLK+b1qSJ)2=qER5&(8O z$nWCm*dLhb2tB%Wb*%@Bm=9BgdRjms_J}_0nL5X$vRQVKUYk-W-W>b+W@qJ|yZ^Rq zb6<(>b%N_F<9i5C4*2l55=UQt%j|I}DpTM4l<~Z)*b%8{q5Zo@wj2izA5xDvyJfP6 z>ybd5MnGf;wC@J=T3tISV)}$}gt_GMR1Q)-8ep^?rP6_ff$O+B>!yZZFIo{;=WVB4 zI{t5iZtw?_tdny(n?r_R^;ryt*ekTGXAELA0z`(gd!WlppO60kfR<F6EAg;PoG4L5 z4CGkP%kR6q?887&Ug<_7Kz#F0z`Y~_E?pgjoh$;!u(LcZqq^08puppY?9OdyS-%Q7 z8UxCUBdyM0nWlN7Wf(3vV$qR2oz}ownNdt)+U{|XDS$F&OArCe2?4v~_C#kW^TK={ zEn7DtwP`(UHVts61Z=mc{7Sxti!J25LhegWIV*(ON^NN&()B$>!|K5>8*=OahF%u} zt1o%;Sl@adWFI&V5H57ES6!CYSt^}Hs0P#UamGF_&%ovXlH`->Yqh4Yi2v4j3vc(R z_(vc6(cAW~N{oITXUNN)_}>s?&PVjK6K=9|0?`$IPjYg)eHIOtp0K*k6K)Us+zp7= zjfY=78YUKpaNDqJ>>g5O*VO~opt2lXbx7z7k=+Rq4*&oV07*naR3tlVOu{Bk7y5q< zIu;p%SionXE6r>!51q(|po*6@N%oH7F~FW_hCY*)R2FIo=(`);bK%DD=<T#IZIi3J z!`U|e%pKHEPjX*dKZ=5A=&_>}e8&~6L$sP@p8yq_&7_dpxE9T8UO=v;86l60IG2Mo zI)IipYCy0|lu=~BF~bp=E=umsFQ8K`iUMQwIFCSqT=iJCJDQbDR|S^Oq|v%%0~%j^ z1_4+9P-VvUM)IPsMnJ?U+pJETfG)1?(o3ig$P-p@2K`~<!?&&}rFZ8)cImuWEDX;T zF$*Dk-?_i?9j*Sk)2Pox<HG<HAvUuA-E+d-kM=6Va(+e(fO2WHhn>t_n2gW+<PXOj zbH$CbkJ>jquQoCIt=6~K#Ke5xc;>&2$bOtrBn<KhI9PH#L(I3fAX??O)9Dz9^7K)4 zOzwM(6NW1OSnU|Z>n1=A0^=tjW^a3pQZ0f$zm((Pw{h*W0y=y4T^a+%)b|0@2*~&K z&GP}*^ztm2i1}du-eb&%oH_NSKz&A*%BD+3M1%_9HDkrrcA2k<i{56fnB`8ekqV0= z&w>4{0IWl-g;2u_l{s{E8-@tln$bc7pyBx^c_gq2IV!(=HiLkDC7_WX83kbgk7d;e zV4vkQ;8+`hj^q&1?+I)H8)O90#il@X43oPa%Bu0I%B6d-2*_8rb(6UcWoh69Wsv8J zU*GmmH||8!+85FA+~WwEXghI^Qv*OKA8m8N2yhUUA%OyjT-27bo0NsS3_4iu8f;+R zFY9H^-|6@2rsk#`CLXSUfqv?@*D87?SYZS;T6G62q^v7Ux?6I51X&tkPq5C#6o~5< zv5O4tbzLO?n<XWahAVvC+8=w&CvKX4>?dwJB)0Fqrv^d%omS#k88J6{p8s8AybHwh zW>S%Rx;+-8Q^++nA+vKk{YK<?ei(4F=uUb%nf2@GbVEouS?IAqtZp3QqbI<N_gU9= zL$R{SoEWO%Of8V?Q~wG~t_={b0z~IV6t5xm^i#npTIr##{)V)smml%?9yS0}Vj&e- zV`~bTToCD4P3sICm-8~dH}Uq;uK_wEP%ZH!;3*PV=OBS-zT=HECi`flz)A|uP`Q<i z0Gn<@YW+*t`S>!_ulOgL*RDj{mUU>`x`D6}xrUvQ0pO92r^W+)*1<X0AtZV2#65vS z#0fFgFGA!Ax+|Bb@sUooprv64VLMvti_kznN@F^eb(+T)YCv_SqiMMyhZZXL_OkU` z(XvxvGg`K9M$_hXs9*Igwm<m@nrQ%qT-1Q|g0c}lkAmX2k=%r>Ri~h=voU3ER}0G$ zcMCdzJAdx4*;fB2Sh6J84WU!Q`h{;8FHSxIkwaOp-zj^KN7)|a*k3a|VjM<hSgl*{ zY<TzGe_6JwzxDQMg6=QTy$_#jfMn9lyYz>#lRx_P>VrRV)2Mk@{BYt?AN}!+!#{rO z{zo<MdsKCN%xhr0^PP=d=^#Ha;@xKa*#8;Ndyj}Yf^DkS1!|bfAy37hZK{tHf1ZOx z|K%w2;W$uojSaB0q&40dXgF|6a-EY094B97IS!*g6&x^?p(rT215k^3o4meIKQUd+ zb3gY2Cl&gADKU5)eU_PQ9+45i$!+iyUpW+X^&cy|2M~%tKP*zYPTLPL<wJ{xmNw*6 z33X9U;Kqm69C6yXOrneID5<{1Yz5>+4!mX*FVWUeX$x0r!e?)a;BoxwDpwUAm;A8Y z(aWq~g{G(ff%@eSpy9Fm(fH2?(e~og&?5sar#k@}Rs(=a2_)GoX!Sr*ZK|ihxTaf> zGy|RK<Z@Zmb4z~n%BQjU#iw?`3&k+gw^DgGZrjvN{SKM7RusxViOtVHj?K^h6Ps5& zhRshsifvCVL&MXLqKz~{8Wf1$_@_=T%0vw$ZL7Aq&{kLE*g@M(wu_GOVyG7{3vtUy z>xV7NZ`jcbE}mYvFfKLz+r^kSQC#uf@b^T1NLlIXpIvJ>tIrt0W4X|~GYM$-=~vw^ ze*=Ju9Xz9-o4h@K@<(s4p8LV?)*XHMEn`pk^p7XZ{rD|YkNWJ7XUzTRP5U3wH2bi8 zZTzIP8TW>&(0gZI5|@jI>wPh|8sGfR_q;_CGvA`Z|1UA}DiN7MU`MlJIRS+nfVv&1 z|4%%#V;h3j)=1%ZmUhS;fNXOkEIUKzJa+cok_MYV%a3(&pbnN$CCdxqG`U7inUJRZ zdM7MPmIOIxwm2uN+p&is5OU(z57A_3v0K;YiE9`*+p|@$-=mr*t)7U!m+`!VTgSe; zl@qW2kBL@tmjm3e7zSBxQL7OUbTyvHsBdrr`RRTOZ21j&fly=17Vr_%XdpVMd%z|* z2>XD7DmFud!(%;$bqWF8>Q@lm0;fWBMF3aQYA8hI*l!F03M8q{@zxVCyUYp03iOJu z+p;{SaOA~tf#JwQ0rGH~Rs;}7$?Qgh3654pR94%;`OM|B0Ou<&n}tvCNY{{#aK4LH z{`3vypo(8XC@YYLu&oN(=G{5h+It4F60+<Id>*&%c;J?Q^^DEO#5umUs_htod<Kwi z-}%5Eyews-iwQkm94<BlRQS%VbWZ+!`aMh64WwQ(kV3;-hN`5f;E(*+PipmCzFfH< z+%WUNxiiy8#+qABZIjelv6|Y2*24$$q4{{s$yX$Aew6Uzzx3j<-+OWYcU;x~+>6D& z>-(|K8sC4HG2UskDrZya*K$5FG;5<d!tsHI94Ps83fZOxq^R_>_4NodX|VJ5C<1*K zAmCP<t};6yI(GdI34@O~7s7`5!4s+^1&0{PjcQB#-A~L!D0jxUtrYz7^0eUy2b|#A z(phA=v$Nat8V&~b(mLXCKdesp*CD{WI4<7fdFDzH_gzjpza~5g$g}Lu>j7-zm}z91 z?%rre)Ky4DJ9>&cHBGH)sKLhiIylyQY^F8jaZ`un4v_%f3MOoh1}-^cKV#I9ZO0_E z8v(*GZ`25&67>|q5QZQGlz{0V9vqvgKB1rtL0S%$Lg@_({fu?92n+G9VMl$4Zp*t; zeaZ*xZ0DzFq-b2{ELB83)eq%Aq7gvY_kD(Aq+zJ+g#f03ac#3#l!YOVXq{ate`TF5 zD0h4&<<U-I3dpg~ICF<rmH$06yP&|-qGP74e*T}6;>P<t=V|@PU(e)=<%ZK^i;$<> zT2q<ftXBI=D|^jSm&@NZ(2C7K3l2#+T6*)iO;4y%MSskPZ=W>pvY*VHJEQT4cuU)> zU64IL2ofL3<lO(pow*r-{GmD#U!3sG-Civ52QMD`x#z`x<oWS0K+GpRKX!pJW&zLb z=NXaxM9c(8WI_77@z19i4ImBzJ;%>BHzB=aJ2Kn1A>YyrwVa_M->qO538a;6q_L1= zhhVsb;mX3Lw88m&{2ZK)R{P-SRJgRjP*h_~V8)=27bo5pC-NxKIkSS^@Hw^G)d(1Q zDR7s}<1yb)c>cJW+W4AN7eDm3lkZ%5<H?JcU31E)8Sl$w;%|yue?cPVE#xl2WqjCQ zXUX4kW`2bJO2QUGJ)9JG3lK8Sxt#X_x@JzU`VWLu!IhH`$brVX@jbi;0GP~bIBarG zf~YJx5e+zp$QV#xfl5vlolx<q(o^s_zI65L71J~i!~>Nfv<$(ha%KfeQeVK+te${H z6tw`3UOR9+Gu&NSr}d};w`@k_Q>^NfM`#)qH^^I;JVe!SXhk?dyYlxL7Xr$_ke;^N zkhYLs0UXrOX_pu26`QOff+K+PL@$@nP;?I%!Hrw*zOAhnWNf|g%$j)I{-+puEphiQ zeMN@Ug_M(i&f4mO(}dxH&^h;{6Z_i}?|pRVKÐ(DO2QQ;r?v9Hw5{pgM358g3j zwr<nsM#ojrU*i(lABR=AClRl?SNzzY{Hp5j8{hw&AB(+@{sK?Dc~tQGiZK%*GKzyb z4gu#RhzJC|U5*2e9o%+M`rDA+wgovVaGUL@z<VQCp0Do%WE&cwwA<5JU!RSL_CnnU z*a6@;@Evyny2sixITZewSUeop*V@zi9)Qh1K@s&jDfE?QfAF%oJX+HkbhXOt51m&E zE}x$<o*Y>d)0a65tzw#!MT^2SmMm#K;qLp_AOEKZ9zA*S(qEmjc-gfZN6ok-muXxe z24@;^@1#-iX=8Asf&7hOJx1UWf@|WqOp#8WKDAMSZeQ-IUK(0b$mRoBc9K#V2N`b? zX6Es=+jZBel-$8@Tr#KG!LFk6YHZJNph5$Oql^4Vxsk3=$wt7*+*k`Cs6td_=xLas zX&iVg%lxQJfsT$x%OKTqWbt(8D~=-`Se8T>(inm9Zp$#w(Fg&Rb5CH&pVHrr4#`Jy zqp}jx@FSoh5Gj6QGp^~X_)G09wO?4b@=E!UU00Y`9ocSog$SQ(drDUUN3(-GJVE|$ z+Is(uy&m_uOD~NDCVrBLxq|dO!d~atp6ERyoj-<|xow`{FX>eE1B0p845sja$|jR$ zZu0i{+z;MfcjRS1n~|@Hoi1+DM`K?6)|#5Czxr|iu9z45zVTz18{aH2#y?Puj2Dr( zK#YhCsM<my$9`;KIS4FQ&H7u{XnTMA)^??@Tl|iLsDMAXyVA<FHp6moDJ7@33WD-! zbpY!CtsvcskP<h>bEeM*z!^)Hgt@%kD&n3(MHuKG5f!2SGC;TSMvQ=h?0nzMb%@s$ zVm;sA78wRBT2H<6p|vy!?mOkKWjD|`_@B|E8s22`_BAmvZ{f(jf~&@xL}V%bbp#$A zxReNTq~7a01)+7QZ%$GFQDL!wIx3}@5$p$yt<reckhCJQ%86_PD=o(n4ocEsvO~Mi zdPEHY^*I+v<TIbXuJ(;~mIz460m85Xcu~1Ql|oOzBCL<d>NLXgoS4X&&QGq}@{T-# zbC)V=!*TBwLFiK`&^!>wl2TXoGYi7G$RqeHqv5C=<ErdEwpD$hp&<+l+p7Tb*Djk9 z&+12@4Tu6g-<)%l(R#7?O}$z5x1Ny!mrR;1xpg!6P`=2z`@ECb8{JCgvq{M10<^Yq zp;$@6z0q>Wv+kw&oc#^w%|TT@Oa_3Hg}2}C=?i*CHBUbv*3$O&cy;CnrrO=-C*ptc zVzFyI-#b@~*&kwRAmWKYdXq!%`Hp>;zz(h}@gS2yj@$VeZtb^i*@X1g&B!%1LRb2Z z9lm#Z{m01hC?U+G3w$^Z7P|gZ>AHmDAl~b?|BI|T$T&`hlZw&4crK`M&76=2WzqJf zqV8}kC%kkfhqhD}8txA7-yvN@;2H0rM3o(@lQ9NxaR9r+7p=&hbnhcuPg=b6VHyQD zoqE?pm&Lbb&a4j8r^XE4>Kl_J-XFPZp#P&nSLj(*r5fJR-_2#YTi2-X15imtnIh~m zazKr56H&aIo3+6zah3)EwPR--)<h!hid;BO6*nSwzW@Lb07*naR6vcX3Q*K90p|%} ze!CGsa#T>%SR}&qNb!<B`#!n@PTs^Q;IkmWeh1QZ^t&xjbg<1H+po$yPCr%x&I6jJ zMuFp8$Gzb$>vpWeXBnU8)j~Y59O#>JAdW=93Zpi=NG@R8R7Pwrc`rFv3iLKvYw2d* z?#d>DANS=ae{0q}K00vzM-Aiz@ENyPv=;?}z@oXe4f@Q6jV*Q_CvF9w$8S%%=i%oD zTdx@`fu74dK{Dwddg%>QpMSXJ&9U0rADCG6U%goTW)t(yH^%J8hwJxDqwl$t4dr5C z*`b464!O2AWE%@F@U>Clr>O9=^*a&0pvQsGcglmnWUtRQ)Whbv$YFR8ly)oXxEk2& zUH~j|$w_gn2*wwqee+sIwc5}<2sjF>Z$&DN6>{=RWwJ;Uv_Dmv{>zD;?|Ea8$DGZ} zmseGi@8gy)&ma5Oe{DK(@k4(*@y?}R*-$s*9dSSR>bQ01c)(}4qQ8TEN8f5zV?g!j zE=@y5TGCl=yXIi|tQh4KBKw6d=$S{G&=(f<=Vqj*<P@}Y88C^)2-tVo1sxS1%EB&6 z;{?NW7XcIK96|9AT{^^jgN}&Gj)KxrAUX9qf!6D>y)n*hK0z2RDQ=CIz%bo$+I72? z2YI&eIcFFGBCrtRYZ(QxE{dyxqcVsTJ~e(M6NgUMt_02Rl-W6INo$z|_)*KfKk4<n zdi5pqtNbAMS`YG{5a|Q?&eaWlJmfQIO{I~eF*WqHmDM29;H<mT3vzc-Fs>|TK*1q1 z0Q5_Gb3gi{xkt3j`BY+T&7FQc@l#`B?-DVy$myVzzD~>vB}Jc4QPDRwBE54vQd>5o zZSw}C2pMke=b9Q2rc;Pk$~r1o`EWbS;|4WE96L?L>SkLU2eGq3#Yk3^kdx6|Kup5i zg>m%pn!jX8HWa8;+wTur^s$OQp#^+S`aVD=o8!DY=rPu(I`>8-PB0v<-eIY+*}9?R zPmd3dyJPu|6YgI2&`Eba^o?vfzAz{Glj6p`*%$d1mC@6zKU4lN>RVIM<g2SM@;Sxk z(c=z4yf(el!EGh38Wkj`u8U`@Ndzh^u--@;YnXLIIObSBO4E1*N+wd0EW|KXYL}~T z8|5L&)48iqmSspY3Ue%jD{^g5Ic_PeWrR580LCL=e^p~ZxAr{_I#P}5DU~hx5e?!( zfr=jlk6_4ywk_g=h1=V$?P8oBxi7hn36VTXS>5<-(+b)ow{2f`)4#ewX;0Sw^5=!M z2N=&>3z43Uy7p4T8?cm_{!bBoDRp>jM#yLMci-R_$KA8MsS<UYN)RchF*kX8{D>=l zG%q%1zyD3ds{as+#q>*hM*&hrTdptt1)VSLxVnX(=T>@FxA3`&PjNLLDf%rNk*1>0 zHgIL%+5-I@e)M4;cIwV__GDal9c(ts=cfZ`@SHdu=sE%HW$kQlnV<?rCXSlyk8V%v zCBV+%vhiFaC#+u22zwzl=xqI2PfIET{e^(rTV*`xR`x<bM10>IQinv3KeOwFO24wT z5Aa+wn1AO#wjO`Nvb#@A$39L4JfBAdZ=_=SI`g07;|O%8rh!I)PR1NmQ(#SX66kh5 z+j{qHDFbf{aa*MWM>-x$&>;h=_zJiV1)uq>ygke)=|y>}K((Jx*?|k`o<Ykgane#m zp+Yg--Z#2X$!D452<QMVN4rJ;A&)9=;(}#%L5N7HbD?25M~2+p+>Hm$75Yv8Xc5A& zmR04ib!#|k2l<gAUz9mC7_r)ZbL}COfkJyicLC?NiId-nN&K-pl=Ad#e*Hva<l|z@ z!4zztswgi%)M0(b*<1j9>wl>0>O|l189nKo`PIBTmp#)dZ@|%R2TZ>yCX;6FM{hVR z){?r`_p5*5dEN*35cegWcwZl+3bz0jp>E-~wjf=<1F5Z>xT4>P43&PC@qBADLU!~> z(d$59$7MZxy%QR6(EzIer;hD*I*=<sYiLL~?((<^38|jYFZw(Na8~}pGMv?T--Aw# z03GP+Yroustn9I>Iff6*duB*?0J>@%XMQJ1Sp7)U$$weau%T|B2b;{e&x-F}7Z-OC zj|u*k$>me6sjLo#8o03fnuQCcD_X@g2iPru=z9j7k{ALaAMF=WBCV%>F_A&hApIyy z!zGC39cIuk;J65dDLwjyOk!CJRlur<eP`iiQm{KVA#7_Yps*h8cP_{w+_?p=VF&R! zEOgwfA;9vH@{W9_s{zndk8tY->WVU6m~UxZgzHyAxXYkr3S0iHUwJPAv{ntX-j2>O zs(?sdQCrdbMc#8P^;d5F-?n|p_j>(x&-VA6H!2sedXv$A^aE5*H}%eHpD-wzXhG22 z#^+?&vObln2$DX`tu!tdIm!P;09z5NBvKI}AA0!@rybq8-(`t-&5upY|8FiF_9t!K zzUh@dI|)>gg|u+<s_?mu-?o_wpGrTwa|iS{_+d5!%Z{tK(5Ill3WnW@apK3ES5*zK zx&|f|>y-s%wFJE)_XmL!hTB`W|D$#Y`>9NVGt;7I-)_)jfSk=g1-KXcSY*i1w7=;N zKucSi3oOg7H>`tx$lBE(!hDD`jSZ&ge_`uSxk}=a2dBpbXDwcwJ^4?|Hr0-5`i)l= zyp2li-7V?NqkKkQ4j9d4k=Ikb&bY1IijE9`ay-)SLa~)S>$0HgNOlAW2ep>dcob%w zeYQYW@p}R-r1%8GaqLk+D;O$vyJ0ngl}{nuz6mbX3fr_3`4^u=u;w|q40R}RRe>uA zjR3>l04b$0j<zNQFa8VRnrC74Gvz7nif&zp+*1$1HExHNqudYy>u={h3K!T{_KG2T z+7NUhAM|#ypgc@X^^@&yn5jp4jCWt;>4gj9sk}YPz<i38Rd<iMXL6MJJater=K@_2 z3^NxQ2mAX_<n|L6Khjdkx_ed7JykaE(o17UUVigy67kyq6VLmMh#V!58kXsiu1>6$ zoi+N(USmB{+qQ6(zXj1Yej7VIjRD=NavU5w*gAGdQXf9Y=k9W1%uc_iw!Uh@q@ZT< zR3yfZgYi9R8+u~JX=#FW24N8#dv{M|`kEKXMhAXh3+w?r_JxUjcKtE{1aPBkY8oh~ z#SFSVz;=f!opZ?K^3j%`9bT)y10Q=ZQsZFuAJ;HW$Mqg$qfoW>kHZ(O$esARN4Zx# z?hht(7pF40Kj!ked~NOap68ta+r^>Bvs2P9RJ7aOL3i&opETGtiNL;52%umPuzzTh zLm{<WpGexTgyYvE7%G0@d`K%3$Yo$RtwR1^_anD#G4hYzgK!m1o3>_Xz9F7R@CjbA zY^2O-2pEEX&CfMAAph)R$UnRoxrY`b|HOlEG$=Gr%SXVnT7PMNjoQS)TJYI`$Y~3} zcBB87bE}<mzpiiF{veV`+Y<o?$mp8ZnZ74iP>1L{V%XcRFbL7AM}nLShLtyg_Nu=* zXMVP^ZpIq+KZ>hz9P~I~daCA_4}WV?FzS@cyhQBl#>hEjY$EZw?aO-?j-3IP7F4A4 zd0wB|wi%fn+lnjvEFAM3J7v@%yC^?gNtCYsil)gq`6rC|d3^NPUsq3=wvEca&Pycx zAf1*Bk0FA#qBY(FW2D8s8l%ICSd`Gfh7!x}?o?Km6UXj3dsB*|0pMm};X<!ZTosXG zv27{#gFkUHppc7+d(hLqo8ggEGq?Wq?0FBevL~uGFz(PqJT_`iRNh0K?m+GctR6Le zWiFNeTytyq?3y*`@r_txTs<|BuAp>ic1v1EY9VtMTE{fUkxX#Ja=a0wG<Pw~zDo<B zkluaRqM*PnqOw|E$FqX|Vkq4T*TT&T9tTJ^3qu9uQNc&bp12+S$QTG=Sk^FX@&QaH z1MsL6q+wERF!?+@=6O+BSE!S`3W3aOL)a#I?aoD^UG0vdeY-i=?40}oLGW8Fza!mS zp_T7mz<I*FOGM5j6JBrl!<`>c_WDwAI+NpEKCHEK>aqW#3Gm|yvh^Rj3s&jc2V?*o ze)*3MbyZ_OXMF#15i^%eRYUm4Kxb#!;R0^qXPX+3-o6c)9owN>{kF8qXMQwDIu{(? zxMg>5ptK*d&VF4y|BC7f6MtJfb)V^6?Z3hJvHinLHkPg5A^NKV%K_@F?U6%Af|jd( zbS)MP{$d5g-5vYOw8I!SfBKZBs;d4JJ#5j6eAZ^4wbuQ!KjnrJm%Jd8%|nj^tW((! zWo>&AZO+PYa(L+5F?$hL?X2je_|oWoR<Eg@wEc`FOTzYyE&}PGs)-Yx9<UGW0hUUs z9|3Q4I)AAm)$RN!%DQ{<6`zwjv`nP@9p@4Sol~f!bvHmEQsz|Z9>KJOg_aTPioS(m ze-xHA3XzdeFa{!pPkKtn(>#LWiPoiM2+E7D`h`5h>1`K8X}h9*4TTVMFG>A!=NtCh z%t8$E-i=$oaA9?g^G@<S^Pfc7D|VU4N4wKs1f?=r=%>P|AKKH0A)rrZ4g2dY@v6jM z4_v%5I}~-2em}@2ljevkZhe)PsJhm8=4~R-f6mb5L3p&<=NXo+mLsLFAH<;{uxq8? zk9vmymAz8u@kR%?%v$>u8`?{}SoNoBCQV&aJ7dP1W1~i0YGU4rVLlj7<0YPH*e-#- zc*ud+d7yN~p6e>Hi?lGGMnG#n<kp`f?Y?y~a;@EilRy_F_ogH&em6DS8rR*S-uP<I z=fvY`;%IW#{g$f}+n%w91G@T8a~06abHKhmr#;MYg{l{kdA`K2+HmnX7p=eG4F|lq zU_qinq$@&3jQ|A_>v7oCwzjo7L5dI(w@1f5*mZtXgQHzr062EfA{hEQEPDeGAyU?= zkQoMj1y#<abXC|2s=P~SnqLC2E@4@PLRs=dIwf2a83Goic&VKF;Jgu)i^^*=9fz6v zC1AW1?5EFh@g&FX?c?fdp6G4s|90*ShSjZya6Y|EoTx78XKh1^9#V$sbdJhD1GZ~u zE8Cs=PClm}dwKJ_qkq4o$78GAi}pRG?*_oa+r1;3W}of({#8cI8vq$k*sZ(`@`%2+ zw{r)w^*a%A`^lD8%<OR3vzKFMYvsfIr*rmO&IRv7)?Mn?)ZJRQ&pvgv)24nXQCoL~ zG2R(A3}@zAT54#(NYKhfLlAI~^le~hGc9KsaGF3bm+pk*Q;o<rZ%4Li8}e-p2(u|T zJrdy{@3OeE!Acwt7`n{gTM`A@Kc>cFVZYDy=FK}d<K@g<Y~mK|MVA@@`ukt~iJ;>% z*o#;jGFGSz$Iu8kTa5Xl@#DAEPWHaB?xJ(vzUIO+_tlrThOFWW6W;pd{%OwSDYmCq z1EA}wqk&f#)qM6+1WwdY#cDW5IL?0sEKV0B(p8vq5Il};A%IGoJVAY>p-`^0jdc-i zO&6_C<LVQla`dBg(vm38?!pflR$v_x0co}4YpG!J?EnA}07*naRG18s8FA`Y030@p z;MZ9%b<fJh-|ltAdTd?Obl-Rvz{n{S>Rz?=A9Cj;#g)Hq{fCrm1*Fqw5_}vjd@MhO zF~3+jcKTNKS0?qjc)t*Jg6_QlSN=!MPM>FD{>O~q6f#uDLiBhqI!lF>qoT}E>2t-5 zAf1B#cHgn%6;bw_=Xf^gu$q1UHVb!|3*7tjg0Dzo)B|<1X3eOXJo$h8c;ZTU=4?*t z`-YiJZMLyqa!rj;1?>jZh7RKCvF%FVg?WVe4CU5>T+2>mnzzxfkK#7SL2*h%v^O~R zkWzfF_MJ?z@aFW&V<!YjCT(^UHgRJ3L#M1g9t}CErqY?{r6Bf~J<iXNGa!5lK%D^l zh{$oAnBL`ka-HubZXREgzHZ$GXP>w39j~9RA8{FSUItY`(h8g!0lB`DaRt<(M;QQ| zNE8Z+ml;&Ps=$$ML%8w@*i4EzEXJ&8n0E4o_=a<e5WujO6)G78L)yah0<a+SMe{VB z0D^P_nx|06r}Edb5jbd?<|$AH1^&of)E=_B%eg4HdwP`I?TzCg$2sXv>&)+3mK<E) zEn+d_#q$@8uCnnn0C|TLUL42Xas`p{&!M3F?QpZD+YO8Oz<%s)O|LHQYz-L?y&C|@ zq&cc}=9|Qr|KZC2cyxGJ4wk~owY5SOf3C5C3M+-^_xY~Sk+6p@)~-)(r?u{{WaYE$ zpzjT=B#rNWQ&&^_?6~Q(XN{UV_2W_%`;tVzJC%cNK3|t@X_8DsVdp|u;W}W@kBfD& zh_HkLAf5-GN8pK3b*LIU7O^`0`Je{~qRaSkP_|K+1>txMV8cAr@CY-l$Z<y?+8t=w z!QFu-6pjjtyAf<;q2S(o7r|t4Za;1Z_TJYzH6z~~OM6Cs!P%;%Q`R1j1~dZnT(C8r z1^d<>=Vurh@LAUwK=w5vr#LZ}c)q#buS(p!u{!nn^%tD=#uXR5VcOnn445oL@)+o) zV~(J!X7=l7i(RO&BPFgoom<x;eC|=$#_e#LUYHQrg;}T=HmcB>*ItfcLq)BiX-XHw z6{ZPsK_41tSm<lGE6_Z}k9^{F@QY<NP0OkgplzTHP$miT$XIb|VyMrK1?2%wxVP`z z(ex6KWU%|P`jgUHUykP7@P788soi4^e@+mDNO4TJ(!dWn#)p#wfn@nSe(NAV+Tq4L ztDnps>iT<|l;!ZInXeNQ`!JRNJP4}W8Da+uvRUMs8X_pH_&Kha-i|ZO0aon*$@BIi zoW0S8_A=|-Cp^#IJa+8H2iM}@b+HMvr<kdeKH$atFNtR^HjpEovt!A>$u`y_-`oUM zzK(+u1Grc>tQac&1ggi4MeU>ssF^Shi7}&KJWzxdo+sd>2@xPN06fmA8bSHxK)&F( zvtsjE9t*S~pK9W+zz*b^cOcZ?1hco4m)IM_d?sTAGHdi-){pIhzb>=%r7jbTJ>{G% zp)g#RNP93bpz+(5%0LYP=k_}GhFUVh3gYax6GY@72Xlro-usO2eR+(R`0mD<%%|30 zaL)Ya-#LFGC1Z%YS2!zHSO2u2duK-*SdJxZh{g-b({Yhj0K>UL2;f+iYzEl58FuBr zU}+5K_;oB)4w12-_(c%*9qFu~nZ`bkLS2aJ0>^t42bfMEQRPYbEP!J=fn_6_<$ift z2PMT@xzoh*ct64pD~Y|xwfT==#Uhn2qg^}JB2zO{_NC!?fxsLCV6W*Ls{GqBh4CB? zv-0Ny(H)dO`Qm<P8|@SN%?rwA$X$=ZKjN|<9qY&9mx-7Y(60O)qE$b)`?C#Hm|Xqa z9G|&%<{@Xd>k8P<*{{$>AuhA9*YV8e!-C*?E*t;2<}f_@!Y`6LT1L$qbHwb-+Y?o> z>qPwjX1_a`gK1J2<h@*TGj#VNOsC;EsdrsV@2Sd!NmNtekB=ZRdK6++RS?fZkV!|Y zcM1<;1jaKkF@o>IOVl!rMgV%aw2?M|9tY@Afek719?<ueEXvq-;-)8J`Pl>D$u%~j z)pzz5i0qXO4%lDx_rd?BMnLJ2iU_!sg~=jvxCq`T1|Rf1`O2vHsBdk&@a&JSx!~+m z*1qfPaW0uOr9ykccUE4av8MlTg3|*BRlk|gQLcsPTL&Q+g6RAgLC7Tt7ed?tu&bX& zxb9gvj(ye%>fj<cfIEE(LKcMO#964qR}iKZeAdG-#}Fb#&tki1Ft6k~r}q{wm5clm zauk6Sy#Cyqi2U2YgnwyRenT_EJ-W^BJa>YFSpdj+tZdhU5_|T_2SK#upGxNt@_7s^ zH_qkxT<>6)_^$P`kDan?S$eqY?{+XA{=u7PnnacU%<nW2Q&V8bA;{(st@^oA4r%QU zMqw6c4*brs!Exmp0K1qg{m;V5C&FCzhc(XqedVvd@Y420$<{e*X2*~G=q;z$n3^kn z&wNTm7C>Z{b2gDrrI6*ZMZTq($~lXHuKJ@Ei05LX#-MuqcqHoT;3pCgV^A=bNM9!b zDvJo0Hz^tcUfe^hx)xr%3M_y=U5<lRp-;$r7)f{m(*W<FZaL{8WB!sQw9&%*9o(Zt zW5aph%iM?&(BXj?2&x4#9Y&5NyvcaxvY0Pl@niC}O{<pw*SZVOI_^cD0rO!>hmyk( ziG}$G1afugaFv7n8V;*jZI;l3bM1MeA&nALQ41Bff}zq-fR1qmDimqu)U^IZ*q0s$ zS{ioEFFJOKFC}1H$^cQgP*Hn*8m&065k;C>k3uopS1$zIU#(|<*N8bASZEhPMmoFI zm(1s}zno}{TqKamo%8oZ+)>uqTplfLndm=E4!iOPvK%je6wiFek7ph^?vCZD;go~v zs<I<L_LW+{#=KvQyk3COfECBistQw;f4;R9mgimCQM)QX)M<QXj&<xHQ@`ba`?M2W zle6x&m)uhiul?<Hn^!DKa<%B>&<}lQ_LxcLKTSM-729$?1$~$ZYHg4gRr<N6Muh1U z9JlUBZ$OTWgb-<nkE%;0Mvp<X;x~q(abP{r7b7D>iSp}Qfrx;UBaMX^;&r3p#S<Vc zyz(xY>bOme`Sbn$wvGMItsOtRk#hbK%W`SO`(EfuMu6@H=%lh2vbZN$()p!^eR`IN zIZ2H9e`4f+JkR@b4Ugc~Uv&1n*Ijt_;hWAqw`RDQ+xpOL+qO?>UK-?aTWIrN2%Y=5 zweD+tX7>SZCpc_-<0V>=6Os5_nL7x_wkZSQQVu$&s3DN%M#GjhurL0L)HfC88scgh z;m(2KWF`bo7$oPSs@do1J4C)?u!GZt-k?K)vPkE0i0X*yLH{qx>`B1h?#F_su_W2! zu}U%t6GP1*l->Cvau_QfXtk)+MgEbY^4Bq&;V!o2bEy>VzR=-g&rlA(=A`&7k@Ta( zt^Aco9iZx$0jFv=@jrM_z0inEAcO4BHd18m3R63HS&88aQef=CZij>Wbr=Sp3LL&5 zZRQuNeu;l>Sd^^CqD7(dvd>4qUVYRRx1E`&8FQsE<}&uQSFzJg<d`+O6`yNvgc<<c zEr1)$LwCrM_S3Q2QOmgc_r2o(2GEYxuKaTufQ&0&-GT88V%611)Qy1`ivvQcctu@f z#mWA4;lAU#XjQLCZ(Fp;=3M$NKELHej-E07z0O5OKsp1RP%J0+y^g^>%aG1BqafH% zL|#oe-!tYD+?D$ZCb(<YUv$p9HeGV=A?p{OJoMYboF|%>-BjQ3z)zm4_w1jYXTC26 zS908b#tClbc%@=PE5*eq@8ym&P!y#v1ola&0vFCBB_lwn_=RW4>VskEfAQPC0d6IY zfDJDKnG}TiMt2WbE-KGCqC_vEsg)>w^&`-TLKLAG(E-rmQoOF9fTXia2?{9#xw|b+ z<d<aPfvtDn#^cwXX}s^n1=GcvH&M>7Cni@qyzfD$EB)waeyMb11PuRpb<ON&Kjq{9 zPNu>AV^1i56~7Kj_1ocy|GwdH@%;CRnAsc<zU5X{zO{Lm!emEnM;^|ALkq3PKUuh| z_^_@^HKl&JW>NBqm5Y<jK+=|2Ipp$N=1lY^>h8s-#K=N{*<S<+%Ym40Yvu7pBLe!W zp!onWh^vi5>|U?Bc2Run*y*0Hnj0kPptPfve=e&DeX7EE9%41MNQ@rG9f2x{NT15R zERdXwJGhw%ANviEUw8WAf9<faH?mI-+xgf)cnvwR>l?(aoLDSJ_dsa8!pmsK_SnWT zB62W0Iu(Mv+wgdf<LOIY-NetXzvS%y*mB{y`#v^rUW|A{=^U2anyFuM<A&`^W<4aP z`sWDTSDkgAwQyhJRQE^1Ix@i3ExBVLatv}VipI7o??_=2QTV(KpT9@n<08p$&MAT9 z^N{+jkX28?&=@fJEEHeM7l4$Nh7wa?9ZcEHsqhp!XJ}eqp>x>*#It1Y4rlG3wlA5p zt+(=9E<CeVd^uf=c^kk*CHCx<4??u1vXP;l%Lmb%J<J?!=X`jR7<{)LqyIIWXa1er zY04Ake(<|>rn>4sjgg}%6)MdDxt69#`P)Eu)%n=V3k-3X<ADxo2m2tm>OL1*_l4$E z>SwC>x8D6#wL04wI^e_KN*w*MTjnQX=2POC4{<^{g%ive2#swjVr_@6{B;L_9e2Q- zvqCjCxK-$Gk5yIOTs3~e{>F<Ps`XGg!O~#ruktT3V|*X++B#H?84tg@79238te3Yh z!lxiJTquX{){s6X2&Y@*?4K#;f3Q<<LhfV1J%FZ0fW8#ilFA^YGSGgp2iSPIROvxv z9G~wIA~=WR>-`4iv!Um%n|j35Pi?sP?6X(C<II_E0LMrD6F|~#U-G@y9ZPS1euqE% zu9$T{auR;galyg4@H^DWOZgn@>FfAsGO)`CU=ll}@L4OU5m0~-UeO3p-{aiiHP^#5 zH^8Vt5aF}MEUVo+0){CIbi9begx%AbIP8v60G2ty?e%qaFO@I8x?)9t4w^OI(Gc&Q z6qvpTw8xsEoa=eN?$GJm{%QzN++DFfRB768C^Pph!25yOntf)t-uCaVLFEPj4d9wH z#dzmZD0O-+u5ZUj=l$%s?D*Z$7@BkkHO*dtv)|@U+2_QiZd|=6`RI;6>dXBdxjFJ< z-=ADlHReL`yiXb9y<H&tLsy+FnCBUPu33$k7DT^RVB-eCuoZ_b4)zx3$8L&GoHWJw z-Z>&jC{5jE$hEaV&-_`xCiNRAfB1=N_;G@tfERryz#|<Yyo{Z5(+tevShz4g&{mvy z?<3m`CuUB(-1X_$2L?)WsLHA0kBoq}G}Is%s(M~obh%E1Ocar0jF`6?c>gV8uB@s` zT)Sab-A6aP``p*88IErZ@H~6V1GjA7dEc#%?KJlGF!aA+MLx%=;|o;9zu?$@mU7Q9 zPCdvJI$gzUk5mJo1cnNJ7lddJ(<l(mO+o^qzM0WP*Z=?!07*naR3(8ZOseV_Rj&Yr z$lfyg$>wV7+)slbvmAZ++TZ$`);XSd{{fNH*&ZHu^S%e1j=@wW2Q|vm+3c{7Nj^oc zVeu%9ysrhu-LkfJ+DpUnJOAE9ZAu7pKX}U&&v^eSkZDx@CfCx;t@0KyTtXQx-*SM} zTW5dI(RFRs`rlf0d-C2@i@w~n8w1YCk(b?gxRIKV7~@?I@#c%jScvYfg~+$I7PkCT zZG&z{^Z<eNv?6aZG4JM@$y0st{P&8ONlb&atS{ACQ2x6y+P?%xT2yjW{xL!vK8*l9 zVKAN#k@iQ{KcagaTk7EK0h2e@%q(N2UqRvM$vgZ7kOvv&mK65t%TfX8Ib#ct0}87R z_M*L-<GqGC+S!OfFj*ic8j*Jz&s=UCu8RBdYc|!S|7+8Q=bX0bo##%}73L6f9UT!g zEWKe}{eAn~i(KX=i{Q%^=5r464J!P*3HlFj0&o)0F{^+`sau_dB2dMzMnTD!D4!IZ zV~=)hCc$Yd9K@;L5u{^ukHyGti-Wn{`f^XxgFkQVjgi%tym>6F_j-YxE5MlE@P{Iw zj|IBT-xj@_lZNg9ST(qYqOz`OIykiPLEpiC@#R<|{)?0Uv~1Jc78TxC>$=GBr53b_ zbK+IWTa7U%x-g8Z^3S)b@(+iPlc*+_;{$t!&*xj>!v9@m-J%VPuH4A1-G+s3`5*Z| zx4uED;-BEE`F$cdl$|U=T!gtCk1m=CO_4%&oQO4j5D>8JDnWQdXxz<-u`_dCEcR|s z%u!5-<ABc7$OzJDFrrBV2j^h9J;>(}(cm+o5fCH9;l~mY=&pb<9>7N9Wpa^KF6uB7 zo_F+MSU%-1%jyBSk$q$vpSQ(ce(7YBj#eIN<hhgP_<Z+rmiI391VV=5yiJG5s~zOs zV&voS<SLtRS8l3JUA+FHb57WB(OV`Atuc_a^^g3lx#9j>pQ<-Aew$5r-?V}+lAkY# zey76WF^+v*q%av!LqL_e@Oc*ioEs1+_$W@TQ1DSmkKzn>aIQma4@W`~caIqRn?^gc z%Q?B6KX>V+v4jgwFrF+F5q<ZEkFXqL=)=0|PiJ#H>rbOCo#pro`G|&9rjCzw10V2> zu(&>zNi06*_e&Znh+$=-CrL*Jz}%1AFw^tRMPznVzO6-uU-|1$KockRzgXw4H!kzN zmlj>S9MRADc4vRi<+qHji;a4x@%>Ly3I9KKFkLC=Z|@LfGLhoXx3s|05a1Kvoj^ZQ z_@qL@YCg%EvXEPArtQ=0C)~N9Rm)NCIV%4klZ`%s42ChtOO2Jt0I(f(8`}s~`ko(y zABz)c3~*;a<1~O+E4vl%d$*J6&fr+gyEGQ@Ilx;k=9X}Ry~_c#xCTgM7>lt_Bh5ad zzctS0qQ&Ac*8YmBN{0cDkYqMQ&NL$L2Mmw><Vxd(S8Pb6-?8CcXC3|0!q<%%(hm;t zh@kcEA8cz_@}mcL)*Nw@@w_j?cwZFY8=UNa4+oy}BFp)J(*}EKyAe<bgYgLT(J+a9 zSwo$G8B8Hf-uD9M@Qe*{n-|YN3%0)}j>x%e$*(^Ukhk&~odCci44ZS5@2*vU2I*`* zdKYKd7${VfXFqt@!hSt;_M2-*&3N>TB}+1eti9*1N>gI7*joj1SU%O_=ehM?T73=& zo9ryyX0RLi(0<N+^y^o*>|C^R(U-P&SNAa=x^ecHnE5a9{Er*YoW_ZuT5%l}X5qZQ zkw+J;aQZu3%@`bzH@w9DbaM>uHt&$x^_~|ymV^BgV=$gPN4pIHxBeZ^^#)f}p|lOy zZ@5xypCAg!9qu9qhQ|S3WB??fM+6$yG|lUPycb3Itj9XY+_8z)>4RbGv_CFw@gO(z zx#&czyEB6!H!NkzD<`5{v>M59RiZls!&31px)Q0PMQ|YD95(aAo-dy^G4t7~n(B{i zUcLM+YcD?cu$}tBp=2^z=n$u}PQ>BP59hYs`@>Z`C%*Pi;iL)Q<oNrdf%y_Ex`BM% z&vCqkihzUKLKS@k4q!=wi_)N%)7xGO&TZpd_fy~Imu~IDPySxI@XSfpd1u4m4Qx>z zVc1;Ac{o+vackwOUkw5BK5X^#c{>NU70&(~kS_(z=BAVGdU);I_L41sbh^yJAHI2- z@%{6|Y_=-b+zcD$JE06|GzaHiu+IGmLH--77Jcr)ZeJ|nAU^VAHy)1K*kxP^Uk*<W zA!j~;JO{|P@w~s8%0Hcg8Uva>NC4SDCcm(>=GVf>Px4}a^86v#GP=Re_CzieV~$YT zmWo=p{#9vfe6XM$HRP^^wQ6_tPK^@`3@s7k`S6Ro0-hQLUJPP95)i`P<H(KA32<M} ztJZIT4~j9jEwh}n`mabt&m#Bc>60w(a+zFy*NaFrT6g7)ga#o2b}iIF^aC^URuNp` z1Xsm?Pi1`Xzc#K~e%6MI&N}Gnh4bs!Q51I&Rdp(=Mu5WY3vI*g|J%Id-XH#J{s&)s zt8uaGtZ`q2m2V1gyFi|Rb4||bHX*qHflj>$+R2s@0l}WXsLXQYi09YAAGSWU|Bl`` zdhx>x5;b1zG(i4?FyQxn(9g?qEM>UT*O&ZS+S16-2+*{Ck{K{MpB2S~l!Gi4>;5km z*e@P`;)8!aZRygMV%~sh4`o3UkK=3`*tyx}M$hJR)OkZ$-7eY=$WY-u&6Mvull$SS z-+bXkhP!sjq<?hdJ|}w;|G0?vpCYEP<xlL8=jC~Q*{`{Y=lxmoPs&Umq_gC0gR}BW zXM@|;|1!DhpiR@p!}s4P#+)tSNmyuk+>qi9K;?FIbQi(VsNhaWzt|TcM+8HquSWuY zJV93DFf<POMQG@e1(4}R+=-Yw@LvOfm%c&kyYT1E;Za5__Yg>Is9i1}a3>%W{nxR8 zD;D;(p|0}ZhrWnFWVDDJB}U#UVm`rPa25TJkEyA9&$<iFdYyh_VAHwh)^MhfiU~%I z00k0Uv~Z!_{`c>0tv`LAd#k6^eGB4W%jExs;07ANf1$!(O-R!qAPdZCce|pMW2~L{ z00Pd5lYa>0Cp$)sSqmh&DC(X}GMO~-W^=f6=Kry+`mPUc^zQL1k;92Pda+Me`>Oc$ ztUnr4l_1_%8V-3rxfl67f64}5m#}T$I_9sByeLWZD6hVfA4)v(E3ePBG{wUVk5io+ z%DUQVvli|Ak8|StuK4c9tABCb*7nR!fjO7lQgwLC>@(oUJ}bt12Si2zwC{<htL1!a zGjde^1>=R3nLbFTM7D_FH!jTG%3X<d%0tbl_%WVmE+Fj*j@D+7%ktb`WyX{WILZQ+ ztA8~D218CnC?W&O3cO)2yv71@<mB<A_Q4>pqq()lGpt+KZP$}j-?mMNxHq_b5TZ4m zK^sBC`uz6>zFtW@a3FgSOn}G<GzKp5j9eM>ysPuZ{SU^v^EY37*6ADH{id0#FPUFe zv39EwP=af&aT{*`dS=JpzW2h8`7>@0#?)QsjQt$7>eu1$a|b-kdO7zwZo4wZh&s{R zUH}fVF0}ThAnrZU?api&pYL7u*fbC3Eh0EWAeED8SskUI<)BwXI>qtRlFFc!tNtt( zgTp+I^!Rb31OCKC+t)0@YmZyJ^sb}sezL8^=ics{Fqi*l(AuJBJi}wHIAq1zrx3dD zw>7r@YUR(8&D{t|^nVhJ8D|&7JpW4Z{5L`nFW@=^*(`D`jnPMnTxHJt3#5U1T5^kR zD7Qqr63L_)Gd@2Hp0`kpQL7fZ<sYQl;A{nT4m-3OF_ogpL0D?f-sZ<R0q$pwoHSU* z1aQ^q_+3WapEwA+>qmpFX2{Bi+(l|Devxbs{5)yM+O>BQ79JPMBp5l(H|G7~na?@# zuHnReSu7m2aQ%g6ofv&%;L-|yeXwK*sGm&Q#@~ITY3JW>d2}ac{s4)pt1aXUoJ4-W zZv1B&1kVy$#KB^(xST4nUl}KVX}G8N|MIu#(sOILyYV{CJLf`V%1|{y6?`rqAjR{2 zUGX<l@n`g%8qS|XRc9A;b>i1wA^nZd>wC@x$>T@ubJIzSAK9RDQWyApZIVfC*!%-- zqyHGrZFd;*&ZlP#&+=K_#OL?x;@AAT5RQ`rKK!jwMkbymvDj4*bGisb5uLLLGMVW2 z{krw9t8q=Q2spG@=ax7}<-h1^J)Xc3nFGf_Vy_V~=dlj%I)}(}w?vgS;}vsiR78f1 z<5Q>vRV7m?T9x3ZjD|p_0q*oEM_yQ4mOP-~;Y*gZBET&MSk4LbWpxyw4Q78sI+H~! zS1}px0CB~o$s;g?65!CF5sGOdat1^$6HmS<#=9o&$3CznKkZFxE;#4dl^32l`LRkG z1KJ)n1laMhBpK}Z>vuLa+<)WZs(j0rt#zMuF1(%!^fvBo-p^sXj%d2QNLIDrutNxk z`$NHPJ7TN!Q@=g(ar?rBp3BNHl;uJZb11ou=4$#CbCyEMafM$}{4H%Mq*d|T9$Bkc z{Yr>6>56{~pVR$(J~w#QCG(B;8z<fM$dj^{zT~HT_XK9m?~{$$Aoo?u_vaWwBf!D& z8M?JD#7`a4zuI(1GSxL>PL96(n`3IKMxPDwuQuWxEdo(oM<xR*|7>Fex8G@?GOp<r zf(*(1gC@`|FS$b=CQUbYVKVLoxudxI@J>J`JKg%v=MWv2pn?}GuEh3#IY*Q?qwKQ0 z5864GCZ&LM=<z;S=P-&7^vG~@LSN(@EHxZ=_e0M(>wXMzYsjEl=Yys>oCL^o^bbi| z+A>Jd7zlVgz%DVIEd0CHB_fCuW*Q?49Ly&z<g1=9S66w7_f5-9d!zoh!u9Wc!+1v} zHv~d*8<s6f*FSK}ik%PK`r{z(e}<bvSHijPILIFekF(Al4$!g3;P5yHx6(QJZf&;t zB`jIeYu(3tEi*ax-Yz1iP%*|T#U<MfHHdY0OpnTRwcpfQQ2gOADSpmV%7!jnb#=dl zhS85g8(tkWxa*F+>!D?P@;m;Okh4)D8-MquozC;W4C{W$_*S;q(yyQs_9<+Gvwz6t z+J4dHSN)>eob30>8%BrTxU-Gnw!fIesQUQ~*sYx7%0CTN{*eM^JStLw8{4Z&<5?Ko zmdUukW6|3*F7X+&r;9P?ikK4xPQoBh!=qxqGHB=AS&L`~fPQ;o1p;hW1*njOK;L9t z%TS6icqcFpGRt}HwU|GjTeBF{#SY>|$K?-V-5q>R`lhlQ6u~`II3EPjPCy&C$26=4 z?;c|1-?CZ}8UqmhrO$Z=a;3n0)$`=D62>pulxTa+stewD@JsrQfgv&m8t%EFso{Z} zmhSLoeIpFKPjb?{);Zit_#1$ggcdk1Q5YC1$3EBS;BL;l^h0W#^j6RI_nbE>9{0}y z<P9P+78SU-QbZ7j$a00>#+|WdD*fixG&0#dRn%||ZKvQ8+k^lB5CBO;K~!wCQWi9Z z+}(hDPeS|IpwWJbEB*&x?usA9%M^XA{>5jv+HCGil(6muY^0b~36`=4=R2#*^(8ix z+t&Z_`b}LEqw>G>hS9aQ`b^LBJ}Zzzg*U}@-1g6>Q^+>#gw19&sgl5^Vm$}e?Xhh7 zj?&J=+z)=YmeawhFrNObC}F9bL)KmCt$%Gu$Xx};4zJ;gfwqb>M`h@l8p`K!4u)sx zSHuY5vz<g`efoGDFclTJ4*BEKmMro&vB}Fwt|B~=&ak_XOF(@&utm={b9sd9cf-!a zNQFA{R6}qO18+BiFCymsUzH#GbfT*2otta2r|K^Wo;&ZnQOP9Q=g^9YZAmiF&kygs z@8;j_X!EYI2tVeWe1)sB-*8wz<{Wem&9Xj5d9RQovA{v@bmINI>A|1r&ue?6{C67f z`Ou!sBNUw@_b0Lt2IL$YrF~yl`+6j%{lBp#1zq)LdFHSA10vkNLXPMvSN(RwKN<e5 zgIo^@u4qfezH<CumOc7PQT%LM<T`ZT)qlKhYbKxhl7;&ToLdb@9)rCc*s0u;0{hF= zM<6;^?~3HX@430Irq+LrFZis8IfM!#>P*gAM9ROO%AaSXU6mbVS_75ZpPaS7evUgK z5v_%{dnPgJ5IFCxa5Bp|2UYw5&;BWw2&Gat){9DS|L@|>?FtSm<m#MY0@ogYC&gze z4{nJKm|&@3f`NmL4PHgRBJQ-i9(#fP>}Ecr6@<a}-HLG4e<GAG^n6n%!E`1Ut%fwM z|CB~b3|ayroQI@FxFCVZMO1cQb>hBdjr(}r*ziBzyXu_dR=(rRnd=uWtmfE|LD$!r z!15bX`uX7<_uqJ9&d+}gMm|YCe&FE#N_gHu8d#(fi!}$hXT-Q~)MKA5;GRBuxQHwV zOt0IQyu1sL;{bSsemU*ay0FsSE?wQL;oHQOzAAp*1q&*@DC(L!PHo7+VJGGJ9C^Bz zrwc!_BA@ZnnJZ4XbLmYd-udVYXDsRcD5Puhdv|IF13+2T<A5d~*Hh<x56(WrG%mS? z&zqrsJ0Tgj$vOMSCTs3RGD#zLcOvsH{b5aPoH@z!{ZBx=BSj#JWo=kg{`GL&e%G{0 zf&=v2|9(FFU%s>``BI7Y;nSNY8V|1*Bd=9nY!LAHA%lvq(pjO>jM_#?F<LR_*eJHI zV)WPpPH-YS*(d%C$Ql44VNgyW(;(i0iKo72)Sw9MD(rS(2e<3+D<<iSR9*Hr=DjRj zjw_#*R605q(6COHFAK(Bxl9VLTEbB<=KaQ)ZyAyARwZH|m8#S^8!md|5!)^~YpVP3 zf&|B&R9FnQ<=&s{+_B`wB|BQp{|27?w}o6S&gp+AeAGF&o(h~htu)gIP%+DIcTT=h zm2G(jOOm~w`>(m=&11Z{EMz;+V0CqbJ~`c2SH+%Z-_CG{tCh!HO<d_Ww6sAD-dsKp z^3o?-14rVj5=gV2Z36ck>D))7?#FD)Ro2-Lty|mhg_G`F`q$%@EZ@P0$Yf%?Lfvi# zfVQ*#XUXPqFKzse3xh8^>y|lZn<)jWdHn<1CgScvXn(tXQL?qGvIl(lTZvpv)lr^! zR~X};D6&iW>xw&9KV-^3WKFbq@r##U+VCiOV-tb73vZA6vDk5*n70Bl%5e);SO2>G zk4j(8arK{t<F;?5Nk{ae7Db^!-yB>u2g{l41P_7RgtRZ}!5N3pKi3hvj&$ZZ!HFG{ z2Oc|X@ye_Z?<eGUF(8%T5qt6q**DtKnP@9iCrpj+Nq$D^ZkK?8$Y?QgoH5=<jAw2X z@qdtme0WQ<dEMp<&pssjZ-tfqC4pAI{Dyqv-)>r4f8R}uVr|<#9ys$~97A7W)?yC% zXX)>t-=7_@EXT_)!{+c0Joo2<j}&@vkFiaDn12nNyhTKM{GJD=I9Sf1K^R8=l}}gt zZL0KnuHVqyie~!SuN9|<DhHcIakw0bG{S*~5}t5ycXLs519jUcC5QK|UDNpKlkR-z zHz(iq@S3-+SfRK?f8{&VT@#nHlf87fcY7EHpXNOO2byIYh)cmxYz*}39CEa?{*e#t zuUGx%+Lc}5&rc@(nncZkUQGVW^UUj{UHRK+#jVQU4#CPFyad=PHvDxau=jv%Ws*9< zKFzZrW`THe6pa_Ly87qYKRb%%R}>sahou#)Mn**mw-aN(Zx0VHAcgA$BW6w*+TW1c z0~}0g`h#*Jm_~T(^m*sj42n=$;bRv+u-zE>A(QSWylmeGAn%c5H;KM>*39kEHW~xE zWvYEA${e}v4H7VF3>afhHsXEC8S@k8neSNNzJFt8>S^mPUa<e#cbz>>6(>g|r=H5O zylMFzsfGt`d~)aHmhWX+(;sk7F0;<v$g%mbbKou*S{SC?-c6m3I|dGq1)1QRjgQaK zZ)uRlZg7jq<5QFN<9z)t2o7VCA+$T~mzI0zfhv5?o!NXIDIR0#S-vX#Mk;+>=@*oK zuT{0v?PEX*TDDh>AKeYvLEWV?cm_`HBaNTYQ2IPu{C;GE_qJu?pF3gk!*?8a&(d}O zPD-D0Xm=eRUVCaOkWAV&zq$4iFNG_p%)icu`wt3~OLB0FNL&f63qQwBxPrpIO?H^S z16|-IlcuR<pBaMK1!BCnL&O6w$BM#C2DyfM43+Zdz(_f`KL<vBzhO~QSBb0{;88?% zEasnXO27GMM-KBjggJdLBtog^O?MWor6|#pC<js{>9LVLlq5nAx!q(r=W4kN@P?S6 zC3NoR+%{W5LSZ-PT_x|H<}g|Wr{+gZI(GNWfu|h*=ZBsNti6H#^)b%4L-PO!&fb7Z z>ZIC|%0SOabtN_Og5ZF}IMjtWr^<NtxigIKeV%jMA_M>1o-gm7l%90r>UW(r>&5dI zjMf+EP|0i2qOfK8FLvy_|Hi-VG^?(%X?s4b{S>FL-*OC40XqE$YdQ`%WZNrtoTE2U zVJDkv)~^SW-5UzUA}lO1_{TZ8ItRO+3&VAs7q(h!>+?a_lFj8aZJA7-eKe%9xAl!J zu94gO`ulz6gL<JzX+R#Uk0wi<b5zM^$-nL_*E4ksDXszB3aT63wdSJLeh-k3TWikG zw#eJp)K34%iFYo&@r1h``p1d)KDzUaC9lkLee~mEXYC#Pg*%cvR^jRIgf{!%&e@wO z<R_hT+-7namJTU=7XkEzKQ!|xKkg8Iud&(vX3dhM;t;Kaleta%jJ5C<i1GfD3Lv4m zq=_(_MYgdXsvI?K2*5(HoI9((S@R3L&`v*@G~uZDVFvy=&d3b55g~UU0vaRi<f!x& zwUvg2v$oQti}YO4-_2u&%kY8eAlfanrv%|e*}W<-=8(`O{zlxzf@or4aDYx=ATkpc z@0>ILk}6d0a@kDcUQReaVc&e7WYyB5_wshyZ!*~&jes_^(HN+}r26s}$ll7mjupU& zU;=le7VwDRdf$uvD(-t<PZ;lA`_HU7TE9HF<-#*-EB=jvB};<(f84Tu$Ah>0a%aBz z13V(QfaCpo&SUp+@au}W1(1N@HV6B?o%JpE_vQEg;3b?Gy&CzQ<m~%hKD;<|;s50G z;kBu@^mpqUTYt5)spambmbQn}>CBV4e4zj6Z8gUq4Fzm=4%<j#2LwA=cLT%vOM@o* zW#BZd>GkAyC-c;B*~)4+GQ5`ke<kTW!#EeC_HVHEH%$A!h)p`NAFwWbyUPauQCrva z?&B9POP+A&(%VnE>wzavfAGPEx6w!<jS*KS0aF(4IY{BHS#;gwiKm{q(q@87Y-q2C zb$3&Nt>A-NL#u1GbMA3#-H)xaS9mQAKdE1w)Gejm=+3$1mV}YmDPsH&i^w=dVA*J; zoo#G@rDD{yA%ZOy@~bxImX=$*M{J!u2F5!Bg4eK<8)qHV2(bZAJ%)f0$1O6)?J-ze zaq1i(d?ekHwai}&Cpyr&Md~htWygzir@`dMTI2nSbSOvY%A&g>yVAQ2xiOA%Z_b%x zx<wg4hFbWx5x;QG{*nUW5tg$9AhTB%324Day8&EXan;3c^onWPUMcSiFy)EJbYt)q z-<NN53;oxg7yC+J;&0s$Z=3t#!UdC}UlJsfeV>ziXUbvOqO=|n?707yuWfI(Z+Bt- zeQ@^291~B9!`(YGx$k1dqJB+s({H#VHT~yzuHENniyxl(<2!#d=Vy0*_rPD@d(F}F z&UpXo)eQ@+3(xTbIY+F#nf>>nb~<*$=^mpD@l{&CdG2o^@Y04&P!EzTXk#dk*gZ z$lKQ}+!u&@rC9q>CwM>MqA>5?%1wrIvtrKK;kLhJ?c!zcJ#q0vR~~=ovLBxK=VgC6 zY4IZ~baj9Dq7^v-9BGfZ9wgB3&bES`Wz`?9eQNculV1(D;q93qb(YNrZ^~w~Z?fs^ zIjdjVc*UwkpL=lS;%|4Y6q5RFeRHVq;XlQg!f*YlRV<ZZuBj2xM}B%>cu-jmS!%yO zNIrY__VSk!$&*)8eVjn_gBD{zexlVs&;B($s5-kS>`33{a&Xpmkz1K0hpuT05Q@0< z5NsYuO`OEU2wvq|yMO)PUwq!e{gK1$MQEc2LNF>rs*oAt%lk0DqPqal-|d=M;zz7u z5v$^Ag2HFumEct5dY0PQ+!nn-ozDkg|9&Mj?UmaGc0@pY5i{E}=6oaOMicXXQ&Zzz zXR2Gz+qmk{16E)1=CRxrh_k11xS~>*!{fI$?tJhk_iVra=F8CLpX1uH|BXj}*5x9t zzm<|vC&{GMvvexq=41c5bkp&7Eq(r!zbt$7gu9mAd*WToes|(s5C8bM#SeY|gvHCg zdfZ(Pec`ypORwPy{nMS`Gbi5pQ1bZ2ORqa=@v?8S><!1?wd@xs{`sLlpZMpc51ew( zvZqeJXZgC*|NLNszVQ1t&S(AQbp(Hx1o~|N>?#VZ;r9N<-(J5#4TAN*yY6ZIjzHN9 zb>*n-;X@mzO@ZgmrSe}O0#PF^3<Bg@nxOw+rya4v0SC^FaR0K#{c+V1{!8WL58X6v ziWBo%@yzkclXbSR`lnG+j#tUBzE|Le%m83(IeT=)FLPL{Y+$y2Or$H6-qXY#=!_gT zcK)2YtaFP2+|MW3+sk%D>(SL2xcTF)(eDDVU-XFEugv4_ShB+g-uD5ygY9o2ae8>g zT>36RYdQ=4DV2UVK;w=N_!ZN@S8_uHF%dbC@Ln;oTOj5)z70RWu_pEUP478#A3Y+d z{L6#lb}YYP^N!^|9nd1+mHasV-P$%N1E9ac;?{qaZ{nvJ@!lh1Vp`q?Ar*fs@~u3U z(uAP`2mLAIFMWfDkWB7c9xuGzi;b!})flsYb7u4|f~7$cWVwOCgrQ)^26^s=@kn}z z=qu0NDgfOYaBd@yZ1klWMI8W0l@XjI@b+na;Fj&A^(R@PI?Dh65CBO;K~$cYJTbUk z00?x86!PDgw{SEne4Tjr{i_k;n*jdo;L`M8QBI#X&s@>SBLRi%$Zo*P>-mbX|D&4o z(BYoJe~Xw!a8-ZIn^<yMX6mcAUvk!z)tAh#;?97_h6!QBjYwe75*SVcK*o;6A;$CG z4l%QobH}x4^jm*!{Zn~p(vX1T>YpR#PFVR{=YKzZ<m}8W&y&}3z|9q*Dx*@?;|QDY z*Rfci`PPZrW@ucn?R_rPUqm*zTX_mX3Berzx3#}y%kU{G9Pfpg%`{4_>H+%qJCSDk zUAw-eRsrtB@wKD=AJK(SQFp>$mafRV@LK};D}fK8qU84qV%ooS7oef375cNmfCjdv z?G?<8Fwr*&NOV<;;Al_G6=KY9a`1i^N8P73R=1q6`jYu$TynmjOkz0aZ;V{8JP8b2 z2Rh;d-y7>Z?+nA0HaoWHq!i>b$Tc-U4S}H&E%mvB!)oi?Z&!`mpkIC3Rn@|U9-Mm> zL|zYpuNk^J56KtPHClO~;<x!MhPKU?O?F-KPI&~O=dBlrzG2%XPG1s9eKyUdL&m-C z($U+Oe6N+y^lmu!PbzR`^@T#$I3hB^6Z!D?SG{|mt}zCc>P}t!$Rq3!U$@RKA*22N zCB&d=AI8FZ4A7cNV@Fdn+EN)<_B$PO!^px&Rh5tc2Lwb$8<CSl%vIvW?u?`Ej~iCi zUUBgYXC3+2x#!k!ObY-7j9eoU=#K=3%K#8lojBTf?rrSP(Fb32g`ID1;#qsXKm7I^ zSKvYiyC~<phjGIV9V$Cw%IglKLGn6?*;fhc1ZjEhuP^9nywXshpTkfpf908q4O*9m zI{_Ez`hh09QLJnK{y`_4K1Dg(_z*c-(k@ceUPJy-2YHB=M^|S#eWF=J@;IUG?*X3x zXrL7nE9D6-lsoTy=s_dl*BHFt0k2piKxGyL7ENs_>}YI;?hL3Qpy?y<vXp=k$XF3` zn&*38h$p<iP8;ujx8dS*KD6fTuRFvooEv{xwrYgwJtl!+F#rz#$d4w&^X9{N$7)M0 z&%pC-tvvfrX>{noQ5^xxtuc3PI4tP!!pr<*(vMYDy;=-jB`9pA=}+@QZvA(oJW+`& z$YwCq1^^Ws9aY=z3{xVmEhqjqF<#T|+5Jlq=Z^A_)#Du5`s8hGPQv?WVLaYHD!XHg zxLPOX&Ern3J!SXY!KWkv+nTEWJC88FMnmW!Qrz`U2qUjFM}rEvd>FkXxU;DR`j3Vz z6Nj>&ztUv5m$gSYv-tv<AjZ7b82L)9rsnQVHT(T?-9=}=XZ1VYIOp&42mf!j_p&yR zurmY_7zP6%X^ioYF)(Md!^WMnh0px940fT|2Wg0;IJ5u4O6*A_lML=Ev$JXTq0V?` z2+Rx=uaL?=9Kvr9xG;dr5ADl;fTJT6+tkUk%&AYM&;+rAJ+CKenPYu#4(452%?Mm9 z{wOPdgyD`Ke_}%aoQMFExXSq-(vDsh?O*xcvCmktBv`e+@vqJWUxsrJlJ5@vqjw4~ zKMY5upUnlRZ)!z-V+*pm9FGPZo6lbH@@vir#{h>3JQ1m4V1^iTuJ3vO7pwArx&Q3i zvoLavNT3%947mYt%!g-9FrGOHMh;hALQXn)edFH_?anLbIy$?=z<*%f&p)MKmO|;8 zpZvRTd@~>7PUR5tG~I?_bR6O6YkVjmjDA@#w0ee(=7ioY_n|=6VblvbxUj8TtUhKq zpjKcG99M;j;MH)?4b41i<{3MlWpuDEE^w!hs|#K?SVG;E*WWCsvNiWQabKa(?kC>R zc1l*TH#ju}GPykJo7xC1$YgV{+Hv*<=0<oJs04%sh0k^)`|^*QQ*D1^e8i1NphpRq z9&;;@X=C2uVhmT>lF+Sx{jGn<ZSV?^?u|qf=d|C%ZT<yN)1&O#*|g?R5yP#2Gp&@Y zyy*@=DPC#cQ8R`#0GzJDD^0uuJzddR-3RE9T8sqDU5!bToC|HLm^NTf1cplbP>I>; zC|u5l@))(rV~m!RDT4!Y;vl1Goqf2{9|tPuhC2b7umSg4$d@>A-ow1X@=X#i4`(?* zviUsp`vE%}o1y<`NM9bL5_x$vV1&zZ3FvtKyG3}pZ}UGnY|)ZI8~EkKN5Zd62@I(L zFz?bI*1&T|^IZ5CNBM=B4Dzk5+-=nu6NbofUegNh;@Q}vD;8bTaUd*Q=o!y{wTPSm z0riWr<DdqB0*2_)mkSZ?E+}h5R0+xI<gK8~0Y*DGrsn~95r-Y-jFHOx&e6$!Vgoe* zqQ2DF*sSkb{FANRh(TU#gAXSsP7K{^2T7{O;`+6~De3tA<oS9y{Fy*G^;qN;lgY6H zOQST$qp7CW6n64xKz}`u4+7dll*lWlrLWkAIQG|VaB>@`mn$-(+~23(c6S@c&d9@i z#Xj=NH7uI6D@U#)rEIl1Kp^^cz1nE&Kivk$bMTH>Ll6@*T7%zZg1S`z7n0a@9Wm>y z1C7C{<g0!4?>N~-3R-8wU8ofcQSl<=u7`8BVl=xYq{F`3dL-{)U(~XBF^<h0JVWAU zz<ATSN-w;Dykb#~ve%CSJ*D+va5vg%7!C10fVm3`^an?;+tT|kS&|7G-7-OVy@>m@ z0I$gJ1av0=_Jzn0(9a3Cq%u4jXoVUCSsoRrfuNnGyRswc!!H4S9-*_@Fbp5%^SRmy zzPQhR%_|Q4_Tqo5emne<e`VD;ga$y;`0>QSV&oXkEGEpR5vGU!18khg931WtYaidR z=zlUD9#=AHjF?wL<TwaorMyrLfMDnrea?okc`mrgT&d2X^0o0gIdnnavCUZ<1}l*S zOinE^7hv#LjabZ{m^b4~q=KA0&&u@I03GFDLg=6GLFCj46Gop7aGL91*?wW`PQX}< zdn^ph*C@juvv3O>{}}jpagGhO+!4qJA@pCkHZ-?FA(hD@;1ZK^A;yT?QxdQ|N~BTd zT2q<LEiI{AGTH3q)nV|9AI&~yqa;WEz3rZQE-%-5hs*#t`tsSMsTdBWs+kpX6%nLU zaO}K8E+}!^IY{ovq_BZ?>3l}7;0|rsXQmkMWI$%3cqvad$iZ@QD<)Oc(+M;BuE21# zy~w%idI!J?u(P2d6MX_$yqFc?6DpP&xF;lw+2Xv(B^u3dnAs>I&p2RhDQytGu!2!W z@Bz#}!y5#hJ{3K1@#1XVnEIz+<y#K+2Q1V;__uWWjzADv=nI4TRl)kE)@WBiUm6^F zS77+M1m`p4IES{hrBL78ns01rdn}dCeIXmBzT7mXVflogEpARGlXmzx8mZ}(B7q?@ z00I}xa-JMQWmKiBf14fpohdG`)!i*I?}<%!T(jGDLqg)GQkxtrBJJDB|DU~c0h6n$ z^8MPUs++tZ5I_(ej0}$V;tL_^M8I#r$8~1B-0ySz5=TF;AER>>9q;|b4@bR%l!5Rx zfS{n^6_AHR3qk_vBtYmS{Ypaf5C}qI-gF+_>36-)-fRA=`jP6cO48{*)v2mp)qB@D zXP<r6-urjX*=y~!Po1_H`8!0yk%c;`^6Uc_Q2xPsGn(Ou4<=-<rLku-!9_2LjzVE3 z3d?!`@k|@Gg9ZRa&>1=VwqbrF0NElU#D+gRBRz8#WP6fO$oSFfO)0M}@s4Lgzcs`+ z!2sC-uw2M8i&?f@yQ1*rIRWtmboRtDUV)xioG=<C*(Z65xecXKH@V1!r7#t?qVzjp zcy)9~8B;U+k}3c9I1fMRb@s8RpK97UYjJboT$iN+P3t*o0tM?#y^8P$a3TL4M!%j9 z*FTTL2-q0vU^Yt=J@#E1Hurzd6}QfSEBPWKI_sb-84A<)$sr=WAc0|A$TJ4Sa%&f) zh(V#?jbaWl5MWLjXEtRrM?fHy_Mq5;8BrTL0~gY%kPVUeMo1>@4m4TH3t}3844D(W zkhyGTZSA1(Mg{!LYHm(%oATZrA>TX<t_x8Cd9I=GC$WHS3PQAVOg_A2P(&1sB?+TZ z%KSUxSmK~D5JW)}NCvJi+_#+Jnn<LmI~vazSi-g!j1y@;nUcAF-(8<b&`mRFdcFKR z+z8PjZuSWTPn$X>0_eBLbbS7U<w<*E&cx_xro33krN(FUkGtqal=)h|(SHTam<0pj z6Hp{m1}g2G%P4<_n{yy7$fexaKJHk~?~)I)s6JUxPmB)Q^lc6OHYVxF3_h3_CMTo+ zyjh1Hc;qbznE|)MsdVvWng6CJNAyhD*~Olb2M*;|0g^P<=#lZh*p>R5vndks#wu(i z$Iq{>wo5Op-^(fgNpj{|GUj=-Q%78Y$FS~Xlq$~($P_^o27o9mF$TJOW0|)NilHFW z2*|D>i-53`=rAZsrF@FUlO*gg%7^lgWww)W`GYOGCigBFF7b@H%1b04ec^?=Eiz4& zB~DkBz^Dlnq$54|egAYklX*Wz*3+#hKwRjfuHi@zG}L1aJzWuxLE#L2@_*)K4@~kZ zLKmR}Kbs8x`en+<JmdaHuil>&=z^j6oftppECUsM2w^PkK$&@VOATTsO>buQz4@lG zCOj##9>5n9O=3f*O-tDm2F2CZ`kvu!Fv{K;OdI2hA$o5pT=C_ZwcE$V3n0~vM95XW zu%SKGL(f@fuSa_xVWwW$r?HO!1IR&RAeB*IVg!gn>%w$FFN_0GXx2L5W4TKE4xB*W z1B~Flr<jcLVI&Ek&fX~X#^Mx5nlOUWCov2FDGFGtncTHR=GNY5xNcT$b6Z45{iL7Z z2o%HsAV;S{1;5v&{g4#}7+ihxN<#m`xM4PgEH}S>-jwL@OedURMe(0&jG2+W4+aW3 z8^nX~*;4z~<%Y-f2eGw%3FGjcDKozTV9}ZEWsYNN1Qls*1qzyqwO|6X2mYr`G8HFf z3k-W^7tAd&0D^)bQx@~PojH{VCP#K*1zd;W!57un_ncx*YIJ08Glp+Raq`AB#!^ET z0o;oj1tyA26k0ry%qX}nD7?;|-poUU;w?xd)8ymcz~~m2CJ)9eQ6;x3_g{7t28m<} z?N4OdE#8sNo+$Oe#UBNiL@GsM5Xgg;!lAFh;=|+3j_5AjI}3oQx@LLZ7I|S+-+uj8 z0>Kd|hyeiS^2u!7DK3>T<Dmf2L8pM^X-v1bz&(t62U`b&;YxY(pFWJFFk&W%l`RGU z7tlLllYvZsXX-nmFX??H=4MVp<G<DZk00vo+jTMYCmr9nKK5_OHpZh<9l0R}fawag z!XDX5%sEEc=u0(c8#bSvdGWsvPB)BR*3ljLp_-axJTZBb=b3w;<ra{kjQ~0PdOJFy zWu99Un<zL@bO|W^7!;q3c)O!95{1~+uMj0YnTAo|+rftl2b5_sA{wZhw9mq`kxKiS zXCTC#Kj8fkW#0{DFCGwS-$8|MarrQAiy<u&W3r8ys&S>-f?fas5CBO;K~zm$<D9)~ z`_#^+3syF^M~L(q8-hwVf+A250{}v2*mUw_J6^wiH~h9C*RZ|foSgqKbnXvsn;tS= z6_FYIr$2-b`+nc(Kfl66j<E$Xd>9t~@Vk6$QV)G}Ux#$4eu5M1_%(_|`ZDyi7`A-k zp`{)D9z*67^33$?BU_q(7e|4+m`vuUhuQl^yKW3sLIHoJEoEi8!HibUXph54%s>B` z`dt;1j(ePazSfX=0<vQ0xEV_ghan(<oMVjqU1sE)z&v*hu5VGAJ(wow?v0Zu&90sp zM$GZd$T?SWI_kUDd2o4{B1gR|y9}wbD0vyt4|p}A@kC}MF9u8}j2Q873@H03=Jew* zbR@4B2ENU!@DJ9FDS>XN9>(&`m`b@h7VBE}sTEB-=2vf$fz82ux~2pICg24uFCz}O z=J76_I>EuB&m<J`3!0zEJVP$Ii>l}6xSG>+(npL5eHb0}6zc!T&FyTu&j9F83vway zW%Mu0Amtub7J3lQ@6Es-(`!A~JaGIuXLVq}ZibB32lkD6$uuKmG6sM-D8q0V%HI%g zKbSW5H8g0>ah2xdbk4lNmpP4H>c}Oaf&9s*YCB`8<DU17xe4`=DS=%XjWlvGniB-% z9)Z#$A0vNJmKmb}Zu1xvtc;uo3<FWHoiGeC$`(sewmq0T7iB9^3<dc&$8!9D;uU!* z->1A0BX-#@dF2>6R%Ar`%k33|1f%!9a-;o*Nfd@jjHGPY-;2C47%+0I$PsxNWseJj z(Y6r;ANR&vhWV}#@wFAkTe9nfzj^JF+D+oA8=;61l%iRbz##|}!~n3?PQwUT;vtF+ zE*bY)E9~p%D(SecT&ZlrVKaveeE<>t_CO9MhmHYt97qUuiAu@Ck5CA~$~}xU=|~wv zh}<j&MiIBB)05sF*cWS^3cW=q4{QgrG&G$NY2Lgc*A$0nACuV@NE!V?Fb994=fans z_@1eQMqU4|ab3V0kT`Gl=U!p*??&6j8?c6mb<{T2vw-_2<64J7>-QT5qF@tZ7(n65 z{JALVXe<dYL7aME2*|v;#O~fc1ucp@vo6Mhq~(d3JW%qIPmaw*DE?l^>%}rtM*nDD zl)M-UqU6OB;9J-4#^=$r76<XWhUrm9e4S73PTHS*@w}RKt@6v0(FoLIl)z{R4C$;# zBOu=~HXfT~{q$tQjht_PfN6{()?%h%%ckl`&d;+x_T9TrguD1$X#P{P%VgZV8Rd_I zv(tlEmkP-*3%EcJ7appPQZDB;060lZZ}(Q7-ac@wpNtwPtkVXz16oc+IVVu>>EUd7 zX|ioh4$}Y>;M0}{r_}s|XU!QfIOM^=>>|f?-9#d8PR;svC;3w!^POGD#P_2D`*H0v zmKq8`fN|eu-11@|;9mA&B#2TL<t$N*1&N}tGclQ_#PEpe2gxH*j*%!bM3yLb3)xbJ zlojBKM9rxKGM~k$|3=IHB0H7-1b6>-dGAC4P^m~Ia99EbF#!BzDg*^s@QxXsZIa17 z<4>I`uWQY@PtD|t4>Oswh|DC)`Zx=l8}o8mNrA2&tI<C?mfUtQN7?WOs*MaPV0X$% zhKw2fXGpmR9eoOVHhC!T_!;f(vK$o9Ni%yr^7bG>+?rSf6byY3#@&Udbxj&_ZUd5j zRALN<{hwI1D!OZB(~IFSEi#5~AVZBvPac&Z&0MYoaC=aXVOm4Xi;U$P;I({c&WiP~ zUr^nc^TyJ0g`n*!J^}?X09-om*!SHyG<QpwLL2w}E&O=7g&7J}e3C@b88VdhaRqe$ z%RIarho3%XH3zGVekCt%*gvL=EUibT!I0P=l~MW`g9*W`gdk>GD&!4S$h8sQu{(eh zupj$_3>AjVr8Zh24<4Ez1&>zNd?I`P(#9>l(T;l!yaAB&FuWo#emL*R!F~<pPapyN za3e0z-=G(|-a5W}_NvCFxi#y%k;diUd~IPd6DWuQU{dZ4XWa^B-U8D%j!v*37rJ5d zeB9Z66p7??uxJ0@J1RZ$K8DHeA#>gA967k>Wm$+5<DmSxfZm0Cb!G<xz+tL?*iNud z;~ea=y*xPok1QrtS$P~>kf&okz<@~wqN!o3oIG5pXFRw)4HV(<J!9UUYeM$yWA!lL zp=vJ=am|{$euX1*GrTXqBsOaeQ!lJEKGZRqURDI;Jj46LuMpF39ntkJ?B71C>hmwi z&-$SFkyKXg)y9-4fr1zSJ(H(ywASA0h;Jft_dz|ah9cSuMp4`ufn5BMnef?PF{$@J z-rtx{p~<HjV?Kx*a2m=T3=Ybf5eYj669Zad4D@Vb{5^V7uEd;X7y=vfa_6f{x(D|~ zB4!fXlgOB0e+Fobfy}9)%2190kapZf<n|5LA-I*3nL~d+ea0!lz0@e6x|s;MIm_$b z35AkS04!4i4>Fm}M63@92E@4N#4t1Jl!T%8nn!$}W4fM9>ZUnW4a?>(UB6GB7r}lF zN}y;66vP17_xm43cRX?JD>J6IJeZ2p4c78?xHoP={4G28B$oBKQ_vYw8<yfBkojpb z46u19HW)(@;hus+n<)wX{d(B<-rQ1iXWkCg8t+3y<~?L6L|GrUK5?GWa#og6uR2UE zjLT0SvuX&I#4tQK)AwZUAj062WaM3kRAGw+!m^eSQ}|3|uf$fM!4OYI$2W8e041>J zb>qagqD(B15L|$B!TgU(n}U~zO>km^lQe5tb8Jpc!*eO(TMWBJ#3Y_EnGUhRm7<c4 zDS^J5FNQk2h6{X&weChQY!>3YKUuYW<6aY?gZCdYX;1>iLZBc9z(C`g7cWllS{iBD z{>Mn|RzBw*o8;?!PF`c#UW<9*o1wRUMb6y=P4x(~dy1J?u;VrCTpiZyB|7GM=iFMv z=h^Yo$p5&5SHW5Sbu3NoD2owuLMUwh8xl`K91<Kx|LlUlA5m9wN%8vSt<I1-1iB$w zHGg}2)Z|?@_T}vIW*(mkkzp7|Y_ijXSVwu2U<4gET-Kz%pB)@PI<nw9$iVz@s^kyN zJO*zD9BDHEnlD`5u){ku^?)_*dM5rI?6dV)b{kj)BbB51ij4qcK*HUq)l0<uAQ^K* z$a=q+yQ=B&^On}P;JgRl(V#F5N+2i#1vLPMRI+-$-TqXhb7%Dpo3=l`VCA;|jNJFv z{q9CnL02bj>Sun+zlweSxpf?I>=r=5FR;G7mMt%^Y5Ij_|C%)ORes$6nM=~ow#{gH ztYul`kp6bh3!Me0^a<H@VCTpcX#QVh+wp$&FB-=Ta|jWuLjp8yFFK&t+Px3#$=(sK zv@ifN#!+^1AnS(Aab75t<5{q#0_VwfLg|U8Cy=rRg&1?ZBlGDLRSucz8Qfn)E3+0i zr$4p4X?-}IT4bHOiJW<iop}pY1Rs2BC=~)0_g6b&6XFtPzQI-4UsNrxe|*-;b$bjh z^ipYv)^lPL7(W9bmorms#NYBrq<eSu!gqK4>AJVJJ`s6Iyan5;7d*G^kC9c|pMar& z<&Hl^R`003wsB{5WYdmi*KHF+g5X_%NZfz;9v+wtd*=O2JPkJ|*>sxH@dPD%d&y5E zNtE^QL&mZ#WpEl!UU(PABIjt2m2w@seC-h~?UuP#7-!2(#HLkxWd6IsCp$feb=0TQ zxpa;J(00O}lryFqBcx;y<qVTyFgf&@l%J4)^n|{5*xn-Cob`Nj*W49N%ci){LPzda zRQefIa~qb0-~-Vb#!3L^hN0I}=u_Usb-u=9z6VoY*Y+m;1yw5=pOQKLv6i97D}nJQ z;Ei{I<5Ave-}vPem$ozfWU3<78>M7-55+q=Dc;dZ=~w~^6ZdkE6=5bTqkk-e6ni9D z=!no3nMxko9&E`-dzbP3rlB&}guDbs$}$BobWadlhD;bGgmPp}o926-i5j9r&b|N= zAopX=3(ur^$L7_*qiF)_%pY5|cGsLaUs&Q9dkqxJubJIyVs0U(oR?aSrVKqM5CV*I z6~#TZ8Os_d{ofeNSDSEhLDllc6`y-ygZ#u5y8|gpg(!h>B~X?Iz;V{Egwl`4+dKSN zdj}=Dx-s&H;<t|2IdZZLP+2oZ{_?MX$MwviFenUiXb)D01awl}7_DqP(0JAm_di|y zix5WP@QhH<ZvpHp-;jsiGDO2a)zuD+66hsk!*>O-4dpo*N^{QfttSnc@(DtAp=HRE z;pacw^j0j^au>0=hRFPmnd^vnA5oBRPlPlLBO(Ark4rVfzKxh)A*LrVU9-qD?x$0x zb}gz})z}~pcaBJyW>Nx0OrR_cfSr&2q!R`}eL9}p55+Txzi-75JI)vZ#B!harH=L+ zoi*7M-2ZtL@n~g^<TxppQ6@X_0AwG5MlrRZiO&;7T=t$bdRi*sy8JlOa-P&j+L!}q zR)olf^9W+k^TfSf5CcHUGlnjlMD|2kFU5FC?e;{~iiV9|IPps+`*V-@ew^bbC?EO7 zfOvFDu~{WnXPHkU8SQUF->}BXgMH*hCRO<VF?;Uk?iEArqt*H!`bzAiYIP4opezjl zBEy_A&q5)+NtEkOWoXAtgs#N?F$Gb;HaY&!a6vhcl$}#~HgRX@Z9i>Z8on=fe5w*7 z^eThT@O?pS8zu~%avcC7+c^U(i3<V>&5`hNKh3Ap#TVx@K%@#K5oKgKcg6a;M3;Ai zCB6!m=z}=d8`Tgf*y&?PPJ!`$Fn)~<FU56y8^-@vx=y~js-|w)$MiS+K%}7@36!Y; zKy+4D>K$mvHRwRal}bd}rw?8LOanN}gd0D5$I-1rIQ!_P{qY^3Nu5RcyPVNKx-i4i zk=1rL-q$g#F(#CBQ;AL0u=L<If%Q<r3^^ZKTD$;<$}-mUQ^Fzo@QnETri@ikF&uwU zeSOabHH~Z1m2|B!^b=gEOJLTDM?ju3Pr}j?#Z?SdEyX$jCk6)0?YNiTL3|O7xEITx z;#U5_wwn68tDb9k^@2uyPd~V5C}RR;YXH>N$~)-ov#{v%djT*MW_SW%0gU?eGCYPZ z1)T;%VAMiJbs%HzABG3Y&psR)!J;Z#jiu+2j!k?Igo`5~_A39z81tclq@b55+Zsmc zc?6q~k-8P^;Wj8ojQq{HG<kB#JqM5n*I?2`OY3{8mN%@mogA^&`vDXG2G^{(r*|Mz z)X=bt0Ers%6Tl52mU<_ymA@iKJ^WP<6Z6#-N%~GKUU|)&6^$z|T-C5&{-*=>Yfu7Z zPoQiK06BBJx3|1y9Lrk=TV;EAbT9zM;ss#m$jZxqh6^s}HfNN-b2g_GbZqUgYns|V zf9B@lJ5NdPoa`BQ0Xn?O;roKxHblN9C!K7LNaI9Nao&A7nMacV%LX0#C&=2eG5`ip z$Y^x#s=DUT{^ZS`<9{b(7UEn!1EWjcBhW^~DddHY!?&P&7$*P#5CBO;K~#nT0=OLr z7COlb!?xo3Yy_uAjq$Fj@cnN`W0gOK(yu;mb;FKJYHJI3Z4T5%mr9_>2$Zz}K+TKO z?5CD9^Bd?Hb8m1YGL$&M5IEZN0-5B}X=0lz_Go1tO@4IvBz0!dr`ZRJT|o3#H0c?N zM20;4C)rGen`%7sS?EdhgOU<_L~rYiM>%B&U(z8Z{$0qK88mNR{s$2bd06S}nAO~z zK7VE7ma66T_f^DWmm7B9XXeFdK^@|D#7@M5d0HU5*n?QcF))#-uy>ef9gNQ<WbBWu zv)`C9weyNu%j+Kf<a6scL+KafXQ{;wNb9Er1_+e50f1IctN6?7#N0s47$qTLSjgyq z7y#%nhV41RCPv`LV)V}_SKelb_6(^YI=U_-Y;2#hXUMC6kwzJX=tA!$L$fp6h5BMj z8Oz5^`GCO;3VH84W9vyduOlv0laG~LSaJNx+E+VguV|`$b$>Dv_tTfb^t#eHeh78i zfVdNR#26@Z&p^f!7De8Hdtx`@>)`MVI<`faj=J21{jc{XDt}z{Y}1pUTG6y!pW?@r zp+O1s6Tp4azgDJ;P1V&YYg4PxJn;g^=m4u(0b0XZM|?C!0EXdmj7v-3nkB2it0<Nn zJnT-amh7@H`iE=t9b&tbYHGygnZ1`zX*qrhJn$Fd_>+h12!12!JTtyfvfIEMcH}<T zb3B#BgMishJKXwr;1&4$RU3Czt*C!8+?u@7vHvf)7T_76dx;6gFKxr|ZN^Y9E_ZQR zVS$v=3sP^Xf1H^`;kOW*x0q=)k^3#u{-5u7p4XcA*I6|Ux6EEqS37s<`h6Jb%Q2<b zTCK4XC@_JtHvoj+<V5GohFk+iM0vdcGKO$g`WDH3<j7FKnTP+dJaX<}a-ee~hv^1u z#fBMLS8R1LanodfMnj&`j0^FJp6C4&6hJ}GH~1zz$2kT_rcNQxkTHcV-{3>u2SO=3 zHB;sU{E{hxxi#x|SJgBvn?0xg#})DDm)Ou($niDS*=k~HM%+cr2Mi1XAcDch&Ja?u zQA7ckHOW7;lF@xP>eU8CzZ2Db6?I=q9xWnrmme1nUAjM<m^XWQ<Im=-X#CR!m>vOx zSP`}dP0*kOii<!&JLF<%>Xw>2lkl9cf)afby^70MFH!0&o&fYR`Sxe0F=L!5Pyc5p z7I>XeF9!pF(U2iUF}il*w~R4Q?{2&;_jmT^%&UNN<1DoMQ$vm`zy=e?0arTg9O)ny zMyFhO*Sv9OgpcD%ITe_I2_`~LrU~XOuYaj(MZ;b3c+<BjmHr~Gqkp#SuEb>w4*|<h z;NAhAy-=+3uv`z;<vN04Ko~hA7iEkCM*5h8>6e8iE)^1M7G;o>6=$Yi?C!v|z8?i` zcaC2+%uf@$+fjq>d*r^v$NB%@?N9#iInOpM6eH&o%hqnYbXl`1d;rs+1df)#1TX;l zkW34?jbt+J(2l;8q2KHXBkU3Map<Ku?UPHVhYBd*7CJ=K%_j@@e@-!m4v^tBZLK}^ zIs1@s`pMI#hcNml=IPihSU?>GUKHMjyl?ws-wUG?FW4^-1{!9_yvOss!W$X`1(wkA zl3McTys+WG+*RwFF(1C9s;2&mXuRQn`j#(*hwKY5;J$@(v;ZdM1BPh@PG~cc*^D&I zty3!z!9d_HoNM_{lTmDop%6ztG5Ur^Lz#WZBi94+vKSVf%p||P-|v`rK@JQL-hgsz zaD6T@>=weQ_PvmC|0|r1U9_`{FJ4~L@U^O%#%oa5|D0XZ_{y9=Z8$IsQy!43K?x{< zF%p<C2EeB3NXj`U&jP#(W>EL|9v09cLD4$&Md;Fo?Hky1aKYPg9R2sz3CiEX;6U#= zP!Cx$86TB>**N+mZK{@0lq6@xh?gY$UXS@p@DP}+9R*m0$}rTM4uz%T&ygPryD%Fn z_{bc*PJqXwBBuhHke7fM1#p|U&syI2`kb1^r>bh|e>r<a!}n)RJL8`_{i&Y~bL`W} zRQhwibC*JCe-&2fw~5UUi0LZByb#M<JTiB{fVi8C`>jOe`wa~0+pzCOLlhxn{sZUb z`|z@T6AFHwCH_aU{w32KU*zpeetyT)_kDSGO~b!et!TV)?uv##%v#>G{=Da2X_?>H z7>~d%C;cb^B~TCoUO}W5k<jd_u$lG}F|S9OJTZ^O(11>h_z2GeFfxsY0l-l9jItbD z{?<<uV>z_8=w8|F#N_R>ZKwCXHf&#JbNWT^Ob=1`Gf=!|WfBVc1r2~2^-NAU8S&+m z<g7W)5EcI6JYzx>b|$9+nlNGlfXAk~+J0fxs_1z&ue5&pg$?h(NZ2s9reRgp%BIKX ztf;?lc1`{5P}*?A*IzSxdEJjO2miyWXB)4Oh<sPhsj2@NjEM!am)GA?^=#c;b7~qN zk~#XhE9+mpKt}SbHf;OI%Eoq#=410wmXtZ-3Tj3rpacRTFrf@RTz5RwZyf(R97=Q! zAzYksY1kw4WaX^$Q)Wp~WF*R-CnG`%WjjRr2_++&%p=0D&>dNI4daYtT)E%(;`;af zdOe@<{;cQuKHt|9Ir&~E(fJNdQ$u=R>Kg2pfVMiqnHM!ZL-i5%k%^Hvc4T|KykJx_ zfU+p;I7m1>L;WUE{6HRqRG0qm@u}Gd*aZ)s?sIVUp`2!YsZKuEl!8jZXaC@IVy9P? z--XS#XaQ+f8SO?Bt1+s8Z^9@Gs5dQ=r`HJo=0N0x6lrM1%<~mTAOG5eda8Uvms>Um zRZ(7pO~XVtafi*Ne<c2Oop$`|Ls#<64Ugs~bm(P?cegC8z8w8Lbak9F;?C&F50BEd zUj@&0Jt9odB=yPXh3;`%RbKi|TwOnvQ6^wLy*0&ky9^Z}4~bpm3{Gv-(yRAlZxBd- zLbn3t1Az|$y@5>6f^c`Tx&4;(DOG-Y0eU3$K<EStu>((<JS1{TUg8(8;f9YsDl~ER zM6Kk7Rn8M?Q~Z=jzh(W9{ygRJ?4H#2*ngB#H7O3=Sk|NtHYqE%s}|}<d1hw1a&^zn z+<5}ajyepWLhDT8W;^EbBn+AZOf$K(NYz^}n`*h<XZ5|B1j0_rp1Cibdh@03T{Snw z?ppw|$i>N)mFs%Y_o;`~NP|<>h3RZ;Uh0Zf7LuLih_{KGBIl`9v@^c3ixixASS;!{ z8}R{k1VIQPvQDWf3$LCuP}G(o&G95%Q*=?c<WJ}dus&n9s^?-`$l99o+s>}1df&t6 zp<mNeOwMR^OPFw5LqNOIG;kc(0MDoKKh!+N)cZ8|r)&t{%?q$|1mY|kQ@3bM^;DjM zNQG^))oq1)`4}fr1oGF}XBIOZ@82HJiy8ig7Ebr?JZ4G!?KM9*IKTZQXiernz5)w@ zdnXn3FA2qQ&)trttUU`ja?!_YeZwfp#HQ%;l(T}e)3Mfda%hlIHZ)V*yUu&EA&fu> ziuiuY{zGsM4;F&K3v&d19xrWC5&4;2Af)Ofgy(7~Q}s44h4XU*hC7_a12@38-+x@v z<S)OCTH9<vg$A;3lUEF8q<a%y_pD%(QTrfk{7SR>f?Ac}L;PMzu^*2lp!3PX9_Aku zgGzeH3Q{+(4t|W16wrM!7W=yi3MBYler{^+M;i_zYjh8f$z8c2%|(p90x>bnvy5w* ztG~-RdA%duyH^J%R3oQ_{S#1KcGI)Wk^T|U>Pa`}@7RXJ&|BI=)K8(Ms8;Z=ZIsYg zUr)WKcYQbh%jmHnXoe?x3hhG}M&5pcUKK;?CmUDJZ0@vu8uvkdUz<O=6Ys%YJZ--D zuFm{2d<P;(xjU!4O(_$jVp~p#Rc^>3DR)Sdwj$n@%^Q>7dMtwE&s{pywqJ3|en)Ds z{qpj*qUTdleYS8UM0zVj4dXeQQcQ^(`4$&)QoE?R(tNv|p8i-!91>d#ZJQCw{ctE= z?W=bXKi~-TQAvJ;9_&x;^R#er^HqGFW<frtn-CW=MdUpt_*qX;Pf$z)3FX0$**YdQ zq!Ki_S%VZ`G^$VJI;L;<wf;7+j@4UrpjzFJu#XtoJf7Izo4-*#8vZFo_@&J2Rd;gU zAyM_AaKi=J)HyzjxKP@cg<nB~<FXw$w!~IHGUt`SR0~c}#6{a0nheZ26T{?qKDPgK ze=NJ2yVc<OJ7T|?nNCgRj5i6z<D=$yo1PqK4q;qdr!oMPd=3q&Ir?7r{x8Aopxc^k zDai&$bMIW?1YEn|van!i7K)-<bSC<=iS9h5dzH1*LF~7$(NdXXZ=+^s=zO)D@*;JO zQWOWD<S$a0cjLQn$0lexw|<Ezc$sK&E3L1tfmo{~o4n|;3BK9c5U27sqsqJdqM-fh zoP@ySoqLiSvMOe4=d-?O%!_4JZnorp(a580{Upf=U(X~5R8CASPmhL`MGsg$)Nu^0 z7N++>G>ivj#q1RQ7zuMd-<0{G{0h0L$cF8}C+E($Oi8PmYHRJ{=AERO7RUH%hYb93 z=(bG#&_?2y@NYq>d7k&IJtta&S4NxXMcpPH8zp=?t(9fX<Bmx+e;1|+1x>|<L0;G% zyCwI-#`)Ei#I80)Z0bT_xQ`8~A#P)#vN6J=hnVSIYm-;Mf_C-3Ky4v-kTgEFmLM%Z zyt4}+&kGiFcj%VzVV5?m;jG|CQ+jvUkBj#LrjIYN=Qif&K8@oEhiB_SULqd`h3QQ7 zFUGoPEkNgPa~iun6^VU=Q6TdhksGh|JUUf)tT)CR9y4X>bJfaWQY+iR<I#dwd2?A^ zL<J&l<|_;;e8^1tx4rmH4MCzs3~f{Hs!ET{gzbSyP30uDf0H&dX*ZvL9+dD(c)Xo) zL}b(|k6Fo>UU7I9!!z`+EU?;US%>vdla?@oTqVw2P@(VYE2@`}u^bE7rKS(}i6Xtf z`eDRX4L6(i75y@BnGDFBR4u1mG}fl|*@jmsS`XiFT5OKE=1?cF_656HxPavlR(;r} zb$Iam^sQ~dxlJxxZV~K|ZKA=aOZO)G-#7%TOZy>I9xa`vvx34EisPYxc~8Z4B1OOv zC@~vf;5HpBCd4xh<@=V#phDej-@IM3K5lcc-hq%sQ8%KIQyWKO-c)7`Ah-h&wj@W| zbV=<t)!|^sw&BZYJub<h>Tj@s>EA2Oc`Krdu}e{DqMcDJQag7KDUgQwTaU1oVt2<V ziXEq*1Q@n+ASwIaMhGS}@_)BAT<RS9n6nhpr{f@Q*vKAT&y-+!l`DT{<O_+g!uPPL zU&~0RYnjHi&&C>|*4$X@y!c>@<UyItwcJFpRSCRUE@&Vwt<^4wyCNhM0^pXi#se>S z&Z704riPBWZTR<gO0_8e;XVy*d=Sfwrzz#$8p+e@&hQf$ZjlTgvCH=qss)fSy_biR zehl;`!?dTmT`Han)@jos=AT5crcQG&Qoh+Yw=V6B5y!Njmz^Uo7ewEujmHq}Ti<8b zA9&x&o&E~$x74Z7yL?h`&7HbLDA(P0&W=tsxH}7kTyX^wV_mC00|46rV}0GT{B~=z zUDq%lY%(vLaFG}%I)0H>)mxG6`B^zWWI>oiJXou!RSAt-kwJJ>X4n7gHOVX+@QxPl zdNn%Y8K1UH7Tg^fK7VbvTr@i*<EwSxiJz|@x4WAU7MaU+9!_*sy|0N6cxN=vw5$Kd zagI`^6oUv1YfWHmUKA-5c8Vs`|I^6Rvy*#RB<GCggulDDnZsoBfXMpYfUAa^ygq05 zAq1qT+G{%^yyiO7!m>*G-U`~zW$K6<F7At;evG~#3>T%-+c9R^_8>};*~yb#^_<Z^ zmc9cg2LielKCyA-jI6)GDVwPHSG0H=QMZj6I1+AoN(y%rAz=Yd>v|`&r4jA#x*+0K zdiuuQZ2d+1O_K@F6i1(VR|Y+H;ua9SP^?t9*D4P%fp-AI?&ZlpmcW~jYnAb7wXYGQ z6+322|Atf-X_@v5*T+2kW**2~>zviGPC<NlJ*49Qt2!ybtDPya6g(`@%MO!>wi5&- zyLZOV)%hD2hAlFi=`V4)?XU|5=Mb9uJAa-@kLtjS^k_N4d}~Ao-cK6!RZ@3d#H)e) zVROD*(RBap#Im4%@PH2a)J<lM#uQ<#gs7<_C2t}=cLe)KE<Mqb;}u=cK#)vG0nXA$ z_dgv7h2xRH8bZ+=BeJnFs^IO-#Q;h^_d=$BE3yT4&K@v}*q`bES!_v*w{f<czmtE2 zOv;#?q!J6gt-Q+bH3|KhdKkPu-G)NxlgsYj^@<-_mT+d}9!q5^1$m@USAK<{G4P$w zjDZ?Q;)&`Pd0oA0kKQzHz0lhmHfbkuRq_C4gO~T>fP+U_NaOdVsbHr8t;3|z3EC{K zW~1V|m+h(y`Bx*>A?`0>IgvtuWH_W|dpC=~&ZUPp<%}Fwx^U0(PZI$*gg&5Eaz1aH zYtQepECqgPkOQQaxBe?RMrR!~UVsk_pJ9v{_dk1!utb)=HUPB<$Jf~GK{t-GmonWr zUh0v_(3LEYd!Py=%j=wQ+?5QLE)Q6`5*FFk_IpU%ID6VFCb`<~`C-N~DH%|i)c4FW z|6TQM(NfqEXj`=QO=94#IarAE5j?a_VES7DV-Y4D&2bngPB=fmx5vOtkHfLd)8qNf z<+$A(1V8LcW2>NTuTn=KyGa3#78t0j@2iWu)ozH;9EoY@cp(7kl}EPPa}3Y23d1rV zLGYO|5G<JmGXkL2ZWa#wg>FFH0bb!3{D1fYlLo)Zo`z?_h90aj{A*(p7>#28?&=l> z0y%>9g`xp3YZwEO(xf~8OA-(48ssF-gOX=<63-L&ddYBO8VuM$O{?_M-Q5%h|CJ*x zjS2fhsV0gc1`|yWyl-K376XZrz@CPpQwFT}8XBHON`<cK=hoQh9?vY2SOsVsi<S=2 zlfg5q7#@n&eg5xW;|K3B&G7o1k+ZR-HGe&KXL$#pY7|S>&+QR*5Wqc<10Zfs5_XG+ zo<vn(a-^{8*)WJV<%LK(0j6nI1&h1W3{1puP>_JmsQm+mqlIGFA5ipg%1FX)=Le5Y zNRZ~VVZyr-1|o12C$0(@5;+I{oUQ(76sC8Z<k*K~hDBH@mINYzf_D=+8J-y!p$|kB zYDn6PF_0K(Y$p^wbGTBHAv>cKv?!z0)seK9RPZeHun+*>e&#mEaD+DlWSSNFZ1yjJ z#EB~d39$6hz0E=zdW$}=LI;a$^%+@zhl976Np6<tK|c`hMfxn=eLfYfGmK)n21lJ{ z##iIq7a6kCAfRKInd8?)7zm3g{wrr>B<aa4BY{ykO;AuTvq35Y0Z&)ria?)8U9AN} zv=7}PwZYq?rx_N#;z7wUJDqo^h&f7+7q~W~jqZJ$^u_FoT@&Gt&@e#&z9He(&rqMJ piladQfJS@s-XH`304RMhG6N|;^m;c~*rGrLFg7sPuQ=@#^*`A4{%HUJ literal 0 HcmV?d00001 diff --git a/web/backend/main.go b/web/backend/main.go index 650540ea8..f2fe3de97 100644 --- a/web/backend/main.go +++ b/web/backend/main.go @@ -22,16 +22,34 @@ import ( "strconv" "time" + "fyne.io/systray" + + "github.com/sipeed/picoclaw/pkg/config" "github.com/sipeed/picoclaw/web/backend/api" "github.com/sipeed/picoclaw/web/backend/launcherconfig" "github.com/sipeed/picoclaw/web/backend/middleware" "github.com/sipeed/picoclaw/web/backend/utils" ) +const ( + appName = "PicoClaw" +) + +var ( + appVersion = config.Version + + server *http.Server + serverAddr string + apiHandler *api.Handler + + noBrowser *bool +) + func main() { port := flag.String("port", "18800", "Port to listen on") public := flag.Bool("public", false, "Listen on all interfaces (0.0.0.0) instead of localhost only") - noBrowser := flag.Bool("no-browser", false, "Do not auto-open browser on startup") + noBrowser = flag.Bool("no-browser", false, "Do not auto-open browser on startup") + lang := flag.String("lang", "", "Language: en (English) or zh (Chinese). Default: auto-detect from system locale") flag.Usage = func() { fmt.Fprintf(os.Stderr, "PicoClaw Launcher - A web-based configuration editor\n\n") @@ -51,6 +69,11 @@ func main() { } flag.Parse() + // Set language from command line or auto-detect + if *lang != "" { + SetLanguage(*lang) + } + // Resolve config path configPath := utils.GetDefaultConfigPath() if flag.NArg() > 0 { @@ -113,7 +136,7 @@ func main() { mux := http.NewServeMux() // API Routes (e.g. /api/status) - apiHandler := api.NewHandler(absPath) + apiHandler = api.NewHandler(absPath) apiHandler.SetServerOptions(portNum, effectivePublic, explicitPublic, launcherCfg.AllowedCIDRs) apiHandler.RegisterRoutes(mux) @@ -145,16 +168,10 @@ func main() { } fmt.Println() - // Auto-open browser - if !*noBrowser { - go func() { - time.Sleep(500 * time.Millisecond) - url := "http://localhost:" + effectivePort - if err := utils.OpenBrowser(url); err != nil { - log.Printf("Warning: Failed to auto-open browser: %v", err) - } - }() - } + // Set server address for systray + serverAddr = fmt.Sprintf("http://localhost:%s", effectivePort) + + // Auto-open browser will be handled by systray onReady // Auto-start gateway after backend starts listening. go func() { @@ -162,8 +179,15 @@ func main() { apiHandler.TryAutoStartGateway() }() - // Start the Server - if err := http.ListenAndServe(addr, handler); err != nil { - log.Fatalf("Server failed to start: %v", err) - } + // Start the Server in a goroutine + server = &http.Server{Addr: addr, Handler: handler} + go func() { + log.Printf("Server listening on %s", addr) + if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed { + log.Fatalf("Server failed to start: %v", err) + } + }() + + // Start system tray + systray.Run(onReady, onExit) } diff --git a/web/backend/systray.go b/web/backend/systray.go new file mode 100644 index 000000000..58ce4984f --- /dev/null +++ b/web/backend/systray.go @@ -0,0 +1,133 @@ +package main + +import ( + "context" + _ "embed" + "fmt" + "time" + + "fyne.io/systray" + + "github.com/sipeed/picoclaw/pkg/logger" + "github.com/sipeed/picoclaw/web/backend/utils" +) + +const ( + browserDelay = 500 * time.Millisecond + shutdownTimeout = 15 * time.Second +) + +// onReady is called when the system tray is ready +func onReady() { + // Set icon and tooltip + systray.SetIcon(getIcon()) + systray.SetTooltip(fmt.Sprintf(T(AppTooltip), appName)) + + // Create menu items + mOpen := systray.AddMenuItem(T(MenuOpen), T(MenuOpenTooltip)) + mAbout := systray.AddMenuItem(T(MenuAbout), T(MenuAboutTooltip)) + + // Add version info under About menu + mVersion := mAbout.AddSubMenuItem(fmt.Sprintf(T(MenuVersion), appVersion), T(MenuVersionTooltip)) + mVersion.Disable() + mRepo := mAbout.AddSubMenuItem(T(MenuGitHub), "") + mDocs := mAbout.AddSubMenuItem(T(MenuDocs), "") + + systray.AddSeparator() + + // Add restart option + mRestart := systray.AddMenuItem(T(MenuRestart), T(MenuRestartTooltip)) + + systray.AddSeparator() + + // Quit option + mQuit := systray.AddMenuItem(T(MenuQuit), T(MenuQuitTooltip)) + + // Handle menu clicks + go func() { + for { + select { + case <-mOpen.ClickedCh: + if err := openBrowser(); err != nil { + logger.Errorf("Failed to open browser: %v", err) + } + + case <-mVersion.ClickedCh: + // Version info - do nothing, just shows current version + + case <-mRepo.ClickedCh: + if err := utils.OpenBrowser("https://github.com/sipeed/picoclaw"); err != nil { + logger.Errorf("Failed to open GitHub: %v", err) + } + + case <-mDocs.ClickedCh: + if err := utils.OpenBrowser(T(DocUrl)); err != nil { + logger.Errorf("Failed to open docs: %v", err) + } + + case <-mRestart.ClickedCh: + fmt.Println("Restart request received...") + if apiHandler != nil { + if pid, err := apiHandler.RestartGateway(); err != nil { + logger.Errorf("Failed to restart gateway: %v", err) + } else { + logger.Infof("Gateway restarted (PID: %d)", pid) + } + } + + case <-mQuit.ClickedCh: + systray.Quit() + } + } + }() + + if !*noBrowser { + // Auto-open browser after systray is ready (if not disabled) + // Check no-browser flag via environment or pass as parameter if needed + if err := openBrowser(); err != nil { + logger.Errorf("Warning: Failed to auto-open browser: %v", err) + } + } +} + +// onExit is called when the system tray is exiting +func onExit() { + fmt.Println(T(Exiting)) + + // First, shutdown API handler to close all SSE connections + if apiHandler != nil { + apiHandler.Shutdown() + } + + if server != nil { + // Disable keep-alive to allow graceful shutdown + server.SetKeepAlivesEnabled(false) + + ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout) + defer cancel() + if err := server.Shutdown(ctx); err != nil { + // Context deadline exceeded is expected if there are active connections + // This is not necessarily an error, so log it at info level + if err == context.DeadlineExceeded { + logger.Infof("Server shutdown timeout after %v, forcing close", shutdownTimeout) + } else { + logger.Errorf("Server shutdown error: %v", err) + } + } else { + logger.Infof("Server shutdown completed successfully") + } + } +} + +// openBrowser opens the PicoClaw web console in the default browser +func openBrowser() error { + if serverAddr == "" { + return fmt.Errorf("server address not set") + } + return utils.OpenBrowser(serverAddr) +} + +// getIcon returns the system tray icon +func getIcon() []byte { + return iconData +} diff --git a/web/backend/systray_unix.go b/web/backend/systray_unix.go new file mode 100644 index 000000000..0f9d2bb51 --- /dev/null +++ b/web/backend/systray_unix.go @@ -0,0 +1,8 @@ +//go:build !windows + +package main + +import _ "embed" + +//go:embed icon.png +var iconData []byte diff --git a/web/backend/systray_windows.go b/web/backend/systray_windows.go new file mode 100644 index 000000000..cc1885155 --- /dev/null +++ b/web/backend/systray_windows.go @@ -0,0 +1,8 @@ +//go:build windows + +package main + +import _ "embed" + +//go:embed icon.ico +var iconData []byte From b402888bfacd559852d2c245d33b578d4d8e2e5a Mon Sep 17 00:00:00 2001 From: Desmond Foo <102380796+SHINE-six@users.noreply.github.com> Date: Tue, 17 Mar 2026 14:41:43 +0800 Subject: [PATCH 37/47] feat(tools): add SpawnStatusTool for reporting subagent statuses (#1540) * feat(tools): add SpawnStatusTool for reporting subagent statuses * feat(tools): enhance SpawnStatusTool to restrict task visibility by conversation context * feat(tests): add Unicode result truncation and channel filtering tests for SpawnStatusTool * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * feat(tools): enhance SpawnStatusTool with task ID validation and sorting by creation timestamp * feat(tools): update SpawnStatusTool description and parameter documentation for clarity * refactor(tests): improve comments for clarity in ChannelFiltering test case * fix(tools): update no subagents message for clarity and remove unnecessary locking in runTask * fix(tools): improve description clarity for SpawnStatusTool regarding task context * feat(tools): add spawn_status tool configuration and registration * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix(agent): improve subagent management for spawn and spawn_status tools * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * fix(tests): update ResultTruncation_Unicode test to use valid CJK character --------- Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Co-authored-by: lxowalle <83055338+lxowalle@users.noreply.github.com> --- pkg/agent/loop.go | 20 +- pkg/config/config.go | 3 + pkg/config/defaults.go | 3 + pkg/tools/spawn_status.go | 178 +++++++++++++++ pkg/tools/spawn_status_test.go | 406 +++++++++++++++++++++++++++++++++ pkg/tools/subagent.go | 28 ++- web/backend/api/tools.go | 14 +- 7 files changed, 641 insertions(+), 11 deletions(-) create mode 100644 pkg/tools/spawn_status.go create mode 100644 pkg/tools/spawn_status_test.go diff --git a/pkg/agent/loop.go b/pkg/agent/loop.go index 182bc0495..8328c691e 100644 --- a/pkg/agent/loop.go +++ b/pkg/agent/loop.go @@ -225,20 +225,26 @@ func registerSharedTools( } } - // Spawn tool with allowlist checker - if cfg.Tools.IsToolEnabled("spawn") { - if cfg.Tools.IsToolEnabled("subagent") { - subagentManager := tools.NewSubagentManager(provider, agent.Model, agent.Workspace) - subagentManager.SetLLMOptions(agent.MaxTokens, agent.Temperature) + // Spawn and spawn_status tools share a SubagentManager. + // Construct it when either tool is enabled (both require subagent). + spawnEnabled := cfg.Tools.IsToolEnabled("spawn") + spawnStatusEnabled := cfg.Tools.IsToolEnabled("spawn_status") + if (spawnEnabled || spawnStatusEnabled) && cfg.Tools.IsToolEnabled("subagent") { + subagentManager := tools.NewSubagentManager(provider, agent.Model, agent.Workspace) + subagentManager.SetLLMOptions(agent.MaxTokens, agent.Temperature) + if spawnEnabled { spawnTool := tools.NewSpawnTool(subagentManager) currentAgentID := agentID spawnTool.SetAllowlistChecker(func(targetAgentID string) bool { return registry.CanSpawnSubagent(currentAgentID, targetAgentID) }) agent.Tools.Register(spawnTool) - } else { - logger.WarnCF("agent", "spawn tool requires subagent to be enabled", nil) } + if spawnStatusEnabled { + agent.Tools.Register(tools.NewSpawnStatusTool(subagentManager)) + } + } else if (spawnEnabled || spawnStatusEnabled) && !cfg.Tools.IsToolEnabled("subagent") { + logger.WarnCF("agent", "spawn/spawn_status tools require subagent to be enabled", nil) } } } diff --git a/pkg/config/config.go b/pkg/config/config.go index ad5618907..35de48f23 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -751,6 +751,7 @@ type ToolsConfig struct { ReadFile ReadFileToolConfig `json:"read_file" envPrefix:"PICOCLAW_TOOLS_READ_FILE_"` SendFile ToolConfig `json:"send_file" envPrefix:"PICOCLAW_TOOLS_SEND_FILE_"` Spawn ToolConfig `json:"spawn" envPrefix:"PICOCLAW_TOOLS_SPAWN_"` + SpawnStatus ToolConfig `json:"spawn_status" envPrefix:"PICOCLAW_TOOLS_SPAWN_STATUS_"` SPI ToolConfig `json:"spi" envPrefix:"PICOCLAW_TOOLS_SPI_"` Subagent ToolConfig `json:"subagent" envPrefix:"PICOCLAW_TOOLS_SUBAGENT_"` WebFetch ToolConfig `json:"web_fetch" envPrefix:"PICOCLAW_TOOLS_WEB_FETCH_"` @@ -1112,6 +1113,8 @@ func (t *ToolsConfig) IsToolEnabled(name string) bool { return t.ReadFile.Enabled case "spawn": return t.Spawn.Enabled + case "spawn_status": + return t.SpawnStatus.Enabled case "spi": return t.SPI.Enabled case "subagent": diff --git a/pkg/config/defaults.go b/pkg/config/defaults.go index a029eeb59..2b177d5de 100644 --- a/pkg/config/defaults.go +++ b/pkg/config/defaults.go @@ -522,6 +522,9 @@ func DefaultConfig() *Config { Spawn: ToolConfig{ Enabled: true, }, + SpawnStatus: ToolConfig{ + Enabled: false, + }, SPI: ToolConfig{ Enabled: false, // Hardware tool - Linux only }, diff --git a/pkg/tools/spawn_status.go b/pkg/tools/spawn_status.go new file mode 100644 index 000000000..416fd2226 --- /dev/null +++ b/pkg/tools/spawn_status.go @@ -0,0 +1,178 @@ +package tools + +import ( + "context" + "fmt" + "sort" + "strings" + "time" +) + +// SpawnStatusTool reports the status of subagents that were spawned via the +// spawn tool. It can query a specific task by ID, or list every known task with +// a summary count broken-down by status. +type SpawnStatusTool struct { + manager *SubagentManager +} + +// NewSpawnStatusTool creates a SpawnStatusTool backed by the given manager. +func NewSpawnStatusTool(manager *SubagentManager) *SpawnStatusTool { + return &SpawnStatusTool{manager: manager} +} + +func (t *SpawnStatusTool) Name() string { + return "spawn_status" +} + +func (t *SpawnStatusTool) Description() string { + return "Get the status of spawned subagents. " + + "Returns a list of all subagents and their current state " + + "(running, completed, failed, or canceled), or retrieves details " + + "for a specific subagent task when task_id is provided. " + + "Results are scoped to the current conversation's channel and chat ID; " + + "all tasks are listed only when no channel/chat context is injected " + + "(e.g. direct programmatic calls via Execute)." +} + +func (t *SpawnStatusTool) Parameters() map[string]any { + return map[string]any{ + "type": "object", + "properties": map[string]any{ + "task_id": map[string]any{ + "type": "string", + "description": "Optional task ID (e.g. \"subagent-1\") to inspect a specific " + + "subagent. When omitted, all visible subagents are listed.", + }, + }, + "required": []string{}, + } +} + +func (t *SpawnStatusTool) Execute(ctx context.Context, args map[string]any) *ToolResult { + if t.manager == nil { + return ErrorResult("Subagent manager not configured") + } + + // Derive the calling conversation's identity so we can scope results to the + // current chat only — preventing cross-conversation task leakage in + // multi-user deployments. + callerChannel := ToolChannel(ctx) + callerChatID := ToolChatID(ctx) + + var taskID string + if rawTaskID, ok := args["task_id"]; ok && rawTaskID != nil { + taskIDStr, ok := rawTaskID.(string) + if !ok { + return ErrorResult("task_id must be a string") + } + taskID = strings.TrimSpace(taskIDStr) + } + + if taskID != "" { + // GetTaskCopy returns a consistent snapshot under the manager lock, + // eliminating any data race with the concurrent subagent goroutine. + taskCopy, ok := t.manager.GetTaskCopy(taskID) + if !ok { + return ErrorResult(fmt.Sprintf("No subagent found with task ID: %s", taskID)) + } + + // Restrict lookup to tasks that belong to this conversation. + if callerChannel != "" && taskCopy.OriginChannel != "" && taskCopy.OriginChannel != callerChannel { + return ErrorResult(fmt.Sprintf("No subagent found with task ID: %s", taskID)) + } + if callerChatID != "" && taskCopy.OriginChatID != "" && taskCopy.OriginChatID != callerChatID { + return ErrorResult(fmt.Sprintf("No subagent found with task ID: %s", taskID)) + } + + return NewToolResult(spawnStatusFormatTask(&taskCopy)) + } + + // ListTaskCopies returns consistent snapshots under the manager lock. + origTasks := t.manager.ListTaskCopies() + if len(origTasks) == 0 { + return NewToolResult("No subagents have been spawned yet.") + } + + tasks := make([]*SubagentTask, 0, len(origTasks)) + for i := range origTasks { + cpy := &origTasks[i] + + // Filter to tasks that originate from the current conversation only. + if callerChannel != "" && cpy.OriginChannel != "" && cpy.OriginChannel != callerChannel { + continue + } + if callerChatID != "" && cpy.OriginChatID != "" && cpy.OriginChatID != callerChatID { + continue + } + + tasks = append(tasks, cpy) + } + + if len(tasks) == 0 { + return NewToolResult("No subagents found for this conversation.") + } + + // Order by creation time (ascending) so spawning order is preserved. + // Fall back to ID string for tasks created in the same millisecond. + sort.Slice(tasks, func(i, j int) bool { + if tasks[i].Created != tasks[j].Created { + return tasks[i].Created < tasks[j].Created + } + return tasks[i].ID < tasks[j].ID + }) + + counts := map[string]int{} + for _, task := range tasks { + counts[task.Status]++ + } + + var sb strings.Builder + sb.WriteString(fmt.Sprintf("Subagent status report (%d total):\n", len(tasks))) + for _, status := range []string{"running", "completed", "failed", "canceled"} { + if n := counts[status]; n > 0 { + label := strings.ToUpper(status[:1]) + status[1:] + ":" + sb.WriteString(fmt.Sprintf(" %-10s %d\n", label, n)) + } + } + sb.WriteString("\n") + + for _, task := range tasks { + sb.WriteString(spawnStatusFormatTask(task)) + sb.WriteString("\n\n") + } + + return NewToolResult(strings.TrimRight(sb.String(), "\n")) +} + +// spawnStatusFormatTask renders a single SubagentTask as a human-readable block. +func spawnStatusFormatTask(task *SubagentTask) string { + var sb strings.Builder + + header := fmt.Sprintf("[%s] status=%s", task.ID, task.Status) + if task.Label != "" { + header += fmt.Sprintf(" label=%q", task.Label) + } + if task.AgentID != "" { + header += fmt.Sprintf(" agent=%s", task.AgentID) + } + if task.Created > 0 { + created := time.UnixMilli(task.Created).UTC().Format("2006-01-02 15:04:05 UTC") + header += fmt.Sprintf(" created=%s", created) + } + sb.WriteString(header) + + if task.Task != "" { + sb.WriteString(fmt.Sprintf("\n task: %s", task.Task)) + } + if task.Result != "" { + result := task.Result + const maxResultLen = 300 + runes := []rune(result) + if len(runes) > maxResultLen { + result = string(runes[:maxResultLen]) + "…" + } + sb.WriteString(fmt.Sprintf("\n result: %s", result)) + } + + return sb.String() +} diff --git a/pkg/tools/spawn_status_test.go b/pkg/tools/spawn_status_test.go new file mode 100644 index 000000000..9c772d61a --- /dev/null +++ b/pkg/tools/spawn_status_test.go @@ -0,0 +1,406 @@ +package tools + +import ( + "context" + "fmt" + "strings" + "testing" + "time" +) + +func TestSpawnStatusTool_Name(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + if tool.Name() != "spawn_status" { + t.Errorf("Expected name 'spawn_status', got '%s'", tool.Name()) + } +} + +func TestSpawnStatusTool_Description(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + desc := tool.Description() + if desc == "" { + t.Error("Description should not be empty") + } + if !strings.Contains(strings.ToLower(desc), "subagent") { + t.Errorf("Description should mention 'subagent', got: %s", desc) + } +} + +func TestSpawnStatusTool_Parameters(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + params := tool.Parameters() + if params["type"] != "object" { + t.Errorf("Expected type 'object', got: %v", params["type"]) + } + props, ok := params["properties"].(map[string]any) + if !ok { + t.Fatal("Expected 'properties' to be a map") + } + if _, hasTaskID := props["task_id"]; !hasTaskID { + t.Error("Expected 'task_id' parameter in properties") + } +} + +func TestSpawnStatusTool_NilManager(t *testing.T) { + tool := &SpawnStatusTool{manager: nil} + result := tool.Execute(context.Background(), map[string]any{}) + if !result.IsError { + t.Error("Expected error result when manager is nil") + } +} + +func TestSpawnStatusTool_Empty(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + tool := NewSpawnStatusTool(manager) + + result := tool.Execute(context.Background(), map[string]any{}) + if result.IsError { + t.Fatalf("Expected success, got error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "No subagents") { + t.Errorf("Expected 'No subagents' message, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ListAll(t *testing.T) { + provider := &MockLLMProvider{} + workspace := t.TempDir() + manager := NewSubagentManager(provider, "test-model", workspace) + + now := time.Now().UnixMilli() + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", + Task: "Do task A", + Label: "task-a", + Status: "running", + Created: now, + } + manager.tasks["subagent-2"] = &SubagentTask{ + ID: "subagent-2", + Task: "Do task B", + Label: "task-b", + Status: "completed", + Result: "Done successfully", + Created: now, + } + manager.tasks["subagent-3"] = &SubagentTask{ + ID: "subagent-3", + Task: "Do task C", + Status: "failed", + Result: "Error: something went wrong", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{}) + + if result.IsError { + t.Fatalf("Expected success, got error: %s", result.ForLLM) + } + + // Summary header + if !strings.Contains(result.ForLLM, "3 total") { + t.Errorf("Expected total count in header, got: %s", result.ForLLM) + } + + // Individual task IDs + for _, id := range []string{"subagent-1", "subagent-2", "subagent-3"} { + if !strings.Contains(result.ForLLM, id) { + t.Errorf("Expected task %s in output, got:\n%s", id, result.ForLLM) + } + } + + // Status values + for _, status := range []string{"running", "completed", "failed"} { + if !strings.Contains(result.ForLLM, status) { + t.Errorf("Expected status '%s' in output, got:\n%s", status, result.ForLLM) + } + } + + // Result content + if !strings.Contains(result.ForLLM, "Done successfully") { + t.Errorf("Expected result text in output, got:\n%s", result.ForLLM) + } +} + +func TestSpawnStatusTool_GetByID(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-42"] = &SubagentTask{ + ID: "subagent-42", + Task: "Specific task", + Label: "my-task", + Status: "failed", + Result: "Something went wrong", + Created: time.Now().UnixMilli(), + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{"task_id": "subagent-42"}) + + if result.IsError { + t.Fatalf("Expected success, got error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "subagent-42") { + t.Errorf("Expected task ID in output, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "failed") { + t.Errorf("Expected status 'failed' in output, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "Something went wrong") { + t.Errorf("Expected result text in output, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "my-task") { + t.Errorf("Expected label in output, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_GetByID_NotFound(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + tool := NewSpawnStatusTool(manager) + + result := tool.Execute(context.Background(), map[string]any{"task_id": "nonexistent-999"}) + if !result.IsError { + t.Errorf("Expected error for nonexistent task, got: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "nonexistent-999") { + t.Errorf("Expected task ID in error message, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_TaskID_NonString(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + tool := NewSpawnStatusTool(manager) + + for _, badVal := range []any{42, 3.14, true, map[string]any{"x": 1}, []string{"a"}} { + result := tool.Execute(context.Background(), map[string]any{"task_id": badVal}) + if !result.IsError { + t.Errorf("Expected error for task_id=%T(%v), got success: %s", badVal, badVal, result.ForLLM) + } + if !strings.Contains(result.ForLLM, "task_id must be a string") { + t.Errorf("Expected type-error message, got: %s", result.ForLLM) + } + } +} + +func TestSpawnStatusTool_ResultTruncation(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + longResult := strings.Repeat("X", 500) + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", + Task: "Long task", + Status: "completed", + Result: longResult, + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{"task_id": "subagent-1"}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + // Output should be shorter than the raw result due to truncation + if len(result.ForLLM) >= len(longResult) { + t.Errorf("Expected result to be truncated, but ForLLM is %d chars", len(result.ForLLM)) + } + if !strings.Contains(result.ForLLM, "…") { + t.Errorf("Expected truncation indicator '…' in output, got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ResultTruncation_Unicode(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + // Each CJK rune is 3 bytes; 400 runes = 1200 bytes — well over the 300-rune limit. + cjkChar := string(rune(0x5b57)) + longResult := strings.Repeat(cjkChar, 400) + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", + Task: "Unicode task", + Status: "completed", + Result: longResult, + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{"task_id": "subagent-1"}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "…") { + t.Errorf("Expected truncation indicator in output") + } + // The truncated result must be valid UTF-8 (no split rune boundaries). + if !strings.Contains(result.ForLLM, cjkChar) { + t.Errorf("Expected CJK runes to appear intact in output") + } +} + +func TestSpawnStatusTool_StatusCounts(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + for i, status := range []string{"running", "running", "completed", "failed", "canceled"} { + id := fmt.Sprintf("subagent-%d", i+1) + manager.tasks[id] = &SubagentTask{ID: id, Task: "t", Status: status} + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + // The summary line should mention all statuses that have counts + for _, want := range []string{"Running:", "Completed:", "Failed:", "Canceled:"} { + if !strings.Contains(result.ForLLM, want) { + t.Errorf("Expected %q in summary, got:\n%s", want, result.ForLLM) + } + } +} + +func TestSpawnStatusTool_SortByCreatedTimestamp(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + now := time.Now().UnixMilli() + manager.mu.Lock() + // Intentionally insert with out-of-order IDs and timestamps that reflect + // true spawn order: subagent-2 was spawned first, subagent-10 second. + manager.tasks["subagent-10"] = &SubagentTask{ + ID: "subagent-10", Task: "second", Status: "running", + Created: now + 1, + } + manager.tasks["subagent-2"] = &SubagentTask{ + ID: "subagent-2", Task: "first", Status: "running", + Created: now, + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + result := tool.Execute(context.Background(), map[string]any{}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + + pos2 := strings.Index(result.ForLLM, "subagent-2") + pos10 := strings.Index(result.ForLLM, "subagent-10") + if pos2 < 0 || pos10 < 0 { + t.Fatalf("Both task IDs should appear in output:\n%s", result.ForLLM) + } + if pos2 > pos10 { + t.Errorf("Expected subagent-2 (created first) to appear before subagent-10, but got:\n%s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ChannelFiltering_ListAll(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", Task: "mine", Status: "running", + OriginChannel: "telegram", OriginChatID: "chat-A", + } + manager.tasks["subagent-2"] = &SubagentTask{ + ID: "subagent-2", Task: "other user", Status: "running", + OriginChannel: "telegram", OriginChatID: "chat-B", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + + // Caller is chat-A — should only see subagent-1. + ctx := WithToolContext(context.Background(), "telegram", "chat-A") + result := tool.Execute(ctx, map[string]any{}) + + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "subagent-1") { + t.Errorf("Expected own task in output, got:\n%s", result.ForLLM) + } + if strings.Contains(result.ForLLM, "subagent-2") { + t.Errorf("Should NOT see other chat's task, got:\n%s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ChannelFiltering_GetByID(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-99"] = &SubagentTask{ + ID: "subagent-99", Task: "secret", Status: "completed", Result: "private data", + OriginChannel: "slack", OriginChatID: "room-Z", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + + // Different chat trying to look up subagent-99 by ID. + ctx := WithToolContext(context.Background(), "slack", "room-OTHER") + result := tool.Execute(ctx, map[string]any{"task_id": "subagent-99"}) + + if !result.IsError { + t.Errorf("Expected error (cross-chat lookup blocked), got: %s", result.ForLLM) + } +} + +func TestSpawnStatusTool_ChannelFiltering_NoContext(t *testing.T) { + provider := &MockLLMProvider{} + manager := NewSubagentManager(provider, "test-model", "/tmp/test") + + manager.mu.Lock() + manager.tasks["subagent-1"] = &SubagentTask{ + ID: "subagent-1", Task: "t", Status: "completed", + OriginChannel: "telegram", OriginChatID: "chat-A", + } + manager.mu.Unlock() + + tool := NewSpawnStatusTool(manager) + + // No ToolContext injected (e.g. a direct programmatic call that bypasses + // WithToolContext entirely) — callerChannel and callerChatID are both "". + // Note: the normal CLI path uses ProcessDirectWithChannel("cli", "direct"), + // which *does* inject a non-empty context; this test covers the case where + // no context injection happens at all. + // The filter conditions require a non-empty caller value, so all tasks pass through. + result := tool.Execute(context.Background(), map[string]any{}) + if result.IsError { + t.Fatalf("Unexpected error: %s", result.ForLLM) + } + if !strings.Contains(result.ForLLM, "subagent-1") { + t.Errorf("Expected task visible from no-context caller, got:\n%s", result.ForLLM) + } +} diff --git a/pkg/tools/subagent.go b/pkg/tools/subagent.go index e51cbaafa..c37a5ee0f 100644 --- a/pkg/tools/subagent.go +++ b/pkg/tools/subagent.go @@ -109,9 +109,6 @@ func (sm *SubagentManager) Spawn( } func (sm *SubagentManager) runTask(ctx context.Context, task *SubagentTask, callback AsyncCallback) { - task.Status = "running" - task.Created = time.Now().UnixMilli() - // Build system prompt for subagent systemPrompt := `You are a subagent. Complete the given task independently and report the result. You have access to tools - use them as needed to complete your task. @@ -219,6 +216,18 @@ func (sm *SubagentManager) GetTask(taskID string) (*SubagentTask, bool) { return task, ok } +// GetTaskCopy returns a copy of the task with the given ID, taken under the +// read lock, so the caller receives a consistent snapshot with no data race. +func (sm *SubagentManager) GetTaskCopy(taskID string) (SubagentTask, bool) { + sm.mu.RLock() + defer sm.mu.RUnlock() + task, ok := sm.tasks[taskID] + if !ok { + return SubagentTask{}, false + } + return *task, true +} + func (sm *SubagentManager) ListTasks() []*SubagentTask { sm.mu.RLock() defer sm.mu.RUnlock() @@ -230,6 +239,19 @@ func (sm *SubagentManager) ListTasks() []*SubagentTask { return tasks } +// ListTaskCopies returns value copies of all tasks, taken under the read lock, +// so callers receive consistent snapshots with no data race. +func (sm *SubagentManager) ListTaskCopies() []SubagentTask { + sm.mu.RLock() + defer sm.mu.RUnlock() + + copies := make([]SubagentTask, 0, len(sm.tasks)) + for _, task := range sm.tasks { + copies = append(copies, *task) + } + return copies +} + // SubagentTool executes a subagent task synchronously and returns the result. // Unlike SpawnTool which runs tasks asynchronously, SubagentTool waits for completion // and returns the result directly in the ToolResult. diff --git a/web/backend/api/tools.go b/web/backend/api/tools.go index 373a3be12..9df4a7091 100644 --- a/web/backend/api/tools.go +++ b/web/backend/api/tools.go @@ -118,6 +118,12 @@ var toolCatalog = []toolCatalogEntry{ Category: "agents", ConfigKey: "spawn", }, + { + Name: "spawn_status", + Description: "Query the status of spawned subagents.", + Category: "agents", + ConfigKey: "spawn_status", + }, { Name: "i2c", Description: "Interact with I2C hardware devices exposed on the host.", @@ -205,7 +211,7 @@ func buildToolSupport(cfg *config.Config) []toolSupportItem { reasonCode = "requires_skills" } } - case "spawn": + case "spawn", "spawn_status": if cfg.Tools.IsToolEnabled(entry.ConfigKey) { if cfg.Tools.IsToolEnabled("subagent") { status = "enabled" @@ -300,6 +306,12 @@ func applyToolState(cfg *config.Config, toolName string, enabled bool) error { if enabled { cfg.Tools.Subagent.Enabled = true } + case "spawn_status": + cfg.Tools.SpawnStatus.Enabled = enabled + if enabled { + cfg.Tools.Spawn.Enabled = true + cfg.Tools.Subagent.Enabled = true + } case "i2c": cfg.Tools.I2C.Enabled = enabled case "spi": From 0499cdab72ea13f74100b9bcf57d9cf88a4ba1d4 Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 15:23:49 +0800 Subject: [PATCH 38/47] build: use WEB_GO for web targets and preserve backend dist directory (#1671) Separate web Go commands from the default Go toolchain so web builds, tests, and vet can enable CGO on Darwin without affecting the rest of the project. Also ensure frontend backend builds recreate backend/dist with a .gitkeep file so the embedded output directory remains tracked. --- Makefile | 8 +++++-- web/Makefile | 21 ++++++++++--------- web/frontend/package.json | 2 +- .../scripts/ensure-backend-gitkeep.cjs | 9 ++++++++ 4 files changed, 27 insertions(+), 13 deletions(-) create mode 100644 web/frontend/scripts/ensure-backend-gitkeep.cjs diff --git a/Makefile b/Makefile index 4f4a7a6cb..1c6b73591 100644 --- a/Makefile +++ b/Makefile @@ -16,6 +16,7 @@ LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COM # Go variables GO?=CGO_ENABLED=0 go +WEB_GO?=$(GO) GOFLAGS?=-v -tags stdjson # Patch MIPS LE ELF e_flags (offset 36) for NaN2008-only kernels (e.g. Ingenic X2600). @@ -79,6 +80,7 @@ ifeq ($(UNAME_S),Linux) endif else ifeq ($(UNAME_S),Darwin) PLATFORM=darwin + WEB_GO=CGO_ENABLED=1 go ifeq ($(UNAME_M),x86_64) ARCH=amd64 else ifeq ($(UNAME_M),arm64) @@ -119,7 +121,7 @@ build-launcher: echo "Building frontend..."; \ cd web/frontend && pnpm install && pnpm build:backend; \ fi - @$(GO) build $(GOFLAGS) -o $(BUILD_DIR)/picoclaw-launcher-$(PLATFORM)-$(ARCH) ./web/backend + @$(WEB_GO) build $(GOFLAGS) -o $(BUILD_DIR)/picoclaw-launcher-$(PLATFORM)-$(ARCH) ./web/backend @ln -sf picoclaw-launcher-$(PLATFORM)-$(ARCH) $(BUILD_DIR)/picoclaw-launcher @echo "Build complete: $(BUILD_DIR)/picoclaw-launcher" @@ -219,7 +221,9 @@ clean: ## vet: Run go vet for static analysis vet: generate - @$(GO) vet ./... + @packages="$$(go list ./...)" && \ + $(GO) vet $$(printf '%s\n' "$$packages" | grep -v '^github.com/sipeed/picoclaw/web/') + @cd web/backend && $(WEB_GO) vet ./... ## test: Test Go code test: generate diff --git a/web/Makefile b/web/Makefile index 653dd77e1..5943924f2 100644 --- a/web/Makefile +++ b/web/Makefile @@ -1,17 +1,18 @@ .PHONY: dev dev-frontend dev-backend build test lint clean +# Go variables +GO?=CGO_ENABLED=0 go +WEB_GO?=$(GO) +GOFLAGS?=-v -tags stdjson + # Version VERSION?=$(shell git describe --tags --always --dirty 2>/dev/null || echo "dev") GIT_COMMIT=$(shell git rev-parse --short=8 HEAD 2>/dev/null || echo "dev") BUILD_TIME=$(shell date +%FT%T%z) -GO_VERSION=$(shell $(GO) version | awk '{print $$3}') +GO_VERSION=$(shell $(WEB_GO) version | awk '{print $$3}') CONFIG_PKG=github.com/sipeed/picoclaw/pkg/config LDFLAGS=-X $(CONFIG_PKG).Version=$(VERSION) -X $(CONFIG_PKG).GitCommit=$(GIT_COMMIT) -X $(CONFIG_PKG).BuildTime=$(BUILD_TIME) -X $(CONFIG_PKG).GoVersion=$(GO_VERSION) -s -w -# Go variables -GO?=CGO_ENABLED=0 go -GOFLAGS?=-v -tags stdjson - # OS detection UNAME_S:=$(shell uname -s) @@ -37,7 +38,7 @@ ifeq ($(UNAME_S),Linux) endif else ifeq ($(UNAME_S),Darwin) PLATFORM=darwin - GO=CGO_ENABLED=1 go + WEB_GO=CGO_ENABLED=1 go ifeq ($(UNAME_M),x86_64) ARCH=amd64 else ifeq ($(UNAME_M),arm64) @@ -69,21 +70,21 @@ dev-frontend: # Start backend dev server dev-backend: - cd backend && ${GO} run -ldflags "$(LDFLAGS)" . + cd backend && ${WEB_GO} run -ldflags "$(LDFLAGS)" . # Build frontend and embed into Go binary build: cd frontend && pnpm build:backend - cd backend && ${GO} build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o picoclaw-web . + cd backend && ${WEB_GO} build $(GOFLAGS) -ldflags "$(LDFLAGS)" -o picoclaw-web . # Run all tests test: - cd backend && ${GO} test ./... + cd backend && ${WEB_GO} test ./... cd frontend && pnpm lint # Lint and format lint: - cd backend && ${GO} vet ./... + cd backend && ${WEB_GO} vet ./... cd frontend && pnpm check # Clean build artifacts diff --git a/web/frontend/package.json b/web/frontend/package.json index 973586519..2e0e37117 100644 --- a/web/frontend/package.json +++ b/web/frontend/package.json @@ -6,7 +6,7 @@ "scripts": { "dev": "vite", "build": "tsc -b && vite build", - "build:backend": "tsc -b && vite build --outDir ../backend/dist --emptyOutDir", + "build:backend": "tsc -b && vite build --outDir ../backend/dist --emptyOutDir && node ./scripts/ensure-backend-gitkeep.cjs", "lint": "eslint .", "preview": "vite preview", "format": "prettier --check .", diff --git a/web/frontend/scripts/ensure-backend-gitkeep.cjs b/web/frontend/scripts/ensure-backend-gitkeep.cjs new file mode 100644 index 000000000..db9782ab4 --- /dev/null +++ b/web/frontend/scripts/ensure-backend-gitkeep.cjs @@ -0,0 +1,9 @@ +const fs = require("node:fs") +const path = require("node:path") + +const gitkeepPath = path.resolve(__dirname, "../../backend/dist/.gitkeep") +const gitkeepContents = + "# Keep the embedded web backend dist directory in version control.\n" + +fs.mkdirSync(path.dirname(gitkeepPath), { recursive: true }) +fs.writeFileSync(gitkeepPath, gitkeepContents) From 11207186c8d99e4286ad8fb8a6e3c7dee0974c05 Mon Sep 17 00:00:00 2001 From: Liu Yuan <namei.unix@gmail.com> Date: Tue, 17 Mar 2026 17:36:06 +0800 Subject: [PATCH 39/47] fix: proxy WebSocket through web server port (#1665) - Modify buildWsURL to use web server port (18800) instead of gateway port (18790) - Add WebSocket proxy handler to forward /pico/ws to gateway - Gateway port is read from config (cfg.Gateway.Port), defaults to 18790 - This allows WebSocket connections through the same port as the web UI, avoiding the need to expose extra ports for Tailscale/Docker --- web/backend/api/gateway_host.go | 8 ++++++- web/backend/api/gateway_host_test.go | 16 ++++++------- web/backend/api/pico.go | 35 ++++++++++++++++++++++++++++ 3 files changed, 50 insertions(+), 9 deletions(-) diff --git a/web/backend/api/gateway_host.go b/web/backend/api/gateway_host.go index 5ef3ba2c5..8dde29b76 100644 --- a/web/backend/api/gateway_host.go +++ b/web/backend/api/gateway_host.go @@ -80,5 +80,11 @@ func (h *Handler) buildWsURL(r *http.Request, cfg *config.Config) string { if host == "" || host == "0.0.0.0" { host = requestHostName(r) } - return requestWSScheme(r) + "://" + net.JoinHostPort(host, strconv.Itoa(cfg.Gateway.Port)) + "/pico/ws" + // Use web server port instead of gateway port to avoid exposing extra ports + // The WebSocket connection will be proxied by the backend to the gateway + wsPort := h.serverPort + if wsPort == 0 { + wsPort = 18800 // default web server port + } + return requestWSScheme(r) + "://" + net.JoinHostPort(host, strconv.Itoa(wsPort)) + "/pico/ws" } diff --git a/web/backend/api/gateway_host_test.go b/web/backend/api/gateway_host_test.go index 43e84ff0e..3fffeb893 100644 --- a/web/backend/api/gateway_host_test.go +++ b/web/backend/api/gateway_host_test.go @@ -48,8 +48,8 @@ func TestBuildWsURLUsesRequestHostWhenLauncherPublicSaved(t *testing.T) { req := httptest.NewRequest("GET", "http://launcher.local/api/pico/token", nil) req.Host = "192.168.1.9:18800" - if got := h.buildWsURL(req, cfg); got != "ws://192.168.1.9:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "ws://192.168.1.9:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "ws://192.168.1.9:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "ws://192.168.1.9:18800/pico/ws") } } @@ -71,8 +71,8 @@ func TestBuildWsURLUsesWSSWhenForwardedProtoIsHTTPS(t *testing.T) { req.Host = "chat.example.com" req.Header.Set("X-Forwarded-Proto", "https") - if got := h.buildWsURL(req, cfg); got != "wss://chat.example.com:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "wss://chat.example.com:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "wss://chat.example.com:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://chat.example.com:18800/pico/ws") } } @@ -88,8 +88,8 @@ func TestBuildWsURLUsesWSSWhenRequestIsTLS(t *testing.T) { req.Host = "secure.example.com" req.TLS = &tls.ConnectionState{} - if got := h.buildWsURL(req, cfg); got != "wss://secure.example.com:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "wss://secure.example.com:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "wss://secure.example.com:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "wss://secure.example.com:18800/pico/ws") } } @@ -106,7 +106,7 @@ func TestBuildWsURLPrefersForwardedHTTPOverTLS(t *testing.T) { req.TLS = &tls.ConnectionState{} req.Header.Set("X-Forwarded-Proto", "http") - if got := h.buildWsURL(req, cfg); got != "ws://chat.example.com:18790/pico/ws" { - t.Fatalf("buildWsURL() = %q, want %q", got, "ws://chat.example.com:18790/pico/ws") + if got := h.buildWsURL(req, cfg); got != "ws://chat.example.com:18800/pico/ws" { + t.Fatalf("buildWsURL() = %q, want %q", got, "ws://chat.example.com:18800/pico/ws") } } diff --git a/web/backend/api/pico.go b/web/backend/api/pico.go index 2d2201e16..d11f7bc5e 100644 --- a/web/backend/api/pico.go +++ b/web/backend/api/pico.go @@ -6,6 +6,8 @@ import ( "encoding/json" "fmt" "net/http" + "net/http/httputil" + "net/url" "time" "github.com/sipeed/picoclaw/pkg/config" @@ -16,6 +18,39 @@ func (h *Handler) registerPicoRoutes(mux *http.ServeMux) { mux.HandleFunc("GET /api/pico/token", h.handleGetPicoToken) mux.HandleFunc("POST /api/pico/token", h.handleRegenPicoToken) mux.HandleFunc("POST /api/pico/setup", h.handlePicoSetup) + + // WebSocket proxy: forward /pico/ws to gateway + // This allows the frontend to connect via the same port as the web UI, + // avoiding the need to expose extra ports for WebSocket communication. + wsProxy := h.createWsProxy() + mux.HandleFunc("GET /pico/ws", h.handleWebSocketProxy(wsProxy)) +} + +// createWsProxy creates a reverse proxy to the gateway WebSocket endpoint. +// The gateway port is read from the configuration. +func (h *Handler) createWsProxy() *httputil.ReverseProxy { + cfg, err := config.LoadConfig(h.configPath) + gatewayPort := 18790 // default + if err == nil && cfg.Gateway.Port != 0 { + gatewayPort = cfg.Gateway.Port + } + gatewayURL, _ := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", gatewayPort)) + wsProxy := httputil.NewSingleHostReverseProxy(gatewayURL) + wsProxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) { + http.Error(w, "Gateway unavailable: "+err.Error(), http.StatusBadGateway) + } + return wsProxy +} + +// handleWebSocketProxy wraps a reverse proxy to handle WebSocket connections. +// It ensures the Connection and Upgrade headers are properly forwarded. +func (h *Handler) handleWebSocketProxy(proxy *httputil.ReverseProxy) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + // Set headers for WebSocket upgrade + r.Header.Set("Connection", "upgrade") + r.Header.Set("Upgrade", "websocket") + proxy.ServeHTTP(w, r) + } } // handleGetPicoToken returns the current WS token and URL for the frontend. From 8a44410e378b8a4e7789e2b3941001f4bddd5ad3 Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 18:46:00 +0800 Subject: [PATCH 40/47] feat: add web gateway hot reload and polling state sync (#1684) * feat(gateway): support hot reload and empty startup - extract gateway runtime into pkg/gateway - add gateway.hot_reload config with default and example values - allow starting the gateway without a default model via --allow-empty - stop treating missing enabled channels as a startup error - update related tests * feat: replace gateway SSE updates with polling-based state sync - remove gateway SSE broadcasting and event endpoint - add polling-based gateway status refresh with stopping state handling - detect when gateway restart is required after default model changes - resolve gateway health and websocket proxy targets from configured host - update gateway UI labels and add backend/frontend test coverage --- cmd/picoclaw/internal/gateway/command.go | 12 +- cmd/picoclaw/internal/gateway/command_test.go | 1 + config/config.example.json | 3 +- pkg/channels/manager.go | 1 - pkg/config/config.go | 5 +- pkg/config/config_test.go | 3 + pkg/config/defaults.go | 5 +- .../helpers.go => pkg/gateway/gateway.go | 262 ++++++++---------- web/backend/api/events.go | 80 ------ web/backend/api/gateway.go | 209 ++++---------- web/backend/api/gateway_host.go | 18 ++ web/backend/api/gateway_host_test.go | 76 +++++ web/backend/api/gateway_test.go | 129 +++++++++ web/backend/api/pico.go | 24 +- web/backend/api/pico_test.go | 77 +++++ web/backend/api/router.go | 5 +- web/backend/middleware/middleware.go | 5 +- web/backend/systray.go | 2 +- web/frontend/src/components/app-header.tsx | 34 ++- web/frontend/src/hooks/use-gateway-logs.ts | 4 +- web/frontend/src/hooks/use-gateway.ts | 138 ++------- web/frontend/src/i18n/locales/en.json | 3 +- web/frontend/src/i18n/locales/zh.json | 3 +- web/frontend/src/store/gateway.ts | 144 +++++++++- 24 files changed, 700 insertions(+), 543 deletions(-) rename cmd/picoclaw/internal/gateway/helpers.go => pkg/gateway/gateway.go (61%) delete mode 100644 web/backend/api/events.go diff --git a/cmd/picoclaw/internal/gateway/command.go b/cmd/picoclaw/internal/gateway/command.go index bfa69f072..4812f1bee 100644 --- a/cmd/picoclaw/internal/gateway/command.go +++ b/cmd/picoclaw/internal/gateway/command.go @@ -5,6 +5,8 @@ import ( "github.com/spf13/cobra" + "github.com/sipeed/picoclaw/cmd/picoclaw/internal" + "github.com/sipeed/picoclaw/pkg/gateway" "github.com/sipeed/picoclaw/pkg/logger" "github.com/sipeed/picoclaw/pkg/utils" ) @@ -12,6 +14,7 @@ import ( func NewGatewayCommand() *cobra.Command { var debug bool var noTruncate bool + var allowEmpty bool cmd := &cobra.Command{ Use: "gateway", @@ -31,12 +34,19 @@ func NewGatewayCommand() *cobra.Command { return nil }, RunE: func(_ *cobra.Command, _ []string) error { - return gatewayCmd(debug) + return gateway.Run(debug, internal.GetConfigPath(), allowEmpty) }, } cmd.Flags().BoolVarP(&debug, "debug", "d", false, "Enable debug logging") cmd.Flags().BoolVarP(&noTruncate, "no-truncate", "T", false, "Disable string truncation in debug logs") + cmd.Flags().BoolVarP( + &allowEmpty, + "allow-empty", + "E", + false, + "Continue starting even when no default model is configured", + ) return cmd } diff --git a/cmd/picoclaw/internal/gateway/command_test.go b/cmd/picoclaw/internal/gateway/command_test.go index 4d591ea67..839a7315a 100644 --- a/cmd/picoclaw/internal/gateway/command_test.go +++ b/cmd/picoclaw/internal/gateway/command_test.go @@ -28,4 +28,5 @@ func TestNewGatewayCommand(t *testing.T) { assert.True(t, cmd.HasFlags()) assert.NotNil(t, cmd.Flags().Lookup("debug")) + assert.NotNil(t, cmd.Flags().Lookup("allow-empty")) } diff --git a/config/config.example.json b/config/config.example.json index 1c11cd42a..14e209259 100644 --- a/config/config.example.json +++ b/config/config.example.json @@ -518,6 +518,7 @@ }, "gateway": { "host": "127.0.0.1", - "port": 18790 + "port": 18790, + "hot_reload": false } } diff --git a/pkg/channels/manager.go b/pkg/channels/manager.go index df430e4d3..8121525ab 100644 --- a/pkg/channels/manager.go +++ b/pkg/channels/manager.go @@ -357,7 +357,6 @@ func (m *Manager) StartAll(ctx context.Context) error { if len(m.channels) == 0 { logger.WarnC("channels", "No channels enabled") - return errors.New("no channels enabled") } logger.InfoC("channels", "Starting all channels") diff --git a/pkg/config/config.go b/pkg/config/config.go index 35de48f23..6694ef3a1 100644 --- a/pkg/config/config.go +++ b/pkg/config/config.go @@ -625,8 +625,9 @@ func (c *ModelConfig) Validate() error { } type GatewayConfig struct { - Host string `json:"host" env:"PICOCLAW_GATEWAY_HOST"` - Port int `json:"port" env:"PICOCLAW_GATEWAY_PORT"` + Host string `json:"host" env:"PICOCLAW_GATEWAY_HOST"` + Port int `json:"port" env:"PICOCLAW_GATEWAY_PORT"` + HotReload bool `json:"hot_reload" env:"PICOCLAW_GATEWAY_HOT_RELOAD"` } type ToolDiscoveryConfig struct { diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go index fc835f78f..f4f8979e1 100644 --- a/pkg/config/config_test.go +++ b/pkg/config/config_test.go @@ -267,6 +267,9 @@ func TestDefaultConfig_Gateway(t *testing.T) { if cfg.Gateway.Port == 0 { t.Error("Gateway port should have default value") } + if cfg.Gateway.HotReload { + t.Error("Gateway hot reload should be disabled by default") + } } // TestDefaultConfig_Providers verifies provider structure diff --git a/pkg/config/defaults.go b/pkg/config/defaults.go index 2b177d5de..90a99408e 100644 --- a/pkg/config/defaults.go +++ b/pkg/config/defaults.go @@ -395,8 +395,9 @@ func DefaultConfig() *Config { }, }, Gateway: GatewayConfig{ - Host: "127.0.0.1", - Port: 18790, + Host: "127.0.0.1", + Port: 18790, + HotReload: false, }, Tools: ToolsConfig{ MediaCleanup: MediaCleanupConfig{ diff --git a/cmd/picoclaw/internal/gateway/helpers.go b/pkg/gateway/gateway.go similarity index 61% rename from cmd/picoclaw/internal/gateway/helpers.go rename to pkg/gateway/gateway.go index 85e93bcf9..6745d1748 100644 --- a/cmd/picoclaw/internal/gateway/helpers.go +++ b/pkg/gateway/gateway.go @@ -10,7 +10,6 @@ import ( "syscall" "time" - "github.com/sipeed/picoclaw/cmd/picoclaw/internal" "github.com/sipeed/picoclaw/pkg/agent" "github.com/sipeed/picoclaw/pkg/bus" "github.com/sipeed/picoclaw/pkg/channels" @@ -42,15 +41,13 @@ import ( "github.com/sipeed/picoclaw/pkg/voice" ) -// Timeout constants for service operations const ( serviceShutdownTimeout = 30 * time.Second providerReloadTimeout = 30 * time.Second gracefulShutdownTimeout = 15 * time.Second ) -// gatewayServices holds references to all running services -type gatewayServices struct { +type services struct { CronService *cron.CronService HeartbeatService *heartbeat.HeartbeatService MediaStore media.MediaStore @@ -59,24 +56,41 @@ type gatewayServices struct { HealthServer *health.Server } -func gatewayCmd(debug bool) error { +type startupBlockedProvider struct { + reason string +} + +func (p *startupBlockedProvider) Chat( + _ context.Context, + _ []providers.Message, + _ []providers.ToolDefinition, + _ string, + _ map[string]any, +) (*providers.LLMResponse, error) { + return nil, fmt.Errorf("%s", p.reason) +} + +func (p *startupBlockedProvider) GetDefaultModel() string { + return "" +} + +// Run starts the gateway runtime using the configuration loaded from configPath. +func Run(debug bool, configPath string, allowEmptyStartup bool) error { if debug { logger.SetLevel(logger.DEBUG) fmt.Println("🔍 Debug mode enabled") } - configPath := internal.GetConfigPath() - cfg, err := internal.LoadConfig() + cfg, err := config.LoadConfig(configPath) if err != nil { return fmt.Errorf("error loading config: %w", err) } - provider, modelID, err := providers.CreateProvider(cfg) + provider, modelID, err := createStartupProvider(cfg, allowEmptyStartup) if err != nil { return fmt.Errorf("error creating provider: %w", err) } - // Use the resolved model ID from provider creation if modelID != "" { cfg.Agents.Defaults.ModelName = modelID } @@ -84,17 +98,13 @@ func gatewayCmd(debug bool) error { msgBus := bus.NewMessageBus() agentLoop := agent.NewAgentLoop(cfg, msgBus, provider) - // Print agent startup info fmt.Println("\n📦 Agent Status:") startupInfo := agentLoop.GetStartupInfo() toolsInfo := startupInfo["tools"].(map[string]any) skillsInfo := startupInfo["skills"].(map[string]any) fmt.Printf(" • Tools: %d loaded\n", toolsInfo["count"]) - fmt.Printf(" • Skills: %d/%d available\n", - skillsInfo["available"], - skillsInfo["total"]) + fmt.Printf(" • Skills: %d/%d available\n", skillsInfo["available"], skillsInfo["total"]) - // Log to file as well logger.InfoCF("agent", "Agent initialized", map[string]any{ "tools_count": toolsInfo["count"], @@ -102,8 +112,7 @@ func gatewayCmd(debug bool) error { "skills_available": skillsInfo["available"], }) - // Setup and start all services - services, err := setupAndStartServices(cfg, agentLoop, msgBus) + runningServices, err := setupAndStartServices(cfg, agentLoop, msgBus) if err != nil { return err } @@ -116,23 +125,25 @@ func gatewayCmd(debug bool) error { go agentLoop.Run(ctx) - // Setup config file watcher for hot reload - configReloadChan, stopWatch := setupConfigWatcherPolling(configPath, debug) + var configReloadChan <-chan *config.Config + stopWatch := func() {} + if cfg.Gateway.HotReload { + configReloadChan, stopWatch = setupConfigWatcherPolling(configPath, debug) + logger.Info("Config hot reload enabled") + } defer stopWatch() sigChan := make(chan os.Signal, 1) signal.Notify(sigChan, os.Interrupt, syscall.SIGTERM) - // Main event loop - wait for signals or config changes for { select { case <-sigChan: logger.Info("Shutting down...") - shutdownGateway(services, agentLoop, provider, true) + shutdownGateway(runningServices, agentLoop, provider, true) return nil - case newCfg := <-configReloadChan: - err := handleConfigReload(ctx, agentLoop, newCfg, &provider, services, msgBus) + err := handleConfigReload(ctx, agentLoop, newCfg, &provider, runningServices, msgBus, allowEmptyStartup) if err != nil { logger.Errorf("Config reload failed: %v", err) } @@ -140,18 +151,33 @@ func gatewayCmd(debug bool) error { } } -// setupAndStartServices initializes and starts all services +func createStartupProvider( + cfg *config.Config, + allowEmptyStartup bool, +) (providers.LLMProvider, string, error) { + modelName := cfg.Agents.Defaults.GetModelName() + if modelName == "" && allowEmptyStartup { + reason := "no default model configured; gateway started in limited mode" + fmt.Printf("⚠ Warning: %s\n", reason) + logger.WarnCF("gateway", "Gateway started without default model", map[string]any{ + "limited_mode": true, + }) + return &startupBlockedProvider{reason: reason}, "", nil + } + + return providers.CreateProvider(cfg) +} + func setupAndStartServices( cfg *config.Config, agentLoop *agent.AgentLoop, msgBus *bus.MessageBus, -) (*gatewayServices, error) { - services := &gatewayServices{} +) (*services, error) { + runningServices := &services{} - // Setup cron tool and service execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute var err error - services.CronService, err = setupCronTool( + runningServices.CronService, err = setupCronTool( agentLoop, msgBus, cfg.WorkspacePath(), @@ -162,120 +188,105 @@ func setupAndStartServices( if err != nil { return nil, fmt.Errorf("error setting up cron service: %w", err) } - if err = services.CronService.Start(); err != nil { + if err = runningServices.CronService.Start(); err != nil { return nil, fmt.Errorf("error starting cron service: %w", err) } fmt.Println("✓ Cron service started") - // Setup heartbeat service - services.HeartbeatService = heartbeat.NewHeartbeatService( + runningServices.HeartbeatService = heartbeat.NewHeartbeatService( cfg.WorkspacePath(), cfg.Heartbeat.Interval, cfg.Heartbeat.Enabled, ) - services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(createHeartbeatHandler(agentLoop)) - if err = services.HeartbeatService.Start(); err != nil { + runningServices.HeartbeatService.SetBus(msgBus) + runningServices.HeartbeatService.SetHandler(createHeartbeatHandler(agentLoop)) + if err = runningServices.HeartbeatService.Start(); err != nil { return nil, fmt.Errorf("error starting heartbeat service: %w", err) } fmt.Println("✓ Heartbeat service started") - // Create media store for file lifecycle management with TTL cleanup - services.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ + runningServices.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ Enabled: cfg.Tools.MediaCleanup.Enabled, MaxAge: time.Duration(cfg.Tools.MediaCleanup.MaxAge) * time.Minute, Interval: time.Duration(cfg.Tools.MediaCleanup.Interval) * time.Minute, }) - // Start the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Start() } - // Create channel manager - services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) + runningServices.ChannelManager, err = channels.NewManager(cfg, msgBus, runningServices.MediaStore) if err != nil { - // Stop the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Stop() } return nil, fmt.Errorf("error creating channel manager: %w", err) } - // Inject channel manager and media store into agent loop - agentLoop.SetChannelManager(services.ChannelManager) - agentLoop.SetMediaStore(services.MediaStore) + agentLoop.SetChannelManager(runningServices.ChannelManager) + agentLoop.SetMediaStore(runningServices.MediaStore) - // Wire up voice transcription if a supported provider is configured. if transcriber := voice.DetectTranscriber(cfg); transcriber != nil { agentLoop.SetTranscriber(transcriber) logger.InfoCF("voice", "Transcription enabled (agent-level)", map[string]any{"provider": transcriber.Name()}) } - enabledChannels := services.ChannelManager.GetEnabledChannels() + enabledChannels := runningServices.ChannelManager.GetEnabledChannels() if len(enabledChannels) > 0 { fmt.Printf("✓ Channels enabled: %s\n", enabledChannels) } else { fmt.Println("⚠ Warning: No channels enabled") } - // Setup shared HTTP server with health endpoints and webhook handlers addr := fmt.Sprintf("%s:%d", cfg.Gateway.Host, cfg.Gateway.Port) - services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) - services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) + runningServices.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) + runningServices.ChannelManager.SetupHTTPServer(addr, runningServices.HealthServer) - if err = services.ChannelManager.StartAll(context.Background()); err != nil { + if err = runningServices.ChannelManager.StartAll(context.Background()); err != nil { return nil, fmt.Errorf("error starting channels: %w", err) } fmt.Printf("✓ Health endpoints available at http://%s:%d/health and /ready\n", cfg.Gateway.Host, cfg.Gateway.Port) - // Setup state manager and device service stateManager := state.NewManager(cfg.WorkspacePath()) - services.DeviceService = devices.NewService(devices.Config{ + runningServices.DeviceService = devices.NewService(devices.Config{ Enabled: cfg.Devices.Enabled, MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) - services.DeviceService.SetBus(msgBus) - if err = services.DeviceService.Start(context.Background()); err != nil { + runningServices.DeviceService.SetBus(msgBus) + if err = runningServices.DeviceService.Start(context.Background()); err != nil { logger.ErrorCF("device", "Error starting device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println("✓ Device event service started") } - return services, nil + return runningServices, nil } -// stopAndCleanupServices stops all services and cleans up resources -func stopAndCleanupServices( - services *gatewayServices, - shutdownTimeout time.Duration, -) { +func stopAndCleanupServices(runningServices *services, shutdownTimeout time.Duration) { shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), shutdownTimeout) defer shutdownCancel() - if services.ChannelManager != nil { - services.ChannelManager.StopAll(shutdownCtx) + if runningServices.ChannelManager != nil { + runningServices.ChannelManager.StopAll(shutdownCtx) } - if services.DeviceService != nil { - services.DeviceService.Stop() + if runningServices.DeviceService != nil { + runningServices.DeviceService.Stop() } - if services.HeartbeatService != nil { - services.HeartbeatService.Stop() + if runningServices.HeartbeatService != nil { + runningServices.HeartbeatService.Stop() } - if services.CronService != nil { - services.CronService.Stop() + if runningServices.CronService != nil { + runningServices.CronService.Stop() } - if services.MediaStore != nil { - // Stop the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if runningServices.MediaStore != nil { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Stop() } } } -// shutdownGateway performs a complete gateway shutdown func shutdownGateway( - services *gatewayServices, + runningServices *services, agentLoop *agent.AgentLoop, provider providers.LLMProvider, fullShutdown bool, @@ -284,7 +295,7 @@ func shutdownGateway( cp.Close() } - stopAndCleanupServices(services, gracefulShutdownTimeout) + stopAndCleanupServices(runningServices, gracefulShutdownTimeout) agentLoop.Stop() agentLoop.Close() @@ -292,15 +303,14 @@ func shutdownGateway( logger.Info("✓ Gateway stopped") } -// handleConfigReload handles config file reload by stopping all services, -// reloading the provider and config, and restarting services with the new config. func handleConfigReload( ctx context.Context, al *agent.AgentLoop, newCfg *config.Config, providerRef *providers.LLMProvider, - services *gatewayServices, + runningServices *services, msgBus *bus.MessageBus, + allowEmptyStartup bool, ) error { logger.Info("🔄 Config file changed, reloading...") @@ -311,18 +321,14 @@ func handleConfigReload( logger.Infof(" New model is '%s', recreating provider...", newModel) - // Stop all services before reloading logger.Info(" Stopping all services...") - stopAndCleanupServices(services, serviceShutdownTimeout) + stopAndCleanupServices(runningServices, serviceShutdownTimeout) - // Create new provider from updated config first to ensure validity - // This will use the correct API key and settings from newCfg.ModelList - newProvider, newModelID, err := providers.CreateProvider(newCfg) + newProvider, newModelID, err := createStartupProvider(newCfg, allowEmptyStartup) if err != nil { logger.Errorf(" ⚠ Error creating new provider: %v", err) logger.Warn(" Attempting to restart services with old provider and config...") - // Try to restart services with old configuration - if restartErr := restartServices(al, services, msgBus); restartErr != nil { + if restartErr := restartServices(al, runningServices, msgBus); restartErr != nil { logger.Errorf(" ⚠ Failed to restart services: %v", restartErr) } return fmt.Errorf("error creating new provider: %w", err) @@ -332,31 +338,25 @@ func handleConfigReload( newCfg.Agents.Defaults.ModelName = newModelID } - // Use the atomic reload method on AgentLoop to safely swap provider and config. - // This handles locking internally to prevent races with in-flight LLM calls - // and concurrent reads of registry/config while the swap occurs. reloadCtx, reloadCancel := context.WithTimeout(context.Background(), providerReloadTimeout) defer reloadCancel() if err := al.ReloadProviderAndConfig(reloadCtx, newProvider, newCfg); err != nil { logger.Errorf(" ⚠ Error reloading agent loop: %v", err) - // Close the newly created provider since it wasn't adopted if cp, ok := newProvider.(providers.StatefulProvider); ok { cp.Close() } logger.Warn(" Attempting to restart services with old provider and config...") - if restartErr := restartServices(al, services, msgBus); restartErr != nil { + if restartErr := restartServices(al, runningServices, msgBus); restartErr != nil { logger.Errorf(" ⚠ Failed to restart services: %v", restartErr) } return fmt.Errorf("error reloading agent loop: %w", err) } - // Update local provider reference only after successful atomic reload *providerRef = newProvider - // Restart all services with new config logger.Info(" Restarting all services with new configuration...") - if err := restartServices(al, services, msgBus); err != nil { + if err := restartServices(al, runningServices, msgBus); err != nil { logger.Errorf(" ⚠ Error restarting services: %v", err) return fmt.Errorf("error restarting services: %w", err) } @@ -365,19 +365,16 @@ func handleConfigReload( return nil } -// restartServices restarts all services after a config reload func restartServices( al *agent.AgentLoop, - services *gatewayServices, + runningServices *services, msgBus *bus.MessageBus, ) error { - // Get current config from agent loop (which has been updated if this is a reload) cfg := al.GetConfig() - // Re-create and start cron service with new config execTimeout := time.Duration(cfg.Tools.Cron.ExecTimeoutMinutes) * time.Minute var err error - services.CronService, err = setupCronTool( + runningServices.CronService, err = setupCronTool( al, msgBus, cfg.WorkspacePath(), @@ -388,57 +385,51 @@ func restartServices( if err != nil { return fmt.Errorf("error restarting cron service: %w", err) } - if err = services.CronService.Start(); err != nil { + if err = runningServices.CronService.Start(); err != nil { return fmt.Errorf("error restarting cron service: %w", err) } fmt.Println(" ✓ Cron service restarted") - // Re-create and start heartbeat service with new config - services.HeartbeatService = heartbeat.NewHeartbeatService( + runningServices.HeartbeatService = heartbeat.NewHeartbeatService( cfg.WorkspacePath(), cfg.Heartbeat.Interval, cfg.Heartbeat.Enabled, ) - services.HeartbeatService.SetBus(msgBus) - services.HeartbeatService.SetHandler(createHeartbeatHandler(al)) - if err = services.HeartbeatService.Start(); err != nil { + runningServices.HeartbeatService.SetBus(msgBus) + runningServices.HeartbeatService.SetHandler(createHeartbeatHandler(al)) + if err = runningServices.HeartbeatService.Start(); err != nil { return fmt.Errorf("error restarting heartbeat service: %w", err) } fmt.Println(" ✓ Heartbeat service restarted") - // Re-create media store with new config - services.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ + runningServices.MediaStore = media.NewFileMediaStoreWithCleanup(media.MediaCleanerConfig{ Enabled: cfg.Tools.MediaCleanup.Enabled, MaxAge: time.Duration(cfg.Tools.MediaCleanup.MaxAge) * time.Minute, Interval: time.Duration(cfg.Tools.MediaCleanup.Interval) * time.Minute, }) - // Start the media store if it's a FileMediaStore with cleanup - if fms, ok := services.MediaStore.(*media.FileMediaStore); ok { + if fms, ok := runningServices.MediaStore.(*media.FileMediaStore); ok { fms.Start() } - al.SetMediaStore(services.MediaStore) + al.SetMediaStore(runningServices.MediaStore) - // Re-create channel manager with new config - services.ChannelManager, err = channels.NewManager(cfg, msgBus, services.MediaStore) + runningServices.ChannelManager, err = channels.NewManager(cfg, msgBus, runningServices.MediaStore) if err != nil { return fmt.Errorf("error recreating channel manager: %w", err) } - al.SetChannelManager(services.ChannelManager) + al.SetChannelManager(runningServices.ChannelManager) - enabledChannels := services.ChannelManager.GetEnabledChannels() + enabledChannels := runningServices.ChannelManager.GetEnabledChannels() if len(enabledChannels) > 0 { fmt.Printf(" ✓ Channels enabled: %s\n", enabledChannels) } else { fmt.Println(" ⚠ Warning: No channels enabled") } - // Setup HTTP server with new config addr := fmt.Sprintf("%s:%d", cfg.Gateway.Host, cfg.Gateway.Port) - services.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) - services.ChannelManager.SetupHTTPServer(addr, services.HealthServer) + runningServices.HealthServer = health.NewServer(cfg.Gateway.Host, cfg.Gateway.Port) + runningServices.ChannelManager.SetupHTTPServer(addr, runningServices.HealthServer) - // Use background context for lifecycle to ensure services persist after restartServices returns - if err = services.ChannelManager.StartAll(context.Background()); err != nil { + if err = runningServices.ChannelManager.StartAll(context.Background()); err != nil { return fmt.Errorf("error restarting channels: %w", err) } fmt.Printf( @@ -447,22 +438,20 @@ func restartServices( cfg.Gateway.Port, ) - // Re-create device service with new config stateManager := state.NewManager(cfg.WorkspacePath()) - services.DeviceService = devices.NewService(devices.Config{ + runningServices.DeviceService = devices.NewService(devices.Config{ Enabled: cfg.Devices.Enabled, MonitorUSB: cfg.Devices.MonitorUSB, }, stateManager) - services.DeviceService.SetBus(msgBus) - if err := services.DeviceService.Start(context.Background()); err != nil { + runningServices.DeviceService.SetBus(msgBus) + if err := runningServices.DeviceService.Start(context.Background()); err != nil { logger.WarnCF("device", "Failed to restart device service", map[string]any{"error": err.Error()}) } else if cfg.Devices.Enabled { fmt.Println(" ✓ Device event service restarted") } - // Wire up voice transcription with new config transcriber := voice.DetectTranscriber(cfg) - al.SetTranscriber(transcriber) // This will set it to nil if disabled + al.SetTranscriber(transcriber) if transcriber != nil { logger.InfoCF("voice", "Transcription re-enabled (agent-level)", map[string]any{"provider": transcriber.Name()}) } else { @@ -472,8 +461,6 @@ func restartServices( return nil } -// setupConfigWatcherPolling sets up a simple polling-based config file watcher -// Returns a channel for config updates and a stop function func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Config, func()) { configChan := make(chan *config.Config, 1) stop := make(chan struct{}) @@ -483,11 +470,10 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf go func() { defer wg.Done() - // Get initial file info lastModTime := getFileModTime(configPath) lastSize := getFileSize(configPath) - ticker := time.NewTicker(2 * time.Second) // Check every 2 seconds + ticker := time.NewTicker(2 * time.Second) defer ticker.Stop() for { @@ -496,20 +482,16 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf currentModTime := getFileModTime(configPath) currentSize := getFileSize(configPath) - // Check if file changed (modification time or size changed) if currentModTime.After(lastModTime) || currentSize != lastSize { if debug { logger.Debugf("🔍 Config file change detected") } - // Debounce - wait a bit to ensure file write is complete time.Sleep(500 * time.Millisecond) - // Update last known state to prevent repeated reload attempts on failure lastModTime = currentModTime lastSize = currentSize - // Validate and load new config newCfg, err := config.LoadConfig(configPath) if err != nil { logger.Errorf("⚠ Error loading new config: %v", err) @@ -517,7 +499,6 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf continue } - // Validate the new config if err := newCfg.ValidateModelList(); err != nil { logger.Errorf(" ⚠ New config validation failed: %v", err) logger.Warn(" Using previous valid config") @@ -526,15 +507,12 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf logger.Info("✓ Config file validated and loaded") - // Send new config to main loop (non-blocking) select { case configChan <- newCfg: default: - // Channel full, skip this update logger.Warn("⚠ Previous config reload still in progress, skipping") } } - case <-stop: return } @@ -549,7 +527,6 @@ func setupConfigWatcherPolling(configPath string, debug bool) (chan *config.Conf return configChan, stopFunc } -// getFileModTime returns the modification time of a file, or zero time if file doesn't exist func getFileModTime(path string) time.Time { info, err := os.Stat(path) if err != nil { @@ -558,7 +535,6 @@ func getFileModTime(path string) time.Time { return info.ModTime() } -// getFileSize returns the size of a file, or 0 if file doesn't exist func getFileSize(path string) int64 { info, err := os.Stat(path) if err != nil { @@ -577,10 +553,8 @@ func setupCronTool( ) (*cron.CronService, error) { cronStorePath := filepath.Join(workspace, "cron", "jobs.json") - // Create cron service cronService := cron.NewCronService(cronStorePath, nil) - // Create and register CronTool if enabled var cronTool *tools.CronTool if cfg.Tools.IsToolEnabled("cron") { var err error @@ -592,7 +566,6 @@ func setupCronTool( agentLoop.RegisterTool(cronTool) } - // Set onJob handler if cronTool != nil { cronService.SetOnJob(func(job *cron.CronJob) (string, error) { result := cronTool.ExecuteJob(context.Background(), job) @@ -605,22 +578,17 @@ func setupCronTool( func createHeartbeatHandler(agentLoop *agent.AgentLoop) func(prompt, channel, chatID string) *tools.ToolResult { return func(prompt, channel, chatID string) *tools.ToolResult { - // Use cli:direct as fallback if no valid channel if channel == "" || chatID == "" { channel, chatID = "cli", "direct" } - // Use ProcessHeartbeat - no session history, each heartbeat is independent - var response string - var err error - response, err = agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) + + response, err := agentLoop.ProcessHeartbeat(context.Background(), prompt, channel, chatID) if err != nil { return tools.ErrorResult(fmt.Sprintf("Heartbeat error: %v", err)) } if response == "HEARTBEAT_OK" { return tools.SilentResult("Heartbeat OK") } - // For heartbeat, always return silent - the subagent result will be - // sent to user via processSystemMessage when the async task completes return tools.SilentResult(response) } } diff --git a/web/backend/api/events.go b/web/backend/api/events.go deleted file mode 100644 index 5c85b149a..000000000 --- a/web/backend/api/events.go +++ /dev/null @@ -1,80 +0,0 @@ -package api - -import ( - "encoding/json" - "sync" -) - -// GatewayEvent represents a state change event for the gateway process. -type GatewayEvent struct { - Status string `json:"gateway_status"` // "running", "starting", "restarting", "stopped", "error" - PID int `json:"pid,omitempty"` - BootDefaultModel string `json:"boot_default_model,omitempty"` - ConfigDefaultModel string `json:"config_default_model,omitempty"` - RestartRequired bool `json:"gateway_restart_required,omitempty"` -} - -// EventBroadcaster manages SSE client subscriptions and broadcasts events. -type EventBroadcaster struct { - mu sync.RWMutex - clients map[chan string]struct{} -} - -// NewEventBroadcaster creates a new broadcaster. -func NewEventBroadcaster() *EventBroadcaster { - return &EventBroadcaster{ - clients: make(map[chan string]struct{}), - } -} - -// Subscribe adds a new listener channel and returns it. -// The caller must call Unsubscribe when done. -func (b *EventBroadcaster) Subscribe() chan string { - ch := make(chan string, 8) - b.mu.Lock() - b.clients[ch] = struct{}{} - b.mu.Unlock() - return ch -} - -// Unsubscribe removes a listener channel and closes it. -func (b *EventBroadcaster) Unsubscribe(ch chan string) { - b.mu.Lock() - defer b.mu.Unlock() - - // Check if the channel is still registered before closing - if _, exists := b.clients[ch]; exists { - delete(b.clients, ch) - close(ch) - } -} - -// Broadcast sends a GatewayEvent to all connected SSE clients. -func (b *EventBroadcaster) Broadcast(event GatewayEvent) { - data, err := json.Marshal(event) - if err != nil { - return - } - - b.mu.RLock() - defer b.mu.RUnlock() - - for ch := range b.clients { - // Non-blocking send; drop event if client is slow - select { - case ch <- string(data): - default: - } - } -} - -// Shutdown closes all subscriber channels, notifying all SSE clients to disconnect. -// This should be called when the server is shutting down. -func (b *EventBroadcaster) Shutdown() { - // Close all channels to notify listeners - for ch := range b.clients { - b.Unsubscribe(ch) - } - // Clear the map - b.clients = make(map[chan string]struct{}) -} diff --git a/web/backend/api/gateway.go b/web/backend/api/gateway.go index 424b21e96..16b793427 100644 --- a/web/backend/api/gateway.go +++ b/web/backend/api/gateway.go @@ -7,6 +7,7 @@ import ( "fmt" "io" "log" + "net" "net/http" "os" "os/exec" @@ -30,11 +31,9 @@ var gateway = struct { runtimeStatus string startupDeadline time.Time logs *LogBuffer - events *EventBroadcaster }{ runtimeStatus: "stopped", logs: NewLogBuffer(200), - events: NewEventBroadcaster(), } var ( @@ -51,11 +50,19 @@ var gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, // getGatewayHealth checks the gateway health endpoint and returns the status response // Returns (*health.StatusResponse, statusCode, error). If error is not nil, the other values are not valid. -func getGatewayHealth(port int, timeout time.Duration) (*health.StatusResponse, int, error) { - if port == 0 { - port = 18790 +func (h *Handler) getGatewayHealth(cfg *config.Config, timeout time.Duration) (*health.StatusResponse, int, error) { + port := 18790 + if cfg != nil && cfg.Gateway.Port != 0 { + port = cfg.Gateway.Port } - url := fmt.Sprintf("http://127.0.0.1:%d/health", port) + + probeHost := gatewayProbeHost(h.effectiveGatewayBindHost(cfg)) + url := "http://" + net.JoinHostPort(probeHost, strconv.Itoa(port)) + "/health" + + return getGatewayHealthByURL(url, timeout) +} + +func getGatewayHealthByURL(url string, timeout time.Duration) (*health.StatusResponse, int, error) { resp, err := gatewayHealthGet(url, timeout) if err != nil { return nil, 0, err @@ -73,7 +80,6 @@ func getGatewayHealth(port int, timeout time.Duration) (*health.StatusResponse, // registerGatewayRoutes binds gateway lifecycle endpoints to the ServeMux. func (h *Handler) registerGatewayRoutes(mux *http.ServeMux) { mux.HandleFunc("GET /api/gateway/status", h.handleGatewayStatus) - mux.HandleFunc("GET /api/gateway/events", h.handleGatewayEvents) mux.HandleFunc("GET /api/gateway/logs", h.handleGatewayLogs) mux.HandleFunc("POST /api/gateway/logs/clear", h.handleGatewayClearLogs) mux.HandleFunc("POST /api/gateway/start", h.handleGatewayStart) @@ -87,7 +93,7 @@ func (h *Handler) TryAutoStartGateway() { // Check if gateway is already running via health endpoint cfg, cfgErr := config.LoadConfig(h.configPath) if cfgErr == nil && cfg != nil { - healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 2*time.Second) if err == nil && statusCode == http.StatusOK { // Gateway is already running, attach to the existing process pid := healthResp.Pid @@ -170,6 +176,16 @@ func lookupModelConfig(cfg *config.Config, modelName string) *config.ModelConfig return modelCfg } +func gatewayRestartRequired(configDefaultModel, bootDefaultModel, gatewayStatus string) bool { + if gatewayStatus != "running" { + return false + } + if strings.TrimSpace(configDefaultModel) == "" || strings.TrimSpace(bootDefaultModel) == "" { + return false + } + return configDefaultModel != bootDefaultModel +} + func isCmdProcessAliveLocked(cmd *exec.Cmd) bool { if cmd == nil || cmd.Process == nil { return false @@ -220,7 +236,7 @@ func attachToGatewayProcessLocked(pid int, cfg *config.Config) error { return nil } -func gatewayStatusOnHealthFailureLocked() string { +func gatewayStatusWithoutHealthLocked() string { if gateway.runtimeStatus == "starting" || gateway.runtimeStatus == "restarting" { if gateway.startupDeadline.IsZero() || time.Now().Before(gateway.startupDeadline) { return gateway.runtimeStatus @@ -233,23 +249,7 @@ func gatewayStatusOnHealthFailureLocked() string { if gateway.runtimeStatus == "error" { return "error" } - return "error" -} - -func currentGatewayStatusLocked(processAlive bool) string { - if !processAlive { - if gateway.runtimeStatus == "restarting" { - if gateway.startupDeadline.IsZero() || time.Now().Before(gateway.startupDeadline) { - return "restarting" - } - return "error" - } - if gateway.runtimeStatus == "error" { - return "error" - } - return "stopped" - } - return gatewayStatusOnHealthFailureLocked() + return "stopped" } func waitForGatewayProcessExit(cmd *exec.Cmd, timeout time.Duration) bool { @@ -319,15 +319,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int return 0, err } - // Broadcast the attached state - gateway.events.Broadcast(GatewayEvent{ - Status: initialStatus, - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) - return pid, nil } @@ -335,7 +326,7 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int // Locate the picoclaw executable execPath := utils.FindPicoclawBinary() - cmd = exec.Command(execPath, "gateway") + cmd = exec.Command(execPath, "gateway", "-E") cmd.Env = os.Environ() // Forward the launcher's config path via the environment variable that // GetConfigPath() already reads, so the gateway sub-process uses the same @@ -376,15 +367,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int pid = cmd.Process.Pid log.Printf("Started picoclaw gateway (PID: %d) from %s", pid, execPath) - // Broadcast the launch state immediately so clients can reflect it without polling. - gateway.events.Broadcast(GatewayEvent{ - Status: initialStatus, - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) - // Capture stdout/stderr in background go scanPipe(stdoutPipe, gateway.logs) go scanPipe(stderrPipe, gateway.logs) @@ -398,26 +380,17 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int } gateway.mu.Lock() - shouldBroadcastStopped := false if gateway.cmd == cmd { gateway.cmd = nil gateway.bootDefaultModel = "" if gateway.runtimeStatus != "restarting" { setGatewayRuntimeStatusLocked("stopped") - shouldBroadcastStopped = true } } gateway.mu.Unlock() - - if shouldBroadcastStopped { - gateway.events.Broadcast(GatewayEvent{ - Status: "stopped", - RestartRequired: false, - }) - } }() - // Start a goroutine to probe health and broadcast "running" once ready + // Start a goroutine to probe health and update the runtime state once ready. go func() { for i := 0; i < 30; i++ { // try for up to 15 seconds time.Sleep(500 * time.Millisecond) @@ -431,7 +404,7 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int if err != nil { continue } - healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 1*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 1*time.Second) if err == nil && statusCode == http.StatusOK && healthResp.Pid == pid { // Verify the health endpoint returns the expected pid gateway.mu.Lock() @@ -439,13 +412,6 @@ func (h *Handler) startGatewayLocked(initialStatus string, existingPid int) (int setGatewayRuntimeStatusLocked("running") } gateway.mu.Unlock() - gateway.events.Broadcast(GatewayEvent{ - Status: "running", - PID: pid, - BootDefaultModel: defaultModelName, - ConfigDefaultModel: defaultModelName, - RestartRequired: false, - }) return } } @@ -461,7 +427,7 @@ func (h *Handler) handleGatewayStart(w http.ResponseWriter, r *http.Request) { // Prevent duplicate starts by checking health endpoint cfg, cfgErr := config.LoadConfig(h.configPath) if cfgErr == nil && cfg != nil { - healthResp, statusCode, err := getGatewayHealth(cfg.Gateway.Port, 2*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 2*time.Second) if err == nil && statusCode == http.StatusOK { // Gateway is already running, attach to the existing process pid := healthResp.Pid @@ -597,10 +563,6 @@ func (h *Handler) RestartGateway() (int, error) { gateway.mu.Lock() previousCmd := gateway.cmd setGatewayRuntimeStatusLocked("restarting") - gateway.events.Broadcast(GatewayEvent{ - Status: "restarting", - RestartRequired: false, - }) gateway.mu.Unlock() if err = stopGatewayProcessForRestart(previousCmd); err != nil { @@ -704,24 +666,20 @@ func (h *Handler) handleGatewayStatus(w http.ResponseWriter, r *http.Request) { func (h *Handler) gatewayStatusData() map[string]any { data := map[string]any{} + configDefaultModel := "" cfg, cfgErr := config.LoadConfig(h.configPath) if cfgErr == nil && cfg != nil { - configDefaultModel := strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) + configDefaultModel = strings.TrimSpace(cfg.Agents.Defaults.GetModelName()) if configDefaultModel != "" { data["config_default_model"] = configDefaultModel } } // Probe health endpoint to get pid and status - port := 0 - if cfgErr == nil && cfg != nil { - port = cfg.Gateway.Port - } - - healthResp, statusCode, err := getGatewayHealth(port, 2*time.Second) + healthResp, statusCode, err := h.getGatewayHealth(cfg, 2*time.Second) if err != nil { gateway.mu.Lock() - data["gateway_status"] = currentGatewayStatusLocked(true) + data["gateway_status"] = gatewayStatusWithoutHealthLocked() gateway.mu.Unlock() log.Printf("Gateway health check failed: %v", err) } else { @@ -734,45 +692,43 @@ func (h *Handler) gatewayStatusData() map[string]any { data["status_code"] = statusCode } else { gateway.mu.Lock() - // Check if this pid matches our tracked process - if gateway.cmd != nil && gateway.cmd.Process != nil && gateway.cmd.Process.Pid == healthResp.Pid { - setGatewayRuntimeStatusLocked("running") - bootDefaultModel := gateway.bootDefaultModel - if bootDefaultModel != "" { - data["boot_default_model"] = bootDefaultModel - } - data["gateway_status"] = "running" - data["pid"] = healthResp.Pid - } else { - // Health endpoint responded with a different pid - // This could be a manual restart, try to attach to the new process + setGatewayRuntimeStatusLocked("running") + if gateway.cmd == nil || gateway.cmd.Process == nil || gateway.cmd.Process.Pid != healthResp.Pid { oldPid := "none" if gateway.cmd != nil && gateway.cmd.Process != nil { oldPid = fmt.Sprintf("%d", gateway.cmd.Process.Pid) } - log.Printf("Detected new gateway PID (old: %s, new: %d), attempting to attach", oldPid, healthResp.Pid) - + log.Printf( + "Detected gateway PID from health (old: %s, new: %d), attempting to attach", + oldPid, + healthResp.Pid, + ) if err := attachToGatewayProcessLocked(healthResp.Pid, cfg); err != nil { - // Failed to find the process, treat as error - setGatewayRuntimeStatusLocked("error") - data["gateway_status"] = "error" - data["pid"] = healthResp.Pid - log.Printf("Failed to attach to new gateway process (PID: %d): %v", healthResp.Pid, err) - } else { - // Successfully attached, update response data - bootDefaultModel := gateway.bootDefaultModel - if bootDefaultModel != "" { - data["boot_default_model"] = bootDefaultModel - } - data["gateway_status"] = "running" - data["pid"] = healthResp.Pid + log.Printf( + "Failed to attach to gateway process reported by health (PID: %d): %v", + healthResp.Pid, + err, + ) } } + + bootDefaultModel := gateway.bootDefaultModel + if bootDefaultModel != "" { + data["boot_default_model"] = bootDefaultModel + } + data["gateway_status"] = "running" + data["pid"] = healthResp.Pid gateway.mu.Unlock() } } - data["gateway_restart_required"] = false + bootDefaultModel, _ := data["boot_default_model"].(string) + gatewayStatus, _ := data["gateway_status"].(string) + data["gateway_restart_required"] = gatewayRestartRequired( + configDefaultModel, + bootDefaultModel, + gatewayStatus, + ) ready, reason, readyErr := h.gatewayStartReady() if readyErr != nil { @@ -842,51 +798,6 @@ func gatewayLogsData(r *http.Request) map[string]any { return data } -// handleGatewayEvents serves an SSE stream of gateway state change events. -// -// GET /api/gateway/events -func (h *Handler) handleGatewayEvents(w http.ResponseWriter, r *http.Request) { - flusher, ok := w.(http.Flusher) - if !ok { - http.Error(w, "SSE not supported", http.StatusInternalServerError) - return - } - - w.Header().Set("Content-Type", "text/event-stream") - w.Header().Set("Cache-Control", "no-cache") - w.Header().Set("Connection", "keep-alive") - w.Header().Set("Access-Control-Allow-Origin", "*") - - // Subscribe to gateway events - ch := gateway.events.Subscribe() - defer gateway.events.Unsubscribe(ch) - - // Send initial status so the client doesn't start blank - initial := h.currentGatewayStatus() - fmt.Fprintf(w, "data: %s\n\n", initial) - flusher.Flush() - - for { - select { - case <-r.Context().Done(): - return - case data, ok := <-ch: - if !ok { - return - } - fmt.Fprintf(w, "data: %s\n\n", data) - flusher.Flush() - } - } -} - -// currentGatewayStatus returns the current gateway status as a JSON string. -func (h *Handler) currentGatewayStatus() string { - data := h.gatewayStatusData() - encoded, _ := json.Marshal(data) - return string(encoded) -} - // scanPipe reads lines from r and appends them to buf. Returns when r reaches EOF. func scanPipe(r io.Reader, buf *LogBuffer) { scanner := bufio.NewScanner(r) diff --git a/web/backend/api/gateway_host.go b/web/backend/api/gateway_host.go index 8dde29b76..592571a28 100644 --- a/web/backend/api/gateway_host.go +++ b/web/backend/api/gateway_host.go @@ -3,6 +3,7 @@ package api import ( "net" "net/http" + "net/url" "strconv" "strings" @@ -46,6 +47,23 @@ func gatewayProbeHost(bindHost string) string { return bindHost } +func (h *Handler) gatewayProxyURL() *url.URL { + cfg, err := config.LoadConfig(h.configPath) + port := 18790 + bindHost := "" + if err == nil && cfg != nil { + if cfg.Gateway.Port != 0 { + port = cfg.Gateway.Port + } + bindHost = h.effectiveGatewayBindHost(cfg) + } + + return &url.URL{ + Scheme: "http", + Host: net.JoinHostPort(gatewayProbeHost(bindHost), strconv.Itoa(port)), + } +} + func requestHostName(r *http.Request) string { reqHost, _, err := net.SplitHostPort(r.Host) if err == nil { diff --git a/web/backend/api/gateway_host_test.go b/web/backend/api/gateway_host_test.go index 3fffeb893..ae3434862 100644 --- a/web/backend/api/gateway_host_test.go +++ b/web/backend/api/gateway_host_test.go @@ -2,9 +2,12 @@ package api import ( "crypto/tls" + "errors" + "net/http" "net/http/httptest" "path/filepath" "testing" + "time" "github.com/sipeed/picoclaw/pkg/config" "github.com/sipeed/picoclaw/web/backend/launcherconfig" @@ -59,6 +62,79 @@ func TestGatewayProbeHostUsesLoopbackForWildcardBind(t *testing.T) { } } +func TestGatewayProxyURLUsesConfiguredHost(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "192.168.1.10" + cfg.Gateway.Port = 18791 + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + if got := h.gatewayProxyURL().String(); got != "http://192.168.1.10:18791" { + t.Fatalf("gatewayProxyURL() = %q, want %q", got, "http://192.168.1.10:18791") + } +} + +func TestGetGatewayHealthUsesConfiguredHost(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "192.168.1.10" + cfg.Gateway.Port = 18791 + + originalHealthGet := gatewayHealthGet + t.Cleanup(func() { + gatewayHealthGet = originalHealthGet + }) + + var requestedURL string + gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, error) { + requestedURL = url + return nil, errors.New("probe failed") + } + + _, statusCode, err := h.getGatewayHealth(cfg, time.Second) + _ = statusCode + _ = err + + if requestedURL != "http://192.168.1.10:18791/health" { + t.Fatalf("health url = %q, want %q", requestedURL, "http://192.168.1.10:18791/health") + } +} + +func TestGetGatewayHealthUsesProbeHostForPublicLauncher(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + h.SetServerOptions(18800, true, true, nil) + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "127.0.0.1" + cfg.Gateway.Port = 18791 + + originalHealthGet := gatewayHealthGet + t.Cleanup(func() { + gatewayHealthGet = originalHealthGet + }) + + var requestedURL string + gatewayHealthGet = func(url string, timeout time.Duration) (*http.Response, error) { + requestedURL = url + return nil, errors.New("probe failed") + } + + _, statusCode, err := h.getGatewayHealth(cfg, time.Second) + _ = statusCode + _ = err + + if requestedURL != "http://127.0.0.1:18791/health" { + t.Fatalf("health url = %q, want %q", requestedURL, "http://127.0.0.1:18791/health") + } +} + func TestBuildWsURLUsesWSSWhenForwardedProtoIsHTTPS(t *testing.T) { configPath := filepath.Join(t.TempDir(), "config.json") h := NewHandler(configPath) diff --git a/web/backend/api/gateway_test.go b/web/backend/api/gateway_test.go index fb4f7d943..5c94f0b89 100644 --- a/web/backend/api/gateway_test.go +++ b/web/backend/api/gateway_test.go @@ -3,6 +3,7 @@ package api import ( "encoding/json" "errors" + "io" "net/http" "net/http/httptest" "os" @@ -36,6 +37,15 @@ func startLongRunningProcess(t *testing.T) *exec.Cmd { return cmd } +func mockGatewayHealthResponse(statusCode, pid int) *http.Response { + return &http.Response{ + StatusCode: statusCode, + Body: io.NopCloser(strings.NewReader( + `{"status":"ok","uptime":"1s","pid":` + strconv.Itoa(pid) + `}`, + )), + } +} + func startIgnoringTermProcess(t *testing.T) *exec.Cmd { t.Helper() @@ -419,6 +429,125 @@ func TestGatewayStatusKeepsRunningWhenHealthProbeFailsAfterRunning(t *testing.T) } } +func TestGatewayStatusReportsRunningFromHealthProbe(t *testing.T) { + resetGatewayTestState(t) + + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + cmd := startLongRunningProcess(t) + t.Cleanup(func() { + if cmd.Process != nil { + _ = cmd.Process.Kill() + } + _ = cmd.Wait() + }) + + gateway.mu.Lock() + setGatewayRuntimeStatusLocked("stopped") + gateway.mu.Unlock() + + gatewayHealthGet = func(string, time.Duration) (*http.Response, error) { + return mockGatewayHealthResponse(http.StatusOK, cmd.Process.Pid), nil + } + + rec := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/gateway/status", nil) + mux.ServeHTTP(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + var body map[string]any + if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil { + t.Fatalf("unmarshal response: %v", err) + } + + if got := body["gateway_status"]; got != "running" { + t.Fatalf("gateway_status = %#v, want %q", got, "running") + } + if got := body["pid"]; got != float64(cmd.Process.Pid) { + t.Fatalf("pid = %#v, want %d", got, cmd.Process.Pid) + } + if got := body["gateway_restart_required"]; got != false { + t.Fatalf("gateway_restart_required = %#v, want false", got) + } +} + +func TestGatewayStatusRequiresRestartAfterDefaultModelChange(t *testing.T) { + resetGatewayTestState(t) + + configPath := filepath.Join(t.TempDir(), "config.json") + cfg := config.DefaultConfig() + cfg.Agents.Defaults.ModelName = cfg.ModelList[0].ModelName + cfg.ModelList[0].APIKey = "test-key" + cfg.ModelList = append(cfg.ModelList, config.ModelConfig{ + ModelName: "second-model", + Model: "openai/gpt-4.1", + APIKey: "second-key", + }) + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + process, err := os.FindProcess(os.Getpid()) + if err != nil { + t.Fatalf("FindProcess() error = %v", err) + } + + gateway.mu.Lock() + gateway.cmd = &exec.Cmd{Process: process} + gateway.bootDefaultModel = cfg.ModelList[0].ModelName + setGatewayRuntimeStatusLocked("running") + gateway.mu.Unlock() + + updatedCfg, err := config.LoadConfig(configPath) + if err != nil { + t.Fatalf("LoadConfig() error = %v", err) + } + updatedCfg.Agents.Defaults.ModelName = "second-model" + if err := config.SaveConfig(configPath, updatedCfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + gatewayHealthGet = func(string, time.Duration) (*http.Response, error) { + return mockGatewayHealthResponse(http.StatusOK, os.Getpid()), nil + } + + rec := httptest.NewRecorder() + req := httptest.NewRequest(http.MethodGet, "/api/gateway/status", nil) + mux.ServeHTTP(rec, req) + + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d", rec.Code, http.StatusOK) + } + + var body map[string]any + if err := json.Unmarshal(rec.Body.Bytes(), &body); err != nil { + t.Fatalf("unmarshal response: %v", err) + } + + if got := body["gateway_status"]; got != "running" { + t.Fatalf("gateway_status = %#v, want %q", got, "running") + } + if got := body["boot_default_model"]; got != cfg.ModelList[0].ModelName { + t.Fatalf("boot_default_model = %#v, want %q", got, cfg.ModelList[0].ModelName) + } + if got := body["config_default_model"]; got != "second-model" { + t.Fatalf("config_default_model = %#v, want %q", got, "second-model") + } + if got := body["gateway_restart_required"]; got != true { + t.Fatalf("gateway_restart_required = %#v, want true", got) + } +} + func TestGatewayStatusReturnsErrorAfterStartupWindowExpires(t *testing.T) { resetGatewayTestState(t) diff --git a/web/backend/api/pico.go b/web/backend/api/pico.go index d11f7bc5e..a880f2f0c 100644 --- a/web/backend/api/pico.go +++ b/web/backend/api/pico.go @@ -7,7 +7,6 @@ import ( "fmt" "net/http" "net/http/httputil" - "net/url" "time" "github.com/sipeed/picoclaw/pkg/config" @@ -22,20 +21,13 @@ func (h *Handler) registerPicoRoutes(mux *http.ServeMux) { // WebSocket proxy: forward /pico/ws to gateway // This allows the frontend to connect via the same port as the web UI, // avoiding the need to expose extra ports for WebSocket communication. - wsProxy := h.createWsProxy() - mux.HandleFunc("GET /pico/ws", h.handleWebSocketProxy(wsProxy)) + mux.HandleFunc("GET /pico/ws", h.handleWebSocketProxy()) } -// createWsProxy creates a reverse proxy to the gateway WebSocket endpoint. -// The gateway port is read from the configuration. +// createWsProxy creates a reverse proxy to the current gateway WebSocket endpoint. +// The gateway bind host and port are resolved from the latest configuration. func (h *Handler) createWsProxy() *httputil.ReverseProxy { - cfg, err := config.LoadConfig(h.configPath) - gatewayPort := 18790 // default - if err == nil && cfg.Gateway.Port != 0 { - gatewayPort = cfg.Gateway.Port - } - gatewayURL, _ := url.Parse(fmt.Sprintf("http://127.0.0.1:%d", gatewayPort)) - wsProxy := httputil.NewSingleHostReverseProxy(gatewayURL) + wsProxy := httputil.NewSingleHostReverseProxy(h.gatewayProxyURL()) wsProxy.ErrorHandler = func(w http.ResponseWriter, r *http.Request, err error) { http.Error(w, "Gateway unavailable: "+err.Error(), http.StatusBadGateway) } @@ -43,12 +35,10 @@ func (h *Handler) createWsProxy() *httputil.ReverseProxy { } // handleWebSocketProxy wraps a reverse proxy to handle WebSocket connections. -// It ensures the Connection and Upgrade headers are properly forwarded. -func (h *Handler) handleWebSocketProxy(proxy *httputil.ReverseProxy) http.HandlerFunc { +// The reverse proxy forwards the incoming upgrade handshake as-is. +func (h *Handler) handleWebSocketProxy() http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { - // Set headers for WebSocket upgrade - r.Header.Set("Connection", "upgrade") - r.Header.Set("Upgrade", "websocket") + proxy := h.createWsProxy() proxy.ServeHTTP(w, r) } } diff --git a/web/backend/api/pico_test.go b/web/backend/api/pico_test.go index 46149fa09..075da4ddc 100644 --- a/web/backend/api/pico_test.go +++ b/web/backend/api/pico_test.go @@ -2,9 +2,12 @@ package api import ( "encoding/json" + "io" "net/http" "net/http/httptest" + "net/url" "path/filepath" + "strconv" "testing" "github.com/sipeed/picoclaw/pkg/config" @@ -235,3 +238,77 @@ func TestHandlePicoSetup_Response(t *testing.T) { t.Error("response should have changed=true on first setup") } } + +func TestHandleWebSocketProxyReloadsGatewayTargetFromConfig(t *testing.T) { + configPath := filepath.Join(t.TempDir(), "config.json") + h := NewHandler(configPath) + handler := h.handleWebSocketProxy() + + server1 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.URL.Path != "/pico/ws" { + t.Fatalf("server1 path = %q, want %q", r.URL.Path, "/pico/ws") + } + w.WriteHeader(http.StatusOK) + _, _ = io.WriteString(w, "server1") + })) + defer server1.Close() + + server2 := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.URL.Path != "/pico/ws" { + t.Fatalf("server2 path = %q, want %q", r.URL.Path, "/pico/ws") + } + w.WriteHeader(http.StatusOK) + _, _ = io.WriteString(w, "server2") + })) + defer server2.Close() + + cfg := config.DefaultConfig() + cfg.Gateway.Host = "127.0.0.1" + cfg.Gateway.Port = mustGatewayTestPort(t, server1.URL) + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + req1 := httptest.NewRequest(http.MethodGet, "/pico/ws", nil) + rec1 := httptest.NewRecorder() + handler(rec1, req1) + + if rec1.Code != http.StatusOK { + t.Fatalf("first status = %d, want %d", rec1.Code, http.StatusOK) + } + if body := rec1.Body.String(); body != "server1" { + t.Fatalf("first body = %q, want %q", body, "server1") + } + + cfg.Gateway.Port = mustGatewayTestPort(t, server2.URL) + if err := config.SaveConfig(configPath, cfg); err != nil { + t.Fatalf("SaveConfig() error = %v", err) + } + + req2 := httptest.NewRequest(http.MethodGet, "/pico/ws", nil) + rec2 := httptest.NewRecorder() + handler(rec2, req2) + + if rec2.Code != http.StatusOK { + t.Fatalf("second status = %d, want %d", rec2.Code, http.StatusOK) + } + if body := rec2.Body.String(); body != "server2" { + t.Fatalf("second body = %q, want %q", body, "server2") + } +} + +func mustGatewayTestPort(t *testing.T, rawURL string) int { + t.Helper() + + parsed, err := url.Parse(rawURL) + if err != nil { + t.Fatalf("url.Parse() error = %v", err) + } + + port, err := strconv.Atoi(parsed.Port()) + if err != nil { + t.Fatalf("Atoi(%q) error = %v", parsed.Port(), err) + } + + return port +} diff --git a/web/backend/api/router.go b/web/backend/api/router.go index b56438784..028a476f2 100644 --- a/web/backend/api/router.go +++ b/web/backend/api/router.go @@ -71,7 +71,4 @@ func (h *Handler) RegisterRoutes(mux *http.ServeMux) { h.registerLauncherConfigRoutes(mux) } -// Shutdown gracefully shuts down the handler, closing all SSE connections. -func (h *Handler) Shutdown() { - gateway.events.Shutdown() -} +func (h *Handler) Shutdown() {} diff --git a/web/backend/middleware/middleware.go b/web/backend/middleware/middleware.go index de9e6d870..e15da577b 100644 --- a/web/backend/middleware/middleware.go +++ b/web/backend/middleware/middleware.go @@ -4,16 +4,14 @@ import ( "log" "net/http" "runtime/debug" - "strings" "time" ) // JSONContentType sets the Content-Type header to application/json for // API requests handled by the wrapped handler. -// SSE endpoints (text/event-stream) are excluded. func JSONContentType(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if strings.HasPrefix(r.URL.Path, "/api/") && !strings.HasSuffix(r.URL.Path, "/events") { + if len(r.URL.Path) >= 5 && r.URL.Path[:5] == "/api/" { w.Header().Set("Content-Type", "application/json") } next.ServeHTTP(w, r) @@ -32,7 +30,6 @@ func (rr *responseRecorder) WriteHeader(code int) { } // Flush delegates to the underlying ResponseWriter if it implements http.Flusher. -// This is required for SSE (Server-Sent Events) to work through the middleware. func (rr *responseRecorder) Flush() { if f, ok := rr.ResponseWriter.(http.Flusher); ok { f.Flush() diff --git a/web/backend/systray.go b/web/backend/systray.go index 58ce4984f..1ff98c71b 100644 --- a/web/backend/systray.go +++ b/web/backend/systray.go @@ -94,7 +94,7 @@ func onReady() { func onExit() { fmt.Println(T(Exiting)) - // First, shutdown API handler to close all SSE connections + // First, shutdown API handler if apiHandler != nil { apiHandler.Shutdown() } diff --git a/web/frontend/src/components/app-header.tsx b/web/frontend/src/components/app-header.tsx index fe0c84e69..4f0688008 100644 --- a/web/frontend/src/components/app-header.tsx +++ b/web/frontend/src/components/app-header.tsx @@ -56,14 +56,20 @@ export function AppHeader() { const isRunning = gwState === "running" const isStarting = gwState === "starting" const isRestarting = gwState === "restarting" + const isStopping = gwState === "stopping" const isStopped = gwState === "stopped" || gwState === "unknown" const showNotConnectedHint = - !isRestarting && canStart && (gwState === "stopped" || gwState === "error") + !isRestarting && + !isStopping && + canStart && + (gwState === "stopped" || gwState === "error") const [showStopDialog, setShowStopDialog] = React.useState(false) const handleGatewayToggle = () => { - if (gwLoading || isRestarting || (!isRunning && !canStart)) return + if (gwLoading || isRestarting || isStopping || (!isRunning && !canStart)) { + return + } if (isRunning) { setShowStopDialog(true) } else { @@ -137,7 +143,7 @@ export function AppHeader() { size="icon-sm" className="bg-amber-500/15 text-amber-700 hover:bg-amber-500/25 hover:text-amber-800 dark:text-amber-300 dark:hover:bg-amber-500/25" onClick={handleGatewayRestart} - disabled={gwLoading || isRestarting || !canStart} + disabled={gwLoading || isRestarting || isStopping || !canStart} aria-label={t("header.gateway.action.restart")} > <IconRefresh className="size-4" /> @@ -168,25 +174,31 @@ export function AppHeader() { </Tooltip> ) : ( <Button - variant={isStarting || isRestarting ? "secondary" : "default"} + variant={ + isStarting || isRestarting || isStopping ? "secondary" : "default" + } size="sm" className={`h-8 gap-2 px-3 ${ isStopped ? "bg-green-500 text-white hover:bg-green-600" : "" }`} onClick={handleGatewayToggle} - disabled={gwLoading || isStarting || isRestarting || !canStart} + disabled={ + gwLoading || isStarting || isRestarting || isStopping || !canStart + } > - {gwLoading || isStarting || isRestarting ? ( + {gwLoading || isStarting || isRestarting || isStopping ? ( <IconLoader2 className="h-4 w-4 animate-spin opacity-70" /> ) : ( <IconPlayerPlay className="h-4 w-4 opacity-80" /> )} <span className="text-xs font-semibold"> - {isRestarting - ? t("header.gateway.status.restarting") - : isStarting - ? t("header.gateway.status.starting") - : t("header.gateway.action.start")} + {isStopping + ? t("header.gateway.status.stopping") + : isRestarting + ? t("header.gateway.status.restarting") + : isStarting + ? t("header.gateway.status.starting") + : t("header.gateway.action.start")} </span> </Button> )} diff --git a/web/frontend/src/hooks/use-gateway-logs.ts b/web/frontend/src/hooks/use-gateway-logs.ts index 15cbca4ae..1de361124 100644 --- a/web/frontend/src/hooks/use-gateway-logs.ts +++ b/web/frontend/src/hooks/use-gateway-logs.ts @@ -37,7 +37,9 @@ export function useGatewayLogs() { const fetchLogs = async () => { if ( !mounted || - !["running", "starting", "restarting"].includes(gateway.status) + !["running", "starting", "restarting", "stopping"].includes( + gateway.status, + ) ) { if (mounted) { timeout = setTimeout(fetchLogs, 1000) diff --git a/web/frontend/src/hooks/use-gateway.ts b/web/frontend/src/hooks/use-gateway.ts index 65ec2b776..b118b43da 100644 --- a/web/frontend/src/hooks/use-gateway.ts +++ b/web/frontend/src/hooks/use-gateway.ts @@ -1,83 +1,24 @@ import { useAtomValue } from "jotai" import { useCallback, useEffect, useState } from "react" +import { restartGateway, startGateway, stopGateway } from "@/api/gateway" import { - type GatewayStatusResponse, - getGatewayStatus, - restartGateway, - startGateway, - stopGateway, -} from "@/api/gateway" -import { - applyGatewayStatusToStore, + beginGatewayStoppingTransition, + cancelGatewayStoppingTransition, gatewayAtom, + refreshGatewayState, + subscribeGatewayPolling, updateGatewayStore, } from "@/store" -// Global variable to ensure we only have one SSE connection -let sseInitialized = false - export function useGateway() { const gateway = useAtomValue(gatewayAtom) const { status: state, canStart, restartRequired } = gateway const [loading, setLoading] = useState(false) - const applyGatewayStatus = useCallback((data: GatewayStatusResponse) => { - applyGatewayStatusToStore(data) - }, []) - - // Initialize global SSE connection once useEffect(() => { - if (sseInitialized) return - sseInitialized = true - - getGatewayStatus() - .then((data) => applyGatewayStatus(data)) - .catch(() => { - updateGatewayStore({ - status: "unknown", - canStart: true, - restartRequired: false, - }) - }) - - const statusPoll = window.setInterval(() => { - getGatewayStatus() - .then((data) => applyGatewayStatus(data)) - .catch(() => { - // ignore polling errors - }) - }, 5000) - - // Subscribe to SSE for real-time updates globally - const es = new EventSource("/api/gateway/events") - - es.onmessage = (event) => { - try { - const data = JSON.parse(event.data) - if ( - data.gateway_status || - typeof data.gateway_start_allowed === "boolean" - ) { - applyGatewayStatus(data) - } - } catch { - // ignore - } - } - - es.onerror = () => { - // EventSource will auto-reconnect. Preserve the last known gateway - // status so transient SSE disconnects do not suppress chat websocket - // reconnects while polling catches up. - } - - return () => { - window.clearInterval(statusPoll) - es.close() - sseInitialized = false - } - }, [applyGatewayStatus]) + return subscribeGatewayPolling() + }, []) const start = useCallback(async () => { if (!canStart) return @@ -85,33 +26,28 @@ export function useGateway() { setLoading(true) try { await startGateway() - // SSE will push the real state changes, but set optimistic state - updateGatewayStore({ status: "starting" }) - } catch (err) { - console.error("Failed to start gateway:", err) - try { - const status = await getGatewayStatus() - applyGatewayStatus(status) - } catch { - updateGatewayStore({ status: "unknown" }) - } - } finally { - setLoading(false) - } - }, [applyGatewayStatus, canStart]) - - const stop = useCallback(async () => { - setLoading(true) - try { - await stopGateway() updateGatewayStore({ - status: "stopped", - canStart: true, + status: "starting", restartRequired: false, }) } catch (err) { - console.error("Failed to stop gateway:", err) + console.error("Failed to start gateway:", err) } finally { + await refreshGatewayState({ force: true }) + setLoading(false) + } + }, [canStart]) + + const stop = useCallback(async () => { + setLoading(true) + beginGatewayStoppingTransition() + try { + await stopGateway() + } catch (err) { + console.error("Failed to stop gateway:", err) + cancelGatewayStoppingTransition() + } finally { + await refreshGatewayState({ force: true }) setLoading(false) } }, []) @@ -119,34 +55,20 @@ export function useGateway() { const restart = useCallback(async () => { if (state !== "running") return - const previousState = state - const previousCanStart = canStart - const previousRestartRequired = restartRequired - setLoading(true) - updateGatewayStore({ - status: "restarting", - restartRequired: false, - }) - try { await restartGateway() + updateGatewayStore({ + status: "restarting", + restartRequired: false, + }) } catch (err) { console.error("Failed to restart gateway:", err) - try { - const status = await getGatewayStatus() - applyGatewayStatus(status) - } catch { - updateGatewayStore({ - status: previousState, - canStart: previousCanStart, - restartRequired: previousRestartRequired, - }) - } } finally { + await refreshGatewayState({ force: true }) setLoading(false) } - }, [applyGatewayStatus, canStart, restartRequired, state]) + }, [state]) return { state, loading, canStart, restartRequired, start, stop, restart } } diff --git a/web/frontend/src/i18n/locales/en.json b/web/frontend/src/i18n/locales/en.json index 2fa32ebb5..327b4c646 100644 --- a/web/frontend/src/i18n/locales/en.json +++ b/web/frontend/src/i18n/locales/en.json @@ -63,7 +63,8 @@ }, "status": { "starting": "Starting Gateway...", - "restarting": "Restarting Gateway..." + "restarting": "Restarting Gateway...", + "stopping": "Stopping Gateway..." }, "restartRequired": "Model changes require a gateway restart to take effect." } diff --git a/web/frontend/src/i18n/locales/zh.json b/web/frontend/src/i18n/locales/zh.json index badf5bb3d..cd674ddc1 100644 --- a/web/frontend/src/i18n/locales/zh.json +++ b/web/frontend/src/i18n/locales/zh.json @@ -63,7 +63,8 @@ }, "status": { "starting": "服务启动中...", - "restarting": "服务重启中..." + "restarting": "服务重启中...", + "stopping": "服务停止中..." }, "restartRequired": "切换默认模型后需要重启服务才能生效。" } diff --git a/web/frontend/src/store/gateway.ts b/web/frontend/src/store/gateway.ts index c5eee8451..1bdec6220 100644 --- a/web/frontend/src/store/gateway.ts +++ b/web/frontend/src/store/gateway.ts @@ -6,6 +6,7 @@ export type GatewayState = | "running" | "starting" | "restarting" + | "stopping" | "stopped" | "error" | "unknown" @@ -24,9 +25,29 @@ const DEFAULT_GATEWAY_STATE: GatewayStoreState = { restartRequired: false, } +const GATEWAY_POLL_INTERVAL_MS = 2000 +const GATEWAY_TRANSIENT_POLL_INTERVAL_MS = 1000 +const GATEWAY_STOPPING_TIMEOUT_MS = 5000 + +interface RefreshGatewayStateOptions { + force?: boolean +} + // Global atom for gateway state export const gatewayAtom = atom<GatewayStoreState>(DEFAULT_GATEWAY_STATE) +let gatewayPollingSubscribers = 0 +let gatewayPollingTimer: ReturnType<typeof setTimeout> | null = null +let gatewayPollingRequest: Promise<void> | null = null +let gatewayStoppingTimer: ReturnType<typeof setTimeout> | null = null + +function clearGatewayStoppingTimeout() { + if (gatewayStoppingTimer !== null) { + clearTimeout(gatewayStoppingTimer) + gatewayStoppingTimer = null + } +} + function normalizeGatewayStoreState( prev: GatewayStoreState, patch: GatewayStorePatch, @@ -49,10 +70,38 @@ export function updateGatewayStore( | GatewayStorePatch | ((prev: GatewayStoreState) => GatewayStorePatch | GatewayStoreState), ) { - getDefaultStore().set(gatewayAtom, (prev) => { + const store = getDefaultStore() + store.set(gatewayAtom, (prev) => { const nextPatch = typeof patch === "function" ? patch(prev) : patch return normalizeGatewayStoreState(prev, nextPatch) }) + const nextState = store.get(gatewayAtom) + if (nextState?.status !== "stopping") { + clearGatewayStoppingTimeout() + } +} + +export function beginGatewayStoppingTransition() { + clearGatewayStoppingTimeout() + updateGatewayStore({ + status: "stopping", + canStart: false, + restartRequired: false, + }) + gatewayStoppingTimer = setTimeout(() => { + gatewayStoppingTimer = null + updateGatewayStore((prev) => + prev.status === "stopping" ? { status: "running" } : prev, + ) + void refreshGatewayState({ force: true }) + }, GATEWAY_STOPPING_TIMEOUT_MS) +} + +export function cancelGatewayStoppingTransition() { + clearGatewayStoppingTimeout() + updateGatewayStore((prev) => + prev.status === "stopping" ? { status: "running" } : prev, + ) } export function applyGatewayStatusToStore( @@ -64,21 +113,92 @@ export function applyGatewayStatusToStore( >, ) { updateGatewayStore((prev) => ({ - status: data.gateway_status ?? prev.status, - canStart: data.gateway_start_allowed ?? prev.canStart, - restartRequired: - data.gateway_restart_required ?? - (data.gateway_status && data.gateway_status !== "running" + status: + prev.status === "stopping" && data.gateway_status === "running" + ? "stopping" + : (data.gateway_status ?? prev.status), + canStart: + prev.status === "stopping" && data.gateway_status === "running" ? false - : prev.restartRequired), + : (data.gateway_start_allowed ?? prev.canStart), + restartRequired: + prev.status === "stopping" && data.gateway_status === "running" + ? false + : (data.gateway_restart_required ?? prev.restartRequired), })) } -export async function refreshGatewayState() { +function nextGatewayPollInterval() { + const status = getDefaultStore().get(gatewayAtom).status + if ( + status === "starting" || + status === "restarting" || + status === "stopping" + ) { + return GATEWAY_TRANSIENT_POLL_INTERVAL_MS + } + return GATEWAY_POLL_INTERVAL_MS +} + +function scheduleGatewayPoll(delay = nextGatewayPollInterval()) { + if (gatewayPollingSubscribers === 0) { + return + } + + if (gatewayPollingTimer !== null) { + clearTimeout(gatewayPollingTimer) + } + + gatewayPollingTimer = setTimeout(() => { + gatewayPollingTimer = null + void refreshGatewayState() + }, delay) +} + +export async function refreshGatewayState( + options: RefreshGatewayStateOptions = {}, +) { + if (gatewayPollingRequest) { + await gatewayPollingRequest + if (options.force) { + return refreshGatewayState() + } + return + } + + gatewayPollingRequest = (async () => { + try { + const status = await getGatewayStatus() + applyGatewayStatusToStore(status) + } catch { + // Preserve the last known state when a poll fails. + } finally { + gatewayPollingRequest = null + scheduleGatewayPoll() + } + })() + try { - const status = await getGatewayStatus() - applyGatewayStatusToStore(status) - } catch { - updateGatewayStore(DEFAULT_GATEWAY_STATE) + await gatewayPollingRequest + } finally { + if (gatewayPollingSubscribers === 0 && gatewayPollingTimer !== null) { + clearTimeout(gatewayPollingTimer) + gatewayPollingTimer = null + } + } +} + +export function subscribeGatewayPolling() { + gatewayPollingSubscribers += 1 + if (gatewayPollingSubscribers === 1) { + void refreshGatewayState() + } + + return () => { + gatewayPollingSubscribers = Math.max(0, gatewayPollingSubscribers - 1) + if (gatewayPollingSubscribers === 0 && gatewayPollingTimer !== null) { + clearTimeout(gatewayPollingTimer) + gatewayPollingTimer = null + } } } From 7b9fdaec3229422fa9d81d3100eaea0ec8878acb Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 18:56:52 +0800 Subject: [PATCH 41/47] feat(config): add exec controls and gate cron commands on exec settings (#1685) - add a dedicated exec settings section in the config page - support timeout and custom allow/deny regex patterns for exec - validate custom exec regex patterns in the config API - block cron command scheduling and execution when exec is disabled - update tests and i18n strings for the new command settings --- pkg/tools/cron.go | 37 +++++-- pkg/tools/cron_test.go | 49 +++++++++ web/backend/api/config.go | 22 ++++ web/backend/api/config_test.go | 79 ++++++++++++++ .../src/components/config/config-page.tsx | 30 +++++- .../src/components/config/config-sections.tsx | 102 ++++++++++++++++-- .../src/components/config/form-model.ts | 42 ++++++++ web/frontend/src/i18n/locales/en.json | 24 +++-- web/frontend/src/i18n/locales/zh.json | 22 +++- 9 files changed, 379 insertions(+), 28 deletions(-) diff --git a/pkg/tools/cron.go b/pkg/tools/cron.go index aa22f9aa6..154ec75f0 100644 --- a/pkg/tools/cron.go +++ b/pkg/tools/cron.go @@ -25,6 +25,7 @@ type CronTool struct { msgBus *bus.MessageBus execTool *ExecTool allowCommand bool + execEnabled bool } // NewCronTool creates a new CronTool @@ -33,23 +34,32 @@ func NewCronTool( cronService *cron.CronService, executor JobExecutor, msgBus *bus.MessageBus, workspace string, restrict bool, execTimeout time.Duration, config *config.Config, ) (*CronTool, error) { - execTool, err := NewExecToolWithConfig(workspace, restrict, config) - if err != nil { - return nil, fmt.Errorf("unable to configure exec tool: %w", err) - } - allowCommand := true + execEnabled := true if config != nil { allowCommand = config.Tools.Cron.AllowCommand + execEnabled = config.Tools.Exec.Enabled } - execTool.SetTimeout(execTimeout) + var execTool *ExecTool + if execEnabled { + var err error + execTool, err = NewExecToolWithConfig(workspace, restrict, config) + if err != nil { + return nil, fmt.Errorf("unable to configure exec tool: %w", err) + } + } + + if execTool != nil { + execTool.SetTimeout(execTimeout) + } return &CronTool{ cronService: cronService, executor: executor, msgBus: msgBus, execTool: execTool, allowCommand: allowCommand, + execEnabled: execEnabled, }, nil } @@ -193,6 +203,9 @@ func (t *CronTool) addJob(ctx context.Context, args map[string]any) *ToolResult command, _ := args["command"].(string) commandConfirm, _ := args["command_confirm"].(bool) if command != "" { + if !t.execEnabled { + return ErrorResult("command execution is disabled") + } if !constants.IsInternalChannel(channel) { return ErrorResult("scheduling command execution is restricted to internal channels") } @@ -298,6 +311,18 @@ func (t *CronTool) ExecuteJob(ctx context.Context, job *cron.CronJob) string { // Execute command if present if job.Payload.Command != "" { + if !t.execEnabled || t.execTool == nil { + output := "Error executing scheduled command: command execution is disabled" + pubCtx, pubCancel := context.WithTimeout(context.Background(), 5*time.Second) + defer pubCancel() + t.msgBus.PublishOutbound(pubCtx, bus.OutboundMessage{ + Channel: channel, + ChatID: chatID, + Content: output, + }) + return "ok" + } + args := map[string]any{ "command": job.Payload.Command, "__channel": channel, diff --git a/pkg/tools/cron_test.go b/pkg/tools/cron_test.go index e46b13b13..09d29b6fa 100644 --- a/pkg/tools/cron_test.go +++ b/pkg/tools/cron_test.go @@ -5,6 +5,7 @@ import ( "path/filepath" "strings" "testing" + "time" "github.com/sipeed/picoclaw/pkg/bus" "github.com/sipeed/picoclaw/pkg/config" @@ -112,6 +113,28 @@ func TestCronTool_CommandAllowedWithConfirmWhenAllowCommandDisabled(t *testing.T } } +func TestCronTool_CommandBlockedWhenExecDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Exec.Enabled = false + + tool := newTestCronToolWithConfig(t, cfg) + ctx := WithToolContext(context.Background(), "cli", "direct") + result := tool.Execute(ctx, map[string]any{ + "action": "add", + "message": "check disk", + "command": "df -h", + "command_confirm": true, + "at_seconds": float64(60), + }) + + if !result.IsError { + t.Fatal("expected command scheduling to be blocked when exec is disabled") + } + if !strings.Contains(result.ForLLM, "command execution is disabled") { + t.Errorf("expected exec disabled message, got: %s", result.ForLLM) + } +} + // TestCronTool_CommandAllowedFromInternalChannel verifies command scheduling works from internal channels func TestCronTool_CommandAllowedFromInternalChannel(t *testing.T) { tool := newTestCronTool(t) @@ -185,3 +208,29 @@ func TestCronTool_NonCommandJobDefaultsDeliverToFalse(t *testing.T) { t.Fatal("expected deliver=false by default for non-command jobs") } } + +func TestCronTool_ExecuteJobPublishesErrorWhenExecDisabled(t *testing.T) { + cfg := config.DefaultConfig() + cfg.Tools.Exec.Enabled = false + + tool := newTestCronToolWithConfig(t, cfg) + job := &cron.CronJob{} + job.Payload.Channel = "cli" + job.Payload.To = "direct" + job.Payload.Command = "df -h" + + if got := tool.ExecuteJob(context.Background(), job); got != "ok" { + t.Fatalf("ExecuteJob() = %q, want ok", got) + } + + ctx, cancel := context.WithTimeout(context.Background(), time.Second) + defer cancel() + + msg, ok := tool.msgBus.SubscribeOutbound(ctx) + if !ok { + t.Fatal("expected outbound message") + } + if !strings.Contains(msg.Content, "command execution is disabled") { + t.Fatalf("expected exec disabled message, got: %s", msg.Content) + } +} diff --git a/web/backend/api/config.go b/web/backend/api/config.go index 091e3fbae..a7d5b3c5d 100644 --- a/web/backend/api/config.go +++ b/web/backend/api/config.go @@ -5,6 +5,7 @@ import ( "fmt" "io" "net/http" + "regexp" "github.com/sipeed/picoclaw/pkg/config" ) @@ -188,6 +189,27 @@ func validateConfig(cfg *config.Config) []string { errs = append(errs, "channels.discord.token is required when discord channel is enabled") } + if cfg.Tools.Exec.Enabled { + if cfg.Tools.Exec.EnableDenyPatterns { + errs = append( + errs, + validateRegexPatterns("tools.exec.custom_deny_patterns", cfg.Tools.Exec.CustomDenyPatterns)...) + } + errs = append( + errs, + validateRegexPatterns("tools.exec.custom_allow_patterns", cfg.Tools.Exec.CustomAllowPatterns)...) + } + + return errs +} + +func validateRegexPatterns(field string, patterns []string) []string { + var errs []string + for index, pattern := range patterns { + if _, err := regexp.Compile(pattern); err != nil { + errs = append(errs, fmt.Sprintf("%s[%d] is not a valid regular expression: %v", field, index, err)) + } + } return errs } diff --git a/web/backend/api/config_test.go b/web/backend/api/config_test.go index 29811e37e..54ec8e857 100644 --- a/web/backend/api/config_test.go +++ b/web/backend/api/config_test.go @@ -86,3 +86,82 @@ func TestHandleUpdateConfig_DoesNotInheritDefaultModelFields(t *testing.T) { t.Fatalf("model_list[0].api_base = %q, want empty string", got) } } + +func TestHandlePatchConfig_RejectsInvalidExecRegexPatterns(t *testing.T) { + configPath, cleanup := setupOAuthTestEnv(t) + defer cleanup() + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + req := httptest.NewRequest(http.MethodPatch, "/api/config", bytes.NewBufferString(`{ + "tools": { + "exec": { + "custom_deny_patterns": ["("] + } + } + }`)) + req.Header.Set("Content-Type", "application/json") + + rec := httptest.NewRecorder() + mux.ServeHTTP(rec, req) + if rec.Code != http.StatusBadRequest { + t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusBadRequest, rec.Body.String()) + } + if !bytes.Contains(rec.Body.Bytes(), []byte("custom_deny_patterns")) { + t.Fatalf("expected validation error mentioning custom_deny_patterns, body=%s", rec.Body.String()) + } +} + +func TestHandlePatchConfig_AllowsInvalidExecRegexPatternsWhenExecDisabled(t *testing.T) { + configPath, cleanup := setupOAuthTestEnv(t) + defer cleanup() + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + req := httptest.NewRequest(http.MethodPatch, "/api/config", bytes.NewBufferString(`{ + "tools": { + "exec": { + "enabled": false, + "custom_deny_patterns": ["("], + "custom_allow_patterns": ["("] + } + } + }`)) + req.Header.Set("Content-Type", "application/json") + + rec := httptest.NewRecorder() + mux.ServeHTTP(rec, req) + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusOK, rec.Body.String()) + } +} + +func TestHandlePatchConfig_AllowsInvalidDenyRegexPatternsWhenDenyPatternsDisabled(t *testing.T) { + configPath, cleanup := setupOAuthTestEnv(t) + defer cleanup() + + h := NewHandler(configPath) + mux := http.NewServeMux() + h.RegisterRoutes(mux) + + req := httptest.NewRequest(http.MethodPatch, "/api/config", bytes.NewBufferString(`{ + "tools": { + "exec": { + "enabled": true, + "enable_deny_patterns": false, + "custom_deny_patterns": ["("] + } + } + }`)) + req.Header.Set("Content-Type", "application/json") + + rec := httptest.NewRecorder() + mux.ServeHTTP(rec, req) + if rec.Code != http.StatusOK { + t.Fatalf("status = %d, want %d, body=%s", rec.Code, http.StatusOK, rec.Body.String()) + } +} diff --git a/web/frontend/src/components/config/config-page.tsx b/web/frontend/src/components/config/config-page.tsx index 130498ba4..e533b956f 100644 --- a/web/frontend/src/components/config/config-page.tsx +++ b/web/frontend/src/components/config/config-page.tsx @@ -16,6 +16,7 @@ import { AgentDefaultsSection, CronSection, DevicesSection, + ExecSection, LauncherSection, RuntimeSection, } from "@/components/config/config-sections" @@ -27,6 +28,7 @@ import { buildFormFromConfig, parseCIDRText, parseIntField, + parseMultilineList, } from "@/components/config/form-model" import { PageHeader } from "@/components/page-header" import { Button } from "@/components/ui/button" @@ -170,6 +172,28 @@ export function ConfigPage() { "Cron exec timeout", { min: 0 }, ) + const execConfigPatch: Record<string, unknown> = { + enabled: form.execEnabled, + } + + if (form.execEnabled) { + execConfigPatch.allow_remote = form.allowRemote + execConfigPatch.enable_deny_patterns = form.enableDenyPatterns + execConfigPatch.custom_allow_patterns = parseMultilineList( + form.customAllowPatternsText, + ) + execConfigPatch.timeout_seconds = parseIntField( + form.execTimeoutSeconds, + "Exec timeout", + { min: 0 }, + ) + + if (form.enableDenyPatterns) { + execConfigPatch.custom_deny_patterns = parseMultilineList( + form.customDenyPatternsText, + ) + } + } await patchAppConfig({ agents: { @@ -190,9 +214,7 @@ export function ConfigPage() { allow_command: form.allowCommand, exec_timeout_minutes: cronExecTimeoutMinutes, }, - exec: { - allow_remote: form.allowRemote, - }, + exec: execConfigPatch, }, heartbeat: { enabled: form.heartbeatEnabled, @@ -289,6 +311,8 @@ export function ConfigPage() { <RuntimeSection form={form} onFieldChange={updateField} /> + <ExecSection form={form} onFieldChange={updateField} /> + <CronSection form={form} onFieldChange={updateField} /> <LauncherSection diff --git a/web/frontend/src/components/config/config-sections.tsx b/web/frontend/src/components/config/config-sections.tsx index 04b9e528b..517185eda 100644 --- a/web/frontend/src/components/config/config-sections.tsx +++ b/web/frontend/src/components/config/config-sections.tsx @@ -93,14 +93,6 @@ export function AgentDefaultsSection({ } /> - <SwitchCardField - label={t("pages.config.allow_remote")} - hint={t("pages.config.allow_remote_hint")} - layout="setting-row" - checked={form.allowRemote} - onCheckedChange={(checked) => onFieldChange("allowRemote", checked)} - /> - <Field label={t("pages.config.max_tokens")} hint={t("pages.config.max_tokens_hint")} @@ -161,6 +153,98 @@ export function AgentDefaultsSection({ ) } +interface ExecSectionProps { + form: CoreConfigForm + onFieldChange: UpdateCoreField +} + +export function ExecSection({ form, onFieldChange }: ExecSectionProps) { + const { t } = useTranslation() + + return ( + <ConfigSectionCard title={t("pages.config.sections.exec")}> + <SwitchCardField + label={t("pages.config.exec_enabled")} + hint={t("pages.config.exec_enabled_hint")} + layout="setting-row" + checked={form.execEnabled} + onCheckedChange={(checked) => onFieldChange("execEnabled", checked)} + /> + + {form.execEnabled && ( + <> + <SwitchCardField + label={t("pages.config.allow_remote")} + hint={t("pages.config.allow_remote_hint")} + layout="setting-row" + checked={form.allowRemote} + onCheckedChange={(checked) => onFieldChange("allowRemote", checked)} + /> + + <SwitchCardField + label={t("pages.config.enable_deny_patterns")} + hint={t("pages.config.enable_deny_patterns_hint")} + layout="setting-row" + checked={form.enableDenyPatterns} + onCheckedChange={(checked) => + onFieldChange("enableDenyPatterns", checked) + } + /> + + {form.enableDenyPatterns && ( + <Field + label={t("pages.config.custom_deny_patterns")} + hint={t("pages.config.custom_deny_patterns_hint")} + layout="setting-row" + controlClassName="md:max-w-md" + > + <Textarea + value={form.customDenyPatternsText} + placeholder={t("pages.config.custom_patterns_placeholder")} + className="min-h-[88px]" + onChange={(e) => + onFieldChange("customDenyPatternsText", e.target.value) + } + /> + </Field> + )} + + <Field + label={t("pages.config.custom_allow_patterns")} + hint={t("pages.config.custom_allow_patterns_hint")} + layout="setting-row" + controlClassName="md:max-w-md" + > + <Textarea + value={form.customAllowPatternsText} + placeholder={t("pages.config.custom_patterns_placeholder")} + className="min-h-[88px]" + onChange={(e) => + onFieldChange("customAllowPatternsText", e.target.value) + } + /> + </Field> + + <Field + label={t("pages.config.exec_timeout_seconds")} + hint={t("pages.config.exec_timeout_seconds_hint")} + layout="setting-row" + > + <Input + type="number" + min={0} + value={form.execTimeoutSeconds} + onChange={(e) => + onFieldChange("execTimeoutSeconds", e.target.value) + } + /> + </Field> + </> + )} + </ConfigSectionCard> + ) +} + interface RuntimeSectionProps { form: CoreConfigForm onFieldChange: UpdateCoreField @@ -251,6 +335,7 @@ export function CronSection({ form, onFieldChange }: CronSectionProps) { hint={t("pages.config.allow_shell_execution_hint")} layout="setting-row" checked={form.allowCommand} + disabled={!form.execEnabled} onCheckedChange={(checked) => onFieldChange("allowCommand", checked)} /> @@ -262,6 +347,7 @@ export function CronSection({ form, onFieldChange }: CronSectionProps) { <Input type="number" min={0} + disabled={!form.execEnabled} value={form.cronExecTimeoutMinutes} onChange={(e) => onFieldChange("cronExecTimeoutMinutes", e.target.value) diff --git a/web/frontend/src/components/config/form-model.ts b/web/frontend/src/components/config/form-model.ts index 8c850b2c4..90d849274 100644 --- a/web/frontend/src/components/config/form-model.ts +++ b/web/frontend/src/components/config/form-model.ts @@ -3,7 +3,12 @@ export type JsonRecord = Record<string, unknown> export interface CoreConfigForm { workspace: string restrictToWorkspace: boolean + execEnabled: boolean allowRemote: boolean + enableDenyPatterns: boolean + customDenyPatternsText: string + customAllowPatternsText: string + execTimeoutSeconds: string allowCommand: boolean cronExecTimeoutMinutes: string maxTokens: string @@ -57,7 +62,12 @@ export const DM_SCOPE_OPTIONS = [ export const EMPTY_FORM: CoreConfigForm = { workspace: "", restrictToWorkspace: true, + execEnabled: true, allowRemote: true, + enableDenyPatterns: true, + customDenyPatternsText: "", + customAllowPatternsText: "", + execTimeoutSeconds: "0", allowCommand: true, cronExecTimeoutMinutes: "5", maxTokens: "32768", @@ -119,10 +129,32 @@ export function buildFormFromConfig(config: unknown): CoreConfigForm { defaults.restrict_to_workspace === undefined ? EMPTY_FORM.restrictToWorkspace : asBool(defaults.restrict_to_workspace), + execEnabled: + exec.enabled === undefined + ? EMPTY_FORM.execEnabled + : asBool(exec.enabled), allowRemote: exec.allow_remote === undefined ? EMPTY_FORM.allowRemote : asBool(exec.allow_remote), + enableDenyPatterns: + exec.enable_deny_patterns === undefined + ? EMPTY_FORM.enableDenyPatterns + : asBool(exec.enable_deny_patterns), + customDenyPatternsText: Array.isArray(exec.custom_deny_patterns) + ? exec.custom_deny_patterns + .filter((value): value is string => typeof value === "string") + .join("\n") + : EMPTY_FORM.customDenyPatternsText, + customAllowPatternsText: Array.isArray(exec.custom_allow_patterns) + ? exec.custom_allow_patterns + .filter((value): value is string => typeof value === "string") + .join("\n") + : EMPTY_FORM.customAllowPatternsText, + execTimeoutSeconds: asNumberString( + exec.timeout_seconds, + EMPTY_FORM.execTimeoutSeconds, + ), allowCommand: cron.allow_command === undefined ? EMPTY_FORM.allowCommand @@ -191,3 +223,13 @@ export function parseCIDRText(raw: string): string[] { .map((v) => v.trim()) .filter((v) => v.length > 0) } + +export function parseMultilineList(raw: string): string[] { + if (!raw.trim()) { + return [] + } + return raw + .split("\n") + .map((value) => value.trim()) + .filter((value) => value.length > 0) +} diff --git a/web/frontend/src/i18n/locales/en.json b/web/frontend/src/i18n/locales/en.json index 327b4c646..0b9d8c614 100644 --- a/web/frontend/src/i18n/locales/en.json +++ b/web/frontend/src/i18n/locales/en.json @@ -393,12 +393,23 @@ "workspace_hint": "Base directory for agent file operations.", "restrict_workspace": "Restrict to Workspace", "restrict_workspace_hint": "Only allow file operations inside workspace.", - "allow_remote": "Allow Remote Shell Execution", - "allow_remote_hint": "When enabled, shell commands can also run for remote sessions or non-local contexts. When disabled, shell execution stays limited to local safe contexts.", - "allow_shell_execution": "Allow Shell Execution", - "allow_shell_execution_hint": "Enable scheduled shell commands for cron jobs by default. When disabled, users must pass command_confirm=true to schedule a cron command.", - "cron_exec_timeout": "Cron Command Timeout (minutes)", - "cron_exec_timeout_hint": "Maximum runtime for scheduled shell commands. Set to 0 to disable the timeout.", + "exec_enabled": "Allow Commands", + "exec_enabled_hint": "Enable or disable command execution for the app. When disabled, no command requests will run.", + "allow_remote": "Allow Remote Commands", + "allow_remote_hint": "When enabled, remote sessions or non-local contexts can also run commands. When disabled, command execution stays limited to local safe contexts.", + "enable_deny_patterns": "Enable Blacklist", + "enable_deny_patterns_hint": "When enabled, the app blocks commands that match its built-in dangerous patterns and the custom command blacklist below.", + "exec_timeout_seconds": "Command Timeout (seconds)", + "exec_timeout_seconds_hint": "Maximum runtime for command requests. Set to 0 to use the default timeout.", + "custom_deny_patterns": "Command Blacklist", + "custom_deny_patterns_hint": "Add extra command-blocking rules, one regular expression per line. A command matching any rule here will be blocked.", + "custom_allow_patterns": "Command Whitelist", + "custom_allow_patterns_hint": "Add extra command-allow rules, one regular expression per line. A command matching any rule here skips blacklist matching, but other safety limits still apply.", + "custom_patterns_placeholder": "^rm\\s+-rf\\b\n^git\\s+push\\b", + "allow_shell_execution": "Allow Scheduled Commands", + "allow_shell_execution_hint": "Allow scheduled tasks to run commands by default. When disabled, users must pass command_confirm=true to schedule a command task.", + "cron_exec_timeout": "Scheduled Command Timeout (minutes)", + "cron_exec_timeout_hint": "Maximum runtime for scheduled commands. Set to 0 to disable the timeout.", "max_tokens": "Max Tokens", "max_tokens_hint": "Upper token limit per model response.", "max_tool_iterations": "Max Tool Iterations", @@ -439,6 +450,7 @@ "sections": { "agent": "Agent", "runtime": "Runtime", + "exec": "Run Commands", "cron": "Cron Tasks", "launcher": "Service", "devices": "Devices" diff --git a/web/frontend/src/i18n/locales/zh.json b/web/frontend/src/i18n/locales/zh.json index cd674ddc1..c0aa158a2 100644 --- a/web/frontend/src/i18n/locales/zh.json +++ b/web/frontend/src/i18n/locales/zh.json @@ -393,12 +393,23 @@ "workspace_hint": "智能体执行文件读写操作时使用的基础目录。", "restrict_workspace": "限制工作目录访问", "restrict_workspace_hint": "仅允许在工作目录内执行文件操作。", - "allow_remote": "允许远程执行 Shell 命令", - "allow_remote_hint": "开启后,来自远程会话或非本地上下文的请求也可以执行 shell 命令;关闭后,仅允许本地安全上下文执行。", - "allow_shell_execution": "允许 Shell 执行", - "allow_shell_execution_hint": "开启后,cron 定时任务默认允许执行 shell 命令。关闭后,必须显式传入 command_confirm=true 才能创建 cron 命令任务。", + "exec_enabled": "允许命令执行", + "exec_enabled_hint": "控制应用是否允许执行命令。关闭后,所有命令请求都不会执行。", + "allow_remote": "允许远程命令执行", + "allow_remote_hint": "开启后,来自远程会话或非本地上下文的请求也可以执行命令;关闭后,仅允许本地安全上下文执行命令。", + "enable_deny_patterns": "启用黑名单", + "enable_deny_patterns_hint": "开启后,应用会拦截匹配内置危险模式以及下方自定义命令黑名单的命令。", + "exec_timeout_seconds": "命令超时(秒)", + "exec_timeout_seconds_hint": "命令请求的最长运行时间。设置为 0 表示使用默认超时。", + "custom_deny_patterns": "命令黑名单", + "custom_deny_patterns_hint": "用于补充额外的命令拦截规则,每行一个正则表达式。命中任意一条规则的命令都会被阻止。", + "custom_allow_patterns": "命令白名单", + "custom_allow_patterns_hint": "用于补充额外的命令放行规则,每行一个正则表达式。命中任意一条规则的命令会跳过黑名单检查,但仍受其他安全限制约束。", + "custom_patterns_placeholder": "^rm\\s+-rf\\b\n^git\\s+push\\b", + "allow_shell_execution": "允许定时任务运行命令", + "allow_shell_execution_hint": "开启后,定时任务默认允许运行命令。关闭后,必须显式传入 command_confirm=true 才能创建运行命令的定时任务。", "cron_exec_timeout": "定时命令超时(分钟)", - "cron_exec_timeout_hint": "定时 shell 命令的最长执行时间。设置为 0 表示不限制超时。", + "cron_exec_timeout_hint": "定时任务中命令的最长运行时间。设置为 0 表示不限制超时。", "max_tokens": "最大 Token 数", "max_tokens_hint": "单次模型响应允许的最大 Token 数。", "max_tool_iterations": "最大工具迭代次数", @@ -439,6 +450,7 @@ "sections": { "agent": "智能体", "runtime": "运行时", + "exec": "运行命令", "cron": "定时任务", "launcher": "服务参数", "devices": "设备" From afe22c5adf882238f371c60f6d07c48889579433 Mon Sep 17 00:00:00 2001 From: Cytown <cytown@gmail.com> Date: Tue, 17 Mar 2026 19:07:36 +0800 Subject: [PATCH 42/47] bug fix: gateway should not start when gateway server is not running (#1562) --- pkg/channels/manager.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/channels/manager.go b/pkg/channels/manager.go index 8121525ab..7d49a0e30 100644 --- a/pkg/channels/manager.go +++ b/pkg/channels/manager.go @@ -396,7 +396,7 @@ func (m *Manager) StartAll(ctx context.Context) error { "addr": m.httpServer.Addr, }) if err := m.httpServer.ListenAndServe(); err != nil && err != http.ErrServerClosed { - logger.ErrorCF("channels", "Shared HTTP server error", map[string]any{ + logger.FatalCF("channels", "Shared HTTP server error", map[string]any{ "error": err.Error(), }) } From da1fddc4f0ce0fe97a0b2c6c0e07f4032a805248 Mon Sep 17 00:00:00 2001 From: Alix-007 <267018309+Alix-007@users.noreply.github.com> Date: Tue, 17 Mar 2026 19:43:02 +0800 Subject: [PATCH 43/47] docs(exec): document build tool guard limitation --- README.md | 15 +++++++++++++++ docs/tools_configuration.md | 16 ++++++++++++++++ 2 files changed, 31 insertions(+) diff --git a/README.md b/README.md index 159ac706f..328d59f8c 100644 --- a/README.md +++ b/README.md @@ -861,6 +861,21 @@ Even with `restrict_to_workspace: false`, the `exec` tool blocks these dangerous * `shutdown`, `reboot`, `poweroff` — System shutdown * Fork bomb `:(){ :|:& };:` +#### Known Limitation: Child Processes From Build Tools + +The exec safety guard only inspects the command line PicoClaw launches directly. It does not recursively inspect child +processes spawned by allowed developer tools such as `make`, `go run`, `cargo`, `npm run`, or custom build scripts. + +That means a top-level command can still compile or launch other binaries after it passes the initial guard check. In +practice, treat build scripts, Makefiles, package scripts, and generated binaries as executable code that needs the same +level of review as a direct shell command. + +For higher-risk environments: + +* Review build scripts before execution. +* Prefer approval/manual review for compile-and-run workflows. +* Run PicoClaw inside a container or VM if you need stronger isolation than the built-in guard provides. + #### Error Examples ``` diff --git a/docs/tools_configuration.md b/docs/tools_configuration.md index 8c8eb31f0..43810d5f8 100644 --- a/docs/tools_configuration.md +++ b/docs/tools_configuration.md @@ -84,6 +84,22 @@ By default, PicoClaw blocks the following dangerous commands: - Git: `git push`, `git force` - Other: `eval`, `source *.sh` +### Known Architectural Limitation + +The exec guard only validates the top-level command sent to PicoClaw. It does **not** recursively inspect child +processes spawned by build tools or scripts after that command starts running. + +Examples of workflows that can bypass the direct command guard once the initial command is allowed: + +- `make run` +- `go run ./cmd/...` +- `cargo run` +- `npm run build` + +This means the guard is useful for blocking obviously dangerous direct commands, but it is **not** a full sandbox for +unreviewed build pipelines. If your threat model includes untrusted code in the workspace, use stronger isolation such +as containers, VMs, or an approval flow around build-and-run commands. + ### Configuration Example ```json From 174fbba14c10cafe64010df36d2fc6f2d4375bab Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 19:43:44 +0800 Subject: [PATCH 44/47] refactor(backend): add darwin no-cgo tray fallback (#1689) --- web/backend/app_runtime.go | 46 +++++++++++++++++++++++++ web/backend/main.go | 9 ++--- web/backend/systray.go | 48 +++------------------------ web/backend/tray_stub_darwin_nocgo.go | 32 ++++++++++++++++++ 4 files changed, 86 insertions(+), 49 deletions(-) create mode 100644 web/backend/app_runtime.go create mode 100644 web/backend/tray_stub_darwin_nocgo.go diff --git a/web/backend/app_runtime.go b/web/backend/app_runtime.go new file mode 100644 index 000000000..cf54e18a1 --- /dev/null +++ b/web/backend/app_runtime.go @@ -0,0 +1,46 @@ +package main + +import ( + "context" + "fmt" + "time" + + "github.com/sipeed/picoclaw/pkg/logger" + "github.com/sipeed/picoclaw/web/backend/utils" +) + +const ( + browserDelay = 500 * time.Millisecond + shutdownTimeout = 15 * time.Second +) + +func shutdownApp() { + fmt.Println(T(Exiting)) + + if apiHandler != nil { + apiHandler.Shutdown() + } + + if server != nil { + server.SetKeepAlivesEnabled(false) + + ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout) + defer cancel() + if err := server.Shutdown(ctx); err != nil { + if err == context.DeadlineExceeded { + logger.Infof("Server shutdown timeout after %v, forcing close", shutdownTimeout) + } else { + logger.Errorf("Server shutdown error: %v", err) + } + } else { + logger.Infof("Server shutdown completed successfully") + } + } +} + +func openBrowser() error { + if serverAddr == "" { + return fmt.Errorf("server address not set") + } + return utils.OpenBrowser(serverAddr) +} diff --git a/web/backend/main.go b/web/backend/main.go index f2fe3de97..ec4e2832d 100644 --- a/web/backend/main.go +++ b/web/backend/main.go @@ -22,8 +22,6 @@ import ( "strconv" "time" - "fyne.io/systray" - "github.com/sipeed/picoclaw/pkg/config" "github.com/sipeed/picoclaw/web/backend/api" "github.com/sipeed/picoclaw/web/backend/launcherconfig" @@ -168,10 +166,10 @@ func main() { } fmt.Println() - // Set server address for systray + // Share the local URL with the launcher runtime. serverAddr = fmt.Sprintf("http://localhost:%s", effectivePort) - // Auto-open browser will be handled by systray onReady + // Auto-open browser will be handled by the launcher runtime. // Auto-start gateway after backend starts listening. go func() { @@ -188,6 +186,5 @@ func main() { } }() - // Start system tray - systray.Run(onReady, onExit) + runTray() } diff --git a/web/backend/systray.go b/web/backend/systray.go index 1ff98c71b..902cc65e0 100644 --- a/web/backend/systray.go +++ b/web/backend/systray.go @@ -1,10 +1,10 @@ +//go:build !darwin || cgo + package main import ( - "context" _ "embed" "fmt" - "time" "fyne.io/systray" @@ -12,10 +12,9 @@ import ( "github.com/sipeed/picoclaw/web/backend/utils" ) -const ( - browserDelay = 500 * time.Millisecond - shutdownTimeout = 15 * time.Second -) +func runTray() { + systray.Run(onReady, shutdownApp) +} // onReady is called when the system tray is ready func onReady() { @@ -90,43 +89,6 @@ func onReady() { } } -// onExit is called when the system tray is exiting -func onExit() { - fmt.Println(T(Exiting)) - - // First, shutdown API handler - if apiHandler != nil { - apiHandler.Shutdown() - } - - if server != nil { - // Disable keep-alive to allow graceful shutdown - server.SetKeepAlivesEnabled(false) - - ctx, cancel := context.WithTimeout(context.Background(), shutdownTimeout) - defer cancel() - if err := server.Shutdown(ctx); err != nil { - // Context deadline exceeded is expected if there are active connections - // This is not necessarily an error, so log it at info level - if err == context.DeadlineExceeded { - logger.Infof("Server shutdown timeout after %v, forcing close", shutdownTimeout) - } else { - logger.Errorf("Server shutdown error: %v", err) - } - } else { - logger.Infof("Server shutdown completed successfully") - } - } -} - -// openBrowser opens the PicoClaw web console in the default browser -func openBrowser() error { - if serverAddr == "" { - return fmt.Errorf("server address not set") - } - return utils.OpenBrowser(serverAddr) -} - // getIcon returns the system tray icon func getIcon() []byte { return iconData diff --git a/web/backend/tray_stub_darwin_nocgo.go b/web/backend/tray_stub_darwin_nocgo.go new file mode 100644 index 000000000..c54aaac1b --- /dev/null +++ b/web/backend/tray_stub_darwin_nocgo.go @@ -0,0 +1,32 @@ +//go:build darwin && !cgo + +package main + +import ( + "context" + "os" + "os/signal" + "syscall" + "time" + + "github.com/sipeed/picoclaw/pkg/logger" +) + +func runTray() { + logger.Infof("System tray is unavailable in darwin builds without cgo; running without tray") + + if !*noBrowser { + go func() { + time.Sleep(browserDelay) + if err := openBrowser(); err != nil { + logger.Errorf("Warning: Failed to auto-open browser: %v", err) + } + }() + } + + ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) + defer stop() + + <-ctx.Done() + shutdownApp() +} From 3e33d1053c222dcb0400c39657aba776cadf086b Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 20:13:11 +0800 Subject: [PATCH 45/47] fix(backend): add no-cgo tray fallback for darwin and freebsd (#1691) * refactor(backend): add darwin no-cgo tray fallback * fix(release): stub tray for freebsd builds without cgo --- web/backend/systray.go | 2 +- web/backend/tray_stub_nocgo.go | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 web/backend/tray_stub_nocgo.go diff --git a/web/backend/systray.go b/web/backend/systray.go index 902cc65e0..2ae4434bb 100644 --- a/web/backend/systray.go +++ b/web/backend/systray.go @@ -1,4 +1,4 @@ -//go:build !darwin || cgo +//go:build (!darwin && !freebsd) || cgo package main diff --git a/web/backend/tray_stub_nocgo.go b/web/backend/tray_stub_nocgo.go new file mode 100644 index 000000000..13ecfd2cb --- /dev/null +++ b/web/backend/tray_stub_nocgo.go @@ -0,0 +1,33 @@ +//go:build (darwin || freebsd) && !cgo + +package main + +import ( + "context" + "os" + "os/signal" + "runtime" + "syscall" + "time" + + "github.com/sipeed/picoclaw/pkg/logger" +) + +func runTray() { + logger.Infof("System tray is unavailable in %s builds without cgo; running without tray", runtime.GOOS) + + if !*noBrowser { + go func() { + time.Sleep(browserDelay) + if err := openBrowser(); err != nil { + logger.Errorf("Warning: Failed to auto-open browser: %v", err) + } + }() + } + + ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) + defer stop() + + <-ctx.Done() + shutdownApp() +} From 12c01327dd77ffcd4a7409bf9a0174a7169058d8 Mon Sep 17 00:00:00 2001 From: wenjie <meetwenjie@gmail.com> Date: Tue, 17 Mar 2026 20:34:11 +0800 Subject: [PATCH 46/47] Remove redundant Darwin tray stub (#1694) --- web/backend/tray_stub_darwin_nocgo.go | 32 --------------------------- 1 file changed, 32 deletions(-) delete mode 100644 web/backend/tray_stub_darwin_nocgo.go diff --git a/web/backend/tray_stub_darwin_nocgo.go b/web/backend/tray_stub_darwin_nocgo.go deleted file mode 100644 index c54aaac1b..000000000 --- a/web/backend/tray_stub_darwin_nocgo.go +++ /dev/null @@ -1,32 +0,0 @@ -//go:build darwin && !cgo - -package main - -import ( - "context" - "os" - "os/signal" - "syscall" - "time" - - "github.com/sipeed/picoclaw/pkg/logger" -) - -func runTray() { - logger.Infof("System tray is unavailable in darwin builds without cgo; running without tray") - - if !*noBrowser { - go func() { - time.Sleep(browserDelay) - if err := openBrowser(); err != nil { - logger.Errorf("Warning: Failed to auto-open browser: %v", err) - } - }() - } - - ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) - defer stop() - - <-ctx.Done() - shutdownApp() -} From 5bc4fe4dea84e804548907754e5c02f1093b2faa Mon Sep 17 00:00:00 2001 From: BeaconCat <111232138+BeaconCat@users.noreply.github.com> Date: Tue, 17 Mar 2026 20:51:07 +0800 Subject: [PATCH 47/47] docs: add project identity statement and normalize NanoBot capitalization across all READMEs (#1695) Add a clear identity statement to all 6 README files clarifying that PicoClaw is an independent open-source project by Sipeed, written entirely in Go, and not a fork of OpenClaw, NanoBot, or any other project. This addresses common AI hallucinations found during testing of 11 AI tools. Also normalizes [nanobot] to [NanoBot] for consistent capitalization. Co-authored-by: BeaconCat <BeaconCat@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> --- README.fr.md | 4 +++- README.ja.md | 4 +++- README.md | 4 +++- README.pt-br.md | 4 +++- README.vi.md | 4 +++- README.zh.md | 4 +++- 6 files changed, 18 insertions(+), 6 deletions(-) diff --git a/README.fr.md b/README.fr.md index 49a02fb77..8d66efb66 100644 --- a/README.fr.md +++ b/README.fr.md @@ -23,7 +23,9 @@ --- -🦐 **PicoClaw** est un assistant personnel IA ultra-léger inspiré de [nanobot](https://github.com/HKUDS/nanobot), entièrement réécrit en **Go** via un processus d'auto-amorçage (self-bootstrapping) — où l'agent IA lui-même a piloté l'intégralité de la migration architecturale et de l'optimisation du code. +> **PicoClaw** est un projet open-source indépendant initié par [Sipeed](https://sipeed.com). Il est entièrement écrit en **Go** — ce n'est pas un fork d'OpenClaw, de NanoBot ou de tout autre projet. + +🦐 **PicoClaw** est un assistant personnel IA ultra-léger inspiré de [NanoBot](https://github.com/HKUDS/nanobot), entièrement réécrit en **Go** via un processus d'auto-amorçage (self-bootstrapping) — où l'agent IA lui-même a piloté l'intégralité de la migration architecturale et de l'optimisation du code. ⚡️ **Extrêmement léger :** Fonctionne sur du matériel à seulement **10$** avec **<10 Mo** de RAM. C'est 99% de mémoire en moins qu'OpenClaw et 98% moins cher qu'un Mac mini ! diff --git a/README.ja.md b/README.ja.md index c0d27de4f..be8e05554 100644 --- a/README.ja.md +++ b/README.ja.md @@ -26,7 +26,9 @@ --- -🦐 PicoClaw は [nanobot](https://github.com/HKUDS/nanobot) にインスパイアされた超軽量パーソナル AI アシスタントです。Go でゼロからリファクタリングされ、AI エージェント自身がアーキテクチャの移行とコード最適化を推進するセルフブートストラッピングプロセスで構築されました。 +> **PicoClaw** は [Sipeed](https://sipeed.com) が立ち上げた独立したオープンソースプロジェクトです。完全に **Go 言語**で一から書かれており、OpenClaw、NanoBot、その他のプロジェクトのフォークではありません。 + +🦐 PicoClaw は [NanoBot](https://github.com/HKUDS/nanobot) にインスパイアされた超軽量パーソナル AI アシスタントです。Go でゼロからリファクタリングされ、AI エージェント自身がアーキテクチャの移行とコード最適化を推進するセルフブートストラッピングプロセスで構築されました。 ⚡️ $10 のハードウェアで 10MB 未満の RAM で動作:OpenClaw より 99% 少ないメモリ、Mac mini より 98% 安い! diff --git a/README.md b/README.md index 328d59f8c..f607dc035 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,9 @@ --- -🦐 PicoClaw is an ultra-lightweight personal AI Assistant inspired by [nanobot](https://github.com/HKUDS/nanobot), refactored from the ground up in Go through a self-bootstrapping process, where the AI agent itself drove the entire architectural migration and code optimization. +> **PicoClaw** is an independent open-source project initiated by [Sipeed](https://sipeed.com). It is written entirely in **Go** — not a fork of OpenClaw, NanoBot, or any other project. + +🦐 PicoClaw is an ultra-lightweight personal AI Assistant inspired by [NanoBot](https://github.com/HKUDS/nanobot), refactored from the ground up in Go through a self-bootstrapping process, where the AI agent itself drove the entire architectural migration and code optimization. ⚡️ Runs on $10 hardware with <10MB RAM: That's 99% less memory than OpenClaw and 98% cheaper than a Mac mini! diff --git a/README.pt-br.md b/README.pt-br.md index 56946139b..2d4ce1b8a 100644 --- a/README.pt-br.md +++ b/README.pt-br.md @@ -23,7 +23,9 @@ --- -🦐 **PicoClaw** é um assistente pessoal de IA ultra-leve inspirado no [nanobot](https://github.com/HKUDS/nanobot), reescrito do zero em **Go** por meio de um processo de "auto-inicialização" (self-bootstrapping) — onde o próprio agente de IA conduziu toda a migração de arquitetura e otimização de código. +> **PicoClaw** é um projeto open-source independente iniciado pela [Sipeed](https://sipeed.com). É escrito inteiramente em **Go** — não é um fork do OpenClaw, NanoBot ou qualquer outro projeto. + +🦐 **PicoClaw** é um assistente pessoal de IA ultra-leve inspirado no [NanoBot](https://github.com/HKUDS/nanobot), reescrito do zero em **Go** por meio de um processo de "auto-inicialização" (self-bootstrapping) — onde o próprio agente de IA conduziu toda a migração de arquitetura e otimização de código. ⚡️ **Extremamente leve:** Roda em hardware de apenas **$10** com **<10MB** de RAM. Isso é 99% menos memória que o OpenClaw e 98% mais barato que um Mac mini! diff --git a/README.vi.md b/README.vi.md index a542d6507..da77d0bf5 100644 --- a/README.vi.md +++ b/README.vi.md @@ -23,7 +23,9 @@ --- -🦐 **PicoClaw** là trợ lý AI cá nhân siêu nhẹ, lấy cảm hứng từ [nanobot](https://github.com/HKUDS/nanobot), được viết lại hoàn toàn bằng **Go** thông qua quá trình "tự khởi tạo" (self-bootstrapping) — nơi chính AI Agent đã tự dẫn dắt toàn bộ quá trình chuyển đổi kiến trúc và tối ưu hóa mã nguồn. +> **PicoClaw** là dự án mã nguồn mở độc lập được khởi xướng bởi [Sipeed](https://sipeed.com). Được viết hoàn toàn bằng **Go** — không phải là bản fork của OpenClaw, NanoBot hay bất kỳ dự án nào khác. + +🦐 **PicoClaw** là trợ lý AI cá nhân siêu nhẹ, lấy cảm hứng từ [NanoBot](https://github.com/HKUDS/nanobot), được viết lại hoàn toàn bằng **Go** thông qua quá trình "tự khởi tạo" (self-bootstrapping) — nơi chính AI Agent đã tự dẫn dắt toàn bộ quá trình chuyển đổi kiến trúc và tối ưu hóa mã nguồn. ⚡️ **Cực kỳ nhẹ:** Chạy trên phần cứng chỉ **$10** với RAM **<10MB**. Tiết kiệm 99% bộ nhớ so với OpenClaw và rẻ hơn 98% so với Mac mini! diff --git a/README.zh.md b/README.zh.md index 9877ef9f4..6eacec008 100644 --- a/README.zh.md +++ b/README.zh.md @@ -24,7 +24,9 @@ --- -🦐 **PicoClaw** 是一个受 [nanobot](https://github.com/HKUDS/nanobot) 启发的超轻量级个人 AI 助手。它采用 **Go 语言** 从零重构,经历了一个“自举”过程——即由 AI Agent 自身驱动了整个架构迁移和代码优化。 +> **PicoClaw** 是由 [矽速科技 (Sipeed)](https://sipeed.com) 发起的独立开源项目,完全使用 **Go 语言**从零编写——不是 OpenClaw、NanoBot 或其他项目的分支。 + +🦐 **PicoClaw** 是一个受 [NanoBot](https://github.com/HKUDS/nanobot) 启发的超轻量级个人 AI 助手。它采用 **Go 语言** 从零重构,经历了一个“自举”过程——即由 AI Agent 自身驱动了整个架构迁移和代码优化。 ⚡️ **极致轻量**:可在 **10 美元** 的硬件上运行,内存占用 **<10MB**。这意味着比 OpenClaw 节省 99% 的内存,比 Mac mini 便宜 98%!